From XSS in WordPress core and popular plugins, to the appearance of DebugMaster malware, this past week has been busy.
Stay ahead of the threats with this roundup and additional safety guide from our blog archive.
#1 – WordPress Core Vulnerability
WordPress Core <= 6.8.2 is vulnerable to XSS and Sensitive Data Exposure.
No fix available yet.
The WordPress Core security team is aware of the issue and is already working on a fix. This is a low-severity vulnerability: Contributor-level privileges are required to exploit it.
Editor Comment
Monitor WordPress updates closely and install security fixes immediately upon release to protect your site from these vulnerabilities. It’s also worth taking a few minutes each week to review your sites so you catch issues early.
#2 – Security Risks in Popular Plugins
These top 10 plugins power millions of sites, and two of them have no fix yet, so exposure is high. Act now and tighten your security.
TranslatePress Plugin
Deserialization of untrusted data; 8.1/10; Update to v2.10.3+
WP Statistics Plugin
XSS; 7.1/10; Update to v14.15.5+
Popup Maker Plugin
XSS; 6.5/10; Update to v1.21.0+
Backuply – Backup, Restore, Migrate and Clone Plugin
Arbitrary File Deletion; 6.5/10; Update to v1.4.9+
Admin and Site Enhancements (ASE) Plugin
XSS; 6.5/10; Update to v7.9.8+
Widget Options – Extended Plugin
XSS; 6.5/10; Update to v5.2.2+
SureForms Plugin
XSS; 5.9/10; Update to v1.9.1+
Download Manager Plugin
Sensitive Data Exposure; 5.3/10; No fix; remove or replace.
Ninja Forms Plugin
CSRF; 4.3/10; Update to v3.12.1+
Stackable Plugin
Sensitive Data Exposure; 4.3/10; No fix; remove or replace.
Editor Comment
It’s worth taking a few minutes each week to review your sites to catch issues early and, wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.
#3 – High Security Risks in Less Popular Plugins
These plugins don’t grab headlines, but they can break things badly. Update now to clean up the mess they can cause.
Podlove Podcast Publisher Plugin
Arbitrary File Upload; 10/10; Update to v4.2.7+
Uni CPO (Premium) Plugin
Arbitrary File Upload; 10/10; Update to v4.9.55+
MultiLoca Plugin
Broken Access Control; 9.8/10; Update to v4.2.9+
Sign-up Sheets Plugin
PHP Object Injection; 9.8/10; Update to v2.3.3+
Editor Comment
It’s worth taking a few minutes each week to review your sites to catch issues early and, wherever possible, use ShieldPRO’s auto-upgrade feature for vulnerable plugins.
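If you manage more than a handful of sites, a weekly review is easier when the advisory data is something a script can check for you. The example below is added here and is not Shield’s code: it takes the plugin, score and minimum fixed version from the two lists above (#2 and #3) and compares them against an installed-version inventory. The inventory is constructed inline and keyed by the plugin names as written in this roundup; on a real site you would build it from `wp plugin list --format=json`, which reports plugin slugs and versions, so the name-to-slug mapping is an assumption you need to supply.

```python
"""Compare installed plugin versions against this week's advisory list.

Added example, not Shield's code. Advisory entries come from the roundup;
the inventory is a constructed sample standing in for real WP-CLI output.
"""
import re

# Plugin name -> (issue, CVSS score, minimum fixed version or None when no fix exists)
ADVISORIES = {
    "TranslatePress": ("Deserialization of untrusted data", 8.1, "2.10.3"),
    "WP Statistics": ("XSS", 7.1, "14.15.5"),
    "Popup Maker": ("XSS", 6.5, "1.21.0"),
    "Backuply": ("Arbitrary File Deletion", 6.5, "1.4.9"),
    "Admin and Site Enhancements (ASE)": ("XSS", 6.5, "7.9.8"),
    "Widget Options": ("XSS", 6.5, "5.2.2"),
    "SureForms": ("XSS", 5.9, "1.9.1"),
    "Download Manager": ("Sensitive Data Exposure", 5.3, None),
    "Ninja Forms": ("CSRF", 4.3, "3.12.1"),
    "Stackable": ("Sensitive Data Exposure", 4.3, None),
    "Podlove Podcast Publisher": ("Arbitrary File Upload", 10.0, "4.2.7"),
    "Uni CPO (Premium)": ("Arbitrary File Upload", 10.0, "4.9.55"),
    "MultiLoca": ("Broken Access Control", 9.8, "4.2.9"),
    "Sign-up Sheets": ("PHP Object Injection", 9.8, "2.3.3"),
}

# Constructed sample inventory: plugin name -> installed version
SAMPLE_INVENTORY = {
    "TranslatePress": "2.10.2",          # one patch behind the fix
    "Ninja Forms": "3.12.1",             # exactly the fixed version
    "Podlove Podcast Publisher": "4.2.8", # already past the fix
    "Stackable": "3.13.0",               # no fix exists, any version is flagged
    "Some Unlisted Plugin": "1.0",       # not in this week's advisories
}


def parse_version(version):
    """Turn '2.10.3' into (2, 10, 3); a non-numeric suffix such as 'beta' ends the tuple."""
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_fixed(installed, minimum):
    """True when the installed version is at or above the minimum fixed version."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    # Pad with zeros so '1.21' and '1.21.0' compare as equal
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def audit(inventory):
    """Return findings as (cvss, plugin, installed, issue, action), highest score first."""
    findings = []
    for name, installed in inventory.items():
        if name not in ADVISORIES:
            continue
        issue, cvss, fixed_in = ADVISORIES[name]
        if fixed_in is None:
            findings.append((cvss, name, installed, issue, "no fix available: remove or replace"))
        elif not is_fixed(installed, fixed_in):
            findings.append((cvss, name, installed, issue, f"update to v{fixed_in}+"))
    return sorted(findings, reverse=True)


if __name__ == "__main__":
    for cvss, name, installed, issue, action in audit(SAMPLE_INVENTORY):
        print(f"[{cvss:>4}] {name} {installed}: {issue} -> {action}")
```

Run against the constructed inventory, the script reports TranslatePress (one patch behind) and Stackable (no fix, so the only action is removal or replacement) and stays quiet about Ninja Forms and Podlove, which are already at or past the fixed version. Plugins with no fix are always listed regardless of version, which mirrors the advice in the table.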
#4 – DebugMaster Malware Creates Persistent Admin Access on WordPress Sites
A stealthy WordPress backdoor hides in files disguised as legitimate utilities to maintain a secret administrator named “help.” The DebugMaster plugin creates that account, sends the credentials (and the server IP) to an attacker, injects malicious code that visitors can see, and logs administrator IPs. Both the plugin and the “help” user are hidden from normal listings, and if the account is removed, a backup file continuously recreates it to retain access.
Full cleanup requires deleting both malicious files and the hidden admin account.
Editor Comment
A security plugin plays a crucial role in protecting your sites, but it’s not everything. You need to run regular security audits to catch things that may fly under the radar. We can’t stress enough how being proactive will pay dividends in the long run.
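Because this malware hides the “help” user from normal listings, the Users screen (and anything else that goes through the same filtered user query) can look clean while the account is still there. The check that does not depend on those listings is to read the administrator accounts straight out of the database and compare them with what the dashboard shows and with the admins you actually expect. The example below is added here and is not Shield’s code: it runs that query against an in-memory SQLite copy of `wp_users` and `wp_usermeta` with constructed rows, so it works offline; on a real site you would run the same SQL against MySQL with the table prefix from your wp-config.php (the `wp_` prefix is assumed), and the dashboard listing and allowlist are values you supply.

```python
"""Find administrator accounts in the database and compare with the dashboard listing.

Added example, not Shield's code. The tables, rows, listing and allowlist are
all constructed; the 'wp_' prefix and the meta key 'wp_capabilities' are assumptions.
"""
import sqlite3

# Administrators are the users whose capabilities meta names the 'administrator' role.
# WordPress stores this as a PHP-serialized array, so a LIKE match is enough here.
ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_registered
FROM wp_users AS u
JOIN wp_usermeta AS m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%administrator%'
ORDER BY u.ID
"""


def build_sample_db():
    """Create the two tables with constructed rows, including an account in the shape the write-up describes."""
    con = sqlite3.connect(":memory:")
    con.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
    """)
    con.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", [
        (1, "paul", "2019-03-01 10:00:00"),
        (2, "editor_jane", "2021-06-12 08:30:00"),
        (7, "help", "2025-08-14 03:12:45"),  # constructed: hidden admin named as in the write-up
    ])
    con.executemany("INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)", [
        (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
        (7, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    ])
    return con


def db_admins(con):
    """Administrator accounts as the database sees them, bypassing any WP-level filtering."""
    return [{"ID": row[0], "user_login": row[1], "user_registered": row[2]}
            for row in con.execute(ADMIN_QUERY)]


def audit_admins(db_rows, listed_logins, allowlist):
    """Flag admins missing from the dashboard listing and admins nobody approved.

    Returns (reason, user_login, ID) tuples so a finding can be traced to a row.
    """
    findings = []
    for row in db_rows:
        login = row["user_login"]
        if login not in listed_logins:
            findings.append(("hidden_from_listing", login, row["ID"]))
        if login not in allowlist:
            findings.append(("not_on_allowlist", login, row["ID"]))
    return findings


# Constructed: what the Users screen showed, and who is actually allowed to be an admin
DASHBOARD_LISTING = {"paul", "editor_jane"}
APPROVED_ADMINS = {"paul"}

if __name__ == "__main__":
    for reason, login, user_id in audit_admins(db_admins(build_sample_db()),
                                               DASHBOARD_LISTING, APPROVED_ADMINS):
        print(f"{reason}: {login} (ID {user_id})")
```

On the sample data the query surfaces the “help” account twice: once because it is an administrator the dashboard never showed, and once because it is not on the approved list. A hit on the first check is the stronger signal, since an ordinary stray admin would still appear in the listing. Remember that, as described above, deleting the account alone is not enough: the backup file recreates it, so the malicious files have to go first and the query re-run afterwards.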
#5 – Our blog: The Importance of Regular WordPress Maintenance
This is a quick reminder from our blog archive about why regular site upkeep isn’t just about looks or content, but is essential for functionality and protecting against cyber threats. Make consistent checks and updates a priority to keep your site secure and running smoothly.
Thanks for reading, and have a wonderful week!
Paul Goodchild
Shield Security for WordPress