Another supply chain attack has affected WP.org plugins.

#1 – Vulnerable: Nested Pages Plugin

Cross-Site Request Forgery (CSRF) vulnerability in a plugin with 100,000 installs.

How will I know I’m okay?
Upgrade ASAP to v3.2.8+

What’s the risk?
Severity risk 8.3/10 – an attacker can force privileged users to execute unwanted actions while authenticated.

Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.

#2 – Vulnerable: Ultimate Addons for Elementor Plugin

Widely used plugin with a critical Privilege Escalation vulnerability.

How will I know I’m okay?
Upgrade ASAP to v1.36.32+

What’s the risk?
Severity risk 8.8/10 – an attacker can escalate their low-privileged account to gain higher privileges and take full control of the website.

Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.

#3 – Vulnerable: WP Google Map Plugin

Potentially 300,000 WP sites are exposed to a severe security risk.

How will I know I’m okay?
Upgrade ASAP to v4.6.2+

What’s the risk?
Severity risk 8.5/10 – SQL Injection – an attacker can interact with your WP database directly!

Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.

#4 – Vulnerable: UsersWP Plugin

Not a hugely popular plugin, but it poses a high risk.

How will I know I’m okay?
Upgrade ASAP to v1.2.11+

What’s the risk?
Severity risk 9.3/10 – SQL Injection – an attacker can interact with your WP database directly!

Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.

#5 – Plugins Affected by Polyfill Supply Chain Attack

Polyfill.js – a widely used JavaScript library – has been exploited by hackers to deliver malicious code that creates Cross-Site Scripting (XSS) risk and can steal user data, manipulate site actions, and redirect visitors to malicious sites.

The plugins below are known to embed scripts from the affected domains and should be updated to the latest version or removed:

Amelia
No official fix available. Remove it for now.

WP User Frontend
Upgrade to v4.0.8+

Product Customer List for WooCommerce
Upgrade to v3.1.7+

Editor Comment
As a precautionary measure, take a few minutes each week to perform a review of your sites to catch issues early.

#6 – From our blog: Secure your site from hackers

Bad guys never sleep, and neither should we. We guide you through easy steps to defend your site and keep it secure.

Thanks for reading, and have a great week!

Paul Goodchild
Shield Security for WordPress