Several critical vulnerabilities published in the last week and a huge personal data breach to be aware of.

#1 – Vulnerable: Social Auto Poster Plugin

High risk arbitrary file upload vulnerability.

How will I know I’m okay?
Upgrade ASAP to v5.3.15+

What’s the risk?
Severity risk 9.9/10 – Arbitrary File Upload – an attacker can upload any type of file to your site, including backdoors that could be used to gain further access.

Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.


#2 – Vulnerable: PowerPack Pro for Elementor Plugin

Site takeover risk.

How will I know I’m okay?
Upgrade ASAP to v2.10.15+

What’s the risk?
Severity risk 8.8/10 – an attacker can escalate their low-privileged account to gain higher privileges and take full control of the website.

Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.


#3 – Vulnerable: ListingPro Theme

Critical SQL Injection vulnerability with no official fix.

How will I know I’m okay?
No fix available yet; please watch for updates.

What’s the risk?
Severity risk 9.3/10 – SQL Injection – an attacker can directly interact with your WP database!

Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.


#4 – Vulnerable: LiteSpeed Cache Plugin

CSRF in a plugin with 5+ million installs.

How will I know I’m okay?
Upgrade ASAP to v6.3+

What’s the risk?
Severity risk 7.1/10 – an attacker can force privileged users to execute unwanted actions while authenticated.

Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.


#5 – Vulnerable: Royal Elementor Addons Plugin

Potentially 400,000 sites with low severity but recurring XSS risk.

How will I know I’m okay?
Upgrade ASAP to v1.3.981+

What’s the risk?
Severity risk 6.5/10 – XSS – allowing injection of malicious scripts into the website, which visitors' browsers may then execute.

Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.

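To check whether a site is below the fixed versions listed in entries #1, #2, #4 and #5, here is an added example (not code from Shield or from this newsletter) that reads the JSON produced by `wp plugin list --format=json` and flags plugins still below the fix; the plugin slugs and the sample plugin list are assumptions constructed for the example, and the ListingPro theme is left out because no fixed version exists yet.

```python
"""Compare installed WordPress plugin versions against the fixed versions
named in this digest. Added example; PLUGIN_LIST below is a constructed
sample shaped like `wp plugin list --format=json` output, not real site data."""
import json
import re

# Slug -> first fixed version, as stated in the advisories above.
# Slugs are assumed for this example; match them to what `wp plugin list` reports.
FIXED_VERSIONS = {
    "social-auto-poster": "5.3.15",
    "powerpack-elements": "2.10.15",
    "litespeed-cache": "6.3",
    "royal-elementor-addons": "1.3.981",
}

# Constructed sample, not output from any real site.
PLUGIN_LIST = json.dumps([
    {"name": "litespeed-cache", "status": "active", "version": "6.2.0.1"},
    {"name": "royal-elementor-addons", "status": "active", "version": "1.3.99"},
    {"name": "social-auto-poster", "status": "inactive", "version": "5.3.15"},
    {"name": "akismet", "status": "active", "version": "5.3"},
])


def parse_version(v):
    """Split '1.3.981' into (1, 3, 981) so components compare numerically;
    a string compare would wrongly rank '1.3.99' above '1.3.981'.
    Non-numeric suffixes such as '-beta' are ignored (treated as 0)."""
    parts = v.strip().lstrip("v").split(".")
    return tuple(int(re.match(r"\d*", p).group() or 0) for p in parts)


def is_fixed(installed, fixed):
    """True when installed >= fixed; missing trailing components count as 0,
    so '6.3' and '6.3.0' compare equal."""
    a, b = parse_version(installed), parse_version(fixed)
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) >= b + (0,) * (n - len(b))


def vulnerable_plugins(plugin_list_json):
    """Return [(slug, installed, fixed)] for plugins still below the fix.
    Inactive plugins are reported too: their files remain on disk."""
    findings = []
    for p in json.loads(plugin_list_json):
        fixed = FIXED_VERSIONS.get(p["name"])
        if fixed and not is_fixed(p["version"], fixed):
            findings.append((p["name"], p["version"], fixed))
    return findings


if __name__ == "__main__":
    for slug, have, need in vulnerable_plugins(PLUGIN_LIST):
        print(f"UPGRADE {slug}: installed {have}, fixed in {need}")
```

On a live site, replace PLUGIN_LIST with the output of `wp plugin list --format=json` run from the WordPress root.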

#6 – 361M+ Unique Emails & Passwords Leaked

One of the largest data breaches in history was discovered, with 361 million unique emails, usernames, and passwords available for sale through a Telegram channel.

The compromised data includes accounts on major tech platforms such as Gmail, Amazon, Netflix, PayPal, LastPass, etc.

Editor Comment
Never re-use passwords; use a Password Manager; and turn on Shield’s Pwned Password protection feature.


Thanks for reading, and have a great week!

Paul Goodchild
Shield Security for WordPress