This week: a few big vulnerabilities to look out for, and a security tip from our blog.
#1 – Vulnerable: Paid Memberships Pro – Member Directory Add On Plugin
Critical SQL Injection vulnerability.
How will I know I’m okay?
Upgrade ASAP to v1.2.6+
What’s the risk?
Severity risk 8.5/10 – an attacker can interact with your WP database directly!
Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.
#2 – Vulnerable: Better Find and Replace Plugin
High severity PHP Object Injection vulnerability.
How will I know I’m okay?
Upgrade ASAP to v1.6.2+
What’s the risk?
Severity risk 8.3/10 – an attacker can inject and execute malicious objects within a PHP application.
Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.
#3 – Vulnerable: File Manager Pro Plugin
Settings Change vulnerability affecting up to 60,000 sites.
How will I know I’m okay?
Upgrade ASAP to v1.8.3+
What’s the risk?
Severity risk 7.5/10 – an attacker can modify the plugin’s settings, potentially compromising site security and functionality.
Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.
#4 – Vulnerable: Superfly Menu Plugin
A lesser-known plugin but with a high CSRF risk.
How will I know I’m okay?
Upgrade ASAP to v5.0.30+
What’s the risk?
Severity risk 8.8/10 – an attacker can force privileged users to execute unwanted actions while authenticated.
Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.
#5 – Vulnerable: Forminator Plugin
Low severity, but with potentially 500,000 affected sites it is still a serious security risk.
How will I know I’m okay?
Upgrade ASAP to v1.29.2+
What’s the risk?
Severity risk 5.8/10 – Sensitive Data Exposure: unauthorized users may gain access to confidential information.
Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.
#6 – From our blog: User Enumeration Attacks
User enumeration lets attackers find usernames on your WP site and then try to guess passwords through brute force or dictionary attacks. Find out how to get ahead of this sort of threat.
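As an added example (not code from Shield Security's blog or plugin), here is a small WordPress must-use plugin that closes three common username-disclosure paths using only standard WordPress hooks: the author-archive redirect, the public REST users listing, and the login error message that differs for unknown users versus wrong passwords. The file location and the neutral error wording are assumptions; try it on a staging site first.

```php
<?php
/**
 * Added illustration, not from Shield Security's blog or plugin.
 * Save as wp-content/mu-plugins/stop-user-enumeration.php (assumed path).
 * All hook names below are real WordPress APIs.
 */

// 1. Author archives: a request for /?author=1 normally redirects to
//    /author/<login>/, which reveals the account's login name.
//    Send unauthenticated visitors to the home page instead.
add_action( 'init', function () {
    if ( ! is_user_logged_in() && isset( $_GET['author'] ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
} );

// Also cover pretty-permalink author archives (/author/<login>/).
add_action( 'template_redirect', function () {
    if ( ! is_user_logged_in() && is_author() ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
} );

// 2. REST API: /wp-json/wp/v2/users lists accounts to anyone by default.
//    Remove the users routes for requests that are not authenticated.
add_filter( 'rest_endpoints', function ( array $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( strpos( $route, '/wp/v2/users' ) === 0 ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// 3. Login form: the default error text tells "unknown username" apart
//    from "wrong password", confirming which usernames exist.
//    Return one neutral message for every failure (wording is an assumption).
add_filter( 'login_errors', function () {
    return __( 'Login failed. Please check your credentials.' );
} );
```

These three hooks remove the easiest disclosure points; they complement, rather than replace, limiting login attempts and requiring strong passwords, since the goal of enumeration is to feed a brute-force or dictionary attack.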
Thanks for reading, and have a great week!
Paul Goodchild
Shield Security for WordPress