This week: a few big vulnerabilities to look out for, and a security tip from our blog.

#1 – Vulnerable: Paid Memberships Pro – Member Directory Add On Plugin

Critical SQL Injection vulnerability.

How will I know I’m okay?
Upgrade ASAP to v1.2.6+

What’s the risk?
Severity risk 8.5/10 – an attacker can interact with your WP database directly!

Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.

More Info →

#2 – Vulnerable: Better Find and Replace Plugin

High severity PHP Object Injection vulnerability.

How will I know I’m okay?
Upgrade ASAP to v1.6.2+

What’s the risk?
Severity risk 8.3/10 – an attacker can inject and execute malicious objects within a PHP application.

Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.

More Info →

#3 – Vulnerable: File Manager Pro Plugin

Settings Change vulnerability on up to 60,000 sites.

How will I know I’m okay?
Upgrade ASAP to v1.8.3+

What’s the risk?
Severity risk 7.5/10 – an attacker can modify the plugin’s settings, potentially compromising site security and functionality.

Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.

More Info →

#4 – Vulnerable: Superfly Menu Plugin

A lesser-known plugin, but one carrying a high-severity CSRF risk.

How will I know I’m okay?
Upgrade ASAP to v5.0.30+

What’s the risk?
Severity risk 8.8/10 – an attacker can force privileged users to execute unwanted actions while authenticated.

Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.

More Info →

#5 – Vulnerable: Forminator Plugin

Potentially 500,000 sites affected; rated low severity, but still a serious security risk.

How will I know I’m okay?
Upgrade ASAP to v1.29.2+

What’s the risk?
Severity risk 5.8/10 – Sensitive Data Exposure – unauthorized users may be able to access confidential information.

Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.

More Info →

#6 – From our blog: User Enumeration Attacks

User enumeration lets attackers find usernames on your WP site and then try to guess passwords through brute force or dictionary attacks. Find out how to get ahead of this sort of threat.

More Info →
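One practical way to get ahead of user enumeration is to watch your web server logs for the probing that precedes a brute-force run. The script below is an added example written for this newsletter, not code from Shield Security or from the blog post linked above. It works on constructed Apache/Nginx combined-format log lines (the IP addresses and timestamps are made up) and flags a client that walks through several `?author=N` IDs or pulls the WordPress REST users listing, then shows how many `wp-login.php` POSTs followed. The threshold of three distinct author IDs is an assumption you should tune for your own site.

```python
"""Spot user-enumeration probing in WordPress access logs (added example)."""
import re
from collections import defaultdict

# Constructed sample log lines in combined log format; not real traffic.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Mar/2024:10:00:01 +0000] "GET /?author=1 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:02 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:03 +0000] "GET /?author=3 HTTP/1.1" 404 0 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:04 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:09 +0000] "POST /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Mar/2024:10:00:10 +0000] "POST /wp-login.php HTTP/1.1" 200 4100 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:10:01:00 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.4 - - [10/Mar/2024:10:01:05 +0000] "GET /?author=2 HTTP/1.1" 301 0 "-" "Mozilla/5.0"
"""

# Combined log format: client IP, identity, user, [timestamp], "METHOD PATH PROTO", status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
AUTHOR_RE = re.compile(r"[?&]author=(\d+)")
REST_USERS_PATH = "/wp-json/wp/v2/users"
LOGIN_PATH = "/wp-login.php"

# Assumed threshold: walking through this many distinct author IDs is treated as enumeration.
AUTHOR_ID_THRESHOLD = 3


def analyze(log_text, author_threshold=AUTHOR_ID_THRESHOLD):
    """Return per-client counters and a 'flagged' verdict for enumeration behaviour."""
    stats = defaultdict(lambda: {"author_ids": set(), "rest_users": 0, "login_posts": 0})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not parse rather than guessing
        ip, method, path = m.group("ip"), m.group("method"), m.group("path")
        entry = stats[ip]
        author = AUTHOR_RE.search(path)
        if author:
            entry["author_ids"].add(int(author.group(1)))
        if path.startswith(REST_USERS_PATH):
            entry["rest_users"] += 1
        if method == "POST" and path.startswith(LOGIN_PATH):
            entry["login_posts"] += 1
    for entry in stats.values():
        # Either signal alone is enough to flag; login POSTs are context, not a trigger.
        entry["flagged"] = (
            len(entry["author_ids"]) >= author_threshold or entry["rest_users"] > 0
        )
    return dict(stats)


def flagged_ips(log_text, author_threshold=AUTHOR_ID_THRESHOLD):
    """Sorted list of client IPs whose behaviour looks like user enumeration."""
    return sorted(ip for ip, e in analyze(log_text, author_threshold).items() if e["flagged"])


if __name__ == "__main__":
    for ip, e in analyze(SAMPLE_LOG).items():
        if e["flagged"]:
            print(f"{ip}: {len(e['author_ids'])} author IDs probed, "
                  f"{e['rest_users']} REST users hits, {e['login_posts']} login POSTs after")
```

Run it against your own access log (`analyze(open(path).read())`) to see which clients are walking author IDs before hammering the login form; a flagged client that then posts to `wp-login.php` is the pattern worth blocking or rate-limiting, and a site that blocks author-ID redirects and the REST users listing for anonymous visitors will show none of the first two signals at all.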

Thanks for reading, and have a great week!

Paul Goodchild
Shield Security for WordPress