This edition highlights critical vulnerabilities, no-fix plugins removed from the WP repo, WordPress’s ban on WP Engine, and our latest blog on effectively securing your site.
#1 – Recurring Vulnerability: GiveWP Plugin
Critical severity PHP Object Injection vulnerability.
How will I know I’m okay?
Upgrade ASAP to v3.16.2+
What’s the risk?
Severity risk 10/10 – an attacker can inject and execute malicious objects within a PHP application.
Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.
#2 – Recurring Vulnerability: The Events Calendar Plugin
Potentially 700,000 sites with high severity risk.
How will I know I’m okay?
Upgrade ASAP to v6.6.4.1+
What’s the risk?
Severity risk 9.3/10 – SQL Injection – an attacker can directly interact with your WP database!
Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.
#3 – Vulnerable: JupiterX Core Plugin
Serious file-upload threat.
How will I know I’m okay?
Upgrade ASAP to v4.6.6+
What’s the risk?
Severity risk 10/10 – Arbitrary File Upload – an attacker can upload any type of file to your site, including backdoors that could gain further access.
Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.
#4 – Vulnerable: W3 Total Cache Plugin
Low severity private data exposure w/1+ million sites affected.
How will I know I’m okay?
Upgrade ASAP to v2.7.6+
What’s the risk?
Severity risk 3.7/10 – Sensitive Data Exposure – can let unauthorised users access confidential information.
Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.
#5 – Plugins with Severe Security Risks Removed from wp.org
The vulnerable plugins listed below have no official fixes and are actively exploited. As a preventive measure, they were removed from wp.org.
These should probably be removed/replaced:
- REST API TO MiniProgram Plugin: No official fix available. Remove it for now.
- WP Easy Gallery Plugin: No official fix available. Remove it for now.
- Vmax Project Manager Plugin: No official fix available. Remove it for now.
- Special Text Boxes Plugin: No official fix available. Remove it for now.
- Contact Form 7 Math Captcha Plugin: No official fix available. Remove it for now.
Editor Comment
As a precautionary measure, take a few minutes each week to perform a review of your sites to catch issues early.
#6 – Vulnerable: Advanced File Manager Plugin
Another file upload risk!
How will I know I’m okay?
Upgrade ASAP to v5.2.9+
What’s the risk?
Severity risk 7.5/10 – Arbitrary File Upload – an attacker can upload any type of file to your site, including backdoors that could gain further access.
Editor Comment
Please use ShieldPRO’s auto-upgrade feature for vulnerable plugins.
#7 – WP Engine banned from wp.org
WordPress has restricted WP Engine servers from accessing wp.org resources, which may prevent vital software updates, particularly for at-risk plugins.
There appears to be a reprieve until 1st October, but after that you may need to rely on manual updates, unless WPE puts in a solution or comes to an agreement with WordPress.org.
#8 – Our Blog: Disabling Directory Browsing
Directory browsing lets users see files in a web directory if there’s no index file, risking exposure of sensitive data. It’s important to prevent this to protect against unauthorised access.
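A quick way to audit for this on your own server, as an added example that is not Shield's code: the script below walks a site's wp-content tree for directories with no index file (the precondition for a listing) and checks whether the Apache-style .htaccess turns listings off with "Options -Indexes". It assumes an Apache host (nginx uses "autoindex off;" instead) and builds a small constructed sample tree so it runs offline.

```python
"""Audit a WordPress install for directories that could be browsed.

A listing only happens when a request hits a directory with no index file
and the web server allows listings. This constructed example (not Shield's
code) reports wp-content directories lacking index.php/index.html and checks
or adds the Apache 'Options -Indexes' directive in the site's .htaccess.
"""
import os
import re
import tempfile

INDEX_FILES = {"index.php", "index.html", "index.htm"}


def find_listable_dirs(root):
    """Return wp-content directories (relative to root) with no index file."""
    base = os.path.join(root, "wp-content")
    hits = []
    for dirpath, _dirnames, filenames in os.walk(base):
        if not INDEX_FILES & set(filenames):
            hits.append(os.path.relpath(dirpath, root))
    return sorted(hits)


def htaccess_disables_indexes(root):
    """True if .htaccess has an Options line that includes -Indexes."""
    path = os.path.join(root, ".htaccess")
    if not os.path.exists(path):
        return False
    with open(path) as fh:
        text = fh.read()
    # Matches 'Options -Indexes' and 'Options -Indexes +FollowSymLinks'.
    return re.search(r"^\s*Options\b[^\n]*-Indexes", text, re.M | re.I) is not None


def disable_indexes(root):
    """Append 'Options -Indexes' to .htaccess (Apache only); False if present."""
    if htaccess_disables_indexes(root):
        return False
    with open(os.path.join(root, ".htaccess"), "a") as fh:
        fh.write("\n# Turn off directory listings\nOptions -Indexes\n")
    return True


def build_sample_site():
    """Constructed sample tree: uploads has no index files, plugins does."""
    root = tempfile.mkdtemp()
    for rel in ("wp-content/uploads/2024/09", "wp-content/plugins/demo"):
        os.makedirs(os.path.join(root, rel))
    for rel in ("wp-content", "wp-content/plugins", "wp-content/plugins/demo"):
        open(os.path.join(root, rel, "index.php"), "w").close()
    with open(os.path.join(root, ".htaccess"), "w") as fh:
        fh.write("# BEGIN WordPress\nRewriteEngine On\n# END WordPress\n")
    return root


if __name__ == "__main__":
    site = build_sample_site()
    print("Directories without an index file:", find_listable_dirs(site))
    print(".htaccess disables listings:", htaccess_disables_indexes(site))
```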
Thanks for reading, and have a great week!
Paul Goodchild
Shield Security for WordPress