There are a couple of big premium plugins with major vulnerabilities. If you’re running these, we urge you to review them:
#1 – Critical Vulnerability in LayerSlider Plugin
This plugin is practically everywhere with estimated 1M+ installs.
How will I know I’m okay?
Upgrade the plugin to v7.10.1+
What’s the risk?
Unauthenticated SQL Injection: 9.8/10 severity.
Editor Comment
If you use ShieldPRO’s automatic upgrader for vulnerable plugins/themes, this will be done automatically for you.
#2 – RCE Vulnerability in Oxygen Builder Plugin
With over 150,000 estimated installs, it’s widely used.
How will I know I’m okay?
There is some debate with the developer as to whether this is actually a vulnerability and so they never provided a patch. Their argument is that the issue stems from a lack of clear documentation on the actual authorization granted to non-admins, and it’s not a vulnerability.
What’s the risk?
If you’re using the theme and you’ve granted a non-admin user “Client Control” (so-called) priviledges, they can potentially take control of a site, without having administrator priviledges.
Editor Comment
We can see both sides to the argument, but without doubt, we would never use such a system, as it violates the principles of access control and “least priviledge”.
#3 – HTTP/2 DoS Attack Vulnerability
The newer HTTP/2 protocol, depending on its implementation, may be subject to DoS attacks.
What’s Should I Do?
Apache httpd (web server) is listed as being potentially vulnerable to this attack, so it might be worth contacting your web hosting provider and asking whether they have applied any available updates to mitigate this..
Editor Comment
Ensuring your webhost is on top of this is why it’s so important that your webhost is proactive and keeps their infrastructure secure. Choosing a good webhost is critical.
Thanks for reading, and have a wonderful week!
Paul Goodchild
Shield Security for WordPress