April 8, 2024 by Paul G. | Security, ShieldNOTES

ShieldNOTES Ep#8: LayerSlider, Oxygen & HTTP/2

There are a couple of big premium plugins with major vulnerabilities. If you’re running these, we urge you to review them:

#1 – Critical Vulnerability in LayerSlider Plugin

This plugin is practically everywhere, with an estimated 1M+ installs.

How will I know I’m okay?
Upgrade the plugin to v7.10.1+

What’s the risk?
Unauthenticated SQL Injection: 9.8/10 severity.

Editor Comment
If you use ShieldPRO’s automatic upgrader for vulnerable plugins/themes, this will be done automatically for you.


#2 – RCE Vulnerability in Oxygen Builder Plugin

With over 150,000 estimated installs, it’s widely used.

How will I know I’m okay?
There is some debate with the developer as to whether this is actually a vulnerability and so they never provided a patch. Their argument is that the issue stems from a lack of clear documentation on the actual authorization granted to non-admins, and it’s not a vulnerability.

What’s the risk?
If you’re using the theme and you’ve granted a non-admin user the so-called “Client Control” privileges, they can potentially take control of a site without having administrator privileges.

Editor Comment
We can see both sides of the argument, but without doubt, we would never use such a system, as it violates the principles of access control and “least privilege”.


#3 – HTTP/2 DoS Attack Vulnerability

The newer HTTP/2 protocol, depending on its implementation, may be subject to DoS attacks.

What Should I Do?
Apache httpd (web server) is listed as potentially vulnerable to this attack, so it may be worth contacting your web hosting provider and asking whether they have applied any available updates to mitigate it.

Editor Comment
Issues like this are why it’s so important that your webhost is proactive and keeps their infrastructure secure. Choosing a good webhost is critical.


Thanks for reading, and have a wonderful week!

Paul Goodchild
Shield Security for WordPress

Hello dear reader!

If you want to level-up your WordPress security with ShieldPRO, click to get started today. (risk-free, with our no-quibble 14-day satisfaction promise!)

You'll get all PRO features, including AI Malware Scanning, WP Config File Protection, Plugin and Theme File Guard, import/export, exclusive customer support, and much, much more.

We'd be honoured to have you as a member, and look forward to serving you during your journey towards powerful, WordPress security.

