These monthly reports are provided for the WordPress community at large from Pagely’s head of security, Robert Rowley. Rowley and the entire security team keep their finger on the pulse of any potential vulnerabilities that might affect our customers, as well as any WordPress user.
We sincerely hope these efforts help any and all that could use information from the experts on monthly security issues. We commend the researches and developers that help to identify and patch these issues in a timely fashion.
WordPress Core
No notable WordPress core security releases.
Plugin/Theme Vulnerabilities of Note
WordPress website owners who have the custom-searchable-data-entry-system or product-lister-walmart plugins installed are strongly encouraged to remove them or find a replacement as soon as possible. Both of these plugins were removed from the WP.org plugin repository due to inaction of the developer to patch one or more security flaws:
Moving on, let’s discuss plugins that have patches for reported vulnerabilities in March:
All-in-One WP Migration
This very popular plugin with over 2 million active installations is, unfortunately, naming backup files based on a timestamp and a random number between 0 and 1000. Attackers may be able to make an educated guess as to what that the timestamp’s value is, then initiate attacks to download backups of websites. This flaw was fixed by making the backup file names less guessable in version 7.15.
WooCommerce Smart Coupons
This premium add-on for WooCommerce had a high-risk vulnerability that may cause direct financial loss for WooCommerce sites running the Smart Coupons add-on. Due to a lack of proper authorization checks in the gift card/coupon creation codebase, an attacker could make a request to generate a new gift card or coupon to the site without authenticating themselves first. Allowing them to create gift cards or coupons with arbitrary values, then use them to purchase items off the website. This would only affect sites with this plugin installed and the gift card or coupon functionality enabled.
Since this is a premium plugin, auto-update functionality may not work as expected. Due to the high risk, it is strongly encouraged you manually double-check that this plugin has been updated to at least version 4.6.5.
WP Security Audit Log
This Security Audit Log plugin has over 100,000 active installations. If any of those installations has not completed the initial setup wizard, they are vulnerable to an attack that allows attackers to run the install wizard themselves without logging in to wp-admin.
The WP Security Audit log team patched this vulnerability in version 4.0.2, site owners are encouraged to check if they have this plugin installed and verify the install wizard has been completed (or remove it entirely).
LearnPress LMS
Remote classrooms and learning websites running LearnPress LMS need to be aware of an insecurity that allows students (or any authenticated user) to change their role to the instructor role. It is recommended to update this plugin to 3.2.6.7 or higher before any students decide to recreate the cliche of a 90s hacker movie attack and gain instructor access to their classrooms.
Gutenberg & Elementor Templates Importer for Responsive WordPress Theme
The plugin named “responsive-add-ons” (Used for importing Gutenberg & Elementor Templates for the Responsive WordPress theme) lacked proper authentication steps on a number of it’s AJAX endpoints. This plugin before release 2.2.6 would allow unauthenticated requests to take many actions on the site, with numerous highly dangerous actions including importing xml/json files, activating plugins, inject javascript or reset the site’s data.