<p align="justify">This article covers our public notifications related to major security issues our clients and the WordPress community should know about. We are always focused on <a href="https://pagely.com/solutions/secure-wordpress-hosting/">prevention and the mitigation of risk to our clients</a>, and keeping you updated here is part of that process.<!--more--></p> <h3 align="justify">List of Vulnerable Plugins During This Month</h3> <p style="text-align: center"><style type="text/css" name="visualizer-custom-css" id="customcss-visualizer-21824"></style><div id="visualizer-21824-1000241081"class="visualizer-front visualizer-front-21824"></div><!-- Not showing structured data for chart 21824 because title is empty --></p> <h3>Plugins Closed by WordPress Security</h3> <p style="text-align: center"><style type="text/css" name="visualizer-custom-css" id="customcss-visualizer-21828"></style><div id="visualizer-21828-2115067163"class="visualizer-front visualizer-front-21828"></div><!-- Not showing structured data for chart 21828 because title is empty --></p> <p align="justify">WordPress security team decides to close a plugin when a security issue is found and the developer doesn’t release a patch in a timely manner. You can read more about this <a href="https://developer.wordpress.org/plugins/wordpress-org/alerts-and-warnings/" target="_blank" rel="noopener noreferrer">here</a>.</p> <h3 align="justify">Relevant Vulnerabilities</h3> <p align="justify"><a href="https://wpscan.com/vulnerability/10478" target="_blank" rel="noopener noreferrer">secure-file-manager</a>:<br /> <b>Authenticated File Upload</b></p> <p align="justify"><a href="https://wpscan.com/vulnerability/10471" target="_blank" rel="noopener noreferrer">ait-csv-import-export</a>:<br /> <b>Unauthenticated File Upload</b></p> <p align="justify"><a href="https://wpscan.com/vulnerability/10457" target="_blank" rel="noopener noreferrer">augmented-reality</a>:<br /> <b>Unauthenticated File Upload</b></p> <p align="justify">These plugins have critical vulnerabilities that when exploited would give an attacker complete control over your website. All of them are closed, which means no new installs are allowed but old installs will work without any issues, thus, please check if you have any of them installed <i>(</i><b><i>even if it’s not activated</i></b>) and remove them from your plugins folder.</p> <p align="justify"><a href="https://wpscan.com/vulnerability/10479" target="_blank" rel="noopener noreferrer">woocommerce-anti-fraud</a>:<br /> <b>Unauthenticated Order Status Manipulation</b></p> <p align="justify">Versions < 3.3 of this plugin have a bug that when exploited could cause unnecessary damage to your online store. An unauthenticated attacker would be able to change the status of all the orders making it difficult to handle them since the data will not be reliable. On <strong>November 23</strong> the developer released a <a href="https://dzv365zjfbd8v.cloudfront.net/changelogs/woocommerce-anti-fraud/changelog.txt" target="_blank" rel="noopener noreferrer">new version</a>.</p>
