WordPress Core
No notable WordPress core security releases.
Plugin/Theme Vulnerabilities of Note
Duplicator Plugin
The Duplicator and Duplicator-Pro plugins both contained a vulnerability that allowed attackers to make a single request to a website, and be able to download arbitrary files from the WordPress website. It is being reported that attackers are actively using this vulnerability, attempting to download files like wp-config.php; which contains the database credentials and secret encryption salts/keys for a hosted WordPress application.
Pagely customers who have not opted out received an update within 24 hours of the patch being available, and Pagely’s security team notified any customer with plugin updates turned off to update their installation immediately. It is valuable to note that our hosting infrastructure design does not allow direct connections to our database servers from remote IP addresses, nor do we store secrets like salts or passwords in the common wp-config.php file.
WooCommerce Flexible Checkout
The Flexible Checkout Fields free plugin addon for sites running WooCommerce were being actively targeted with a series of vulnerabilities that under specific circumstances allowed remote attackers to create their own administrator accounts on an affected site. The developers of the plugin quickly released a patch when they became aware of the problem, and the Pagely security team checked all sites for signs of infection, notifying customers if any action needed to take place.
- https://wpvulndb.com/vulnerabilities/10093
- https://www.wpdesk.net/blog/flexible-checkout-fields-vulnerability/
Pricing Table (Supsystic)
The pricing table plugin versions before 1.8.2 included an AJAX endpoint which performed privileged actions (such as updating database contents) without proper authentication that the request was being made by a valid user on the site. This vulnerability would allow anyone to modify database contents on the site and posed a high risk as the changes they make in the database could lead to running javascript from within the wp-admin panel.
The risk is similar to the Flexible Checkout Fields with the key difference being this was found and reported by security researchers first and was not actively being exploited before the patch was made available before an attack was weaponized.
ThemeREX Addons
Lack of authentication in a REST API endpoint that ThemeREX Addons creates can expose a site to a remote code execution vulnerability. Allowing unauthenticated attackers to execute arbitrary code on sites running an insecure version of this plugin.
No patch has been made available by the developers and people are reporting this is being actively attacked in the meantime. Pagely’s security team is recommending the removal of the plugin if you have it installed.