WordPress Security Updates: April 2020

These monthly reports are provided for the WordPress community at large from Pagely’s head of security, Robert Rowley. Rowley and the entire security team keep their finger on the pulse of any potential vulnerabilities that might affect our customers, as well as any WordPress user.

We sincerely hope these efforts help any and all that could use information from the experts on monthly security issues. We commend the researches and developers that help to identify and patch these issues in a timely fashion.

WordPress Core

A WordPress Security release (5.4.1) was made available on Wednesday, Apr 29th.

This release addresses the following 7 vulnerabilities:

  • Unauthenticated viewing of some private posts
  • Two XSS (Cross Site Scripting) vulnerabilities fixed in WordPress customizer
  • XSS in wp-object-cache
  • XSS in file upload process
  • XSS in search block
  • Password reset tokens not being invalidated

Plugin/Theme Vulnerabilities of Note

WordPress website owners who have the following plugins installed are strongly encouraged to remove them or find a replacement as soon as possible. These plugins were removed from the WP.org or CodeCanyon plugin repositories due to inaction of the developer to patch one or more security flaws:

  • art-picture-gallery
  • bsi-hotel-pro
  • car
  • catch-breadcrumb
  • contact-form-7-datepicker
  • poll-wp
  • support-ticket-system-by-phoeniixx
  • widget-settings-importexport
  • wp-advanced-search
  • wp-post-page-clone
  • wp-gdpr-core

The following plugins had high severity vulnerabilities addressed in April:

Simple File List

This plugin has a low install count of 4,000+ but has a high-risk arbitrary file upload vulnerability in versions lower than 4.2.3 which can lead to remote code execution. The vulnerability allows an unauthenticated user to upload an image file with PHP code in it, then make a second request to rename the image file’s extension .php, making it executable via the web.

Media Library Assistant

With over 60,000+ installs, the Media Library Assistant plugin had an authenticated remote code execution vulnerability that was fixed in version 2.82.


The LearnDASH premium plugin (sfwd-lms) is vulnerable to a remote unauthenticated SQL injection vulnerability. This could allow attackers to manipulate the database on the hosted website. It is strongly recommended site owners ensure their sfwd-lms plugin is updated to version 3.1.6 or higher, this must be done manually as it is a premium plugin and may require re-purchase to receive this patch.

Tickera WordPress Event Ticketing

Site owners using the Tickera WordPress Event Ticketing plugin should update immediately to version or higher. There exists a public exploit that shows attackers how they can download a PDF which includes information on all registered attendees for an even. This poses a high risk for site owners who are concerned about protecting private data.


LifterLMS versions before 3.37.15 did not properly check file type or paths when updating files on the webserver, which could lead to an attacker being able to write web executable files to the site. This is considered a high-risk vulnerability and recommended site owners update immediately.

See previous months’ WordPress security updates from March and February.

New Posts in your inbox