These monthly reports are provided for the WordPress community at large from Pagely’s head of security, Robert Rowley. Rowley and the entire security team keep their finger on the pulse of any potential vulnerabilities that might affect our customers, as well as any WordPress user.
We sincerely hope these efforts help any and all that could use information from the experts on monthly security issues. We commend the researches and developers that help to identify and patch these issues in a timely fashion.
WordPress 5.4.2 Security Release
A WordPress Security release (5.4.2) was made available on June 10th.
This release addresses the following 6 vulnerabilities:
- Authenticated XSS in the block editor
- Authenticated XSS in media files
- Authenticated XSS in theme uploads
- Privilege escalation in set-screen-option()
- Open redirect in wp_validate_redirect()
- Information leak allowing comments to be read from password-protected posts and pages.
Plugin/Theme Vulnerabilities of Note
Removed from Repo
WordPress website owners who have the following plugins installed are strongly encouraged to remove them from their websites or find a replacement as soon as possible. These plugins were removed from the WP.org plugin repository due to inaction of the developer to patch one or more security flaws:
High Severity Vulnerabilities
ACF to REST API
The acf-to-rest-api plugin versions before 3.3.0 are affected by a vulnerability which would disclose the values of the wp_options table to attackers. This vulnerability has varying severity based on what data is contained in a site’s wp_options table.
The kingcomposer plugin versions before 2.9.4 lack proper access controls for ajax endpoints, many of these ajax endpoints also include vulnerabilities which users with a valid accounts could target to change WordPress option values, inject content, store XSS code, delete files on the site or execute arbitrary code.
The wpdiscuz plugin versions before 5.3.6 are affected by an unauthenticated SQL injection vulnerability. This plugin is currently on release 7.0.3, and the plugin author is making 5.3.6 available as a back port for site owners not ready for version 7.
Brizy – Page Builder
Brizy Page Builder before version 1.0.126 is susceptible to an access control vulnerability via AJAX calls which allows a user with minimal privileges the ability to access editor functions.
The Jobsearch premium plugin before version 1.5.1 is affected by an unauthenticated reflected cross-site scripting vulnerability. The Proof of Concept is provided within the link below and is easily replicated: