WordPress Security Updates: May 2020

These monthly reports are provided to the WordPress community at large by Pagely’s head of security, Robert Rowley. Rowley and the entire security team keep their finger on the pulse of any potential vulnerabilities that might affect our customers, as well as any WordPress user.

We sincerely hope these efforts help anyone who could use information from the experts on monthly security issues. We commend the researchers and developers who help to identify and patch these issues in a timely fashion.

WordPress Core

No notable WordPress core security releases.

Plugin/Theme Vulnerabilities of Note

bbPress By The bbPress Contributors

bbPress version 2.6.5 was released on May 28th. This security release addresses multiple vulnerabilities including one which affects sites with New User Registration enabled, allowing privilege escalation on newly created accounts.

WooCommerce By Automattic

A vulnerability in WooCommerce allows users who have access to modify and duplicate products to upload arbitrary PHP code to the website and then execute it. This is an authenticated vulnerability (it requires a user account) and is high risk, as it would allow attackers to execute code on the server itself.

Note: This vulnerability is a Remote Code Execution (RCE) based on our review of mslavco’s findings.

Page Builder by SiteOrigin

The page-builder plugin before version 2.10.16 has a CSRF (Cross-Site Request Forgery) to Reflected XSS (Cross-Site Scripting) vulnerability. Attackers could use it against site administrators to execute code in the administrator’s browser within wp-admin. The attack targets the live editor and action_builder_content functions of the plugin.

Elementor Pro

There is a critical vulnerability in Elementor Pro versions before 2.9.4 which allows any logged-in user to upload and execute PHP scripts. This vulnerability is actively being used together with a registration bypass vulnerability which affects Ultimate Addons for Elementor (described next), allowing for subscriber registration even if registration is disabled.

Ultimate Addons for Elementor

The Ultimate-Elementor plugin before version 1.24.2 allows attackers to create subscriber-level users, even if registration is disabled on a WordPress site. As noted, this vulnerability is being combined with the Elementor Pro vulnerability described above, which may lead to remote code execution on sites with registration open and both Elementor plugins installed.

Photo Gallery By 10Web

This plugin is vulnerable to an unauthenticated SQL injection, which looks to target the gallery_type area of the plugin specifically. Site owners have until June 5th to update to version 1.5.55 or higher before the vulnerability details are made publicly available.

Form Maker By 10Web

A vulnerability in this plugin allows an administrator or higher-level user to perform a SQL injection via Form Maker. Site owners should update to version 1.13.35 or higher as soon as possible, as the security researchers have stated that some details regarding how to exploit this vulnerability have already been released publicly.

Official MailerLite Sign Up Forms By MailerGroup (x2)

The official-mailerlite-sign-up-forms plugin has two recently reported vulnerabilities. In the first, the MailerLite plugin does not sanitize user input data, which leaves a site vulnerable to SQL injection; this vulnerability was fixed in version 1.4.4. The second vulnerability concerns CSRF issues and was patched in version 1.4.5 of this plugin.

WP Product Review Lite By ThemeIsle

The wp-product-review plugin before version 3.7.6 is susceptible to an Unauthenticated Stored XSS attack which bypasses built-in protections, allowing malicious HTML or JavaScript to be stored and injected on all the site’s product pages.
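
The fixed versions listed in this report can be checked against a site's installed plugins; the following is an added example, not code from Pagely or any of the plugin authors. It parses constructed sample output in the shape of `wp plugin list --fields=name,version --format=csv` and compares versions numerically. The plugin slugs are assumed directory names, and WooCommerce is left out because the report gives no fixed version for it.

```python
import csv
import io
import re

# Minimum patched versions from this report. Slugs are assumed directory names;
# confirm them against `wp plugin list` on the site being audited.
MIN_PATCHED = {
    "bbpress": "2.6.5",
    "siteorigin-panels": "2.10.16",  # Page Builder by SiteOrigin (assumed slug)
    "elementor-pro": "2.9.4",
    "ultimate-elementor": "1.24.2",
    "photo-gallery": "1.5.55",
    "form-maker": "1.13.35",
    "official-mailerlite-sign-up-forms": "1.4.5",  # 1.4.4 fixed SQLi, 1.4.5 CSRF
    "wp-product-review": "3.7.6",
}

def version_key(version):
    """'2.10.16' -> (2, 10, 16); a suffix such as '-beta' is dropped."""
    nums = (re.match(r"\d+", p) for p in version.strip().split("."))
    return tuple(int(m.group()) if m else 0 for m in nums)

def is_older(installed, minimum):
    a, b = version_key(installed), version_key(minimum)
    width = max(len(a), len(b))
    pad = lambda t: t + (0,) * (width - len(t))
    return pad(a) < pad(b)  # numeric compare: 2.9.9 is older than 2.10.16

def audit(plugin_csv):
    """Return [(slug, installed, minimum)] for plugins below the patched version."""
    findings = []
    for row in csv.DictReader(io.StringIO(plugin_csv)):
        slug = row["name"].strip().lower()
        minimum = MIN_PATCHED.get(slug)
        if minimum and is_older(row["version"], minimum):
            findings.append((slug, row["version"], minimum))
    return findings

# Constructed sample input, not taken from a real site.
SAMPLE = """name,version
bbpress,2.6.4
siteorigin-panels,2.9.9
elementor-pro,2.9.4
form-maker,1.13.9
akismet,4.1.5
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A plain string comparison would rank 2.9.9 above 2.10.16 and 1.13.9 above 1.13.35, which is why each component is compared as an integer.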

See previous months’ WordPress security updates from April and March.
