WordPress Security Updates: November 2020

This article covers our public notifications related to major security issues our clients and the WordPress community should know about. We are always focused on prevention and the mitigation of risk to our clients, and keeping you updated here is part of that process.

List of Vulnerable Plugins During This Month


Plugins Closed by WordPress Security


The WordPress security team closes a plugin when a security issue is found and the developer doesn’t release a patch in a timely manner. You can read more about this here.

Relevant Vulnerabilities

secure-file-manager:
Authenticated File Upload

ait-csv-import-export:
Unauthenticated File Upload

augmented-reality:
Unauthenticated File Upload

These plugins have critical vulnerabilities that, when exploited, would give an attacker complete control over your website. All of them are closed, which means no new installs are allowed, but existing installs will keep working without any issues. Please check whether you have any of them installed (even if they are not activated) and remove them from your plugins folder.

woocommerce-anti-fraud:
Unauthenticated Order Status Manipulation

Versions < 3.3 of this plugin have a bug that, when exploited, could cause unnecessary damage to your online store. An unauthenticated attacker would be able to change the status of all orders, making them difficult to handle because the data would no longer be reliable. On November 23 the developer released a new version.
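One way to run the checks described above (closed plugins still on disk, and woocommerce-anti-fraud below 3.3) across a plugins folder. This is an added example, not code from the plugin developers or from WordPress; it assumes each plugin's directory name matches the slug listed in this article, and the script name in the usage comment is hypothetical.

```python
import re
import sys
from pathlib import Path

# Slugs and the 3.3 threshold come from the article; the assumption is that
# each plugin's directory name under wp-content/plugins equals its slug.
CLOSED_SLUGS = {"secure-file-manager", "ait-csv-import-export", "augmented-reality"}
MIN_FIXED = {"woocommerce-anti-fraud": (3, 3)}

VERSION_RE = re.compile(r"^[ \t/*#@]*Version:\s*(\d+(?:\.\d+)*)", re.I | re.M)


def header_version(plugin_dir):
    """Return the Version header of the plugin's main file as an int tuple."""
    for php in sorted(Path(plugin_dir).glob("*.php")):
        # The plugin header comment sits at the top of the main file.
        head = php.read_text(encoding="utf-8", errors="replace")[:8192]
        match = VERSION_RE.search(head)
        if "Plugin Name:" in head and match:
            return tuple(int(part) for part in match.group(1).split("."))
    return None


def audit(plugins_dir):
    """Return sorted (slug, finding) pairs; inactive plugins are included
    because the scan reads the folder, not the list of active plugins."""
    findings = []
    for entry in Path(plugins_dir).iterdir():
        if not entry.is_dir():
            continue
        slug = entry.name.lower()
        if slug in CLOSED_SLUGS:
            findings.append((slug, "closed plugin, remove the folder"))
        elif slug in MIN_FIXED:
            version = header_version(entry)
            if version is None:
                findings.append((slug, "version not readable, inspect manually"))
            elif version < MIN_FIXED[slug]:
                found = ".".join(map(str, version))
                findings.append((slug, f"version {found} is below 3.3, update"))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python audit_plugins.py /path/to/wp-content/plugins
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    for slug, finding in audit(target):
        print(f"{slug}: {finding}")
```

Versions are compared as integer tuples, so 3.10 is correctly treated as newer than 3.3.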
