This article covers our public notifications related to major security issues our clients and the WordPress community should know about. We are always focused on prevention and the mitigation of risk to our clients, and keeping you updated here is part of that process.
List of Vulnerable Plugins During This Month
Plugins Removed From the Repository
The WordPress security team closes a plugin when a security issue is reported and the developer does not release a patch in a timely manner. You can read more about this here. Note that closing a plugin only removes it from the repository and stops updates; copies already installed on your site keep running and stay vulnerable. If you are using one or more of the above plugins, we recommend deactivating them until the developer releases a patch for the mentioned vulnerability, or switching to a better-maintained alternative.
Authenticated WP Options Change
A critical vulnerability was found in this plugin that, when exploited, allows an authenticated attacker to:
- change the site options
- create malicious redirects
- escalate privileges and log in as an administrator
The issue was fixed in the free version in 1.21.12 on October 16. When we checked the premium version, however, it was still vulnerable; it was finally fixed on October 28, after we reported it. If you run the premium version, make sure you are on a build released on or after that date, since the earlier free fix did not cover it. More details here.
WPBakery Page Builder: Authenticated Stored XSS
WPBakery Page Builder (formerly Visual Composer) had a medium-severity stored XSS in versions before 6.4.1 that was exploitable only by high-privilege users. It is still worth patching: a script stored by one privileged user runs in the browser of every other user who views the affected content, administrators included. We recommend all its users update to the latest version.
Loginizer: Unauthenticated SQL Injection
Loginizer had an unauthenticated SQL injection in versions before 1.6.4, caused by the username submitted to the login form being placed into a database query without being escaped or bound as a parameter. An attacker only had to send a login request with a crafted username; no account on the site was required. More information here.
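As an added illustration (not Loginizer's code and not from this post), the following Python/SQLite model shows how a username taken from a login request can subvert an otherwise harmless failed-login logging query when it is spliced into the SQL text, and how binding the same input as a parameter neutralises it. The table and column names are assumptions made for the example; in a real WordPress plugin the equivalent fix is to build the query with $wpdb->prepare() instead of string concatenation.

```python
import sqlite3

# Constructed schema: a minimal stand-in for the WordPress users table and a
# failed-login log table. Names are assumptions for this example, not the
# plugin's real schema. The hash value is made up.
ADMIN_HASH = "$P$BexampleHashValueForTheAdminUser0"


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
        CREATE TABLE login_logs (username TEXT, ip TEXT, count INTEGER);
    """)
    conn.execute("INSERT INTO wp_users VALUES (1, 'admin', ?)", (ADMIN_HASH,))
    conn.commit()
    return conn


def log_failed_login_vulnerable(conn, username, ip):
    """Records a failed login by splicing the submitted username into the SQL text.

    The username comes straight from the body of an unauthenticated login
    request, so whoever controls it controls the statement.
    """
    sql = (
        "INSERT INTO login_logs (username, ip, count) "
        f"VALUES ('{username}', '{ip}', 1)"
    )
    conn.execute(sql)
    conn.commit()


def log_failed_login_fixed(conn, username, ip):
    """Same logging with the values bound as parameters: the username is data,
    never SQL, however it is shaped."""
    conn.execute(
        "INSERT INTO login_logs (username, ip, count) VALUES (?, ?, 1)",
        (username, ip),
    )
    conn.commit()


# Crafted username: closes the quoted string, supplies the remaining columns
# itself (the ip column now receives the admin's password hash via a subquery),
# and comments out the tail of the original statement.
PAYLOAD = "x', (SELECT user_pass FROM wp_users WHERE ID = 1), 1) -- "


def logged_rows(conn):
    return conn.execute("SELECT username, ip, count FROM login_logs").fetchall()


def demo(ip="203.0.113.5"):
    """Runs the crafted username through both versions and returns the rows
    each one wrote, so the difference can be inspected or asserted on."""
    vuln = make_db()
    log_failed_login_vulnerable(vuln, PAYLOAD, ip)
    fixed = make_db()
    log_failed_login_fixed(fixed, PAYLOAD, ip)
    return {"vulnerable": logged_rows(vuln), "fixed": logged_rows(fixed)}


if __name__ == "__main__":
    result = demo()
    print("vulnerable:", result["vulnerable"])
    print("fixed:     ", result["fixed"])
```

In the vulnerable path the log row ends up holding the administrator's password hash in the ip column, written by nothing more than a failed login attempt; in the fixed path the same payload is stored verbatim as a username, which is also what a reviewer of the logs should expect to see after an attack like this.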