We take a lot of precautions when it comes to the safety and security of your website, but once we hand your website off to you, the burden of maintaining it falls on you. Nicely Done Sites offers a maintenance agreement so that we can continue to maintain your website and keep it as safe and secure as possible. We highly recommend that all of our clients purchase one, but it is not mandatory. If you do not, we hope that you at least keep your WordPress website up to date, and in this series of posts we will detail some of the vulnerabilities discovered recently.

The calendar has turned to May, so below is a list of vulnerabilities disclosed during the month of April. April saw some major vulnerabilities disclosed, so if you have any of these plugins installed you should take action if you haven’t already. And if you haven’t been keeping up, check out last month’s list of vulnerabilities. For a more detailed description of these issues, click here.

Plugins

Ultimate Member

This is a Cross-Site Request Forgery (CSRF) vulnerability that took advantage of a logged-in user’s edit form to allow an attacker to change the email address on the administrator profile. This lets them reset the password via the forgot-password option, which sends the reset email to the new address, after which the attacker has full access to the site. This vulnerability was published on April 1 and fixed two days later. This is a popular plugin, the top user profile and membership plugin on WordPress, so if you use it, update now.
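The two checks that stop this class of attack are a nonce on the form (so a request forged from another site is rejected) and a capability check on the target user (so a low-privileged account cannot edit someone else’s profile). Below is an added example of a profile email-change form and its handler written that way. It is not Ultimate Member’s code; it assumes it runs inside WordPress as part of a hypothetical plugin, and every name with the "nds_" prefix is a placeholder.

```php
<?php
// Added example (not Ultimate Member's code). Assumes it runs inside WordPress as
// part of a hypothetical plugin; the "nds_" function, hook and field names are placeholders.

// The form: the hidden nonce field ties this submission to one action, one user and
// one session, which a page on an attacker's site cannot reproduce.
function nds_render_email_form() {
    $user = wp_get_current_user();
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'nds_change_email_' . $user->ID, 'nds_email_nonce' ); ?>
        <input type="hidden" name="action" value="nds_change_email">
        <input type="hidden" name="user_id" value="<?php echo esc_attr( $user->ID ); ?>">
        <input type="email" name="new_email" value="<?php echo esc_attr( $user->user_email ); ?>">
        <button type="submit">Change email</button>
    </form>
    <?php
}

// The handler: a forged cross-site POST arrives with the victim's cookies, but
// without a valid nonce it is rejected before anything is changed.
function nds_handle_change_email() {
    $user_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : 0;
    $nonce   = isset( $_POST['nds_email_nonce'] ) ? sanitize_text_field( wp_unslash( $_POST['nds_email_nonce'] ) ) : '';

    // 1. CSRF check: the nonce must match this action for this specific user id.
    if ( ! $user_id || ! wp_verify_nonce( $nonce, 'nds_change_email_' . $user_id ) ) {
        wp_die( 'Invalid request.', 403 );
    }
    // 2. Authorization check, independent of the nonce: the caller must be allowed
    //    to edit this profile. A subscriber submitting another user's id is refused here.
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( 'You are not allowed to edit this user.', 403 );
    }
    // 3. Input validation.
    $new_email = sanitize_email( wp_unslash( $_POST['new_email'] ?? '' ) );
    if ( ! is_email( $new_email ) ) {
        wp_die( 'Invalid email address.', 400 );
    }
    $user = get_userdata( $user_id );
    if ( ! $user ) {
        wp_die( 'Unknown user.', 404 );
    }
    $old_email = $user->user_email;

    $result = wp_update_user( array( 'ID' => $user_id, 'user_email' => $new_email ) );
    if ( is_wp_error( $result ) ) {
        wp_die( esc_html( $result->get_error_message() ), 500 );
    }
    // 4. Tell the OLD address: if the password-recovery channel is hijacked, the
    //    real owner hears about it instead of finding out when they are locked out.
    wp_mail( $old_email, 'Your account email address was changed', 'New address: ' . $new_email );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : home_url() );
    exit;
}
add_action( 'admin_post_nds_change_email', 'nds_handle_change_email' );
```

The order matters: the nonce is checked first so that a forged request never reaches the capability check or touches the database, and the capability check is kept even though the nonce already identifies the user, because the two guard against different mistakes.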

WP Google Maps

This is an unauthenticated SQL injection vulnerability exploitable through the plugin’s REST API. It was made public on April 2 and fixed the next day.

Duplicate Page

This authenticated SQL injection vulnerability allows an attacker to potentially steal sensitive information such as passwords or, in the worst case, compromise your WordPress installation. It can also be escalated into a PHP Object Injection vulnerability, depending on what other plugins are installed. This is a popular plugin, with around 800,000 installs, that allows a page to be duplicated. The action that creates the duplicate page does not perform a privilege check, so a less privileged user could insert their own data and compromise the site. The issue was discovered in late March and fixed in early April. If you use this plugin, update it immediately.
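Both halves of this issue, a missing privilege check and a query built from user input, have standard fixes in WordPress. Below is an added example of a "duplicate post" action showing the vulnerable shape next to a hardened one. It is not the Duplicate Page plugin’s code; it assumes WordPress is loaded, and the "nds_" names and the admin.php action are placeholders.

```php
<?php
// Added example, not the Duplicate Page plugin's code. Assumes WordPress is loaded;
// the "nds_" action, function and link names are placeholders.

// Vulnerable shape (for recognition only): the post id is interpolated straight into
// SQL, and nothing asks whether the caller may touch the post being copied.
function nds_duplicate_post_unsafe() {
    global $wpdb;
    $post_id = $_GET['post'];
    $row     = $wpdb->get_row( "SELECT * FROM {$wpdb->posts} WHERE ID = $post_id", ARRAY_A );
    // ... copy $row into a new post
}

// Hardened handler, hooked to admin.php?action=nds_duplicate_post&post=<id>.
function nds_duplicate_post() {
    global $wpdb;

    // CSRF: the triggering link must carry the nonce that nds_duplicate_link() adds.
    check_admin_referer( 'nds_duplicate_post' );

    // Authorization, part 1: the caller must be allowed to edit the source post.
    $post_id = isset( $_GET['post'] ) ? absint( $_GET['post'] ) : 0;
    if ( ! $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( 'You are not allowed to duplicate this item.', 403 );
    }

    // SQL: the id is bound through a %d placeholder, never concatenated.
    $row = $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$wpdb->posts} WHERE ID = %d", $post_id ),
        ARRAY_A
    );
    if ( ! $row ) {
        wp_die( 'Post not found.', 404 );
    }

    // Authorization, part 2: the caller must also be allowed to create posts of that type.
    $type = get_post_type_object( $row['post_type'] );
    if ( ! $type || ! current_user_can( $type->cap->create_posts ) ) {
        wp_die( 'You are not allowed to create this type of content.', 403 );
    }

    // Create the copy through the API rather than a raw INSERT: the copy starts as a
    // draft owned by the caller and goes through the usual filters.
    // wp_insert_post() expects slashed data, hence wp_slash().
    $new_id = wp_insert_post( wp_slash( array(
        'post_title'   => $row['post_title'] . ' (copy)',
        'post_content' => $row['post_content'],
        'post_excerpt' => $row['post_excerpt'],
        'post_type'    => $row['post_type'],
        'post_status'  => 'draft',
        'post_author'  => get_current_user_id(),
    ) ), true );
    if ( is_wp_error( $new_id ) ) {
        wp_die( esc_html( $new_id->get_error_message() ), 500 );
    }
    wp_safe_redirect( get_edit_post_link( $new_id, 'raw' ) );
    exit;
}
add_action( 'admin_action_nds_duplicate_post', 'nds_duplicate_post' );

// The "Duplicate" link: the nonce is generated here and checked above.
function nds_duplicate_link( $post_id ) {
    $url = admin_url( 'admin.php?action=nds_duplicate_post&post=' . absint( $post_id ) );
    return wp_nonce_url( $url, 'nds_duplicate_post' );
}
```

Note that the capability check is done per post (edit_post with the id), not just "is the user logged in": that is the difference between a subscriber being able to copy only what they could already edit and being able to copy, and then edit, anything on the site.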

Yuzo Related Posts

This plugin has a stored XSS vulnerability due to missing authentication checks in the routines that store plugin data in the database. This allows an attacker to inject code into the plugin’s settings, which is then inserted into an HTML template and executed when a visitor comes to the site. This could be used to deface a website, redirect visitors, or compromise the administrator account. This vulnerability was discovered at the end of March and has not been patched. The plugin has been removed from the WordPress plugin directory. It may be a good idea to disable it or remove it completely.

Yellow Pencil Visual CSS Style Editor

This plugin has two different issues. The first involves a function that is called on every page load and checks whether a specific request parameter has been sent. If it has, the user’s privilege level is escalated, which makes the privilege checks performed later in the request worthless, as the user now has administrative access. The second is the same kind of attack as the previous plugin vulnerability, Yuzo Related Posts. This issue was discovered around the same time, but a security researcher published it immediately, leaving no time for it to be fixed. The plugin has since been removed from the WordPress plugin directory, and users should disable it or remove it until a fix is released.
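The Yuzo and Yellow Pencil entries above describe the same two mistakes from different angles: a save routine that anyone can reach, and a privilege decision made from a request parameter instead of from the logged-in user’s capabilities. Below is an added example showing the privilege-escalation anti-pattern for recognition, followed by a settings save-and-render pair written the safe way. It is not code from either plugin; it assumes WordPress is loaded, and all "nds_" names and the request parameter are placeholders.

```php
<?php
// Added example, not code from Yuzo Related Posts or Yellow Pencil. Assumes WordPress is
// loaded; all "nds_" names and the "nds_editor_mode" parameter are placeholders.

// Anti-pattern, the shape described for Yellow Pencil: code that runs on every page load
// turns a request parameter into administrator rights. Every capability check later in
// the same request then passes for whoever sent that parameter.
function nds_init_unsafe() {
    if ( isset( $_GET['nds_editor_mode'] ) ) {
        wp_set_current_user( 1 ); // do not do this
    }
}
// (deliberately not hooked anywhere)

// Correct shape: saving is gated by a nonce and by a capability WordPress already
// tracks for the session, and the input is sanitized on the way in.
function nds_save_widget_text() {
    check_ajax_referer( 'nds_save_widget_text', 'nonce' );   // CSRF
    if ( ! current_user_can( 'manage_options' ) ) {           // authorization
        wp_send_json_error( 'forbidden', 403 );
    }
    $title = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    // wp_kses_post() keeps the HTML a post author may use and strips <script>,
    // on* event handlers and javascript: URLs, which is what a stored XSS relies on.
    $body  = wp_kses_post( wp_unslash( $_POST['body'] ?? '' ) );
    update_option( 'nds_widget_text', array( 'title' => $title, 'body' => $body ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_nds_save_widget_text', 'nds_save_widget_text' );
// No wp_ajax_nopriv_ hook is registered: anonymous visitors cannot reach the save
// routine at all, which is the check the post says Yuzo was missing.

// Output: escape for the context the value lands in, even though it was sanitized on
// save. Stored data may predate the sanitizer or have been written by another path.
function nds_render_widget_text() {
    $opt = get_option( 'nds_widget_text', array( 'title' => '', 'body' => '' ) );
    printf(
        '<div class="nds-widget" data-title="%s"><h3>%s</h3>%s</div>',
        esc_attr( $opt['title'] ),   // attribute context
        esc_html( $opt['title'] ),   // text context
        wp_kses_post( $opt['body'] ) // HTML fragment context
    );
}
add_action( 'wp_footer', 'nds_render_widget_text' );
```

When reviewing a plugin for the first problem, look for wp_set_current_user(), add_filter('user_has_cap', ...) or similar calls sitting behind an isset($_GET[...]) or isset($_POST[...]) test on an init or plugins_loaded hook; a legitimate plugin has no reason to grant roles based on what the request says about itself.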

Download Advanced Contact Form 7 DB

A SQL injection vulnerability was discovered as part of a regular security audit. It allowed an attacker with at least subscriber-level access to leak sensitive information or even compromise an entire WordPress site. The discovery was made at the end of March and a patch was released on April 10. As of the release of the patch it does not appear that any site was compromised, but it should be updated as soon as possible.

WP Download Manager

This authenticated XSS vulnerability is in the category shortcode used to sort categories and reorder items: a parameter can be added to the shortcode that allows script to be executed. This vulnerability appears to affect only the Pro version. It was discovered in mid-April and fixed on April 23.

Contact Form Builder

This is a Cross-Site Request Forgery (CSRF) and Local File Inclusion (LFI) vulnerability. No sanitization is performed on one of the basic actions the plugin performs, which allows an attacker to upload their own file, turning a CSRF issue into an LFI issue. This issue was discovered in mid-March and was fixed on April 22.

WooCommerce Checkout Manager

This arbitrary file upload vulnerability was disclosed by a WordPress security site that is having issues with the WordPress security moderators and has gone rogue. To be clear, this vulnerability is not in the WooCommerce plugin itself; WooCommerce Checkout Manager is a separate plugin. If the Categorize File Upload option is enabled, an unauthenticated remote attacker can upload files to certain directories, where they could execute server-side script code. The end result could allow an attacker to gain access to the site and compromise it. This vulnerability was disclosed on April 25 and no fix has been released yet.
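An upload handler is only as safe as its three answers to who may upload, what may be uploaded, and where it goes. Below is an added example of a checkout attachment handler that answers all three using WordPress’s own upload functions. It is not WooCommerce Checkout Manager’s code; it assumes WordPress is loaded, and the "nds_" names and the "nds_attachment" field are placeholders.

```php
<?php
// Added example, not WooCommerce Checkout Manager's code. Assumes WordPress is loaded;
// the "nds_" hook and function names and the "nds_attachment" field are placeholders.

function nds_handle_checkout_upload() {
    // 1. Who: admin_post_{action} fires only for logged-in users (there is deliberately
    //    no admin_post_nopriv_ hook), and the form must carry a nonce.
    check_admin_referer( 'nds_checkout_upload', 'nds_upload_nonce' );
    if ( ! is_user_logged_in() ) {
        wp_die( 'Please log in.', 403 );
    }
    if ( empty( $_FILES['nds_attachment'] ) || UPLOAD_ERR_OK !== $_FILES['nds_attachment']['error'] ) {
        wp_die( 'No file received.', 400 );
    }
    $file = $_FILES['nds_attachment'];

    // 2. What: an explicit allow-list of extension/MIME pairs. Anything the web server
    //    would execute (php, phtml, ...) is simply not on it; no deny-list to get wrong.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );
    if ( $file['size'] > 5 * MB_IN_BYTES ) {
        wp_die( 'File too large.', 413 );
    }
    // wp_check_filetype_and_ext() matches the extension against the list and, for
    // images, checks that the bytes really are an image; a renamed script fails here.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_die( 'File type not permitted.', 415 );
    }

    // 3. Where: wp_handle_upload() moves the file into the uploads directory under a
    //    sanitized, de-duplicated name and re-checks the type; the caller never picks
    //    the destination path, so "upload to certain directories" is not possible.
    $moved = wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => $allowed ) );
    if ( isset( $moved['error'] ) ) {
        wp_die( esc_html( $moved['error'] ), 400 );
    }

    // Record only the resulting path; the client-supplied name is never used again.
    update_user_meta( get_current_user_id(), 'nds_checkout_attachment', $moved['file'] );
    wp_safe_redirect( wp_get_referer() ? wp_get_referer() : home_url() );
    exit;
}
add_action( 'admin_post_nds_checkout_upload', 'nds_handle_checkout_upload' );
```

As a backstop independent of any plugin, the web server should be configured not to execute PHP from the uploads directory at all; then even a handler that gets step 2 wrong cannot hand an attacker code execution.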

Print My Blog

This unauthenticated Server-Side Request Forgery (SSRF) vulnerability allows an attacker to supply a URL that the plugin’s server-side code will fetch. If the attacker controls a web server that the URL points to, this can be escalated into an XSS attack. This was discovered in late April and patched two days later. It is doubtful that anyone was able to exploit this vulnerability before it was made public.
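The defensive pattern for a feature that must fetch a user-supplied URL is to validate the URL before fetching, refuse the server itself and its private network, keep the fetch tightly bounded, and treat whatever comes back as untrusted text. Below is an added example of such a fetch helper built on WordPress’s own URL validation. It is not Print My Blog’s code; it assumes WordPress is loaded, and the "nds_" function and option names are placeholders.

```php
<?php
// Added example, not Print My Blog's code. Assumes WordPress is loaded; the "nds_"
// function name and the "nds_allowed_fetch_hosts" option are placeholders.

// Returns the body of a fetched URL as a string, or a WP_Error, after refusing any
// URL that could point the server at itself or at its private network.
function nds_fetch_external( $url ) {
    // wp_http_validate_url() rejects non-http(s) schemes, credentials embedded in the
    // URL, unusual ports, and hostnames that resolve to loopback, link-local or
    // RFC 1918 ranges. It does allow the site's own hostname, so that case is handled
    // separately below.
    $safe = wp_http_validate_url( $url );
    if ( false === $safe ) {
        return new WP_Error( 'nds_unsafe_url', 'URL rejected by validation.' );
    }

    // An SSRF is most valuable against the server itself (local admin endpoints,
    // internal REST routes), so refuse our own host outright.
    $host = (string) wp_parse_url( $safe, PHP_URL_HOST );
    $own  = (string) wp_parse_url( home_url(), PHP_URL_HOST );
    if ( 0 === strcasecmp( $host, $own ) ) {
        return new WP_Error( 'nds_self_url', 'Fetching the site itself is not allowed.' );
    }

    // Optional allow-list of hosts (assumed option). An empty list means "any public host".
    $allowed_hosts = array_map( 'strtolower', (array) get_option( 'nds_allowed_fetch_hosts', array() ) );
    if ( $allowed_hosts && ! in_array( strtolower( $host ), $allowed_hosts, true ) ) {
        return new WP_Error( 'nds_host_not_allowed', 'Host is not on the allow-list.' );
    }

    // Bounded fetch: short timeout, few redirects (each redirect target is validated
    // again because reject_unsafe_urls is set), and a cap on the response size.
    $resp = wp_safe_remote_get( $safe, array(
        'timeout'             => 5,
        'redirection'         => 2,
        'reject_unsafe_urls'  => true,
        'limit_response_size' => MB_IN_BYTES,
    ) );
    if ( is_wp_error( $resp ) ) {
        return $resp;
    }
    $code = wp_remote_retrieve_response_code( $resp );
    if ( 200 !== $code ) {
        return new WP_Error( 'nds_bad_status', 'Upstream returned HTTP ' . $code );
    }

    // The body is untrusted text from a third party. Callers must escape it (esc_html()
    // or wp_kses_post()) before echoing it; printing it raw is exactly the XSS
    // escalation described above.
    return wp_remote_retrieve_body( $resp );
}
```

The allow-list is the strongest of these controls when the feature has a known set of legitimate sources; the IP-range validation is the fallback when it genuinely has to accept arbitrary public URLs.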

Core

No core vulnerabilities were disclosed during April.

Theme

CarSpot Theme

This theme, which is used by many car dealerships, featured an authenticated stored XSS vulnerability. Poor filtering of input data fields allowed an attacker to insert their own code and have it executed. This issue was discovered in mid-April and was fixed on April 23.
