We take a lot of precautions when it comes to the safety and security of your website, but once we hand the website off to you, the burden of maintaining it falls on you. Nicely Done Sites offers a maintenance agreement so that we can continue to maintain your website and keep it as safe and secure as possible. We highly recommend that all of our clients purchase one, but it is not mandatory. If not, we hope that you at least keep your WordPress website up to date, and in this series of posts we are going to detail some of the vulnerabilities discovered recently.
Media File Manager
The Media File Manager should only be available to a user with Administrator access; however, multiple vulnerabilities were discovered that, when combined, could lead to PHP code execution and allow anyone to read sensitive files. This issue has not been fixed yet.
Better WordPress reCAPTCHA
This is a Cross-Site Scripting (XSS) vulnerability, where an attacker is able to insert browser-executable code into an HTTP response. It affects users who open a malicious link: the page returns an error message to the user while the reCAPTCHA is disabled and controlled by the attacker. This particular plugin has not been under development for some time, so it may be better to get a more updated version or use another plugin free of these vulnerabilities.
GDPR Compliance
A vulnerability was discovered in the GDPR Compliance plugin that allows unauthorized users to execute any action and to update the database, because one of the plugin's PHP pages does not check the user's credentials. This issue has been fixed.
Ninja Forms
Another XSS vulnerability. It was possible to insert code into a Ninja Forms submission form, which could allow unauthorized access. It has since been fixed.
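Both the reCAPTCHA and the Ninja Forms issues above come down to the same mistake: text supplied by a visitor is written into a page without being escaped. The following is an added example written for this post, not code from either plugin; the submission array is a constructed stand-in for a stored form entry, and render_unsafe and render_safe are illustrative names. It shows the vulnerable pattern beside the hardened one in plain PHP, which runs without WordPress.

```php
<?php
// Added example (not from the post or any plugin): rendering a stored form
// submission with and without output escaping.

// Constructed sample submission, as a plugin might store it after a visitor
// posts a contact form. The "message" field carries a script tag.
$submission = [
    'name'    => 'Alice',
    'message' => '<script>alert("xss")</script>',
];

// Vulnerable rendering: the stored string is placed straight into the page,
// so the browser treats the <script> tag as code and executes it.
function render_unsafe(array $row): string {
    return '<p>' . $row['name'] . ' wrote: ' . $row['message'] . '</p>';
}

// Hardened rendering: every untrusted value is HTML-escaped at output time.
// ENT_QUOTES also escapes single quotes so the same helper is safe inside
// attribute values; ENT_SUBSTITUTE replaces invalid UTF-8 instead of
// returning an empty string. The WordPress equivalents are esc_html() and
// esc_attr().
function esc(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_safe(array $row): string {
    return '<p>' . esc($row['name']) . ' wrote: ' . esc($row['message']) . '</p>';
}

// Detection helper for the demonstration: does the rendered HTML still
// contain a live script tag?
function contains_script_tag(string $html): bool {
    return stripos($html, '<script') !== false;
}

echo "unsafe: ", render_unsafe($submission), PHP_EOL;
echo "safe:   ", render_safe($submission), PHP_EOL;
echo "unsafe has live tag: ", var_export(contains_script_tag(render_unsafe($submission)), true), PHP_EOL;
echo "safe has live tag:   ", var_export(contains_script_tag(render_safe($submission)), true), PHP_EOL;
```

The point to take away is that escaping belongs at the moment of output, in the context the value is used (HTML body, attribute, JavaScript, URL), rather than at the moment the form is saved; a value that is safe in one context is not automatically safe in another.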
Yoast SEO
This is a race condition, where a system tries to perform two or more operations simultaneously when they should be done in sequence. This issue has been fixed.
Download WP-DBManager
This vulnerability was discovered in October and patched over the Thanksgiving holiday. It caused files to be deleted arbitrarily from the database, which would lead to errors when trying to retrieve those files and a non-functional database.
Ultimate Member
This plugin has a cross-site request forgery (CSRF) vulnerability, which forces an authenticated end user to execute an unwanted action. These attacks typically use this vulnerability to change a user’s information or login credentials, or to purchase something. The website has no way to distinguish between the real user and an attacker, since the user is logged in. These are similar to XSS attacks. This vulnerability was fixed within 4 days of its discovery.
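The GDPR Compliance issue (a page that never checks who is calling it) and the Ultimate Member issue (a logged-in user's browser being made to submit a request it did not intend) are closed by two separate checks in the same handler: a per-user, per-action token that a cross-site form cannot know, and an authorization check on what that user is allowed to do. The following is an added example written for this post, not code from either plugin or from WordPress; the secret, the user table, the session and the request arrays are all constructed stand-ins, and update_email_unsafe / update_email_safe are illustrative names. It is plain PHP so it runs on its own; the comments name the WordPress functions that play the same roles.

```php
<?php
// Added example, not code from the post or from the Ultimate Member or GDPR
// Compliance plugins: a profile-update handler first without, then with, the
// two checks described above. SECRET, $users, $session and the request
// arrays are constructed stand-ins for a real server secret, user table,
// session and HTTP POST.

const SECRET = 'constructed-server-secret-replace-me';

// Issue a token tied to the logged-in user and one specific action, valid
// for roughly an hour. In WordPress this role is played by wp_create_nonce()
// and wp_nonce_field().
function csrf_token(int $user_id, string $action, int $now): string {
    $window = intdiv($now, 3600);
    return hash_hmac('sha256', "$window|$action|$user_id", SECRET);
}

// Accept the current and the previous window, so a form filled in just
// before the hour rolled over is still valid; compare in constant time.
// WordPress equivalents: wp_verify_nonce() / check_admin_referer().
function csrf_verify(string $token, int $user_id, string $action, int $now): bool {
    foreach ([0, 1] as $back) {
        $expected = csrf_token($user_id, $action, $now - 3600 * $back);
        if (hash_equals($expected, $token)) {
            return true;
        }
    }
    return false;
}

// Vulnerable handler: it trusts that the browser is logged in (the session
// cookie is sent automatically even for a form hosted on another site) and
// never asks whether this user may edit the target account.
function update_email_unsafe(array $post, array &$users): bool {
    $users[(int) $post['target']]['email'] = $post['email'];
    return true;
}

// Hardened handler: (1) the request must carry a token that only a page
// rendered for this user and this action could contain; (2) the user must
// be allowed to edit the target account (WordPress: current_user_can()).
function update_email_safe(array $session, array $post, array &$users, int $now): bool {
    $uid = (int) $session['user_id'];
    if (!csrf_verify($post['_token'] ?? '', $uid, 'update_email', $now)) {
        return false; // no token, or a token for another user/action
    }
    $target = (int) $post['target'];
    $may_edit_others = $users[$uid]['role'] === 'admin';
    if ($target !== $uid && !$may_edit_others) {
        return false; // plain users may only edit themselves
    }
    $users[$target]['email'] = $post['email'];
    return true;
}

// Constructed fixture: two ordinary accounts, Alice's session, and three
// requests: a forged one without a token, a legitimate one, and one that
// carries Alice's valid token but points at Bob's account.
$users = [
    1 => ['role' => 'subscriber', 'email' => 'alice@example.invalid'],
    2 => ['role' => 'subscriber', 'email' => 'bob@example.invalid'],
];
$now     = 1700000000;
$session = ['user_id' => 1];
$forged  = ['target' => 1, 'email' => 'changed@example.invalid'];
$legit   = ['target' => 1, 'email' => 'alice.new@example.invalid',
            '_token' => csrf_token(1, 'update_email', $now)];
$other   = ['target' => 2, 'email' => 'changed@example.invalid',
            '_token' => csrf_token(1, 'update_email', $now)];

echo "forged request accepted:      ", var_export(update_email_safe($session, $forged, $users, $now), true), PHP_EOL;
echo "legitimate request accepted:  ", var_export(update_email_safe($session, $legit,  $users, $now), true), PHP_EOL;
echo "edit of other user accepted:  ", var_export(update_email_safe($session, $other,  $users, $now), true), PHP_EOL;
echo "alice now: ", $users[1]['email'], "; bob still: ", $users[2]['email'], PHP_EOL;
```

Note that the token check and the authorization check are independent: a valid token proves the request came from a page served to this user, and nothing more, so the handler still has to decide whether that user is permitted to change the account in question.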
Input Validation with WordPress 4.9.8
This is an input validation vulnerability in thumbnail processing that can result in remote code execution. An attacker abuses a thumbnail upload made by a legitimate user; this allows the attacker to modify some files, but the attacker never gains control of those files. The exploit requires little skill but may only be possible with certain plugins installed. It has not been fixed since being discovered in September.
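The general defence against input validation problems in file handling is to decide server-side, from the file's bytes rather than its name, whether an upload is really the image it claims to be before anything processes it. The following is an added example written for this post and is not the WordPress core fix for 4.9.8; the ALLOWED table, the reject_reason function and the two temporary files are constructed for the demonstration. It is plain PHP and runs on its own; in a WordPress plugin the same decision would sit in a wp_handle_upload_prefilter callback alongside wp_check_filetype_and_ext().

```php
<?php
// Added example, not the WordPress core fix: a server-side check that an
// uploaded "thumbnail" really is an image. ALLOWED, reject_reason() and the
// fixture files below are constructed for this demonstration.

const ALLOWED = [
    'png'  => 'image/png',
    'jpg'  => 'image/jpeg',
    'jpeg' => 'image/jpeg',
    'gif'  => 'image/gif',
];

// Returns null when the file is acceptable, otherwise the reason it was
// rejected. $client_name is the name the browser sent; $tmp_path is where
// the server stored the bytes.
function reject_reason(string $client_name, string $tmp_path): ?string {
    // 1. Never trust the browser-supplied name: drop any path component and
    //    allow only a known extension.
    $base = basename($client_name);
    $ext  = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!isset(ALLOWED[$ext])) {
        return "extension '$ext' not allowed";
    }
    // 2. Sniff the real content type from the bytes, not from the name.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $real  = $finfo->file($tmp_path);
    if ($real !== ALLOWED[$ext]) {
        return "content is $real, not " . ALLOWED[$ext];
    }
    // 3. Require that the image library can actually parse the header.
    if (@getimagesize($tmp_path) === false) {
        return 'not a decodable image';
    }
    return null;
}

// Constructed fixtures: a genuine 1x1 PNG, and a text file that merely
// carries a .png name.
$png = base64_decode(
    'iVBORw0KGgoAAAANSUhEUgAAAAEAAAABCAYAAAAfFcSJAAAADUlEQVR42mNkYPhfDwAChwGA60e6kgAAAABJRU5ErkJggg=='
);
$real_png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($real_png, $png);
$fake_png = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($fake_png, "<?php echo 'not an image'; ?>\n");

echo "real png as photo.png:  ", var_export(reject_reason('photo.png', $real_png), true), PHP_EOL;
echo "text file as photo.png: ", var_export(reject_reason('photo.png', $fake_png), true), PHP_EOL;
echo "real png as notes.txt:  ", var_export(reject_reason('notes.txt', $real_png), true), PHP_EOL;

unlink($real_png);
unlink($fake_png);
```

The three checks catch different things: the extension allowlist stops unexpected file types, the content sniff stops a renamed file, and the decode attempt stops a file whose header looks right but whose body the image library cannot handle. None of them replaces keeping WordPress itself up to date, since the flaw described above is in core thumbnail processing rather than in the upload step.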
Do you use any of these plugins on your website? If you do, you need to make sure that your WordPress site is up to date. Don’t forget that Nicely Done Sites also offers Maintenance Agreements for the websites that we build. We can keep an eye on this for you and take care of it, so you do not need to worry.