New WordPress plugin and theme vulnerabilities were disclosed during the first half of October. In this post, we cover recent WordPress plugin, theme, and core vulnerabilities and what to do if you are running one of the vulnerable plugins or themes on your website.
The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.
WordPress Core Vulnerabilities
There have not been any WordPress core vulnerabilities disclosed in the second half of July.
WordPress Plugin Vulnerabilities
1. XCloner
XCloner versions below 4.2.15 have a Cross-Site Request Forgery vulnerability.
.
2. Ninja Forms Contact Form
Ninja Forms Contact Form versions below 3.4.27.1 have a Cross-Site Request Forgery vulnerability.
3. Coditor
All versions of Coditor have a Cross-Site Request Forgery vulnerability.
4. Simple:Press
Simple:Press versions below 6.6.1 have a Broken Access Control vulnerability, which could lead to a Remote Code Execution attack.
5. WP Courses LMS
WP Courses LMS versions below 2.0.29 have a Broken Access Control vulnerability.
6. Slider by 10Web
Slider by 10Web versions below 1.2.36 have Multiple Authenticated SQL Injection vulnerabilities.
7. WordPress + Microsoft Office 365 / Azure AD
WordPress + Microsoft Office 365 / Azure AD versions below 11.7 have an Authentication Bypass vulnerability.
8. Team Showcase
Team Showcase versions below 1.22.16 have an Authenticated Stored Cross-Site Scripting vulnerability.
9. Post Grid
Post Grid versions below 2.0.73 have an Authenticated Stored Cross-Site Scripting vulnerability.
10. WPBakery Page Builder
WPBakery Page Builder versions below 6.4.1 have an Authenticated Stored Cross-Site Scripting vulnerability.
11. Hypercomments
All versions of Hypercomments Unauthenticated Arbitrary File Deletion vulnerability.
12. Dynamic Content for Elementor
Dynamic Content for Elementor versions below 1.9.6 have an Authenticated Remote Code Execution vulnerability.
13. PowerPress Podcasting
PowerPress Podcasting versions below 8.3.8 have Authenticated Arbitrary File Upload leading issues leading to a Remote Code Execution vulnerability.
WordPress Theme Vulnerabilities
1. Shapely
Shapely versions below v1.2.9 have an Unauthenticated Function Injection vulnerability.
2. NewsMag
NewsMag versions below 2.4.2 have an Unauthenticated Function Injection vulnerability.
3. Activello
Activello versions below 1.4.2 have an Unauthenticated Function Injection vulnerability.
4. Illdy
Illdy versions below 2.1.7 have an Unauthenticated Function Injection vulnerability.
5. Allegiant
Allegiant versions below 1.2.6 have an Unauthenticated Function Injection vulnerability.
6. Newspaper X
Newspaper X versions below 1.3.2 have an Unauthenticated Function Injection vulnerability.
7. Pixova Lite
Pixova Lite versions below 2.0.7 have an Unauthenticated Function Injection vulnerability.
8. Brilliance
Brilliance versions below 1.3.0 have an Unauthenticated Function Injection vulnerability.
9. MedZone Lite
MedZone Lite versions below 1.2.6 have an Unauthenticated Function Injection vulnerability.
10. Regina Lite
Regina Lite versions below 2.0.6 have an Unauthenticated Function Injection vulnerability.
12. Transcend
Transcend versions below 1.2.0 have an Unauthenticated Function Injection vulnerability.
13. Affluent
Affluent versions below 1.1.2 have an Unauthenticated Function Injection vulnerability.
14. Bonkers
Bonkers versions below 1.0.6 have an Unauthenticated Function Injection vulnerability.
15. Antreas
Antreas versions below 1.0.7 have an Unauthenticated Function Injection vulnerability.
16. NatureMag Lite
All versions of NatureMag Lite have an Unauthenticated Function Injection vulnerability.
October Security Tip: Why You Should Use Two-Factor Authentication
Using two-factor authentication for your WordPress website user logins can help keep your website secure even if you use one of the plugins in this edition of the vulnerability roundup with an authentication bypass vulnerability.
Using two-factor authentication for your WordPress website user logins can help keep your website secure even if you are using a plugin with an authentication bypass vulnerability.
Why? Two-factor authentication makes it nearly impossible for an unauthenticated user to login to your website.
What is two-factor authentication? Two-factor authentication is a process of verifying a person’s identity by requiring two separate methods of verification. Two-factor authentication adds an extra layer of WordPress security to verify it’s actually you logging in and not someone who gained access (or even guessed) your password.
Here are a few more reasons to use two-factor authentication to add another layer of protection to your WordPress login.
- Reused passwords are weak passwords. According to the Verizon Data Breach Investigations Report, over 70% of employees reuse passwords at work. But the most important stat from the report is that “81% of hacking-related breaches leveraged either stolen or weak passwords.”
- Even though 91% of people know reusing passwords is poor practice, a staggering 59% of people still reuse their passwords everywhere!
- Many people are still using passwords that have appeared in a database dump. A database dump occurs when a hacker successfully gains access to a user database and then dumps the contents somewhere online. Unfortunately for us, these dumps contain a ton of sensitive login and account information.
- The “Collection #1″ Data Breach that was hosted on MEGA hosted included 1,160,253,228 unique combinations of email addresses and passwords. This kind of score will provide a malicious bot with over a billion sets of credentials to use in brute force attacks. A brute force attacks refer to a trial and error method used to discover username and password combinations to hack into a website.
- Even if you have a strong password, you’re only as secure as every other admin user on your site. Okay, so you are the type of person that uses a password manager like LastPass to create strong and unique passwords for each of your accounts. But what about the other administrator and editor users on your site? If an attacker was able to compromise one of their accounts, they could still do a ton of damage to your website.
- Google has said two-factor authentication is effective against 100% of automated bot attacks. That alone is a pretty good reason.
How to Add Two-Factor Authentication to Secure Your WordPress Login with iThemes Security Pro
The iThemes Security Pro plugin makes it easy to add two-factor authentication to your WordPress websites. With iThemes Security Pro’s WordPress two-factor authentication, users are required to enter both a password AND a secondary code sent to a mobile device such as a smartphone or tablet. Both the password and the code are required to successfully log in to a user account.
To start using Two-Factor Authentication on your website, enable the feature on the main page of the iThemes Security Pro settings.
In this post, we unpack all the steps of how to add two-factor authentication to your site with iThemes Security Pro, including how to use a third-party app like Google Authenticator or Authy.
See how it works
A WordPress Security Plugin Can Help Secure Your Website
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.
Get iThemes Security Pro
The post WordPress Vulnerability Roundup: October 2020, Part 1 appeared first on iThemes.
Source: Security Feed