Monthly WordPress Security Roundup [August 2020]

Hello everyone, it’s Kanishk from Astra Security. This is another edition of the Monthly WordPress Security Roundup for August 2020. Today we’ll discuss the core changes in the new WordPress 5.5 updates, recent vulnerabilities found in WP plugins and themes, and some other security issues. So, let’s get straight into the news.

WordPress rolls out version 5.5

On 11th August, WordPress rolled out its latest version 5.5 with the changes to its block editor interface (1500+), enhancements and feature requests (150+), bug fixes (300+), and more. The update also added a new feature called ‘Automatic updates’ for themes and plugins and suspended a couple of themes due to violations of WP theme guidelines.

We’ve also seen many publishers complaining about some unexpected behaviors after updating to WordPress 5.5. You can check this article on how to find and fix them.

Whereas, this month, no WordPress core security vulnerabilities were disclosed.

New feature of auto-updates for updating themes and plugins:

The newly introduced ‘Automatic updates’ feature allows site owners to enable auto-updates for individual plugins and themes. This will help in improving the site security and functionality by shortening the time of doing manual updates for each plugin or theme. Many of the 455 million websites powered by WordPress still run vulnerable plugin versions for weeks or even months after the release of security patches. This feature is expected to reduce that number and prevent the sites from being hacked. 

The Automatic updates feature will be disabled by default, but you can enable it by going to Plugins section in your WP menu and click on Enable auto-updates as shown in below image:

UI changes for block editor:

WordPress 5.5 included 1500+ changes to the block editor user interface “in the hope of simplifying iconography, color palette, focus, and general interface.” For more info, check here. 

WordPress themes suspended:

WordPress has penalized the WPAstra theme which is a first non-default WordPress theme that crossed over 1 Million installs mark. This temporary suspension was enforced due to a violation of the WP theme review guidelines. Similar to this case, the Zerif Lite theme was also suspended. Both the themes were found injecting affiliate links into their theme code that lead to a said temporary suspension. 

Vulnerabilities discovered in WordPress themes and plugins

This month, a lot of critical vulnerabilities were discovered and patched in the WordPress plugins, and themes. Many of these plugins and themes are quite popular with WordPress website owners and there is a strong possibility you might be using one.

Here are those:

1. Newsletter plugin 

• Newsletter WordPress plugin below v6.8.2 has a reflected Cross-Site Scripting (XSS) flaw and a PHP Object Injection vulnerability that can allow attackers to add rogue admins, inject backdoors, and even take over the site access after the successful exploitation.  
• Vulnerabilities are patched in the Newsletter plugin version >6.8.3.

2. Divi Theme, Extra Theme, and Divi Builder plugin (by Elegant Themes)

• Users that have access to the builder using Divi v3.0 and above, Extra v2.0 and above, or Divi Builder v2.0 and above should update their plugin to the latest version v4.5.3
• Vulnerabilities found in these versions were – privilege escalation and remote code execution (RCE).

3. Facebook Chat Plugin

• The Official Facebook Chat Plugin for WordPress < = version 1.5 has a high severity Authenticated Options Change vulnerability that can allow attackers to “connect their own Facebook Messenger account and engage in chats with the site visitors.”
• The flaw is fixed in the patched version 1.6.

4. Quiz and Survey Master plugin

• WordPress Quiz Plugin – Quiz And Survey Master < = version 7.0.0 has critical Arbitrary file upload & deletion flaws that can allow unauthenticated attackers to launch varying attacks – including fully taking over vulnerable websites.
• The patched versions are above v7.0.1 

5. Advanced Access Manager

• WordPress plugin Advanced Access Manager (AMM) <6.6.2 has high-severity authorization bypass and privilege escalation vulnerability that can lead to the site takeover.
• It is advised to the AMM plugin users to immediately update the plugin to its fully patched version 6.6.2

6. TinyMCE Editor

• TinyMCE Editor, an open-source text editor used in the content management systems (CMS) of websites has a cross-site scripting (XSS) vulnerability in its 5.2.1 and earlier versions. 
• Recommendations: Update to version 4.9.11 or 5.4.1

7. Discount Rules for WooCommerce

• WordPress WooCommerce plugin Discount Rules (versions 2.0.2 and below) has SQL injection, authorization issues, and unauthenticated stored cross-site scripting (XSS) security vulnerabilities that hackers have found exploiting.
• Patched version: 2.1.0 

8. WooCommerce extension NAB Transact

• WooCommerce extension NAB Transact (below version 2.1.0) has a security vulnerability that can allow hackers to bypass payments.
• The payment bypass vulnerability is fixed in the version 2.1.2

Websites that are running on Astra Security’ Firewall are already protected from XSS, RCE, PHP object injection, arbitrary file upload & deletion, authorization bypass, and SQL injection attacks against such vulnerabilites.

A Tip: “Earlier this month cPanel and WebHost Manager (WHM) users began reporting a targeted phishing email campaign with an email subject of “cPanel Urgent Update Request” that was pretending to be a security advisory from the company. This fake advisory stated that updates had been released to fix “security concerns” in cPanel and WHM software versions 88.0.3+, 86.0.21+, and 78.0.49+, and recommends all users install the updates.” (Source)

That does it for this month’s WordPress Security Roundup. Stay safe from any unanticipated attack and be aware of the security vulnerabilities and latest patches. From all of us here at Astra Security, have a great month ahead and we’ll catch you up next time.

Astra Security Suite – WordPress Security Plugin Can Help Secure Your Site

Astra Security Suite, WordPress security plugin, is the go-to security suite for your WordPress website. With Astra Security Suite, you don’t have to worry about any malware, credit card hack, SQLi, XSS, SEO Spam, comments spam, brute force & 100+ types of threats. This means you can get rid of other security plugins & let Astra Security take care of it all.

Source: Security Feed