WordPress Vulnerability Roundup: December 2020, Part 2

New WordPress plugin and theme vulnerabilities were disclosed during the second half of December. This post covers the recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website.

The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.

In the December, Part 2 Report

WordPress Core Vulnerabilities

No new WordPress core vulnerabilities have been disclosed this month.

The latest version of WordPress core is currently 5.6. As a WordPress security best practice, make sure you’re running the latest version of WordPress core.

WordPress Plugin Vulnerabilities

1. DiveBook

DiveBook versions below 1.1.4 have an Improper Authorization Check, Unauthenticated SQL Injection, & Unauthenticated Reflected XSS vulnerabilities.

Remove the plugin until a security fix is released.

2. Pagelayer

Pagelayer versions below 1.3.5 have Multiple Reflected Cross-Site Scripting vulnerabilities.

The vulnerability is patched, and you should update to version 1.3.5.

3. Ultimate Category Excluder

Ultimate Category Excluder versions below 1.2 have a Cross-Site Request Forgery vulnerability.

The vulnerability is patched, and you should update to version 1.2.

4. Directories Pro

Directories Pro versions below 1.3.46 have Authenticated Reflected Cross-Site Scripting vulnerability.

The vulnerability is patched, and you should update to version 1.3.46.

5. Total Upkeep

Total Upkeep versions below 1.14.10 have a Sensitive Data Disclosure & Unauthenticated Backup Download vulnerabilities.

The vulnerability is patched, and you should update to version 1.14.10.

6. Redux Framework

Redux Framework versions below 4.1.21 have CSRF Nonce Validation Bypass vulnerability.

The vulnerability is patched, and you should update to version 4.1.21.

7. Contact Form 7

Contact Form 7 versions below 5.3.2 have an Unrestricted File Upload vulnerability.

The vulnerability is patched, and you should update to version 5.3.2.

8. Simple Social Media Share Buttons

Simple Social Media Share Buttons versions below 3.2.1 have an Unauthenticated Reflected Cross-Site Scripting vulnerability.

The vulnerability is patched, and you should update to version 3.2.1.

9. Envira Gallery Lite

Envira Gallery Lite versions below 1.8.3.3 have an Authenticated Stored Cross-Site Scripting vulnerability.

The vulnerability is patched, and you should update to version 1.8.3.3.

10. Limit Login Attempts Reloaded

Limit Login Attempts Reloaded versions below 2.16.0 have an Authenticated Reflected Cross-Site Scripting & Login Rate Limiting Bypass vulnerabilities.

The vulnerability is patched, and you should update to version 2.16.0.

WordPress Theme Vulnerabilities

1. ListingPro

ListingPro versions below 2.6.1 have an Unauthenticated Arbitrary Plugin Installation/Activation/Deactivation & Unauthenticated Sensitive Data Disclosure vulnerabilities.

The vulnerability is patched, and you should update to version 2.6.1.

December Security Tip: Why You Need a Universal User for Support

Anytime you create a new user on your website, you are adding another entry point that a hacker could exploit. But there will likely be times you may need some outside help for your website, like when you are seeking support or after hiring an independent contractor. You need a safe, secure way to add temporary admin access to your website.

Granting Outside Access to your Website: Your Typical Bad Options

Typically, you have two options to provide external access to your website…. and neither are great.

1. Share Your Admin User’s Credentials

Your first and worst option is to share the username and password of your WordPress admin user.

Why Sharing Your Admin Credentials is a Terrible Idea

Reduced Security – If you share your user’s credentials, you will have to disable two-factor authentication to allow the person using your credentials to login. Google shared on its blog that using two-factor authentication, or 2-step verification, can stop 100% of automated bot attacks. Disabling two-factor authentication, even for a short period of time, drastically reduces your website’s security.
Inconvenient – Sharing your credentials requires you to change your password. If you forget to change your password, there are one or more people that have admin access to your website whenever they want it.

2. Create a Separate User for the Support Tech

While creating a brand new admin user for the support specialist is better than sharing your admin credentials, it still isn’t great.

Why Creating a User for the Support Tech is Terrible

Increased Vulnerability – Creating a new administrator user adds another point of entry that could be exploited. If you don’t have a password policy in place, the support tech could choose a weak password, making your WordPress login more vulnerable to attack.
Inconvenient – Going through the process of setting up a new user anytime you need outside help is time-consuming. You have to create the new user and then remember to delete the user when they no longer need access to your website. It is a WordPress security best practice to remove any unused users from your website.

Granting Outside Access to Your Website: The Better Way

The iThemes Security Pro Privilege Escalation feature allows you to grant a user extra capabilities temporarily.

Privilege Escalation makes it easy and safe to create a universal user that you can give to any outside developers or support techs that need temporary access to your website.

With Privilege Escalation, you can create a new user and name it Support and give it the Subscriber user role. The next time you need to provide temporary access to your website, you can bump the Support user from a subscriber to an administrator. We will walk through how to do this later in the post, but first, let’s talk about why Privilege Escalation is a better way of granting access to your website.

Why Privilege Escalation is Better

Easy – You don’t have to create a new user every time you need to grant access to your website.
Automatic – The privilege escalation only lasts for 24 hours. After 24 hours is up, the user automatically loses all the additional privileges. You don’t have to remember to remove users or change any passwords.
No Sacrifice in Security – You can still require this universal support user to use the email method of two-factor to login, which means you have the same level security as you do with your other admin users. Because the actual user role is a subscriber, you don’t run any real risk leaving it on your website.

How to Use Privilege Escalation in iThemes Security Pro

To get started, enable Privilege Escalation on the main page of the security settings.

You can create a new user and name it Support and give it the Subscriber user role. The next time you need to provide temporary access to your website, navigate to your Support user’s Profile page.

Update the email address to allow the outside support person to request a new password. Then scroll down until you see the Temporary Privilege Escalation settings. Click the Set Temporary Role toggle, and select Admin. The user will now have Admin access for the next 24 hours.

If they don’t need the full 24 hours, you can revoke the privilege escalation from the user profile page. If you need more than 24 hours, you can set the exact number of days you need in the Days field.

See how it works

A WordPress Security Plugin Can Help Secure Your Website

iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.

Get iThemes Security Pro

The post WordPress Vulnerability Roundup: December 2020, Part 2 appeared first on iThemes.

Source: Security Feed