New WordPress plugin and theme vulnerabilities were disclosed during the second half of November. This post covers the recent WordPress plugin, theme, and core vulnerabilities and what to do if you run one of the vulnerable plugins or themes on your website.
The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.
WordPress Core Vulnerabilities
Good news! No new WordPress core vulnerabilities disclosed in November.
Keep in mind that WordPress 5.6 is due out December 8, so mark your calendars.
WordPress Plugin Vulnerabilities
1. Good LMS
Good LMS versions below 2.1.5 have an Unauthenticated SQL Injection vulnerability.
2. BA Book Everything
BA Book Everything versions below 1.3.25 have Unauthenticated Reflected XSS & XFS vulnerabilities.
3. AIT CSV Import / Export
All versions of AIT CSV Import / Export have an Unauthenticated Arbitrary File Upload vulnerability.
4. Fancy Product Designer
Fancy Product Designer versions below 4.5.1 have an Unauthenticated Stored Cross-Site Scripting vulnerability.
5. Contextual Related Posts
Contextual Related Posts versions below 2.9.4 have an CSRF Nonce Validation Bypass vulnerability.
6. Import and export users and customers
Import and export users and customers versions below 1.16.3.6 have a CSV Injection vulnerability.
7. Easy Registration Forms
Easy Registration Forms versions below 2.0.6 have an CSV Injection vulnerability.
8. Spam protection, AntiSpam, FireWall by CleanTalk
Spam protection, AntiSpam, FireWall by CleanTalk versions below 5.149 have Multiple Authenticated SQL Injections vulnerabilities.
9. Secure File Manager
All version of Secure File Manager have an Authenticated Remote Command Execution vulnerability.
10. Media Library Assistant
Media Library Assistant versions below 2.90 have an Authenticated Blind SQL Injection vulnerability.
11. WooCommerce Anti-Fraud
WooCommerce Anti-Fraud versions below 3.3 have an Unauthenticated Order Status Manipulation vulnerability.
WordPress Theme Vulnerabilities
1. Love Travel
Love Travel versions below 3.8 have Unauthenticated Reflected XSS & XFS vulnerabilities.
November Security Tip: Why You Need a WordPress Security Log
Logging is an essential part of your WordPress security strategy. Insufficient logging and monitoring can lead to a delay in the detection of a security breach. In fact, most breach studies show that the time to detect a breach is over 200 days! That amount of time allows an attacker to breach other systems, modify, steal, or destroy more data. It is for those reasons that Insufficient Logging landed on the OWASP top 10 of web application security risks.
Most breach studies show that the time to detect a breach is over 200 days!
WordPress security logs have several benefits in your overall security strategy.
- Identity and stop malicious behavior.
- Spot activity that can alert you of a breach.
- Assess how much damage was done.
- Aide in the repair of a hacked site.
If your site does get hacked, you will want to have the best information to aid in a quick investigation and recovery.
What are WordPress Security Logs?
WordPress Security Logs in iThemes Security Pro keeps track of important security events that occur on your website. These events are important to monitor to indicate if or when a security breach occurs.
Your website’s security logs are a vital part of any security strategy. The information found in these records can be used to lockout bad actors, highlight an unwanted change on the site, and help to identify and patch the point of entry of a successful attack.
How to Add WordPress Security Logs to Your Website
The easiest way to add security logging to your website is with a plugin like iThemes Security Pro. As soon as iThemes Security Pro is installed and activated, it will start monitoring and recording important security activity as it occurs on your website.
iThemes Security Pro then turns the data from your logs into a real-time WordPress security dashboard so you can get a better view of all the security activity happening on your site.
Check out our post on WordPress security logs, to learn what security events you should be monitoring and how to record them.
See how it works
A WordPress Security Plugin Can Help Secure Your Website
iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress, two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.
Get iThemes Security Pro
The post WordPress Vulnerability Roundup: November 2020, Part 2 appeared first on iThemes.
Source: Security Feed