Plugin Vulnerabilities

The plugin ‘Download Plugins and Themes from Dashboard’ (https://wordpress.org/plugins/download-plugins-dashboard/) , a plugin that lets you download installed plugins and themes ZIP files directly from your admin dashboard without using FTP with 10,000+ installs has been identified to have multiple security flaws in version less than 1.6.

NinTechNet discovered a multiple security issues within the Download Plugins and Themes from Dashboard WordPress plugin. The plugin’s setting update request did not check for authorisation, allowing an unauthenticated user to inject malicious JavaScript, which would be stored in the backend database. The author released a fixed version (1.6) on Sept 30th.

Recommendation

Our recommendation is to immediately update to version 1.6

Users of FullWorks Security will have been automatically notified of this vulnerability during their code scan.

If you are not a user of Fullworks Security you can sign up for a free 30 day trial

Or you can sign up to our free newsletter below.

The plugin Theme Editor (https://en-gb.wordpress.org/plugins/visualizer/) , a plugin that allows you to edit theme files, create folders and more with 30,000+ installs has been identified to have multiple security flaws in version 2.1 and lower.

These vulnerabilities were reported by WebArxSecurity (and details can be found here https://www.webarxsecurity.com/wordpress-theme-editor-plugin-multiple-vulnerabilities/. The author release a fixed version (2.2) on Sept 30th.

Recommendation

Our recommendation is to immediately update to version 2.2

Users of FullWorks Security will have been automatically notified of this vulnerability during their code scan.

If you are not a user of Fullworks Security you can sign up for a free 30 day trial

Or you can sign up to our free newsletter below.

The plugin Visulalizer (https://en-gb.wordpress.org/plugins/visualizer/) , a tables and charts management plugin with over 40,000 installs has been identified to have a security weakness in versions less than 3.3.1 by security researcher Nathan Davidon ( https://nathandavison.com/ ). The plugin developers released an update yesterday including a fix.

Recommendation

Our recommendation is to immediately update to version 3.3.1

Users of FullWorks Security will have been automatically notified of this vulnerability during their code scan.

If you are not a user of Fullworks Security you can sign up for a free 30 day trial

Or you can sign up to our free newsletter below.

The plugin Rich Reviews (https://en-gb.wordpress.org/plugins/rich-reviews/) has been closed on the WordPress repository since March 2019 for security issues. However security researchers at WordFence ( https://www.wordfence.com/blog/2019/09/rich-reviews-plugin-vulnerability-exploited-in-the-wild/) have reported that this vulnerability is being exploited in the wild.

Recommendation

Our recommendation is to immediately remove the Rich Reviews plugin and find an alternative.

Users of FullWorks Security will have been automatically notified of this vulnerability during their code scan and would have been notified since March that the plugin had be removed from WordPress.org

If you are not a user of Fullworks Security you can sign up for a free 30 day trial

Or you can sign up to our free newsletter below.

The plugin Delucks SEO (https://en-gb.wordpress.org/plugins/visualizer/) , has been identified to have a security weakness in versions less than 2.1.7 as reported on The Ninja Technologies Network (https://blog.nintechnet.com/vulnerability-in-the-wordpress-delucks-seo-plugin-actively-exploited/) The plugin developers released an update including a fix.

Recommendation

Our recommendation is to immediately update to version 2.1.7 or above.

Users of FullWorks Security will have been automatically notified of this vulnerability during their code scan.

If you are not a user of Fullworks Security you can sign up for a free 30 day trial

Or you can sign up to our free newsletter below.