April 2019 was a busy month for WordPress vulnerabilities. This roundup covers what each vulnerability is, how it can affect you, and what you should do about it.

We’ve divided the vulnerabilities up into three different categories:

  1. WordPress Plugins
  2. WordPress Themes
  3. Breaches From Around the Web

We’re including breaches from around the web because it is important to also be aware of vulnerabilities outside of the WordPress ecosystem. Exploits of server software can expose sensitive data, and database breaches elsewhere can expose credentials that your users reuse on your site, opening the door for attackers to log in as them.

WordPress Plugin Vulnerabilities

Last month saw several major plugin vulnerabilities with wide-ranging impacts for users.

1. WooCommerce Checkout Manager

WooCommerce Checkout Manager version 4.2.6 contains an Arbitrary File Upload vulnerability. If the Categorize Upload Files option is enabled in the plugin, an unauthenticated attacker can upload a file of any type, bypassing the check that is supposed to limit uploads to allowed file types.

An attacker who can upload a PHP file can execute code on the server, read or modify files, and from there gain administrator access to the site.

What You Should Do

Update to version 4.3. The update included a patch for the Arbitrary File Upload vulnerability.
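To make the bug class concrete, here is an added example (not WooCommerce Checkout Manager's own code) of an upload handler with the same weakness beside a hardened version. The acme_ names, hook names, directory and allow-list are assumptions for illustration.

```php
<?php
// Added illustration, not WooCommerce Checkout Manager's code. Hook names and
// the acme_ prefix are assumptions.

// VULNERABLE: reachable without logging in (wp_ajax_nopriv_), trusts the
// browser-supplied MIME type, keeps the attacker-chosen file name, and writes
// into a web-served directory. A request that claims type image/png but names
// the file shell.php lands a web shell the attacker can then open in a browser.
// add_action( 'wp_ajax_nopriv_acme_upload', 'acme_upload_vulnerable' );
function acme_upload_vulnerable() {
    $file = $_FILES['file'];
    if ( 0 !== strpos( $file['type'], 'image/' ) ) {   // client-controlled header
        wp_die( 'Images only' );
    }
    $dir = wp_upload_dir();
    move_uploaded_file( $file['tmp_name'], $dir['basedir'] . '/checkout/' . $file['name'] );
    wp_die( 'ok' );
}

// HARDENED: prove intent (nonce), decide the type from the bytes on disk
// against a short allow-list, discard the client's file name, let core place it.
add_action( 'wp_ajax_acme_upload', 'acme_upload_hardened' );
add_action( 'wp_ajax_nopriv_acme_upload', 'acme_upload_hardened' ); // guests at checkout
function acme_upload_hardened() {
    check_ajax_referer( 'acme_upload', 'nonce' );   // dies with 403 on a bad nonce

    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'No file received', 400 );
    }
    $file    = $_FILES['file'];
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );

    // Extension AND content are checked; for images the bytes must decode as
    // that image type. Anything else comes back with an empty 'ext'.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        wp_send_json_error( 'File type not allowed', 415 );
    }

    require_once ABSPATH . 'wp-admin/includes/file.php';
    $result = wp_handle_upload( $file, array(
        'test_form'                => false,
        'mimes'                    => $allowed,              // core repeats the check
        'unique_filename_callback' => 'acme_random_filename',
    ) );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( array( 'url' => $result['url'] ) );
}

// Never keep the name the attacker chose; only the verified extension survives.
function acme_random_filename( $dir, $name, $ext ) {
    return wp_generate_password( 24, false ) . $ext;   // $ext arrives with its dot
}
```

The client gets its nonce from `wp_create_nonce( 'acme_upload' )`, typically handed to the script with `wp_localize_script()`. A nonce proves the request came from a page the site served, not that the sender is trusted: if only logged-in customers may upload, drop the `nopriv` hook and add a `current_user_can( 'upload_files' )` check. As a second layer, deny PHP execution inside `wp-content/uploads` at the web server (for example a `.htaccess` rule that denies requests for `*.php` there), so a file that does slip past a future bug still cannot run.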

2. Contact Form Builder

Contact Form Builder 1.0.68 and below is vulnerable to Cross-Site Request Forgery and Local File Inclusion. Combined, the two mean an attacker can use a forged cross-site request to set the $_GET['action'] parameter, which the plugin passes to a file include, and so load a file of the attacker's choosing.

What You Should Do

The vulnerability has been patched, and you should update to version 1.0.69.
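The CSRF plus LFI combination described above, as an added illustration rather than Contact Form Builder's own code. The acme_ names, the admin/ view files and the menu slug are assumptions.

```php
<?php
// Added illustration, not Contact Form Builder's code. The acme_ names, the
// admin/ view files and the menu slug are assumptions.

// VULNERABLE: whatever arrives in $_GET['action'] becomes part of an include
// path. Nothing proves the request came from the administrator on purpose,
// so a link on any other site (CSRF) can drive it, and "../" sequences walk
// out of the plugin directory to any .php file on the server, for instance
// one an attacker managed to upload earlier.
function acme_admin_page_vulnerable() {
    $action = isset( $_GET['action'] ) ? $_GET['action'] : 'list';
    include plugin_dir_path( __FILE__ ) . 'admin/' . $action . '.php';
}

// HARDENED: the request may only pick a key from an allow-list, never a path;
// the caller must hold the capability; and state-changing views must carry a
// nonce, which is what actually defeats CSRF.
function acme_admin_page_hardened() {
    $views = array(
        'list'   => 'list.php',
        'edit'   => 'edit.php',
        'delete' => 'delete.php',
    );
    $action = isset( $_GET['action'] ) ? sanitize_key( $_GET['action'] ) : 'list';

    if ( ! isset( $views[ $action ] ) ) {
        wp_die( 'Unknown action', '', array( 'response' => 400 ) );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    if ( 'list' !== $action ) {
        // Links to these views are built with wp_nonce_url( $url, 'acme_' . $action ),
        // so a forged cross-site link has no valid _wpnonce and dies here.
        check_admin_referer( 'acme_' . $action );
    }
    include plugin_dir_path( __FILE__ ) . 'admin/' . $views[ $action ];
}

add_action( 'admin_menu', function () {
    add_menu_page( 'ACME Forms', 'ACME Forms', 'manage_options', 'acme-forms', 'acme_admin_page_hardened' );
} );

// A link that passes the hardened check, as the list view would print it:
function acme_delete_link( $form_id ) {
    $url = add_query_arg(
        array( 'page' => 'acme-forms', 'action' => 'delete', 'id' => (int) $form_id ),
        admin_url( 'admin.php' )
    );
    return wp_nonce_url( $url, 'acme_delete' );
}
```

The allow-list is what closes the file inclusion; the nonce is what closes the CSRF. Fixing only one leaves the other open: with the nonce alone an attacker who can get an admin to click still cannot choose the file, but an admin's own typo in the URL still walks the filesystem, and with the allow-list alone a forged link still deletes forms.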

3. Advanced Contact form 7 DB

Advanced Contact form 7 DB version 1.6.0 and below is vulnerable to SQL injection. The attacker needs an account on the site, but a subscriber-level account is enough. Depending on your server configuration, the injection may yield nothing more than password hashes, or it may let the attacker take control of the server. Make sure you are using a host that makes managing your security a priority.

What You Should Do

The vulnerability has been patched, and you should update to version 1.6.1.
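A subscriber-reachable query of the shape just described, vulnerable and then fixed, as an added illustration that is not Advanced Contact form 7 DB's code. Table, column and parameter names are assumptions.

```php
<?php
// Added illustration, not Advanced Contact form 7 DB's code. Table, column
// and parameter names are assumptions.

// VULNERABLE: wp_ajax_ hooks fire for any logged-in role, subscriber
// included, and both request values are pasted straight into the SQL. A
// subscriber sending form_id=0 UNION SELECT user_login,user_pass,... FROM
// wp_users gets every password hash in the site back as JSON.
// add_action( 'wp_ajax_acme_entries', 'acme_entries_vulnerable' );
function acme_entries_vulnerable() {
    global $wpdb;
    $form_id = $_GET['form_id'];
    $orderby = $_GET['orderby'];
    $rows    = $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}acme_entries WHERE form_id = $form_id ORDER BY $orderby"
    );
    wp_send_json( $rows );
}

// HARDENED: authorisation before anything else, values bound through
// $wpdb->prepare(), and identifiers (a column name cannot be a bound
// parameter) restricted to an allow-list.
add_action( 'wp_ajax_acme_entries', 'acme_entries_hardened' );
function acme_entries_hardened() {
    global $wpdb;

    if ( ! current_user_can( 'manage_options' ) ) {   // subscribers stop here
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'acme_entries', 'nonce' );

    $form_id = isset( $_GET['form_id'] ) ? absint( $_GET['form_id'] ) : 0;

    $allowed_orderby = array( 'id', 'created_at', 'email' );
    $orderby         = isset( $_GET['orderby'] ) ? $_GET['orderby'] : 'id';
    if ( ! in_array( $orderby, $allowed_orderby, true ) ) {
        $orderby = 'id';
    }

    $table = $wpdb->prefix . 'acme_entries';
    $sql   = $wpdb->prepare(
        "SELECT id, created_at, email, message FROM {$table} WHERE form_id = %d ORDER BY {$orderby} LIMIT %d",
        $form_id,
        100
    );
    wp_send_json_success( $wpdb->get_results( $sql ) );
}
```

WordPress 6.2 added the `%i` identifier placeholder to `$wpdb->prepare()`, so on current core `ORDER BY %i` with `$orderby` passed as a value is the cleaner form; keep the allow-list as a second line of defence. The "depends on your server configuration" point above is about what the database account can do: if the WordPress database user has the FILE privilege and `secure_file_priv` is empty, the same injection can write a web shell with `SELECT ... INTO OUTFILE`, so grant that user only what it needs on its own database.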

4. YellowPencil Visual CSS Style Editor

YellowPencil Visual CSS Style Editor has a vulnerability that lets an unauthenticated attacker bypass authentication and make requests to the site as a site administrator. With that access, the attacker can change the WordPress settings to open user registration and make Administrator the default role for new users, which lets them register an administrator account of their own.

What You Should Do

It doesn’t appear that this plugin is going to receive a patch, so I would suggest removing the YellowPencil Visual CSS Style Editor and finding a replacement.
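The anti-pattern behind an "act as administrator without logging in" bug, its correct wiring, and a site-level guard against the specific settings change described above, as an added illustration that is not YellowPencil's code. The acme_ names and request parameters are assumptions.

```php
<?php
// Added illustration, not YellowPencil's code. The acme_ names and request
// parameters are assumptions.

// VULNERABLE: hooked on init, so it runs for every request including
// anonymous front-end ones, and a request parameter is taken as proof that
// an administrator is editing. An unauthenticated POST with acme_edit=1 and
// options[users_can_register]=1&options[default_role]=administrator reaches
// update_option(), after which the attacker registers their own admin account.
// add_action( 'init', 'acme_save_settings_vulnerable' );
function acme_save_settings_vulnerable() {
    if ( empty( $_REQUEST['acme_edit'] ) ) {
        return;
    }
    foreach ( (array) $_POST['options'] as $name => $value ) {
        update_option( $name, $value );
    }
}

// HARDENED: admin_post_{action} only fires for logged-in users posting to
// admin-post.php; the capability check proves authority, the nonce proves
// intent, and only this plugin's own option is ever written.
add_action( 'admin_post_acme_save_settings', 'acme_save_settings_hardened' );
function acme_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'acme_save_settings' );   // the form printed wp_nonce_field( 'acme_save_settings' )

    $css = isset( $_POST['acme_custom_css'] ) ? wp_strip_all_tags( wp_unslash( $_POST['acme_custom_css'] ) ) : '';
    update_option( 'acme_custom_css', $css );

    wp_safe_redirect( admin_url( 'admin.php?page=acme-style&updated=1' ) );
    exit;
}

// GUARD for the whole site (drop into wp-content/mu-plugins/): refuse the two
// setting changes this attack depends on, whoever makes them, and log the
// attempt. Adjust the allowed role if your site legitimately uses another.
add_filter( 'pre_update_option_default_role', function ( $value, $old_value ) {
    if ( 'subscriber' !== $value ) {
        error_log( "Refused default_role change to '{$value}'" );
        return $old_value;   // returning the old value makes update_option() a no-op
    }
    return $value;
}, 10, 2 );
add_filter( 'pre_update_option_users_can_register', function ( $value, $old_value ) {
    if ( $value ) {
        error_log( 'Refused enabling users_can_register' );
        return $old_value;
    }
    return $value;
}, 10, 2 );
```

Two checks worth running on any site that had this plugin installed: with WP-CLI, `wp option get users_can_register` and `wp option get default_role` should come back `0` and `subscriber` on a site that does not take sign-ups, and `wp user list --role=administrator` should list only accounts you recognise. The guard above deliberately also blocks an administrator changing those settings from Settings > General; remove it if you need to open registration on purpose.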

5. Yuzo Related Posts

The Yuzo vulnerability is very similar to the YellowPencil exploit. Yuzo Related Posts is vulnerable to a cross-site scripting attack: the flaw lets someone inject code into the site that changes WordPress settings or adds malicious redirects.

What You Should Do

I would suggest removing the Yuzo Related Posts plugin for now. The plugin author says he intends to release a new and improved version at a later date.

6. WP Statistics

WP Statistics version 12.6.3 and below is vulnerable to cross-site scripting. As with the last plugin, an attacker can use the flaw to inject malicious code into your site.

What You Should Do

The vulnerability has been patched, and you should update to version 12.6.4.

WordPress Themes

A few WordPress theme vulnerabilities cropped up this month.

1. Newspaper Theme

The Newspaper theme by tagDiv, version 9.2.2 and lower, is another WordPress cross-site scripting vulnerability, this time in a theme.

What You Should Do

The vulnerability has been patched, and you should update to version 9.5.
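Yuzo Related Posts, WP Statistics and the Newspaper theme are all cross-site scripting bugs, so one added illustration serves all three: the two XSS shapes (stored and reflected) and the escaping that closes each. This is not code from any of those products; the acme_ names and option names are assumptions.

```php
<?php
// Added illustration; not code from Yuzo Related Posts, WP Statistics or the
// Newspaper theme. The acme_ names and option names are assumptions.

// VULNERABLE, stored XSS: a setting saved without sanitising and printed
// without escaping. Whoever can write the option (through a missing
// capability check, or a CSRF'd admin) plants script that runs for every
// visitor; one line is enough to redirect the whole site:
//   <script>location.href="https://attacker.example/"</script>
function acme_related_title_vulnerable() {
    echo '<h3 class="related">' . get_option( 'acme_related_title' ) . '</h3>';
}

// VULNERABLE, reflected XSS: request input echoed into an attribute. A crafted
// link such as ?q="><script>...</script> does the rest when an admin opens it.
function acme_stats_filter_vulnerable() {
    echo '<input name="q" value="' . $_GET['q'] . '">';
}

// HARDENED: sanitise on the way in, escape for the exact output context on
// the way out. Escaping at output is the control that still holds when input
// sanitising was skipped somewhere else.
add_action( 'init', function () {
    register_setting( 'acme', 'acme_related_title', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',   // strips tags and control chars on save
        'default'           => 'Related posts',
    ) );
} );

function acme_related_title_hardened() {
    // Text between tags: esc_html() turns < > & " ' into entities.
    echo '<h3 class="related">' . esc_html( get_option( 'acme_related_title', 'Related posts' ) ) . '</h3>';
}

function acme_stats_filter_hardened() {
    $q = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    // Attribute value: esc_attr(). A URL would need esc_url(); a value placed
    // inside a <script> block needs wp_json_encode().
    echo '<input name="q" value="' . esc_attr( $q ) . '">';
}

// Rich text that must keep some markup: wp_kses_post() allows the tags a post
// may contain and strips <script>, on* event handlers and javascript: URLs.
function acme_widget_body_hardened() {
    echo wp_kses_post( get_option( 'acme_widget_body', '' ) );
}
```

The "change the WordPress settings" consequence mentioned for Yuzo follows directly from stored XSS: script running in an administrator's browser carries the admin's cookies and can fetch a valid nonce from any admin page, so it can submit the settings forms exactly as the admin could. That is why escaping at output matters even for values only administrators are supposed to write.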

2. Job Board Responsive WordPress Theme

Job Board Responsive WordPress Theme version 2.4 and below is susceptible to two different exploits. The first lets unauthenticated users enumerate user accounts; the second lets them reset the passwords of those accounts.

What You Should Do

The vulnerabilities have been patched, and you should update to version 2.4.1.
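A password reset endpoint of the broken shape described above, followed by the flow WordPress itself uses, as an added illustration that is not the Job Board theme's code. The acme_ names and parameters are assumptions.

```php
<?php
// Added illustration, not the Job Board theme's code. The acme_ names and
// parameters are assumptions.

// VULNERABLE: reachable without logging in, answers differently for real and
// unknown usernames (that difference is the enumeration), and changes the
// password with no proof the caller controls the account.
// add_action( 'wp_ajax_nopriv_acme_reset', 'acme_reset_vulnerable' );
function acme_reset_vulnerable() {
    $user = get_user_by( 'login', $_POST['login'] );
    if ( ! $user ) {
        wp_send_json_error( 'No such user' );            // oracle: username exists or not
    }
    wp_set_password( $_POST['password'], $user->ID );    // account takeover
    wp_send_json_success( 'Password changed' );
}

// HARDENED, step 1: the same answer whether or not the account exists, and a
// single-use key sent only to the address on file. This mirrors what
// wp-login.php?action=lostpassword does.
add_action( 'wp_ajax_nopriv_acme_reset_request', 'acme_reset_request' );
function acme_reset_request() {
    check_ajax_referer( 'acme_reset', 'nonce' );
    $login = isset( $_POST['login'] ) ? sanitize_text_field( wp_unslash( $_POST['login'] ) ) : '';
    $user  = ( false !== strpos( $login, '@' ) ) ? get_user_by( 'email', $login ) : get_user_by( 'login', $login );

    if ( $user ) {
        $key = get_password_reset_key( $user );   // stores a hashed copy in user_activation_key
        if ( ! is_wp_error( $key ) ) {
            $url = add_query_arg(
                array( 'action' => 'rp', 'key' => $key, 'login' => rawurlencode( $user->user_login ) ),
                wp_login_url()
            );
            wp_mail( $user->user_email, 'Password reset', "Reset your password: $url" );
        }
    }
    // Same text either way. Response time still differs a little because mail
    // is only sent for real accounts; queue the mail if that matters to you.
    wp_send_json_success( 'If that account exists, a reset link has been sent.' );
}

// HARDENED, step 2: the key is verified before any password is written.
add_action( 'wp_ajax_nopriv_acme_reset_confirm', 'acme_reset_confirm' );
function acme_reset_confirm() {
    $login = isset( $_POST['login'] ) ? sanitize_text_field( wp_unslash( $_POST['login'] ) ) : '';
    $key   = isset( $_POST['key'] ) ? sanitize_text_field( wp_unslash( $_POST['key'] ) ) : '';
    $user  = check_password_reset_key( $key, $login );   // WP_Error if wrong, expired or already used
    if ( is_wp_error( $user ) ) {
        wp_send_json_error( 'Invalid or expired reset link', 400 );
    }
    $new = isset( $_POST['password'] ) ? (string) wp_unslash( $_POST['password'] ) : '';
    if ( strlen( $new ) < 12 ) {
        wp_send_json_error( 'Password too short', 400 );
    }
    reset_password( $user, $new );                               // sets the hash and clears the key
    WP_Session_Tokens::get_instance( $user->ID )->destroy_all(); // log out every existing session
    wp_send_json_success( 'Password changed' );
}
```

Note that fixing enumeration in a theme or plugin does not close it everywhere: core itself reveals usernames through `/?author=N` redirects and the `wp/v2/users` REST route for users who have published posts. Treat usernames as semi-public, and rely on strong passwords, rate limiting and two-factor authentication rather than on the username staying secret.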

How to Be Proactive About WordPress Theme & Plugin Vulnerabilities

Running outdated software is the number one reason WordPress sites are hacked. It is crucial to the security of your WordPress site that you have an update routine. You should be logging into your sites at least once a week to perform updates.

Automatic Updates

Using the iThemes Security Pro Version Management, you can enable automatic updates to ensure you are getting the latest security patches.

Automatic updates are a great choice for sites that don’t change very often. Because such sites get little attention, they are easily neglected and end up running outdated software.

Version Management Updates
  • WordPress Automatic Updates – All WordPress updates are automatically installed when available.
  • Plugin Automatic Updates – All plugin updates are automatically installed when available.
  • Theme Automatic Updates – All theme updates are automatically installed when available. Use this if you’ve put your theme customizations in a child theme, so that updating the parent theme doesn’t overwrite them.
  • Granular Control over Plugin and Theme updates – You may have plugins or themes that you’d rather update manually, or whose updates you’d like to delay until the release has had time to prove stable. Choose Custom to assign each plugin or theme one of three settings: update immediately (Enable), never update automatically (Disable), or update after a delay of a specified number of days (Delay).

Strengthening and Alerting to Critical Issues

  • Strengthen Site When Running Outdated Software – iThemes Security automatically enables stricter security when an available update has not been installed for a month. First, it forces every user who does not have two-factor enabled to provide a login code sent to their email address before logging in again. Second, it disables the WP File Editor (so nobody can edit plugin or theme code from the dashboard), disables XML-RPC pingbacks, and blocks multiple authentication attempts per XML-RPC request (both of which harden XML-RPC against attack without turning it off completely).
  • Scan for Other Old WordPress Sites – This checks for other outdated WordPress installs on your hosting account. A single outdated WordPress site with a vulnerability could allow attackers to compromise all the other sites on the same hosting account.
  • Send Email Notifications – For issues that require intervention, an email is sent to admin-level users.
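What an enable / disable / delay update policy actually does is easy to see on WordPress core's own `auto_update_plugin` filter. The following is an added illustration, not iThemes Security's code; the policy table and option name are assumptions, and the file is meant to be dropped into `wp-content/mu-plugins/`.

```php
<?php
// Added illustration, not iThemes Security's code: the enable / disable /
// delay policy built on the core auto_update_plugin filter. The policy table
// and option name are assumptions.

// Per plugin file: 'enable', 'disable', or a number of days to wait.
// '*' is the default for plugins not listed.
function acme_update_policy() {
    return array(
        'akismet/akismet.php'           => 'enable',
        'woocommerce/woocommerce.php'   => 7,          // let the release prove stable first
        'some-custom-plugin/plugin.php' => 'disable',  // locally patched, updated by hand
        '*'                             => 'enable',
    );
}

// Pure decision: may an update first seen at $first_seen be installed at $now?
function acme_update_allowed( $policy, $first_seen, $now ) {
    if ( 'enable' === $policy ) {
        return true;
    }
    if ( 'disable' === $policy ) {
        return false;
    }
    return ( $now - $first_seen ) >= (int) $policy * DAY_IN_SECONDS;
}

add_filter( 'auto_update_plugin', function ( $update, $item ) {
    $policies = acme_update_policy();
    $policy   = isset( $policies[ $item->plugin ] ) ? $policies[ $item->plugin ] : $policies['*'];

    // Core does not record when an update first appeared, so keep our own
    // first-seen table keyed by plugin file and offered version.
    $seen = get_option( 'acme_update_first_seen', array() );
    $key  = $item->plugin . '|' . $item->new_version;
    if ( ! isset( $seen[ $key ] ) ) {
        $seen[ $key ] = time();
        update_option( 'acme_update_first_seen', $seen, false );
    }
    return acme_update_allowed( $policy, $seen[ $key ], time() );
}, 10, 2 );

// Themes work the same way; $item->theme carries the theme slug.
add_filter( 'auto_update_theme', function ( $update, $item ) {
    return true;   // or the same policy lookup keyed by $item->theme
}, 10, 2 );
```

Automatic updates run from `wp_maybe_auto_update()` on WP-Cron, so they only happen if cron fires; a real system cron running `wp cron event run --due-now` is more dependable than visitor-triggered cron on a quiet site. The first-seen table grows by one entry per offered version, so prune entries whose version is now installed. And the trade-off in any delay is exactly the subject of this roundup: a security release is the one you do not want to wait seven days for, so keep the delay list short and reserve it for plugins that have broken your site before.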

Breaches From Around the Web

1. 80 Million U.S. Households Exposed

A database hosted on a Microsoft cloud server that held full names, income and marital status for 80 million U.S. households was publicly accessible. Microsoft issued a statement saying it had notified the owner of the database and that it is no longer publicly available.

2. Docker Breach

Docker asked about 190,000 users to change their passwords. The breach exposed Docker Hub usernames, hashed passwords, and the GitHub and Bitbucket tokens used for automated builds.

What You Should Do

If you have a Docker account, play it safe and change your password, and if you linked GitHub or Bitbucket to Docker Hub for automated builds, revoke and re-issue those tokens as well. This kind of breach also shows why you need a unique password for every account: reusing passwords leaves your sites exposed whenever one of them is part of a large database breach. It isn’t a matter of if, it is a matter of when one of your accounts will be exposed.

Create unique passwords for each site and secure them safely using LastPass.

Use the iThemes Security Pro Refuse Compromised Passwords feature. Using Troy Hunt’s haveibeenpwned API, it refuses any password found among the billions of leaked credentials indexed by haveibeenpwned.

Refusing compromised passwords serves two purposes: it stops a single user’s bad password from making the whole site vulnerable, and it tells users that the credentials they are using are already known to attackers.
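How such a check works under the hood, as an added illustration rather than the iThemes Security Pro implementation: the Pwned Passwords range API with k-anonymity, attached to the two places a WordPress user sets a password. The acme_ names are assumptions, and the code makes one outbound HTTPS request per check.

```php
<?php
// Added illustration of a "refuse compromised passwords" check against the
// Pwned Passwords range API; not the iThemes Security Pro code. The acme_
// names are assumptions. Makes one outbound HTTPS request per check.

// Returns how many times $password appears in breach data, 0 if never, or
// null if the API could not be reached. Only the first five hex characters
// of the SHA-1 leave the server (k-anonymity); the match happens locally.
function acme_pwned_count( $password ) {
    $sha1   = strtoupper( sha1( $password ) );
    $prefix = substr( $sha1, 0, 5 );
    $suffix = substr( $sha1, 5 );

    $resp = wp_remote_get(
        'https://api.pwnedpasswords.com/range/' . $prefix,
        array(
            'timeout' => 5,
            'headers' => array( 'Add-Padding' => 'true' ),   // pads responses so size leaks nothing
        )
    );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        return null;
    }
    // Body is one "SUFFIX:COUNT" per line; padding entries carry count 0.
    foreach ( explode( "\n", wp_remote_retrieve_body( $resp ) ) as $line ) {
        $parts = explode( ':', trim( $line ), 2 );
        if ( 2 === count( $parts ) && $parts[0] === $suffix && (int) $parts[1] > 0 ) {
            return (int) $parts[1];
        }
    }
    return 0;
}

// Attach the check to the profile screen and the reset form; both put the
// candidate password in $_POST['pass1'] and pass a WP_Error collector first.
function acme_refuse_pwned( $errors ) {
    if ( empty( $_POST['pass1'] ) ) {
        return;
    }
    $count = acme_pwned_count( (string) wp_unslash( $_POST['pass1'] ) );
    if ( null === $count ) {
        return;   // API unreachable: this version fails open; a stricter site fails closed
    }
    if ( $count > 0 ) {
        $errors->add(
            'pwned_password',
            sprintf( 'That password has been seen %s times in data breaches. Choose a different one.', number_format_i18n( $count ) )
        );
    }
}
add_action( 'user_profile_update_errors', 'acme_refuse_pwned' );
add_action( 'validate_password_reset', 'acme_refuse_pwned' );
```

Because the API only ever sees a five-character hash prefix, the check is safe to run against real user input; the thing to avoid is logging the password or its full hash on your own side. The same range query is handy for a one-off audit from the command line: SHA-1 the candidate, request the first five characters, and look for the remaining 35 in the response.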

While you are at it, adding two-factor authentication will help protect your site against database breaches. I lock down all of my WordPress sites using Authy.

Vulnerability Roundup Wrap Up

It is a dangerous internet out there. Make sure you are keeping your site up to date, so you are getting the latest security patches. Use a unique password and two-factor on every site to protect yourself against database breaches.

A WordPress Security Plugin Can Help Secure Your WordPress Website

iThemes Security Pro, our WordPress security plugin, offers 30+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement and more, you can add an extra layer of security to your website.
