WordPress Vulnerability Roundup: September 2020, Part 2

Sep 23, 2020 | Security - Internet, WordPress, and otherwise




Quite a few new WordPress plugin and theme vulnerabilities were disclosed during the second half of September, making this one of our largest round-ups to date. In this post, we cover recent WordPress plugin, theme, and core vulnerabilities and what to do if you are running one of the vulnerable plugins or themes on your website.

The WordPress Vulnerability Roundup is divided into three different categories: WordPress core, WordPress plugins, and WordPress themes.

WordPress Core Vulnerabilities

No WordPress core vulnerabilities were disclosed in the second half of September. Just make sure you are running the latest version of WordPress, which is version 5.5.1.

WordPress Plugin Vulnerabilities

1. Asset CleanUp

The vulnerability is patched, and you should update to version 1.3.6.7.

2. Sticky Menu, Sticky Header

The vulnerability is patched, and you should update to version 2.21.

3. Cookiebot

The vulnerability is patched, and you should update to version 3.6.1.

4. All In One WP Security & Firewall

The vulnerability is patched, and you should update to version 4.4.4.

5. Absolutely Glamorous Custom Admin

The vulnerability is patched, and you should update to version 6.5.5.

6. Elementor Addon Elements

The vulnerability is patched, and you should update to version 1.6.4.

7. Email Subscribers & Newsletters

The vulnerability is patched, and you should update to version 4.5.6.

8. 10Web Social Post Feed

The vulnerability is patched, and you should update to version 1.1.27.

9. Affiliate Manager

The vulnerability is patched, and you should update to version 2.7.8.

10. WP Hotel Booking

The vulnerability is patched, and you should update to version 1.10.2.

11. WP Project Manager

The vulnerability is patched, and you should update to version 2.4.1.

12. 10WebAnalytics

The vulnerability is patched, and you should update to version 1.2.9.

13. Top 10 – Popular posts plugin for WordPress

The vulnerability is patched, and you should update to version 2.9.5.

14. Lightweight Sidebar Manager

The vulnerability is patched, and you should update to version 1.1.4.

15. Radio Buttons for Taxonomies

The vulnerability is patched, and you should update to version 2.0.6.

16. Product Catalog X

The vulnerability is patched, and you should update to version 1.5.13.

17. Paid Memberships Pro

The vulnerability is patched, and you should update to version 2.4.3.

18. NotificationX

The vulnerability is patched, and you should update to version 1.8.3.

19. Coming Soon & Maintenance Mode Page

The vulnerability is patched, and you should update to version 1.58.

20. Menu Swapper

The vulnerability is patched, and you should update to version 1.1.1.

21. Woody ad snippets

The vulnerability is patched, and you should update to version 2.3.10.

22. Forminator

The vulnerability is patched, and you should update to version 1.13.5.

23. RSS Aggregator by Feedzy

The vulnerability is patched, and you should update to version 3.4.3.

24. Feed Them Social

The vulnerability is patched, and you should update to version 2.8.7.

25. WP ERP

The vulnerability is patched, and you should update to version 1.6.4.

26. eCommerce Product Catalog 

The vulnerability is patched, and you should update to version 2.9.44.

27. Easy Testimonials

The vulnerability is patched, and you should update to version 3.7.

28. Dokan

The vulnerability is patched, and you should update to version 3.0.9.

29. Best WooCommerce Multivendor Marketplace Solution

The vulnerability is patched, and you should update to version 3.5.8.

30. Custom Field Template

The vulnerability is patched, and you should update to version 2.5.2.

31. Coupon Creator

The vulnerability is patched, and you should update to version 3.1.1.

32. Cool Timeline

The vulnerability is patched, and you should update to version 2.0.3.

33. Funnel Builder by CartFlows

The vulnerability is patched, and you should update to version 1.5.16.

34. Import / Export Customizer Settings

The vulnerability is patched, and you should update to version 1.0.4.

35. Discount Rules for WooCommerce

The vulnerability is patched, and you should update to version 2.2.1.

36. MetaSlider

The vulnerability is patched, and you should update to version 3.17.2.

37. Drag and Drop Multiple File Upload

The vulnerability is patched, and you should update to version 1.3.5.5.

WordPress Theme Vulnerabilities

1. JobMonster

The vulnerability is patched, and you should update to version 4.6.6.1.

iThemes Security Pro Feature Spotlight: Trusted Devices

There are many features in iThemes Security Pro that can stop hackers from exploiting vulnerabilities in WordPress plugins and themes. Authentication Bypass and Session Hijacking are two of the most dangerous types of vulnerabilities. Both of these vulnerabilities can be exploited by hackers to bypass authentication protections and take control over your website.

Today we are going to cover Trusted Devices, a robust security method to protect your website even when it is vulnerable to bypass authentication or session hijacking attacks.

Why We Developed Trusted Devices

Let’s say you follow all of the WordPress security best practices to protect your user account. Not only do you use a unique, strong password for every site, but you also lock down all of your online accounts with two-factor authentication. You are a good example of what it looks like to take WordPress security seriously.

Yet, even with all of the security measures you put into place, somehow, your website was still hacked. And, to make matters worse, the attacker used YOUR WordPress user to hack the site. How did this happen to you, the security guru?!

Unfortunately, even if you do everything right to secure your WordPress user account, there are still methods that hackers can use to exploit your account.

For example, WordPress generates a session cookie every time you log into your website. And let’s say that you have a browser extension that has been abandoned by the developer and is no longer releasing security updates. Unfortunately for you, the neglected browser extension has a vulnerability. The vulnerability allows bad actors to hijack your browser cookies, including the earlier-mentioned WordPress session cookie. This type of hack is known as Session Hijacking. So, an attacker can exploit the extension vulnerability to piggyback off your login and start making malicious changes with your WordPress user.

Pretty crummy, right? We agree, so we created a way to protect your account, even when bad actors can find and exploit other vulnerabilities.

What Are Trusted Devices?

The Trusted Devices feature in iThemes Security Pro works to identify the devices that you and other users use to log in to your WordPress site. After your devices are identified, we can stop session hijackers and other bad actors from doing any damage on your website.

When a user has logged in on an unrecognized device, Trusted Devices can restrict their administrator-level capabilities. This means that if an attacker were able to break into the backend of your WordPress site, they wouldn’t have the ability to make any malicious changes to your website.

In this scenario, you will receive an email that lets you know that someone logged into your site from an unrecognized device. The email includes an option to block the hacker’s device. Then you can just laugh and laugh, knowing that you ruined a bad guy’s day.

Another benefit of Trusted Devices is that it makes Session Hijacking a thing of the past. If a user’s device changes during a session, iThemes Security will automatically log the user out to prevent any unauthorized activity on the user’s account, such as changing the user’s email address or uploading malicious plugins.
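The mechanism the preceding paragraphs describe, as an added illustration that is not iThemes code: a minimal Python model in which a session is bound at login to a device fingerprint, administrator-level capabilities are withheld while that device is unconfirmed, and a request whose fingerprint no longer matches the one bound at login destroys the session. The fingerprint derivation (User-Agent plus IPv4 /24), the server secret, the list of capabilities treated as administrator-level and the in-memory store are all this example's assumptions; how iThemes Security Pro actually identifies devices is not documented on this page.

```python
from __future__ import annotations

import hashlib
import hmac
import secrets
from collections import defaultdict
from dataclasses import dataclass, field

# Server-side key for the fingerprint HMAC, so stored fingerprints cannot be
# precomputed from public request data. Constructed value for this example.
SERVER_SECRET = b"example-only-server-secret-rotate-me"

# Capabilities withheld on an unrecognized device. The names are real WordPress
# capability slugs; which ones count as "administrator-level" is this
# example's choice, not the plugin's list.
ADMIN_CAPS = {"manage_options", "install_plugins", "activate_plugins",
              "edit_users", "edit_files", "update_core"}


def device_fingerprint(user_agent: str, client_ip: str) -> str:
    """Derive a stable device identifier (assumption: User-Agent + IPv4 /24).

    Real products combine richer signals (the page mentions optional third-party
    APIs that improve accuracy). Using the /24 keeps a DHCP address change on
    the same network from looking like a brand-new device.
    """
    network = ".".join(client_ip.split(".")[:3])
    material = f"{user_agent}|{network}".encode()
    return hmac.new(SERVER_SECRET, material, hashlib.sha256).hexdigest()


@dataclass
class Session:
    token: str
    user: str
    fingerprint: str
    restricted: bool  # True until the device has been confirmed as trusted


@dataclass
class TrustedDeviceStore:
    trusted: dict[str, set[str]] = field(default_factory=lambda: defaultdict(set))
    pending: dict[str, set[str]] = field(default_factory=lambda: defaultdict(set))
    sessions: dict[str, Session] = field(default_factory=dict)
    notifications: list[str] = field(default_factory=list)  # stands in for e-mail

    def login(self, user: str, user_agent: str, client_ip: str) -> Session:
        """Create a session bound to the device that just authenticated."""
        fp = device_fingerprint(user_agent, client_ip)
        known = fp in self.trusted[user]
        session = Session(secrets.token_hex(16), user, fp, restricted=not known)
        self.sessions[session.token] = session
        if not known:
            # Unrecognized device: allow the login, but hold back admin powers
            # and queue the "confirm or block this device" notification.
            self.pending[user].add(fp)
            self.notifications.append(f"unrecognized_login user={user} device={fp[:12]}")
        return session

    def confirm_device(self, user: str, fp: str) -> None:
        """User clicked Confirm Device: trust it and lift the restriction."""
        self.pending[user].discard(fp)
        self.trusted[user].add(fp)
        for s in self.sessions.values():
            if s.user == user and s.fingerprint == fp:
                s.restricted = False

    def block_device(self, user: str, fp: str) -> int:
        """User clicked Block Device: forget it and destroy its sessions."""
        self.pending[user].discard(fp)
        self.trusted[user].discard(fp)
        doomed = [t for t, s in self.sessions.items()
                  if s.user == user and s.fingerprint == fp]
        for t in doomed:
            del self.sessions[t]
        return len(doomed)

    def has_cap(self, token: str, cap: str) -> bool:
        """Capability check: admin-level caps are denied on a restricted session.

        Anything else defers to the normal role check, modelled here as allowed.
        """
        session = self.sessions.get(token)
        if session is None:
            return False
        return not (session.restricted and cap in ADMIN_CAPS)

    def check_request(self, token: str, user_agent: str, client_ip: str) -> bool:
        """Per-request hijack check: the fingerprint must match the one bound at login.

        A session cookie replayed from a different device fails here and the
        session is destroyed, which is the logout behaviour the page describes.
        """
        session = self.sessions.get(token)
        if session is None:
            return False
        if device_fingerprint(user_agent, client_ip) != session.fingerprint:
            del self.sessions[token]
            self.notifications.append(f"session_destroyed user={session.user} reason=device_changed")
            return False
        return True
```

Two things worth noticing in the model: a login from an unknown device is not refused outright, it is merely stripped of the capabilities an attacker would need to do damage until the legitimate owner confirms the device by e-mail; and the per-request check runs on every request, not only at login, which is what turns a stolen cookie into a dead session rather than a working one.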

Man, it sure does feel good preventing malicious attacks from being successful!

How to Use the Trusted Devices Feature in iThemes Security Pro

To start using Trusted Devices, enable them on the main page of the security settings, and then click the Configure Settings button.

In the Trusted Devices settings, decide which users you want to use the feature, and then enable the Restrict Capabilities and Session Hijacking Protection features.

After enabling the new Trusted Devices setting, users will receive a notification in the WordPress admin bar about pending unrecognized devices. If your current device hasn’t been added to the trusted devices list, click the Confirm This Device link to send the authorization email.

Click the Confirm Device button in the Unrecognized Login email to add your current devices to the Trusted Devices list.

Once Trusted Devices is enabled, users can manage devices from their WordPress User Profile page. From this screen, you can approve or deny devices from the Trusted Devices list.

Additionally, you have the option to sign up for some third-party APIs to improve the accuracy of the Trusted Devices identification and to use static image maps to display the approximate location of an unrecognized login. Check out the Trusted Devices settings to see what integrations are available.

A WordPress Security Plugin Can Help Secure Your Website

iThemes Security Pro, our WordPress security plugin, offers 50+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.

Get iThemes Security Pro
