Nine WordPress plugins, including popular ad management, malware firewall and database managers were found to have vulnerabilities affecting over 1.3 million websites
The United States Government Vulnerability Database and WordPress security researchers published alerts of WordPress plugin vulnerabilities. Among those plugins, nine of the most popular plugins affect over 1.3 million websites.
While there were many more plugins found vulnerable, the nine most popular plugins affected well over 1.3 million websites. The vulnerabilities were rated
The following are on the list of nine vulnerable plugins:
The Header Footer Code Manager WordPress Plugin was discovered by Wordfence security researchers to have a Reflected Cross-Site Scripting vulnerability.
The vulnerability requires the hacker to trick an administrator into clicking a link or other action in order to make it vulnerable to a full site take over.
The researchers noted that because this plugin affects a sensitive area of WordPress sites in that it’s for adding code to websites, the variety of malicious actions could extend to adding backdoors and attacking site visitors.
Publishers are recommended by Wordfence to update their installations to at least version 1.1.17.
The Ad Inserter – Ad Manager & AdSense Ads was reported by WPScan to also have a vulnerability that can lead to a Reflected Cross-Site Scripting exploit.
Publishers are advised to update to at least version 2.7.10.
This plugin contains a vulnerability that could lead to SQL injection exploit.
According to the National Vulnerability Database:
“The Popup Builder WordPress plugin before 4.0.7 does not validate and properly escape the orderby and order parameters before using them in a SQL statement in the admin dashboard, which could allow high privilege users to perform SQL injection”
Publishers are recommended to update to at least version 4.0.7 of the WordPress plugin.
This WordPress plugin also contains a Reflected Cross-Site scripting vulnerability. An attacker must have admin level credentials in order to carry out the attack.
Publishers are advised to update to at least version 4.20.94.
This WordPress plugin was discovered by security researchers at Patchstack who reported the plugin to have a Cross Site Request Forgery (CSRF) vulnerability.
Publishers are advised to update to at least version 3.4.5.
Security researchers at WPScan reported a SQL Injection vulnerability affecting the Database Backup for WordPress plugin that handles the most sensitive part of any WordPress installation, the database.
WPScan notes:
“The plugin does not properly sanitise and escape the fragment parameter before using it in a SQL statement in the admin dashboard, leading to a SQL injection issue”
Publishers are advised by the National Vulnerability Database to update the Database Backup for WordPress plugin to at least version 2.5.1.
The GiveWP Donation Plugin was found to contain a Reflected Cross-Site Scripting vulnerability. Publishers are advised to update to at least version 2.17.3 of the plugin.
This plugin contains a SQL Injection exploit that could lead to a Reflected Cross-Site Scripting attack. Publishers are advised to update to at least version 3.2.34.
This plugin was discovered by security researchers to contain an issue that could lead to a Reflected Cross-Site Scripting attack. Publishers are advised to update to at least version 3.0.4 of the plugin.
There were many plugins reported to have vulnerabilities. But these nine are the most popular plugins.
All of the plugins have received a patch that closes the vulnerability but it’s up to publishers to make sure that they are using the latest versions in order to keep their websites and site visitors safe.
Header Footer Code Manager
https://www.wordfence.com/blog/2022/02/reflected-xss-in-header-footer-code-manager/
Ad Inserter – Ad Manager & AdSense Ads
https://nvd.nist.gov/vuln/detail/CVE-2022-0288
Popup Builder WordPress Plugin
https://nvd.nist.gov/vuln/detail/CVE-2022-0228
Anti-Malware Security and Brute-Force Firewall
https://nvd.nist.gov/vuln/detail/CVE-2021-25101
https://wpscan.com/vulnerability/5fd0380c-0d1d-4380-96f0-a07be5a61eba
WP Content Copy Protection & No Right Click
https://nvd.nist.gov/vuln/detail/CVE-2022-23983
Database Backup for WordPress
https://nvd.nist.gov/vuln/detail/CVE-2022-0255
GiveWP – Donation Plugin and Fundraising Platform
https://nvd.nist.gov/vuln/detail/CVE-2021-25100
https://nvd.nist.gov/vuln/detail/CVE-2021-25099
Download Manager
https://nvd.nist.gov/vuln/detail/CVE-2021-25069
https://wpscan.com/vulnerability/4ff5e638-1b89-41df-b65a-f821de8934e8
Advanced Database Cleaner WordPress Plugin
https://nvd.nist.gov/vuln/detail/CVE-2021-24921
Roger Montti is a search marketer with over 20 years experience. I offer site audits, phone consultations and content and …
Get our daily newsletter from SEJ’s Founder Loren Baker about the latest news in the industry!
Subscribe to our daily newsletter to get the latest industry news.
Subscribe to our daily newsletter to get the latest industry news.
