Monthly WordPress Vulnerability Report #3 – November 2018


3rd December 2018

The November issue of the Monthly WordPress Vulnerability Report covers vulnerabilities in some of the most popular plugins out there – Yoast SEO, WooCommerce and Ninja Forms. With a low to moderate level of warning, these issues don’t pose a huge threat, but because of the sheer number of websites affected they can quickly catch the attention of attackers.

Cross-site scripting and privilege escalation are recurring issues in WordPress and it’s no different this month. WooCommerce suffers from the latter because of the way WordPress handles privileges. A clever file deletion can escalate the Shop Manager’s privileges to the point where they can take control of any other account on the website.

If you want to know why we launched the Monthly WordPress Vulnerability Report, check out the introductory post including a message from our Technical Director, Tomasz Lisiecki, in the form of a short video.


WooCommerce

Attackers with the Shop Manager role can delete specific files on the server to gain control over any account, including Admin. It’s caused by a flaw in the way WordPress manages privileges.

Is it safe?
The Shop Manager role is assigned to employees, and an attacker must first gain access to an account with that privilege. That said, an attacker can potentially gain access to such an account through phishing or XSS attacks, and over 4 million WooCommerce shops are affected by the vulnerability.

Our recommendation
The issue is fixed in version 3.4.6 and we strongly recommend that you update the plugin.

Level of warning

Ninja Forms

The “Submissions” page of the Ninja Forms plugin is vulnerable to cross-site scripting attacks.

Is it safe?
The attack isn’t necessarily easy to execute and its scope is limited. However, it requires no authentication, so it’s best to update the plugin.

Our recommendation
Update your plugin to the newest version, 3.19.1.

Level of warning

Yoast SEO

The plugin can be exploited by users with the Manager role because of an authenticated race condition. Exploiting a “race condition” means taking advantage of timing in the code to cause actions to happen in an order different from what the code expects.

Is it safe?
An attacker can execute commands, but only if they can acquire an account with the Manager role. As such, the risk of an attack is very low, and the issue is fixed in version 9.2.

Our recommendation
Update the plugin to version 9.2 to eliminate the chance of an exploit.

Level of warning
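
To check a site against the three fixed versions named in this report (WooCommerce 3.4.6, Ninja Forms 3.19.1, Yoast SEO 9.2), the script below is an added example, not part of the original report. It assumes plugin versions are exported with WP-CLI (`wp plugin list --fields=name,version --format=csv`) as unquoted CSV, that Yoast SEO appears under its wordpress.org slug `wordpress-seo`, and that GNU `sort -V` is available; the function names and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Fixed versions as stated in this report; keys are wordpress.org plugin slugs.
fixed_version() {
  case "$1" in
    woocommerce)   echo "3.4.6" ;;
    ninja-forms)   echo "3.19.1" ;;
    wordpress-seo) echo "9.2" ;;    # Yoast SEO
    *)             return 1 ;;      # plugin not covered by this report
  esac
}

# True (exit 0) when version $1 is strictly older than version $2.
# Uses GNU sort -V so that 9.2 < 9.10 and 9.2.0 is not older than 9.2.
version_lt() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Reads "name,version" CSV on stdin and prints one line per plugin that is
# below its fixed version. Returns 1 if anything needs updating, else 0.
audit_plugins() {
  local name version fixed status=0
  while IFS=, read -r name version; do
    version=$(printf '%s' "$version" | tr -d '\r')   # tolerate CRLF exports
    [ "$name" = "name" ] && continue                 # skip the CSV header
    fixed=$(fixed_version "$name") || continue       # ignore other plugins
    if version_lt "$version" "$fixed"; then
      echo "UPDATE $name $version -> $fixed"
      status=1
    fi
  done
  return "$status"
}

# Constructed sample input, not taken from a real site.
SAMPLE_CSV='name,version
woocommerce,3.4.5
ninja-forms,3.19.1
wordpress-seo,9.1.0
akismet,4.1'

# Demo run on the sample; on a real site, pipe the WP-CLI output in instead.
printf '%s\n' "$SAMPLE_CSV" | audit_plugins || true
```

The non-zero return value when any plugin is behind makes the function usable as a gate in a scheduled job or deployment check.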
