WordPress Vulnerability Report #12 – August 2019

The August 2019 issue marks the first anniversary of the WordPress Vulnerability Report. For the 12th month in a row, our team has monitored the WordPress core and over 100 popular plugins. Learn which ones are currently a threat to your site.

Monthly WordPress Vulnerability Report
Article by Dawid Zimny
I am particularly interested in web analytics. Knowing the way your visitors browse your website will help you improve their browsing experience and is crucial for converting them into clients.

In this issue:

  • Popup Builder - SQL Injection
  • WP SVG Icons - Cross-Site Request Forgery
  • NextGEN Gallery - SQL Injection

Our goal is to make the Web secure and transparent for everyone. If you have questions regarding our report, don’t hesitate to contact us.

We also offer professional security monitoring – including plugin monitoring, offsite backups, and much more. Learn more about our WordPress security and maintenance services.

Secure business website – WordPress core and plugin vulnerabilities

Learn why we launched the WordPress Vulnerability Report in the video message from our Technical Director, Tomasz Lisiecki.

If you’re looking for more information please read our introductory article.

Popup Builder - SQL Injection!

A function in the Subscribers Table is vulnerable to SQL injection.
Is it safe?
Attackers with access to the Subscribers Table can execute malicious database queries, which can lead to a full website takeover.
Our recommendation
Upgrade to at least version 3.45.

WP SVG Icons - Cross-Site Request Forgery!

The contents of file uploads aren't verified properly. Uploading a zipped PHP file leads to its extraction and to remote execution of malicious code, without direct access to the site.
Is it safe?
The attack can affect not only the website, but also compromise data on your local machine.
Our recommendation
The vulnerability was patched in version 3.2.3, so you should update the plugin.

NextGEN Gallery - SQL Injection!

In some cases, gallery display can malfunction and open up the possibility of executing SQL queries.
Is it safe?
The vulnerability exposes the database, allowing the attacker to take full control of a website.
Our recommendation
Update the plugin to at least version 3.2.11 as soon as possible.
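To check a site against the three minimum versions named in this report, the script below (an added example, not part of the original report) parses the JSON printed by the real WP-CLI command `wp plugin list --format=json` and flags any of the affected plugins still below its fix version. The sample output embedded here is constructed, the plugin slugs are the wordpress.org directory slugs for the three plugins above, and versions are compared numerically so that 3.45 is correctly treated as newer than 3.5.

```python
"""Audit installed WordPress plugins against the minimum safe versions in this report."""
import json

# Minimum patched versions stated in the report, keyed by wordpress.org plugin slug.
MIN_SAFE_VERSION = {
    "popup-builder": "3.45",
    "wp-svg-icons": "3.2.3",
    "nextgen-gallery": "3.2.11",
}

# Constructed sample imitating `wp plugin list --format=json` output (not real site data).
SAMPLE_WP_CLI_OUTPUT = json.dumps([
    {"name": "popup-builder", "status": "active", "update": "available", "version": "3.5"},
    {"name": "wp-svg-icons", "status": "active", "update": "none", "version": "3.2.3"},
    {"name": "nextgen-gallery", "status": "inactive", "update": "none", "version": "3.2.9"},
    {"name": "akismet", "status": "active", "update": "none", "version": "4.1.2"},
])


def version_tuple(version):
    """Split a dotted version into integers so that 3.45 > 3.5 and 3.2.11 > 3.2.9,
    which plain string comparison gets wrong ('3.45' < '3.5', '3.2.11' < '3.2.9')."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(slug, installed):
    """True when the plugin is one covered by the report and below its fix version."""
    floor = MIN_SAFE_VERSION.get(slug)
    return floor is not None and version_tuple(installed) < version_tuple(floor)


def audit(wp_cli_json):
    """Return {slug: (installed, minimum)} for each listed plugin that is still exposed.
    Inactive plugins are reported too: they are still installed and need updating or removal."""
    findings = {}
    for plugin in json.loads(wp_cli_json):
        if is_vulnerable(plugin["name"], plugin["version"]):
            findings[plugin["name"]] = (plugin["version"], MIN_SAFE_VERSION[plugin["name"]])
    return findings


if __name__ == "__main__":
    for slug, (have, need) in audit(SAMPLE_WP_CLI_OUTPUT).items():
        print(f"{slug}: installed {have}, needs >= {need}")
```

On a live site, feed the script the real output of `wp plugin list --format=json` instead of the constructed sample.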
