WordPress Vulnerability Report #16 – December 2019 & Yearly Rewind

WordPress 5.3 security issues are in the spotlight of the last Vulnerability Report of 2019. While our list of “best-in-class” plugins remained unaffected, we’ve noticed vulnerabilities in two popular plugins with over 160,000 installations combined. Discover why you should update to WordPress 5.3.1 as soon as possible, and the dangers of using the older versions of “301 Redirects - Easy Redirect Manager” and “GDPR Cookie Compliance”.

Monthly WordPress Vulnerability Report
Article by Dawid Zimny
I am particularly interested in web analytics. Knowing the way your visitors browse your website will help you improve their browsing experience and is crucial for converting them into clients.

In this issue:

  • WordPress 3.7-5.3 - Access Control Issue
  • WordPress 3.7-5.3 - Cross-Site Scripting (XSS) in Links
  • WordPress 3.7-5.3 - Cross-Site Scripting (XSS) in Block Editor
  • 301 Redirects - Easy Redirect Manager 2.40 - Multiple Vulnerabilities
  • GDPR Cookie Compliance 4.0.2 - Authenticated Settings Manipulation

2019 was the first full calendar year for the WordPress Vulnerability Report. The 12 issues covered 48 vulnerabilities in the most popular plugins and in the WordPress core.

Throughout the year we’ve monitored over 100 unique plugins. 79 of these are on our “best-in-class” list and are monitored regularly as part of the Report and our monthly WordPress maintenance service.

We’ve also reported critical vulnerabilities in over two dozen popular second-choice plugins, like Easy Redirect Manager and GDPR Cookie Compliance in this issue.

In 2020 the Vulnerability Report is here to stay. If you’d like to be the first one to know about new issues, subscribe to our newsletter which also includes weekly articles from our expert on how to run a profitable business website.


Our goal is to make the Web secure and transparent for everyone. If you have questions regarding our report, don’t hesitate to contact us.

We also offer professional security monitoring – including plugin monitoring, offsite backups, and much more. Learn more about our WordPress security and maintenance services and subscribe to our newsletter for monthly updates on WordPress vulnerabilities.

Secure business website – WordPress core and plugin vulnerabilities

Learn why we launched the WordPress Vulnerability Report in the video message from our Technical Director, Tomasz Lisiecki.

If you’re looking for more information, please read our introductory article.

WordPress 3.7-5.3 - Access Control Issue!

Problem
A user without proper privileges was able to use the API to make a post "sticky".
Is it safe?
While this isn't a direct threat to your site, it's an intrusive vulnerability that can affect your business negatively and potentially opens up the possibility for other, more dangerous attacks.
Our recommendation
Update to the latest WordPress version immediately.

WordPress 3.7-5.3 - Cross-Site Scripting (XSS) in Links!

Problem
Attackers can craft harmful links to WordPress websites, which then execute scripts on the user's machine.
Is it safe?
An XSS attack poses a threat to both your website and individual visitors. Depending on the script and security awareness of the user, the attack can range from stealing a password of an unprivileged user to a full website takeover.
Our recommendation
Update to the latest WordPress version immediately.

WordPress 3.7-5.3 - Cross-Site Scripting (XSS) in Block Editor!

Problem
The content of the Gutenberg block editor can be used to store harmful scripts which execute when users interact with it.
Is it safe?
This doubles down on the above vulnerability, since all potential targets are logged-in users with at least some privilege level. While the attack has fewer potential targets and is harder to execute, it's also much harder to avoid triggering the scripts.
Our recommendation
Update to the latest WordPress version immediately.

301 Redirects - Easy Redirect Manager 2.40 - Multiple Vulnerabilities!

Problem
The plugin isn't our "go-to" redirect manager but we've decided to include it due to its popularity. There are several security issues, but the problem boils down to the fact that authenticated users, regardless of privilege level, can manipulate redirect rules, potentially leading your users to harmful sites, executing scripts, and performing virtually any other attack.
Is it safe?
The scope of these vulnerabilities and how easy it is to exploit them will soon make the plugin a target for attackers.
Our recommendation
Update to the fixed version, 2.45, as soon as possible.

GDPR Cookie Compliance 4.0.2 - Authenticated Settings Manipulation!

Problem
The function used to reset the plugin's settings doesn't verify the caller's privileges and lacks other security checks.
Is it safe?
Any authenticated user familiar with the code of the plugin can execute the function to reset settings.
Our recommendation
Update the plugin to version 4.0.3, which patches the issue.
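The pattern behind both the Easy Redirect Manager and the GDPR Cookie Compliance findings is a privileged action reachable by any logged-in user. The PHP below is an added illustration, not code from either plugin: a hypothetical settings-reset AJAX handler shown first without checks and then with a nonce and capability check. The action name `example_reset_settings` and the option key `example_plugin_settings` are made up.

```php
<?php
// Illustrative example, not the plugin's own code. Action name and
// option key are hypothetical.

// WEAK: wp_ajax_* hooks fire for every authenticated user, so with no
// capability or nonce check any subscriber-level account can trigger
// admin-ajax.php?action=example_reset_settings and wipe the settings.
function example_reset_settings_weak() {
    delete_option( 'example_plugin_settings' ); // hypothetical option key
    wp_send_json_success( 'settings reset' );
}

// HARDENED: first verify a nonce bound to this action (defeats CSRF),
// then require a capability only administrators hold before changing
// site-wide options.
function example_reset_settings_safe() {
    // Third argument false: return instead of dying so we answer in JSON.
    if ( ! check_ajax_referer( 'example_reset_settings', 'nonce', false ) ) {
        wp_send_json_error( 'invalid or missing nonce', 403 );
    }
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    delete_option( 'example_plugin_settings' );
    wp_send_json_success( 'settings reset' );
}
// Only the hardened handler is registered; the weak one is shown for contrast.
add_action( 'wp_ajax_example_reset_settings', 'example_reset_settings_safe' );

// Admin-side helper: build the reset URL carrying a nonce the handler
// accepts. Call this only when rendering a page for a privileged user.
function example_reset_settings_url() {
    return add_query_arg(
        array(
            'action' => 'example_reset_settings',
            'nonce'  => wp_create_nonce( 'example_reset_settings' ),
        ),
        admin_url( 'admin-ajax.php' )
    );
}
```

The nonce alone is not enough: it proves the request originated from a page WordPress rendered for that user, not that the user is allowed to perform the action, which is why the `current_user_can()` check stays in place.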
