
WordPress Vulnerability Report #16 – December 2019 & Yearly Rewind


3rd January 2020

WordPress 5.3 security issues are in the spotlight of the last Vulnerability Report of 2019. While our list of “best-in-class” plugins remained unaffected, we’ve noticed vulnerabilities in two popular plugins with over 160,000 installations combined. Discover why you should update to WordPress 5.3.1 as soon as possible, and the dangers of using the older versions of “301 Redirects – Easy Redirect Manager” and “GDPR Cookie Compliance”.

2019 was the first full calendar year of the WordPress Vulnerability Report. The 12 issues covered 48 vulnerabilities in WordPress core and in the most popular plugins.

Throughout the year we’ve monitored over 100 unique plugins. 79 of these are on our “best-in-class” list and are monitored regularly as part of the Report and our monthly WordPress maintenance service.

We’ve also reported critical vulnerabilities in over two dozen popular second-choice plugins, such as Easy Redirect Manager and GDPR Cookie Compliance in this issue.

In 2020 the Vulnerability Report is here to stay. If you’d like to be the first one to know about new issues, subscribe to our newsletter which also includes weekly articles from our expert on how to run a profitable business website.

Our goal is to make the Web secure and transparent for everyone. If you have questions regarding our report, don’t hesitate to contact us.

We also offer professional security monitoring – including plugin monitoring, offsite backups, and much more. Learn more about our WordPress security and maintenance services and subscribe to our newsletter for monthly updates on WordPress vulnerabilities.

Secure business website – WordPress core and plugin vulnerabilities

Learn why we launched the WordPress Vulnerability Report in the video message from our Technical Director, Tomasz Lisiecki.

If you’re looking for more information, please read our introductory article.

WordPress 3.7-5.3 – Access Control Issue

Problem
A user without the required privileges could use the REST API to mark a post as “sticky” (pinned to the top of the front page). This is an authorization gap: the API accepted the sticky flag without checking that the caller held the capability WordPress normally requires for it.

Is it safe?
On its own this does not compromise the site, but any low-privileged account (a Contributor, for example) can pin content of its choosing to the top of your front page, which is damaging for a business site. It is also a missing access-control check in a public API, the kind of gap that other, more dangerous attacks build on.

Our recommendation
Update to WordPress 5.3.1 (or later) immediately. The fix was also backported to the older supported branches (3.7 through 5.2), so sites that cannot move to 5.3 yet should still apply their branch’s security release.

Level of warning
High

WordPress 3.7-5.3 – Cross-Site Scripting (XSS) in Links

Problem
A link with specially crafted attributes, inserted into content on a WordPress site, bypassed the link filtering and stored a script alongside the content. That script then runs in the browser of any user who views the affected page (stored XSS).

Is it safe?
An XSS attack threatens both your website and individual visitors. The impact depends on who triggers the script: against an unprivileged user it can hijack their session or phish their credentials; if an administrator triggers it, the script acts in the administrator’s browser and can, for example, create a new administrator account, which amounts to a full website takeover.

Our recommendation
Update to the latest WordPress version immediately.

Level of warning
Moderate

WordPress 3.7-5.3 – Cross-Site Scripting (XSS) in Block Editor

Problem
Content saved through the Gutenberg block editor could carry a script that is stored with the post and executes when users interact with that content (stored XSS).

Is it safe?
This is more serious than the link issue above because the likely victims are logged-in users with editing rights rather than anonymous visitors. The attacker pool is smaller (the attacker needs an account that can save block content) and the attack is harder to execute, but a victim who simply opens the affected content in the editor triggers the script; there is no suspicious link to avoid clicking.

Our recommendation
Update to the latest WordPress version immediately.

Level of warning
High

301 Redirects – Easy Redirect Manager 2.40 – Multiple Vulnerabilities

Problem
The plugin isn’t our “go-to” redirect manager, but we’ve included it because of its popularity. There are several security issues, and they boil down to missing authorization checks: any authenticated user, regardless of role (a subscriber-level account is enough), can create, change or delete redirect rules. That lets an attacker send your visitors to harmful sites, execute scripts in their browsers, or hijack practically any URL on your site.

Is it safe?
No. The scope of these vulnerabilities and how easy they are to exploit will soon make the plugin a target for attackers. Sites with open user registration are especially exposed, since anyone who signs up gains the access needed.

Our recommendation
Update to version 2.45 or later, which fixes the issues, as soon as possible.

Level of warning
High

GDPR Cookie Compliance 4.0.2 – Authenticated Settings Manipulation

Problem
The function that resets the plugin’s settings does not verify the caller’s capability and performs no other request validation (such as a nonce check), so it accepts requests from any logged-in user.

Is it safe?
No. Any authenticated user who knows how the function is invoked can reset the plugin’s settings, reverting your cookie-consent configuration to its defaults.

Our recommendation
Update the plugin to version 4.0.3 or later, which patches the issue.

Level of warning
Moderate
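The two plugin issues above (redirect rules editable by any logged-in user in Easy Redirect Manager, and the unprotected settings reset in GDPR Cookie Compliance) and the core sticky-post issue are the same class of bug: an endpoint reachable by any authenticated user that never asks whether that user is allowed to perform the action. The following is an added illustration written for this report, not code from WordPress core or from either plugin. The plugin prefix “acme”, the option name, the AJAX action name and the REST route are hypothetical. It shows a vulnerable admin-ajax handler beside its hardened form (nonce plus capability check), and a REST route whose permission_callback enforces the capability for the specific field being changed rather than only for the route as a whole.

```php
<?php
/**
 * Added illustration for this report (hypothetical "acme" plugin).
 * Not code from WordPress core, 301 Redirects or GDPR Cookie Compliance.
 * Assumed names: option 'acme_settings', AJAX action 'acme_reset_settings',
 * REST route acme/v1/posts/<id>/sticky.
 */

// --- Vulnerable shape (the bug class described above; do NOT ship this). ---
// wp_ajax_{action} fires for every logged-in user. Nothing here asks who the
// caller is or whether the request carries a nonce, so a subscriber can wipe
// the plugin's settings with one POST to admin-ajax.php.
add_action( 'wp_ajax_acme_reset_settings_vuln', function () {
	delete_option( 'acme_settings' );
	wp_send_json_success( 'reset' );
} );

// --- Hardened shape. ---
add_action( 'wp_ajax_acme_reset_settings', 'acme_reset_settings' );
function acme_reset_settings() {
	// 1. CSRF: the request must carry a nonce minted for this exact action.
	//    check_ajax_referer() terminates with "-1" if it is missing or stale.
	check_ajax_referer( 'acme_reset_settings', 'nonce' );

	// 2. Authorization: being logged in is not a privilege. Require the
	//    capability that actually governs this plugin's settings.
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'insufficient privileges', 403 );
	}

	delete_option( 'acme_settings' );
	wp_send_json_success( 'reset' );
}

// The admin script receives the nonce via wp_localize_script(); that same
// value is what check_ajax_referer() validates on the way back in.
add_action( 'admin_enqueue_scripts', function () {
	wp_enqueue_script( 'acme-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
	wp_localize_script( 'acme-admin', 'acmeAjax', array(
		'url'   => admin_url( 'admin-ajax.php' ),
		'nonce' => wp_create_nonce( 'acme_reset_settings' ),
	) );
} );

// --- REST: authorization belongs in permission_callback, and it must cover
// every privileged field the request can set. Making a post sticky is a
// site-wide action, so editing one's own post is not sufficient; core's REST
// posts controller ties it to edit_others_posts. ---
add_action( 'rest_api_init', function () {
	register_rest_route( 'acme/v1', '/posts/(?P<id>\d+)/sticky', array(
		'methods'             => WP_REST_Server::EDITABLE,
		'callback'            => 'acme_set_sticky',
		'permission_callback' => function ( WP_REST_Request $request ) {
			$post = get_post( (int) $request['id'] );
			if ( ! $post ) {
				return new WP_Error( 'acme_not_found', 'No such post', array( 'status' => 404 ) );
			}
			if ( ! current_user_can( 'edit_post', $post->ID )
				|| ! current_user_can( 'edit_others_posts' ) ) {
				return new WP_Error( 'acme_forbidden', 'Cannot change sticky status', array( 'status' => 403 ) );
			}
			return true;
		},
		'args' => array(
			'sticky' => array( 'type' => 'boolean', 'required' => true ),
		),
	) );
} );

function acme_set_sticky( WP_REST_Request $request ) {
	$id = (int) $request['id'];
	if ( $request['sticky'] ) {
		stick_post( $id );
	} else {
		unstick_post( $id );
	}
	return rest_ensure_response( array( 'id' => $id, 'sticky' => is_sticky( $id ) ) );
}
```

When reviewing a plugin, grep for `add_action( 'wp_ajax_` and `register_rest_route(` and confirm that every handler reached by a logged-in user calls `current_user_can()` (or a `permission_callback`) for a capability that matches the action, and that state-changing AJAX handlers verify a nonce. A handler that only checks `is_user_logged_in()` is the pattern behind both plugin issues in this report.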
