WordPress Vulnerability Report #7 – March 2019


2nd April 2019

March proved to be another quiet month for the plugins we use on our clients’ sites. We have identified two vulnerabilities that don’t require authentication (one in WordPress comments, one in a popular WooCommerce addon), as well as a WordPress core loophole that could lead to code execution.

Considering the severity of the unauthenticated issues and the possible scope of the second WordPress core vulnerability, we encourage you to do a thorough security check and update your plugins to the newest versions.

Learn why we launched the Monthly WordPress Vulnerability Report in the introductory post including a video message from our Technical Director, Tomasz Lisiecki.


Due to logic flaws and the way comments are stored and processed, an unauthenticated attacker could post a comment with a link to a malicious site. If an Admin visited that link, the attacker’s script would execute in the background.

Is it safe?
Since this attack only requires comments to be enabled and no authentication, this vulnerability affects a huge number of WordPress websites.

Our recommendation
Update to WordPress 5.1.1 as soon as possible.

Level of warning


Unlike the first attack, this one requires authentication with at least Author privileges. After logging in, the user can upload an image file that will trigger malicious code and allow them to take over the entire site.

Is it safe?
The vulnerability is caused by a very old issue with WordPress core. On top of the authentication requirement, the issue only occurs when you have installed a plugin that handles entries incorrectly. This makes the attack fairly unlikely but also hard to track, as any plugin could be affected.

Our recommendation
The exploit is not possible in WordPress 4.9.9 and 5.0.1. We highly recommend updating to the newest WordPress build. However, if you use either of these two versions you’re safe from this specific loophole.

Level of warning


An unauthenticated user can manipulate the input fields during checkout to execute malicious scripts.

Is it safe?
Flawed processing of input data enables the visitor to manipulate the entries so that admins browsing saved carts will trigger the execution of malicious scripts.

Our recommendation
Update the plugin to the safe 2.2.3 version at your earliest convenience.

Level of warning
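As an added example (not part of this report or any project’s own code), the script below turns the three recommendations above into a check: it classifies a WordPress core version against the 5.1.1 threshold for the comment issue and the 4.9.9 / 5.0.1 thresholds for the upload issue, then uses WP-CLI to list plugins with pending updates, which is where the WooCommerce addon’s 2.2.3 release will appear. It assumes WP-CLI (`wp`) is installed for the live audit, release-style version strings, and that later releases in a patched branch keep the fix.

```shell
#!/bin/sh
# Added example: classify a WordPress core version against the two core
# issues in this report, then audit a live site via WP-CLI (assumed installed).

# version_lt A B: exit 0 if A is numerically lower than B. Components are
# compared as integers, so 4.10 > 4.9 (a plain string compare gets that wrong).
version_lt() {
  a=$1 b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    if [ "$a" = "$x" ]; then a=; else a=${a#*.}; fi
    if [ "$b" = "$y" ]; then b=; else b=${b#*.}; fi
    x=${x:-0}; y=${y:-0}          # missing component counts as 0 (5.0 == 5.0.0)
    [ "$x" -lt "$y" ] && return 0
    [ "$x" -gt "$y" ] && return 1
  done
  return 1                        # equal versions: not lower
}

# core_status VERSION: prints the status of both core issues from the report.
# Thresholds from the report: comment issue fixed in 5.1.1; upload issue fixed
# in 4.9.9 and 5.0.1 (assumption: later releases in those branches keep the fix).
core_status() {
  v=$1
  if version_lt "$v" 5.1.1; then c=affected; else c=patched; fi
  case "$v" in
    4.9.*) if version_lt "$v" 4.9.9; then u=affected; else u=patched; fi ;;
    *)     if version_lt "$v" 5.0.1; then u=affected; else u=patched; fi ;;
  esac
  printf 'comment-csrf:%s upload-rce:%s\n' "$c" "$u"
}

# audit_site: run from the WordPress root of a live install.
audit_site() {
  command -v wp >/dev/null 2>&1 || { echo 'wp-cli not found' >&2; return 2; }
  core_status "$(wp core version)"
  # Plugins with an update pending; the WooCommerce addon fix (2.2.3) shows up here.
  wp plugin list --update=available --fields=name,version,update_version
}

# Usage: sh audit.sh --audit   (without the flag only the functions are defined)
if [ "${1:-}" = "--audit" ]; then audit_site; fi
```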

Here’s What You Should Do Next

If you’d like us to work on your website to increase your profits, please get in touch, no matter where you are in the world.

Talk to us

If you are a little unsure whether we are a good fit for each other, head over to this page to learn about our typical clients.

See who we work with
