WordPress 5.1.1 Security and Maintenance Release available to download

WordPress has a new Security and Maintenance Release so please update your websites as soon as possible if they haven’t updated automatically yet. This release includes 14 fixes, it’s a short-cycle maintenance release, so according to WordPress team, there will be another update in the matter of several weeks.

What’s fixed? Well, there were several critical security issues one of them related to comments (filtering and storing them in the database) which allowed to execute Cross-Site Scripting (XSS) attack by the maliciously crafted comment. This WordPress vulnerability discovered by Simon Scannell from RIPS Technologies. All latest versions like 5.1 and earlier releases are affected so once again – please update now!

Continue reading WordPress 5.1.1 Security and Maintenance Release available to download

WordPress plugins for WooCommerce by Multidots endangered thousands of online stores

Multidots Inc. is a software development company from India that has developed a wide range of various WordPress plugins. About a month ago ThreatPress Security Research Team found a lot of vulnerabilities in ten plugins designed by Multidots to extend the capabilities of WooCommerce. As you can understand, these plugins designed for online stores powered by WooCommerce / WordPress. ThreatPress notified the Multidots instantly about the issues with their WordPress plugins, usually developer fixes problem as soon as possible, but in this case, everything went quite a different way.

Vulnerable plugins by Multidots

So, overall ThreatPress found that there are ten vulnerable plugins. All of them hosted on WordPress.org plugin repository. Here’s the list of these plugins (plugin name, active installs and vulnerability type):

Continue reading WordPress plugins for WooCommerce by Multidots endangered thousands of online stores

ThreatPress report of WordPress vulnerabilities for the 2017 year

ThreatPress published a summary of all WordPress vulnerabilities detected in the 2017 year. This beautiful info-graphic (below) gives statistical information collected from ThreatPress database of WordPress vulnerabilities and data available on such open sources like WordPress.org website.

All of the WordPress plugins that were marked as vulnerable in the 2017 year have more than seventeen million active installs. Just imagine how many sites were at potential risk. I think we’re talking about a number that exceeds five million websites. Five million!!! OK, let’s see what more do we have on this infographic.

ThreatPress 2017 year report in numbers

  • 221 vulnerability added to the database of WordPress vulnerabilities compared to the 234 vulnerabilities in the 2016 year.
  • 202 plugins were identified as vulnerable, 153 of them hosted on WordPress.org plugin repository.
  • 5 WordPress themes were identified as vulnerable, this number could be much bigger, but it’s hard to access and check themes from premium repositories.
  • The most common vulnerability type was a Cross-Site Scripting (XSS) with a SQL Injection (SQLi) on a second place and Broken Access Control on the third.
  • Other quite common vulnerability types in the 2017 year were Cross-Site Request Forgery (CSRF), Arbitrary File Upload, BYPASS, Arbitrary File Download, PHP Object Injection and Local File Inclusion.
  • Top five vulnerable plugins in the 2017 year (by the number of active installs according to WordPress.org data) were Yoast SEO, WooCommerce, Smush Image Compression and Optimisation, Duplicator and Loginizer.
  • There were 8 WordPress security-related releases in the 2017 year.

Continue reading ThreatPress report of WordPress vulnerabilities for the 2017 year

Email Subscribers & Newsletters plugin vulnerability found by ThreatPress

Email Subscribers & Newsletters WordPress plugin developed by Icegram has more than one hundred thousands active installs. Email Subscribers & Newsletters plugin is a complete newsletter solution, and you can collect leads, send automated notification emails, create and send newsletters.

Email Subscribers & Newsletters WordPress is an excellent plugin with a lot of features. However today I don’t want to discuss all the features of this plugin, I want to talk about the vulnerability that was found by ThreatPress Security company in this piece of software.

Email Subscribers & Newsletters plugin vulnerability

Recently we (ThreatPress Security) found a vulnerability in Email Subscribers & Newsletters plugin that could be easily exploited by anyone. I mean, by anyone. And the result of the successful attack is a complete list of subscribers.

Continue reading Email Subscribers & Newsletters plugin vulnerability found by ThreatPress

ThreatPress Database of WordPress vulnerabilities

The ThreatPress project makes another step. From now ThreatPress WordPress Vulnerabilities DataBase site is online and available to anyone for free. The database contains information gathered from various open sources on the Internet. The database is constantly updatable and holds information about vulnerable WordPress versions, vulnerable WordPress plugins, and themes.

What’s inside of ThreatPress Vulnerabilities Database

The database has three content categories, WordPress, WordPress plugins and WordPress themes. WordPress category provides information about all vulnerabilities discovered in various versions of the WordPress content management system. Categories for WordPress plugins and WordPress themes give results on vulnerable versions of WordPress plugins and themes.

Continue reading ThreatPress Database of WordPress vulnerabilities