WMS 003: June WordPress Vulnerabilities
Weekly tips, strategy, and advice for building & leveraging your website to maximize your business.
Welcome to episode three of Websites Made Simple!
In this episode I cover June 2020 WordPress Core, plugin, and theme security vulnerabilities. Each one we talk about is classified as Critical, High, Medium, or Low risks. And lastly, I will let you know if the issues have been resolved and whether or not you should update to the latest release.
A must listen if you want the latest information on security issues that could be placing your website at risk.
Check it out!
Links To Plugins, Themes, and Vulnerabilities
- Drag and Drop Multiple File Uploader is a simple, straightforward WordPress plugin extension for Contact Form7, which allows the user to upload multiple files using the drag-and-drop feature or the common browse-file of your web form.
- Security issue is that in some cases an unauthenticated file upload could occur.
- The vulnerability is patched, and you should update to version 18.104.22.168
MapPress Maps – Critical
- MapPress adds interactive Google or Leaflet maps to WordPress
- This vulnerability enables an attacker with subscriber privileges on your website to download or delete arbitrary files or upload arbitrary malicious files
- The vulnerability is patched, and you should update to version 2.54.6
Image Photo Gallery Final Tiles Grid – Critical
- Image Gallery + Photo Gallery + Portfolio Gallery + Tiled Gallery in 1 plugin. Includes lightbox and hover effects. It supports Pinterest (masonry) photo gallery and tiled grid gallery
- Like WordPress Core this is another XSS issue
- The vulnerability is patched, and you should update to version 3.4.19
bbPress – Critical
- Streamlined discussion board, bbPress is easy to integrate, easy to use, and is built to scale with your growing community to create a forum
- bbPress versions below 2.6.5 have an Unauthenticated Privilege Escalation vulnerability when New User Registration enabled.
- This means when a new user registers on your forum they could have higher permissions than intended
- The vulnerability is patched, and you should update to version 2.6.5
Page Builder: PageLayer – Drag and Drop website builder – High
- With about 200,000 active installs this page builder is not used that much however, it does allow users to create web pages without knowing any code
- One more XSS issue this month falls onto this plugin
- The vulnerability is patched, and you should update to version 1.1.2
Multi Scheduler – High
- The issue here is that under certain circumstances the forms it uses could allow a hacker to delete users if the specific ID of that user is known
- As of the time of this recording, the plugin has temporarily been removed from wordpress.org and is no longer available for download
- Users should deactivate and uninstall this plugin immediately and await a new version release
JobSearch – High
- Straight forward plugin that allows you a simple solution to display jobs on any type of website
- Another XSS vulnerability
- The vulnerability is patched, and you should update to version 1.5.1.
Elementor Page Builder – High
- My favorite page builder that has over 5 million active installs
- Like others this month and the otherwise common XSS issue strikes Elementor as well this month
- The vulnerability is patched, and you should update to version 2.9.10
SportsPress – High
- Transform your WordPress into a fully configurable team, club, or league website
- And one more XSS issue to round out our plugins this month
- The vulnerability is patched, and you should update to version 2.7.2
AdRotate – Medium
- Allows you to manage all your adverts from the WP dashboard
- Certain URLs passing variables can be exploited in one way or another – just means that in certain cases if your site is passing certain information through the URL then you could be at risk
- Developer states they are not aware of any uses of this vulnerability but does recommend updating
- The vulnerability is patched, and you should update to version 5.8.4.
Careerfy – High
- Careerfy – Job Board WordPress theme brings you a simple solution to display jobs on any type of websites job board
- This theme has a reported XSS issue this month
- The vulnerability is patched, and you should update to version 3.9.0
Newspaper – High
- This theme does what you would expect and helps create a news website with our a newspaper template
- This theme also has a XSS issue
- The vulnerability is patched, and you should update to version 10.3.4
I am a proud affiliate of some of these tools. That means if you click the links and then make a purchase of those products, I will earn a small commission. Affiliate links absolutely do not cost you anything additional. In fact, in some cases these links provide additional benefits, discounts, or add-ons. All of the affiliate links are clearly marked for your benefit. Please know that I recommend these products and chose to be an affiliate because I truly believe in them, use them, and know they work.
WMS 004: Top 7 Mistakes When Building Your Website
About the Show
Created for the non-techie entrepreneur, John Dockins reveals all of his website and online business strategies, income sources and killer marketing tips so that you can be ahead of the pack with your website and online business.
Self proclaimed “coffee addict”, you’ll learn how to build authority online using content management systems like WordPress, email marketing, search engine optimization, content marketing, and much more so that you can create something amazing without burning yourself out.
Websites Made Simple Podcast
John is a family man who also owns his own web design agency and has won several design awards for his work.