Unrestricted Access APR 2022
Tailored WP/Woo Security Report
Be informed about the latest Unrestricted Access APR 2022 - WP Security Circumvention, identified and reported publicly. These breaches create even more problems and vulnerability exploitation with a severe negative impact on any WordPress Security. Consider our security audit.
An jaw-dropping estimated 1.806.000+ active WordPress installations are susceptible to these attack types, considering only the publicly available numbers. It is a significant 27% increase compared to last month. The estimated number can double with premium versions as they are private purchases.
Furthermore, the initial estimation can multiply if we consider the already patched versions BUT NOT UPDATED by owners, as the vulnerability remains active within their domain. As these owners start changing their hosting provider (due to constant unexplained issues), they actively migrate these vulnerabilities behind protected areas, possibly exposing other clean WP to different attack types.
The following cases made headlines PUBLICLY in the Unrestricted Access APR 2022 category:
Hire security professionals to protect your WP/Woo from publicly reported cases of Unrestricted Access APR 2022 BEFORE IT’S TOO LATE! You will also protect your customers, your reputation and your online business!
- WooCommerce Affiliate Plugin – Coupon Affiliates - CrossSite Request Forgery (CSRF) + Sensitive Information Disclosure
- WooCommerce Affiliate Plugin – Coupon Affiliates - Unauthenticated Stored Cross-Site Scripting (XSS)
- Active installations: 1,000+
- OSMapper - Unauthenticated Arbitrary Post Deletion
- This plugin has been closed as of February 15, 2022 and is not available for download. This closure is temporary, pending a full review.
- NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor - Unauthenticated SQL Injection (SQLi)
- Active installations: 30,000+
- Amelia – Events & Appointments Booking Calendar - Sensitive Data Disclosure
- Amelia – Events & Appointments Booking Calendar - Arbitrary Customer Deletion via CSRF
- Amelia – Events & Appointments Booking Calendar - Arbitrary Appointments Status Update
- Amelia – Events & Appointments Booking Calendar - Arbitrary Appointments Update
- Amelia – Events & Appointments Booking Calendar - Unauthenticated Stored Cross-Site Scripting (XSS)
- Amelia – Events & Appointments Booking Calendar - SMS Service Abuse and Sensitive Data Disclosure
- Active installations: 40,000+
- Narnoo Distributor - Unauthenticated Local File Inclusion (LFI) vulnerability leading to Arbitrary File Read / RCE
- This plugin has been closed as of February 18, 2022 and is not available for download. This closure is temporary, pending a full review.
- Limit Login Attempts (Spam Protection) - Unauthenticated SQL Injection (SQLi)
- Active installations: 300+
- Church Admin - Unauthenticated Plugin's Backup Disclosure
- Active installations: 1,000+
- Drag and Drop Multiple File Upload – Contact Form 7 - Unauthenticated Stored Cross-Site Scripting (XSS)
- Active installations: 40,000+
- Plezi - Unauthenticated Stored Cross-Site Scripting (XSS)
- Active installations: 90+
- Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection - Unauthenticated SQL Injection (SQLi)
- Block Bad Bots and Stop Bad Bots Crawlers and Spiders and Anti Spam Protection - WordPress Options Update
- Active installations: 10,000+
- Title Experiments Free - Unauthenticated SQL Injection (SQLi)
- Active installations: 800+
- SpeakOut! Email Petitions - Unauthenticated SQL Injection (SQLi)
- Active installations: 5,000+
- Ninja Forms +
File Uploads - Unauthenticated Arbitrary File Upload - Ninja Forms +
File Uploads - Unauthenticated Stored Cross-Site Scripting (XSS)- Active installations: N/A
- Easy Social Icons - SQL Injection (SQLi)
- Easy Social Icons - Unauthenticated Arbitrary Icon Deletion
- Easy Social Icons - Stored Cross-Site Scripting (XSS)
- Active installations: 40,000+
- Booking Package – Appointment Booking Calendar System - Unauthenticated Sensitive Data Disclosure
- Active installations: 9,000+
- Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress - Unauthenticated Email Address Disclosure
- Active installations: 1+ million
- Product Table for WooCommerce (wooproducttable.com) - Unauthenticated Arbitrary Function Call
- Active installations: 8,000+
- Daily Prayer Time - Unauthenticated SQL Injection (SQLi)
- Active installations: 1,000+
- RSVP and Event Management Plugin - Unauthenticated Entries Export
- Active installations: 5,000+
- TATSU - No-Code Page Builder for WordPress - Unauthenticated Remote Code Execution (RCE)
- Active installations: N/A
- SearchIQ – The Search Solution - Unauthenticated Stored Cross-Site Scripting (XSS)
- Active installations: 2,000 +
- Admin Word Count Column - Unauthenticated Arbitrary File Read
- This plugin has been closed as of March 29, 2022 and is not available for download. This closure is temporary, pending a full review.
- Web To Print Shop : uDraw – Widescreen UI - Unauthenticated Arbitrary File Access
- Active installations: 20+
- English WordPress Admin - Unauthenticated Open Redirect
- This plugin has been closed as of January 18, 2022 and is not available for download. Reason: Security Issue.
- Donations - Unauthenticated SQL Injection (SQLi)
- This plugin has been closed as of February 28, 2022 and is not available for download. This closure is temporary, pending a full review.
- Master Elements - Unauthenticated SQL Injection (SQLi)
- This plugin has been closed as of March 9, 2022 and is not available for download. This closure is temporary, pending a full review.
- Users Ultra Membership, Users Community and Member Profiles With PayPal Integration Plugin - Unauthenticated SQL Injection (SQLi)
- This plugin has been closed as of March 14, 2022 and is not available for download. This closure is temporary, pending a full review.
- Videos sync PDF - Unauthenticated Local File Inclusion (LFI)
- Active installations: 10+
- Cab fare calculator - Unauthenticated Local File Inclusion (LFI)
- Active installations: 100+
- EXMAGE – WordPress Image Links - Blind Server-Side Request Forgery (SSRF)
- Active installations: 2,000+
- Advanced Page Visit Counter – Most Advanced WordPress Visit Counter Plugin - CrossSite Request Forgery (CSRF) + Sensitive Information Disclosure
- Advanced Page Visit Counter – Most Advanced WordPress Visit Counter Plugin - Blind SQL Injection (SQLi)
- Active installations: 10,000+
- RW Divi Unite Gallery - Security Bypass
- This plugin has been closed as of January 24, 2022 and is not available for download. This closure is temporary, pending a full review.
- Safe SVG - SVG Sanitization Bypass
- Active installations: 600,000+
Get Healthy, Stay Healthy! A healthier online business starts today and it begins with your WP/Woo. Hire security experts to solve all your vulnerabilities created from Unrestricted Access APR 2022.
BRIEF: Open and Unrestricted Access APR 2022 to anything within a website is one thing everybody considers to be a total disaster. Many employees have come to rely on the Internet both for work and day-to-day life. As such, they demand unrestricted access at work, and many company bosses have obliged. Without the knowledge to them, however, there may be a risk associated with this.
What is Unauthenticated Insecure Deserialisation?
Insecure Deserialisation is a vulnerability which occurs when untrusted data is used to abuse the logic of an application, inflict a denial of service (DoS) attack, or even execute arbitrary code upon it being deserialised. If the function that is responsible for converting serial data into a structured object assumes that the data is trusted, an attacker may format the serial data in such a way that the result of deserialisation is malicious. Unfortunately, many standard deserialisation functions in programming languages assume that the data is safe.
What is Unauthenticated Backup Download?
The plugin does not restrict access to a BACKUP file containing sensitive information, such as the internal path of backups, which may then allow unauthenticated users to download them.
What is Unrestricted File Upload?
By exploiting this vulnerability, attackers could simply upload files of any type, bypassing all restrictions placed regarding the allowed upload-able file types on a website. By doing this, it allows an attacker to inject malicious content such as web shells into the sites, and providing a method for initial access into the system.
What is Login Rate Limiting Bypass?
When the plugin is configured with a custom header in its Trusted IP Origins setting (e.g X-Forwarded-For), attackers could bypass the protection offered by tampering the header sent in requests. When the plugin is configured to accept an arbitrary header as client source IP address, a malicious user is not limited to perform a brute force attack, because the client IP header accepts any arbitrary string. When randomising the header input, the login count does never reach the maximum allowed retries.
What is Improper Authorisation Check?
An attacker could leverage these issues to dump the database including administrative user credentials, to steal cookie-based authentication credentials, or launch other attacks. An anonymous user may create a new dive entry with a crafted HTTP POST.
SOLVE any reported Unrestricted Access APR 2022 vulnerability! Do you suspect any security circumvention in your WordPress / WooCommerce?
