Unrestricted Access JAN 2022
Tailored WordPress Security Report
Be informed about the latest Unrestricted Access JAN 2022 – WP Security Circumvention, identified and reported publicly. These breaches create even more problems and vulnerability exploitation with a severe negative impact on any WordPress Security. Consider our FREE security consulting.
An jaw-dropping estimated 6.044.000+ active WordPress installations are susceptible to these attack types, considering only the publicly available numbers. It is a mind-boggling 480% increase compared to last month. The estimated number can double with premium versions as they are private purchases.
Furthermore, the initial estimation can multiply if we consider the already patched versions BUT NOT UPDATED by owners, as the vulnerability remains active within their domain. As these owners start changing their hosting provider (due to constant unexplained issues), they actively migrate these vulnerabilities behind protected areas, possibly exposing other clean WP to different attack types.
The following cases made headlines PUBLICLY in the SQL Injections JAN 2022 category:
- Logo Carousel – Logo Slider, Logo Showcase, and Clients Logo Gallery – Stored Cross-Site Scripting (XSS)
- Logo Carousel – Logo Slider, Logo Showcase, and Clients Logo Gallery – Unauthorised Private Post Access
- Logo Carousel is a beautiful logo showcase and clients logo gallery plugin that allows you to display a group of logo images in a visually appealing carousel through an intuitive Shortcode Generator. It’s very user-friendly and convenient to manage & display the logo images in your any WordPress site. Active installations: 20,000+
- WCFM Marketplace – Best Multivendor Marketplace for WooCommerce – Unauthenticated SQL Injection
- WooCommerce Multivendor Marketplace (WCFM Marketplace) is the best free front end multi-vendor marketplace plugin on WordPress, powered by WooCommerce. It helps you to build your own dream marketplace like Amazon, eBay, etsy, AirBnB or Flipkart within minutes, with minimal setup. Active installations: 30,000+
- Tickera – WordPress Event Ticketing – Unauthenticated Stored Cross-Site Scripting (XSS)
- If you want to sell tickets on your website and deliver them to your customers digitally, Tickera is exactly what you need. By using Tickera plugin to sell and deliver tickets, you are essentially setting up your own hosted ticketing solution where you control the profits without any middleman fees taken by Tickera. Active installations: 6,000+
- Hide My WP – Amazing Security Plugin for WordPress! – Unauthenticated Plugin Deactivation
- Hide My WP – Amazing Security Plugin for WordPress! – Unauthenticated SQL Injection
- Hide My WP is number one security plugin for WordPress. It hides your WordPress from attackers, spammers and theme detectors. Over 26,000 satisfied customers use Hide My WP. It also hides your wp login URL and renames admin URL. It detects and blocks XSS, SQL Injection type of security attacks on your WordPress website. Active installations: 30,000+
- Contact Form & Lead Form Elementor Builder – Unauthenticated Stored Cross-Site Scripting (XSS)
- Lead Form Builder Plugin is a contact form builder as well as lead generator. Contact Form plugin is compatible with all page builders like Elementor, Brizy, SiteOrigin, Gutenburg etc. Lead Form Builder allows you to create beautiful contact forms. Plugin comes with nearly all field options required to create Contact form, Registration form, News letter and contain Ajax based drag & drop field ordering. Active installations: 20,000+
- LiteSpeed Cache – IP Check Bypass to Unauthenticated Stored Cross-Site Scripting (XSS)
- LiteSpeed Cache – Reflected Cross-Site Scripting (XSS)
- LiteSpeed Cache for WordPress (LSCWP) is an all-in-one site acceleration plugin, featuring an exclusive server-level cache and a collection of optimization features. Active installations: 2+ million
- Canto – Unauthenticated Blind SSRF
- Easily find and publish photos, images, and any other web-safe media file from directly to your WordPress website. Simplify collaboration with your creative team by retrieving media without having to search through emails or folders. Active installations: 70+
- PublishPress Capabilities – User Role Access, Editor Permissions, Admin Menus – Unauthenticated Arbitrary Options Update to Blog Compromise
- PublishPress Capabilities gives you control over all the permissions on your WordPress site. We built this user role editor plugin so you have an EASY and POWERFUL way to manage users. You can customize all your WordPress user roles, from Administrators and Editors to Authors, Contributors, Subscribers and custom roles. Each use role can have the exact permissions that your site needs. Active installations: 100,000+
- PublishPress Capabilities Pro – Unauthenticated Arbitrary Options Update to Blog Compromise
- PublishPress Capabilities is the best plugin to control permissions for your WordPress posts, pages, media and custom post types. Capabilities allows you to manage user roles. You can create and copy roles. You can choose specific permissions for each role. Capabilities also enables you to back up, restore and migrate your site’s permissions. Active installations: N/A
- Site Reviews – Unauthenticated Stored Cross-Site Scripting (XSS)
- Site Reviews allows your visitors to submit reviews with a 1-5 star rating on your website, similar to the way you would on TripAdvisor or Yelp. The plugin provides blocks, shortcodes, and widgets, along with full documentation. Active installations: 40,000+
- Multivendor Marketplace Solution for WooCommerce – WC Marketplace – Unauthenticated AJAX Calls
- Afraid of launching an Online Marketplace? Well, worry no more WC Marketplace provides you with the best marketplace software, you can get, to kickstart your own virtual eCommerce marketplace. This free WordPress plugin equips you with the best of features that help to create any marketplace of your choice. So, create a website like Amazon, Etsy or Airbnb without any worries. Active installations: 10,000+
- Tab – Accordion, FAQ – Unauthenticated AJAX Calls
- Tab allows you to create a simple tabs, accordions and faq for elementor, and all themes. tab and accordion plugin is for creating responsive tab panels with unlimited options and transition animations support. Active installations: 2,000+
- Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier) – Unauthenticated Arbitrary Option Update
- Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier) is an impressive, lightweight, responsive Image hover effects gallery. Use modern and elegant CSS hover effects and animations. Best Used for portfolio/ gallery/image showcase items in WordPress site using shortcodes and custom post. Consider the comfort of developers, we lunch an advanced pure CSS3 based hover effect plugin named Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier). It is fully responsive. Bring your images to live with some beautiful animation and transition with this awesome plugin. Active installations: 20,000+
- True Ranker – Unauthenticated Arbitrary File Access via Path Traversal
- Now you can enjoy for free with the only SEO App that gives you total control of your geolocated Google results with 100% real accuracy. Active installations: 200+
- The Plus Addons for Elementor – Unauthenticated SQL Injection
- The Plus Addons for Elementor – Sensitive Data Disclosure
- Unlock a Faster Elementor Experience with Extra 120+ Powerful Widgets & Extensions for your next big idea! Active installations: N/A
- Contact Form 7 Database Addon – CFDB7 – Arbitrary Form Deletion via CSRF
- Contact Form 7 Database Addon – CFDB7 – Unauthenticated Stored Cross-Site Scripting (XSS)
- The “CFDB7” plugin saves contact form 7 submissions to your WordPress database. Export the data to a CSV file. By simply installing the plugin, it will automatically begin to capture form submissions from contact form 7. Active installations: 400,000+
- Relevanssi – A Better Search – Unauthenticated Stored Cross-Site Scripting (XSS)
- Relevanssi replaces the standard WordPress search with a better search engine, with lots of features and configurable options. You’ll get better results, better presentation of results – your users will thank you. Active installations: 100,000+
- Contact Form Entries – Contact Form 7, WPforms and more – Unauthenticated Stored Cross-Site Scripting (XSS)
- Contact Form 7 Entries Plugin automatically saves form submissions from Contact Form 7, WPforms, CRM Perks Forms and many other popular contact form plugins to wordpress database when anyone submits a form. Active installations: 40,000+
- Protect WP Admin – Unauthenticated Plugin Deactivation
- WP Protect Admin Plugin has Provide Extra Secutiry Layer to Protect Your WordPress Admin Area. Using this plugin you can safe your site using necessary features like change default admin login url (/wp-admin) user name & login history log. Active installations: 30,000+
- Affiliates Manager – Unauthenticated Stored Cross-Site Scripting (XSS)
- Running your WordPress site with an e-Commerce plugin or solution? WP Affiliate Manager can help you manage an affiliate marketing program to drive more traffic and more sales to your store. Active installations: 10,000+
- Tabs – Responsive Tabs with WooCommerce Product Tab Extension – Unauthenticated Arbitrary Option Update
- Tabs – Responsive Tabs with WooCommerce Product Tab Extension brought to you the exclusive WordPress Tabs with WooCommerce integrated product tabs. It was designed to be the best way for adding dynamic content tabs very easily within any professional website and eCommerce store. This awesome animated tabs with CSS3 plugin is the best while creating responsive tabs with dropdown and unlimited effects & animation support. It is the most lightweight yet customizable WordPress Tabs plugin with major page builder integration. Active installations: 10,000+
- Shortcode Addons- with Visual Composer, Divi, Beaver Builder and Elementor Extension – Unauthenticated Arbitrary Option Update
- Shortcode Addons- with Visual Composer, Divi, Beaver Builder, and Elementor Extension is the ultimate addons bundle for major page builders and general users that is packed with 10000+ awesome Templates, Blocks and stunning Pre-designs.Add some more flexibility into that, and you have easier options in form of page builders like Visual Composer, Divi, Elementor or Beaver Builder With over 120+ essential elements and extensions, you will find the ultimate advantage of enhancing your web creation while using Shortcode Addons in WordPress. With the mighty Shortcode Addons, you’ll get the power of having access to all the essential widgets that you have never gotten ever before in one place. Active installations: 4,000+
- WP Mail Logging – Outdated Redux Framework
- WP Mail Logging is the most popular plugin to log emails sent by WordPress or WooCommerce. Simply activate it and it will work immediately, no configuration necessary. Active installations: 100,000+
- OMGF | Host Google Fonts Locally – Arbitrary Folder Deletion via Path Traversal
- Leverage Browser Cache, Minimize DNS requests, reduce Cumulative Layout Shift and serve your Google Fonts in a 100% GDPR compliant way with OMGF! Active installations: 40,000+
- CAOS | Host Google Analytics Locally – Arbitrary Folder Deletion via Path Traversa
- CAOS (Complete Analytics Optimization Suite) for Google Analytics allows you to host analytics.js/gtag.js locally and keep it updated using WordPress’ built-in Cron-schedule. Fully automatic! Active installations: 20,000+
- RegistrationMagic – Custom Registration Forms, User Registration and User Login Plugin – Authentication Bypass
- RegistrationMagic – Custom Registration Forms, User Registration and User Login Plugin – SQL Injection
- Create custom WordPress Registration Forms, allow secure user registration, accept payments, track submissions, manage users, analyze stats, assign user roles, automate processes, send bulk emails and much more. If you need to build a custom WordPress Registration Forms process, look no further! Active installations: 10,000+
- Spreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins. – CSRF Bypass
- Spreadsheet Integration – Automate Google Sheets With WordPress, WooCommerce & Most Popular Form Plugins. – Reflected Cross-Site Scripting (XSS)
- WordPress Google Sheets Integration, Connects WordPress events and its most popular plugin with Google Spreadsheet via Google API and Service Account. Active installations: 1,000+
- Stars Rating – Comments Denial of Service
- A simple and easy to use plugin that turns post, pages and custom post types comments into reviews. Active installations: 800+
- All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic – Authenticated Privilege Escalation
- All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic – Authenticated SQL Injection
- All in One SEO for WordPress is the original WordPress SEO plugin started in 2007. Over 3 million smart website owners use AIOSEO to properly setup WordPress SEO, so their websites can rank higher in search engines. Active installations: 3+ million
BRIEF: Open and Unrestricted Access JAN 2022 to anything within a website is one thing everybody considers to be a total disaster. Many employees have come to rely on the Internet both for work and day-to-day life. As such, they demand unrestricted access at work, and many company bosses have obliged. Without the knowledge to them, however, there may be a risk associated with this.
What is Unauthenticated Insecure Deserialisation?
Insecure Deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application, inflict a denial of service (DoS) attack, or even execute arbitrary code upon it being deserialized. If the function that is responsible for converting serial data into a structured object assumes that the data is trusted, an attacker may format the serial data in such a way that the result of deserialization is malicious. Unfortunately, many standard deserialization functions in programming languages assume that the data is safe.
What is Unauthenticated Backup Download?
The plugin does not restrict access to a BACKUP file containing sensitive information, such as the internal path of backups, which may then allow unauthenticated users to download them.
What is Unrestricted File Upload?
By exploiting this vulnerability, attackers could simply upload files of any type, bypassing all restrictions placed regarding the allowed upload-able file types on a website. By doing this, it allows an attacker to inject malicious content such as web shells into the sites, and providing a method for initial access into the system.
What is Login Rate Limiting Bypass?
When the plugin is configured with a custom header in its Trusted IP Origins setting (e.g X-Forwarded-For), attackers could bypass the protection offered by tampering the header sent in requests. When the plugin is configured to accept an arbitrary header as client source IP address, a malicious user is not limited to perform a brute force attack, because the client IP header accepts any arbitrary string. When randomizing the header input, the login count does never reach the maximum allowed retries.
What is Improper Authorisation Check?
An attacker could leverage these issues to dump the database including administrative user credentials, to steal cookie-based authentication credentials, or launch other attacks. An anonymous user may create a new dive entry with a crafted HTTP POST.