Scroll Top

35 Unrestricted Access JUL 2021 – WP Security Circumvention


Unrestricted Access JUL 2021

Tailored WordPress Security Report

Be informed about the latest Unrestricted Access JUL 2021 – WP Security Circumvention, identified and reported publicly. These breaches create even more problems and vulnerability exploitation with a severe negative impact on any WordPress Security. Consider our FREE security AUDIT.

An jaw-dropping estimated 1.171.000+ active WordPress installations are susceptible to these attack types, considering only the publicly available numbers. The estimated number can double with premium versions as they are private purchases.

Furthermore, the initial estimation can multiply if we consider the already patched versions BUT NOT UPDATED by owners, as the vulnerability remains active within their domain. As these owners start changing their hosting provider (due to constant unexplained issues), they actively migrate these vulnerabilities behind protected areas, possibly exposing other clean WP to different attack types.

It is a mind-boggling 600% increase compared to December 2020. We compare last month versus previous winter holiday season, which has the biggest shopping traffic and attack spike throughout the year. Read more about our previous reports here: 29 Unrestricted Access JUN 2021 – WP Security Circumvention and 5 Unrestricted Access Issues – WordPress Security DEC. The following cases made headlines PUBLICLY just last month in the SQL Injections JUL 2021 category:

Hire security professionals to protect your WordPress from publicly reported cases of Unrestricted Access JUL 2021 BEFORE IT’S TOO LATE! You will also protect your customers, your reputation and your online business!

  • ECPay Logistics for WooCommerce – Unauthenticated Reflected XSS
    • 綠界科技物流外掛套件,提供合作特店以及個人會員使用開放原始碼商店系統時,無須自行處理複雜的檢核,直接透過安裝設定外掛套件,便可以較快速的方式介接綠界科技的物流系統。 Active installations: 2,000+

  • LifterLMS – Access Other Student Grades/Answers via IDOR
    • LifterLMS is a powerful WordPress LMS plugin that makes it easy to create, sell, and protect engaging online courses and training based membership websites. LifterLMS is a complete course building and LMS solution that works with any well-coded WordPress theme, modern WordPress blocks, and all the popular WordPress page builders (like Elementor, Beaver Builder, Divi, Gutenberg, etc.). As an engaged WordPress community member, LifterLMS actively encourages and helps other great plugins integrate with LifterLMS like Affiliate WP, Monster Insights, WP Fusion, the most popular form plugins, GamiPress, Astra Pro, the Course Scheduler, and many more. You can also connect your WordPress LMS website to 1,500+ other apps via Zapier. LifterLMS is one of only 11 WordPress plugins listed in the Zapier app directory. Active installations: 10,000+

  • Adapta RGPD – Unauthorized Consent via CSRF
    • Adapta RGPD es una herramienta que te ayuda a crear las páginas legales en español, adaptar tu sitio web al RGPD y cumplir la ley de Cookies de una forma clara y fácil. Active installations: 30,000+

  • WP Prayer – Unauthorized AJAX call via CSRF
    • Prayer request application that allows users to submit requests, or pray for existing requests. All requests can be moderated from the admin section. Active installations: 1,000+

  • Alkubot – Unauthorized AJAX call via CSRF
    • Say goodbye to intrusive, low converting pop-ups. Boost your revenue and optimize coupons/discounts with an intelligent gamified sales chatbot. Active installations: 10+

Get Healthy, Stay Healthy! A healthier online business starts today and it begins with you. Hire security experts to solve all your vulnerabilities created from Unrestricted Access JUL 2021.

BRIEF: Open and Unrestricted Access JUL 2021 to anything within a website is one thing everybody considers to be a total disaster. Many employees have come to rely on the Internet both for work and day-to-day life. As such, they demand unrestricted access at work, and many company bosses have obliged. Without the knowledge to them, however, there may be a risk associated with this.

What is Unauthenticated Insecure Deserialisation?

Insecure Deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application, inflict a denial of service (DoS) attack, or even execute arbitrary code upon it being deserialized. If the function that is responsible for converting serial data into a structured object assumes that the data is trusted, an attacker may format the serial data in such a way that the result of deserialization is malicious. Unfortunately, many standard deserialization functions in programming languages assume that the data is safe.

What is Unauthenticated Backup Download?

The plugin does not restrict access to a BACKUP file containing sensitive information, such as the internal path of backups, which may then allow unauthenticated users to download them.

What is Unrestricted File Upload?

By exploiting this vulnerability, attackers could simply upload files of any type, bypassing all restrictions placed regarding the allowed upload-able file types on a website. By doing this, it allows an attacker to inject malicious content such as web shells into the sites, and providing a method for initial access into the system.

What is Login Rate Limiting Bypass?

When the plugin is configured with a custom header in its Trusted IP Origins setting (e.g X-Forwarded-For), attackers could bypass the protection offered by tampering the header sent in requests. When the plugin is configured to accept an arbitrary header as client source IP address, a malicious user is not limited to perform a brute force attack, because the client IP header accepts any arbitrary string. When randomizing the header input, the login count does never reach the maximum allowed retries.

What is Improper Authorisation Check?

An attacker could leverage these issues to dump the database including administrative user credentials, to steal cookie-based authentication credentials, or launch other attacks. An anonymous user may create a new dive entry with a crafted HTTP POST.


CONTACT US TODAY with any reported Unrestricted Access JUL 2021 vulnerability! Do you suspect any security circumvention in your WordPress?

Do you suspect any Unrestricted Access JUL 2021 within your WordPress? Contact us today for a FREE AUDIT!

Related Posts