Unrestricted Access JUL 2022
Tailored WP/Woo Security Report
Be informed about the latest Unrestricted Access JUL 2022 – WP Security Circumvention, identified and reported publicly. These breaches create even more problems and vulnerability exploitation with a severe negative impact on any WordPress Security. Consider our security audit.
A jaw-dropping estimated 6.154.000+ active WordPress installations are susceptible to these attack types, considering only the publicly available numbers. It is a significant +23.5% INCREASE compared to last month. The estimated number can double with premium versions as they are private purchases.
Furthermore, the initial estimation can multiply if we consider the already patched versions BUT NOT UPDATED by owners, as the vulnerability remains active within their domain. As these owners start changing their hosting provider (due to constant unexplained issues), they actively migrate these vulnerabilities behind protected areas, possibly exposing other clean WP to different attack types.
The following cases made headlines PUBLICLY in the Unrestricted Access JUL 2022 category:
Hire security professionals to protect your WP/Woo from publicly reported cases of Unrestricted Access JUL 2022 BEFORE IT’S TOO LATE! You will also protect your customers, your reputation and your online business!
- HTML2WP – Unauthenticated Arbitrary File Upload
- HTML2WP – Authenticated Arbitrary File Deletion
- HTML2WP – Arbitrary Settings Update via Cross-Site Request Forgery (CSRF)
- This plugin has been closed as of May 4, 2022 and is not available for download. This closure is temporary, pending a full review.
- Consider for your online safety, switching with a TOP10LIST alternative WP Security Plugin – OR – Hire professionals for managed WP Security.
- Browser and Operating System Finder – Unauthenticated Settings Reset
- This plugin has been closed as of May 18, 2022 and is not available for download. This closure is temporary, pending a full review.
- Consider for your online safety, switching with a TOP10LIST alternative WP Security Plugin – OR – Hire professionals for managed WP Security.
- ARMember – Membership Plugin, Content Restriction, Member Levels, User Profile & User signup – Unauthenticated Admin Account Takeover
- Active installations: 2.000+
- Consider for your online safety, switching with a TOP10LIST alternative WP Security Plugin – OR – Hire professionals for managed WP Security.
- Backup, Restore and Migrate WordPress Sites With the XCloner Plugin – Unauthenticated Plugin Settings Reset
- Active installations: 20.000+
- Consider for your online disaster recovery, switching with a TOP10LIST alternative WP Backup Plugin – OR – Hire professionals for managed WP Backup.
- Consider for your online safety, switching with a TOP10LIST alternative WP Security Plugin – OR – Hire professionals for managed WP Security.
- Product Configurator for WooCommerce – Unauthenticated Arbitrary File Deletion
- Active installations: 1.000+
- Consider for your online safety, switching with a TOP10LIST alternative WP Security Plugin – OR – Hire professionals for managed WP Security.
- Consider for your online shop, switching with a TOP10LIST alternative WooCommerce Plugin – OR – Hire professionals for managed WooCommerce.
- Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress – Authenticated Stored Cross-Site Scripting (XSS)
- Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress – Unauthenticated PHP Object Injection
- Active installations: 1+ million
- Consider for your online safety, switching with a TOP10LIST alternative WP Security Plugin – OR – Hire professionals for managed WP Security.
- Download Manager – Reflected Cross-Site Scripting (XSS)
- Download Manager – Authenticated Stored Cross-Site Scripting (XSS)
- Download Manager – Unauthenticated Reflected Cross-Site Scripting (XSS)
- Active installations: 100.000+
- Consider for your online safety, switching with a TOP10LIST alternative WP Security Plugin – OR – Hire professionals for managed WP Security.
- Elementor Website Builder – Unauthenticated DOM-based Reflected Cross-Site Scripting (XSS)
- Active installations: 5+ million
- Consider for your online safety, switching with a TOP10LIST alternative WP Security Plugin – OR – Hire professionals for managed WP Security.
- ree Booking Plugin for Hotels, Restaurant and Car Rental – eaSYNC – Unauthenticated Arbitrary File Upload
- Active installations: 400+
- Consider for your online safety, switching with a TOP10LIST alternative WP Security Plugin – OR – Hire professionals for managed WP Security.
- Events Made Easy – Unauthenticated SQL Injection (SQLi)
- Active installations: 6.000+
- Consider for your online safety, switching with a TOP10LIST alternative WP Security Plugin – OR – Hire professionals for managed WP Security.
- Shortcode Addons- with Visual Composer, Divi, Beaver Builder and Elementor Extension – Unauthenticated Arbitrary Option Update
- Active installations: 3.000+
- Consider for your online safety, switching with a TOP10LIST alternative WP Security Plugin – OR – Hire professionals for managed WP Security.
- Accordions – Multiple Accordions or FAQs Builder – Unauthenticated WordPress Options Change
- Active installations: 800+
- Consider for your online safety, switching with a TOP10LIST alternative WP Security Plugin – OR – Hire professionals for managed WP Security.
- Pricing Deals for WooCommerce – Unauthenticated SQL Injection (SQLi)
- This plugin has been closed as of June 2, 2022 and is not available for download. This closure is temporary, pending a full review.
- Consider for your online safety, switching with a TOP10LIST alternative WP Security Plugin – OR – Hire professionals for managed WP Security.
- Awin Data Feed – Reflected Cross-Site Scripting (XSS)
- Awin Data Feed – Unauthenticated Stored Cross-Site Scripting (XSS)
- This plugin has been closed as of June 10, 2022 and is not available for download. This closure is temporary, pending a full review.
- Consider for your online safety, switching with a TOP10LIST alternative WP Security Plugin – OR – Hire professionals for managed WP Security.
- Wbcom Designs – BuddyPress Group Reviews – Unauthorized AJAX Actions due to Nonce Bypass
- Wbcom Designs – BuddyPress Group Reviews – Arbitrary Settings Update & Review Modification
- Active installations: 300+
- Consider for your online safety, switching with a TOP10LIST alternative WP Security Plugin – OR – Hire professionals for managed WP Security.
- Very Simple Contact Form – Captcha bypass
- Active installations: 10.000+
- Consider for your online safety, switching with a TOP10LIST alternative WP Security Plugin – OR – Hire professionals for managed WP Security.
- WP-EMail – Log Deletion via Cross-Site Request Forgery (CSRF)
- WP-EMail – Anti-Spam Protection Bypass via IP Spoofing
- Active installations: 5.000+
- Consider for your online safety, switching with a TOP10LIST alternative WP Security Plugin – OR – Hire professionals for managed WP Security.
- OAuth Single Sign On – SSO (OAuth Client) – Authentication Bypass
- Active installations: 3.000+
- Consider for your online safety, switching with a TOP10LIST alternative WP Security Plugin – OR – Hire professionals for managed WP Security.
- Wbcom Designs – BuddyPress Group Reviews – Unauthorized AJAX Actions due to Nonce Bypass
- Wbcom Designs – BuddyPress Group Reviews – Arbitrary Settings Update & Review Modification
- Active installations: 300+
- Consider for your online safety, switching with a TOP10LIST alternative WP Security Plugin – OR – Hire professionals for managed WP Security.
- Allow svg files – Arbitrary File Upload
- Active installations: 100+
- Consider for your online safety, switching with a TOP10LIST alternative WP Security Plugin – OR – Hire professionals for managed WP Security.
- Cache Images – Authenticated SQL Injection (SQLi)
- Cache Images – Image Upload / Import via Cross-Site Request Forgery (CSRF)
- Active installations: 2.000+
- Consider for your online disaster recovery, switching with a TOP10LIST alternative WP Backup Plugin – OR – Hire professionals for managed WP Backup.
- Consider for your loading time, switching with a TOP10LIST alternative WP Speed Plugin – OR – Hire professionals for managed WP Speed Up.
- Consider for your online safety, switching with a TOP10LIST alternative WP Security Plugin – OR – Hire professionals for managed WP Security.
Get Healthy, Stay Healthy! A healthier online business starts today and it begins with your WP/Woo. Hire security experts to solve all your vulnerabilities created from Unrestricted Access JUL 2022.
BRIEF: Open and Unrestricted Access JUL 2022 to anything within a website is one thing everybody considers to be a total disaster. Many employees have come to rely on the Internet both for work and day-to-day life. As such, they demand unrestricted access at work, and many company bosses have obliged. Without the knowledge to them, however, there may be a risk associated with this.
What is Unauthenticated Insecure Deserialisation?
Insecure Deserialisation is a vulnerability which occurs when untrusted data is used to abuse the logic of an application, inflict a denial of service (DoS) attack, or even execute arbitrary code upon it being deserialised. If the function that is responsible for converting serial data into a structured object assumes that the data is trusted, an attacker may format the serial data in such a way that the result of deserialisation is malicious. Unfortunately, many standard deserialisation functions in programming languages assume that the data is safe.
What is Unauthenticated Backup Download?
The plugin does not restrict access to a BACKUP file containing sensitive information, such as the internal path of backups, which may then allow unauthenticated users to download them.
What is Unrestricted File Upload?
By exploiting this vulnerability, attackers could simply upload files of any type, bypassing all restrictions placed regarding the allowed upload-able file types on a website. By doing this, it allows an attacker to inject malicious content such as web shells into the sites, and providing a method for initial access into the system.
What is Login Rate Limiting Bypass?
When the plugin is configured with a custom header in its Trusted IP Origins setting (e.g X-Forwarded-For), attackers could bypass the protection offered by tampering the header sent in requests. When the plugin is configured to accept an arbitrary header as client source IP address, a malicious user is not limited to perform a brute force attack, because the client IP header accepts any arbitrary string. When randomising the header input, the login count does never reach the maximum allowed retries.
What is Improper Authorisation Check?
An attacker could leverage these issues to dump the database including administrative user credentials, to steal cookie-based authentication credentials, or launch other attacks. An anonymous user may create a new dive entry with a crafted HTTP POST.
SOLVE any reported Unrestricted Access JUL 2022 vulnerability! Do you suspect any security circumvention in your WordPress / WooCommerce?