28 Unrestricted Access MAR 2021
WordPress Security Report
Be informed about the latest Unrestricted Access MAR 2021 – WP Security Circumvention, identified and reported publicly. These breaches create even more problems and vulnerability exploitation with a severe negative impact on any WordPress Security. Consider our FREE security AUDIT.
An estimated 3.061.000+ active WordPress installations are susceptible to these attack types, considering only the publicly available numbers. The estimated number can double with premium versions as they are private purchases.
Furthermore, the initial estimation can multiply if we consider the already patched versions BUT NOT UPDATED by owners, as the vulnerability remains active within their domain. As these owners start changing their hosting provider (due to constant unexplained issues), they actively migrate these vulnerabilities behind protected areas, possibly exposing other clean WP to different attack types.
It is a 459% increase compared to December 2020. We compare last month versus previous winter holiday season, which has the biggest shopping traffic and attack spike throughout the year. Read more about our previous report here: 18 Unrestricted Access FEB 2021 – WP Security Circumvention and 5 Unrestricted Access Issues – WordPress Security DEC. The following cases made headlines PUBLICLY just last month in the SQL Injections MAR 2021 category:
- Tutor LMS – eLearning and online course solution < 1.7.7 – Unprotected AJAX including Privilege Escalation
- Tutor is a complete, feature-packed and robust WordPress LMS plugin to create & sell courses online easily. All the features of this learning management system hits all the checkpoints for a full-fledged online course marketplace. You can create challenging and fun quizzes, interactive lessons, powerful reports and stats making Tutor potentially the best free WordPress LMS plugin. Manage, administer and monetize your education, online school, and online courses without having to write a single line of code. Active installations: 30,000+
- WooCommerce Help Scout < 2.9.1 – Unauthenticated Arbitrary File Upload leading to RCE
- Using WooCommerce Help Scout, connect your WooCommerce-powered online store to a Help Scout mailbox, helping your customers to request assistance with orders and to receive their answers as quickly as possible. Active installations: Not public info
- WooCommerce Upload Files < 59.4 – Unauthenticated Arbitrary File Upload
- Upload any file any size from the product, cart, checkout, thank you, and/or order details pages! Preview images, add additional costs, fees, and many more options! Active installations: Not public info
- WP GDPR Compliance < 1.5.6 – Unauthenticated Stored Cross-Site Scripting (XSS)
- This plugin assists website and webshop owners to comply with European privacy regulations known as GDPR. Activating this plugin does not guarantee your site fully complies with GDPR. Active installations: 200,000+
- WP Page Builder < 1.2.4 – Multiple Stored Cross-Site scripting (XSS)
- WP Page Builder is the Ultimate Tool to Develop your Website. Absolutely no Coding Required. Active installations: Not public info
- WP Super Cache < 1.7.2 – Authenticated Remote Code Execution (RCE)
- This plugin generates static html files from your dynamic WordPress blog. After a html file is generated your webserver will serve that file instead of processing the comparatively heavier and more expensive WordPress PHP scripts. Active installations: 2+ million
- WP-Curricul Vitea Free <= 6.3 – Unauthenticated Arbitrary File Upload to RCE
- Active installations: No known fix – plugin closed
- wpDataTables – Tables & Table Charts < 3.4.2 – Improper Access Control leading to Table Data Deletion
- wpDataTables is a popular WordPress table plugin used to quickly create tables & table charts from Excel, CSV, PHP and other data sources. Use our WP table plugin to represent vast amounts of complicated data in concise, user-friendly way using tables or charts. Active installations: 40,000+
- Conversion Focused WordPress Plugins – Unauthenticated Option Update
- Conversion Focused WordPress Themes – Unauthenticated Option Update
- Themes & plugins, built from the ground up to make your entire website convert more of your visitors into subscribers, customers & clients! Active installations: Not public info
- BuddyPress < 7.2.1 – Force a Friendship
- BuddyPress < 7.2.1 – Invite Member to Join Group
- BuddyPress < 7.2.1 – Manage BuddyPress Member Types
- BuddyPress < 7.2.1 – Read Private Messages
- BuddyPress < 7.2.1 – REST API Privilege Escalation
- Are you looking for modern, robust, and sophisticated social network software? BuddyPress is a suite of components that are common to a typical social network, and allows for great add-on features through WordPress’s extensive plugin system. Active installations: 200,000+
- Controlled Admin Access < 1.5.2 – Improper Access Control & Privilege Escalation
- Controlled Admin Access < 1.5.6 – Improper Access Control to Privilege Escalation
- Give a temporary limited admin. access to themes designers, plugins developers and support agents. The plugin is simple and clean, it helps the administrator to create a user with a temporary access and choose which pages in your admin area which you don’t want the user to access. send the details to the user and when he finished his task, you can easily deactivate the account and activate it later. Active installations: 8,000+
- Cooked Pro < 126.96.36.199 – Unauthenticated Reflected Cross Site Scripting (XSS)
- Cooked is the absolute best way to create & display recipes with WordPress. SEO optimized (rich snippets), galleries, cooking timers, printable recipes and much more. Active installations: 8,000+
- Easy Form Builder <= 1.0 – Authenticated Arbitrary File Upload
- No known fix – plugin closed
- Facebook for WordPress < 3.0.0 – PHP Object Injection with POP Chain
- This plugin will install a Facebook Pixel for your page so you can capture the actions people take when they interact with your page, such as Lead, ViewContent, AddToCart, InitiateCheckout and Purchase events. Active installations: 500,000+
- Five Star Restaurant Menu – WordPress Ordering Plugin < 2.2.1 – Unauthenticated PHP Object Injection
- Easily and quickly create a stylish, responsive restaurant menu for your site, and also set up a restaurant menu ordering system within minutes. With the easy-to-use menu builder, and the included layout and customization options, you’ll have your menu set up in no time. Active installations: 10,000+
- JH 404 Logger <= 1.1 – Unauthenticated Stored Cross-Site Scripting (XSS)
- No known fix – plugin closed
- N5 Upload Form <= 1.0 – Unauthenticated Arbitrary File Upload to RCE
- No known fix – plugin closed
- Patreon WordPress < 1.7.0 – Unauthenticated Local File Disclosure
- Connect your WordPress site and your Patreon to increase your patrons and pledges! Active installations: 5,000+
- SecuPress Pro — WordPress Security < 2.0 – Unauthenticated Arbitrary IP Ban
- Super Interactive Maps for WordPress – Unauthenticated SQL Injections
- Super Interactive Maps is a fully-featured WordPress Plugin integrated with Google Geochart API that allows you to create maps of country, continent and regions. Create custom markers on top of your map to show location of interest such as hotel, cafes, airport and others. You can add interactivity to your map such as displaying interactive tooltips, lightbox window or linking to a web page content. Active installations: Not public info
- Super Store Finder for WordPress (Google Maps Store Locator) – Unauthenticated SQL Injections
- Super Store Finder for WordPress is a fully-featured store locator WordPress plugin integrated with the latest Google Maps API that allows customers to locate your stores easily. Tailor-made with intuitive responsive design for smartphones, tablets and touch screen devices. It has powerful administrator that allows you to manage stores, tags/categories and customize styles, colors, labels, notifications, regions and map settings. Active installations: Not public info
- The Plus Addons for Elementor Page Builder Lite < 4.1.7 – Authentication Bypass
- The Plus Addons is made by experienced designers and developers to fulfil all your needs while development of websites. It’s completely responsive, easy to use with tons of options. Which makes this plugin biggest, unique and most advance. Plugin is already used by lots of designers and developers and they have given very positive feedbacks. We keep improving plugin so you have the best available version with latest features as per trends. Active installations: 30,000+
BRIEF: Open and Unrestricted Access MAR 2021 to anything within a website is one thing everybody considers to be a total disaster. Many employees have come to rely on the Internet both for work and day-to-day life. As such, they demand unrestricted access at work, and many company bosses have obliged. Without the knowledge to them, however, there may be a risk associated with this.
What is Unauthenticated Insecure Deserialisation?
Insecure Deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application, inflict a denial of service (DoS) attack, or even execute arbitrary code upon it being deserialized. If the function that is responsible for converting serial data into a structured object assumes that the data is trusted, an attacker may format the serial data in such a way that the result of deserialization is malicious. Unfortunately, many standard deserialization functions in programming languages assume that the data is safe.
What is Unauthenticated Backup Download?
The plugin does not restrict access to a BACKUP file containing sensitive information, such as the internal path of backups, which may then allow unauthenticated users to download them.
What is Unrestricted File Upload?
By exploiting this vulnerability, attackers could simply upload files of any type, bypassing all restrictions placed regarding the allowed upload-able file types on a website. By doing this, it allows an attacker to inject malicious content such as web shells into the sites, and providing a method for initial access into the system.
What is Login Rate Limiting Bypass?
When the plugin is configured with a custom header in its Trusted IP Origins setting (e.g X-Forwarded-For), attackers could bypass the protection offered by tampering the header sent in requests. When the plugin is configured to accept an arbitrary header as client source IP address, a malicious user is not limited to perform a brute force attack, because the client IP header accepts any arbitrary string. When randomizing the header input, the login count does never reach the maximum allowed retries.
What is Improper Authorisation Check?
An attacker could leverage these issues to dump the database including administrative user credentials, to steal cookie-based authentication credentials, or launch other attacks. An anonymous user may create a new dive entry with a crafted HTTP POST.