Unrestricted Access MAR 2022
Tailored WP/Woo Security Report
Be informed about the latest Unrestricted Access MAR 2022 – WP Security Circumvention, identified and reported publicly. These breaches create even more problems and vulnerability exploitation with a severe negative impact on any WordPress Security. Consider our security audit.
An jaw-dropping estimated 7.794.000+ active WordPress installations are susceptible to these attack types, considering only the publicly available numbers. It is a significant -47% decrease compared to last month. The estimated number can double with premium versions as they are private purchases.
Furthermore, the initial estimation can multiply if we consider the already patched versions BUT NOT UPDATED by owners, as the vulnerability remains active within their domain. As these owners start changing their hosting provider (due to constant unexplained issues), they actively migrate these vulnerabilities behind protected areas, possibly exposing other clean WP to different attack types.
The following cases made headlines PUBLICLY in the Unrestricted Access MAR 2022 category:
Hire security professionals to protect your WP/Woo from publicly reported cases of Unrestricted Access MAR 2022 BEFORE IT’S TOO LATE! You will also protect your customers, your reputation and your online business!
- Sparkling – Unauthenticated Function Injection
- Sparkling is a clean minimal and responsive WordPress theme well suited for travel, health, business, finance, portfolio, design, art, photography, personal, ecommerce and any other creative websites and blogs. Active installations: 30,000+
- Essential Addons for Elementor – Unauthenticated LFI
- Essential Addons for Elementor – Reflected Cross-Site Scripting (XSS)
- Enhance your Elementor page building experience with 80+ creative elements and extensions. Add powers to your page builder using our easy-to-use elements those were designed to make your next WordPress page and posts design easier and prettier than ever before. Active installations: 1+ million
- Use Any Font | Custom Font Uploader – Unauthenticated Arbitrary CSS Appending
- Upload any custom fonts you wish and give your site a elegant look. Quickly change font without need of css knowledge. Or you can select from our 23,871+ predefined font collection to add in your site. It even has google fonts which you can store in your own server. Active installations: 200,000+
- TI WooCommerce Wishlist – Unauthenticated Blind SQL Injection (SQLi)
- WooCommerce Wishlist is a simple but powerful tool that can help you to convert your site visitors into loyal customers. There are many situations when customers can’t buy a product at this time or simply don’t want. Possibility to save products for later encourages users to return to your site and after all, make a purchase. Active installations: 100,000+
- Migration, Backup, Staging – WPvivid Backup and Migration Plugin – Unauthenticated Stored Cross-Site Scripting (XSS)
- WPvivid Backup Plugin offers backup, migration, and staging as basic features, and is integrating more and more elegant features, such as unused images cleaner etc. Active installations: 100,000+
- WS Form LITE – Drag & Drop Contact Form Builder for WordPress – Stored Cross-Site Scripting (XSS)
- WS Form LITE – Drag & Drop Contact Form Builder for WordPress – Unauthenticated Stored Cross-Site Scripting (XSS)
- Create professional, mobile friendly, accessible contact forms. WS Form LITE comes complete with features other form builder plugins charge a premium for. Active installations: 1,000+
- Ultimate GDPR & CCPA Compliance Toolkit for WordPress – Unauthenticated Plugin Settings Export and Import
- The General Data Protection Regulation standardizes data protection law across all twenty-eight EU countries and imposes strict new rules on controlling and processing identifiable information. All websites collecting data from EU citizens must meet these GDPR requirements. Failure to comply can result in fines up to €20 million or 4% global turnover, or compensation claims for damages incurred. Active installations: 7800+
- TI WISHLIST WooCommerce Plugin – Unauthenticated Blind SQL Injection (SQLi)
- Simply adding the product to wishlist encourages users to come back, but together with such options as follow, social share, fully manageable private and shared wishlists, promotional emails and so on… makes it a powerful marketing tool. Integrated analytics will help you build your sales strategy and drastically increase revenue. Active installations: N/A
- Crazy Bone – Unauthenticated Stored Cross-Site Scripting (XSS)
- This plugin has been closed as of January 26, 2022 and is not available for download. This closure is temporary, pending a full review.
- Page View Count – Unauthenticated SQL Injection (SQLi)
- A beautifully simple to set up plugin that gives site visitors and site owners the ability to quickly and easily see how many people have visited that page or post. Active installations: 20,000+
- MasterStudy LMS – WordPress LMS Plugin – Unauthenticated Admin Account Creation
- WordPress LMS Plugin MasterStudy is the comprehensive software for feature-rich educational websites. The LMS plugin can turn any WordPress website into a professional online platform that ejoys all industry-specific e-learning & LMS features. It provides you with the tools to create and sell online courses. Active installations: 10,000 +
- NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor – Unauthenticated Blind SQL Injection (SQLi)
- NotificationX – Best FOMO, Social Proof, WooCommerce Sales Popup & Notification Bar Plugin With Elementor – Unauthenticated SQL Injection (SQLi)
- Want to build instant credibility for your business and boost your conversion rate right away? 97% of your total website visitors don’t buy the product due to the lack of trust and credibility. Get instant success with WooCommerce Sales Popup Notification! Active installations: 30,000 +
- WP Spell Check – Unauthenticated SQL Injection (SQLi)
- Proofread & audit your WordPress website with One Click! Find & fix Spelling errors, Punctuation errors, Grammar errors, Broken Shortcodes & HTML, SEO Empty Fields, and Create a professional image with WP Spell Check. Active installations: 3,000+
- WP Statistics – Unauthenticated SQL Injection (SQLi)
- WP Statistics – Unauthenticated Stored Cross-Site Scripting (XSS)
- Do you need a simple tool to know your website statistics? Do you need to represent these statistics? Are you caring about your users’ privacy while analyzing who are interested in your business or website? With WP Statistics you can know your website statistics without any need to send your users’ data anywhere. Active installations: 600,000+
- Better WordPress Google XML Sitemaps (support Sitemap Index, Multi-site and Google News) – Unauthenticated Stored Cross-Site Scripting (XSS)
- This plugin has been closed as of February 14, 2022 and is not available for download. This closure is temporary, pending a full review.
- Login with phone number – Unauthenticated Remote Plugin Deletion
- Login/register with phone number Active installations: 600+
- WCFM – Frontend Manager for WooCommerce along with Bookings Subscription Listings Compatible – Unauthenticated SQL Injection (SQLi)
- WCFM is the smartest and most featured frontend vendor store/shop manager on WordPress, powered by WooCommerce. It works as vendors’ frontend dashboard for most popular woocommerce multi vendor marketplace plugins along with WooCommerce Bookings, Appointments, Rental & Bookings System, Subscriptions compatibility. Active installations: 40,000+
- 5 Stars Rating Funnel WordPress Plugin | RRatingg – Unauthenticated SQL Injection (SQLi)
- This plugin has been closed as of February 14, 2022 and is not available for download. This closure is temporary, pending a full review.
- CommonsBooking – Unauthenticated SQL Injection (SQLi)
- This plugin gives associations, groups and individuals the ability to share items (e.g. cargo bikes, tools) with users. It is based on the idea of Commons and sharing resources for the benefit of the community. Active installations: 100+
- WPCargo Track & Trace – Unauthenticated Remote Code Execution (RCE)
- WPCargo is a WordPress plug-in designed to provide ideal technology solution for your freight forwarding, transportation & logistics operations. Whether you are an exporter, freight forwarder, importer, supplier, customs broker, overseas agent, or warehouse operator, WPCargo helps you increase the visibility, efficiency, and quality services of your cargo and shipment business. Active installations: 10,000+
- Contact Form Submissions – Unauthenticated Stored Cross-Site Scripting (XSS)
- Easy install, no configuration necessary. Once activated all contact form 7 submissions will be saved so you can view them in wp-admin. Active installations: 50,000+
- WP Cerber Security, Anti-spam & Malware Scan – Unauthenticated Stored Cross-Site Scripting (XSS)
- Defends WordPress against hacker attacks, spam, trojans, and malware. Mitigates brute-force attacks by limiting the number of login attempts through the login form, XML-RPC / REST API requests, or using auth cookies. Active installations: 200,000+
- Email Subscribers & Newsletters – Simple and Effective Email Marketing WordPress Plugin – Blind SQL Injection (SQLi)
- Email Subscribers & Newsletters – Simple and Effective Email Marketing WordPress Plugin – Unauthenticated arbitrary option update
- Email Subscribers is a complete newsletter plugin that lets you collect leads, send automated new blog post notification emails, create & send broadcasts and also manage them all in one single place. Active installations: 100,000+
- Yoast SEO – Unauthenticated Full Path Disclosure
- To rank highly in search engines, you need to beat the competition. You need a better, faster, stronger website than the people who sell or do the same kinds of things as you. Active installations: 5+ million
- Photo Gallery by 10Web – Mobile-Friendly Image Gallery – Unauthenticated SQL Injection (SQLi)
- Photo Gallery is the leading plugin for building beautiful mobile-friendly galleries in a few minutes. Active installations: 300,000 +
- BookingPress – Appointments Booking Calendar Plugin and Online Scheduling Plugin – Unauthenticated SQL Injection (SQLi)
- BookingPress is a full-fledged appointment booking plugin that allows setting up a complete booking system according to your requirements on your WordPress website with super ease. Active installations: 300+
Get Healthy, Stay Healthy! A healthier online business starts today and it begins with your WP/Woo. Hire security experts to solve all your vulnerabilities created from Unrestricted Access MAR 2022.
BRIEF: Open and Unrestricted Access MAR 2022 to anything within a website is one thing everybody considers to be a total disaster. Many employees have come to rely on the Internet both for work and day-to-day life. As such, they demand unrestricted access at work, and many company bosses have obliged. Without the knowledge to them, however, there may be a risk associated with this.
What is Unauthenticated Insecure Deserialisation?
Insecure Deserialisation is a vulnerability which occurs when untrusted data is used to abuse the logic of an application, inflict a denial of service (DoS) attack, or even execute arbitrary code upon it being deserialised. If the function that is responsible for converting serial data into a structured object assumes that the data is trusted, an attacker may format the serial data in such a way that the result of deserialisation is malicious. Unfortunately, many standard deserialisation functions in programming languages assume that the data is safe.
What is Unauthenticated Backup Download?
The plugin does not restrict access to a BACKUP file containing sensitive information, such as the internal path of backups, which may then allow unauthenticated users to download them.
What is Unrestricted File Upload?
By exploiting this vulnerability, attackers could simply upload files of any type, bypassing all restrictions placed regarding the allowed upload-able file types on a website. By doing this, it allows an attacker to inject malicious content such as web shells into the sites, and providing a method for initial access into the system.
What is Login Rate Limiting Bypass?
When the plugin is configured with a custom header in its Trusted IP Origins setting (e.g X-Forwarded-For), attackers could bypass the protection offered by tampering the header sent in requests. When the plugin is configured to accept an arbitrary header as client source IP address, a malicious user is not limited to perform a brute force attack, because the client IP header accepts any arbitrary string. When randomising the header input, the login count does never reach the maximum allowed retries.
What is Improper Authorisation Check?
An attacker could leverage these issues to dump the database including administrative user credentials, to steal cookie-based authentication credentials, or launch other attacks. An anonymous user may create a new dive entry with a crafted HTTP POST.
SOLVE any reported Unrestricted Access MAR 2022 vulnerability! Do you suspect any security circumvention in your WordPress / WooCommerce?
