Unrestricted Access MAY 2021
Tailored WordPress Security Report
Be informed about the latest Unrestricted Access MAY 2021 – WP Security Circumvention, identified and reported publicly. These breaches create even more problems and vulnerability exploitation with a severe negative impact on any WordPress Security. Consider our FREE security AUDIT.
An estimated 4.499.000+ active WordPress installations are susceptible to these attack types, considering only the publicly available numbers. The estimated number can double with premium versions as they are private purchases.
Furthermore, the initial estimation can multiply if we consider the already patched versions BUT NOT UPDATED by owners, as the vulnerability remains active within their domain. As these owners start changing their hosting provider (due to constant unexplained issues), they actively migrate these vulnerabilities behind protected areas, possibly exposing other clean WP to different attack types.
It is a 400% increase compared to December 2020. We compare last month versus previous winter holiday season, which has the biggest shopping traffic and attack spike throughout the year. Read more about our previous reports here: 35 Unrestricted Access APR 2021 – WP Security Circumvention and 5 Unrestricted Access Issues – WordPress Security DEC. The following cases made headlines PUBLICLY just last month in the SQL Injections MAY 2021 category:
- DSGVO All in one for WP < 4.0 – Unauthenticated Stored Cross-Site Scripting (XSS)
- Bring WordPress up to date according to the General Data Protection Regulation GDPR. Active installations: 20,000+
- Parcel Tracker eCourier < 1.0.2 – Plugin’s Settings Update via CSRF
- A simple WordPress plugin to give your customer an user friendly and simple interface to track their parcel status from your WordPress website. Active installations: 10+
- ReDi Restaurant Reservation < 21.0426 – Unauthenticated Stored Cross-Site Scripting (XSS)
- The one and only fully automated reservation system. Real time available seats check with instant reservation confirmation for your guests. Don’t spent anymore time for manually reviewing and confirming reservations. Turn your web site visitors into restaurant’s guests. Don’t let your guest wait, surprise him with instant confirmation. Active installations: 1,000+
- Simple Giveaways – Grow your business, email lists and traffic with contests < 2.36.2 – Unauthenticated Reflected Cross-Site Scripting (XSS)
- Simple Giveaways helps you host giveaways which is entirely what this plugin is all about. You can host them on a separate page and also drive people to it through widgets & shortcodes. Active installations: 1,000+
- Spam protection, AntiSpam, FireWall by CleanTalk < 5.153.4 – Unauthenticated Blind SQL Injection
- No CAPTCHA, no questions, no animal counting, no puzzles, no math and no spam bots. Universal AntiSpam plugin. Active installations: 100,000+
- Target First Plugin 2.0 – Unauthenticated Stored XSS via Licence Key
- The Target First WordPress Plugin, also previously known as Watcheezy, suffered from a critical unauthenticated stored XSS vulnerability. Active installations: Not public info
- visitors-app <= 0.3 – Unauthenticated Stored Cross-Site Scripting (XSS)
- This plugin has been closed as of May 26, 2022 and is not available for download. This closure is temporary, pending a full review.
- All in One SEO – Best WordPress SEO Plugin – Easily Improve Your SEO Rankings < 126.96.36.199 – Admin RCE via unserialize
- CM Registration Pro < 3.2.1 – PHP Object Injection
- Add a user registration and login pop-up box to any page with this WordPress login plugin. This superb user registration plugin gives you user invitation codes, social login, email verification, custom registration forms, forgot password option, custom fields, front-end user profile builders and more. Active installations: Not public info
- External Media < 1.0.34 – Authenticated Arbitrary File Upload
- Import files from or create external links from third-party services into WordPress Media Library (Dropbox, Box, OneDrive, Google Drive and any other external file from URL). Active installations: 8,000+
- gallery-from-files <= 1.6.0 – Unauthenticated RCE
- This plugin has been closed as of May 24, 2022 and is not available for download. This closure is temporary, pending a full review.
- leads5050-visitor-insights < 1.0.4 – Unauthenticated License Change
- leads5050-visitor-insights < 1.1.0 – Unauthorised License Change
- Leads5050 allows you to monitor visits to your website and turn anonymous visits into potential new business opportunities. This plugin allows you easily to add the Leads5050 tracking code and straight away allows you to identify the origin of visits whether it is from a search engine, social media or an external source directly from your WordPress dashboard. The allows you to identify leads, prospects, existing customers and competitors that visit the site. Active installations: 10+
- Multivendor Marketplace Solution for WooCommerce – WC Marketplace < 3.7.4 – Unauthenticated Arbitrary Product Comment
- Afraid of launching an Online Marketplace? Well, worry no more WC Marketplace provides you with the best marketplace software, you can get, to kickstart your own virtual eCommerce marketplace. This free WordPress plugin equips you with the best of features that help to create any marketplace of your choice. So, create a website like Amazon, Etsy or Airbnb without any worries. Active installations: 10,000+
- NinjaFirewall (WP Edition) – Advanced Security Plugin and Firewall < 4.3.4 – Authenticated (admin+) PHAR Deserialization
- NinjaFirewall (WP Edition) is a true Web Application Firewall. Although it can be installed and configured just like a plugin, it is a stand-alone firewall that stands in front of WordPress. Active installations: 60,000+
- Simple 301 Redirects by BetterLinks – 2.0.0 – 2.0.3 – Unauthenticated Redirect Export
- Simple 301 Redirects by BetterLinks – 2.0.0 – 2.0.3 – Unauthenticated Redirect Import
- Simple 301 Redirects by BetterLinks – 2.0.0 – 2.0.3 – Update and Retrieve Wildcard Value
- Got “404 not found” errors? Launching a marketing campaign with a new URL? Or relaunching your website with a new URL? Let’s redirect your old URLs to new ones automatically by creating 301 redirects to existing pages. Active installations: 300,000+
- Simple Admin Language Change < 2.0.2 – Arbitrary User Locale Change
- The lightweight plugin extends the default functionality and pulls out the language selection to the admin bar so you can easily switch between them. Active installations: 6,000+
- SP Project & Document Manager <= 4.21 – Authenticated Shell Upload
- Project & Document management plugin, Remote file sharing, maintain and control unlimited number of documents, records, files, media, videos and images. You can create unlimited folders and sub folders to share, organize, manage client, student & supplier documents and accounts, control individual documents, and select specific file sharing of documents all in an easy to manage online process. Active installations: 3,000+
- The Plus Addons for Elementor < 4.1.10 – Open Redirect
- The Plus Addons for Elementor < 4.1.11 – Arbitrary Reset Pwd Email Sending
- Collection of 100+ Powerful Elementor Widgets, 18+ Templates, 300+ UI Blocks and Amazing Listing Builder for Post Types to surprise your clients with amazing Websites. Active installations: Not public info
- ThemeHigh WooCommerce Wishlist and Comparison < 1.0.5 – Unauthorised AJAX call
- Wishlist and Comparison Plugin enables your customer to move products to the wishlist for future purchases. The comparison aspect of the plugin enables you to determine the best in terms of product features. Active installations: 10+
- ultimatewoo <= 0.1.10 – PHP Object Injection
- This plugin has been closed and is no longer available for download.
- WP Super Cache < 1.7.3 – Authenticated Remote Code Execution
- This plugin generates static html files from your dynamic WordPress blog. After a html file is generated your webserver will serve that file instead of processing the comparatively heavier and more expensive WordPress PHP scripts. Active installations: 2+ million
BRIEF: Open and Unrestricted Access MAY 2021 to anything within a website is one thing everybody considers to be a total disaster. Many employees have come to rely on the Internet both for work and day-to-day life. As such, they demand unrestricted access at work, and many company bosses have obliged. Without the knowledge to them, however, there may be a risk associated with this.
What is Unauthenticated Insecure Deserialisation?
Insecure Deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application, inflict a denial of service (DoS) attack, or even execute arbitrary code upon it being deserialized. If the function that is responsible for converting serial data into a structured object assumes that the data is trusted, an attacker may format the serial data in such a way that the result of deserialization is malicious. Unfortunately, many standard deserialization functions in programming languages assume that the data is safe.
What is Unauthenticated Backup Download?
The plugin does not restrict access to a BACKUP file containing sensitive information, such as the internal path of backups, which may then allow unauthenticated users to download them.
What is Unrestricted File Upload?
By exploiting this vulnerability, attackers could simply upload files of any type, bypassing all restrictions placed regarding the allowed upload-able file types on a website. By doing this, it allows an attacker to inject malicious content such as web shells into the sites, and providing a method for initial access into the system.
What is Login Rate Limiting Bypass?
When the plugin is configured with a custom header in its Trusted IP Origins setting (e.g X-Forwarded-For), attackers could bypass the protection offered by tampering the header sent in requests. When the plugin is configured to accept an arbitrary header as client source IP address, a malicious user is not limited to perform a brute force attack, because the client IP header accepts any arbitrary string. When randomizing the header input, the login count does never reach the maximum allowed retries.
What is Improper Authorisation Check?
An attacker could leverage these issues to dump the database including administrative user credentials, to steal cookie-based authentication credentials, or launch other attacks. An anonymous user may create a new dive entry with a crafted HTTP POST.