This post reviews vulnerabilities in WordPress themes and plugins that have received little to no coverage until today. None of them were discovered by us, but we have been aware of these issues since they were fixed. Our customers were informed and protected at that time.
To provide other users enough time to update and secure their blog, we disclose them only after 30 to 45 days, depending on the severity and popularity of the plugin or theme. This post is updated regularly.
March 21, 2020
On February 14, 2020, the Super Socializer plugin (60,000+ active installations) fixed a critical vulnerability affecting version 7.12.37 and below. An unauthenticated user could bypass the LiveJournal (a Russian social network) authentication process.
On February 19, 2020, the Advanced Import plugin (10,000+ active installations) fixed a critical vulnerability affecting version 1.0.7 and below that could allow an unauthenticated user to reset the database and potentially gain administrator privileges. Note that the vulnerability is very similar to the ThemeGrill Demo Importer < 1.6.3 vulnerability.
On January 28, 2020, the Wordable plugin (1,000+ active installations) fixed an important vulnerability affecting version 3.1.1 and below that could allow an unauthenticated user to bypass the plugin authentication process and temporarily gain administrative privileges, allowing the publication of pages and posts on the blog, as well as the upload of media files.
On January 29, 2020, the Merge + Minify + Refresh plugin (10,000+ active installations) fixed an arbitrary file deletion vulnerability affecting version 1.10.6 and below. Because of missing capability checks, an authenticated user such as a subscriber could delete any file on the blog.
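To show what a "missing capability check" looks like in practice, here is an added example that is not the code of Merge + Minify + Refresh or of any other plugin named in this post: a hypothetical WordPress AJAX file-deletion handler in its vulnerable form next to a hardened one. The hook name, nonce action and cache directory are invented for the illustration.

```php
<?php
// Hypothetical WordPress AJAX handlers illustrating the "missing capability
// check" pattern behind arbitrary file deletion bugs. Not the code of any
// plugin named in this post; hook, nonce and cache directory names are made up.

// VULNERABLE (shown for contrast, intentionally not registered below):
// every logged-in user, including a subscriber, can reach wp_ajax_* hooks,
// and this handler trusts both the caller and the supplied path.
function example_cache_delete_vulnerable() {
    $file = $_POST['file'];   // attacker-controlled, never validated
    unlink( $file );          // removes any file the web server can write
    wp_send_json_success();
}

// HARDENED: capability check, nonce check, and the target path is confined
// to the plugin's own cache directory before anything is deleted.
function example_cache_delete_hardened() {
    // 1. Only administrators may purge the cache; subscribers stop here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 2. Reject requests without a valid nonce (CSRF protection).
    check_ajax_referer( 'example_cache_delete', 'nonce' );

    // 3. Accept a bare file name only, then resolve it inside the cache
    //    directory and verify with realpath() that it did not escape.
    $cache_dir = realpath( WP_CONTENT_DIR . '/cache/example-plugin' );
    $name      = basename( wp_unslash( $_POST['file'] ?? '' ) );
    $target    = false === $cache_dir ? false : realpath( $cache_dir . '/' . $name );

    if ( false === $cache_dir || false === $target
        || 0 !== strpos( $target, $cache_dir . DIRECTORY_SEPARATOR )
        || ! is_file( $target ) ) {
        wp_send_json_error( 'invalid file', 400 );
    }

    // 4. Only an administrator with a fresh nonce and an in-directory
    //    target reaches this point.
    wp_delete_file( $target );
    wp_send_json_success();
}

// Register only the hardened handler.
add_action( 'wp_ajax_example_cache_delete', 'example_cache_delete_hardened' );
```

The capability check alone would have prevented the subscriber-level deletion described above; the nonce and path confinement close the CSRF and path traversal angles that usually accompany such handlers.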
Stay informed about the latest vulnerabilities in WordPress plugins and themes: @nintechnet