WordPress plugins provide a lot of flexibility and features to users. They handle everything from security and backups to payments and more. It is therefore very important to make sure they are robust and free of any plugin vulnerability that could put your website or your visitors' data at risk.
In this article, we talk about 9 popular WordPress plugins that housed vulnerabilities which put websites and their visitors at risk of malicious activity. I urge you to go through this article and update to the latest version to avert any type of digital threat! For deeper insight into each issue, visit the National Vulnerability Database.
1. Header Footer Code Manager
The Header Footer Code Manager plugin has 300,000+ installations. Wordfence security researchers discovered an XSS vulnerability that requires the attacker to trick an administrator into clicking a link or taking a similar action, which could lead to a full site takeover. The vulnerability affects a sensitive area of the WordPress site, where it could be exploited to add backdoors and attack site visitors.
Wordfence recommends that users update the plugin to at least version 1.1.17. The publishers fixed the issue, but for sites using the free version, expect full protection by March 17, 2022.
2. Advanced Database Cleaner
The Advanced Database Cleaner WordPress plugin has 80,000+ installations.
The Advanced Database Cleaner WordPress plugin version ≤ 3.0.4 does not sanitize and escape $_GET keys. This creates a vulnerability that can lead to an XSS issue.
3. GiveWP
The GiveWP Donation Plugin and Fundraising Platform has 100,000+ installations.
The GiveWP WordPress plugin version ≤ 2.17.3 does not escape the s parameter, leading to Reflected Cross-Site Scripting.
4. Ad Inserter
Ad Inserter (Ad Manager & AdSense Ads) has 200,000+ installations.
The researchers found that this plugin has the same type of vulnerability, i.e. Reflected Cross-Site Scripting. It exists in versions older than 2.7.10, where the plugin does not sanitize and escape the html_element_selection parameter.
5. WP Content Copy Protection & No Right Click
WP Content Copy Protection & No Right Click has 100,000+ installations.
Plugin versions ≤ 3.4.4 are vulnerable to Cross-Site Request Forgery (CSRF) attacks.
6. Anti-Malware Security and Brute-Force Firewall
Anti-Malware Security and Brute-Force Firewall has 200,000+ installations.
The Anti-Malware Security and Brute-Force Firewall WordPress plugin version ≤ 4.20.94 does not sanitize and escape POST data. This can lead to Reflected Cross-Site Scripting.
Because the affected parameters are available to admin users, one admin could exploit this against another admin user, so the issue requires prompt correction.
7. Database Backup for WordPress
Database Backup for WordPress has 100,000+ installations.
The Database Backup for WordPress plugin version ≤ 2.5.1 does not properly sanitize and escape the fragment parameter, leading to a SQL injection issue.
8. Popup Builder
The Popup Builder plugin has 200,000+ installations.
This Reflected Cross-Site Scripting vulnerability in Popup Builder can allow high-privilege users to perform SQL injection. Users are advised to check for this issue in versions ≤ 4.0.7 of the plugin.
9. Download Manager
The Download Manager plugin has 100,000+ installations.
The Download Manager WordPress plugin version ≤ 3.2.34 does not sanitize and escape the package_ids parameter. This creates a vulnerability that can lead to SQL injection, which can further be exploited to cause an XSS issue.
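Most of the issues above share one root cause: a request parameter is used without being sanitized and escaped. The following is an added illustration, not code from any of the plugins named here, showing that unsafe pattern beside the WordPress-API way to handle it for the three bug classes discussed (reflected XSS, SQL injection through an id list, and CSRF on an admin action). It assumes it runs inside WordPress; the function names, the packages table and the option and nonce names are hypothetical.

```php
<?php
// Added example, not plugin code. Assumes the WordPress runtime ($wpdb, esc_html, etc.).

// 1. Reflected XSS: a search term (an "s"-style parameter) echoed back into HTML.
function vulnerable_search_echo() {
    echo '<p>Results for: ' . $_GET['s'] . '</p>';              // raw, unescaped output
}
function safe_search_echo() {
    $term = isset( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : '';
    echo '<p>Results for: ' . esc_html( $term ) . '</p>';       // sanitized on input, escaped on output
}

// 2. SQL injection: an id list (a "package_ids"-style parameter) interpolated into a query.
function vulnerable_packages( $wpdb ) {
    return $wpdb->get_results(
        "SELECT * FROM {$wpdb->prefix}packages WHERE id IN (" . $_GET['package_ids'] . ')'
    );
}
function safe_packages( $wpdb ) {
    // Force every element to a non-negative integer and drop anything that became 0.
    $ids = array_map( 'absint', explode( ',', (string) ( $_GET['package_ids'] ?? '' ) ) );
    $ids = array_values( array_filter( $ids ) );
    if ( empty( $ids ) ) {
        return array();
    }
    // One %d placeholder per id; $wpdb->prepare() binds the values safely.
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    return $wpdb->get_results(
        $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}packages WHERE id IN ($placeholders)", $ids )
    );
}

// 3. CSRF: a state-changing admin action needs a capability check and a nonce check.
function safe_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges' );
    }
    check_admin_referer( 'example_save_settings' );   // dies unless the nonce from the form is valid
    $value = sanitize_text_field( wp_unslash( $_POST['example_setting'] ?? '' ) );
    update_option( 'example_setting', $value );
}
// The form that posts to safe_save_settings() must emit the matching field:
// wp_nonce_field( 'example_save_settings' );
```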
Conclusion
Security is of paramount importance, especially in today's era of rapid digital transformation. The most pivotal thing to keep in mind is that security is not a one-time solution; it is a constant endeavor. So your job as a website owner is to make sure you leverage the best available plugins to secure your website and its visitors.
The research found vulnerabilities in many plugins, but these are the most popular ones with vulnerabilities grave enough to have cascading effects on websites and their security.
The important thing is that all of these plugins have received a patch that closes the vulnerability, but it is now up to users to make sure they are updated to the latest version. If you are using any of these plugins on a version mentioned above, I urge you to update ASAP!