Wednesday, June 24, 2026

Nine vulnerable WordPress plugins expose more than 1.3 million websites to exploitation


The U.S. Government Vulnerability Database and WordPress security researchers have issued alerts about vulnerabilities in WordPress plugins. The nine most popular of these plugins are installed on more than 1.3 million websites.

Vulnerabilities in nine WordPress plugins

While more plugins were found to be vulnerable, the nine most popular plugins affected more than 1.3 million websites. Vulnerability rating is

Here is a list of nine vulnerable plugins:

  1. Header Footer Code Manager: 300,000+ installs
  2. Ad Inserter – Ad Manager and AdSense Ads: 200,000+ installs
  3. Popup Builder WordPress plugin: 200,000+ installs
  4. Anti-Malware Security & Brute Force Firewall: 200,000+ installs
  5. WP Content Copy Protection & No Right Click: 100,000+ installs
  6. Database Backup for WordPress: 100,000+ installs
  7. GiveWP – Donation Plugin and Fundraising Platform: 100,000+ installs
  8. Download Manager: 100,000+ installs
  9. Advanced Database Cleaner WordPress plugin: 80,000+ installs

Header Footer Code Manager WordPress Plugin

Wordfence security researchers discovered a reflected cross-site scripting vulnerability in the Header Footer Code Manager WordPress plugin.

Exploiting the flaw requires an attacker to trick an administrator into clicking a link or performing some other action, which can lead to a site-wide takeover.

The researchers noted that because the plugin is used to add code to the site, it touches sensitive areas of a WordPress installation, so the malicious behavior can extend to adding backdoors and attacking site visitors.

Wordfence recommends that publishers update their installations to at least version 1.1.17.

Ad Inserter – Ad Manager and AdSense Ads (Free and Pro)

WPScan reports that Ad Inserter – Ad Manager & AdSense Ads also has a vulnerability that could lead to reflected cross-site scripting attacks.

Publishers are advised to update to at least version 2.7.10.

Popup Builder WordPress Plugin

The Popup Builder plugin contains a vulnerability that could lead to SQL injection.

According to the National Vulnerability Database:

“Popup Builder WordPress plugin prior to 4.0.7 does not validate and properly escape the orderby and order parameters before using them in SQL statements in the admin dashboard, which could allow a privileged user to perform SQL injection”

Publishers are advised to update to at least version 4.0.7 of the WordPress plugin.
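The NVD description quoted above for Popup Builder comes down to sort parameters being placed into a SQL statement as text. The following is an added example, not the plugin's code: it generalizes the fix to Python and SQLite (WordPress plugins are PHP), and the table, column and function names are hypothetical.

```python
import sqlite3

# Allowlists: request value -> SQL fragment. Table/column names are hypothetical.
SORTABLE_COLUMNS = {"id": "id", "title": "title", "created": "created_at"}
DIRECTIONS = {"asc": "ASC", "desc": "DESC"}


def order_clause_unsafe(orderby, order):
    # The flawed pattern: request parameters pasted straight into the statement.
    return f"ORDER BY {orderby} {order}"


def order_clause_safe(orderby, order):
    """Map both parameters through allowlists; unknown input falls back to defaults."""
    column = SORTABLE_COLUMNS.get(str(orderby).strip().lower(), "id")
    direction = DIRECTIONS.get(str(order).strip().lower(), "ASC")
    return f"ORDER BY {column} {direction}"


def list_popups(conn, orderby="id", order="asc", status="published"):
    # Values (status) are bound with placeholders. Identifiers and keywords
    # cannot be bound, so they come only from the allowlists above.
    sql = ("SELECT id, title FROM popups WHERE status = ? "
           + order_clause_safe(orderby, order))
    return conn.execute(sql, (status,)).fetchall()


def demo_connection():
    """In-memory database with constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE popups (id INTEGER PRIMARY KEY, title TEXT, "
                 "status TEXT, created_at TEXT)")
    conn.executemany(
        "INSERT INTO popups (title, status, created_at) VALUES (?, ?, ?)",
        [("Newsletter", "published", "2022-01-10"),
         ("Cookie notice", "published", "2022-01-12"),
         ("Draft promo", "draft", "2022-01-15")])
    return conn


if __name__ == "__main__":
    print(list_popups(demo_connection(), orderby="title", order="desc"))
```

Escaping alone does not help here, because the injected text is not inside a quoted string; only a fixed set of allowed column names and directions does.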

Anti-Malware Security and Brute Force Firewall

This WordPress plugin also contains a reflected cross-site scripting vulnerability. An attacker must have administrator-level credentials to perform an attack.

Publishers are advised to update to at least version 4.20.94.

WP Content Copy Protection and No Right Click

Security researchers at Patchstack report that this WordPress plugin has a Cross-Site Request Forgery (CSRF) vulnerability.

Publishers are advised to update to at least version 3.4.5.

WordPress Database Backup

Security researchers at WPScan have reported a SQL injection vulnerability in the Database Backup for WordPress plugin, which handles the most sensitive part of any WordPress installation, the database.

WPScan Notes:

“The plugin did not properly sanitize and escape fragment parameters before being used in SQL statements in the admin dashboard, causing SQL injection issues”

The National Vulnerability Database recommends that publishers update the Database Backup for WordPress plugin to at least version 2.5.1.

GiveWP – Donation Plugin and Fundraising Platform

The GiveWP donation plugin was found to contain a reflected cross-site scripting vulnerability. Publishers are advised to update to at least version 2.17.3 of the plugin.

Download Manager WordPress Plugin

The plugin contains an SQL injection vulnerability that could lead to reflected cross-site scripting attacks. Publishers are advised to update to at least version 3.2.34.

Advanced Database Cleaner WordPress Plugin

Security researchers discovered that this plugin contains issues that could lead to reflected cross-site scripting attacks. Publishers are advised to update to at least version 3.0.4 of the plugin.

Multiple WordPress plugins are vulnerable

Many plugins have been reported as vulnerable, but these nine are the most popular.

All plugins have received patches to fix bugs, but publishers need to make sure they are using the latest version to keep their sites and site visitors safe.
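To check a site against the minimum versions given in this article, the comparison has to be numeric per component, since a plain string comparison ranks 2.7.9 above 2.7.10. The script below is an added example, not from any of the cited advisories; it keys on the plugin names used in the article, and the sample inventory is constructed.

```python
import re

# Minimum fixed versions as stated in the article, keyed by plugin name.
MIN_FIXED = {
    "Header Footer Code Manager": "1.1.17",
    "Ad Inserter": "2.7.10",
    "Popup Builder": "4.0.7",
    "Anti-Malware Security & Brute Force Firewall": "4.20.94",
    "WP Content Copy Protection & No Right Click": "3.4.5",
    "Database Backup for WordPress": "2.5.1",
    "GiveWP": "2.17.3",
    "Download Manager": "3.2.34",
    "Advanced Database Cleaner": "3.0.4",
}


def parse_version(text):
    """'4.20.94' -> (4, 20, 94). Raises ValueError if no numeric prefix."""
    match = re.match(r"\d+(?:\.\d+)*", text.strip())
    if not match:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(part) for part in match.group().split("."))


def is_older(installed, fixed):
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))  # pad so that '2.17' compares as 2.17.0
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def audit(inventory):
    """inventory: (plugin name, installed version) pairs.
    Returns (name, installed, minimum fixed) for every plugin that needs updating."""
    findings = []
    for name, installed in inventory:
        fixed = MIN_FIXED.get(name)
        if fixed is None:
            continue  # not one of the nine plugins in the article
        try:
            outdated = is_older(installed, fixed)
        except ValueError:
            outdated = True  # unknown version: flag for manual review
        if outdated:
            findings.append((name, installed, fixed))
    return findings


# Constructed sample inventory; "Example Gallery" is a made-up plugin name.
SAMPLE_INVENTORY = [("Ad Inserter", "2.7.9"), ("Popup Builder", "4.1"),
                    ("GiveWP", "2.17"), ("Example Gallery", "1.0"),
                    ("Download Manager", "unknown")]
```

Map the keys to whatever identifier your own plugin inventory uses before running `audit` on real data.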

Citations

Header Footer Code Manager
https://www.wordfence.com/blog/2022/02/reflected-xss-in-header-footer-code-manager/

Ad Inserter – Ads Manager and AdSense Ads
https://nvd.nist.gov/vuln/detail/CVE-2022-0288

Popup Builder WordPress Plugin
https://nvd.nist.gov/vuln/detail/CVE-2022-0228

Anti-Malware Security and Brute Force Firewall
https://nvd.nist.gov/vuln/detail/CVE-2021-25101
https://wpscan.com/vulnerability/5fd0380c-0d1d-4380-96f0-a07be5a61eba

WP Content Copy Protection and No Right Click
https://nvd.nist.gov/vuln/detail/CVE-2022-23983

WordPress Database Backup
https://nvd.nist.gov/vuln/detail/CVE-2022-0255

GiveWP – Donation Plugin and Fundraising Platform
https://nvd.nist.gov/vuln/detail/CVE-2021-25100
https://nvd.nist.gov/vuln/detail/CVE-2021-25099

Download Manager
https://nvd.nist.gov/vuln/detail/CVE-2021-25069
https://wpscan.com/vulnerability/4ff5e638-1b89-41df-b65a-f821de8934e8

Advanced Database Cleaner WordPress Plugin
https://nvd.nist.gov/vuln/detail/CVE-2021-24921




