The Cyber Express uses WordPress, the most widely used content management system (CMS) on the Internet. Its popularity also means that it also faces higher developer scrutiny for WordPress vulnerabilities and, subsequently, hacking.
While it is impossible to predict the number of daily threats your site may face, it is important to be aware of and understand potential WordPress-specific vulnerabilities in case you become a victim of an attack.
We’ve already seen multiple zero-day vulnerabilities in the WordPress environment and the consequences of failing to patch them as soon as possible. The WordFence threat intelligence team issued a warning in September about the WPGateway plugin.
The CVE-2022-3180 (CVSS score of 9.8) was assigned to the vulnerability, which allows attackers to add an administrator account to websites utilizing WPGateway.
According to the Wordfence, other critical WordPress vulnerabilities exists in the YITH WooCommerce gift cards premium WordPress extension. This vulnerability can be exploited by attackers to take over the system.
Through the YITH WooCommerce Gift Card extension, online retailers can create and sell gift cards for their customers. Its developer claims that the premium version has over 50,000 installations.
The CVE-2022-45359 vulnerability (CVSS score of 9.8)) was fixed in November after it was reported.
A security firm noted that an attacker can take over the system by placing a backdoor on a vulnerability-ridden installation.
Another critical thing to know is that once an attacker gets administrator privileges, they can practically take control of the website and add/remove the administrators from it.
Here are some of the WordPress vulnerabilities spotted in 2022.
Contest Gallery among Key WordPress Vulnerabilities
The Contest Gallery plugin before version 19.1.5.1 also falls prey to a vulnerability. According to experts, the plugin fails to bolt the Fields POST parameter before concatenating it to a SQL query in users-registry-check-registering-and-login.php. What it means is that any unauthorized user can access the site’s database, causing a threat to sensitive information and ownership.
Stop Spammers Security
Stop Spammers Security is a security-rich WordPress plugin that offers protection against spam comments. However, a vulnerability caused the plugin to malfunction — failing to provide protection. According to sources, the plugin passes base64 encoded user input to the unserialize() PHP function. This could lead to PHP Object injection if the plugin installed on the blog has an appropriate gadget chain.
Booster for WooCommerce
Booster for WooCommerce allows store owners to create offers for customers at product & checkout pages to increase sales. The versions before 6.0.0 provide limited security as some URL fails to pass and opens doors for Reflected Cross-Site Scripting, a web vulnerability that allows an attacker to inject malicious code into a website. This code is executed by the victim’s web browser, allowing the attacker to steal sensitive information or perform other malicious actions.
Menu Item Visibility
Menu Item Visibility is a WordPress plugin that provides primary control to WordPress menus, and according to the source, the plugin doesn’t offer any protection and validate the “Visibility logic” option for WordPress menu items. This vulnerability could allow “highly privileged” users to execute arbitrary PHP code.
Last but not least, passwords!
WordPress admins must know the importance of using strong passwords and the risks associated with weak ones. Strong passwords can be challenging to remember, so people may opt for more straightforward, more vulnerable passwords that are easier to remember.
This contributes to more frequent attacks, and the risk of getting unauthorized access increases several folds. In the last few months, there have been several WordPress vulnerabilities that could still damage WordPress websites.
These WordPress websites may have limitations on the types of passwords that can be used, such as requiring a certain number of characters or prohibiting using specific characters, among other vulnerabilities that could be exploited.