Three critical vulnerabilities in WordPress plugins in May 2023: overview and fixes
13:55, 29.05.2023
As one of the most widely used CMSs in the world, WordPress is under continuous development, with new vulnerabilities arising and being fixed with each update. Today we want to have a look at three major vulnerabilities in WordPress plugins that were fixed in May 2023.
About 140 weak spots were reported during the month. Here we look at the three most critical ones, which together affected as many as 3 million websites.
Download Manager Vulnerability
On April 25, 2023, Wordfence's cybersecurity team discovered a critical security flaw in the Download Manager plugin. This vulnerability, affecting versions up to 3.2.70, allows authenticated users with member-level privileges or higher to inject malicious web scripts.
Download Manager is widely used on over 100,000 WordPress websites for file upload management.
The flaw lies in the handling of certain shortcodes (wpdm_members, wpdm_login_form, wpdm_reg_form), which are vulnerable to stored cross-site scripting (XSS) because user-supplied data is not properly sanitized and escaped before output.
Exploiting this vulnerability enables attackers to execute XSS attacks, gaining unauthorized access to sensitive information, manipulating site content, acquiring administrative privileges, editing files, or redirecting users to malicious websites.
The developer swiftly addressed the issue with the release of version 3.2.71 on May 1, 2023.
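To illustrate the class of bug described above, here is an added example (not the Download Manager plugin's own code) of a shortcode handler that drops a user-controlled attribute straight into page markup, next to the hardened form. The shortcode name `example_form` and its `title` attribute are assumptions.

```php
<?php
// Added illustration of a stored-XSS-prone shortcode handler and its fix.
// Hypothetical shortcode "example_form"; not the Download Manager plugin's code.

// VULNERABLE: the attribute and inner content are concatenated into HTML unescaped.
// A user who may edit posts saves a crafted "title" once, and the markup it
// contains is served to every later visitor (stored XSS).
function example_form_shortcode_vulnerable( $atts, $content = '' ) {
    $title = isset( $atts['title'] ) ? $atts['title'] : 'Sign in';
    return '<form class="example-form" data-title="' . $title . '">'
         . '<h2>' . $title . '</h2>'
         . $content
         . '</form>';
}

// HARDENED: whitelist attributes with shortcode_atts(), escape for the exact
// output context (attribute value vs. text node), and restrict inner HTML to
// the tag set WordPress already allows in post content.
function example_form_shortcode_hardened( $atts, $content = '' ) {
    $atts = shortcode_atts(
        array( 'title' => 'Sign in' ),   // only known attributes survive
        $atts,
        'example_form'
    );
    // sanitize_text_field() strips tags and line breaks on input; escaping on
    // output below is still required because it is context-specific.
    $title = sanitize_text_field( $atts['title'] );
    return '<form class="example-form" data-title="' . esc_attr( $title ) . '">'
         . '<h2>' . esc_html( $title ) . '</h2>'
         . wp_kses_post( $content )
         . '</form>';
}

add_shortcode( 'example_form', 'example_form_shortcode_hardened' );
```

Review of a plugin's shortcode handlers for this pattern (unescaped `$atts` or `$content` in returned HTML) is a quick way to triage similar reports.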
Essential Addons for Elementor Vulnerability
A widely used plugin called "Essential Addons for Elementor" recently had a vulnerability discovered. This flaw allowed unauthorized users to reset passwords for any account, including administrative ones. It was reported by security researcher Rafi Mohammed on May 8, 2023.
Exploiting this vulnerability gave attackers the ability to reset passwords on multiple WordPress sites using the plugin. The issue stemmed from a flawed password reset function that didn't properly verify requests. Attackers could specify a username, extract a valid code from the site's homepage, input arbitrary data, and reset the password with a single request.
WordPress doesn't treat usernames as sensitive information, making it easy for attackers to target sites. Many site owners also use default usernames like "admin," making it even simpler for attackers to identify valid accounts. Once they gain access to an administrative account, attackers can install malicious plugins and compromise the site.
A patch for this critical vulnerability was released on May 11, 2023. It is crucial to apply the patch promptly to protect your site. Additionally, check for any suspicious accounts added to the admin list, as they may have been created earlier for ongoing access.
MonsterInsights Google Analytics Vulnerability
MonsterInsights, another popular plugin with about 3 million users, also had an XSS vulnerability, again reported by Rafi Mohammed.
The vulnerability can be exploited, allowing criminals to steal the users’ information or even take hold of the website.
Through the vulnerability, a cybercriminal can inject a script that the browser treats as trusted site content, allowing it to read the user's information from cookies.
The vulnerability was fixed in version 8.14.1.
Summing up
The three vulnerabilities discussed could pose significant risks to a vast number of websites. Luckily, they have already been fixed. But to benefit from the fixes, make sure to update WordPress itself as well as its plugins whenever a new release comes out. Stay tuned!