Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. Our weekly WordPress Vulnerability Report, now powered by Patchstack, covers new WordPress plugins, themes, and core vulnerabilities that have emerged since our last report. Our goal is to help you decide what to do if you are using one of these vulnerable plugins or themes […]
Vulnerable plugins and themes are the #1 reason WordPress websites get hacked. Our weekly WordPress Vulnerability Report, now powered by Patchstack, covers new WordPress plugins, themes, and core vulnerabilities that have emerged since our last report. Our goal is to help you decide what to do if you are using one of these vulnerable plugins or themes on your website. For a deeper, historical analysis of WordPress vulnerabilities and threat vectors, see our 2022 Annual Vulnerability Report.
Am I Vulnerable?
If you are an iThemes Security or Security Pro user, the Site Scan feature will notify you of any vulnerabilities in WordPress, plugins, and themes you have installed. You can also review the following list of new vulnerabilities and check them against your installed plugins and themes.
Each vulnerability will have a severity rating of low, medium, high, or critical. Severity levels do not indicate whether a vulnerability is being actively exploited or not. A severity rating indicates how easy it would be for an attacker to exploit the vulnerability and how damaging the impact of an effective exploit could be.
We will highlight active exploits as we become aware of them.
Vulnerabilities are assessed by many different authorities, who each interpret risk with their own perspective and priorities. We are providing you with Patchstack’s risk assessment for WordPress site owners like you.
Is There An Update?
The most important information about a vulnerability is whether it has been patched or not.
If a patch or security release exists to secure the vulnerability, you will see a note about this in a green footer closing the individual vulnerability report. You should immediately update the vulnerable software to the highest version available.
Please be aware that even a deactivated plugin or theme may be exploited by attackers as long as it remains installed in WordPress. You should either update or delete vulnerable plugins and themes as soon as possible when a vulnerability emerges in them.
What Should I Do?
If no update is available for a vulnerable plugin or theme that you are actively using, you will see a red footer closing the individual vulnerability report with a warning that no update has been provided yet. We will also highlight vulnerable plugins and themes that have no known fix.
Popular, widely used plugins and themes that remain vulnerable form a uniquely large and attractive attack surface so we will call special attention to them.
You should weigh the costs and benefits of removing vulnerable plugins and themes with no known fix. If they have been dropped from the wordpress.org repositories, we will note their status is “closed.” We recommend adopting a different, secure solution as soon as possible for plugins designated “closed” or that have “no known fix” forthcoming.
It is urgent to remove unpatched themes and plugins with vulnerabilities of any severity if they are being actively exploited and there’s no security update available.
The Future of Authentication is Passkeys! Log into your WordPress site with Biometrics only available in iThemes Security Pro.
Credential stuffing, phishing, and brute force attacks using stolen, guessable, or reused passwords have made our digital lives less secure. Two-Factor Authentication (2FA) offers some protection but at the cost of usability and accessibility. Fewer than 30% of all online account holders actually use 2FA. Password-based logins are broken.
The future of authentication is passkeys, and iThemes Security Pro is the first to bring this breakthrough technology to WordPress sites. Using breakthrough WebAuthn technology based on public/private cryptography, passkeys make passwords obsolete. Now, website admins and end users can have secure logins without the inconvenience of additional two-factor apps, password managers, or complex password requirements.
WordPress Core News
WordPress 6.1.1 was released on November 15, 2022, as a short-cycle maintenance release with 29 bug fixes in Core and 21 bug fixes for the block editor. Because this is a core update, be sure to update to WordPress 6.1.1 as soon as possible! As always, with a major release like this, ensure your site is backed up with BackupBuddy before updating.
WordPress 6.2 Beta 1
WordPress 6.2 Beta 1 is ready for download and testing! The current target for the final release is March 28, 2023. With the arrival of WordPress 6.2, Phase Two of Gutenberg’s development will have ended. Phase Two focused on the Block and Site Editor features that now allow deep customization of site designs and layouts. Next, Phase Three will focus on collaborative editing features. Take a look at the WordPress Development Roadmap to learn more.
No new WordPress core vulnerabilities were disclosed this week.
There is a known unpatched vulnerability in WordPress core affecting all versions of WordPress. If you’re using iThemes Security, you’ve probably been alerted to this. As we are unsure when this very low-severity vulnerability will be patched, emails from iThemes Security will no longer alert for this specific vulnerability. Read our blog post about this vulnerability.
WordPress Plugin Vulnerabilities
In this section, the latest WordPress plugin vulnerabilities have been disclosed. Each plugin listing includes the type of vulnerability, the active installations, the version number if patched, the severity rating, and the CVE.
WordPress All In One WP Security & Firewall plugin
In this section, the latest WordPress theme vulnerabilities have been disclosed. Each theme listing includes the type of vulnerability, the active installations, the version number if patched, the severity rating, and the CVE.
As you can see from this report, new WordPress plugin and theme vulnerabilities are disclosed every week. We know it can be difficult to stay on top of every reported vulnerability disclosure that matters to you, so the Themes Security Pro plugin makes it easy to ensure your site isn’t running a vulnerable theme, plugin, or version of WordPress core.
Scans Your Website Twice a Day for Vulnerabilities
Your website’s plugins, themes, and WordPress core versions are checked against the Patchstack Vulnerability Database for the latest vulnerability disclosures.
Automatically Updates if a Security Fix is Available
Paired with Version Management, iThemes Security will automatically update a plugin, theme, or WordPress core version if it has a vulnerability.
Emails You a Warning if Site Scan Detects a Vulnerability
You can receive an email report if your site is running vulnerable versions of a plugin, theme, or WordPress core. Customize the email addresses that receive scan results.
The Best WordPress Security Plugin to Secure & Protect WordPress Sites
WordPress currently powers over 40% of all websites, so it has become a popular target for hackers with malicious intent. The iThemes Security Pro plugin takes the guesswork out of WordPress security to make it easy to secure & protect your WordPress website. It’s like having a full-time security expert on staff who constantly monitors and protects your WordPress site for you.
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.