November 2020 Vulnerabilities

WordPress Core Vulnerabilities

WordPress 5.5.2 was released on October 29th and included 10 WordPress core security fixes.

Here is the list of security fixes mentioned in the WordPress 5.5.2 release post.

• Hardened deserialization requests.
• Fix to disable spam embeds from disabled sites on a multisite network.
• Fixed a security issue that could lead to an XSS from global variables.
• Fixed a privilege escalation issue in XML-RPC.
• Fixed an issue around privilege escalation around post commenting via XML-RPC.
• Fixed a security issue where a DoS attack could lead to RCE.
• Removed a method to store XSS in post slugs.
• Removed method to bypass protected meta that could lead to arbitrary file deletion.
• Removed a method that could lead to CSRF.

WordPress Plugin Vulnerabilities

1. SW Ajax WooCommerce Search

SW Ajax WooCommerce Search versions below 1.2.8 have an Unauthenticated Reflected XSS & XFS vulnerabilities.

2. AccessPress Social Icons

AccessPress Social Icons versions below 1.8.1 have an Authenticated SQL Injection vulnerability.

3. GDPR CCPA Compliance Support

GDPR CCPA Compliance Support versions below 2.4 have an Unauthenticated PHP Object Injection vulnerability.

4. Augmented Reality

All versions of Augmented Reality have an Unauthenticated PHP File Upload leading to RCE vulnerability.

5. Welcart e-Commerce

Welcart e-Commerce versions below 1.9.36 have Authenticated PHP Object Injection vulnerability.

6. WooCommerce

WooCommerce versions below 4.6.2 have a Guest Account Creation vulnerability.

7. WooCommerce Blocks

WooCommerce Blocks versions below 3.7.1 have a Guest Account Creation vulnerability.

8. Abandoned Cart Lite for WooCommerce

Abandoned Cart Lite for WooCommerce versions below 5.8.3 have an Unauthenticated SQL Injection vulnerability.

9. WP Activity Log

WP Activity Log versions below 4.1.5 have an SQL Injection in External Database Module vulnerability.

10. Ultimate Member

Ultimate Member versions below 2.1.12 have an Unauthenticated Privilege Escalation via User Roles, Profile Update & User Meta vulnerabilities.

11. Ultimate Reviews

Ultimate Reviews versions below 2.1.33 have an Unauthenticated PHP Object Injection vulnerability.

WordPress Theme Vulnerabilities

1. GreenMart

GreenMart versions below 2.4.3 have a Reflected Cross-Site Scripting vulnerability.

November Security Tip: Why You Need a WordPress Security Log

Logging is an essential part of your WordPress security strategy. Insufficient logging and monitoring can lead to a delay in the detection of a security breach. Most breach studies show that the time to detect a breach is over 200 days! That amount of time allows an attacker to breach other systems, modify, steal, or destroy more data. It is for those reasons that Insufficient Logging landed on the OWASP top 10 of web application security risks.

Most breach studies show that the time to detect a breach is over 200 days!Most breach studies show that the time to detect a breach is over 200 days!

WordPress security logs have several benefits in your overall security strategy.

1. Identity and stop malicious behavior.
2. Spot activity that can alert you of a breach.
3. Assess how much damage was done.
4. Aide in the repair of a hacked site.

If your site does get hacked, you will want to have the best information to aid in a quick investigation and recovery.