The WordPress Vulnerability report is as follows.
WordPress Themes Vulnerabilities
1. Divi WordPress Theme Vulnerability
- Critical vulnerability discovered in Elegant Themes Divi and Extra Themes as well as in the Divi Builder WordPress plugin.
- The Divi Builder Plugin is a standalone plugin that allows a user to use the Divi builder functionality on any third party theme.
What the Elegant Themes Vulnerability Is
- The Elegant Themes exploit takes advantage of a vulnerability in a Divi feature that allows a user with publishing or editing privileges to upload malicious files.
- An attacker first needs to compromise a registered user with those privilege levels in order to launch the attack.
WordPress Plugin Vulnerabilities
Several new WordPress plugin vulnerabilities have been discovered this month so far. Make sure to follow the suggested action for each plugin below: update it, or uninstall it completely.
1. wpDiscuz WordPress plugin: critical vulnerability found and patched
- As Wordfence researchers discovered, the vulnerability was introduced in a recent update, specifically in the release immediately before the fixed wpDiscuz plugin version (7.0.5).
- This is far from the first time a critical WordPress vulnerability has been uncovered.
- wpDiscuz is used to allow an interactive comments section on websites created and maintained with WordPress.
2. Critical Security Vulnerability Existed in wpDiscuz WordPress Plugin
- ACF to REST API versions below 3.3.0 have an Unauthenticated Arbitrary wp_options Disclosure vulnerability.
- The vulnerability is patched, and you should update to version 3.3.0.
3. Newsletter WordPress Plugin Opens Door to Site Takeover
- The Newsletter plugin offers site admins a visual editor that can be used to create newsletters and email campaigns from within WordPress.
- According to Wordfence, the issues are a reflected cross-site scripting (XSS) vulnerability and a PHP object-injection vulnerability, both of which can be rectified by updating to the latest version of Newsletter, v.6.8.2.
4. Facebook plugin bug lets hackers hijack WordPress sites’ chat
- A high severity bug found in Facebook’s official chat plugin for WordPress websites with over 80,000 active installations could allow attackers to intercept messages sent by visitors to the vulnerable sites’ owner.
- The Facebook Chat Plugin allows WordPress website owners to embed a chat pop-up to communicate with visitors in real-time through Facebook’s messaging platform for Facebook Pages.
5. The Official Facebook Chat Plugin for WordPress Was Vulnerable to Takeover
- Facebook’s official chat plugin for WordPress, which is installed on more than 80,000 websites, could make it possible for malicious actors to engage in social engineering. The discovered flaw was given a CVSS score of 7.4 and was found on June 26, 2020.
6. Newsletter Plug-in Vulnerability in WordPress Lets Hackers Set Backdoors
- These can be exploited by hackers to create backdoors and make rogue admin accounts for later use. Though the patch is available, at least 150k sites are still vulnerable because they have not been updated.
It is crucial to the security of your WordPress site that you have an update routine.
You should be logging into your sites at least once a week to perform updates.