WP GDPR AUG 2021: Covert Sensitive Data Disclosures AUG 2021

MANAGED WP GDPR AUG 2021 REPORT

Sensitive Data Disclosures AUG 2021

Be informed about the latest WP GDPR AUG 2021 – Sensitive Data Disclosures AUG 2021, identified and reported publicly. These Sensitive or Private Data Disclosures have a severe negative financial impact on any business. Consider our FREE GDPR AUDIT.

An estimated 626.000+ active WordPress installations are susceptible to these personal data exfiltrations, considering only the publicly available numbers. The estimated number can double with versions already closed due to security concerns.

It is a whooping 500% increase compared to December 2020. We compare last month versus previous winter holiday season, which has the biggest shopping traffic and attack spike throughout the year. Read more about our previous reports here: WP GDPR JUL 2021: Sensitive Data Disclosures JUL 2021 and WP GDPR JAN 2021: 3 Sensitive Data Disclosures JAN 2021. The following cases made headlines PUBLICLY just last month in the WP GDPR AUG 2021 category:

---

• Image Export – Directory Traversal
  • This plugin has been closed and is no longer available for download.

---

• User Rights Access Manager – Access Restriction Bypass
  • This plugin has been closed as of July 19, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• Simple eCommerce – Arbitrary File Upload
  • This plugin has been closed as of June 21, 2022 and is not available for download. Reason: Security Issue.

---

• Shopp eCommerce – Unauthenticated Arbitrary File Upload
  • This plugin has been closed as of June 29, 2022 and is not available for download. Reason: Security Issue.

---

• Fileviewer – Arbitrary File Upload/Deletion via CSRF
  • This plugin has been closed as of June 28, 2022 and is not available for download. Reason: Security Issue.

---

• Email Artillery – Multiple Authenticated SQL Injections
• Email Artillery – Multiple Reflected Cross-Site Scripting
• Email Artillery – CSRF to Stored XSS
• Email Artillery – Arbitrary File Upload
• Email Artillery – Multiple Authenticated SQL Injections
  • This plugin has been closed as of June 28, 2022 and is not available for download. Reason: Security Issue.

---

• WP Cerber Security, Anti-spam & Malware Scan – Rest-API Protection Bypass
• WP Cerber Security, Anti-spam & Malware Scan – 2FA Authentication Bypass
  • Defends WordPress against hacker attacks, spam, trojans, and malware. Mitigates brute-force attacks by limiting the number of login attempts through the login form, XML-RPC / REST API requests, or using auth cookies. Tracks user and bad actors activity with flexible email, mobile and desktop notifications. Stops spammers by using a specialized anti-spam engine. Uses Google reCAPTCHA to protect registration, contact, and comments forms. Restricts access with IP Access Lists. Monitors the website integrity with an advanced malware scanner and integrity checker. Reinforces the security of WordPress with a set of flexible security rules and sophisticated security algorithms. Active installations: 200,000+

---

• BuddyPress – Activation Key Disclosure
• BuddyPress – SQL Injections
  • Are you looking for modern, robust, and sophisticated social network software? BuddyPress is a suite of components that are common to a typical social network, and allows for great add-on features through WordPress’s extensive plugin system. Active installations: 200,000+

---

• WordPress Download Manager – Authenticated Directory Traversal
• WordPress Download Manager – Authenticated File Upload
• WordPress Download Manager – Email Template Setting Update via CSRF
  • WordPress Download Manager is a Files / Documents Management Plugin to manage, track and control file downloads from your WordPress Site. Use Passwords, User Roles to control access to your files, control downloads by speed or by putting a limit on download count per user, block bots or unwanted users or spammers using Captcha Lock or IP Block feature, you may also ask users to agree with your terms and conditions before they download. Active installations: 100,000+

---

• Bold Page Builder – PHP Object Injection
  • Bold Page Builder for WordPress is 100% free – there is no premium version and you can use it freely in your commercial and noncommercial projects. Even in your Premium WordPress themes. Active installations: 50,000+

---

• HM Multiple Roles – Arbitrary Role Change
  • This HM Multiple Roles plugin provides a user interface and allows you to select multiple roles for a user. It hides the default role dropdown list and displays a list of role checkboxes for both new user and update user page. Multiple roles can be visible from the All User list page. Active installations: 500+

---

• Welcart e-Commerce – Unauthenticated Information Disclosure
• Welcart e-Commerce – Authenticated System Information Disclosure
  • Welcart is a free e-commerce plugin for WordPress with top market share in Japan. Welcart comes with many features and customizations for making an online store. You can easily create your own original online store. Active installations: 20,000+

---

• Post Grid, Post Carousel, & List Category Posts – by Smart Post Show – Unauthorised AJAX Calls
  • Smart Post Show (formerly Post Carousel) allows you to filter and display posts, pages, taxonomy (categories, tags, & post formats) in the beautiful carousel and grid layout easily without coding! The plugin helps you to create a beautiful post carousel or post grid in minutes for making your WordPress site content stand out and keep visitors engaged. Active installations: 10,000+

---

• Stop User Enumeration – REST API Bypass
  • Stop User Enumeration is a security plugin designed to detect and prevent hackers scanning your site for user names. User Enumeration is a type of attack where nefarious parties can probe your website to discover your login name. This is often a pre-cursor to brute-force password attacks. Stop User Enumeration helps block this initial attack and allows you to log IPs launching these attacks to block further attacks in the future. Active installations: 30,000+

---

• Visual Link Preview – Unauthorised AJAX Calls
  • Easily create a Facebook-like link preview for any link on your website. You can choose the image and text to display and create your very own custom template. The default template can be styled from the settings to match your website. Active installations: 9,000+

---

• WP Learn Manager – Unauthenticated Stored Cross-Site Scripting (XSS)
• WP Learn Manager – Unauthenticated Arbitrary User Field Edition/Creation
  • WP Learn Manager is extensive, featured rich and comprehensive learning management system for WordPress. WP Learn Manager comes with a lots of features like course list, course search with many filters, create course, create lectures, Add Quizzes, take lectures, enrollment, shortlist courses, Messaging, Social logins, Social sharing, Awards and many more. Active installations: 80+

---

• SP Project & Document Manager – Authenticated Shell Upload
• SP Project & Document Manager – Reflected Cross-Site Scripting
  • Project & Document management plugin, Remote file sharing, maintain and control unlimited number of documents, records, files, media, videos and images. You can create unlimited folders and sub folders to share, organize, manage client, student & supplier documents and accounts, control individual documents, and select specific file sharing of documents all in an easy to manage online process. Active installations: 3,000+

---

• Listing, Classified Ads & Business Directory – uListing – Unauthenticated SQL Injection
• Listing, Classified Ads & Business Directory – uListing – Authenticated IDOR
• Listing, Classified Ads & Business Directory – uListing – Authenticated Reflected XSS
• Listing, Classified Ads & Business Directory – uListing – Multiple CSRF
• Listing, Classified Ads & Business Directory – uListing – Modify User Roles via CSRF
• Listing, Classified Ads & Business Directory – uListing – Settings Update via CSRF
• Listing, Classified Ads & Business Directory – uListing – Unauthenticated Privilege Escalation
  • Developing listing and classified ads websites is a lucrative business opportunity, but in the past, it could be complicated to set up and maintain such a site. Doing it through WordPress previously meant investing quite a bit of money on a multitude of plugins that could be difficult to understand and to run together. Active installations: 3,000+

WP GDPR AUG 2021 BRIEF: Personal or Private data is information that must be protected against unauthorised access, preventing Sensitive Data Disclosures and data breaches.

---

What is Sensitive Data Disclosures AUG 2021?

The loss, misuse, modification or unauthorised access to your most sensitive data or personal data can damage your business, ruin customer trust, breach customer privacy and in extreme cases, might attract hefty fines by law regulations.

What is the impact of a WP GDPR AUG 2021?

Data privacy is becoming more and more imperative. Fines vary from country to country in Europe. In over 80 countries, personally identifiable information (PII) is protected by information privacy laws that outline limits to collecting and using PII by public and private organisations.

These laws require organisations to give clear notice to individuals about what sensitive data is collected, the reason for collecting and the planned uses of the data. In consent-based legal frameworks, like GDPR, explicit consent from the individual is required.

What kind of Sensitive Data are exploited??

Sensitive information includes all Private Data, whether original or copied, which contains:

– Personal data: as defined by The EU General Data Protection Regulation (GDPR). A series of broad laws to prevent or discourage identity theft and to guard and protect individual privacy. In general, sensitive data is any data that reveals: Racial or ethnic origin; Political opinion; Religious or philosophical beliefs; Trade union membership; Genetic data; Biometric data; Health data; Sex life or sexual orientation; Financial information (bank account numbers and credit card numbers); Classified information.

– Protected Health Information (PHI): as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). PHI under the law is any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity (or a third-party associate) that can be linked to a specific individual.

– Education records: as defined by the Family Educational Rights and Privacy Act of 1974 (FERPA). FERPA governs access to educational information and records by potential employers, publicly funded educational institutions, and foreign governments.

– Customer information: as required by financial institutions to explain how they share and protect their customers’ private information.

MANAGED GDPR for your WP/Woo: Sensitive Data Disclosures AUG 2021 Related Posts