WP GDPR JUL 2021: Sensitive Data Disclosures JUL 2021

MANAGED WP GDPR JUL 2021 REPORT

Sensitive Data Disclosures JUL 2021

Be informed about the latest WP GDPR JUL 2021 – Sensitive Data Disclosures JUL 2021, identified and reported publicly. These Sensitive or Private Data Disclosures have a severe negative financial impact on any business. Consider our FREE GDPR AUDIT.

An estimated 807.000+ active WordPress installations are susceptible to these personal data exfiltrations, considering only the publicly available numbers. The estimated number can double with versions already closed due to security concerns.

It is a whooping 400% increase compared to December 2020. We compare last month versus previous winter holiday season, which has the biggest shopping traffic and attack spike throughout the year. Read more about our previous reports here: WP GDPR JUN 2021: Sensitive Data Disclosures JUN 2021 and WP GDPR JAN 2021: 3 Sensitive Data Disclosures JAN 2021. The following cases made headlines PUBLICLY just last month in the WP GDPR JUL 2021 category:

---

• ProfilePress – Authenticated Stored XSS
• ProfilePress – Unauthenticated Privilege Escalation
• ProfilePress – Arbitrary File Upload in Image Uploader Component
• ProfilePress – Unauthenticated Cross-Site Scripting
  • ProfilePress (formerly WP User Avatar) is a lightweight membership plugin that lets you create beautiful user profiles, member directories and frontend user registration form, login form, password reset and editing profile information. It also allows you to protect sensitive content and control user access. Active installations: 400,000+

---

• Photo Gallery – Stored XSS via Uploaded SVG in Zip
• Photo Gallery – Stored Cross-Site Scripting via Uploaded SVG
• Photo Gallery – File Upload Path Traversal
  • Photo Gallery is the leading plugin for building beautiful mobile-friendly galleries in a few minutes. Active installations: 300,000+

---

• BuddyPress Customer.io Analytics Integration – Arbitrary Plugin Settings Update via CSRF
  • This plugin has been closed as of June 26, 2018 and is not available for download. This closure is permanent. Reason: Author Request.

---

• SEO Wizard – Unauthorized robots.txt & .htaccess Edit via CSRF
  • This plugin has been closed and is no longer available for download.

---

• Haxcan – Arbitrary File Access
  • This plugin has been closed as of May 24, 2022 and is not available for download. Reason: Security Issue.

---

• WP Upload Restriction – CSRF Bypass
• WP Upload Restriction – Missing Access Control in deleteCustomType
• WP Upload Restriction – Missing Access Control in getSelectedMimeTypesByRole
  • This plugin has been closed as of July 1, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• Media File Organizer – Directory Traversal
  • This plugin has been closed as of July 23, 2020 and is not available for download. Reason: Security Issue.

---

• RSVPMaker – Authenticated SSRF
  • RSVPMaker is an event scheduling and RSVP tracking plugin for WordPress. Active installations: 600+

---

• Profile Builder – Authenticated Stored XSS
• Profile Builder – Admin Access via Password Reset Bug
  • Easy to use user profile plugin for creating front-end login, user registration and edit profile forms by using shortcodes. Active installations: 60,000+

---

• Adapta RGPD – Unauthorized Consent via CSRF
  • Adapta RGPD es una herramienta que te ayuda a crear las páginas legales en español, adaptar tu sitio web al RGPD y cumplir la ley de Cookies de una forma clara y fácil. Active installations: 30,000+

---

• Frontend File Manager – Privilege Escalation
• Frontend File Manager – Unauthenticated Content Injection and Stored XSS
• Frontend File Manager – Authenticated Arbitrary Settings Change to Arbitrary File Upload
• Frontend File Manager – Unauthenticated Arbitrary Post Deletion
• Frontend File Manager – Unauthenticated Post Meta Change to Arbitrary File Download
• Frontend File Manager – Unauthenticated HTML Injection
  • This plugin lets the wordpress site users to upload files for admin. Each file is saved in private directory so each user can download/delete their own files after login. Active installations: 2,000+

---

• RestroPress – Unauthorised AJAX Calls
• RestroPress – Cart Manipulation via CSRF
  • RestroPress is an Online Food Ordering system for WordPress. It is a standalone WordPress plugin which allows you to easily add Food Ordering System to your WordPress Website. Using RestroPress you can easily receive both PickUp/Takeaway and Delivery orders. Active installations: 3,000+

---

• HM Multiple Roles – Arbitrary Role Change
  • This HM Multiple Roles plugin provides a user interface and allows you to select multiple roles for a user. It hides the default role dropdown list and displays a list of role checkboxes for both new user and update user page. Multiple roles can be visible from the All User list page. Active installations: 400+

---

• LifterLMS – Access Other Student Grades/Answers via IDOR
  • LifterLMS is a powerful WordPress LMS plugin that makes it easy to create, sell, and protect engaging online courses and training based membership websites. LifterLMS is a complete course building and LMS solution that works with any well-coded WordPress theme, modern WordPress blocks, and all the popular WordPress page builders (like Elementor, Beaver Builder, Divi, Gutenberg, etc.). As an engaged WordPress community member, LifterLMS actively encourages and helps other great plugins integrate with LifterLMS like Affiliate WP, Monster Insights, WP Fusion, the most popular form plugins, GamiPress, Astra Pro, the Course Scheduler, and many more. You can also connect your WordPress LMS website to 1,500+ other apps via Zapier. LifterLMS is one of only 11 WordPress plugins listed in the Zapier app directory. Active installations: 10,000+

---

• Workreap – Freelance Marketplace and Directory WordPress Theme – Missing Authorization Checks in Ajax Actions
• Workreap – Freelance Marketplace and Directory WordPress Theme – Multiple CSRF + IDOR Vulnerabilities
• Workreap – Freelance Marketplace and Directory WordPress Theme – Unauthenticated Upload Leading to RCE
  • Workreap is a Freelance Marketplace WordPress theme with some exciting features and excellent code quality. It has been designed and developed after thorough research to cater the requirements of people interested in building freelance marketplace or other similar projects. The design is contemporary but at the same time it focuses on the usability, visual hierarchy and aesthetics to ensure easy navigation for the end users.

WP GDPR JUL 2021 BRIEF: Personal or Private data is information that must be protected against unauthorised access, preventing Sensitive Data Disclosures and data breaches.

---

What is Sensitive Data Disclosures JUL 2021?

The loss, misuse, modification or unauthorised access to your most sensitive data or personal data can damage your business, ruin customer trust, breach customer privacy and in extreme cases, might attract hefty fines by law regulations.

What is the impact of a WP GDPR JUL 2021?

Data privacy is becoming more and more imperative. Fines vary from country to country in Europe. In over 80 countries, personally identifiable information (PII) is protected by information privacy laws that outline limits to collecting and using PII by public and private organisations.

These laws require organisations to give clear notice to individuals about what sensitive data is collected, the reason for collecting and the planned uses of the data. In consent-based legal frameworks, like GDPR, explicit consent from the individual is required.

What kind of Sensitive Data are exploited??

Sensitive information includes all Private Data, whether original or copied, which contains:

– Personal data: as defined by The EU General Data Protection Regulation (GDPR). A series of broad laws to prevent or discourage identity theft and to guard and protect individual privacy. In general, sensitive data is any data that reveals: Racial or ethnic origin; Political opinion; Religious or philosophical beliefs; Trade union membership; Genetic data; Biometric data; Health data; Sex life or sexual orientation; Financial information (bank account numbers and credit card numbers); Classified information.

– Protected Health Information (PHI): as defined by the Health Insurance Portability and Accountability Act of 1996 (HIPAA). PHI under the law is any information about health status, provision of health care, or payment for health care that is created or collected by a Covered Entity (or a third-party associate) that can be linked to a specific individual.

– Education records: as defined by the Family Educational Rights and Privacy Act of 1974 (FERPA). FERPA governs access to educational information and records by potential employers, publicly funded educational institutions, and foreign governments.

– Customer information: as required by financial institutions to explain how they share and protect their customers’ private information.

Related Posts to MANAGED GDPR for your WP/Woo: