28 Unrestricted Access MAR 2021
Managed WordPress Security Report
Be informed about the latest Unrestricted Access MAR 2021 – WP Security Circumvention issues, identified and reported publicly. These breaches create further problems and opportunities for vulnerability exploitation, with a severe negative impact on any WordPress Security setup. Consider our FREE security AUDIT.
An estimated 3,061,000+ active WordPress installations are susceptible to these attack types, counting only the publicly available numbers. The estimate can double once premium versions are included, as those are private purchases.
Furthermore, the initial estimate can multiply if we include versions that have been patched BUT NOT UPDATED by their owners, since the vulnerability remains active on their domains. As these owners change hosting provider (often because of constant unexplained issues), they actively migrate these vulnerabilities behind protected areas, possibly exposing other clean WordPress installations to different attack types.
This is a 459% increase compared to December 2020; we compare last month against the previous winter holiday season, which carries the largest shopping traffic and attack spike of the year. Read our previous reports here: 18 Unrestricted Access FEB 2021 – WP Security Circumvention and 5 Unrestricted Access Issues – WordPress Security DEC. The following cases made headlines PUBLICLY just last month in the SQL Injections MAR 2021 category:
- Conversion Focused WordPress Plugins – Unauthenticated Option Update
- Conversion Focused WordPress Themes – Unauthenticated Option Update
  - Themes & plugins, built from the ground up to make your entire website convert more of your visitors into subscribers, customers & clients! Active installations: not public information
- BuddyPress < 7.2.1 - Force a Friendship
- BuddyPress < 7.2.1 - Invite Member to Join Group
- BuddyPress < 7.2.1 - Manage BuddyPress Member Types
- BuddyPress < 7.2.1 - Read Private Messages
- BuddyPress < 7.2.1 - REST API Privilege Escalation
  - Are you looking for modern, robust, and sophisticated social network software? BuddyPress is a suite of components that are common to a typical social network, and allows for great add-on features through WordPress’s extensive plugin system. Active installations: 200,000+
- Controlled Admin Access < 1.5.2 - Improper Access Control & Privilege Escalation
- Controlled Admin Access < 1.5.6 - Improper Access Control to Privilege Escalation
  - Give temporary, limited admin access to theme designers, plugin developers and support agents. The plugin is simple and clean: it helps the administrator create a user with temporary access and choose which pages in the admin area the user should not be allowed to access. Send the details to the user and, when they have finished their task, you can easily deactivate the account and activate it again later. Active installations: 8,000+
- Cooked Pro < 1.7.5.6 - Unauthenticated Reflected Cross Site Scripting (XSS)
  - Cooked is the absolute best way to create & display recipes with WordPress. SEO optimized (rich snippets), galleries, cooking timers, printable recipes and much more. Active installations: 8,000+
- Easy Form Builder <= 1.0 - Authenticated Arbitrary File Upload
  - No known fix – plugin closed
- Facebook for WordPress < 3.0.0 - PHP Object Injection with POP Chain
  - This plugin installs a Facebook Pixel on your page so you can capture the actions people take when they interact with it, such as Lead, ViewContent, AddToCart, InitiateCheckout and Purchase events. Active installations: 500,000+
- Five Star Restaurant Menu – WordPress Ordering Plugin < 2.2.1 - Unauthenticated PHP Object Injection
  - Easily and quickly create a stylish, responsive restaurant menu for your site, and set up a restaurant menu ordering system within minutes. With the easy-to-use menu builder and the included layout and customization options, you’ll have your menu set up in no time. Active installations: 10,000+