Unrestricted Access MAY 2021
Managed WordPress Security Report
Stay informed about the latest Unrestricted Access MAY 2021 - WP Security Circumvention issues, identified and reported publicly. These vulnerabilities create further problems and exploitation opportunities, with a severe negative impact on the security of any WordPress site. Consider our FREE security AUDIT.
An estimated 4,499,000+ active WordPress installations are susceptible to these attack types, counting only the publicly available installation numbers. The estimate could double if premium versions were included, since those are private purchases with no public figures.
Furthermore, the initial estimate can multiply if we also count installations where a patched version exists BUT the owner has NOT UPDATED, since the vulnerability remains active on their domain. As these owners change hosting provider (due to constant unexplained issues), they carry these vulnerabilities with them into protected areas, possibly exposing otherwise clean WordPress sites to different attack types.
This is a 400% increase compared to December 2020. We compare last month against the previous winter holiday season, which brings the biggest shopping traffic and attack spike of the year. Read more in our previous reports: 35 Unrestricted Access APR 2021 – WP Security Circumvention and 5 Unrestricted Access Issues – WordPress Security DEC. The following cases made headlines PUBLICLY just last month in the Unrestricted Access MAY 2021 – WP Security Circumvention category:
- visitors-app <= 0.3 - Unauthenticated Stored Cross-Site Scripting (XSS)
  - This plugin has been closed as of May 26, 2022 and is not available for download. This closure is temporary, pending a full review.
- All in One SEO – Best WordPress SEO Plugin – Easily Improve Your SEO Rankings < 4.1.0.2 - Admin RCE via unserialize
  - All in One SEO for WordPress is the original WordPress SEO plugin, started in 2007. Over 2 million website owners use AIOSEO to properly set up WordPress SEO so their websites can rank higher in search engines. Active installations: 2+ million
- CM Registration Pro < 3.2.1 - PHP Object Injection
  - Add a user registration and login pop-up box to any page with this WordPress login plugin. This user registration plugin gives you user invitation codes, social login, email verification, custom registration forms, a forgot-password option, custom fields, front-end user profile builders and more. Active installations: Not public info
- External Media < 1.0.34 - Authenticated Arbitrary File Upload
  - Import files from, or create external links to, third-party services in the WordPress Media Library (Dropbox, Box, OneDrive, Google Drive and any other external file from a URL). Active installations: 8,000+
- gallery-from-files <= 1.6.0 - Unauthenticated RCE
  - This plugin has been closed as of May 24, 2022 and is not available for download. This closure is temporary, pending a full review.
- leads5050-visitor-insights < 1.0.4 - Unauthenticated License Change
- leads5050-visitor-insights < 1.1.0 - Unauthorised License Change
  - Leads5050 allows you to monitor visits to your website and turn anonymous visits into potential new business opportunities. This plugin lets you easily add the Leads5050 tracking code and immediately identify the origin of visits, whether from a search engine, social media or an external source, directly from your WordPress dashboard. It allows you to identify leads, prospects, existing customers and competitors that visit the site. Active installations: 10+
- Multivendor Marketplace Solution for WooCommerce – WC Marketplace < 3.7.4 - Unauthenticated Arbitrary Product Comment
  - Afraid of launching an online marketplace? Well, worry no more: WC Marketplace provides you with the best marketplace software you can get to kickstart your own virtual eCommerce marketplace. This free WordPress plugin equips you with the features needed to create any marketplace of your choice. So, create a website like Amazon, Etsy or Airbnb without any worries. Active installations: 10,000+