The Cyber Security Agency of Singapore has raised an alarm about the existence of critical vulnerabilities in numerous WordPress plugins, accentuating the need for immediate action from users. These vulnerabilities are classified as critical and could open up websites to unauthorized access and exploitation by malicious entities.
In response to these alarming findings, security updates have been swiftly rolled out to address the identified vulnerabilities in multiple WordPress plugins. SingCERT, the Singapore Computer Emergency Response Team, has specifically highlighted 9 critical vulnerabilities in various WordPress plugins and has shared mitigation strategies to help users protect their websites from potential threats.
SingCERT has pinpointed several WordPress vulnerabilities that pose significant risks to website security. These vulnerabilities range from allowing arbitrary file uploads to enabling SQL injection attacks. The highlighted vulnerabilities in popular WordPress plugins include the following:
1. WordPress Copymatic: This vulnerability, identified as CVE-2024-31351, allows unauthenticated attackers to upload arbitrary files to a website, potentially compromising its integrity. The severity of this vulnerability is underscored by its maximum CVSSv3.1 score of 10 out of 10, affecting plugin versions before 1.7.
2. Pie Register: The vulnerability, known as CVE-2024-4544, permits authentication bypass, potentially granting unauthorized access to user accounts. Versions of the plugin before 1.7.8 are affected, with a CVSSv3.1 score of 9.8 out of 10.
3. Hash Form Drag & Drop Form Builder: This vulnerability, designated as CVE-2024-5084, allows unauthenticated attackers to upload arbitrary files, leading to remote code execution on compromised sites. The severity of this vulnerability, rated at 9.8 out of 10, impacts versions of the plugin before 1.1.1.
4. Country State City Dropdown CF7 Plugin: The vulnerability (CVE-2024-3495) associated with this plugin enables SQL injection, potentially jeopardizing sensitive data stored in the website’s database. Versions before 2.7.3 are affected, with a severity rating of 9.8 out of 10.
5. WPZOOM Addons for Elementor (Templates, Widgets): This vulnerability (CVE-2024-5147) allows unauthenticated attackers to upload and execute arbitrary files on the server, posing a severe threat to website security. Versions before 1.1.38 are vulnerable, with a CVSSv3.1 score of 9.8 out of 10.
6. Business Directory Plugin: Vulnerable to SQL injection (CVE-2024-4443), this plugin exposes sensitive information in the website’s database to unauthenticated attackers. Versions before 6.4.3 are at risk, with a CVSSv3.1 score of 9.8 out of 10.
7. UserPro Plugin: This vulnerability (CVE-2024-35700) facilitates privilege escalation, potentially granting attackers full control of the affected website. Versions before 5.1.9 are affected, with a CVSSv3.1 score of 9.8 out of 10.
8. Fluent Forms Contact Form Plugin: Vulnerable versions of this plugin (CVE-2024-2771) permit privilege escalation, posing significant risks to website security. Versions before 5.1.17 are affected, with a severity rating of 9.8 out of 10. Additionally, this vulnerability is actively exploited.
9. Web Directory Free Plugin: This vulnerability (CVE-2024-3552) enables unauthenticated attackers to interact directly with the website’s database through SQL injection, potentially leading to data theft. Versions before 1.7.0 are affected, with a CVSSv3.1 score of 9.3 out of 10.
To mitigate these vulnerabilities, users and administrators utilizing the affected versions of these WordPress plugins are strongly urged to update to the latest versions immediately. By doing so, users can effectively address these vulnerabilities and secure their websites against potential exploitation. Additionally, users can refer to the respective plugin documentation and updates provided by developers for further guidance on mitigation strategies. Employing security measures like virtual patching can provide interim protection while awaiting official updates.
Safeguarding the security of WordPress websites necessitates proactive measures, including staying informed about security vulnerabilities and promptly implementing necessary updates. By taking proactive steps and addressing security concerns in a timely manner, website owners can bolster the protection of their online assets against potential threats.