Weekly Summary of WordPress Vulnerabilities June 24 to June 30 2024

WordPress Vulnerability Report: June 24, 2024, to June 30, 2024

Introduction

The purpose of this report is to provide WordPress site administrators with critical information regarding vulnerabilities discovered in the past week. Keeping abreast of these updates is vital for maintaining site integrity and protecting user data. This report covers the period from June 24, 2024, to June 30, 2024, emphasizing the importance of staying updated with security reports to safeguard websites from potential threats.

Summary of Key Vulnerabilities

Unpatched Vulnerabilities

• Auto Featured Image: Arbitrary File Upload vulnerability (CVE-2024-6054) remains unpatched.
• Anima: Stored Cross-Site Scripting vulnerability (CVE-2024-37248) remains unpatched.

Patched Vulnerabilities

• WordPress Core < 6.5.5: Authenticated Stored Cross-Site Scripting (XSS) vulnerability via HTML API.
• PayPlus Payment Gateway: Unauthenticated SQL Injection vulnerability (CVE-2024-6205), patched as of June 28, 2024.
• Several Plugins: Injected Backdoor vulnerability (CVE-2024-6297), patched across multiple plugins including Social Sharing Plugin, Contact Form 7 Multi-Step Addon, Simply Show Hooks, and more.

Vulnerabilities by Severity

• Critical: 7 vulnerabilities including PayPlus Payment Gateway and several plugins with injected backdoors.
• High: 8 vulnerabilities including WP Maps SQL Injection and WPCafe File Inclusion.
• Medium: 104 vulnerabilities.
• Low: 2 vulnerabilities.

Vulnerabilities by CWE Type

• Cross-Site Scripting (XSS): 66 vulnerabilities.
• Missing Authorization: 16 vulnerabilities.
• Cross-Site Request Forgery (CSRF): 15 vulnerabilities.
• SQL Injection: 4 vulnerabilities.
• Path Traversal: 3 vulnerabilities.

Impact of Vulnerabilities

These vulnerabilities can severely affect WordPress sites, leading to data breaches, site defacement, malware infections, and loss of user trust. For example, SQL Injection vulnerabilities can allow attackers to execute arbitrary SQL commands, potentially leading to unauthorized data access and modification. XSS vulnerabilities can enable attackers to inject malicious scripts into web pages viewed by other users, compromising their data and potentially spreading malware.

Real-World Scenarios

1. SQL Injection in PayPlus Payment Gateway: This could allow attackers to manipulate database queries, leading to unauthorized access to sensitive payment information.
2. XSS in WordPress Core: Attackers could use this vulnerability to inject malicious scripts, potentially compromising admin accounts and spreading malware.

Mitigation and Recommendations

Updating Plugins and Themes

1. Regular Updates: Ensure all plugins, themes, and WordPress core are updated to the latest versions. This includes enabling automatic updates where possible.
2. Review Change Logs: Always review plugin and theme changelogs for any security-related updates.

Implementing Security Measures

1. Two-Factor Authentication (2FA): Implement 2FA for all admin accounts to add an extra layer of security.
2. Regular Backups: Schedule regular backups of your site to ensure data can be restored in case of an attack.
3. Security Plugins: Use security plugins to scan for vulnerabilities and protect against common threats.

Monitoring Site Activity

1. Log Monitoring: Regularly monitor server and application logs for suspicious activity.
2. User Activity Tracking: Use plugins to track user activity on your site to detect unauthorized changes.

In-Depth Analysis of Specific Vulnerabilities

PayPlus Payment Gateway SQL Injection

• Severity: Critical (10.0 CVSS score)
• Mechanics: This vulnerability allows unauthenticated users to inject malicious SQL commands.
• Impact: Can lead to complete database compromise, unauthorized data access, and potential data corruption.
• Mitigation: Apply the available patch immediately and review database logs for any signs of exploitation.

WordPress Core XSS via HTML API

• Severity: High
• Mechanics: Authenticated users can inject malicious scripts that are stored and executed in the browser of anyone viewing the affected page.
• Impact: Can lead to session hijacking, defacement, and spread of malware.
• Mitigation: Update to the latest WordPress core version and implement a Web Application Firewall (WAF) to block malicious scripts.

Historical Comparison

Comparing this week's report to previous weeks, there is a noticeable increase in medium-severity vulnerabilities. This could indicate a trend where more vulnerabilities are being discovered and patched before reaching critical severity levels. Additionally, the performance of specific plugins such as PayPlus Payment Gateway and Newspack Blocks has shown improvement due to recent patches.

Conclusion

Staying updated with the latest vulnerability reports is crucial for maintaining the security and integrity of WordPress sites. Implementing recommended security practices and promptly applying patches can significantly reduce the risk of exploitation. For detailed vulnerability data and real-time updates, consider utilizing tools like the WP-Firewall vulnerability database and subscribing to security mailing lists. By staying vigilant and proactive, site administrators can protect their sites and user data from emerging threats.

Appendix – Full list of WordPress Vulnerability