Weekly WordPress Vulnerability Report for June 17 to June 23 2024

Weekly WordPress Vulnerabilities Report

Introduction

Welcome to the WP-Firewall weekly vulnerability report, dedicated to keeping WordPress site administrators informed and secure. This report covers the period from June 17, 2024, to June 23, 2024, highlighting the latest security vulnerabilities in WordPress plugins and themes. Staying updated with these reports is crucial for maintaining the integrity of your website and protecting user data from potential threats.

WordPress is one of the most popular content management systems globally, powering millions of websites. However, this popularity makes it a prime target for hackers and cybercriminals. By understanding and addressing the vulnerabilities discovered each week, you can ensure that your site remains safe from malicious attacks.

Summary of Key Vulnerabilities

During this period, 185 vulnerabilities were disclosed across 137 WordPress plugins and 14 WordPress themes. Among these, 103 vulnerabilities have been patched, while 82 remain unpatched. The vulnerabilities are categorized by their severity levels:

• Critical: 17 vulnerabilities
• High: 24 vulnerabilities
• Medium: 144 vulnerabilities

Notable Vulnerabilities

1. InstaWP Connect <= 0.1.0.38Severity: Critical (10.0)
   CVE-ID: CVE-2024-37228
   Type: Unauthenticated Arbitrary File Upload
   Patch Status: Patched
2. WishList Member X <= 3.25.1Severity: Critical (10.0)
   CVE-ID: CVE-2024-37112
   Type: Unauthenticated Arbitrary SQL Execution
   Patch Status: Unpatched
3. WP Hotel Booking <= 2.1.0Severity: Critical (10.0)
   CVE-ID: CVE-2024-3605
   Type: Unauthenticated SQL Injection
   Patch Status: Unpatched
4. Consulting Elementor Widgets <= 1.3.0Severity: Critical (9.9)
   CVE-ID: CVE-2024-37090
   Type: Authenticated (Contributor+) SQL Injection
   Patch Status: Patched
5. Image Optimizer, Resizer and CDN – Sirv <= 7.2.6Severity: Critical (9.9)
   CVE-ID: CVE-2024-5853
   Type: Authenticated (Contributor+) Arbitrary File Upload
   Patch Status: Patched

Detailed Analysis of Notable Vulnerabilities

InstaWP Connect (<= 0.1.0.38) – Arbitrary File Upload

• Severity: Critical (10.0)
• CVE-ID: CVE-2024-37228
• Patch Status: Patched

Description: This vulnerability allows unauthenticated users to upload arbitrary files to the server. This could include malicious scripts that, once uploaded, can be executed to take control of the site.

Technical Breakdown: Attackers exploit this vulnerability by sending a specially crafted request to the server, which bypasses authentication checks and allows file uploads. Once the malicious file is uploaded, it can be executed to perform various malicious activities such as injecting malware, defacing the site, or stealing sensitive information.

Impact: If exploited, this vulnerability can lead to complete site takeover. Attackers can gain administrative access, manipulate site content, steal user data, and deploy additional malware.

Mitigation: To mitigate this risk, it is crucial to update the InstaWP Connect plugin to the latest version where the vulnerability has been patched. Additionally, implementing a robust security plugin that scans for and blocks suspicious file uploads can provide an added layer of protection.

WishList Member X (<= 3.25.1) – SQL Execution

• Severity: Critical (10.0)
• CVE-ID: CVE-2024-37112
• Patch Status: Unpatched

Description: This vulnerability allows unauthenticated users to execute arbitrary SQL commands on the database. This can be used to retrieve, modify, or delete data, and in some cases, gain administrative access.

Technical Breakdown: SQL injection vulnerabilities occur when user input is not properly sanitized, allowing attackers to manipulate SQL queries. By injecting malicious SQL code, attackers can alter the query execution process, gaining unauthorized access to data and performing operations that compromise the database integrity.

Impact: The exploitation of this vulnerability can lead to data breaches, loss of data integrity, and unauthorized access to sensitive information. Attackers can manipulate user data, steal credentials, and potentially gain full control over the site.

Mitigation: Until a patch is released, administrators should consider disabling the WishList Member X plugin or employing a web application firewall (WAF) to block malicious SQL queries. Regular monitoring of database activity for unusual behavior is also recommended.

Impact of Vulnerabilities

These vulnerabilities pose significant risks to WordPress sites, including:

• Data Breaches: Unauthorized access to sensitive data can lead to severe breaches, compromising user information.
• Site Defacement: Attackers can alter site content, damaging credibility and user trust.
• Malware Infections: Vulnerabilities can be exploited to inject malware, potentially spreading to users and other sites.

Real-World Examples

1. InstaWP Connect File Upload Exploit: A critical flaw allowed unauthenticated users to upload arbitrary files, which could lead to a full site takeover. This vulnerability, if unpatched, could result in the site being used to distribute malware.
2. WishList Member SQL Injection: This vulnerability enabled attackers to execute arbitrary SQL commands, risking the exposure of user data and the potential to alter database records.

Mitigation and Recommendations

To mitigate these vulnerabilities, WordPress site administrators should:

1. Regularly Update Plugins and Themes: Ensure all plugins and themes are updated to the latest versions. Patched vulnerabilities are often included in updates.
2. Implement Security Plugins: Utilize security plugins to monitor site activity and provide additional layers of protection.
3. Backup Regularly: Maintain regular backups of your site to quickly restore it in case of an attack.
4. Enable Two-Factor Authentication: Strengthen login security by enabling two-factor authentication (2FA) for all user accounts.

Step-by-Step Guide

1. Update Plugins/Themes:Navigate to the WordPress dashboard.
   Go to Updates.
   Select and update all plugins and themes.
2. Install Security Plugins:Search for and install reputable security plugins like WP-Firewall.
   Configure settings for optimal protection.
3. Setup Regular Backups:Choose a reliable backup plugin.
   Schedule regular backups and store them in a secure location.
4. Enable 2FA:Install a two-factor authentication plugin.
   Follow the setup instructions to enable 2FA for all user accounts.

In-Depth Analysis of Specific Vulnerabilities

InstaWP Connect (<= 0.1.0.38) – Arbitrary File Upload

• Severity: Critical
• Mechanics: This vulnerability allows unauthenticated users to upload arbitrary files to the server, potentially executing malicious code.
• Impact: Exploiting this can lead to full site control by attackers.
• Technical Breakdown: Attackers can exploit this vulnerability by sending a crafted request to the server, bypassing authentication mechanisms and gaining access to upload and execute arbitrary files. This could lead to a full compromise of the site's integrity and availability.

WishList Member X (<= 3.25.1) – SQL Execution

• Severity: Critical
• Mechanics: This flaw enables unauthenticated users to execute arbitrary SQL queries, exposing and modifying database content.
• Impact: Compromises data integrity and confidentiality.
• Technical Breakdown: Through SQL injection, attackers can manipulate queries made to the database. This can allow them to retrieve sensitive information, alter or delete data, and execute administrative operations, potentially leading to a complete site compromise.

Historical Comparison

Comparing this week's data with previous reports reveals:

• An increase in medium-severity vulnerabilities, indicating a trend towards less severe but still significant threats.
• Consistent discovery of critical vulnerabilities in widely used plugins, underscoring the need for constant vigilance.
• A notable pattern of SQL injection and arbitrary file upload vulnerabilities, highlighting common attack vectors that need robust defenses.

Importance of Staying Informed

The frequency and severity of vulnerabilities discovered underscore the importance of staying informed and proactive. Regularly updating your knowledge on the latest threats and implementing recommended security practices can significantly enhance your site's defenses.

Future Trends and Predictions

Based on current trends, it is likely that:

• The number of medium-severity vulnerabilities will continue to rise, as attackers find new ways to exploit less critical flaws.
• Developers will increasingly focus on securing plugins and themes against common vulnerabilities like SQL injection and arbitrary file uploads.
• Security tools and plugins will evolve to provide more comprehensive protection, integrating advanced threat detection and response capabilities.

Conclusion

Staying informed about the latest vulnerabilities is crucial for WordPress site administrators. Regular updates, security practices, and awareness can significantly reduce the risk of exploitation. Sign up for the WP-Firewall free plan to receive weekly reports and real-time notifications, ensuring your site remains secure.

For detailed information and updates, visit blog on WP-Firewall.

Appendix – Reported Vulnerability WordPress List in week 4 of Jun 2024.