3 Severe Plugin Vulnerabilities Fixed in the Last 24 Hours
The following three plugins contain severe vulnerabilities that have all been fixed within the past 24 hours. Details of these vulnerabilities have been released to the public so they are likely already being exploited. If you use any of these plugins, upgrade immediately. Please share with the larger WordPress community.
- WooCommerce Store Toolkit Plugin (a plugin for WooCommerce made by Visser Labs, not the core product) version 1.5.6 contains a privilege escalation vulnerability. The vulnerability allows a registered user to delete all posts, comments, products, orders, media and more. Upgrade to version 1.5.7 immediately to fix this issue.
- WordPress User Meta Manager plugin version 3.4.6 contains an information disclosure vulnerability that allows an unprivileged user to download the user_meta table. It also contains a privilege escalation vulnerability that lets anyone upgrade themselves to admin, and a blind SQL injection vulnerability. These are fixed in 3.4.8. The fix was released within the last 24 hours. Upgrade immediately.
- The WP User Frontend plugin version 2.3.10 and older contains an unrestricted file upload vulnerability that allows anyone to upload a file to your WordPress installation. This is fixed in version 2.3.11 and newer (current version is 2.3.12). The fix was released within the past 24 hours. Upgrade immediately.
Upgrade immediately if you use any of these and please share this information with the larger WordPress community.
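One way to check a site against the three fixed versions listed above, as an added example that is not from the original post: it reads the `Version:` header from each plugin's main file and flags anything older than the fixed release. The plugin directory slugs and the sample headers are assumptions constructed for illustration, as is treating every release below the fixed one as affected.

```python
import re

# Fixed versions come from the advisory above. The directory slugs are
# assumptions (the advisory gives plugin names only).
FIXED = {
    "woocommerce-store-toolkit": "1.5.7",
    "user-meta-manager": "3.4.8",
    "wp-user-frontend": "2.3.11",
}

# Matches the "Version:" field inside a plugin header comment.
HEADER_VERSION = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.I | re.M)


def header_version(php_source):
    """Return the Version field from a plugin's header comment, or None."""
    match = HEADER_VERSION.search(php_source[:8192])  # WordPress reads the first 8 KB
    return match.group(1) if match else None


def version_key(version):
    """Turn '2.3.10' into (2, 3, 10, 0) so it sorts above '2.3.9'."""
    parts = [int(p) for p in re.findall(r"\d+", version)][:4]
    return tuple(parts + [0] * (4 - len(parts)))


def audit(plugins):
    """plugins maps slug -> source of the main plugin file."""
    report = {}
    for slug, fixed in FIXED.items():
        if slug not in plugins:
            continue  # plugin not installed
        found = header_version(plugins[slug])
        if found is None:
            report[slug] = ("unknown", None, fixed)  # inspect manually
        elif version_key(found) < version_key(fixed):
            report[slug] = ("upgrade", found, fixed)
        else:
            report[slug] = ("ok", found, fixed)
    return report


# Constructed sample headers, not copied from the real plugins.
SAMPLE = {
    "woocommerce-store-toolkit": "<?php\n/*\nPlugin Name: Store Toolkit\nVersion: 1.5.6\n*/",
    "wp-user-frontend": "<?php\n/**\n * Plugin Name: WP User Frontend\n * Version: 2.3.12\n */",
    "user-meta-manager": "<?php\n// header stripped\n",
}

if __name__ == "__main__":
    for slug, (status, found, fixed) in audit(SAMPLE).items():
        print(f"{slug}: {status} (installed {found}, fixed in {fixed})")
```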
To learn more about SQL injection vulnerabilities or file upload vulnerabilities, visit our WordPress Security Learning Center.
Comments
9:03 am
Thanks for the info, folks. You're doing a great service. I use Wordfence on all of my sites, and hope to upgrade to Premium one day.
9:25 am
Thanks guys.
I appreciate your information.
Regards
Richard
9:28 am
Thank you for raising the awareness, have advised a few people to check their plugins if they are using them.
9:37 am
Thanks for information! Much appreciated
9:54 am
Thanks!! Ever since I am a WordFence (platinum) user, I sleep confidently every night!!
10:02 am
Thanks for your very helpful updates.
Dawit
10:07 am
Thanks so much for keeping the WP community in the loop. We find your blog and product an invaluable resource where security is concerned. Regards Tony Scott (CEO Akira Studio)
10:13 am
Thank you for the info.
10:59 am
Thank you for all
12:33 pm
It's always a breath of fresh air knowing you guys (and gals) are always keeping a sharp eye out for these vulnerabilities so the rest of us can spend time where we're supposed to, tending to our business ;) I am a premium user and I know sometimes people read comments and don't know if it's just some sort of plug to sell more. Makes no difference to me what others think. I just had to let you know "I love you guys!" thanx!!!!!
1:55 pm
Thanks Duncan. Much appreciated.
1:05 pm
Thanks for the heads up. I've used the User-Meta plugin on one of my clients' websites. I'll upgrade now.
3:53 am
Thanks for the updates guys, so glad you are keeping an eye on these vulnerabilities!
10:53 am
Thanks for the heads up! Appreciate your hard work!
1:56 pm
Really appreciate what y'all do to keep WordPress sites safe. Thanks for spreading the word about these vulnerabilities.
4:50 pm
Thanks for this timely info!