Nine WordPress Plugins Expose Over 1.3 Million Sites To Exploits

By Katharine Fleischmann
February 23, 2022

The United States Government Vulnerability Database and WordPress security researchers have published alerts on WordPress plugin vulnerabilities. The nine most popular of those plugins affect over 1.3 million websites.

Weaknesses in Nine WordPress Plugins

While many other plugins were found to be weak, the nine most popular plugins affected over 1.3 million websites. Weaknesses are rated

The following is a list of nine vulnerable plugins:

  1. Header Footer Code Manager 300,000+ installations
  2. Ad Inserter – Ad Manager and AdSense Ads 200,000+ installations
  3. Popup Builder WordPress plugin 200,000+ installations
  4. Anti-Malware Security and Brute-Force Firewall 200,000+ installations
  5. WP Content Copy Protection & No Right Click 100,000+ installations
  6. Database Backup for WordPress 100,000+ installations
  7. GiveWP – Donation Plugin and Fundraising Platform 100,000+ installations
  8. Download Manager 100,000+ installations
  9. Advanced Database Cleaner WordPress plugin 80,000+ installations

Header Footer Code Manager WordPress Plugin

Wordfence security researchers discovered that the Header Footer Code Manager WordPress plugin has a Reflected Cross-Site Scripting vulnerability.

Exploiting the vulnerability requires the hacker to trick an administrator into clicking on a link or performing some other action, which can lead to an entire site takeover.

The researchers noted that because this plugin is used to add code to websites, it affects a sensitive area of WordPress sites, and the possible malicious actions range from adding backdoors to attacks on site visitors.

Wordfence recommends that publishers update their installations to at least version 1.1.17.

Ad Inserter – Ad Manager and AdSense Ads (Free and Pro Versions)

WPScan reported that Ad Inserter – Ad Manager and AdSense Ads also has vulnerabilities that could lead to a Reflected Cross-Site Scripting exploit.

Publishers are advised to update to at least version 2.7.10.

Popup Builder WordPress Plugin

This plugin contains a vulnerability that could be exploited through SQL injection.

According to the National Vulnerability Database:

“The Popup Builder WordPress plugin prior to 4.0.7 does not validate and properly escape orderby and order parameters before using them in an SQL statement in the admin dashboard, which can allow high-privileged users to perform SQL injection”

Publishers are recommended to update to at least version 4.0.7 of the WordPress plugin.
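The class of fix the NVD description points to, as an added example that is not the plugin's own code: sort parameters cannot be bound as SQL placeholders, so they are mapped onto a fixed allowlist before reaching the statement. Python with sqlite3 stands in for the plugin's PHP; the table, column names and function names are hypothetical.

```python
import sqlite3

# Hypothetical list-table columns: the only identifiers ever placed in ORDER BY.
SORTABLE_COLUMNS = {"id", "title", "created"}
DIRECTIONS = {"asc", "desc"}


def order_clause(orderby, order):
    """Map the orderby/order request parameters onto fixed SQL fragments.

    Anything outside the allowlists falls back to the default sort.
    """
    column = orderby if orderby in SORTABLE_COLUMNS else "id"
    direction = str(order).lower()
    if direction not in DIRECTIONS:
        direction = "asc"
    return f"ORDER BY {column} {direction.upper()}"


def list_popups(conn, orderby="id", order="asc", status="published"):
    # Values are bound with placeholders; identifiers cannot be bound,
    # which is why the allowlist above is needed.
    sql = ("SELECT id, title FROM popups WHERE status = ? "
           + order_clause(orderby, order))
    return conn.execute(sql, (status,)).fetchall()


def demo_db():
    """Constructed in-memory table standing in for the plugin's data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE popups (id INTEGER, title TEXT, created TEXT, status TEXT)")
    conn.executemany("INSERT INTO popups VALUES (?, ?, ?, ?)", [
        (1, "Welcome", "2022-01-03", "published"),
        (2, "Cookie notice", "2022-01-01", "published"),
        (3, "Draft offer", "2022-01-02", "draft"),
    ])
    return conn


if __name__ == "__main__":
    print(list_popups(demo_db(), orderby="title", order="asc"))
```
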

Anti-Malware Security and Brute-Force Firewall

This WordPress plugin also contains a Reflected Cross-Site Scripting vulnerability. An attacker must have admin level credentials to perform the attack.

Publishers are advised to update to at least version 4.20.94.

WP Content Copy Protection and No Right Click

Security researchers at Patchstack reported that this WordPress plugin has a Cross-Site Request Forgery (CSRF) vulnerability.

Publishers are advised to update to at least version 3.4.5.

Database Backup for WordPress

Security researchers at WPScan have reported a SQL Injection vulnerability that affects the Database Backup for WordPress plugin, which handles the most sensitive part of any WordPress installation, the database.

WPScan notes:

“The plugin incorrectly cleans and bypasses the fragment parameter before it can be used in an SQL statement in the admin dashboard, leading to an SQL injection issue”

The National Vulnerability Database advises publishers to update the Database Backup for WordPress plugin to at least version 2.5.1.

GiveWP – Donation Plugin and Fundraising Platform

The GiveWP Donation Plugin was found to contain a Reflected Cross-Site Scripting vulnerability. Publishers are advised to update to at least version 2.17.3 of the plugin.

Download Manager WordPress Plugin

This plugin contains a SQL Injection vulnerability that can lead to a Reflected Cross-Site Scripting attack. Publishers are advised to update to at least version 3.2.34.

Advanced Database Cleaner WordPress Plugin

Security researchers discovered that this plugin contains an issue that could lead to a Reflected Cross-Site Scripting attack. Publishers are advised to update to at least version 3.0.4 of the plugin.

Multiple Vulnerable WordPress Plugins

Many plugins have been reported to have vulnerabilities, but these nine are the most popular.

All nine plugins have received a patch that closes the vulnerability, but it’s up to publishers to make sure they use the latest versions to keep their websites and site visitors safe.
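One way to check an installation against the minimum versions listed in this article, as an added example that is not from the article or any of the plugin projects. The inventory is constructed sample data, and matching on the display names used in the article is an assumption; a real inventory would normally be keyed by plugin slug.

```python
import re

# Minimum patched versions as stated in this article, keyed by plugin name.
MIN_PATCHED = {
    "Header Footer Code Manager": "1.1.17",
    "Ad Inserter – Ad Manager and AdSense Ads": "2.7.10",
    "Popup Builder": "4.0.7",
    "Anti-Malware Security and Brute-Force Firewall": "4.20.94",
    "WP Content Copy Protection & No Right Click": "3.4.5",
    "Database Backup for WordPress": "2.5.1",
    "GiveWP – Donation Plugin and Fundraising Platform": "2.17.3",
    "Download Manager": "3.2.34",
    "Advanced Database Cleaner": "3.0.4",
}

def parse_version(text):
    """Turn '1.1.17' into (1, 1, 17); suffixes such as '-beta' are ignored."""
    parts = []
    for piece in text.strip().split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)

def is_patched(installed, minimum):
    """Compare numerically, padding the shorter version with zeros."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b

def audit(inventory):
    """Return sorted (name, installed, minimum) for plugins below the fix."""
    findings = []
    for name, installed in inventory.items():
        minimum = MIN_PATCHED.get(name)
        if minimum is not None and not is_patched(installed, minimum):
            findings.append((name, installed, minimum))
    return sorted(findings)

# Constructed sample inventory (name -> installed version), not real site data.
SAMPLE_INVENTORY = {
    "Header Footer Code Manager": "1.1.9",  # a string compare calls this newer
    "Popup Builder": "4.0.7",
    "GiveWP – Donation Plugin and Fundraising Platform": "2.17",
    "Download Manager": "3.2.34.1",
    "Some Other Plugin": "0.1",
}

if __name__ == "__main__":
    print(audit(SAMPLE_INVENTORY))
```

Comparing version strings directly would report 1.1.9 as newer than 1.1.17, which is why the components are compared as integers.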

Citations

Header Footer Code Manager
https://www.wordfence.com/blog/2022/02/reflected-xss-in-header-footer-code-manager/

Ad Inserter – Ad Manager and AdSense Ads
https://nvd.nist.gov/vuln/detail/CVE-2022-0288

Popup Builder WordPress Plugin
https://nvd.nist.gov/vuln/detail/CVE-2022-0228

Anti-Malware Security and Brute-Force Firewall
https://nvd.nist.gov/vuln/detail/CVE-2021-25101
https://wpscan.com/vulnerability/5fd0380c-0d1d-4380-96f0-a07be5a61eba

WP Content Copy Protection and No Right Click
https://nvd.nist.gov/vuln/detail/CVE-2022-23983

Database Backup for WordPress
https://nvd.nist.gov/vuln/detail/CVE-2022-0255

GiveWP – Donation Plugin and Fundraising Platform
https://nvd.nist.gov/vuln/detail/CVE-2021-25100
https://nvd.nist.gov/vuln/detail/CVE-2021-25099

Download Manager
https://nvd.nist.gov/vuln/detail/CVE-2021-25069
https://wpscan.com/vulnerability/4ff5e638-1b89-41df-b65a-f821de8934e8

Advanced Database Cleaner WordPress Plugin
https://nvd.nist.gov/vuln/detail/CVE-2021-24921
