Connect with us

NEWS

300,00+ Installations of Catch Themes WordPress Plugins Vulnerable via @sejournal, @martinibuster

Published

on

Security researchers at WPScan and Wordfence have identified seventeen plugins published Catch Plugins (a division of Catch Themes, LLC) that have vulnerabilities. These vulnerabilities are rated as high and can result in an attacker being able to change the plugin configurations.

Cross Site Request Forgery (CSRF)

A user authentication exploit (lacking a capability check) and a Cross Site Request Forgery (CSRF) vulnerability are affecting 17 plugins published by Catch Themes.

These vulnerabilities allow any logged-in user, even a subscriber, to perform changes that are usually reserved for WordPress users with the highest editing privileges, like the administrator of the website.

According to WordPress security plugin publisher WPScan:

Advertisement

Continue Reading Below

“Multiple Plugins from the CatchThemes vendor do not perform capability and CSRF checks in the ctp_switch AJAX action, which could allow any authenticated users, such as Subscriber to change the plugin’s configurations.”

Wordfence Reports Vulnerability in Catch Demo Import WordPress Plugin

Wordfence published a notice about a critical vulnerability discovered in one of these plugins as well, the Catch Themes Demo Import (versions up to and including version 1.7).

The Catch Themes Demo Import WordPress plugin was found to have an Arbitrary File Upload Vulnerability.

It’s unclear how severe this specific vulnerability is. The vulnerability was rated by Wordfence as 9.1 on a scale of 1 – 10 and described as Critical. However, the vulnerability was listed on the US government National Vulnerability Database with a rating of 7.2 (High).

Advertisement

Advertisement

Continue Reading Below

According to Wordfence:

“The Catch Themes Demo Import WordPress plugin is vulnerable to arbitrary file uploads via the import functionality found in the ~/inc/CatchThemesDemoImport.php file, in versions up to and including 1.7, due to insufficient file type validation”

Wordfence recommends upgrading to version 1.8, or newer.

Vulnerabilities Discovered in Seventeen Catch Themes WordPress Plugins

WPScan lists seventeen Catch Themes WordPress plugins that were discovered to have vulnerabilities. All seventeen were disclosed to the plugin publisher and have been fixed.

Over 300,000 Installations Affected

Many of the seventeen plugins are highly popular.

These are the top 10 most popular Catch Themes plugins, with the number of installations listed next to them.

Ten Most Popular Vulnerable Catch Theme Plugins

  1. To Top80,000 Installations
  2. Essential Content Types – 50,000 Installations
  3. Catch IDs40,000 Installations
  4. Catch Web Tools20,000 Installations
  5. Social Gallery and Widget20,000 Installations
  6. Catch Infinite Scroll20,000 Installations
  7. Catch Gallery20,000 Installations
  8. Essential Widgets20,000 Installations
  9. Catch Instagram Feed Gallery & Widget (Social Gallery and Widget)20,000 Installations
  10. Catch Themes Demo Import10,000 Installations

Seventeen Catch Themes Vulnerable Plugins

These are the seventeen plugins reported by WPScan to have a vulnerability that was subsequently patched:

  1. Essential Widgets
    Fixed in version 1.9
  2. To Top
    Fixed in version 2.3
  3. Header Enhancement
    Fixed in version 1.5
  4. Generate Child Theme
    Fixed in version 1.6
  5. Essential Content Types
    Fixed in version 1.9
  6. Catch Web Tools
    Fixed in version 2.7
  7. Catch Under Construction
    Fixed in version 1.4
  8. Catch Themes Demo Import
    Fixed in version 1.6
  9. Catch Sticky Menu
    Fixed in version 1.7
  10. Catch Scroll Progress Bar
    Fixed in version 1.6
  11. Catch Instagram Feed Gallery & Widget (Social Gallery and Widget)
    Fixed in version 2.3
  12. Catch Infinite Scroll
    Fixed in version 1.9
  13. Catch Import Export
    Fixed in version 1.9
  14. Catch Gallery
    Fixed in version 1.7
  15. Catch Duplicate Switcher
    Fixed in version 1.6
  16. Catch Breadcrumb
    Fixed in version 1.7
  17. Catch IDs
    Fixed in version 2.4

Advertisement

Continue Reading Below

Advertisement

Users Recommended to Consider Updating to Latest Plugin Versions

Publishers who use the affected Catch Themes plugins who wish to avoid unintended consequences from using vulnerable versions of those plugins should consider upgrading to the very latest versions of the plugins now available.

Failure to do so may lead to unnecessary exposure to a hacking event.

Citations

Read WPScan Advisory on Catch Themes Plugins

Multiple Plugins from CatchThemes – Unauthorised Plugin’s Setting Change

Wordfence Advisory of Catch Themes Plugin

Catch Themes Demo Import <= 1.7 Admin+ Arbitrary File Upload

National Vulnerability Database Catch Themes Plugins Advisories

Catch Themes Demo Import WordPress plugin vulnerability CVE-2021-39352 Detail

Advertisement

Continue Reading Below

National Vulnerability Database Listing of Multiple Catch Themes Plugins Vulnerabilities

Advertisement

Searchenginejournal.com

NEWS

Google December Product Reviews Update Affects More Than English Language Sites? via @sejournal, @martinibuster

Published

on

Google’s Product Reviews update was announced to be rolling out to the English language. No mention was made as to if or when it would roll out to other languages. Mueller answered a question as to whether it is rolling out to other languages.

Google December 2021 Product Reviews Update

On December 1, 2021, Google announced on Twitter that a Product Review update would be rolling out that would focus on English language web pages.

The focus of the update was for improving the quality of reviews shown in Google search, specifically targeting review sites.

A Googler tweeted a description of the kinds of sites that would be targeted for demotion in the search rankings:

“Mainly relevant to sites that post articles reviewing products.

Think of sites like “best TVs under $200″.com.

Goal is to improve the quality and usefulness of reviews we show users.”

Advertisement

Advertisement

Continue Reading Below

Google also published a blog post with more guidance on the product review update that introduced two new best practices that Google’s algorithm would be looking for.

The first best practice was a requirement of evidence that a product was actually handled and reviewed.

The second best practice was to provide links to more than one place that a user could purchase the product.

The Twitter announcement stated that it was rolling out to English language websites. The blog post did not mention what languages it was rolling out to nor did the blog post specify that the product review update was limited to the English language.

Google’s Mueller Thinking About Product Reviews Update

Screenshot of Google's John Mueller trying to recall if December Product Review Update affects more than the English language

Screenshot of Google's John Mueller trying to recall if December Product Review Update affects more than the English language

Product Review Update Targets More Languages?

The person asking the question was rightly under the impression that the product review update only affected English language search results.

Advertisement

Advertisement

Continue Reading Below

But he asserted that he was seeing search volatility in the German language that appears to be related to Google’s December 2021 Product Review Update.

This is his question:

“I was seeing some movements in German search as well.

So I was wondering if there could also be an effect on websites in other languages by this product reviews update… because we had lots of movement and volatility in the last weeks.

…My question is, is it possible that the product reviews update affects other sites as well?”

John Mueller answered:

“I don’t know… like other languages?

My assumption was this was global and and across all languages.

But I don’t know what we announced in the blog post specifically.

Advertisement

But usually we try to push the engineering team to make a decision on that so that we can document it properly in the blog post.

I don’t know if that happened with the product reviews update. I don’t recall the complete blog post.

But it’s… from my point of view it seems like something that we could be doing in multiple languages and wouldn’t be tied to English.

And even if it were English initially, it feels like something that is relevant across the board, and we should try to find ways to roll that out to other languages over time as well.

So I’m not particularly surprised that you see changes in Germany.

But I also don’t know what we actually announced with regards to the locations and languages that are involved.”

Does Product Reviews Update Affect More Languages?

While the tweeted announcement specified that the product reviews update was limited to the English language the official blog post did not mention any such limitations.

Google’s John Mueller offered his opinion that the product reviews update is something that Google could do in multiple languages.

Advertisement

One must wonder if the tweet was meant to communicate that the update was rolling out first in English and subsequently to other languages.

It’s unclear if the product reviews update was rolled out globally to more languages. Hopefully Google will clarify this soon.

Citations

Google Blog Post About Product Reviews Update

Product reviews update and your site

Google’s New Product Reviews Guidelines

Write high quality product reviews

John Mueller Discusses If Product Reviews Update Is Global

Watch Mueller answer the question at the 14:00 Minute Mark

[embedded content]

Searchenginejournal.com

Continue Reading

DON'T MISS ANY IMPORTANT NEWS!
Subscribe To our Newsletter
We promise not to spam you. Unsubscribe at any time.
Invalid email address

Trending

en_USEnglish