Nine WordPress Plugins Expose Over 1.3 Million Sites To Exploits

The United States Government Vulnerability Database and WordPress security researchers published alerts of WordPress plugin vulnerabilities. Among those plugins, nine of the most popular plugins affect over 1.3 million websites.

Vulnerabilities in Nine WordPress Plugins

While there were many more plugins found vulnerable, the nine most popular plugins affected well over 1.3 million websites. The vulnerabilities were rated

The following are on the list of nine vulnerable plugins:

  1. Header Footer Code Manager 300,000+ installations
  2. Ad Inserter – Ad Manager & AdSense Ads 200,000+ installations
  3. Popup Builder WordPress plugin 200,000+ installations
  4. Anti-Malware Security and Brute-Force Firewall 200,000+ installations
  5. WP Content Copy Protection & No Right Click 100,000+ installations
  6. Database Backup for WordPress 100,000+ installations
  7. GiveWP – Donation Plugin and Fundraising Platform 100,000+ installations
  8. Download Manager 100,000+ installations
  9. Advanced Database Cleaner WordPress plugin 80,000+ installations

Header Footer Code Manager WordPress Plugin

The Header Footer Code Manager WordPress Plugin was discovered by Wordfence security researchers to have a Reflected Cross-Site Scripting vulnerability.

Exploiting the vulnerability requires the attacker to trick an administrator into clicking a link or performing some other action; if that succeeds, it could lead to a full site takeover.

The researchers noted that because this plugin touches a sensitive area of WordPress sites, its purpose being to add code to websites, the range of malicious actions could extend to adding backdoors and attacking site visitors.

Publishers are recommended by Wordfence to update their installations to at least version 1.1.17.

Ad Inserter – Ad Manager & AdSense Ads (Free and Pro Versions)

The Ad Inserter – Ad Manager & AdSense Ads plugin was also reported by WPScan to have a vulnerability that can lead to a Reflected Cross-Site Scripting exploit.


Publishers are advised to update to at least version 2.7.10.

Popup Builder WordPress Plugin

This plugin contains a vulnerability that could lead to a SQL injection exploit.

According to the National Vulnerability Database:

“The Popup Builder WordPress plugin before 4.0.7 does not validate and properly escape the orderby and order parameters before using them in a SQL statement in the admin dashboard, which could allow high privilege users to perform SQL injection”

Publishers are recommended to update to at least version 4.0.7 of the WordPress plugin.

Anti-Malware Security and Brute-Force Firewall

This WordPress plugin also contains a Reflected Cross-Site Scripting vulnerability. An attacker must have admin-level credentials in order to carry out the attack.

Publishers are advised to update to at least version 4.20.94.

WP Content Copy Protection & No Right Click

This WordPress plugin was discovered by security researchers at Patchstack who reported the plugin to have a Cross Site Request Forgery (CSRF) vulnerability.

Publishers are advised to update to at least version 3.4.5.


Database Backup for WordPress

Security researchers at WPScan reported a SQL Injection vulnerability affecting the Database Backup for WordPress plugin that handles the most sensitive part of any WordPress installation, the database.

WPScan notes:

“The plugin does not properly sanitise and escape the fragment parameter before using it in a SQL statement in the admin dashboard, leading to a SQL injection issue”

Publishers are advised by the National Vulnerability Database to update the Database Backup for WordPress plugin to at least version 2.5.1.
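The two database advisories above (the unvalidated orderby and order parameters in Popup Builder, and the unescaped fragment parameter in Database Backup for WordPress) share one root cause: request input reaching a SQL statement without validation or binding. The script below is an added Python illustration of the defensive pattern, not code from either plugin, from WPScan or from the NVD, and it uses SQLite rather than WordPress's $wpdb. ORDER BY column and direction cannot be bound as parameters, so they are checked against an allowlist; the value filter (a title fragment, a constructed stand-in for the advisory's fragment parameter, whose real meaning in the plugin is not stated on the page) is bound as a parameter and LIKE-escaped. The table and sample rows are constructed.

```python
import sqlite3

# ORDER BY identifiers and directions cannot be bound as parameters, so they
# must be validated against a fixed allowlist before interpolation.
ALLOWED_ORDERBY = {"id", "title", "created_at"}
ALLOWED_ORDER = {"ASC", "DESC"}


def build_list_query_vulnerable(orderby, order):
    """Vulnerable pattern: request-controlled strings concatenated into SQL."""
    return f"SELECT id, title FROM popups ORDER BY {orderby} {order}"


def safe_order_clause(orderby, order):
    """Return 'ORDER BY <col> <dir>' only for allowlisted values, else raise."""
    if orderby not in ALLOWED_ORDERBY:
        raise ValueError(f"orderby not in allowlist: {orderby!r}")
    direction = order.upper()
    if direction not in ALLOWED_ORDER:
        raise ValueError(f"order not in allowlist: {order!r}")
    return f"ORDER BY {orderby} {direction}"


def like_escape(value, escape="\\"):
    """Escape LIKE wildcards so a user-supplied fragment matches literally."""
    return (value.replace(escape, escape + escape)
                 .replace("%", escape + "%")
                 .replace("_", escape + "_"))


def list_popups(conn, orderby="id", order="ASC", title_fragment=None):
    """Hardened query: allowlisted ordering, bound and escaped value filter."""
    sql = "SELECT id, title FROM popups"
    params = []
    if title_fragment is not None:
        # The fragment is a bound parameter, never interpolated into the SQL text.
        sql += " WHERE title LIKE ? ESCAPE '\\'"
        params.append("%" + like_escape(title_fragment) + "%")
    sql += " " + safe_order_clause(orderby, order)
    return conn.execute(sql, params).fetchall()


def sample_db():
    """Constructed in-memory table standing in for a plugin's admin listing."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE popups (id INTEGER PRIMARY KEY, title TEXT, created_at TEXT)"
    )
    conn.executemany(
        "INSERT INTO popups (title, created_at) VALUES (?, ?)",
        [("Newsletter signup", "2022-01-05"),
         ("Holiday sale", "2022-02-10"),
         ("100% off_shirts", "2022-02-11")],
    )
    return conn


if __name__ == "__main__":
    db = sample_db()
    print(list_popups(db, "title", "desc"))
    print(list_popups(db, title_fragment="%"))  # only the title with a literal %
    try:
        list_popups(db, "not_a_column")
    except ValueError as exc:
        print("rejected:", exc)
```

The allowlist, not escaping, is the fix for identifiers: escaping a column name still lets an unexpected column or expression through, whereas a closed set of known columns and the two directions leaves nothing for a request to control. The ESCAPE clause matters for the bound fragment too, because without it a fragment containing % or _ silently becomes a wildcard search.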

GiveWP – Donation Plugin and Fundraising Platform

The GiveWP Donation Plugin was found to contain a Reflected Cross-Site Scripting vulnerability. Publishers are advised to update to at least version 2.17.3 of the plugin.

Download Manager WordPress Plugin

This plugin contains a SQL Injection vulnerability that could lead to a Reflected Cross-Site Scripting attack. Publishers are advised to update to at least version 3.2.34.

Advanced Database Cleaner WordPress Plugin

This plugin was discovered by security researchers to contain an issue that could lead to a Reflected Cross-Site Scripting attack. Publishers are advised to update to at least version 3.0.4 of the plugin.

Multiple WordPress Plugins Vulnerable

Many more plugins were reported to have vulnerabilities, but these nine are the most popular.

All of the plugins have received a patch that closes the vulnerability but it’s up to publishers to make sure that they are using the latest versions in order to keep their websites and site visitors safe.
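The closing advice, make sure you are running at least the fixed versions, becomes a repeatable check with the script below. It is an added example, not code from the article or from any of the plugin authors. It takes a plugin inventory (assumed to be exported with WP-CLI as `wp plugin list --fields=title,version --format=csv`; a constructed sample is embedded, and the plugin titles are keyed by the names as the article gives them, which may differ from the titles a real site reports) and compares each installed version against the minimum fixed versions listed above, using numeric dotted-version comparison rather than string comparison so that 3.2.9 is correctly seen as older than 3.2.34.

```python
import csv
import io
import re

# Minimum fixed versions exactly as the article states them, keyed by the
# plugin name as the article gives it. Real `wp plugin list` titles may differ
# (this mapping is an assumption): adjust the keys to what your site reports.
FIXED_VERSIONS = {
    "Header Footer Code Manager": "1.1.17",
    "Ad Inserter – Ad Manager & AdSense Ads": "2.7.10",
    "Popup Builder": "4.0.7",
    "Anti-Malware Security and Brute-Force Firewall": "4.20.94",
    "WP Content Copy Protection & No Right Click": "3.4.5",
    "Database Backup for WordPress": "2.5.1",
    "GiveWP – Donation Plugin and Fundraising Platform": "2.17.3",
    "Download Manager": "3.2.34",
    "Advanced Database Cleaner": "3.0.4",
}

# Constructed inventory in the shape assumed for
# `wp plugin list --fields=title,version --format=csv` (not real output).
SAMPLE_INVENTORY = """title,version
Header Footer Code Manager,1.1.16
Popup Builder,4.0.7
Download Manager,3.2.30
Akismet Anti-Spam,4.2.2
Database Backup for WordPress,2.5
"""


def parse_version(version):
    """'4.20.94' -> (4, 20, 94). Parsing stops at the first non-numeric
    component, so pre-release suffixes are dropped and need manual review."""
    parts = []
    for component in version.strip().split("."):
        match = re.match(r"\d+", component)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def version_lt(installed, fixed):
    """True when installed is older than fixed; zero-pads so 2.5 == 2.5.0 < 2.5.1."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def audit(inventory_csv):
    """Return {title: (installed, fixed)} for every listed plugin still below
    its fixed version; plugins not in the advisory table are ignored."""
    findings = {}
    for row in csv.DictReader(io.StringIO(inventory_csv)):
        title = row["title"].strip()
        fixed = FIXED_VERSIONS.get(title)
        if fixed is not None and version_lt(row["version"], fixed):
            findings[title] = (row["version"].strip(), fixed)
    return findings


if __name__ == "__main__":
    for title, (installed, fixed) in audit(SAMPLE_INVENTORY).items():
        print(f"UPDATE NEEDED: {title}: installed {installed}, fixed in {fixed}")
```

Running it against the constructed sample flags Header Footer Code Manager, Download Manager and Database Backup for WordPress, while Popup Builder at exactly 4.0.7 passes; "2.5" is treated as 2.5.0 so the trailing-component case is handled rather than compared as text.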


Citations

Header Footer Code Manager
https://www.wordfence.com/blog/2022/02/reflected-xss-in-header-footer-code-manager/

Ad Inserter – Ad Manager & AdSense Ads
https://nvd.nist.gov/vuln/detail/CVE-2022-0288

Popup Builder WordPress Plugin
https://nvd.nist.gov/vuln/detail/CVE-2022-0228

Anti-Malware Security and Brute-Force Firewall
https://nvd.nist.gov/vuln/detail/CVE-2021-25101
https://wpscan.com/vulnerability/5fd0380c-0d1d-4380-96f0-a07be5a61eba

WP Content Copy Protection & No Right Click
https://nvd.nist.gov/vuln/detail/CVE-2022-23983

Database Backup for WordPress
https://nvd.nist.gov/vuln/detail/CVE-2022-0255

GiveWP – Donation Plugin and Fundraising Platform
https://nvd.nist.gov/vuln/detail/CVE-2021-25100
https://nvd.nist.gov/vuln/detail/CVE-2021-25099

Download Manager
https://nvd.nist.gov/vuln/detail/CVE-2021-25069
https://wpscan.com/vulnerability/4ff5e638-1b89-41df-b65a-f821de8934e8


Advanced Database Cleaner WordPress Plugin
https://nvd.nist.gov/vuln/detail/CVE-2021-24921


Reach Success With The Future Of Ad Exchanges [Podcast]


Constantly looking for ways to optimize your ad spend? Dreaming of a high-ROI paid advertising future? We’ve got great news — The future is now.

Big changes are on the horizon, and we know how to amplify your ad potential into high-quality leads.

John Lee, Microsoft Ads’ Head of Evangelism at Microsoft, joined me on the SEJ Show to talk about the future of ad exchanges and their ability to supercharge your potential to thrive with high-performance, low-resource programmatic advertising.

People do hop, skip and jump around, so there are all kinds of opportunities to target consumers throughout their decision journey, and Microsoft advertising is a significant piece. – John Lee, 11:25

When people think Microsoft, a big chunk of the time, people assume enterprise business, B2B, and that’s the tried and true. While that’s still a significant portion of the bottom line for Microsoft, the consumer matters greatly, whether that’s gaming or devices. – John Lee, 22:46

There’s this shift in behavior online. We’re seeing effectively a new persona emerge. – John Lee, 46:05

[00:00] – A little about John Lee.
[05:35] – What does the Microsoft advertising ecosystem look like?
[07:25] – Where to find traditional advertising beyond Bing.
[09:38] – What you can find in the display component of Microsoft.
[12:02] – Targeting on LinkedIn with Microsoft advertising.
[17:13] – Are Microsoft advertising ads shown within the Xbox experience?
[23:52] – Important and growing vertical industries that Microsoft has focused on.
[31:22] – Are people still scrolling down and clicking on organic links in the SERPs?
[37:45] – How important are images in search advertising?
[45:26] – The new emerging personas.


Resources mentioned:
Viva Goals – https://docs.microsoft.com/en-us/viva/goals/intro-to-ms-viva-goals
Microsoft Game Pass – https://www.xbox.com/en-us/games/store/pc-game-pass/cfq7ttc0kgq8?icid=CNavAllPCGamePass
Bing Webmaster Tools – https://www.bing.com/webmasters/about
Shutterstock – https://www.shutterstock.com/


All of these other developments, these feed-based elements are new flavors and additional flavors to make an amazing user experience. Whether you’re talking SEO or paid ads, all of it is working together to create an on-point user experience on the server, whether that’s Google, whether that’s Bing. – John Lee, 34:28

There’s a lot happening in the verticals space, and that’s really just the tip of the iceberg. – John Lee, 28:22

Just as a reminder to all of you out there that are SEOs and are running websites. All of your sites do have a feed. It’s called an XML sitemap. Make sure it’s updated. Google is able to fetch it and not serve errors. All of these engines work off of feeds. Also, don’t be afraid to submit your RSS feeds for your blog categories into the search console as well. Mimic that within Webmaster Tools on the Bing side too. Search engines have gone very feed friendly. This is the way to go. It’s also the way to go from an advertising perspective. – Loren Baker, 33:08

For more content like this, subscribe to our YouTube channel: https://www.youtube.com/user/searchenginejournal

Connect with John Lee:

John Lee’s enthusiasm for digital marketing is infectious, and he has the knowledge to match. He has been at it for years, and he knows how to get results, both as an entrepreneur with Clix Marketing (which he co-founded) and in his current role as Head of Evangelism at Microsoft Advertising.

He has a great deal of experience with search engine marketing, display advertising, and social media marketing, and is a content creator, speaker, trainer, and fan of all things digital (marketing and technology).


Connect with John on LinkedIn: https://www.linkedin.com/in/thejohnalee/
Follow him on Twitter: https://twitter.com/John_A_Lee


Connect with Loren Baker, Founder of Search Engine Journal:

Follow him on Twitter: https://www.twitter.com/lorenbaker
Connect with him on LinkedIn: https://www.linkedin.com/in/lorenbaker
