WordPress plugins can add almost unlimited functionality to your site. But they do have one problem. Unlike the WordPress core system, which is constantly checked by hundreds of developers, individual plugins are managed by their own smaller teams, or sometimes just a single developer.
As a result, you get a real mixed bag as far as security is concerned. It’s dangerous to install a plugin from an untrustworthy developer. And even some reputable, established developers can let a vulnerability slip in!
Checking out a vulnerability report recently, I found 3 plugins that I think are pretty widely used by site owners in Japan, and one that we often use in our own sites.
All of the vulnerabilities listed below have already been patched for our Hoshu Plan customers.
1. Ninja Forms
This is a contact form plugin that gives you very dynamic controls and powerful features, right out of the box. I trust them and have installed this plugin on many sites.
The vulnerabilities:
- Unprotected REST-API to Sensitive Information Disclosure
- Unprotected REST-API to Email Injection
- Admin+ Stored Cross-Site Scripting
If you are in our Hoshu Plan, you will already have the patched version, 3.5.8.
2. WordPress Popular Posts
This cool little plugin tracks which of your blog posts are hot or popular and lets you display links to them. I’ve seen it installed on sites from time to time, and it seems popular with do-it-yourself site owners who like to control the direction of their site themselves.
The vulnerability:
- Admin+ Stored Cross-Site Scripting
To patch this vulnerability, update the plugin to at least version 5.3.4.
3. WooCommerce
WooCommerce is a powerful plugin that extends WordPress into a full-fledged eCommerce system. It’s such a comprehensive plugin that it feels comparable in scale to the WordPress system itself.
It’s incredibly popular, with over 5 million active installations. Its developer, Automattic, is behind the WordPress hosting platform, wordpress.com. They have always been heavily involved in WordPress’s development. So I think it’s fair to say that WooCommerce should be trustworthy.
But in any software of this scale, security issues will arise.
The vulnerability:
- Analytics Report Leaks
To patch this vulnerability, update the plugin to at least version 5.7.0.
Conclusion
Of the various security notices I’ve seen, these 3 are the ones I felt would be relevant to our customers and site owners in this region. If you have these installed, check the versions today. On that note, check whether any updates on your site are overdue. Keeping your WordPress installation up to date is one of the most crucial security measures you can take.
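One way to do that version check across many sites, as an added example that is not part of this post: feed the CSV that WP-CLI prints with `wp plugin list --format=csv` into a small script that compares each installed version against the patched versions named above. The plugin slugs (`ninja-forms`, `wordpress-popular-posts`, `woocommerce`) are assumed to be the wordpress.org slugs that WP-CLI reports in its `name` column, and the sample plugin list below is constructed for the example, not captured from a real site.

```python
"""Added example: flag plugins older than the patched versions named in the post.

Input is the CSV that `wp plugin list --format=csv` prints (assumed columns:
name,status,update,version); the sample below is constructed, not real data.
"""
import csv
import io
import re

# Minimum patched versions as stated in the post, keyed by the plugin's
# wordpress.org slug (assumed to match the `name` column of `wp plugin list`).
PATCHED_VERSIONS = {
    "ninja-forms": "3.5.8",
    "wordpress-popular-posts": "5.3.4",
    "woocommerce": "5.7.0",
}

# Constructed sample output of `wp plugin list --format=csv`.
SAMPLE_PLUGIN_LIST = """name,status,update,version
akismet,active,none,4.2.1
ninja-forms,active,available,3.5.7
wordpress-popular-posts,inactive,none,5.3.4
woocommerce,active,available,5.6.0
"""


def version_key(version):
    """Turn '3.5.8' into (3, 5, 8, 0) so versions compare numerically.

    Plain string comparison would rank '3.5.10' below '3.5.8'; padding with
    zeros makes '5.7' equal to '5.7.0'. Non-numeric suffixes such as
    '-beta1' are ignored and treated as the base version.
    """
    parts = [int(part) for part in re.findall(r"\d+", version)]
    return tuple(parts + [0] * (4 - len(parts)))


def outdated_plugins(csv_text, minimums=PATCHED_VERSIONS):
    """Return [(slug, installed, required), ...] for plugins below the patched version.

    Plugins not listed in `minimums` are skipped; inactive plugins are still
    reported, since inactive plugin code remains on disk.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        slug = row["name"]
        if slug not in minimums:
            continue
        installed, required = row["version"], minimums[slug]
        if version_key(installed) < version_key(required):
            findings.append((slug, installed, required))
    return findings


if __name__ == "__main__":
    # On a real site: wp plugin list --format=csv | python3 this_script.py
    for slug, installed, required in outdated_plugins(SAMPLE_PLUGIN_LIST):
        print(f"{slug}: installed {installed}, needs at least {required}")
```

Against the constructed sample this reports Ninja Forms (3.5.7) and WooCommerce (5.6.0) as below the patched versions, while WordPress Popular Posts at exactly 5.3.4 passes.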
If you need help managing your updates safely, don’t hesitate to contact us about our Hoshu Plan!