ゴートデザイン・GOAT DESIGN

Plugin vulnerabilities (Oct. 2021)

2021/10/12

WordPress plugins let you add almost unlimited functionality to your site. But they do have one problem. Unlike the WordPress core, which is constantly reviewed by hundreds of developers, individual plugins are maintained by their own smaller teams, or sometimes by a single developer.

As a result, you get a real mixed bag as far as security is concerned. It’s dangerous to install a plugin from an untrustworthy developer. And even some reputable, established developers can let a vulnerability slip in!

Checking out a vulnerability report recently, I found three plugins that I think are pretty widely used by site owners in Japan, including one that we often use on our own sites.

All of the vulnerabilities listed below have already been patched for our Hoshu Plan customers.

1. Ninja Forms

This is a contact form plugin that gives you very dynamic controls and powerful features, right out of the box. I trust them and have installed this plugin on many sites.

The vulnerabilities:

  • Unprotected REST-API to Sensitive Information Disclosure
  • Unprotected REST-API to Email Injection
  • Admin+ Stored Cross-Site Scripting

If you are in our Hoshu Plan, you will already have the patched version, 3.5.8.

2. WordPress Popular Posts

This cool little plugin tracks your most-viewed blog posts and lets you display links to them. I’ve seen it installed on sites from time to time, and I feel it’s popular with do-it-yourself site owners who like to steer the direction of their site themselves.

The vulnerability:

  • Admin+ Stored Cross-Site Scripting

To patch this vulnerability, update the plugin to at least version 5.3.4.

3. WooCommerce

WooCommerce is a powerful plugin that extends WordPress into a full-fledged eCommerce system. It’s such a comprehensive plugin that it feels comparable in scale to the WordPress system itself.

It’s incredibly popular, with over 5 million active installations. Its developer, Automattic, is behind the WordPress hosting platform, wordpress.com. They have always been heavily involved in WordPress’s development. So I think it’s fair to say that WooCommerce should be trustworthy.

But as with any software at this scale, security issues will arise.

The vulnerability:

  • Analytics Report Leaks

To patch this vulnerability, update the plugin to at least version 5.7.0.

Conclusion

Of the various security notices I’ve seen, these three are the ones I felt would be relevant to our customers and site owners in this region. If you have any of them installed, check the versions today. While you are at it, check whether any other updates are overdue on your site. Keeping your WordPress code up to date is one of the most crucial security measures you can take.
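As an added example (not part of the original post), here is a small script that reads the `Version:` header WordPress expects in each plugin's main file and compares it with the minimum patched versions named above. The plugin directory slugs and the sample file contents are assumptions I constructed for the demo.

```python
import re

# Minimum patched versions named in the post, keyed by the plugin's
# WordPress.org directory slug (the slugs are an assumption, not from the post).
PATCHED_MINIMUM = {
    "ninja-forms": "3.5.8",
    "wordpress-popular-posts": "5.3.4",
    "woocommerce": "5.7.0",
}

# WordPress reads plugin metadata from a header comment in the main plugin
# file, e.g. " * Version: 3.5.7". This pulls that value out.
_VERSION_HEADER = re.compile(r"^[ \t/*#@]*Version:\s*(\S+)", re.MULTILINE | re.IGNORECASE)


def parse_version(text: str):
    """Return the Version: header value from a plugin file, or None if absent."""
    m = _VERSION_HEADER.search(text)
    return m.group(1) if m else None


def version_tuple(v: str):
    """Compare numerically, so 5.10.0 > 5.7.0 (a plain string compare gets this wrong)."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def check_plugins(installed: dict) -> dict:
    """Map each plugin from the post to 'ok', 'outdated', 'unknown version' or 'not installed'."""
    result = {}
    for slug, minimum in PATCHED_MINIMUM.items():
        src = installed.get(slug)
        if src is None:
            result[slug] = "not installed"
            continue
        v = parse_version(src)
        if v is None:
            result[slug] = "unknown version"  # header missing: verify by hand
        elif version_tuple(v) < version_tuple(minimum):
            result[slug] = "outdated"
        else:
            result[slug] = "ok"
    return result


# Constructed sample input: the header block of each installed plugin's main file.
SAMPLE_INSTALLED = {
    "ninja-forms": "<?php\n/**\n * Plugin Name: Ninja Forms\n * Version: 3.5.7\n */\n",
    "woocommerce": "<?php\n/**\n * Plugin Name: WooCommerce\n * Version: 5.10.0\n */\n",
}

if __name__ == "__main__":
    for slug, status in check_plugins(SAMPLE_INSTALLED).items():
        print(f"{slug}: {status}")
```

On a real site, read each `wp-content/plugins/<slug>/<slug>.php` file into the dictionary in place of the constructed sample.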

If you need help managing your updates safely, don’t hesitate to contact us about our Hoshu Plan!
