1. Forum
  2. tqwNet
  3. TQW GENTECH

  • Top WordPress plugins found to have some serious security flaws,

    From TechnologyDaily@1337:1/100 to All on Tuesday, December 24, 2024 13:30:05
    Top WordPress plugins found to have some serious security flaws, so make sure you're protected

    Date:
    Tue, 24 Dec 2024 13:25:00 +0000

    Description:
    Almost two dozen flaws were found in two solutions, granting RCE and site takeover.

    FULL STORY ======================================================================Two WordPress plugins found carrying 18 security flaws Most of them are deemed critical, since they allow RCE, among other things All have now been patched, so make sure to upgrade your plugins

    Two premium WordPress plugins were found carrying more than a dozen vulnerabilities, some of which were deemed critical.

    This is according to WordPress cybersecurity platform Patchstack, who found the issues in the website builder in late March 2024, and reported them to
    the developers. Since then, all bugs have been mitigated.

    The bugs were found in WPLMS and VibeBP plugins. Updating plugins

    WordPress allows for Learning Management Systems (LMS), platforms that allow users to create, manage, and sell online courses directly from their
    WordPress website. LMS plugins integrate educational features and functionalities with WordPress, enabling instructors or organizations to deliver courses, track learner progress, and engage students effectively.

    One of the more popular LMS platforms around is WPLMS, built by a company called VibeThemes. Purchased more than 28,000 times already, it comes with numerous features such as course creation and management, quizzes and assessments, membership and subscription support, and more.

    VibeBP, on the other hand, is a WordPress plugin that integrates BuddyPress with WPLMS, enhancing its social learning features. It allows users to create communities by providing options for user profiles, activity streams, private messaging, and notifications. It was also built by VibeThemes.

    Patchstack says it found 18 vulnerabilities, most of which were critical in severity.

    They allowed remote, unauthenticated attackers to upload arbitrary files, execute code, escalate privileges, and perform SQL injections. In other
    words, they could use the bugs to take over websites, steal sensitive data, and more. One bug - CVE-2024-56046 - was even given the maximum score, 10/10, since it allows malicious actors to upload arbitrary files without authentication, potentially leading to remote code execution (RCE).

    The full list of vulnerabilities, as well as affected versions, can be found on this link .

    WPLMS users should make sure their platform is upgraded to version 1.9.9.5.3 or newer, and VibeBP to 1.9.9.7.7 or newer.

    As a rule of thumb, site owners should enforce secure file uploads, SQL query sanitation, and role-based access controls, Patchstack said.

    Via BleepingComputer You might also like Millions of WordPress sites could
    be at risk from "one of the most serious" plugin flaws ever found Here's a list of the best antivirus tools on offer These are the best endpoint protection tools right now



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/top-wordpress-plugins-found-to-have-som e-serious-security-flaws-so-make-sure-youre-protected


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)