Happy Holidays!
Work schedule: Reduced availability from 24 December to 8 January.
Merry Christmas and a Happy New Year!
Holiday work schedule: Reduced availability from 24 December to 8 January.

Plugin Vulnerability Affects Up To 1 Million Websites

In a significant security alert, Wordfence, a leading security service for WordPress websites, reported a severe SQL Injection vulnerability in the widely used WordPress plugin Better Search Replace. The vulnerability was identified as critical with a 9.8 score and was fixed in version 1.4.5:  

”Security: Unserializing an object during search and replace operations now passes ‘allowed_classes’ => false to avoid instantiating the object and potentially running malicious code stored in the database (thanks to Wordfence for responsible disclosure on December 18, 2023, followed by development and testing of the fix by WP Engine).” 

The vulnerability identified in the Better Search Replace plugin refers to PHP Object Injection, affecting all versions up to and including 1.4.4. The core issue lies in the deserialisation of untrusted input. It can allow unauthenticated attackers to inject harmful PHP Objects into the website. This vulnerability is particularly alarming as it can enable attackers to manipulate the website’s data and functionality without requiring authentication credentials.

The Better Search Replace plugin itself does not contain a PHP Object Injection (POP) chain. However, the presence of another vulnerable plugin or theme installed on the target system could escalate the threat. In such cases, attackers could take advantage of the vulnerability to perform destructive actions. Like deleting arbitrary files, collecting sensitive data, or executing malicious code. This increases the risk for websites that use a combination of plugins and themes, which is a common practice in WordPress environments.

Another similar case happened last year, where over 4 million websites were affected by a stored Cross-Site Scripting vulnerability in the LightSpeed Cache plugin. The issue could let hackers upload malicious scripts by exploiting a shortcode functionality. The vulnerability was later solved in a newer version of the plugin.

Summing up

Looking ahead, cybercrime is estimated to cost the world $10.5 trillion annually by 2025. And in 2020, the FBI got more than 2,000 complaints about internet crimes daily, with people losing over $4.2 billion.

The incidents serve as a reminder to all website owners to regularly update their plugins, themes, or any software used. Be vigilant and stay informed about all potential vulnerabilities to protect yourself against evolving cyber threats!

To the Newspaper Theme users, please make sure to keep the plugins, theme and WordPress updated to the latest version. Use a security plugin, like Wordfence and conduct regular WordPress security scans.

To ensure your website is up to date, you can always check the changelog. Also, you can find all the new features and improvements added with each update. If you find it challenging and need help updating your website, get in touch with us. Starting from $59*, we can assure you of a smooth and hassle-free update process. Stay safe!

*child theme and custom code adaptation will involve extra cost.

Share

Corina
Corina
Having a strong passion for digital marketing and a slight interest in graphic design, I aspire to become a better person and improve every day. With clear goals and big dreams, I am sure that nothing is impossible as long as my ambition and desire will guide me.

Do you need any help with the Newspaper or Newsmag WordPress Themes? Please send us all the necessary details via email or create a new topic on our online forum. We're always happy to assist you.

LEAVE A REPLY

Please enter your comment!
Please enter your name here

This site uses Akismet to reduce spam. Learn how your comment data is processed.

Join our community

With over 2000+ fellow WordPress enthusiasts and digital creators

tagDiv’s 2024 Recap: Achievements, Memorable Moments, and What’s Next

tagDiv’s 2024 Recap: achievements, memorable moments, and what’s next

As 2024 comes to a close, we at tagDiv are taking a moment to...
Black friday checklist , Black friday website , checklist 2024 black friday checklist , Black friday ecommerce checklist

2024 Black Friday eCommerce Checklist

Are you an eCommerce business owner gearing up for a successful 2024 Black Friday...
seo , what is seo , seo optimization

What is SEO – Strategies and Recommendations for Beginners

What is SEO? SEO, or Search Engine Optimization, refers to a series of processes to...
benefits of website maintenance website maintenance cost benefits of website maintenance

Benefits of Website Maintenance and Associated Costs

Simply having a website online is not enough; it must be well-maintained and regularly...