
Wordfence Blog

Vulnerability Roundup: 3 Vulnerable WP Plugins and Update Your Joomla

This entry was posted in Wordfence, WordPress Security on July 6, 2017 by Mark Maunder

It’s been a tough week for the WP Statistics plugin. Last Friday, Sucuri (now owned by GoDaddy) disclosed a SQL injection vulnerability in WP Statistics, affecting version 12.0.7 and older. To exploit it, an attacker needs an account with subscriber-level access, either self-registered (if the site allows registration) or compromised. With that account they can pass a crafted attribute to a WP Statistics shortcode; the attribute reaches a database query without proper sanitization, which gives them SQL injection. From there they can, for example, insert an admin-level user into the database and sign in to your website as an administrator.
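The pattern behind this class of bug, as an added illustration (this is not WP Statistics' code, and the shortcode name, attribute and table are hypothetical): a shortcode attribute is concatenated into a query, beside the hardened form that allow-lists the value and binds it with `$wpdb->prepare()`. Any logged-in WordPress user can have a shortcode rendered through the `parse-media-shortcode` admin-ajax action, which is why a subscriber account is all the attacker needs; the shortcode handler has to treat its attributes as untrusted input.

```php
<?php
/*
 * Added illustration, not WP Statistics' code. The shortcode
 * [visits_by_provider provider="..."] and the table {prefix}visit_stats
 * are hypothetical; the two handlers differ only in how the attribute
 * reaches SQL.
 */

// Vulnerable pattern.
function vuln_visits_by_provider( $atts ) {
	global $wpdb;
	$atts  = shortcode_atts( array( 'provider' => 'all' ), $atts, 'visits_by_provider' );
	$table = $wpdb->prefix . 'visit_stats'; // prefix is trusted config, not user input

	// BUG: the user-controlled attribute is concatenated into the WHERE clause.
	// provider="x' OR '1'='1" turns the filter into a tautology, and a crafted
	// value can go on to UNION other tables (users, usermeta) into the result.
	$sql = "SELECT COUNT(*) FROM {$table} WHERE provider = '" . $atts['provider'] . "'";
	return (string) $wpdb->get_var( $sql );
}

// Hardened pattern: validate against an allow-list, bind with prepare(), escape output.
function safe_visits_by_provider( $atts ) {
	global $wpdb;
	$atts     = shortcode_atts( array( 'provider' => 'all' ), $atts, 'visits_by_provider' );
	$allowed  = array( 'all', 'google', 'bing', 'duckduckgo' );
	$provider = in_array( $atts['provider'], $allowed, true ) ? $atts['provider'] : 'all';
	$table    = $wpdb->prefix . 'visit_stats';

	if ( 'all' === $provider ) {
		$sql = "SELECT COUNT(*) FROM {$table}";
	} else {
		// %s is quoted and escaped by prepare(); the value can no longer
		// terminate the string literal, so the allow-list is defence in depth.
		$sql = $wpdb->prepare( "SELECT COUNT(*) FROM {$table} WHERE provider = %s", $provider );
	}

	// Escaping on output closes the XSS path for anything echoed back from the
	// query, the other bug class reported in this plugin.
	return esc_html( (string) $wpdb->get_var( $sql ) );
}
add_shortcode( 'visits_by_provider', 'safe_visits_by_provider' );
```

Two caveats when applying this to real plugin code: `$wpdb->prepare()` binds values only, so a table or column name taken from a shortcode attribute must be allow-listed (prepare cannot quote identifiers), and a capability check inside the handler does not help here because the attacker is already an authenticated user whom WordPress allows to render shortcodes.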

Then, 2 days ago Ryan Dewhurst discovered a cross site scripting vulnerability in the same plugin, which was fixed within a few hours of discovery.

Over 300,000 websites use WP Statistics. If you use the plugin, update immediately to version 12.0.9, which fixes both of these vulnerabilities. Because the attack needs a subscriber-level account, also check whether "Anyone can register" is enabled under Settings > General; open registration on a site that doesn't need it makes a vulnerability like this one reachable by anyone on the internet.

Wordfence includes built-in protection against SQL injection attacks and cross site scripting (XSS) attacks. As a precautionary measure, we’ve released an additional rule to our Wordfence Premium customers in real-time to protect them against the specific SQL injection attack that targets this plugin.

Other WordPress Vulnerabilities You Should Be Aware Of

The All-in-One WP Migration plugin for WordPress reportedly suffered from a cross site scripting vulnerability, which was fixed about 6 weeks ago. Wordfence free and Premium have built-in XSS protection, as mentioned above, so a site running the vulnerable plugin behind Wordfence would have been shielded from the common attack patterns. The firewall is a safety net rather than a substitute for patching, so if you haven’t already, update to 6.51, the newest version of All-in-One WP Migration.

A few weeks ago, a reflected cross site scripting vulnerability was discovered in the WordPress Download Manager plugin versions 2.9.51 and older. We suggest you update to 2.9.53, which is the newest version of this plugin. Wordfence also protects against this exploit (free and Premium).

Don’t Forget to Update Your Joomla Installations

Joomla released a security update 48 hours ago which fixes three vulnerabilities. The new release is Joomla 3.7.3 and includes fixes for two XSS vulnerabilities and an information disclosure vulnerability. If you run Joomla on your website, you can visit https://www.gravityscan.com/ to run a quick scan on your Joomla site and find out if you are vulnerable and need to take action. Details on the release can be found on Joomla.org and we also mentioned this update on the Gravityscan blog.

That’s all for today’s updates. As always, I’ll be around to reply to your comments if needed.


12 Comments on "Vulnerability Roundup: 3 Vulnerable WP Plugins and Update Your Joomla"

John McCormack July 6, 2017 at 10:21 am

I'm really impressed with WordFence's sense of community spirit. Not only in providing details of vulnerabilities and solutions to issues that relate specifically to WordPress, but also to general IT security issues and even concerns related to other CMS platforms like Joomla!
Well done WordFence!

Carlos July 6, 2017 at 11:01 am

Agree! Great sense of community and security. Most developers like me use Joomla and WordPress.

Berrie July 6, 2017 at 11:34 pm

I agree also, this is very nice work!

Ben July 7, 2017 at 5:32 am

I, too, am very impressed and appreciative as someone who uses WordPress and Joomla on many sites. Thank you, Wordfence!

Faheem July 7, 2017 at 10:37 pm

Agree! They are just awesome. They are the only one in my regular inbox. Thanks wordfence :)

Sara July 6, 2017 at 10:57 am

My rule of thumb these days is: use as few plugins as possible, update ASAP, review as needed. If they become outdated, remove completely. Stay safe.

Aaron July 6, 2017 at 11:13 am

We use Wordfence for all our clients' website projects and website security.

Endurance July 6, 2017 at 12:49 pm

Since I started using WordFence, I have less worries about WordPress security issues. I am hoping that one day WordFence will launch into other CMS like Joomla. Great job team, keep up the good work!

Fatima Jesus July 6, 2017 at 1:31 pm

Security of WordPress sites needs secure plugins, the major entrance door for hacking attempts. On this matter, I am sure that if I didn't have Wordfence on my sites, they probably wouldn't be up and malware-free as they are. And your posts are always on top of information about new threats, thanks for your public service.

Jessica July 6, 2017 at 2:25 pm

Really appreciate the updates and security news.

Greg July 6, 2017 at 3:16 pm

Always impressed by your team. Keep up the good work.

I am not impressed with WordPress. They should have more systems in place to stop Plugins from being distributed via their website that could harm others.

There should be a Wordfence gate they have to pass. :)

Vincent Lowe July 7, 2017 at 12:39 pm

These issues were newly discovered vulnerabilities. It's impossible to test for an unknown vulnerability until it becomes known. WordPress also does a decent job of notifying people about issues once they surface.

But certainly the care with which Wordfence provides updates and advice gives me confidence that my money spent on their products and services is money well spent.
