Are you concerned about how vulnerable WordPress plugins are endangering your website?
We wish we could tell you not to worry, but vulnerable plugins are the biggest reason WordPress websites get hacked. In fact, vulnerable plugins account for 55.9% of the attacks made on WordPress sites.
So should you stop using plugins altogether? In modern web development it is very hard to build and run a WordPress site without plugins, because they add functionality and features to your website.
Fortunately, there is a way to use plugins and keep your site safe and healthy. When plugin developers find a bug or vulnerability in their software, they fix it and release an updated version immediately. So once you update the plugin on your site, it is safe to keep using it. Yet a huge number of WordPress users delay updates, which leaves their sites open to hackers.
If your website gets hacked, hackers can use it to carry out a variety of malicious activities, such as stealing sensitive data, running unwanted ads, and defacing your site. A hack can have devastating consequences for your business and lead to a loss of visitors, customers, and revenue.
This is why understanding vulnerable plugins and their security issues is so important. In this post, we’ll show you the most vulnerable WordPress plugins that WordPress site owners use.
How Does A WordPress Plugin Become Vulnerable?
It’s important to understand that third-party developers create WordPress plugins, not the WordPress core team. Most plugins can be found in the WordPress repository, but there are also plugins in popular marketplaces like CodeCanyon or on the plugin’s own website.
There are over 50,000 WordPress plugins around, and more are created every day. Developers generally maintain their plugins well to keep them secure, especially premium ones.
These plugins adhere to certain guidelines that keep them secure and safe for users. However, developers continue to enhance their products and sometimes face time constraints when releasing new features. At various points during plugin development, a security flaw can be overlooked, which leaves the product open for hackers to exploit.
Once hackers discover a loophole, they can exploit it to carry out many kinds of hacks, such as:
Hack attacks like these will slow down your site severely, decreasing your SEO rankings. They also jeopardize your business, your revenue, and your reputation.
As vulnerable plugins are the biggest root cause of site hacks, it’s vital to know which plugins are most vulnerable and what fixes are available.
Note: If you are using any of these plugins on your WordPress site, we strongly advise you to update to the latest version available immediately, or to deactivate the plugin until an update is available, to avert any hack attacks.
The 8 Popular WordPress Plugins That Are Currently Being Exploited By Hackers
Many popular WordPress plugins have been attacked in the past, such as Yoast SEO, Ninja Forms, and NextGen Gallery; those issues have since been fixed and resolved. Here, we focus on the vulnerable WordPress plugins that were most recently exploited by hackers.
1. Duplicator – WordPress Migration Plugin
The Duplicator plugin is primarily a migration plugin that is also used for WordPress backups. Users can create a backup of their WordPress site and download a copy of it. They can also clone and migrate their sites to a different domain or host. It is a very popular plugin with over 1 million active installations.
Recently, a vulnerability known as an arbitrary file download was discovered in the plugin. It allowed attackers to export the contents of a WordPress site that had the plugin installed. Hackers could download confidential files and steal database credentials as well. This allowed them to break into the site, take control of it, and push their attack further.
The developers detected the vulnerability and were quick to release a critical WordPress security update in Duplicator version 1.3.28 and Duplicator Pro version 3.8.7.1 in February 2020.
Website security experts say that more than 500,000 users are still running the vulnerable version of the plugin and have yet to update to the new version.
2. ThemeGrill Demo Importer
ThemeGrill offers free and premium responsive themes that enable you to build a professional-looking site.
The ThemeGrill Demo Importer plugin enables WordPress users to import official themes from ThemeGrill directly onto their WordPress dashboard. Users can also import content, widgets, and theme settings. This plugin has over 200,000 active installs.
However, a vulnerability in this plugin enables hackers to take control of the admin account. Hackers could lock you out of your own website and even wipe out your site completely.
The developers at ThemeGrill promptly released a patch in version 1.6.3 in February 2020.
3. Profile Builder Plugin
Profile Builder enables you to give your customers the option to create an account on your website. You can build front-end user logins and registration forms on your site. It also has profile forms for your customers to personalize their accounts.
The plugin has three variants – Free, Pro, and Hobbyist. The Pro and Hobbyist versions are both premium versions. Pro allows you to use the plugin on unlimited WordPress websites while Hobbyist gives you a license to use it on a single site.
The free WordPress version of the plugin has over 50,000 active installs, while its Pro and Hobbyist versions collectively have about 15,000 installations.
In February 2020, a critical vulnerability was discovered that affected all variants of the plugin. A bug in the plugin made it possible for a hacker to register unauthorized admin accounts on WordPress sites. This allowed a hacker to create a rogue admin account and take complete control of the site.
This vulnerability affects all versions of the plugin up to and including 3.1.0. A security patch was released in version 3.1.1.
4. Flexible Checkout Fields For WooCommerce
This add-on plugin for WooCommerce enables users to customize their checkout fields. This means users can edit default fields on the checkout page and add their own labels instead. The plugin has over 20,000 active installations.
The Flexible Checkout Fields plugin is well-maintained and regularly updated by its developers.
However, the plugin had a vulnerability that hackers started to actively exploit. The vulnerability allowed hackers to inject malicious code into WordPress sites. This enabled them to carry out all sorts of activities such as creating rogue WP admin accounts, stealing data, and locking the admin user out of their own website.
The developers quickly released a security patch in versions 2.3.2 and 2.3.3 on 25 February 2020. Since then, the plugin has been updated multiple times. We strongly advise updating to the latest version available.
5. ThemeREX Addons
The ThemeREX Addons plugin is designed to be a companion plugin to a variety of themes created by ThemeREX. This addon has several features and widgets that extend the functionality of their themes. The plugin is installed on around 44,000 WordPress sites.
Hackers found a vulnerability in the plugin and started attacking websites running it. Here too, hackers could exploit a weakness in the plugin to create new admin user accounts.
ThemeREX released an update promptly, but updating ThemeREX Addons is a bit more complex. As the plugin isn’t available in the WordPress repository, you will not see an update available for the plugin on your WordPress dashboard. You need to subscribe to the ThemeREX newsletter to receive information about updates to any of its plugins and themes.
Plus, the ThemeREX Addons plugin is bundled with a number of themes. Many site owners may have installed a theme from ThemeREX and may not be aware that this plugin was automatically installed on their site as part of the package.
If you are using any ThemeREX theme, we strongly recommend you update it to the latest version. You can update the plugin from your ThemeREX account. In case you are unable to do so, you might need to install the ThemeREX updater plugin. Contact ThemeREX for more information on updating this plugin.
6. Async JavaScript
The Async JavaScript plugin helps reduce page load time, which improves page speed and user experience. Your WordPress site is made up of different languages such as PHP, CSS, and JavaScript, and this plugin changes how JavaScript is loaded on your site. The plugin has 100,000+ active installations.
A vulnerability in the plugin allowed hackers to remotely execute an attack. Recommended read: Cross-site scripting (XSS) attacks. This opened up the possibility of hackers stealing sensitive information, changing the appearance of the victim’s site, and tricking the site’s visitors into downloading malware or disclosing personal data.
The developers fixed all issues present and also took additional security measures to secure the plugin. The most secure version available at the time of writing this article is version 2.20.03.01.
In many cases, WordPress developers install this plugin while creating the website but their clients may not be aware of the plugin’s existence on their site. But luckily, this plugin is available in the WordPress repository, and update notifications appear on the WordPress dashboard.
7. Modern Events Calendar Lite
This events calendar plugin makes managing events on WordPress websites easy! It has a responsive and mobile-friendly interface that allows site owners to easily display well-designed events calendars on their site. Modern Events Calendar Lite is free to use and has over 40,000 active installations.
In February 2020, a vulnerability was found in the plugin that allowed hackers to inject malware into the WordPress site and run further attacks, such as altering the appearance of the site and stealing sensitive data.
All versions of the plugin up to 5.1.6 were vulnerable. The developers released a patch immediately and have since updated the plugin many times.
If you are using this plugin, we strongly recommend updating to the latest version as soon as possible.
8. 10Web Map Builder for Google Maps
The 10Web Map Builder for Google Maps plugin offers WordPress users an easy way to add maps to their WordPress websites. It offers powerful features and customizations that make it quite popular with over 20,000 active installations.
Recently, a vulnerability appeared in the plugin’s setup process. It allowed hackers to inject malicious scripts into a WordPress site, which they could use to attack admins as well as site visitors.
The developers released an updated version 1.0.64 in February. If you have this plugin installed on your site, once you update to the latest version, the injection vulnerability will be patched.
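To turn the version numbers listed above into an actual check, here is an added Python example (not part of the original article or of any of these plugins’ own code). It assumes a plugin inventory exported in the shape of WP-CLI’s `wp plugin list --fields=title,version,status --format=json` (the field names are an assumption) and matches on the display names used in this article rather than repository slugs, which the article does not give; ThemeREX Addons is left out because no version is stated for it.

```python
import json
import re

# Version boundaries as stated in the article, keyed by plugin display name (assumed to match the
# inventory's "title" field). ("fixed_in", v): installed < v is affected; ("vulnerable_through", v): installed <= v is affected.
KNOWN_ISSUES = {
    "Duplicator": ("fixed_in", "1.3.28"),
    "ThemeGrill Demo Importer": ("fixed_in", "1.6.3"),
    "Profile Builder": ("fixed_in", "3.1.1"),
    "Flexible Checkout Fields for WooCommerce": ("fixed_in", "2.3.3"),
    "Async JavaScript": ("fixed_in", "2.20.03.01"),
    "Modern Events Calendar Lite": ("vulnerable_through", "5.1.6"),
    "10Web Map Builder for Google Maps": ("fixed_in", "1.0.64"),
}

def version_key(version):
    """'2.20.03.01' -> (2, 20, 3, 1); a pre-release suffix such as '-beta1' is ignored."""
    core = re.match(r"\d+(?:\.\d+)*", version.strip())
    if core is None:
        raise ValueError(f"unparseable version: {version!r}")
    return tuple(int(p) for p in core.group(0).split("."))

def compare_versions(a, b):
    """Return -1, 0 or 1. Shorter tuples are zero-padded so that 1.6 == 1.6.0."""
    ka, kb = version_key(a), version_key(b)
    width = max(len(ka), len(kb))
    ka, kb = ka + (0,) * (width - len(ka)), kb + (0,) * (width - len(kb))
    return (ka > kb) - (ka < kb)

def is_vulnerable(title, installed):
    """True if the installed version lies in the range the article describes as exploited."""
    if title not in KNOWN_ISSUES:
        return False
    kind, boundary = KNOWN_ISSUES[title]
    return compare_versions(installed, boundary) < (0 if kind == "fixed_in" else 1)

def find_vulnerable(inventory_json):
    """inventory_json: JSON list of {title, version, status} objects (WP-CLI-style, assumed).
    Returns (title, version, status) for every plugin still inside a vulnerable range."""
    return [(p["title"], p["version"], p["status"])
            for p in json.loads(inventory_json) if is_vulnerable(p["title"], p["version"])]

# Constructed sample inventory, not output from any real site.
SAMPLE_INVENTORY = json.dumps([
    {"title": "Duplicator", "version": "1.3.26", "status": "active"},
    {"title": "Async JavaScript", "version": "2.20.03.01", "status": "active"},
    {"title": "Modern Events Calendar Lite", "version": "5.1.6", "status": "inactive"},
    {"title": "Profile Builder", "version": "3.1.1", "status": "active"},
    {"title": "Example Unrelated Plugin", "version": "4.1.3", "status": "active"},
])
```

Inactive plugins are reported too: their files stay on disk until they are updated or deleted, so deactivation alone is only a stopgap, as the note earlier in the article says.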
So, it’s never a bad time to do an analysis of your website’s security, whether you use WordPress or not. The web can be a dangerous place, so following best practices to safeguard your business’s data is never a bad idea.
How best to secure your website
- Make sure your site uses an SSL connection.
- Enforce strict strong-password policies for admins.
- Keep your software up-to-date.
- Procure a web hosting service that has security top-of-mind and forces customers to follow suit.
- Make sure you follow file and permission best practices.
Final Words
Vulnerabilities tend to pop up in many WordPress plugins, but most developers act fast and fix them promptly. From there on, the responsibility lies with you, the site owner, to update your plugin to the latest version immediately.
Thus, updating your site regularly will keep hackers out and ensure your site is secure.