Plugins are great and provide us with ways to add all kinds of functionality to our WordPress built websites.

But they are unfortunately not perfect. Those same plugins that provide so much benefit to us can also open the digital door of our websites to opportunistic hackers. That’s an invite we do not want to extend. 

So what can we do about it then? Well the first step is to stay informed. You can’t fix a problem you don’t know about.

That is why starting this month we will be posting a monthly report on the recently found vulnerabilities that exist in plugins. So read on to find out what vulnerable plugins could be putting your website at risk in January and take the first step in keeping your website safe. 

Contact Form Submissions Plugin

Summary of the vulnerability: Successful exploitation of this bug may allow authenticated attackers to steal sensitive user information like password hashes and in certain scenarios, lead to a complete compromise of your WordPress installation. 

Our recommendation: This plugin does not appear to be maintained anymore, the last update was 11 months ago and the developer is not active on the support forums. Therefore we recommend that the plugin is removed immediately and replaced with a similar more up to date plugin. 

Advanced Custom Fields Plugin

Summary of the vulnerability: Data from an attacker could be interpreted as code by site visitors’ web browsers. The ability to run code in another site visitors’ browser can be abused to steal information, or modify site configuration.

Our recommendation: Update the plugin to its latest version. 

Elementor Plugin

Summary of the vulnerability and patch (changelog): Data from an attacker could be interpreted as code by site visitors’ web browsers. The ability to run code in another site visitors’ browser can be abused to steal information, or modify site configuration. Additionally, SVG file uploads are enabled by default.

Our recommendation: Update the plugin to its latest version. 

Contact Form 7 Database Addon Plugin

Summary of the vulnerability: The plugin did not properly sanitise the form_ids from the contact_form POST array parameter before using them in a SQL statement in the process_bulk_action() function. This could allow high privilege users, such as admin to perform SQL Injection against the DBMS via the bulk actions: delete, read and unread.

Our recommendation: Update the plugin to its latest version. 

If you are comfortable making these changes then do so immediately. Or if you would like to know what options you have for us to do it for you, please let us know.