WordPress Website Security Weakened by Some Plugins



WordPress (WP) website security can be compromised by even the most useful plugins. In this post you will read about ten popular plugins with vulnerabilities. In a companion piece I wrote, I give tips on how to prevent plugins from being compromised, and what to do if you’ve been hacked. It is linked at the end of this post.

There is no denying that plugins significantly extend the functionality of WP websites. They boost the user experience and make it frictionless and intuitive. However, they are susceptible to exploitation. 

Since the WordPress core is rigorously vetted for vulnerabilities, cybercriminals focus on finding alternative entry points for their hacks. Plugins often turn out to be easy prey for crooks.  New bugs and website security loopholes are constantly surfacing in this ecosystem.

Common Security Flaws in WordPress Plugins

The following paragraphs list the recently discovered vulnerabilities in popular WP plugins that expose numerous websites to surreptitious exploitation. You can find any of these on the WordPress plugin site.

Page Builder 

Boasting over 1 million active installations, this plugin had two cross-site request forgery (CSRF) flaws that could be harnessed to add a new admin account and thereby pull off a website takeover. These bugs were discovered in early May 2020, and the publisher patched them in mere days. However, numerous webmasters have yet to update Page Builder and improve their WordPress website security.

Site Kit 

Created by Google, this plugin has more than 300,000 active installations. In April 2020, researchers found a bug that allowed attackers to access the Google Search Console of a website. This tampering could be used to affect the site’s search engine rankings. It caused indexing issues, injected malware, and stole SEO information. The vendor released a patched build (Site Kit 1.8.0) about two weeks after the report. Nonetheless, thousands of websites are still running insecure versions.

Popup Builder

While bridging the gap between site owners and effective online marketing through a variety of promo pop-ups, previous versions of this plugin could be mishandled by perpetrators. Analysts identified several flaws in Popup Builder in early March 2020. The first one (CVE-2020-10195) allowed a hacker to obtain information related to the plugin, such as the full list of the newsletter subscribers. The other vulnerability (CVE-2020-10196) was a potential source of malicious redirects via JavaScript code injection. The fix for both issues arrived shortly, but updating the plugin on all sites that run it takes time.

Duplicator, Profile Builder, and ThemeGrill Demo Importer 

Although these three plugins appear to be unrelated, they have one thing in common. Until recently, all of them had been susceptible to the same critical security weakness. It allowed an unauthenticated user to gain admin privileges, steal arbitrary files, redirect visitors to dodgy online resources, or even wipe a website’s database. What’s worse, there is evidence of two cybercriminal groups using this imperfection in real-world attacks.

ThemeREX Addons

In February 2020, white hats pinpointed an imperfection in this plugin that could be weaponized to add new WordPress administrator accounts and perpetrate remote code execution attacks. About a month later, the vendor issued a statement specifying the cause for this security risk. It instructed site owners to delete a vulnerable file named “~/plugin.rest-api.php.” This will not affect the plugin’s performance because the WordPress core supports the same functionality. It is unclear how many users of ThemeREX Addons have since followed this recommendation, though.

GDPR Cookie Consent

A serious cross-site scripting (XSS) flaw undermines website security when running older versions of this plugin, which is used on a huge number of WordPress websites (over 800,000). The vulnerability stems from the crude implementation of plugin access controls. It can fuel privilege escalation allowing felons to add, change, or delete any content in a snap. Covert injection of sketchy JavaScript code is another potential attack vector based on this bug. Updating GDPR Cookie Consent to the patched version (1.8.3), which was released on February 10, takes care of the issue.

WP Database Reset

More than 90,000 webmasters are using this plugin to reset their WordPress database tables to their initial state, if necessary. This experience might not be hassle-free in terms of security, though. In January 2020, researchers found that the plugin was exposed to bugs documented as CVE-2020-7047 and CVE-2020-7048. The former allows a hacker to execute a privilege escalation attack and remove all users from a vulnerable site. The latter is an even more dangerous WordPress website security threat because it can be exploited to reset the whole WordPress database to its original condition. The patches for both weaknesses have been available for quite some time, but they will not take effect on a specific site until the plugin is updated.

InfiniteWP Client

This plugin makes it easy to manage multiple WordPress sites in a centralized way, so it comes as no surprise that it has more than 300,000 installations. According to analysts’ findings published in mid-January 2020, a critical vulnerability in InfiniteWP Client could become a springboard for bypassing website authentication. The attacker only needs to know the admin’s username and leverage a peculiar Base64 encoded payload to sign in without the password. The latest build of this plugin is safe to use, but thousands of WordPress websites are still stuck with out-of-date buggy versions.
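A defender's check for the recurring problem in the list above (fixes exist, but sites still run old builds), added here as an example that is not part of the original post: it reads `wp plugin list --format=json` output, flags installs below the patched versions the article names, and looks for the file ThemeREX told owners to delete. The plugin slugs and the sample data are assumptions constructed for illustration.

```python
import json
import os
import re

# Patched versions as stated in the article. The slugs are assumptions
# (the article gives display names only); confirm them on your install.
PATCHED = {
    "google-site-kit": "1.8.0",   # Site Kit
    "cookie-law-info": "1.8.3",   # GDPR Cookie Consent
}
THEMEREX_FILE = "plugin.rest-api.php"  # file the vendor said to delete

def version_tuple(version):
    """'1.7.1' -> (1, 7, 1); a part with no leading digits counts as 0."""
    nums = (re.match(r"\d+", piece) for piece in version.split("."))
    return tuple(int(m.group()) if m else 0 for m in nums)

def is_older(installed, patched):
    """Compare dotted versions numerically, padding so 1.8 equals 1.8.0."""
    a, b = version_tuple(installed), version_tuple(patched)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def audit_versions(plugin_list_json):
    """Return (slug, installed, patched) for plugins below the patched build."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        patched = PATCHED.get(plugin.get("name"))
        installed = plugin.get("version", "0")
        if patched and is_older(installed, patched):
            findings.append((plugin["name"], installed, patched))
    return findings

def find_themerex_file(plugins_dir):
    """Return paths of any leftover copy of the file ThemeREX said to delete."""
    return sorted(os.path.join(root, name)
                  for root, _dirs, files in os.walk(plugins_dir)
                  for name in files if name == THEMEREX_FILE)

# Constructed sample of `wp plugin list --format=json` output.
SAMPLE = json.dumps([
    {"name": "google-site-kit", "status": "active", "update": "available", "version": "1.7.1"},
    {"name": "cookie-law-info", "status": "active", "update": "none", "version": "1.8.3"},
])

if __name__ == "__main__":
    for slug, have, need in audit_versions(SAMPLE):
        print(f"{slug}: {have} installed, patched build is {need}")
```

On a live site, feed `audit_versions` the real WP-CLI output and point `find_themerex_file` at the `wp-content/plugins` directory.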

If you know of other WordPress plugins that have vulnerabilities that threaten website security, please leave a comment below so we can continue to alert people.  

Want to know more about improving your WordPress website security? Read how to secure your plugins, and what to do if a WP plugin has been hacked. Read my companion piece, WordPress Plugins: Prevent and Recover from Hacks.

David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs Privacy-PC.com and MacSecurity.net projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.

