The United States Government Vulnerability Database and WordPress security researchers have published alerts about vulnerabilities in WordPress plugins. Among the affected plugins, nine of the most popular are installed on over 1.3 million websites.
Vulnerabilities in Nine WordPress Plugins
While there were many more plugins found vulnerable, the nine most popular plugins affected well over 1.3 million websites. The vulnerabilities were rated
The following are on the list of nine vulnerable plugins:
- Header Footer Code Manager (300,000+ installations)
- Ad Inserter – Ad Manager & AdSense Ads (200,000+ installations)
- Popup Builder WordPress plugin (200,000+ installations)
- Anti-Malware Security and Brute-Force Firewall (200,000+ installations)
- WP Content Copy Protection & No Right Click (100,000+ installations)
- Database Backup for WordPress (100,000+ installations)
- GiveWP – Donation Plugin and Fundraising Platform (100,000+ installations)
- Download Manager (100,000+ installations)
- Advanced Database Cleaner WordPress plugin (80,000+ installations)
Header Footer Code Manager WordPress Plugin
The Header Footer Code Manager WordPress Plugin was discovered by Wordfence security researchers to have a Reflected Cross-Site Scripting vulnerability.
Exploiting the vulnerability requires the attacker to trick an administrator into clicking a link or taking some other action; if that succeeds, the site is exposed to a full takeover.
The researchers noted that because this plugin is used to add code to websites, a sensitive area of a WordPress site, the possible malicious actions range from adding backdoors to attacking site visitors.
Publishers are recommended by Wordfence to update their installations to at least version 1.1.17.
Ad Inserter – Ad Manager & AdSense Ads (Free and Pro Versions)
The Ad Inserter – Ad Manager & AdSense Ads plugin was also reported, by WPScan, to have a Reflected Cross-Site Scripting vulnerability.
Publishers are advised to update to at least version 2.7.10.
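As an added illustration that is not part of this article or of either plugin, the following Python script checks the plugins installed under a site's wp-content/plugins directory against the minimum patched versions named above (1.1.17 for Header Footer Code Manager, 2.7.10 for Ad Inserter). It reads the same file-header fields WordPress itself uses; the "Plugin Name:" values used as lookup keys and the sample plugin files are assumptions constructed for the example.

```python
import re
import tempfile
from pathlib import Path

# Minimum patched versions stated in the advisories above (version strings from the article; the
# "Plugin Name:" header values used as keys are assumed to match the real plugins' headers).
MIN_SAFE_VERSIONS = {"Header Footer Code Manager": "1.1.17", "Ad Inserter": "2.7.10"}

# Constructed sample plugin main files (not copied from the real plugins): one outdated, one patched.
SAMPLE_PLUGINS = {
    "header-footer-code-manager/plugin.php": "<?php\n/*\nPlugin Name: Header Footer Code Manager\nVersion: 1.1.16\n*/\n",
    "ad-inserter/ad-inserter.php": "<?php\n/**\n * Plugin Name: Ad Inserter\n * Version: 2.7.10\n */\n",
}

HEADER_RE = re.compile(r"^[ \t*#]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.IGNORECASE | re.MULTILINE)

def parse_plugin_header(text: str) -> dict:
    """Read the file-header fields (Plugin Name:, Version:) that WordPress reads from the first 8 KB."""
    return {key.lower(): value for key, value in HEADER_RE.findall(text[:8192])}

def version_tuple(version: str) -> tuple:
    """'1.1.17' -> (1, 1, 17), so comparison is numeric: as strings, '1.1.9' would sort above '1.1.17'."""
    parts = []
    for piece in version.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)

def is_outdated(installed: str, minimum: str) -> bool:
    # True when the installed version is below the minimum patched version.
    return version_tuple(installed) < version_tuple(minimum)

def scan_plugins_dir(plugins_dir: Path) -> dict:
    """Map each listed plugin found under a wp-content/plugins directory to True if it needs updating."""
    findings = {}
    for php_file in plugins_dir.glob("*/*.php"):
        header = parse_plugin_header(php_file.read_text(errors="ignore"))
        name = header.get("plugin name")
        if name in MIN_SAFE_VERSIONS and "version" in header:
            findings[name] = is_outdated(header["version"], MIN_SAFE_VERSIONS[name])
    return findings

def demo() -> dict:
    """Write the constructed sample plugins into a temporary plugins directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        for relative_path, contents in SAMPLE_PLUGINS.items():
            target = Path(tmp) / relative_path
            target.parent.mkdir(parents=True)
            target.write_text(contents)
        return scan_plugins_dir(Path(tmp))
```

Point scan_plugins_dir at a real wp-content/plugins path to check a live install; demo() runs the same scan on the constructed sample.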