Critical Vulnerabilities in WordPress Plugins Expose Thousands of Websites to Security Risks

Ankit Agarwal

Head of Marketing

February 26, 2025 2 min read

WordPress is the most widely used content management system (CMS), making it a prime target for attackers. Recent vulnerabilities highlight the importance of staying updated on security issues surrounding this platform.

Vulnerable Plugin Exposes 150,000 Websites

Researchers have uncovered two critical vulnerabilities in the POST SMTP Mailer WordPress plugin. This plugin, installed on around 300,000 websites, is designed for email delivery but has significant security flaws that could allow attackers to take over websites. The first flaw, tracked as CVE-2023-6875, is a critical authorization bypass affecting versions 2.8.7 and earlier. It has a CVSS score of 9.8 and allows unauthenticated attackers to reset the mailer's API key and access sensitive logs, including password reset emails.

The second vulnerability, labeled CVE-2023-7027, is a cross-site scripting (XSS) flaw with a CVSS score of 7.2. It arises from insufficient input sanitization in the plugin's device header. Attackers can exploit this to inject scripts into pages, compromising user security.

Wordfence notified the vendor of these vulnerabilities, leading to the release of a patched version (2.8.8) on January 1, 2024. However, many users are still on vulnerable versions. It is critical for users to update immediately to prevent potential attacks.

LiteSpeed Cache Plugin Vulnerability

A serious vulnerability has also been identified in the LiteSpeed Cache plugin, affecting over six million active installations. Discovered by TaiYou through Patchstack's bug bounty program, this flaw allows unauthenticated attackers to inject malicious code. The vulnerability, tracked as CVE-2024-47374, lies in the CSS queue generation process: attackers can manipulate HTTP headers to inject harmful content that ends up in the WordPress admin panel. The exploit requires two settings in the LiteSpeed Cache plugin to be enabled: CSS Combine and Generate UCSS. In response, LiteSpeed has released version 6.5.1, which implements proper input sanitization. Users are strongly urged to update to this version to mitigate the risk.
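As an added example covering both plugins above (this is not code from the article or from either plugin's vendor), the check below reads the JSON output of `wp plugin list --format=json` and flags installations that are still below the patched versions the article names; the plugin slugs `post-smtp` and `litespeed-cache` are assumed, and the sample WP-CLI output is constructed.

```python
import json
import re
from typing import Dict, List, Tuple

# Patched versions as stated in the article. Slugs are the plugins' directory
# names as shown by WP-CLI (assumed here; check them against your own install).
FIXED_VERSIONS = {
    "post-smtp": ("2.8.8", "CVE-2023-6875 / CVE-2023-7027"),
    "litespeed-cache": ("6.5.1", "CVE-2024-47374"),
}

def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '2.8.10' into (2, 8, 10). Plain string comparison would rank
    '2.8.10' below '2.8.8' and report a patched site as vulnerable."""
    parts = re.findall(r"\d+", version)
    return tuple(int(p) for p in parts) if parts else (0,)

def is_older(installed: str, fixed: str) -> bool:
    """True when the installed version precedes the fixed one ('6.5' < '6.5.1')."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))

def find_vulnerable(plugin_list_json: str) -> List[Dict[str, str]]:
    """Flag tracked plugins below the fixed version in `wp plugin list --format=json`
    output. Inactive plugins are reported too: the code stays on disk until updated."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        slug = plugin.get("name", "")
        if slug not in FIXED_VERSIONS:
            continue
        fixed, cves = FIXED_VERSIONS[slug]
        installed = plugin.get("version", "0")
        if is_older(installed, fixed):
            findings.append({"plugin": slug, "installed": installed,
                             "fixed": fixed, "cves": cves,
                             "status": plugin.get("status", "unknown")})
    return findings

# Constructed sample of WP-CLI output: one site with both plugins out of date.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "post-smtp", "status": "active", "update": "available", "version": "2.8.7"},
    {"name": "litespeed-cache", "status": "inactive", "update": "available", "version": "6.5"},
    {"name": "akismet", "status": "active", "update": "none", "version": "5.3"},
])

if __name__ == "__main__":
    for f in find_vulnerable(SAMPLE_PLUGIN_LIST):
        print(f"{f['plugin']} {f['installed']} < {f['fixed']} ({f['status']}): {f['cves']}")
```

On a real site, pipe `wp plugin list --format=json` into `find_vulnerable` instead of the constructed sample; for LiteSpeed Cache, also confirm whether CSS Combine and Generate UCSS are enabled, since the article notes the exploit depends on both.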

Importance of Cybersecurity Monitoring

With the ongoing threats to WordPress security, organizations must prioritize cybersecurity monitoring. Solutions like GrackerAI empower marketing teams to stay informed about emerging threats and trends. By automating insight generation from the latest security news, GrackerAI helps teams create timely and relevant content for their audience. Explore how GrackerAI can transform your approach to cybersecurity marketing and keep your organization ahead of potential vulnerabilities. Visit GrackerAI for more information.


Ankit Agarwal is a growth and content strategy professional specializing in SEO-driven and AI-discoverable content for B2B SaaS and cybersecurity companies. He focuses on building editorial and programmatic content systems that help brands rank for high-intent search queries and appear in AI-generated answers. At Gracker, his work combines SEO fundamentals with AEO, GEO, and AI visibility principles to support long-term authority, trust, and organic growth in technical markets.
