4 Critical WordPress Plugin Vulnerabilities to Fix Right Now (Jan 2025)

Imagine waking up to find your WordPress site hacked or your data compromised. More than a little frustrating, right? Security threats are on the rise, and outdated or vulnerable WordPress plugins are a major weak point.

Staying on top of these issues is crucial in keeping your website and visitors safe. Especially since most vulnerabilities have simple fixes that are easy to apply.

In this article, we’ll highlight four major plugin vulnerabilities that could put your site at risk and show you exactly what you need to do to fix them today.

1. W3 Total Cache (Version 2.8.1)

Authenticated subscriber missing authorization for server-side request forgery

W3 Total Cache, a performance optimization plugin, was found to have a vulnerability that permits authenticated subscribers to conduct server-side request forgery (SSRF) attacks. This vulnerability allows an attacker to manipulate server-side requests, potentially exposing sensitive server resources.

Vulnerability: CVE-2024-12365
Vendor: boldgrid

What could happen

Attackers can exploit this flaw to:

  • Gain unauthorized access to internal server endpoints.
  • Steal sensitive data or compromise your site.

What to do

  • Upgrade promptly: Update to the latest version of the plugin.
  • Restrict subscriber permissions: Avoid granting unnecessary capabilities to subscribers.
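As an added illustration (constructed example code, not W3 Total Cache's own), here is the pattern behind an "authenticated subscriber missing authorization SSRF": a wp_ajax handler that any logged-in user can call and that fetches a caller-chosen URL, shown beside a hardened version. The action name, nonce name and allowed host are placeholders.

```php
<?php
// Hypothetical AJAX endpoint (constructed example, not the plugin's code).
// Two defects make this the bug class described above: every logged-in user,
// Subscribers included, can invoke a wp_ajax_* action, and the server fetches
// whatever URL the caller supplies.

// BEFORE: vulnerable pattern (shown for contrast; not registered below)
function example_fetch_url_vulnerable() {
    $url      = isset( $_POST['url'] ) ? $_POST['url'] : '';
    $response = wp_remote_get( $url );          // will reach loopback/private hosts
    wp_send_json( array( 'body' => wp_remote_retrieve_body( $response ) ) );
}

// AFTER: hardened pattern
function example_fetch_url_hardened() {
    // 1. Authorization: Subscribers must not reach this code at all.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );        // exits
    }
    // 2. CSRF protection for the AJAX action.
    check_ajax_referer( 'example_fetch_url', 'nonce' );

    $url = isset( $_POST['url'] ) ? esc_url_raw( wp_unslash( $_POST['url'] ) ) : '';

    // 3. Allow-list scheme and destination host instead of trusting the caller.
    $allowed_hosts = array( 'api.example.com' );       // constructed placeholder
    $scheme = wp_parse_url( $url, PHP_URL_SCHEME );
    $host   = wp_parse_url( $url, PHP_URL_HOST );
    if ( 'https' !== $scheme || ! in_array( $host, $allowed_hosts, true ) ) {
        wp_send_json_error( 'destination not allowed', 400 );
    }

    // 4. wp_safe_remote_get() runs wp_http_validate_url(), which rejects
    //    loopback and private-range addresses and non-standard ports unless a
    //    filter explicitly allows them. Disable redirects so a permitted host
    //    cannot bounce the request somewhere else.
    $response = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
    if ( is_wp_error( $response ) ) {
        wp_send_json_error( $response->get_error_message(), 502 );
    }
    wp_send_json_success( array( 'status' => wp_remote_retrieve_response_code( $response ) ) );
}
add_action( 'wp_ajax_example_fetch_url', 'example_fetch_url_hardened' );
```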

2. GiveWP Donation Plugin and Fundraising Platform (Version 3.19.2)

Unauthenticated PHP object injection

The GiveWP plugin, a popular choice for nonprofits and organizations accepting online donations, was recently found to contain a critical unauthenticated PHP object injection vulnerability. This flaw allows attackers to execute arbitrary PHP code or manipulate application behavior remotely.

Vulnerability: CVE-2024-12877
Vendor: webdevmattcrom

What could happen

This security flaw can allow attackers to:

  • Gain unauthorized access to sensitive application data.
  • Take full control of your website.

What to do

  • Update immediately: Ensure your plugin is updated to the latest patched version.
  • Monitor website logs: Look for any unusual activity that might indicate attempted exploitation.
  • Implement a Web Application Firewall (WAF): Services like Wordfence can help block malicious requests targeting this vulnerability.
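To show what "unauthenticated PHP object injection" means in code, here is an added example (constructed, not GiveWP's code): a form-state handler that calls unserialize() on request data, beside a hardened version that uses a data-only format, plus a signed, class-free fallback for code that must keep unserialize(). Function names and the hmac.payload format are assumptions.

```php
<?php
// Hypothetical donation-form state handler (constructed example, not GiveWP's).
// PHP object injection occurs when attacker-controlled bytes reach
// unserialize(): the string can instantiate any class that is loaded, and that
// class's magic methods (__wakeup, __destruct, ...) then run with
// attacker-chosen property values.

// BEFORE: vulnerable pattern
function example_read_form_state_vulnerable() {
    // The value came from our own page once, but the browser is not trusted.
    return unserialize( $_POST['state'] );
}

// AFTER: hardened pattern
function example_read_form_state_hardened() {
    // 1. Use a data-only format for anything that round-trips through the
    //    client. json_decode() cannot instantiate application classes.
    $raw   = isset( $_POST['state'] ) ? wp_unslash( $_POST['state'] ) : '';
    $state = json_decode( $raw, true );
    if ( ! is_array( $state ) ) {
        return array();
    }
    // 2. Validate the shape you expect instead of trusting the structure.
    return array(
        'amount'   => isset( $state['amount'] ) ? floatval( $state['amount'] ) : 0.0,
        'currency' => isset( $state['currency'] ) ? sanitize_key( $state['currency'] ) : 'usd',
    );
}

// If a legacy path really must unserialize(), refuse object creation
// (PHP >= 7.0) and authenticate the blob so tampering is detected.
// Expected format: "<hex hmac-sha256>.<serialized payload>".
function example_unserialize_safely( $blob, $secret ) {
    $parts = explode( '.', $blob, 2 );
    if ( 2 !== count( $parts ) ) {
        return false;
    }
    list( $mac, $payload ) = $parts;
    $expected = hash_hmac( 'sha256', $payload, $secret );
    if ( ! hash_equals( $expected, $mac ) ) {          // constant-time compare
        return false;
    }
    // allowed_classes => false turns any object in the payload into
    // __PHP_Incomplete_Class, so no application magic method can fire.
    return unserialize( $payload, array( 'allowed_classes' => false ) );
}
```

Pass a server-side secret such as wp_salt( 'auth' ) for $secret; the code that produces the blob must sign it with the same key and format.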

3. Page Builder by SiteOrigin (Version 2.3.10)

Authenticated contributor stored cross-site scripting

SiteOrigin’s Page Builder plugin, utilized by many for crafting dynamic page layouts, was found to have an authenticated contributor stored cross-site scripting (XSS) vulnerability. This issue arises from improper sanitization of the Row Label parameter, enabling attackers with contributor-level access to inject malicious scripts.

Vulnerability: CVE-2024-12240
Vendor: gpriday

What could happen

This vulnerability can allow attackers to:

  • Execute malicious scripts in the administrator's browser, leading to session hijacking or redirection to phishing sites.

What to do

  • Apply plugin updates: Ensure the plugin is updated to a version that resolves this vulnerability.
  • Restrict user roles: Limit the use of the Contributor role to trusted individuals.
  • Use security plugins: Employ tools to scan for and prevent XSS attacks.
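As an added example (constructed, not SiteOrigin's code), this is the shape of an "authenticated contributor stored XSS" on a field like the Row Label: a save handler that stores the raw parameter and a renderer that echoes it unescaped, beside the hardened pair. Meta key, nonce name and function names are assumptions.

```php
<?php
// Hypothetical page-builder "Row Label" handler (constructed example, not
// SiteOrigin's code). Stored XSS of this class arises when a label typed by a
// Contributor is saved and later printed without sanitization or escaping, so
// it runs as script in the Administrator's browser when the post is opened.

// BEFORE: vulnerable pattern
function example_save_row_label_vulnerable( $post_id ) {
    update_post_meta( $post_id, '_example_row_label', $_POST['row_label'] ); // raw
}
function example_render_row_label_vulnerable( $post_id ) {
    $label = get_post_meta( $post_id, '_example_row_label', true );
    echo '<span class="row-label">' . $label . '</span>';   // unescaped output
}

// AFTER: hardened pattern
function example_save_row_label_hardened( $post_id ) {
    // Contributors legitimately edit their own drafts, so a capability check
    // alone does not stop this bug: the stored value must be made inert.
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    check_admin_referer( 'example_row_label', 'example_row_label_nonce' );
    $label = isset( $_POST['row_label'] ) ? wp_unslash( $_POST['row_label'] ) : '';
    // Post meta is not KSES-filtered on save the way post_content is, so
    // sanitize here: sanitize_text_field() strips tags, null bytes and
    // invalid UTF-8 from what is meant to be a plain string.
    $label = sanitize_text_field( $label );
    update_post_meta( $post_id, '_example_row_label', $label );
}
function example_render_row_label_hardened( $post_id ) {
    $label = get_post_meta( $post_id, '_example_row_label', true );
    // Escape at output for the context it lands in; never assume the stored
    // value is clean, because another code path may have written it.
    echo '<span class="row-label">' . esc_html( $label ) . '</span>';
}
// For attribute context use esc_attr(), and when passing the label to
// JavaScript prefer wp_json_encode() over string concatenation.
```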

4. WPBookIt (Version 1.6.4)

Unauthenticated arbitrary user password change

WPBookIt, a plugin used for online booking systems, contains a critical flaw enabling unauthenticated arbitrary user password changes. This vulnerability allows an attacker to reset passwords for any user, including administrators.

Vulnerability: CVE-2024-10215
Vendor: Iqonic Design

What could happen

Hackers would be able to:

  • Take over your site by resetting an administrator's password.
  • Deny service for legitimate users.

What to do

  • Update immediately: Use the latest secure version of WPBookIt.
  • Audit user accounts: Regularly review and validate admin user access.
  • Two-factor authentication (2FA): Enable 2FA for administrator accounts to enhance login security.
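To make "unauthenticated arbitrary user password change" concrete, here is an added example (constructed, not WPBookIt's code): a password endpoint exposed on the no-login AJAX hook that trusts a user id from the request, beside a hardened version that authenticates the caller, authorizes the target account and re-checks the current password. Action and parameter names are assumptions.

```php
<?php
// Hypothetical booking-plugin password endpoint (constructed example, not
// WPBookIt's code). The bug class here: a handler that takes a user id from
// the request and checks neither who is calling nor whether they may change it.

// BEFORE: vulnerable pattern, reachable without a login via wp_ajax_nopriv_*
function example_change_password_vulnerable() {
    $user_id = intval( $_POST['user_id'] );
    wp_set_password( $_POST['new_password'], $user_id );   // anyone resets anyone
    wp_send_json_success();
}

// AFTER: hardened pattern (registered on wp_ajax_* only, never nopriv)
function example_change_password_hardened() {
    // 1. Authentication and CSRF protection.
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );       // exits
    }
    check_ajax_referer( 'example_change_password', 'nonce' );
    // 2. Authorization: subject defaults to the caller; touching another
    //    account needs the edit_user meta capability, as core's profile screen does.
    $me        = get_current_user_id();
    $target_id = isset( $_POST['user_id'] ) ? absint( $_POST['user_id'] ) : $me;
    if ( $target_id !== $me && ! current_user_can( 'edit_user', $target_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // 3. Re-authenticate with the current password before accepting a new one.
    $user    = wp_get_current_user();
    $current = isset( $_POST['current_password'] ) ? $_POST['current_password'] : '';
    if ( ! wp_check_password( $current, $user->user_pass, $user->ID ) ) {
        wp_send_json_error( 'current password incorrect', 403 );
    }
    $new = isset( $_POST['new_password'] ) ? $_POST['new_password'] : '';
    if ( strlen( $new ) < 12 ) {
        wp_send_json_error( 'password too short', 400 );
    }
    wp_set_password( $new, $target_id );
    // 4. Auth cookies embed a fragment of the stored hash, so the change voids
    //    existing cookies; re-issue one when the caller changed their own account.
    if ( $target_id === $me ) {
        wp_set_auth_cookie( $target_id, true );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_example_change_password', 'example_change_password_hardened' );
```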

General best practices for plugin security

To protect your website from these and future vulnerabilities:

  1. Keep plugins updated: Always use the latest versions of plugins, as developers frequently release patches for identified vulnerabilities.
  2. Remove unused plugins: Deactivate and delete plugins you no longer use to reduce your attack surface.
  3. Conduct regular security audits: Use tools like Wordfence or Sucuri to scan your website for vulnerabilities.
  4. Backup your website: Maintain regular backups to ensure quick recovery in case of an attack.
  5. Educate your team: Train users with admin or contributor access to recognize and avoid potential security risks.

Final thoughts

WordPress is a flexible, expansive, and powerful platform, but that flexibility also means vigilance is required to maintain security. By staying informed about vulnerabilities like those in GiveWP, SiteOrigin’s Page Builder, W3 Total Cache, and WPBookIt, you can take proactive steps to protect your website and its users. Remember, timely updates and robust security measures are your best defenses against potential threats.

You can also rely on WHC’s Pro Services to handle the legwork in keeping your site in the best shape possible, leaving you to focus on running your business.

About the author: Daniel Bedard

As WHC’s Content Writer, Dan spends much of his time click-clacking on his keyboard. Outside of work, he performs music and comedy, often pondering the crushing weight of existence.
