Attackers are constantly looking for new and sophisticated ways to exploit the WordPress ecosystem, including WP plugins. So you need to keep checking the current security status of every plugin you use to make sure it is still safe. Reputable plugin authors act on such vulnerabilities promptly and release security patches, although a patch can take some time to arrive. Here is a list of plugins that were found to have security vulnerabilities, and their present status:
Duplicator
Duplicator, a popular plugin that lets users export site content through a simple and intuitive process, was found to be affected by a bug.
This bug allowed unauthorized parties, such as attackers, to export site content as well as database credentials.
The bug was later patched in Duplicator version 1.3.28.
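The Duplicator issue above is an instance of a privileged action (a site export that bundles credentials) being reachable without authorization. The following is an added example, not Duplicator's own code: a hypothetical "example_backup" plugin whose export handler is shown first in the weak form and then hardened with a nonce, a capability check and a least-privilege archive. It assumes it runs inside WordPress; the `add_action`, `check_ajax_referer`, `current_user_can` and `wp_send_json_*` calls are WordPress core, while every `example_backup_*` name is made up for this illustration.

```php
<?php
/**
 * Added example, not Duplicator's code. Assumes it runs inside WordPress.
 * Hypothetical "example_backup" plugin exposing a site/database export.
 * Weak and hardened variants are shown side by side for contrast; a real
 * plugin keeps only the hardened one.
 */

// --- Weak pattern: the export action is registered on the "nopriv" hook,
// --- so it is reachable without a login, and it performs no capability or
// --- nonce check. Anyone who can reach admin-ajax.php can trigger it.
add_action( 'wp_ajax_nopriv_example_backup_export_weak', 'example_backup_export_weak' );
add_action( 'wp_ajax_example_backup_export_weak', 'example_backup_export_weak' );

function example_backup_export_weak() {
    // Builds an archive that includes wp-config.php (database credentials).
    $archive = example_backup_build_archive( array( 'include_config' => true ) );
    wp_send_json_success( array( 'download' => $archive ) );
}

// --- Hardened pattern: logged-in users only (no nopriv hook), the caller
// --- must be an administrator, must present a valid nonce, and the
// --- configuration file with credentials is never bundled.
add_action( 'wp_ajax_example_backup_export', 'example_backup_export_hardened' );

function example_backup_export_hardened() {
    // Nonce tied to this specific action; dies with 403 when it is missing/invalid.
    check_ajax_referer( 'example_backup_export', 'nonce' );

    // Authorization: only users who can manage the site may export it.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // Least privilege for the artifact itself: never ship credentials.
    $archive = example_backup_build_archive( array( 'include_config' => false ) );
    wp_send_json_success( array( 'download' => $archive ) );
}

// Hypothetical helper standing in for the real export routine; it only
// returns an unpredictable archive name under the uploads directory.
function example_backup_build_archive( array $opts ) {
    $name = 'example-backup-' . wp_generate_password( 12, false ) . '.zip';
    return '/wp-content/uploads/' . $name;
}
```

The important difference is not the archive format but who can ask for it: the hardened handler is invisible to anonymous visitors, refuses non-administrators, and requires a per-action nonce so a logged-in administrator cannot be tricked into triggering the export from another site.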
Profile Builder
Profile Builder is a relatively less known yet fairly good WP plugin with above-average capability.
It was found to be affected by a bug that allowed the registration of unauthorized admin accounts. Attackers and other malicious parties could use this loophole to take advantage of the site in many ways.
Taking timely action, the plugin's developers patched this bug last month, on 10th February.
ThemeREX
With the help of a zero-day exploit in the ThemeREX Addons plugin, attackers were able to register fake admin accounts and misuse the admin rights to achieve their malicious objectives. It is worth mentioning that ThemeREX Addons is bundled with every commercial ThemeREX theme.
As of the latest information, the bug is yet to be patched.
To prevent your site from falling victim to this bug, it is highly recommended to remove the plugin outright.
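Both the Profile Builder and the ThemeREX Addons issues above come down to a registration path that lets the requester decide which role the new account gets. The following is an added example, not the code of either plugin: a hypothetical "example_reg" front-end registration handler, first in the weak form that trusts a submitted role, then hardened with an explicit allowlist of self-service roles plus nonce and input validation. It assumes it runs inside WordPress; `wp_create_user`, `WP_User`, `sanitize_key`, `sanitize_user`, `sanitize_email`, `is_email`, `wp_verify_nonce` and `get_option` are WordPress core, and every `example_reg_*` name is made up for this illustration.

```php
<?php
/**
 * Added example, not Profile Builder's or ThemeREX's code. Assumes it runs
 * inside WordPress. Hypothetical "example_reg" front-end registration form;
 * $request is the submitted form data (for example wp_unslash( $_POST )).
 */

// --- Weak pattern: the role comes straight from the request, so a
// --- submitted role=administrator yields an administrator account.
function example_reg_create_user_weak( array $request ) {
    $user_id = wp_create_user( $request['user_login'], $request['user_pass'], $request['user_email'] );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }
    $user = new WP_User( $user_id );
    $user->set_role( $request['role'] ); // untrusted input decides privileges
    return $user_id;
}

// --- Hardened pattern: the roles a visitor may pick for themselves are an
// --- explicit allowlist; anything else falls back to the site default.
// --- Privileged roles are never assignable through the public form.
const EXAMPLE_REG_SELF_SERVICE_ROLES = array( 'subscriber', 'contributor' );

function example_reg_resolve_role( $requested ) {
    // sanitize_key() lowercases and strips everything but [a-z0-9_-].
    $requested = sanitize_key( (string) $requested );
    if ( in_array( $requested, EXAMPLE_REG_SELF_SERVICE_ROLES, true ) ) {
        return $requested;
    }
    return get_option( 'default_role', 'subscriber' );
}

function example_reg_create_user_hardened( array $request ) {
    // Registration must be enabled site-wide and the form nonce must match.
    if ( ! get_option( 'users_can_register' ) ) {
        return new WP_Error( 'closed', 'Registration is disabled.' );
    }
    if ( ! wp_verify_nonce( $request['_wpnonce'] ?? '', 'example_reg_submit' ) ) {
        return new WP_Error( 'nonce', 'Invalid form token.' );
    }

    // Validate identity fields before touching the users table.
    $login = sanitize_user( $request['user_login'] ?? '', true );
    $email = sanitize_email( $request['user_email'] ?? '' );
    if ( '' === $login || ! is_email( $email ) ) {
        return new WP_Error( 'input', 'Invalid username or e-mail.' );
    }

    $user_id = wp_create_user( $login, $request['user_pass'] ?? '', $email );
    if ( is_wp_error( $user_id ) ) {
        return $user_id;
    }

    // The role is resolved server-side from the allowlist, never copied
    // from the request.
    $user = new WP_User( $user_id );
    $user->set_role( example_reg_resolve_role( $request['role'] ?? '' ) );
    return $user_id;
}
```

The allowlist is deliberately a constant in code rather than an option an administrator can widen from the dashboard, so that a compromised or misconfigured setting cannot quietly make `administrator` self-assignable. Detection-wise, a new user whose role is not in the allowlist, or any registration that occurs while `users_can_register` is off, is worth alerting on.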
10Web Map Builder for Google Maps
Because it did not properly sanitize user-supplied data, 10Web Map Builder for Google Maps contained a bug that allowed the injection and execution of arbitrary HTML and script code in the browser (cross-site scripting).
In terms of site damage, it enabled data theft, unauthorized modification of page content, drive-by downloads, and phishing attacks.
The vulnerability has been patched, and readers are advised to update to the latest version.
Modern Events Calendar Lite
Modern Events Calendar Lite, an event management plugin for WP sites, was found to contain a bug that allowed attackers to inject XSS code, which in turn could be used to create fake admin accounts.
The attackers were also able to affect site visitors by exploiting the front page.
The issue has been patched, and readers still running the outdated plugin are advised to update to the latest version.
Conclusion
WordPress plugins are always on the radar of attackers, who keep finding new and sophisticated ways to uncover loopholes and exploit them to compromise the sites that use those plugins. In this blog post, we listed some vulnerable WP plugins that had security issues in 2020 and their present status. Readers are advised to uninstall any plugin with an unresolved security issue. For plugins that have received a security patch, make sure you are running the latest, updated version.