Worried about how vulnerable WordPress plugins are endangering your website?
We wish we could tell you not to worry but the truth is using vulnerable plugins are the biggest reason why WordPress websites are hacked. In fact, vulnerable plugins cause 55.9% of the attacks made on WordPress sites.
So do you stop using plugins altogether? In website development, it’s hard to build and run a WordPress site without plugins as they add functionality and more features to your site.
Fortunately, there is a way to use plugins and keep your site safe. When developers of plugins discover a vulnerability in their software, they fix it and release an updated version immediately. Once you update the plugin on your site, it is safe to use on your site. However, millions of WordPress users delay updates which leaves their sites vulnerable to hackers.
If your site gets hacked, hackers can use it to run all sorts of malicious activities such as stealing sensitive data, running unwanted ads, and defacing your website. A hack can have devastating consequences on your business and result in a loss of visitors, customers, and revenue.
This is why learning about vulnerable plugins and their security issues are so important. In this article, we’ll show you some of the most vulnerable WordPress plugins that WordPress website owners use.
TL;DR – To keep your site secure against WordPress plugin vulnerabilities, it’s imperative that you update them as soon as new versions are available. Use our MalCare security plugin to keep a track of updates from a centralized dashboard. You can implement bulk updates on your WordPress site which makes managing updates a whole lot easier.
How Can A WordPress Plugin Become Vulnerable?
It’s important to know that third-party developers create WordPress plugins, not the WordPress team of developers. Most plugins are available in the WordPress repository, however, you can also find plugins in popular marketplaces like CodeCanyon or on the plugin’s website.
There are over 50,000 WordPress plugins in existence and there are more created every day. Developers manage and maintain their plugins well to ensure they are secure, especially premium ones.
These plugins adhere to certain guidelines which ensures it is safe and secure for users. However, developers continue to enhance their products and sometimes face time crunches to release new features. In some cases, during plugin development, you can overlook some security flaws which leaves the product vulnerable.
Once hackers find a vulnerability, they can exploit it to carry out many hacks, some of which include:
Hack attacks like these will severely slow down your site, bringing down your SEO ranks. They also jeopardize your business, your revenue, and your reputation as well.
As vulnerable plugins are the biggest root cause of most website hackers, it’s important to know which plugins are most vulnerable and what fixes are available.
Note: If you are using any of this plugin on your WordPress site, we strongly advise you to update to the latest version available immediately to avert any hack attacks.
8 Vulnerable WordPress Plugins That Were Most Recently Attacked
Many popular WordPress plugins were attacked in the past like NextGen Gallery, Yoast SEO, and Ninja Forms. Here, we focus on the list of vulnerable WordPress plugins that were most recently exploited by hackers.
1. Duplicator – WordPress Migration Plugin
The Duplicator plugin is primarily a migration plugin also used for WordPress backups. Users can create a backup of their WordPress site and then download a copy of it. They can also clone or migrate their sites to a different domain or host. It is quite a popular plugin with over 1 million active installs.
Recently, the plugin developed a vulnerability known as an arbitrary file download. This vulnerability allowed attackers to export the contents of a WordPress site that had the plugin installed. Hackers could also download confidential files and steal database credentials. This allowed them to break into the site, take control of it, and further their attack.
The developers detected the vulnerability and were quick to release a critical WordPress security update in Duplicator version 1.3.28 and Duplicator Pro Version 3.8.71 in February 2020.
Website security experts say that more than 500,000 users are using the vulnerable version of the plugin and have yet to update to the new version.
2. ThemeGrill Demo Importer
ThemeGrill offers free and premium responsive themes that enable you to build a professional-looking site.
The ThemeGrill Demo Importer plugin enables WordPress users to import official themes from ThemeGrill directly onto their WordPress dashboard. Users can also import content, widgets, and theme settings. This plugin has over 200,000 active installs.
However, a vulnerability in this plugin enables hackers to take control of the admin account. Hackers could lock you out of your own website and even wipe out your site completely.
The developers at ThemeGrill promptly released a patch in version 1.6.3 in February 2020.
3. Profile Builder Plugin
Profile Builder enables you to give your customers the option to create an account on your website. You can build front-end user logins and registration forms on your site. It also has profile forms for your customers to personalize their accounts.
The plugin has three variants – Free, Pro, and Hobbyist. The Pro and Hobbyist versions are both premium versions. Pro allows you to use the plugin on unlimited WordPress websites while Hobbyist gives you a license to use it on a single site.
The free WordPress version of the plugin has over 50,000 active installs while it’s Pro and Hobbyist versions collectively have about 15,000 installations.
In February 2020, a critical vulnerability was discovered that affected all variants of the plugin. A bug in the plugin made it possible for a hacker to register unauthorized admin accounts on WordPress sites. This allowed a hacker to create a rogue admin account and take complete control of the site.
This vulnerability affects all versions of the plugin up to and including 3.1.0. A security patch was released in version 3.1.1.
4. Flexible Checkout Fields For WooCommerce
This add-on plugin for WooCommerce enables users to customize their checkout fields. This means users can edit default fields on the checkout page and add their own labels instead. The plugin has over 20,000 active installations.
The Flexible Checkout Fields plugin is well-maintained and regularly updated by its developers.
The plugin has a vulnerability that hackers started to actively exploit. The vulnerability allowed hackers to inject malicious code into WordPress sites. This enabled them to carry out all sorts of activities such as creating rogue WP admin accounts, stealing data, and locking the admin user out of their own website.
The developers quickly released a security patch in version 2.3.2 and 2.3.3 on 25 February 2020. Since then, the plugin has been updated multiple times. We strongly advise updating to the latest version available.
5. ThemeREX Addons
The ThemeREX Addons plugin is designed to be a companion plugin to a variety of themes created by ThemeREX. This addon has several features and widgets that extend the functionality of their themes. The plugin is installed on around 44,000 WordPress sites.
Hackers found a vulnerability in the plugin and started attacking websites with this plugin. Here too, hackers could exploit a weakness in the plugin to create new admin user accounts.
ThemeREX released an update promptly but updating ThemeREX Addons is a bit more complex. As the plugin isn’t available in the WordPress repository, you will not see an update available for the plugin on your WordPress dashboard. You need to subscribe to the ThemeREX newsletter to receive information about updates to any of its plugins and themes.
Plus, the ThemeREX Addon plugin is bundled in with a number of themes. Many site owners may have installed a theme from the ThemeREX theme and may not be aware that this plugin was automatically installed on their site as part of the package.
If you are using any ThemeREX theme, we strongly recommend you update it to the latest version. You can update the plugin from your ThemeREX account. In case you are unable to do so, you might need to install the ThemeREX updater plugin. Contact ThemeREX for more information on updating this plugin.
A vulnerability in the plugin allowed hackers to remotely execute an attack. Recommended read: Cross-site scripting (XSS) attacks. This opened up the possibility of hackers stealing sensitive information, changing the appearance of the victim’s site, and tricking the site’s visitors into downloading malware or disclosing personal data.
The developers fixed all issues present and also took additional security measures to secure the plugin. The most secure version available at the time of writing this article is version 2.20.03.01.
In many cases, WordPress developers install this plugin while creating the website but their clients may not be aware of the plugin’s existence on their site. But luckily, this plugin is available in the WordPress repository, and update notifications appear on the WordPress dashboard.
7. Modern Events Calendar Lite
This events calendar plugin makes managing events on WordPress websites easy! It has a responsive and mobile-friendly interface that allows site owners to easily display well-designed events calendars on their site. Modern Events Calendar Lite is free to use and has over 40,000 active installations.
In February 2020, the plugin experienced a vulnerability that allowed hackers to inject malware into the WordPress site to run further attacks like altering the appearance of the site and stealing sensitive data.
All versions of the plugin up to 5.1.6 were vulnerable. The developers released a patch immediately and have since updated the plugin many times.
If you are using this plugin, we strongly recommend updating to the latest version as soon as possible.
8. 10Web Map Builder for Google Maps
The 10Web Map Builder for Google Maps plugin offers WordPress users an easy way to add maps to their WordPress websites. It offers powerful features and customizations that make it quite popular with over 20,000 active installations.
Recently, a vulnerability appeared in the plugin’s setup process. It allowed hackers to inject malicious scripts into a WordPress site. They can use the scripts to attack admins as well as site visitors.
The developers released an updated version 1.0.64 in February. If you have this plugin installed on your site, once you update to the latest version, the injection vulnerability will be patched.
If your website was hacked due to a vulnerability in a plugin, we recommend reading our guide on how to clean a hacked WordPress site.
That brings us to an end on the most recently attacked plugins. This list is not exhaustive. In our experience working with WordPress for over a decade, plugins tend to develop WordPress security vulnerabilities from time to time. The best way to mitigate attacks on your site due to vulnerable plugins is to update them as soon as a new version is available! Remember to update your WordPress core installation and WordPress themes as well.
If you liked this article, you would like reading more about vulnerabilities on your WordPress site. We discuss more about website security risks such as cross-site scripting, SQL injections, privilege escalation flaws, request forgeries, arbitrary file uploads, viewing of it, and more.
Vulnerabilities tend to pop up in many WordPress plugins but most developers also act fast and fix them promptly. From there on, the responsibility lies with you, the site owner, to update your plugin to the latest version immediately.
Thus, updating your site regularly will keep hackers out and ensure your site is secure. But we understand that updates aren’t always easy to keep track of and can become difficult to manage. We strongly recommend reading our Guide on How To Safely Update Your WordPress Site.
At MalCare, we understand the difficulties you may face with updates especially if you run multiple WordPress sites. Therefore, to make things easier, our plugin MalCare gives you access to a centralized dashboard to manage all updates together. Plus, the WordPress security plugin will protect your site from hack attempts.
Try Our MalCare Security Plugin Now!