WordPress Security Vulnerabilities in 2024
In 2024, several critical vulnerabilities have been identified in WordPress, affecting both plugins and the core software. Here's a concise overview of some significant issues, along with their mitigation strategies:
- Unauthenticated SQL Injection in LayerSlider: This critical vulnerability (CVE-2024-2879) affects over a million sites and allows attackers to execute SQL commands without authentication, potentially leading to data breaches. Users should update to version 7.10.1 of LayerSlider to address this flaw (BleepingComputer).
- Stored Cross-Site Scripting (XSS) in Multiple Plugins: Plugins such as WP Chat App, Prime Slider, and Sassy Social Share were found to have stored XSS vulnerabilities that could allow attackers to inject malicious scripts into pages served to other users. These have been patched in recent updates, so updating these plugins to their latest versions is crucial (Sucuri Blog).
- Remote Code Execution in WordPress Core: A potential remote code execution (RCE) vulnerability was patched in the WordPress 6.4.2 update. This was a critical security patch that prevents certain types of PHP object injection that could lead to RCE (SolidWP).
- Sensitive Data Exposure and SSRF in Plugins: Plugins such as Nginx Helper and Contact Form 7 Extension For Mailchimp have vulnerabilities leading to sensitive data exposure and server-side request forgery (SSRF). These vulnerabilities have not been patched, and it is recommended to deactivate these plugins until fixes are available (SolidWP).
- Outdated Themes and Plugins: Outdated themes and plugins continue to be a major security risk; approximately 97% of vulnerabilities are found in plugins and themes. Ensuring these components are regularly updated, or using tools to automate updates, can significantly reduce exposure (HubSpot Blog).
- Abandoned Plugins: A significant number of plugins and themes are no longer maintained by their developers, leading to what has been called the "zombie plugin pandemic." It is advised to avoid using abandoned plugins, as they may contain unpatched security issues (Patchstack).
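As an added example (not from the article or any of the sources it cites), the following Python audit applies the three mitigations above to a site's plugin inventory: it flags pending updates, flags plugins the article says to deactivate until patched, and flags plugins with no maintainer release for a configurable period. It assumes the JSON shape of `wp plugin list --format=json` (a real WP-CLI command) and constructs the maintenance records inline; all slugs, current versions and dates are invented for the sample.

```python
import json
from datetime import date, timedelta

# Constructed sample shaped like `wp plugin list --format=json` output.
PLUGIN_LIST = json.loads("""[
 {"name": "layerslider", "status": "active", "update": "available", "version": "7.9.11", "update_version": "7.10.1"},
 {"name": "nginx-helper", "status": "active", "update": "none", "version": "2.2.3", "update_version": ""},
 {"name": "old-gallery", "status": "inactive", "update": "none", "version": "1.0", "update_version": ""},
 {"name": "akismet", "status": "active", "update": "none", "version": "5.3.1", "update_version": ""}
]""")

# Constructed maintenance records (field name last_updated as in the
# wordpress.org plugin_information API; ISO dates are an assumption).
PLUGIN_INFO = {
    "layerslider": {"last_updated": "2024-03-27"},
    "nginx-helper": {"last_updated": "2024-01-10"},
    "old-gallery": {"last_updated": "2019-06-02"},
    "akismet": {"last_updated": "2024-02-15"},
}

# Plugins the article says to deactivate until fixed (slugs assumed).
UNPATCHED = {"nginx-helper", "cf7-mailchimp-extension"}
REFERENCE_DATE = date(2024, 4, 15)  # constructed "today" for the sample

def audit(plugins, info, unpatched, today, stale_days=730):
    """Return {slug: [findings]} for every plugin that needs action."""
    findings = {}
    for p in plugins:
        slug, issues = p["name"], []
        if p["update"] == "available":  # a fixed release exists: apply it
            issues.append(f"update {p['version']} -> {p['update_version']}")
        if slug in unpatched and p["status"] == "active":
            issues.append("known unpatched vulnerability: deactivate")
        meta = info.get(slug)
        if meta is None:  # premium or unknown plugin: confirm who maintains it
            issues.append("not in plugin directory: verify the source")
        elif today - date.fromisoformat(meta["last_updated"]) > timedelta(days=stale_days):
            issues.append(f"no release in {stale_days} days: likely abandoned")
        if issues:
            findings[slug] = issues
    return findings

def run_audit():
    return audit(PLUGIN_LIST, PLUGIN_INFO, UNPATCHED, REFERENCE_DATE)

if __name__ == "__main__":
    for slug, issues in run_audit().items():
        print(f"{slug}: {'; '.join(issues)}")
```

On a live site, replace the constructed inventory with the real `wp plugin list --format=json` output and the maintenance records with the plugin directory's data for each slug.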