In all likelihood, your site is powered by WordPress, the world’s most popular website content management system. With over 40% of websites relying on this platform, it’s no wonder that it’s the go-to choice for many. One of the biggest draws of WordPress is its ability to extend its functionality through plugins. There are tens of thousands of plugins available, making it easy to tailor the platform to meet your specific needs.
But while a regularly updated WordPress site is (typically) secure, threat actors are increasingly targeting the gaps left by these plugins, which are more open to attack, rather than the site itself.
LearnPress: a target ripe for attack
LearnPress is a popular WordPress plugin used for creating and selling online courses. With its growing popularity, it has become a target for exploitation and targeted attacks. Around 100,000 sites make use of this plugin, and it’s essential that they upgrade to the latest version, 4.2.0, to protect against three known vulnerabilities.
These vulnerabilities include:
- CVE-2022-47615: An unauthenticated Local File Inclusion vulnerability that allows remote viewing of local files on a web server, potentially exposing API keys, credentials, and other secrets.
- CVE-2022-45808 and CVE-2022-45820: A pair of SQL injection vulnerabilities that could lead to data modification and code execution.
Patchstack discovered these vulnerabilities between November 30, 2022, and December 4, 2022, and the issues were patched by December 20. This quick turnaround is relatively rare, as some plugins can go without updates for months or even be abandoned altogether.
Upgrading to the latest version of LearnPress is the best way to lock down these vulnerabilities. And, while you’re at it, it’s a good idea to have a quick check of your other plugins to make sure they’re all up-to-date and secure.
Cleaning up your WordPress plugins
There are a few steps you can take to ensure your plugins are up-to-date and secure:
- Update existing plugins. You can check for updates by logging into your site and going to Dashboard > Updates.
- Enable automatic updates for plugins. This is not a default setting in WordPress, but when turned on it ensures that updates no longer depend on your team’s availability or resources. You can enable this setting for each individual plugin on the Plugins screen.
- Remove unsupported plugins. Check the details of each plugin to see when it was last tested and updated. Remove the ones no longer supported.
- Remove unnecessary plugins. Take a look at how many plugins and themes you have installed and consider removing those that are not essential.
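The first two steps above can also be enforced in code rather than clicked through the dashboard. The following must-use plugin is an added example written for this post (it is not Vulcan Cyber’s or LearnPress’s code): it turns on automatic updates for every plugin and theme through WordPress’s `auto_update_plugin` and `auto_update_theme` filters, and shows an admin notice while the installed LearnPress is older than 4.2.0. It assumes LearnPress’s main file lives at `learnpress/learnpress.php` and that the file is dropped into `wp-content/mu-plugins/`.

```php
<?php
/**
 * Plugin Name: Plugin Hygiene (mu-plugin)
 * Description: Force automatic plugin/theme updates and warn while LearnPress is below the patched release.
 * Place this file in wp-content/mu-plugins/ so it loads on every request and cannot be deactivated.
 */

// Step 2: enable auto-updates site-wide. Core consults these filters for each
// item during its background update run; returning true opts every item in.
add_filter( 'auto_update_plugin', '__return_true' );
add_filter( 'auto_update_theme', '__return_true' );

// First LearnPress release that closes CVE-2022-47615, CVE-2022-45808 and CVE-2022-45820.
define( 'HYGIENE_LEARNPRESS_MIN_VERSION', '4.2.0' );
// Assumed path of the LearnPress main file, as keyed by get_plugins().
define( 'HYGIENE_LEARNPRESS_FILE', 'learnpress/learnpress.php' );

/**
 * Returns true when LearnPress is installed and older than the patched release.
 */
function hygiene_learnpress_is_vulnerable() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    $plugins = get_plugins(); // keyed by "dir/main-file.php", each with header data
    if ( ! isset( $plugins[ HYGIENE_LEARNPRESS_FILE ] ) ) {
        return false; // not installed, nothing to warn about
    }
    $installed = $plugins[ HYGIENE_LEARNPRESS_FILE ]['Version'];
    return version_compare( $installed, HYGIENE_LEARNPRESS_MIN_VERSION, '<' );
}

// Step 1: keep the outstanding update in front of anyone who can apply it.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'update_plugins' ) || ! hygiene_learnpress_is_vulnerable() ) {
        return;
    }
    $message = sprintf(
        'LearnPress is older than %s and still exposed to CVE-2022-47615, CVE-2022-45808 and CVE-2022-45820. Update it via Dashboard > Updates.',
        HYGIENE_LEARNPRESS_MIN_VERSION
    );
    printf( '<div class="notice notice-error"><p>%s</p></div>', esc_html( $message ) );
} );
```

The same version check can be pointed at any other plugin by changing the two constants, which makes it a cheap way to gate a known-bad release until the update has actually landed.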
It’s crucial to keep your WordPress plugins up-to-date and secure. With the increasing focus on exploiting vulnerabilities in plugins, it’s more important than ever to take the time to check and update your site.
New vulnerabilities serve as reminders of where we stand, and what we need to do better. Check out the following resources to help you maintain cyber hygiene and stay ahead of the threat actors:
- Cyber risk in 2022 – a 360° view report
- MITRE ATT&CK framework – Mapping techniques to CVEs
- Exploit maturity: an introduction
- How to properly tackle zero-day threats
- OWASP Top 10 vulnerabilities 2022: what we learned
Don’t get found out by new vulnerabilities. Vulcan Cyber gives you full visibility and oversight of your threat environment and lets you prioritize, remediate and communicate your cyber risk across your entire organization. Get a demo today.