Critical Vulnerability Patched in External Media Plugin

On February 2, 2021, the Wordfence Threat Intelligence team discovered a vulnerability in External Media, a WordPress plugin used by over 8,000 sites, and reported it to the developer. The flaw made it possible for low-privileged authenticated users, such as subscribers, to upload arbitrary files to any site running the plugin. Because an uploaded file can be a web shell, this could be used to achieve remote code execution and take over the WordPress site.

After several minor patches and follow-ups with the developer, a fully patched version was released as version 1.0.34.

This is considered a critical vulnerability. We therefore strongly recommend updating to version 1.0.34 or later immediately.

All of our client sites have of course been updated.

SQL Injection Vulnerability Patched in CleanTalk AntiSpam Plugin

The CleanTalk WordPress plugin has a number of uses, but one of its primary purposes is to protect sites against spam comments. Part of how it does this is by maintaining a blocklist and tracking the behavior of individual IP addresses, including the User-Agent string that browsers send to identify themselves. That string is supplied by the client, so it is attacker-controlled input and has to be treated as untrusted before it reaches a database query; a SQL injection vulnerability is exactly what happens when it is not.
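To illustrate the class of bug at issue, the following Python script is an added example for this post; it is not CleanTalk's code and is not taken from the Wordfence write-up. It builds a hypothetical visitor log (table name, rows and the injection payload are all constructed for the demo) in an in-memory SQLite database and queries it twice: once by splicing the User-Agent header straight into the SQL string, and once with a bound parameter. In a WordPress plugin the parameterized form corresponds to passing the header through $wpdb->prepare() rather than concatenating it.

```python
import sqlite3

# Constructed sample data (not real CleanTalk records): ip, user_agent, blocked flag
ROWS = [
    ("203.0.113.5", "Mozilla/5.0 (X11; Linux x86_64)", 0),
    ("198.51.100.9", "python-requests/2.25.1", 1),
    ("192.0.2.77", "curl/7.68.0", 1),
]

# A User-Agent value an attacker can send with any request. The single quote
# closes the string literal, OR 1=1 makes the WHERE clause always true, and
# the trailing -- comments out the rest of the original query.
PAYLOAD = "x' OR 1=1 --"


def make_db():
    """Create the hypothetical visitor_log table in memory and load the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE visitor_log (ip TEXT, user_agent TEXT, blocked INTEGER)"
    )
    conn.executemany("INSERT INTO visitor_log VALUES (?, ?, ?)", ROWS)
    conn.commit()
    return conn


def blocked_ips_vulnerable(conn, user_agent):
    """Insecure pattern: the header value is formatted into the SQL text.

    Any quote in user_agent changes the structure of the query, so the caller
    no longer controls what the database executes.
    """
    sql = (
        "SELECT ip FROM visitor_log "
        f"WHERE user_agent = '{user_agent}' AND blocked = 1"
    )
    return [row[0] for row in conn.execute(sql)]


def blocked_ips_safe(conn, user_agent):
    """Parameterized query: the header is bound as data, never parsed as SQL."""
    sql = "SELECT ip FROM visitor_log WHERE user_agent = ? AND blocked = 1"
    return [row[0] for row in conn.execute(sql, (user_agent,))]


if __name__ == "__main__":
    db = make_db()
    print("benign UA, vulnerable:", blocked_ips_vulnerable(db, "curl/7.68.0"))
    print("payload UA, vulnerable:", blocked_ips_vulnerable(db, PAYLOAD))
    print("payload UA, safe:", blocked_ips_safe(db, PAYLOAD))
```

With the benign User-Agent both functions return the one blocked IP it matches. With the payload, the string-spliced query returns every IP in the table because the injected condition is always true, while the parameterized query returns nothing because no stored User-Agent literally equals the payload. The real-world variants (blind, time-based) exploit the same concatenation; the fix is the same in every case: bind the value, do not format it.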

Many of our users have CleanTalk installed.

The vulnerability was patched on March 10, and the update was applied to all of our client sites within 24 hours. We are not aware of any client site having been compromised through it.

Article source: https://www.wordfence.com/blog/2021/05/sql-injection-vulnerability-patched-in-cleantalk-antispam-plugin