
Recent WordPress plugin malware exploits - how to keep your site safe



By: Krystal in Security

Posted on: July 19th 2019 at 13:23pm


We wanted to bring to your attention recent malware exploits within outdated versions of two WordPress plugins, WooCommerce and Yoast.

What’s malware? Malware is software specifically designed to disrupt, damage or gain unauthorised access to a computer system. Breaches within plugins can be a big worry, as they cause major vulnerabilities to your system and business.
Since the details regarding these latest malware issues in WooCommerce and Yoast were released, we’ve had many clients come to us with the same concerns and our malware detection systems have been working hard to keep our platform safe.

We want to work with you to make your website safe again, in the quickest and easiest way possible.

So, here’s what you need to know:
Yoast SEO versions 1.2.0-11.5 and below are vulnerable to an Authenticated Stored XSS attack.
WooCommerce versions 3.6.4 and below are vulnerable to a Cross-Site Request Forgery and File Type Check.

How to solve it:
Solving the issue is as simple as updating the plugin concerned. Both WooCommerce and Yoast have released updates to patch the exploit.

Yoast 11.6 was released 7 days ago and has resolved the Authenticated Stored XSS attack risk.
WooCommerce version 3.6.5 has also been released, which patches their exploit.

It’s important to keep all your plugins updated via the WordPress dashboard, particularly as WordPress doesn’t update these automatically by default. The longer a plugin is left without any updates, the higher the risk of malware issues occurring.
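If you manage sites from the command line, the version check above can be scripted. The following is an added example, not Krystal's own tooling: it assumes WP-CLI is installed, uses the WordPress.org plugin slugs `woocommerce` and `wordpress-seo` (Yoast SEO), and runs here against a constructed sample inventory.

```shell
#!/bin/sh
# Added example: flag installs older than the fixed releases named in the post.
# Fixed versions come from the post; the slugs are the WordPress.org
# directory slugs (assumption: Yoast SEO is installed as "wordpress-seo").

# version_lt A B: succeed when version A sorts strictly before version B.
version_lt() {
    [ "$1" != "$2" ] &&
        [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# fixed_version SLUG: print the first patched release for SLUG, or nothing.
fixed_version() {
    case "$1" in
        wordpress-seo) echo "11.6" ;;
        woocommerce)   echo "3.6.5" ;;
    esac
}

# audit_plugins: read "name,version" CSV on stdin (the shape produced by
# `wp plugin list --fields=name,version --format=csv`) and print one line
# for each of the two plugins that is still below its fixed release.
audit_plugins() {
    while IFS=, read -r name version; do
        fixed=$(fixed_version "$name")
        [ -n "$fixed" ] || continue      # header row or an unrelated plugin
        if version_lt "$version" "$fixed"; then
            echo "VULNERABLE $name $version (update to $fixed or later)"
        fi
    done
}

# Constructed sample inventory, not taken from a real site.
sample_inventory() {
    cat <<'EOF'
name,version
akismet,4.1.2
woocommerce,3.6.4
wordpress-seo,11.6
EOF
}

# On a real site, from the WordPress root:
#   wp plugin list --fields=name,version --format=csv | audit_plugins
#   wp plugin update woocommerce wordpress-seo
sample_inventory | audit_plugins
```
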

Have you had a report? Click here to read our guide on how to identify and understand our malware reports.