April 8, 2024 by Paul G. | Security, ShieldNOTES

ShieldNOTES Ep#8: LayerSlider, Oxygen & HTTP/2


There are a couple of big premium plugins with major vulnerabilities. If you’re running these, we urge you to review them:

#1 – Critical Vulnerability in LayerSlider Plugin

This plugin is practically everywhere, with an estimated 1M+ installs.

How will I know I’m okay?
Upgrade the plugin to v7.10.1+

What’s the risk?
Unauthenticated SQL Injection: 9.8/10 severity.

Editor Comment
If you use ShieldPRO’s automatic upgrader for vulnerable plugins/themes, this will be done automatically for you.

More Info →

#2 – RCE Vulnerability in Oxygen Builder Plugin

With over 150,000 estimated installs, it’s widely used.

How will I know I’m okay?
There is some debate with the developer as to whether this is actually a vulnerability, and so they never provided a patch. Their argument is that the issue stems from a lack of clear documentation on the actual authorization granted to non-admins, and that it is therefore not a vulnerability.

What’s the risk?
If you’re using the theme and you’ve granted a non-admin user so-called “Client Control” privileges, they can potentially take control of a site without having administrator privileges.

Editor Comment
We can see both sides of the argument, but without doubt, we would never use such a system, as it violates the principles of access control and “least privilege”.

More Info →

#3 – HTTP/2 DoS Attack Vulnerability

The newer HTTP/2 protocol, depending on its implementation, may be subject to DoS attacks.

What Should I Do?
Apache httpd (web server) is listed as being potentially vulnerable to this attack, so it might be worth contacting your web hosting provider and asking whether they have applied any available updates to mitigate it.

Editor Comment
This is why it’s so important that your webhost is proactive and keeps their infrastructure secure. Choosing a good webhost is critical.

More Info →

Thanks for reading, and have a wonderful week!

Paul Goodchild
Shield Security for WordPress

Hello dear reader!

If you want to level-up your WordPress security with ShieldPRO, click to get started today. (risk-free, with our no-quibble 14-day satisfaction promise!)

You'll get all PRO features, including AI Malware Scanning, WP Config File Protection, Plugin and Theme File Guard, import/export, exclusive customer support, and much, much more.

We'd be honoured to have you as a member, and look forward to serving you during your journey towards powerful, WordPress security.

Try ShieldPRO Today →
