WordPress vulnerability news is a monthly digest of highlighted vulnerable plugins for WordPress and vulnerability disclosures that have been published (there are other, less critical vulnerabilities in smaller plugins that unfortunately don’t always make it to the list).
Keeping up to date with security vulnerabilities in WordPress and other CMSs is an important part of security. That is why we analyze vulnerable plugins and newly disclosed vulnerabilities, to make sure the sites using the mentioned plugins or themes are protected.
All the vulnerabilities you find in this article have received a virtual patch in the WebARX firewall. This means that if you use the WebARX web application firewall, your site is protected from these vulnerabilities, but it is always strongly advised to update or delete vulnerable plugins from your site.
Is your WordPress site secured? Take a look at how to secure your site here.
If you are a WordPress plugin developer, read how to secure plugins from an attacker’s perspective.
Authenticated Stored XSS in GistPress Plugin
Example from github.com/bradyvercher/gistpress
A WordPress plugin to easily embed Gists via oEmbed or shortcode.
Vulnerability: Authenticated stored XSS
Vulnerable version: 3.0.2 and below
Number of sites affected: N/A
A stored XSS vulnerability that could be exploited by untrusted contributors on multi-author sites.
Read more about the vulnerable plugin here.
Authenticated Stored XSS in Elementor Page Builder
A page builder for page designs and advanced capabilities for WordPress sites.
Vulnerability: Authenticated stored XSS
Vulnerable version: 2.7.6 and below
Number of sites affected: 4+ million
Exploitation level: Easy/requires authentication
This vulnerability is exploitable on sites that allow users to have accounts and are using Elementor versions lower than 2.7.6, released last December.
A successful attack results in malicious scripts being injected into the plugin’s System Info page.
If an administrator visits that page, the malicious JavaScript code can execute privileged actions on the victim’s behalf, such as creating new administrative accounts or storing backdoors on the site to maintain access.
Read more about the vulnerable plugin here.
Critical CSRF to RCE Vulnerability in Code Snippets Plugin
Code Snippets is an easy, clean and simple way to run PHP code snippets on your site. It removes the need to add custom snippets to your theme’s functions.php file.
Vulnerability: Critical CSRF to RCE
Vulnerable version: fixed in version 2.14.0
Number of sites affected: 200 000+
This issue could cause complete site takeovers. Vulnerabilities with
such magnitude are quickly targeted by adversaries and updating to the
patched version should be done immediately!
Read more about the vulnerable plugin here.
Authenticated Reflected XSS in Elementor Page Builder
A page builder for page designs and advanced capabilities for WordPress sites.
Vulnerability: Authenticated reflected XSS
Vulnerable version: 2.8.5 and below
Number of sites affected: 4+ million
The PoC will be displayed on February 12, 2020, to give users the time to update.
CSV Injection in Flamingo Plugin
Flamingo is a message storage plugin originally created for Contact Form 7, which doesn’t store submitted messages.
Vulnerability: CSV injection
Vulnerable version: 2.1.1 and below
Number of sites affected: 500 000+
A CSV injection vulnerability was discovered in the Flamingo plugin v2.1. It allows a user with low-level privileges to inject an OS command that will be included in the exported CSV file, which can lead to command/code execution.
Read more about the vulnerable plugin here.
Missing Authorization Check In wpCentral Plugin
The wpCentral plugin allows you to manage your sites from a single panel. It gives you the power to log in to any website, install/delete/activate plugins, upload files and much more.
Vulnerability: Privilege escalation
Vulnerable version: 1.4.7 and below
Number of sites affected: 50 000+
In versions 1.4.7 and below of this plugin, there is a vulnerability that allows anyone who is logged in, with any user role, to escalate their privileges, alter/upload any file, adjust any plugin and interact with the site in many other ways.
You can read more about the vulnerable plugin here.
Secret Login Page Disclosure in WPS Hide Login Plugin
WPS Hide Login lets you change the URL of the login form page to anything you want.
Vulnerability: Secret login page disclosure
Vulnerable version: 1.5.5 and below
Number of sites affected: 500 000+
A vulnerability in version 1.5.4.2 and below could allow an attacker to find and access the secret login page.
You can read more about the vulnerable plugin here.
Stored XSS in WP DS FAQ Plus Plugin
The WP DS FAQ Plus plugin is a simple FAQ page management tool for your website. WP DS FAQ Plus is an improved version of WP DS FAQ 1.3.3.
This plugin includes fixes for some issues (quotation and security, such as SQL injection and CSRF), a Japanese translation, improvements to the interface, and an SSL Admin setting.
Vulnerability: Stored XSS
Vulnerable version: 1.0.354 and below
Number of sites affected: 50 000+
The PoC will be displayed on February 07, 2020, to give users the time to update.
Authenticated Stored XSS in Calculated Fields Form Plugin
With Calculated Fields Form, you can create forms with dynamically calculated fields to display the calculated values.
Vulnerability: Authenticated stored XSS
Vulnerable version: 1.0.354 and below
Number of sites affected: 50 000+
“An authenticated user with access to edit or create Calculated
Fields Form content can inject javascript into input fields such as
‘field name’ and ‘form name’.”
Read more about the vulnerable plugin here.
Unauthenticated Reflected XSS in Chained Quiz Plugin
This is a chained / conditional logic quiz plugin that lets you create quizzes where the next question depends on the answer to the previous question.
Vulnerability: Unauthenticated reflected XSS
Vulnerable version: 1.1.8.2 and below
Number of sites affected: 1 000+
The WordPress plugin Chained Quiz before 1.1.8.2 suffers from a reflected XSS vulnerability in the ‘total_questions’ POST parameter when a user completes a quiz.
The code in question accepts the ‘total_questions’ parameter without escaping special characters (models/quiz.php):
$output = str_replace('{{questions}}', $_POST['total_questions'], $output);
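The vulnerable substitution shown above beside two hardened versions, as an added example that is not the Chained Quiz plugin’s own code. It is plain PHP so it runs without WordPress; inside a plugin, esc_html() takes the role of htmlspecialchars() and absint() the role of intval(). The template string and request array are constructed for the demonstration.

```php
<?php
// Added example (not the Chained Quiz plugin's own code): the vulnerable
// substitution beside two hardened versions. Plain PHP, no WordPress needed.

// Vulnerable shape: the POST value is spliced into the page markup as-is,
// so any HTML or script the client sends is rendered by the browser.
function render_vulnerable(string $template, array $post): string
{
    return str_replace('{{questions}}', $post['total_questions'] ?? '', $template);
}

// Hardened, option 1: total_questions is a count, so coerce it to an
// integer. Anything that is not a number collapses to 0, and a number can
// never carry markup. Prefer this whenever the field has a known type.
function render_hardened_int(string $template, array $post): string
{
    $total = max(0, intval($post['total_questions'] ?? 0));
    return str_replace('{{questions}}', (string) $total, $template);
}

// Hardened, option 2: when the value really is free text, escape it for
// the HTML text context it lands in, so <, >, &, " and ' become inert.
function render_hardened_escaped(string $template, array $post): string
{
    $raw   = (string) ($post['total_questions'] ?? '');
    $total = htmlspecialchars($raw, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return str_replace('{{questions}}', $total, $template);
}

// Constructed request: a harmless tag is enough to show whether the value
// is treated as markup (vulnerable) or as data (hardened).
$template = '<p>You answered {{questions}} questions.</p>';
$request  = ['total_questions' => '5<b>not a number</b>'];

echo "vulnerable: ", render_vulnerable($template, $request), PHP_EOL;
echo "as integer: ", render_hardened_int($template, $request), PHP_EOL;
echo "escaped:    ", render_hardened_escaped($template, $request), PHP_EOL;
```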
The PoC will be displayed on January 30, 2020, to give users the time to update.
Read more about the vulnerable plugins here.
WordPress Hardening Bypass
There is a Remote Code Execution (RCE) vulnerability in the WordPress core that bypasses hardening mechanisms. The vulnerability is present in WordPress core versions prior to 5.2.4.
The vulnerability in the WordPress core can be exploited even if the described hardening mechanism is in place, allowing for an effective bypass. This re-enables attackers to leverage simple Cross-Site Scripting vulnerabilities to full Remote Code Execution impact on servers.
Make sure to update your WordPress installations to 5.2.4 or later to prevent the bypass.
Read more about the WordPress vulnerability here.
Authenticated Stored XSS in Contact Form Clean and Simple Plugin
An AJAX contact form with Google reCAPTCHA, Twitter Bootstrap markup, and Akismet spam filtering.
Vulnerability: Authenticated stored XSS
Vulnerable version: 4.7.0 and below
Number of sites affected: 20 000+
Contact Form Clean and Simple is vulnerable to Authenticated stored
XSS. When a user has admin capabilities, malicious code can be submitted
through the plugin’s options. This code will then be executed on every
page with the contact form on the front-end.
January 22nd, 2020 – Escalated to the WP plugins team as no response from the developer according to the researcher.
Read more about the plugin vulnerability here.
Insecure Direct Object Reference (IDOR) in Ultimate Member Plugin
Ultimate Member is a user profile and membership plugin for WordPress. The plugin makes it a breeze for users to sign up and become a member of your website.
Vulnerability: Insecure direct object reference (IDOR)
Vulnerable version: 2.1.3 and below
Number of sites affected: 100 000+
IDOR issues allow changing other users’ profiles and cover photos.
Read more about the vulnerable plugin here.
Arbitrary PHP Execution in AccessAlly Plugin
AccessAlly is a powerful, flexible customer-getting and retaining system that grows with your business, and that pays for itself.
Vulnerability: Arbitrary PHP execution
Vulnerable version: 3.3.2 and below
Number of sites affected: N/A
Prior to version 3.3.2, this plugin allowed arbitrary PHP execution
through the login_error function. This exploit is out in the wild now
and actively being exploited.
The PoC will be displayed on February 11, 2020, to give users the time to update.
Read more about the plugin vulnerability here.
DOM Cross-Site Scripting in Chatbot with IBM Watson Plugin
IBM Watson helps you to give support to your customers. You can train Watson to answer frequently asked questions, provide useful information and help them navigate your website.
Vulnerability: DOM-based XSS
Vulnerable version: 0.8.21 and below
Number of sites affected: 2 000+
A DOM-based XSS vulnerability has been identified in the chat
functionality of the Watson Assistant plugin for WordPress, allowing a
remote attacker to execute JavaScript in the victim browser by tricking
the victim into pasting HTML inside the chatbox.
Read more about the vulnerable plugin here.
Authenticated Stored Cross-Site Scripting Issue in Contextual Adminbar Color Plugin
This plugin provides custom admin bar colors to differentiate environments (staging, pre-prod, production).
Vulnerability: Authenticated stored cross-site scripting issue
Vulnerable version: 0.3 and below
Number of sites affected: 40+
The PoC will be displayed on February 03, 2020, to give users the time to update.
Read more about the vulnerable plugin here.
Authenticated Arbitrary Plugin Deactivation in 2J SlideShow Plugin
2J Slideshow is a responsive slideshow plugin with classic design and clean interface elements.
Vulnerability: Authenticated arbitrary plugin deactivation
Vulnerable version: 1.3.40 and below
Number of sites affected: 3 000+
Lack of authorization checks in the twoj_slideshow_setup() function
registered as an AJAX call could allow authenticated users with low
privileges to deactivate arbitrary plugins.
Read more about the vulnerable plugin here.
Broken Authentication Leading To Unauthenticated Stored XSS in Batch-Move Posts Plugin
This plugin has been closed as of December 11, 2018, and is not available for download. Reason: Security Issue.
Vulnerability: Broken authentication leading to unauthenticated stored XSS
Vulnerable version: 1.5 and below
Number of sites affected: N/A
An attacker can add XSS Payload remotely without any authentication.
The Payload gets triggered when Admin visits the settings page of the
Plugin.
Read more about vulnerable plugins here.
CSRF to XSS in Marketo Forms and Tracking Plugin
The plugin has been closed.
The settings page of the Marketo Forms and Tracking WordPress plugin is vulnerable to CSRF; this CSRF can be used to inject a script tag into the WordPress Admin Panel, making this attack vector an authenticated XSS attack.
Vulnerability: CSRF to XSS
Vulnerable version: 1.0.2 and below
Number of sites affected: N/A
Read more about the vulnerable plugin here.
Multiple Vulnerabilities in WP Database Reset Plugin
The WordPress Database Reset plugin allows you to reset the database (all tables or the ones you choose) back to its default settings without having to go through the WordPress 5-minute installation or having to modify any files.
Vulnerability: Unauthenticated database reset
Vulnerable version: 3.1 and below
Number of sites affected: 80 000+
This flaw “allowed any unauthenticated user to reset any table from the database to the initial WordPress set-up state”.
The PoC will be displayed on January 30, 2020, to give users the time to update.
Vulnerability: Privilege escalation
Vulnerable version: 3.1 and below
Number of sites affected: 80 000+
This flaw “allowed any authenticated user, even those with minimal
permissions, the ability to grant their account administrative
privileges while dropping all other users from the table with a simple
request.”
The PoC will be displayed on January 30, 2020, to give users the time to update.
Read more about the vulnerable plugin here.
Reflected Cross-Site Scripting in LearnDash Plugin
Create and sell courses, deliver quizzes, award certificates, manage users, download reports.
Vulnerability: Reflected cross-site scripting (XSS) issue on the [ld_profile] search field
Vulnerable version: fixed in version 3.1.2
Number of sites affected: N/A
Reflected Cross-Site Scripting (XSS) issue on the [ld_profile] search
field. Only authenticated users are able to take advantage of the XSS
vulnerability.
First reported to LearnDash on January 14, 2020; update 3.1.2, which fixes it, was released the same day.
Check the LearnDash release notes about the vulnerable plugins here.
Authenticated Stored XSS in Video on Admin Dashboard
Videos on Admin Dashboard allows you to embed YouTube and Vimeo tutorials, help or support videos quickly and easily into the dashboard of your WordPress website.
Vulnerability: Authenticated stored XSS
Vulnerable version: fixed in version 1.1.4
Number of sites affected: 40+
Video on the Admin Dashboard is vulnerable to stored XSS. When a user
has admin capabilities, malicious code can be submitted through the
plugin’s options.
The PoC will be displayed on January 19, 2020, to give users the time to update.
Read more about the vulnerable plugins here.
Authenticated Stored XSS in Computer Repair Shop Plugin
The Computer Repair Shop CRM WordPress plugin can help you convert your WordPress website into better software. It can help you manage your services, parts, jobs, and clients effectively.
Vulnerability: Authenticated stored XSS
Vulnerable version: fixed in version 2.0
Number of sites affected: 40+
Computer Repair Shop is vulnerable to stored XSS. When a user has
admin capabilities, malicious code can be submitted through the plugin’s
options. Fixed in version 2.0.
The PoC will be displayed on January 21, 2020, to give users the time to update.
Read more about the vulnerable plugin here.
CSV Injection in TablePress Plugin
TablePress allows you to easily create and manage beautiful tables.
Vulnerability: CSV injection
Vulnerable version: 1.10 and below
Number of sites affected: 800 000+
“Through CSV injection vulnerability a malicious user can force other
users to execute code in his machine, for example, this can be used for
spread malware.”
Read more about the vulnerable plugin here.
CSV Injection in WooCommerce – Store Exporter Plugin
Store Exporter for WooCommerce creates the product, order, category, tag, and user exports to suit your store requirements.
Vulnerability: CSV injection
Vulnerable version: 2.4 and below
Number of sites affected: 20 000+
“A CSV Injection vulnerability was discovered in WooCommerce – Store
Exporter v 2.3.1. It allows a user with low-level privileges to inject a
command that will be included in the exported CSV file, leading to
possible command/code execution.”
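The CSV injection pattern behind the Flamingo, TablePress and Store Exporter entries, as an added example that is not code from any of those plugins: a small exporter that detects cells a spreadsheet would interpret as a formula and neutralises them before writing the file. Plain PHP; the rows are constructed sample data.

```php
<?php
// Added example, not code from Flamingo, TablePress or Store Exporter.
// Detects exported cells a spreadsheet would treat as a formula and
// neutralises them before they reach the file. Plain PHP, no WordPress.

// A cell is formula-like when its first character is one a spreadsheet
// treats as a formula trigger: = + - @ and, in some applications, the tab
// and carriage-return characters. Leading spaces are skipped because some
// spreadsheet applications skip them too.
function is_formula_like(string $cell): bool
{
    $trimmed = ltrim($cell, ' ');
    if ($trimmed === '') {
        return false;
    }
    return strpos("=+-@\t\r", $trimmed[0]) !== false;
}

// Prefixing a single quote makes the spreadsheet treat the cell as text.
// The quote is visible in some applications; if a column is known to be
// numeric (a phone number starting with +), validate it on input rather
// than relying on this fallback at export time.
function neutralise_cell(string $cell): string
{
    return is_formula_like($cell) ? "'" . $cell : $cell;
}

// Quote every field (RFC 4180 style) so embedded commas, quotes and line
// breaks cannot start a new field or a new row.
function csv_quote(string $cell): string
{
    return '"' . str_replace('"', '""', $cell) . '"';
}

function export_rows(array $rows): string
{
    $lines = [];
    foreach ($rows as $row) {
        $cells   = array_map(fn (string $c): string => csv_quote(neutralise_cell($c)), $row);
        $lines[] = implode(',', $cells);
    }
    return implode("\r\n", $lines) . "\r\n";
}

// Constructed sample: ordinary submissions plus two cells a low-privilege
// user could have typed into a form. The formula is deliberately inert;
// any cell starting with a trigger character receives the same treatment.
$rows = [
    ['Name', 'Email', 'Message'],
    ['Alice', 'alice@example.test', 'Hello, "world"'],
    ['=1+1', 'bob@example.test', 'starts with a formula trigger'],
    ['  @contact', 'carol@example.test', 'leading spaces, then a trigger'],
];

echo export_rows($rows);
```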
Read more about the plugin vulnerability here.
Authentication Bypass in Backup and Staging by WP Time Capsule
WP Time Capsule was created to ensure peace of mind with WP updates and put the fun back into WordPress. It uses the cloud apps’ native file versioning system to detect changes and backs up just the changed files and DB entries to your account.
Vulnerability: Authentication bypass
Vulnerable version: 1.21.16 and below
Number of sites affected: 20 000+
Read more about the vulnerable plugins here.
Authentication Bypass in InfiniteWP Client Plugin
InfiniteWP allows users to manage an unlimited number of WordPress sites from their own servers.
Vulnerability: Authentication bypass
Vulnerable version: 1.9.4.5 and below
Number of sites affected: 300 000+
Read more about the vulnerable plugins here.
Multiple Vulnerabilities in Minimal Coming Soon & Maintenance Mode Plugin
The Minimal Coming Soon & Maintenance Mode plugin allows you to quickly & easily set up a Coming Soon Page, Maintenance Mode Page, Landing Page or Launch Page for your website.
Vulnerability: CSRF to stored XSS and setting changes
Vulnerable version: 2.15 and below
Number of sites affected: 80 000+
Vulnerability: Insecure permissions: enable and disable maintenance mode
Vulnerable version: 2.15 and below
Number of sites affected: 80 000+
Vulnerability: Insecure permissions: export settings/theme change
Vulnerable version: 2.15 and below
Number of sites affected: 80 000+
Read more about the plugin vulnerabilities here.
Multiple CSRF & XSS in Ultimate Auction Plugin
The Ultimate WordPress Auction plugin allows an easy and quick way to set up auctions on your site.
Vulnerabilities: Multiple CSRF & XSS
Vulnerable version: 4.0.6 and below
Number of sites affected: 3 000+
“We have updated security-related changes to avoid XSS/CSRF kind of
injections. We have used WordPress nonces that are security tokens to
help protect URLs and forms. Used esc_attr, esc_url, esc_html for form’s
post and get data (form submission).”
Read more about the vulnerability here.
Authenticated Code Injection in ElegantThemes (Divi, Extra, Divi-Builder)
A library of popular WordPress themes and visual page builders.
Vulnerability type: Authenticated code injection
Vulnerable version: 4.0.10 and below
Number of sites affected: N/A
A code injection vulnerability was discovered during a routine code
audit that could allow logged-in contributors, authors, and editors to
execute a small set of PHP functions.
Affected:
– Divi version 3.23 and above
– Extra 2.23 and above
– Divi Builder version 2.23 and above
Product version 4.0.10 includes the security patch.
Read more about the vulnerability here.
CSRF to XSS in WooCommerce Conversion Tracking Plugin
This plugin inserts conversion tracking codes on the WooCommerce cart page, the checkout success page and after user registration, so you can track who is adding your products to the cart, who is buying them and who is registering on your site.
Vulnerability: CSRF to XSS
Vulnerable version: 2.0.5 and below
Number of sites affected: 20 000+
The settings page of the plugin is lacking CSRF checks as well as input sanitization, leading to stored XSS.
The PoC will be displayed on January 17, 2020, to give users the time to update.
Read more about the vulnerable plugin here.
Post Submission Spoofing & Stored XSS in Postie Plugin
Postie offers many advanced features for creating posts by email, including the ability to assign categories by name, include pictures and videos, and automatically strip off signatures.
Vulnerability: Post submission spoofing & stored XSS
Vulnerable version: 1.9.40 and below
Number of sites affected: 20 000+
The Postie plugin for WordPress only allows posting of articles
submitted by authorized users through a mailing list registered in the
plugin settings.
However, through the email sender’s spoofing technique, it was
possible to bypass the plugin settings and publish a post as having been
sent by a valid user. This could be used to create a post with an XSS
payload.
Read more about the vulnerable plugin here.
Multiple Vulnerabilities in Import Users From CSV with Meta
Clean and easy-to-use user import plugin. It includes custom user meta to be included automatically from a CSV file and a delimiter auto-detector.
Vulnerability: Unauthorised authenticated users export
Vulnerable version: 1.15
Number of sites affected: 30 000+
The export_users_csv function, registered as an authenticated AJAX call that allows exporting users, was missing the authorization/capability check. A CSRF check was in place, which reduces the severity of the issue.
Only version 1.15 seems to be affected as the export functionality is a new feature introduced by it.
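The missing-authorization pattern behind this entry and the 2J SlideShow one above (an AJAX callback reachable by any logged-in user) as an added example that is not code from either plugin. It assumes it runs inside WordPress; the action name demo_export_users, the nonce action demo_export_nonce and the demo_ function names are made up for the illustration.

```php
<?php
// Added example, not code from the 2J SlideShow or Import Users From CSV
// with Meta plugins. Shows the two independent checks an admin-ajax
// handler needs: a nonce check (CSRF) and a capability check
// (authorization). Assumes WordPress is loaded; "demo_export_users" and
// "demo_export_nonce" are made-up action names.

// Vulnerable shape, as described for Import Users 1.15: wp_ajax_* hooks
// already require a logged-in session, and the nonce proves the request
// came from the plugin's own page, but neither proves the caller is
// allowed to export the user list. A subscriber with a valid nonce gets
// through. 2J SlideShow's handler lacked the authorization check as well.
function demo_export_users_vulnerable() {
    check_ajax_referer( 'demo_export_nonce', 'nonce' );
    wp_send_json_success( demo_build_export() );
}

// Hardened shape: nonce first, capability second, fail closed on both.
function demo_export_users_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action.
    //    Passing false as the third argument returns instead of dying,
    //    so the failure can be reported as JSON with a 403.
    if ( ! check_ajax_referer( 'demo_export_nonce', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid nonce.' ), 403 );
    }
    // 2. Authorization: only users allowed to list users may export them.
    //    list_users belongs to administrators by default; subscribers,
    //    contributors and authors do not have it.
    if ( ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    wp_send_json_success( demo_build_export() );
}

// Select only the columns the export needs; never include password hashes
// or activation keys in an export, regardless of who requested it.
function demo_build_export() {
    $users = get_users( array( 'fields' => array( 'ID', 'user_login', 'user_email' ) ) );
    $rows  = array();
    foreach ( $users as $user ) {
        $rows[] = array(
            'id'    => (int) $user->ID,
            'login' => $user->user_login,
            'email' => $user->user_email,
        );
    }
    return $rows;
}

// Register the hardened handler for logged-in users only. There is
// deliberately no wp_ajax_nopriv_ hook, so anonymous requests never reach it.
add_action( 'wp_ajax_demo_export_users', 'demo_export_users_hardened' );
```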
Read more about the vulnerability here.
Vulnerability: CSRF leading to attachment deletion & path traversal
Vulnerable version: 1.14.1.3
Number of sites affected: 30 000+
CSRF leading to attachment deletion via the acui_delete_attachment() AJAX function.
WordPress Vulnerability News, January 2020
Reviewed by Zuck Rajput on March 09, 2020