Scroll Top

WP Security: plugin vulnerabilities October

By Csaba, Miklós WP Security WP SERVICES 1 November 2017

WP SECURITY: PLUGIN VULNERABILITIES OCTOBER

For your WP Security, be informed about the latest vulnerabilities in WordPress plugins:

  1. Content Timeline
    • Multiple Blind SQL Injection reported by Jeroen (IT Nerdbox). One unauthenticated and two authenticated injections in the premium ‘Content Timeline’ WP plugin. Author contacted twice without any response.
      • remove this plugin to fix vulnerabilities, as these seriously affects your WordPress Security
  2. Appointments
    • Unauthenticated PHP Object Injection reported by Dewhurst Security. This vulnerability allowed attackers to cause a vulnerable website to fetch a remote file (a PHP backdoor) and save it to a location of their choice. It required no authentication or elevated privileges.
      • immediately update to version 2.2.2 to fix vulnerability
  3. Flickr Gallery
    • Unauthenticated PHP Object Injection reported by Dewhurst Security. This vulnerability allowed attackers to cause a vulnerable website to fetch a remote file (a PHP backdoor) and save it to a location of their choice. It required no authentication or elevated privileges. For sites running Flickr Gallery, the attackers only had to send the exploit as POST request to the site’s root URL.
      • immediately update to version 1.5.3 to fix vulnerability
  4. RegistrationMagic-Custom Registration Forms
    • Unauthenticated PHP Object Injection reported by Dewhurst Security. This vulnerability allowed attackers to cause a vulnerable website to fetch a remote file (a PHP backdoor) and save it to a location of their choice. It required no authentication or elevated privileges.
      • immediately update to version 3.7.9.3 to fix vulnerability
  5. Smush Image Compression and Optimization
    • File Transversal reported by Dewhurst Security. This vulnerability allowed attackers to create or overwrite critical files that are used to execute code, such as programs or libraries.
      • immediately update to version 2.7.6 to fix vulnerability
  6. Simple Login Log
    • Authenticated SQL Injection reported by Dewhurst Security. Users that do not have full administrative privileges could abuse the database access the vulnerability provides to either escalate their privileges or obtain and modify database contents they were not supposed to be able to. Due to the missing nonce token, the attacker the vulnerable code is also directly exposed to attack vectors such as Cross-Site request forgery (CSRF).
      • immediately update to version 1.1.2 to fix vulnerability
  7. WPHRM
    • Authenticated SQL Injection reported by David Hayes (https://wpshout.com). The vulnerability allows an employee users to inject SQL commands.
      • immediately update to version 1.1 to fix vulnerability
  8. Pootle button
    • Authenticated Cross-Site Scripting (XSS) reported by Dewhurst Security. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
      • immediately update to version 1.2.0 to fix vulnerability
  9. Invite Anyone
    • Unauthenticated PHP Object Injection reported by Robert R (https://pagely.com). The plugin invite-anyone insecurely trusts serialized data submitted over HTTP requests. This opens up the site to a PHP object injection vulnerability potential exploit vector
      • immediately update to version 1.3.19 to fix vulnerability

Protect your WordPress: BEFORE IT’S TOO LATE! You will also protect your customers, your reputation and your online business!

WP Security

Related Posts

WP SECURITY
WP Security: 12 plugin vulnerabilities in SEPT 2018

WP Security bulletin – SEPTEMBER 2018 At your next scheduled WordPress Maintenance, be advised for your WP Security about the latest 12 vulnerabilities in WordPress plugins identified and reported publicly during. As these vulnerabilities are disclosed, when you use one (or more) of these outdated plugins – your risking serious…

01 Oct 2018
THEMES VULNERABILITY 2022
Disempowered WP Security: 1 WP themes vulnerability FEB 2022
17 Feb 2022
THEMES VULNERABILITY 2022
Disempowered WP Security: 9 WP themes vulnerability MAY 2021
14 Jun 2021
WP BACKUP FAIL
Never let your WP become an attack vector

What is an attack vector? An attack vector is a path or means by which a hacker gains access to your server or WordPress (or both) to execute a malicious payload. Attack vectors enable hackers to exploit system vulnerabilities, including the human element. Why the WordPress attack vector is so…

09 Feb 2017
WP SECURITY PLUGIN VULNERABILITIES
14 WP Security Plugin Vulnerabilities MAR 2022 Threat
14 Mar 2022
BLOG PICTURE 256 5
Why secure your WordPress site?

WordPress sites are notoriously lacking when it comes to security. Be it due to an insufficient security expertise of the developer, or the use of one of the many FREE plugins available (of which the security cannot be guaranteed). With WordPress running on 1 in 5 sites on the internet,…

23 Feb 2016
THEMES VULNERABILITY 2022
WP Theme CVE MAR 2024: 13 Premium Hack risk
14 Mar 2024
WP SECURITY
WP Security: 27 plugin vulnerabilities in November

For your WP Security, be informed about the latest vulnerabilities in WordPress plugins: Qards Stored Cross-Site Scripting (XSS) + Server Side Request Forgery (SSRF) reported by theMiddle https://mobile.twitter.com/Menin_TheMiddle. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web…

04 Dec 2017
CLOUD SERVICES
New Attack Vectors: CLOUD SERVICES

Social Engineering exploits More businesses are moving to the cloud, creating new kinds of risk. Analysing how attackers are getting access to this infrastructure—and how some users are inadvertently misusing it — provides critical insight into how to better protect against these new threats. The cloud and software-as-a-service (SaaS) apps…

13 Aug 2018
WP SECURITY
WP Security: 14 plugin vulnerabilities in March 2018

For your WP Security, be informed about the latest vulnerabilities in WordPress plugins: NextGEN Gallery BYPASS reported by Dewhurst Security. In the nextgen-gallery plugin before 2.2.50 for WordPress, gallery paths are not secured. immediately upgrade to version 2.2.50 to fix the vulnerability Category Order and Taxonomy Terms Order A1: Injection…

02 Apr 2018
WP SECURITY
WP SECURITY APR 2021 centralised abuse highlights
20 May 2021
PITCH
Pitch our services to Your Boss

This makes your life at work much better. We do the hard work, you get the glory! Pleasant win-win! ;) So….Why not? Pitch our WordPress Services to your boss! WordPress upkeep has a fundamental connection with outsourcing. Ever since the industry grew from a novelty to a full-blown profession, businesses…

19 May 2017
WP SECURITY PLUGIN VULNERABILITIES
30 WP Security Plugin Vulnerabilities JUN 2023
26 Jun 2023
THEMES VULNERABILITY 2022
Disempowered WP Security: #1 WP themes vulnerability MAY 2022
11 May 2022
WP SECURITY
WP Security: 21 plugin vulnerabilities in March 2019

WP Security bulletin – March 2019 At your next scheduled WordPress Maintenance, be advised for your WP Security about the latest 21 vulnerabilities in WordPress plugins identified and reported publicly. As these vulnerabilities are disclosed, when you use one (or more) of these outdated plugins – your risking serious WordPress…

09 Apr 2019
owlpower.eu
owlpower.eu
owlpower.eu
16+ years of owlsome experience
We're on an empowering mission for website owners, who desire not to be transformed forcefully into IT experts.