WP Security: 5 plugin vulnerabilities in July 2018

WP SECURITY: 5 PLUGIN VULNERABILITIES IN JULY 2018

At your next scheduled WordPress Maintenance, be advised for your WordPress protection about the latest vulnerabilities in WordPress plugins identified and reported publicly this month:


  1. Open Graph for Facebook, Google+ and Twitter Card Tags
    • Unauthenticated Cross-Site Scripting (XSS) reported by Thomas Chauchefoin. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
      • WordPress Maintenance recommendation: immediately upgrade to version 2.2.4.2 to fix the vulnerability

  2. All In One Favicon
    • Unauthenticated Cross-Site Scripting (XSS) reported by Javier Olmedo (https://hackpuntes.com). Multiple Persistent cross-site scripting (XSS) issues in the Techotronic all-in-one-favicon (aka All In One Favicon) plugin 4.6 for WordPress allow remote attackers to inject arbitrary web script or HTML via Apple-Text, GIF-Text, ICO-Text, PNG-Text, or JPG-Text.
      • WordPress Maintenance recommendation: immediately upgrade to version 4.7 to fix the vulnerability

  3. Geo Mashup
    • Unspecified Cross-Site Scripting (XSS) reported by Ryan (Dewhurst Security). The Geo Mashup plugin before 1.10.4 for WordPress has insufficient sanitization of the post editor and other user input.
      • WordPress Maintenance recommendation: immediately upgrade to version 1.10.4 to fix the vulnerability

  4. Our only security is our ability to change. ~ John Lilly


  5. Multi Step Form
    • Unauthenticated Cross-Site Scripting (XSS) reported by Javier Olmedo (https://hackpuntes.com). WordPress Plugin Multi-Step Form before 1.2.5 allows remote users to execute JavaScript code through Reflected XSS attacks. This issue can be exploited by unauthenticated attackers, with the use of CSRF.
      • WordPress Maintenance recommendation: IMMEDIATELY UNISTALL THIS PLUGIN! This plugin was closed on July 30, 2018 and is no longer available for download.

  6. Snazzy Maps
    • Unspecified Cross-Site Scripting (XSS) reported by Ryan (Dewhurst Security). During the security audit of Snazzy Maps plugin for WordPress CMS, multiple Cross-Site Scripting (XSS) vulnerabilities were discovered using DefenseCode ThunderScan application source code security analysis platform.
      • WordPress Maintenance recommendation: IMMEDIATELY UNISTALL THIS PLUGIN! This plugin was closed on July 29, 2018 and is no longer available for download.

Protect your WordPress: BEFORE IT’S TOO LATE! You will also protect your customers, your reputation and your online business!

Related Posts

owl power EUROPE
×





0
owl power EUROPE
error: Content is protected !!