Unrestricted Access JUL 2021
Tailored WordPress Security Report
Be informed about the latest Unrestricted Access JUL 2021 – WP Security Circumvention, identified and reported publicly. These breaches create even more problems and vulnerability exploitation with a severe negative impact on any WordPress Security. Consider our FREE security AUDIT.
An jaw-dropping estimated 1.171.000+ active WordPress installations are susceptible to these attack types, considering only the publicly available numbers. The estimated number can double with premium versions as they are private purchases.
Furthermore, the initial estimation can multiply if we consider the already patched versions BUT NOT UPDATED by owners, as the vulnerability remains active within their domain. As these owners start changing their hosting provider (due to constant unexplained issues), they actively migrate these vulnerabilities behind protected areas, possibly exposing other clean WP to different attack types.
It is a mind-boggling 600% increase compared to December 2020. We compare last month versus previous winter holiday season, which has the biggest shopping traffic and attack spike throughout the year. Read more about our previous reports here: 29 Unrestricted Access JUN 2021 – WP Security Circumvention and 5 Unrestricted Access Issues – WordPress Security DEC. The following cases made headlines PUBLICLY just last month in the SQL Injections JUL 2021 category:
- ProfilePress – Authenticated Stored XSS
- ProfilePress – Unauthenticated Privilege Escalation
- ProfilePress – Arbitrary File Upload in Image Uploader Component
- ProfilePress – Unauthenticated Cross-Site Scripting
- ProfilePress (formerly WP User Avatar) is a lightweight membership plugin that lets you create beautiful user profiles, member directories and frontend user registration form, login form, password reset and editing profile information. It also allows you to protect sensitive content and control user access. Active installations: 400,000+
- Cooked – Recipe Plugin – Unauthenticated Reflected Cross-Site Scripting
- Cooked is the absolute best way to create & display recipes with WordPress. SEO optimized (rich snippets), galleries, cooking timers, printable recipes and much more. Active installations: 8,000+
- Calendar Event Multi View – Unauthenticated Reflected Cross-Site Scripting
- The Calendar Event Multi View is an event calendar for WordPress websites that features multiple visualization modes and multiple predefined styles. Active installations: 2,000+
- Astra Pro Addon – Unauthenticated SQL Injection
- Woocommerce Blocks – Unauthenticated SQL Injection
- WooCommerce Blocks are the easiest, most flexible way to display your products on posts and pages! Active installations: 200,000+
- Frontend File Manager – Privilege Escalation
- Frontend File Manager – Unauthenticated Content Injection and Stored XSS
- Frontend File Manager – Authenticated Arbitrary Settings Change to Arbitrary File Upload
- Frontend File Manager – Unauthenticated Arbitrary Post Deletion
- Frontend File Manager – Unauthenticated Post Meta Change to Arbitrary File Download
- Frontend File Manager – Unauthenticated HTML Injection
- This plugin lets the wordpress site users to upload files for admin. Each file is saved in private directory so each user can download/delete their own files after login. Active installations: 2,000+
- ECPay Logistics for WooCommerce – Unauthenticated Reflected XSS
- 綠界科技物流外掛套件，提供合作特店以及個人會員使用開放原始碼商店系統時，無須自行處理複雜的檢核，直接透過安裝設定外掛套件，便可以較快速的方式介接綠界科技的物流系統。 Active installations: 2,000+
- Cooked Pro – Unauthenticated Reflected Cross-Site Scripting (XSS)
- This plugin has been closed as of July 4, 2021 and is not available for download. Reason: Security Issue.
- Grid Gallery – Unauthenticated Reflected Cross-Site Scripting (XSS)
- There are dozens of “Grid Gallery” out there, but the problem is that they always work the same! Grid Gallery uses a brand new algorithm to make much more interesting image grids, how does it work? Active installations: 700+
- WP Custom Fields Search – Unauthenticated Reflected Cross-Site Scripting (XSS)
- With this you can give your readers the ability to search and filter your posts / catalogue to quickly find the information they need. Any custom fields you have added to your posts can be made searchable as well as the core post fields like title, author, categories etc. Configurable input widgets allow you to customise the form further to build exactly the search you need for your site. Active installations: 4,000+
- Charitable – Donation Plugin – Authenticated Stored Cross-Site Scripting (XSS)
- Charitable – Donation Plugin – Unauthenticated Stored Cross-Site Scripting (XSS)
- Email Subscriber – Unauthenticated Stored Cross-Site Scripting (XSS)
- This plugin has been closed as of May 19, 2021 and is not available for download. Reason: Security Issue.
- Edit Comments – Unauthenticated SQL Injection
- Edit Comments – Reflected Cross-Site Scripting
- This plugin has been closed as of June 2, 2021 and is not available for download. Reason: Security Issue.
- Profile Builder – Authenticated Stored XSS
- Profile Builder – Admin Access via Password Reset Bug
- Easy to use user profile plugin for creating front-end login, user registration and edit profile forms by using shortcodes. Active installations: 60,000+
- WP Upload Restriction – CSRF Bypass
- WP Upload Restriction – Missing Access Control in deleteCustomType
- WP Upload Restriction – Missing Access Control in getSelectedMimeTypesByRole
- This plugin has been closed as of July 1, 2021 and is not available for download. This closure is temporary, pending a full review.
- LifterLMS – Access Other Student Grades/Answers via IDOR
- LifterLMS is a powerful WordPress LMS plugin that makes it easy to create, sell, and protect engaging online courses and training based membership websites. LifterLMS is a complete course building and LMS solution that works with any well-coded WordPress theme, modern WordPress blocks, and all the popular WordPress page builders (like Elementor, Beaver Builder, Divi, Gutenberg, etc.). As an engaged WordPress community member, LifterLMS actively encourages and helps other great plugins integrate with LifterLMS like Affiliate WP, Monster Insights, WP Fusion, the most popular form plugins, GamiPress, Astra Pro, the Course Scheduler, and many more. You can also connect your WordPress LMS website to 1,500+ other apps via Zapier. LifterLMS is one of only 11 WordPress plugins listed in the Zapier app directory. Active installations: 10,000+
- Strong Testimonials – Unauthorized AJAX Call
- In just a few steps, you will be collecting and publishing your testimonials or reviews. Beginners and pros alike will appreciate the wealth of flexible features refined over 4 years from user feedback and requests. Active installations: 100,000+
- Adapta RGPD – Unauthorized Consent via CSRF
- Adapta RGPD es una herramienta que te ayuda a crear las páginas legales en español, adaptar tu sitio web al RGPD y cumplir la ley de Cookies de una forma clara y fácil. Active installations: 30,000+
- MailOptin – Unauthorized AJAX Call
- MailOptin is a form builder and popup builder for creating popups, subscribe forms, user registration form and sending email newsletters. Active installations: 30,000+
- YITH Request a Quote for WooCommerce – Unauthorized AJAX call via CSRF
- YITH Request a Quote for WooCommerce is a powerful tool to hide prices and/or add to cart buttons and let your customers request a custom quote for every product. Active installations: 10,000+
- ReviewX – Unauthorized AJAX call via CSRF
- Boost Sales With The Power of Multicriteria Customer Reviews for WooCommerce Product Active installations: 9,000+
- Food Store – Unauthorized AJAX call via CSRF
- Food Store is created by extending the core functionalities of WordPress and WooCommerce, which make it very minimal, clutter free and very familiar to use. All your WooCommerce Categories, Settings and ease of setting up store and moving around the settings panel is still there. Active installations: 2,000+
- WP Prayer – Unauthorized AJAX call via CSRF
- Prayer request application that allows users to submit requests, or pray for existing requests. All requests can be moderated from the admin section. Active installations: 1,000+
- KONTXT Content Advisor – Unauthorized AJAX call via CSRF
- The KONTXT Content Advisor WordPress plugin provides in-depth text analysis on your posts, pages, and product listings. Experiment with your words and get an objective review of the tone and emotions of your language and identify hidden keywords and concepts buried inside your content. Use these discoveries to fine-tune your writing style to your target audience and optimize search engine indexing (SEO). Active installations: 900+
- MZ Mindbody API – Unauthorized AJAX call via CSRF
- Display special events, class schedules and instructors from Mindbody. Active installations: 40+
- Journey Analytics – Unauthorized AJAX call via CSRF
- Track your customer journeys by intent and by business goal. Identify your most lucrative paths and those where customers are dropping off. Active installations: 20+
- Alkubot – Unauthorized AJAX call via CSRF
- Say goodbye to intrusive, low converting pop-ups. Boost your revenue and optimize coupons/discounts with an intelligent gamified sales chatbot. Active installations: 10+
- MZ MBO Access – Unauthorized AJAX call
- Install and you can limit content based on user MBO memberships Active installations: 10+
- SEO Wizard – Unauthorized robots.txt & .htaccess Edit via CSRF
- This plugin has been closed and is no longer available for download.
- Title Field Validation – Unauthorized AJAX call via CSRF
- This plugin has been closed as of March 24, 2021 and is not available for download. Reason: Security Issue.
- Filter Gallery – Unauthorized AJAX Calls
- Filter gallery is a free WordPress plugin with multiple use case. You can publish a filter gallery within a few minutes. For this, create new filters, upload images and apply filters to them, configure setting, generate shortcode and publish the gallery on page or post. Active installations: 20+
- CRM: Contact Management Simplified – UkuuPeople – Unauthorized Favourite Addition/Deletion
- This plugin has been closed as of March 24, 2021 and is not available for download. Reason: Security Issue.
- Workreap – Freelance Marketplace and Directory WordPress Theme – Missing Authorization Checks in Ajax Actions
- Workreap – Freelance Marketplace and Directory WordPress Theme – Multiple CSRF + IDOR Vulnerabilities
- Workreap – Freelance Marketplace and Directory WordPress Theme – Unauthenticated Upload Leading to RCE
- Workreap is a Freelance Marketplace WordPress theme with some exciting features and excellent code quality. It has been designed and developed after thorough research to cater the requirements of people interested in building freelance marketplace or other similar projects. The design is contemporary but at the same time it focuses on the usability, visual hierarchy and aesthetics to ensure easy navigation for the end users.
- Photo Gallery – Stored XSS via Uploaded SVG in Zip
- Photo Gallery – Stored Cross-Site Scripting via Uploaded SVG
- Photo Gallery – File Upload Path Traversal
- Photo Gallery is the leading plugin for building beautiful mobile-friendly galleries in a few minutes. Active installations: 300,000+
- WooCommerce Currency Switcher – Authenticated (Low Privilege) Local File Inclusion
- WOOCS – WooCommerce Currency Switcher WooCommerce multi currency switcher plugin for wooocmmerce, that allows your site visitors switch products prices currencies according to set currencies rates in the real time and pay in the selected currency (optionally). WOOCS is multi currency plugin that allows to add any currency to WooCommerce store. Ideal solution to make the serious WooCommerce store site in multiple currencies! Active installations: 60,000+
BRIEF: Open and Unrestricted Access JUL 2021 to anything within a website is one thing everybody considers to be a total disaster. Many employees have come to rely on the Internet both for work and day-to-day life. As such, they demand unrestricted access at work, and many company bosses have obliged. Without the knowledge to them, however, there may be a risk associated with this.
What is Unauthenticated Insecure Deserialisation?
Insecure Deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application, inflict a denial of service (DoS) attack, or even execute arbitrary code upon it being deserialized. If the function that is responsible for converting serial data into a structured object assumes that the data is trusted, an attacker may format the serial data in such a way that the result of deserialization is malicious. Unfortunately, many standard deserialization functions in programming languages assume that the data is safe.
What is Unauthenticated Backup Download?
The plugin does not restrict access to a BACKUP file containing sensitive information, such as the internal path of backups, which may then allow unauthenticated users to download them.
What is Unrestricted File Upload?
By exploiting this vulnerability, attackers could simply upload files of any type, bypassing all restrictions placed regarding the allowed upload-able file types on a website. By doing this, it allows an attacker to inject malicious content such as web shells into the sites, and providing a method for initial access into the system.
What is Login Rate Limiting Bypass?
When the plugin is configured with a custom header in its Trusted IP Origins setting (e.g X-Forwarded-For), attackers could bypass the protection offered by tampering the header sent in requests. When the plugin is configured to accept an arbitrary header as client source IP address, a malicious user is not limited to perform a brute force attack, because the client IP header accepts any arbitrary string. When randomizing the header input, the login count does never reach the maximum allowed retries.
What is Improper Authorisation Check?
An attacker could leverage these issues to dump the database including administrative user credentials, to steal cookie-based authentication credentials, or launch other attacks. An anonymous user may create a new dive entry with a crafted HTTP POST.