For your WP security, stay informed about the latest vulnerabilities in WordPress plugins:
- WP Security Audit Log Plugin
  - Sensitive Information Disclosure reported by Colette Chamberland (https://www.defiant.com; @cjchamberland). There is no protection on wp-content/uploads/wp-security-audit-log/*; the directory is indexed by Google and may allow attackers to find user information (such as failed login attempts). Google Dork: inurl:/wp-content/uploads/wp-security-audit-log/
  - Immediately upgrade to version 3.1.2 to fix the vulnerability.
- WordPress File Upload
  - Security Issue in Shortcodes reported by Ryan (https://dewhurstsecurity.com/; @ethicalhack3r). The Iptanus WordPress File Upload plugin before 4.3.3 for WordPress mishandles shortcode attributes.
  - Cross-Site Scripting (XSS) reported by Ryan (https://dewhurstsecurity.com/; @ethicalhack3r). The Iptanus WordPress File Upload plugin before 4.3.4 for WordPress mishandles Settings attributes, leading to XSS.
  - Immediately upgrade to version 4.3.4 to fix both vulnerabilities.
- My Calendar
  - Authenticated Cross-Site Scripting (XSS) reported by Ryan (@ethicalhack3r; https://dewhurstsecurity.com/). An authenticated user who can add new events can inject arbitrary JavaScript code via the event_time_label input. The injected code runs both on the event page and in the admin panel. In my-calendar-event-manager.php, line 1873, the variable $eventTime is not sanitized.
  - Immediately upgrade to version 2.5.17 to fix the vulnerability.
- WP Background Takeover
  - Directory Traversal reported by Colette Chamberland (@cjchamberland; https://defiant.com). Allows an attacker to read files outside the intended directory via the download.php file, for example: https://target[.]com/wp-content/plugins/wpsite-background-takeover/exports/download.php?filename=../../../../wp-config.php
  - Immediately upgrade to version 4.1.5 to fix the vulnerability.
- Relevanssi
  - Cross-Site Scripting (XSS) reported by Ryan (@ethicalhack3r; https://dewhurstsecurity.com). Cross-site scripting (XSS) vulnerability in lib/interface.php of the Relevanssi plugin 4.0.4 for WordPress allows remote attackers to inject arbitrary JavaScript or HTML via the tab GET parameter.
  - Immediately upgrade to version 4.0.5 to fix the vulnerability.
- Contact Form 7 to Database Extension
  - CSV Injection reported by Ryan (@ethicalhack3r; https://dewhurstsecurity.com). CSV Injection vulnerability in ExportToCsvUtf8.php of the Contact Form 7 to Database Extension plugin 2.10.32 for WordPress allows remote attackers to inject spreadsheet formulas into CSV files via the contact form.
  - Immediately upgrade to version 2.10.36 to fix the vulnerability.
  - This plugin has been closed and is no longer available for download: https://wordpress.org/plugins/contact-form-7-to-database-extension/
- WP Live Chat Support
  - Unauthenticated Stored XSS reported by Luigi (https://www.gubello.me/blog/). An unauthenticated user can inject arbitrary JavaScript code into the admin panel by using the "Name" text field of WP Live Chat Support. The injected code runs on the wplivechat-menu-history page. In the file wp-live-chat-support.php there is no sanitization of $result->id (line 4439). WP Live Chat Support 8.0.05 is vulnerable, and probably earlier versions too.
  - Immediately upgrade to version 8.0.06 to fix the vulnerability.
- WP Image Zoom
  - Cross-Site Request Forgery (CSRF) reported by Ryan (@ethicalhack3r; https://dewhurstsecurity.com). The web application does not, or cannot, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted it.
  - Immediately upgrade to version 1.24 to fix the vulnerability.
- Responsive Cookie Consent
  - Authenticated Stored Cross-Site Scripting (XSS) reported by B0UG. A persistent cross-site scripting vulnerability has been found in the web interface of the plugin that allows arbitrary HTML/script code to be executed in the victim's browser when they visit the website.
  - Immediately upgrade to version 1.8 to fix the vulnerability.
- UK Cookie Consent
  - Authenticated Stored Cross-Site Scripting (XSS) reported by B0UG. A persistent cross-site scripting vulnerability has been identified in the web interface of the plugin that allows arbitrary HTML/script code to be executed in a victim's web browser.
  - Immediately upgrade to version 2.3.10 to fix the vulnerability.
- Caldera Forms
  - Multiple Cross-Site Scripting (XSS) reported by Ryan (@ethicalhack3r; https://dewhurstsecurity.com). Multiple cross-site scripting (XSS) vulnerabilities in the Caldera Forms plugin before 1.6.0-rc.1 for WordPress allow remote attackers to inject arbitrary web script or HTML via vectors involving (1) a greeting message, (2) the email transaction log, or (3) an imported form.
  - Immediately upgrade to version 1.6.0 to fix the vulnerability.
Our only security is our ability to change. ~ John Lilly
At the end of the day, the goals are simple: safety and security. ~ Jodi Rell
Get Healthy, Stay Healthy: A healthier online business starts today and it begins with you!
Protect your WordPress: BEFORE IT'S TOO LATE! You will also protect your customers, your reputation and your online business!
We're passionate about helping you grow and make your impact
Continue being informed
Monthly vulnerability reports about WordPress and WooCommerce, plugins, themes.
Weekly inspiration, news and occasional hand-picked deals. Unsubscribe anytime.