Scroll Top

WP Security: 11 plugin vulnerabilities in February 2018

By Csaba, Miklós WP Security WP SERVICES 2 March 2018

WP SECURITY: 11 PLUGIN VULNERABILITIES IN FEBRUARY 2018

For your WP Security, be informed about the latest vulnerabilities in WordPress plugins:

  1. Splashing Images
    • Authenticated PHP Object Injection reported by Dewhurst Security. The /admin/partials/wp-splashing-admin-main.php in the wp-splashing-images plugin before 2.1.1 for WordPress allows authenticated (administrator, editor, or author) remote attackers to conduct PHP Object Injection attacks via crafted serialized data in the ‘session’ HTTP GET parameter to wp-admin/upload.php.
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. A cross-site scripting (XSS) vulnerability in admin/partials/wp-splashing-admin-sidebar.php in the wp-splashing-images plugin before 2.1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the search parameter to wp-admin/upload.php.
      • immediately update to version 2.1.1 to fix both vulnerabilities
  2. Social Media Widget by Acurax
    • Stored XSS & CSRF reported by Dewhurst Security. The acx_asmw_saveorder_callback function in function.php in the acurax-social-media-widget plugin before 3.2.6 for WordPress has CSRF via the recordsArray parameter to wp-admin/admin-ajax.php, with resultant social_widget_icon_array_order XSS.
      • immediately update to version 3.2.6 to fix vulnerability
  3. User Control
    • Unauthenticated SQL Injection reported by JustThomas (https://github.com/JustThomas). The User Control plugin has a vulnerability that allows every (unauthenticated) website visitor to perform arbitrary SQL queries.
      • Remove plugin immediately. NO updates provided from developer to fix vulnerability. This plugin has been closed and is no longer available for download.
  4. PropertyHive
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. The PropertyHive plugin before 1.4.15 for WordPress has XSS via the body parameter to includes/admin/views/html-preview-applicant-matches-email.php.
      • immediately update to version 1.4.15 to fix vulnerability
  5. flickrRSS
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. A cross-site scripting (XSS) vulnerability in flickrRSS.php in the flickrRSS plugin 5.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the flickrRSS_set parameter to wp-admin/options-general.php.
    • CSRF reported by Dewhurst Security. The flickrRSS plugin 5.3.1 for WordPress has CSRF via wp-admin/options-general.php.
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. A cross-site scripting (XSS) vulnerability in flickrRSS.php in the flickrRSS plugin 5.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the flickrRSS_id parameter to wp-admin/options-general.php.
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. A cross-site scripting (XSS) vulnerability in flickrRSS.php in the flickrRSS plugin 5.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the flickrRSS_tags parameter to wp-admin/options-general.php.
      • Remove plugin immediately. NO updates provided from developer to fix vulnerability. This plugin was closed on February 11, 2018 and is no longer available for download.
  6. Instagram Feed
    • Authenticated PHP Object Injection reported by Chris Atomix (https://www.atomix.com.au). A reflective cross-site scripting (XSS) vulnerability was found in instagram-feed v1.5.1. The XSS payload attempts to upload a malicious PHP webshell, resulting in remote code execution (RCE) if successful.
      • immediately update to version 1.6 to fix vulnerability
  7. Bookly #1 WordPress Booking Plugin (Lite)
    • Unauthenticated Blind Stored XSS reported by Luigi (https://www.gubello.me/blog/). An unauthenticated user can inject arbitrary persistent javascript code in the admin panel via Bookly plug-in.
      • immediately update to version 14.5 to fix vulnerability
  8. Ninja Forms
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
      • immediately update to version 3.2.14 to fix vulnerability
  9. WP Fastest Cache
    • Blind SQL Injection reported by Karim El Ouerghemmi https://www.ripstech.com/. Improper escaping of user input when deleting the cache of specific pages leads to SQL injection vulnerability. esc_sql() was used on input but the result was used unquoted in the constructed SQL query.
      • immediately update to version 0.8.7.5 to fix vulnerability
  10. Photo Gallery by WD
    • Cross-Site Scripting (XSS) reported by Karim El Ouerghemmi https://www.ripstech.com/. User input gets first escaped with esc_html() and then urldecoded. This leads to the possibility of reflected XSS with a double url encoded payload.
      • immediately update to version 1.3.67 to fix vulnerability
  11. Custom Permalinks
    • Cross-Site Scripting (XSS) reported by Karim El Ouerghemmi https://www.ripstech.com/. User controllable input in the admin page of Custom Permalinks gets output without any escaping.
    • Authenticated SQL Injection reported by Karim El Ouerghemmi https://www.ripstech.com/. Missing checking of user-controllable input during Bulk Action in the Custom Permalinks backend page leads to SQL injection vulnerability.
      • immediately update to version 1.2 to fix both vulnerabilities

Protect your WordPress: BEFORE IT’S TOO LATE! You will also protect your customers, your reputation and your online business!

WP Security

Related Posts

WP SECURITY
7 WordPress Security Core Vulnerabilities in December 2018

7 WordPress Security Core Vulnerabilities in December 2018 For your WordPress Security, be informed about the NEW WP Core Vulnerabilities. Publicly known since its first official report on December 14, 2018. WordPress <= 5.0 – Authenticated File Delete Description: Karim El Ouerghemmi discovered that authors could alter meta data to…

10 Jan 2019
WP SECURITY
WP Security: plugin vulnerabilities October

For your WP Security, be informed about the latest vulnerabilities in WordPress plugins: Content Timeline Multiple Blind SQL Injection reported by Jeroen (IT Nerdbox). One unauthenticated and two authenticated injections in the premium ‘Content Timeline’ WP plugin. Author contacted twice without any response. remove this plugin to fix vulnerabilities, as…

01 Nov 2017
THEMES VULNERABILITY 2022
Disempowered WP Security: 9 WP themes vulnerability MAY 2021
14 Jun 2021
WP CORE VULNERABILITY 2022
WP Core Vulnerability JUN 2023: 6 patches
06 Jun 2023
THEMES VULNERABILITY 2022
Disempowered WP Security: 1 WP themes vulnerability FEB 2022
17 Feb 2022
SAFETY
Convenience versus Safety for WordPress Security

Convenience vs Safety for WordPress Security It isn’t simple to be safe and secure all the time – this is especially true if you are brand-new to online security. Even the best WordPress Security plan needs intentional effort for everybody involved. And it must be supervised with constant vigilance. Unfortunately,…

27 Feb 2019
WP SECURITY PLUGIN VULNERABILITIES
16 WP Security Plugin Vulnerabilities APR 2023
24 Apr 2023
WP SECURITY
WP Vulnerability DEC 2022 Centralised Abuse Highlights
26 Dec 2022
WP CORE VULNERABILITY 2022
Caution: 3 WP Core Vulnerability SEP 2021
11 Nov 2021
WP SECURITY
WP Security: 21 plugin vulnerabilities in January 2019

WP Security bulletin – January 2019 At your next scheduled WordPress Maintenance, be advised for your WP Security about the latest 21 vulnerabilities in WordPress plugins identified and reported publicly. As these vulnerabilities are disclosed, when you use one (or more) of these outdated plugins – your risking serious WordPress…

05 Feb 2019
WP SECURITY
WP Vulnerability APR 2022 Centralised Abuse Highlights
14 Apr 2022
FAIL IN SECURITY
WordPress Security vs DIY

WordPress Security is one of those topics that divide people into three separate groups: some people enjoy outsourced services, some people really enjoy saving a few bucks by doing it themselves and some business owners simply just don’t mind. Let’s see how this decision affects their business in short and…

22 May 2017
VULNERABILITY
WordPress Plugin Vulnerabilities MAY 2022 – owl WPS Alarming Report
24 May 2022
WP SECURITY
WP Security: 3 theme vulnerabilities in May 2019

WP Security bulletin – May 2019 At your next scheduled WordPress Maintenance, be advised for your WP Security about the latest 3 vulnerabilities in a premium WordPress theme identified and reported publicly in May 2019. As these vulnerabilities are disclosed, when you use one (or more) of these outdated themes…

17 Jun 2019
WP SECURITY PLUGIN VULNERABILITIES
19 WP Security Plugin Vulnerabilities JUN 2022 Threat
17 Jun 2022
owlpower.eu
owlpower.eu
owlpower.eu
16+ years of owlsome experience
We're on an empowering mission for website owners, who desire not to be transformed forcefully into IT experts.