
WP Security: 11 plugin vulnerabilities in February 2018


For your WP security, here are the vulnerabilities disclosed in WordPress plugins during February 2018:

  1. Splashing Images
    • Authenticated PHP Object Injection reported by Dewhurst Security. The /admin/partials/wp-splashing-admin-main.php in the wp-splashing-images plugin before 2.1.1 for WordPress allows authenticated (administrator, editor, or author) remote attackers to conduct PHP Object Injection attacks via crafted serialized data in the 'session' HTTP GET parameter to wp-admin/upload.php.
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. A cross-site scripting (XSS) vulnerability in admin/partials/wp-splashing-admin-sidebar.php in the wp-splashing-images plugin before 2.1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the search parameter to wp-admin/upload.php.
      • Immediately update to version 2.1.1 to fix both vulnerabilities.
  2. Social Media Widget by Acurax
    • Stored XSS & CSRF reported by Dewhurst Security. The acx_asmw_saveorder_callback function in function.php in the acurax-social-media-widget plugin before 3.2.6 for WordPress has CSRF via the recordsArray parameter to wp-admin/admin-ajax.php, with resultant social_widget_icon_array_order XSS.
      • Immediately update to version 3.2.6 to fix the vulnerability.
  3. User Control
    • Unauthenticated SQL Injection reported by JustThomas (https://github.com/JustThomas). The User Control plugin has a vulnerability that allows every (unauthenticated) website visitor to perform arbitrary SQL queries.
      • Remove the plugin immediately. NO update has been provided by the developer to fix the vulnerability. The plugin has been closed and is no longer available for download.
  4. PropertyHive
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. The PropertyHive plugin before 1.4.15 for WordPress has XSS via the body parameter to includes/admin/views/html-preview-applicant-matches-email.php.
      • Immediately update to version 1.4.15 to fix the vulnerability.
  5. flickrRSS
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. A cross-site scripting (XSS) vulnerability in flickrRSS.php in the flickrRSS plugin 5.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the flickrRSS_set parameter to wp-admin/options-general.php.
    • CSRF reported by Dewhurst Security. The flickrRSS plugin 5.3.1 for WordPress has CSRF via wp-admin/options-general.php.
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. A cross-site scripting (XSS) vulnerability in flickrRSS.php in the flickrRSS plugin 5.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the flickrRSS_id parameter to wp-admin/options-general.php.
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. A cross-site scripting (XSS) vulnerability in flickrRSS.php in the flickrRSS plugin 5.3.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the flickrRSS_tags parameter to wp-admin/options-general.php.
      • Remove the plugin immediately. NO update has been provided by the developer to fix these vulnerabilities. The plugin was closed on February 11, 2018 and is no longer available for download.
  6. Instagram Feed
    • Authenticated PHP Object Injection reported by Chris Atomix (https://www.atomix.com.au). A reflected cross-site scripting (XSS) vulnerability was found in instagram-feed v1.5.1. The XSS payload attempts to upload a malicious PHP webshell, resulting in remote code execution (RCE) if successful.
      • Immediately update to version 1.6 to fix the vulnerability.
  7. Bookly #1 WordPress Booking Plugin (Lite)
    • Unauthenticated Blind Stored XSS reported by Luigi (https://www.gubello.me/blog/). An unauthenticated user can inject arbitrary persistent JavaScript code into the admin panel via the Bookly plugin.
      • Immediately update to version 14.5 to fix the vulnerability.
  8. Ninja Forms
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. The plugin does not neutralize, or incorrectly neutralizes, user-controllable input before it is placed in output that is served as a web page to other users.
      • Immediately update to version 3.2.14 to fix the vulnerability.
  9. WP Fastest Cache
    • Blind SQL Injection reported by Karim El Ouerghemmi (https://www.ripstech.com/). Improper escaping of user input when deleting the cache of specific pages leads to an SQL injection vulnerability: esc_sql() was applied to the input, but the result was used unquoted in the constructed SQL query, and esc_sql() only protects a value that is placed inside quotes.
      • Immediately update to version 0.8.7.5 to fix the vulnerability.
  10. Photo Gallery by WD
    • Cross-Site Scripting (XSS) reported by Karim El Ouerghemmi (https://www.ripstech.com/). User input is first escaped with esc_html() and then URL-decoded, so the decode step runs after the escaping and undoes it. This makes reflected XSS possible with a double-URL-encoded payload.
      • Immediately update to version 1.3.67 to fix the vulnerability.
  11. Custom Permalinks
    • Cross-Site Scripting (XSS) reported by Karim El Ouerghemmi (https://www.ripstech.com/). User-controllable input in the admin page of Custom Permalinks is output without any escaping.
    • Authenticated SQL Injection reported by Karim El Ouerghemmi (https://www.ripstech.com/). Missing validation of user-controllable input during the Bulk Action in the Custom Permalinks backend page leads to an SQL injection vulnerability.
      • Immediately update to version 1.2 to fix both vulnerabilities.
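Three root causes recur in the list above: state-changing handlers reachable without a nonce or capability check (items 2 and 5), SQL built by concatenating escaped-but-unquoted or unvalidated request values (items 9 and 11), and output that is escaped in the wrong order or not at all (items 10 and 11). The following is an added example written for this post, not code from any of the plugins named above or from the advisories, showing the hardened form of each pattern. It assumes a WordPress runtime for the admin-ajax and $wpdb parts; the `pv_` function names, the nonce action, the option name, the `pv_custom_permalink` meta key and the capability are assumptions for illustration. The escaping-order demo at the bottom also runs from a plain PHP command line thanks to the esc_html() stand-in.

```php
<?php
/*
 * Added example for this post (not code from the advisories or from any plugin named above).
 * Hardened forms of the three recurring root causes: CSRF on handlers (items 2/5),
 * SQL built from request data (items 9/11), and escaping order / missing escaping (items 10/11).
 * Assumes WordPress for the $wpdb and admin-ajax parts; all pv_* names, the nonce action,
 * the option name, the meta key and the capability are assumptions.
 */

if ( ! function_exists( 'esc_html' ) ) {
    // Stand-in for WordPress esc_html() so the escaping-order demo runs from plain PHP CLI.
    function esc_html( $text ) {
        return htmlspecialchars( (string) $text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8' );
    }
}

/* Items 2 and 5 (CSRF): a state-changing admin-ajax handler needs BOTH a nonce check
 * and a capability check; either one alone leaves the handler exposed. The input is
 * then reduced to the shape the handler expects (a list of slugs), which also removes
 * the markup that turned item 2's CSRF into stored XSS. */
function pv_save_icon_order() {
    check_ajax_referer( 'pv_save_order', 'nonce' );     // dies on a missing or invalid nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $order = isset( $_POST['recordsArray'] ) ? (array) $_POST['recordsArray'] : array();
    $order = array_values( array_filter( array_map( 'sanitize_key', $order ) ) );
    update_option( 'pv_icon_order', $order );            // hypothetical option name
    wp_send_json_success( $order );
}
if ( function_exists( 'add_action' ) ) {
    add_action( 'wp_ajax_pv_save_icon_order', 'pv_save_icon_order' );
}

/* Items 9 and 11 (SQL injection): esc_sql() only escapes quote characters, so it protects
 * a value that sits inside quotes and nothing else; item 9 used the escaped value unquoted.
 * Instead, let $wpdb->prepare() type every value (%d casts to integer, %s quotes and
 * escapes) and validate bulk-action input before it gets anywhere near the query. */
function pv_bulk_delete_permalinks( $raw_ids ) {
    global $wpdb;
    $ids = array_filter(
        array_map( 'intval', (array) $raw_ids ),
        function ( $id ) { return $id > 0; }
    );
    if ( empty( $ids ) ) {
        return 0;
    }
    $placeholders = implode( ',', array_fill( 0, count( $ids ), '%d' ) );
    $sql = $wpdb->prepare(
        "DELETE FROM {$wpdb->postmeta} WHERE meta_key = %s AND post_id IN ({$placeholders})",
        array_merge( array( 'pv_custom_permalink' ), array_values( $ids ) ) // meta key assumed
    );
    return $wpdb->query( $sql );
}

/* Items 10 and 11 (XSS): escape LAST, at the point of output, and never transform the
 * value after escaping. Item 10 escaped first and URL-decoded second, so a percent-encoded
 * angle bracket was turned back into a raw '<' after esc_html() had already run. */
function pv_render_term_weak_order( $raw ) {
    return urldecode( esc_html( $raw ) );    // the ordering the advisory describes
}
function pv_render_term( $raw ) {
    return esc_html( urldecode( $raw ) );    // decode (normalise) first, escape last
}

// Item 11, first bullet: admin-page output with no escaping at all. Same rule: escape at output.
function pv_render_permalink_cell( $permalink ) {
    return '<td>' . esc_html( $permalink ) . '</td>';
}

if ( PHP_SAPI === 'cli' && ! defined( 'ABSPATH' ) ) {
    $probe = '%3C';                          // constructed probe: one percent-encoded '<'
    echo 'weak order:     ' . pv_render_term_weak_order( $probe ) . PHP_EOL;
    echo 'hardened order: ' . pv_render_term( $probe ) . PHP_EOL;
    echo 'table cell:     ' . pv_render_permalink_cell( '<b>' ) . PHP_EOL;
}
```

Run from the command line, the demo shows the weak order handing the decoded angle bracket back unescaped while the hardened order returns an HTML entity. Two design notes: WordPress has already URL-decoded request parameters by the time a handler sees them, so a plugin usually needs no urldecode() at all, and decoding more than once is what makes double-encoded input reach the page; and esc_html() is for text nodes only, so attribute and URL contexts need esc_attr() and esc_url() respectively.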

Protect your WordPress: BEFORE IT'S TOO LATE! You will also protect your customers, your reputation and your online business!
