
WP Security: 17 plugin vulnerabilities in January 2018

WP SECURITY: PLUGIN VULNERABILITIES JANUARY 2018

For your WP security, here are the latest reported vulnerabilities in WordPress plugins, each with the version that fixes it or, where the developer has shipped no fix, the advice to remove the plugin:

  1. Church Admin
    • Unauthenticated Directory Traversal reported by malwrforensics.com. The plugin uses external input to build a pathname that is meant to point at a file or directory beneath a restricted parent directory, but it does not neutralize special elements (such as "../") in that input, so the pathname can resolve to a location outside the restricted directory.
      • Update immediately to version 0.565, which fixes the vulnerability.
  2. SagePay Server Gateway for WooCommerce
    • Unauthenticated Cross-Site Scripting (XSS) reported by Dewhurst Security. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site, which may allow the attacker to steal cookie-based authentication credentials and launch further attacks.
      • Update immediately to version 1.0.9, which fixes the vulnerability.
  3. WordPress Download Manager
    • Cross-Site Request Forgery (CSRF) reported by Dewhurst Security. The plugin registers the AJAX action `wpdm-install-addon`, which calls the function `wpdm_install_addon`. The function takes no anti-CSRF measures (no nonce check), so a logged-in user can be made to trigger it by visiting an attacker-controlled page.
      • Update immediately to version 2.9.61, which fixes the vulnerability.
  4. Dbox 3D Slider Lite
    • Multiple Authenticated SQL Injections reported by Dewhurst Security. During its security analysis, ThunderScan discovered several SQL injection vulnerabilities.
      • Remove the plugin immediately. No update has been provided by the developer; the plugin was closed on January 15, 2018 and is no longer available for download.
  5. Smooth Slider
    • Authenticated SQL Injection reported by Dewhurst Security. During its security analysis, ThunderScan discovered an SQL injection vulnerability in the Smooth Slider WordPress plugin. Because the vulnerable code performs no nonce check, it is also directly exposed to Cross-Site Request Forgery (CSRF).
      • Update immediately to version 2.8.7, which fixes the vulnerability.
  6. Testimonial Slider
    • Authenticated SQL Injection reported by Dewhurst Security. Users without full administrative privileges could abuse the database access the vulnerability provides to escalate their privileges or to read and modify database contents they should not have access to. Because the vulnerable code performs no nonce check, it is also directly exposed to Cross-Site Request Forgery (CSRF).
      • Update immediately to version 1.2.5, which fixes the vulnerability.
  7. WPGlobus – Multilingual Everything!
    • Several Stored XSS & CSRF vulnerabilities reported by Dewhurst Security.
      • CSRF via wp-admin/options.php
      • XSS via the wpglobus_option[post_type][page] parameter to wp-admin/options.php
      • XSS via the wpglobus_option[enabled_languages][en] or wpglobus_option[enabled_languages][fr] (or any other language) parameter to wp-admin/options.php
      • XSS via the wpglobus_option[browser_redirect][redirect_by_language] parameter to wp-admin/options.php
      • XSS via the wpglobus_option[selector_wp_list_pages][show_selector] parameter to wp-admin/options.php
      • XSS via the wpglobus_option[more_languages] parameter to wp-admin/options.php
      • XSS via the wpglobus_option[post_type][post] parameter to wp-admin/options.php
      • Update immediately to version 1.9.7.5, which fixes the above vulnerabilities.
  8. SrbTransLatin
    • Stored XSS & CSRF vulnerabilities reported by Dewhurst Security.
      • CSRF via an srbtranslatoptions action to wp-admin/options-general.php
      • XSS via an srbtranslatoptions action to wp-admin/options-general.php with a lang_identificator parameter
      • Update immediately to version 1.52, which fixes the above vulnerabilities.
  9. YITH WooCommerce Wishlist
    • Authenticated SQL Injection vulnerabilities reported by Dewhurst Security. A logged-in attacker (with at least a subscriber account) could leak sensitive data and, in certain configurations, compromise the entire WordPress installation.
      • Update immediately to version 2.2.0, which fixes the above vulnerabilities.
  10. Email Subscribers & Newsletters
    • A2 (OWASP Top 10 2013): Broken Authentication and Session Management, reported by Dewhurst Security. The vulnerability allows an unauthenticated user to download the site's entire subscriber list, including names and e-mail addresses.
      • Update immediately to version 3.4.8, which fixes the vulnerability.
  11. BuddyBoss Media
    • A3: Cross-Site Scripting (XSS) reported by @ozzi_____ (https://mobile.twitter.com/ozzi_____). The plugin does not neutralize, or incorrectly neutralizes, user-controllable input before placing it in output that is served as a web page to other users.
      • Remove the plugin immediately. No update has been provided by the developer yet.
  12. Dark Mode
    • A3: Cross-Site Scripting (XSS) reported by Dewhurst Security.
      • XSS exists via the wp-admin/profile.php dark_mode_start parameter
      • XSS exists via the wp-admin/profile.php dark_mode_end parameter
      • Update immediately to version 1.7, which fixes the above vulnerabilities.
  13. Pinterest Feed
    • Authenticated XSS & CSRF reported by Dewhurst Security.
      • XSS exists via the wp-admin/admin-ajax.php weblizar_pffree_settings_save_get-users parameter
      • XSS exists via the wp-admin/admin-ajax.php PFFREE_Access_Token parameter
      • XSS exists via the wp-admin/admin-ajax.php security parameter
      • CSRF exists via wp-admin/admin-ajax.php
      • Update immediately to version 1.1.2, which fixes the above vulnerabilities.
  14. Coming Soon
    • Multiple Authenticated Stored XSS & CSRF vulnerabilities reported by Dewhurst Security.
      • XSS exists via the wp-admin/admin.php coming-soon_sub_title parameter
      • XSS exists via the wp-admin/admin.php logo_width parameter
      • XSS exists via the wp-admin/admin.php counter_title parameter
      • XSS exists via the wp-admin/admin.php button_text_link parameter
      • XSS exists via the wp-admin/admin.php social_icon_1 parameter
      • XSS exists via the wp-admin/admin.php logo_height parameter
      • XSS exists via the wp-admin/admin.php bg_color parameter
      • XSS exists via the wp-admin/admin.php counter_title_icon parameter
      • XSS exists via the wp-admin/admin.php coming-soon_title parameter
      • Update immediately to version 1.1.19, which fixes the above vulnerabilities.
  15. read-and-understood
    • Multiple Authenticated Stored XSS & CSRF vulnerabilities reported by Dewhurst Security.
      • XSS exists via the wp-admin/options-general.php rnu_username_validation_pattern parameter.
      • XSS exists via the wp-admin/options-general.php rnu_username_validation_title parameter.
      • CSRF exists via wp-admin/options-general.php.
      • Remove the plugin immediately. No update has been provided by the developer; the plugin was closed on January 12, 2018 and is no longer available for download.
  16. Booking calendar
    • Multiple Authenticated Stored XSS & CSRF vulnerabilities reported by Dewhurst Security.
      • XSS exists via the wp-admin/admin.php sale_conditions[count][] parameter.
      • XSS exists via the wp-admin/admin.php extra_field1[items][field_item1][price_percent] parameter.
      • XSS exists via the wp-admin/admin.php form_field5[label] parameter.
      • CSRF exists via wp-admin/admin.php.
      • Update immediately to version 2.1.8, which fixes the above vulnerabilities.
  17. Google Forms
    • A5: Security Misconfiguration, Unauthenticated Server-Side Request Forgery (SSRF) reported by Dewhurst Security. The bug was reported to the author on October 13, 2017 and fixed in January 2018 (version 0.92).
      • Update immediately to version 0.92, which fixes the vulnerability.
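Most of the entries above come down to the same three omissions in plugin code: an admin action reachable without a nonce or capability check (CSRF, items 3, 5, 6, 8, 13 to 16), an option stored and echoed without sanitising or escaping (stored XSS, items 7, 8, 12 to 16), and a query built by string concatenation (SQL injection, items 4 to 6, 9). The following is an added example, not code from any of the plugins listed: one small WordPress admin-ajax handler written first with those defects and then in hardened form. The action name `demo_save_title`, the option `demo_slider_title`, the settings group `demo_settings` and the table `{$wpdb->prefix}demo_slides` are invented for the illustration. The file is meant to be dropped into wp-content/mu-plugins/ of a test site; it does nothing outside WordPress.

```php
<?php
/**
 * Plugin Name: Plugin hardening pattern (added example, not from any plugin above)
 * Description: Vulnerable vs. hardened admin-ajax handler; illustration only.
 */

// ---------- Vulnerable form: the pattern behind most advisories above ----------
// Deliberately NOT registered with add_action(); kept only for comparison.
function demo_save_title_vulnerable() {
    global $wpdb;

    // (a) No nonce and no capability check: any authenticated user can call this,
    //     and a logged-in admin can be made to call it from an attacker's page (CSRF).
    $title = $_POST['title'];

    // (b) Stored as received; the render function below echoes it unescaped (stored XSS).
    update_option( 'demo_slider_title', $title );

    // (c) Request value concatenated into SQL (authenticated SQL injection).
    $id  = $_POST['slide_id'];
    $row = $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}demo_slides WHERE id = $id" );

    wp_send_json_success( $row );
}

function demo_render_title_vulnerable() {
    echo '<input type="text" name="title" value="' . get_option( 'demo_slider_title' ) . '">';
}

// ---------- Hardened form ----------
add_action( 'wp_ajax_demo_save_title', 'demo_save_title_hardened' );
function demo_save_title_hardened() {
    global $wpdb;

    // (a) Verify the nonce the admin page issued with wp_create_nonce( 'demo_save_title' )
    //     and sent as the 'security' field. A missing or stale nonce ends the request
    //     with a 403 response; this is what stops CSRF.
    check_ajax_referer( 'demo_save_title', 'security' );

    //     Then require the capability the operation needs, not merely "logged in":
    //     the nonce proves intent, the capability proves authorisation.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // (b) Sanitise on the way in: tags, line breaks and stray whitespace are removed.
    $title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    update_option( 'demo_slider_title', $title );

    // (c) Coerce the id to a non-negative integer and let $wpdb->prepare() bind it.
    $id  = isset( $_POST['slide_id'] ) ? absint( $_POST['slide_id'] ) : 0;
    $row = $wpdb->get_row( $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}demo_slides WHERE id = %d",
        $id
    ) );

    wp_send_json_success( $row );
}

// (b, output side) Escape for the output context even though the value was sanitised
// on input: attribute values get esc_attr(), body text esc_html(), URLs esc_url().
function demo_render_title_hardened() {
    echo '<input type="text" name="title" value="'
        . esc_attr( get_option( 'demo_slider_title', '' ) ) . '">';
}

// For settings pages that post to wp-admin/options.php, the standard protection is
// to register the option with a sanitize callback and print settings_fields( 'demo_settings' )
// inside the form: options.php verifies the nonce settings_fields() emitted and only
// accepts registered option names, and the callback runs before the value is stored.
add_action( 'admin_init', function () {
    register_setting( 'demo_settings', 'demo_slider_title', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
    ) );
} );
```

The order in the hardened handler matters: the nonce check runs before anything else so that a forged request never reaches the capability check, and the capability check runs before any state change so that a subscriber account with a valid nonce for its own session still cannot change an administrator-only setting. Sanitising on input does not replace escaping on output; the two guard against different contexts.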

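Items 1 and 17 are a different pair of input-handling defects: a file path built from a request parameter (directory traversal) and a URL fetched server-side from a request parameter (SSRF). The script below is an added example, not code from Church Admin or Google Forms, and shows the check a plugin needs for each. It is plain PHP with no WordPress dependency, so it runs with `php traversal_ssrf_checks.php`; the temporary files it creates, the sample URLs and the host allow-list are constructed for the demo.

```php
<?php
declare(strict_types=1);

/**
 * Return the canonical path of $requested under $base_dir, or null if the request
 * resolves outside $base_dir (via "..", a symlink, or any other trick) or names a
 * file that does not exist. realpath() is applied to the final joined path, so the
 * check cannot be fooled by encodings that a string filter would miss.
 */
function safe_path( string $base_dir, string $requested ): ?string {
    $base = realpath( $base_dir );
    $full = realpath( $base_dir . DIRECTORY_SEPARATOR . $requested );
    if ( $base === false || $full === false ) {
        return null;
    }
    // Append the separator so that "/srv/files" does not also accept "/srv/files2/x".
    $prefix = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    return strncmp( $full, $prefix, strlen( $prefix ) ) === 0 ? $full : null;
}

/**
 * Decide whether a server-side fetch of $url is acceptable: https only, host on the
 * allow-list when one is given, and every IPv4 address the host resolves to public.
 * A literal IP resolves to itself, so the demo below needs no DNS.
 */
function url_is_fetchable( string $url, array $allowed_hosts = array() ): bool {
    $parts = parse_url( $url );
    if ( $parts === false || ( $parts['scheme'] ?? '' ) !== 'https' || empty( $parts['host'] ) ) {
        return false;
    }
    $host = strtolower( $parts['host'] );
    if ( $allowed_hosts && ! in_array( $host, $allowed_hosts, true ) ) {
        return false;
    }
    $addresses = gethostbynamel( $host );   // IPv4 only; false on failure
    if ( ! $addresses ) {
        return false;
    }
    foreach ( $addresses as $ip ) {
        // NO_PRIV_RANGE rejects 10/8, 172.16/12 and 192.168/16; NO_RES_RANGE rejects
        // 0/8, 127/8, 169.254/16 (cloud metadata endpoints) and 240/4.
        $ok = filter_var( $ip, FILTER_VALIDATE_IP,
            FILTER_FLAG_IPV4 | FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE );
        if ( $ok === false ) {
            return false;
        }
    }
    return true;
}

// ---- Constructed demo data: a base directory with one file, and a file outside it ----
$tmp    = sys_get_temp_dir();
$base   = $tmp . DIRECTORY_SEPARATOR . 'demo_files_' . getmypid();
$secret = 'demo_secret_' . getmypid() . '.txt';
mkdir( $base . DIRECTORY_SEPARATOR . 'sub', 0700, true );
file_put_contents( $base . '/sub/report.pdf', 'demo' );
file_put_contents( $tmp . '/' . $secret, 'demo' );

$checks = array(
    'legitimate file is served'    => safe_path( $base, 'sub/report.pdf' ) !== null,
    '../ escape is refused'        => safe_path( $base, '../' . $secret ) === null,
    'nested ../ escape is refused' => safe_path( $base, 'sub/../../' . $secret ) === null,
    'public https host accepted'   => url_is_fetchable( 'https://8.8.8.8/' ),
    'plain http refused'           => ! url_is_fetchable( 'http://8.8.8.8/' ),
    'metadata address refused'     => ! url_is_fetchable( 'https://169.254.169.254/latest/meta-data/' ),
    'loopback refused'             => ! url_is_fetchable( 'https://127.0.0.1/wp-admin/' ),
    'host off allow-list refused'  => ! url_is_fetchable( 'https://8.8.8.8/', array( 'docs.google.com' ) ),
);
foreach ( $checks as $label => $passed ) {
    echo ( $passed ? 'PASS' : 'FAIL' ) . '  ' . $label . PHP_EOL;
}

// Remove the demo files.
unlink( $base . '/sub/report.pdf' );
rmdir( $base . '/sub' );
rmdir( $base );
unlink( $tmp . '/' . $secret );
```

Two caveats that the entries imply but do not spell out. First, realpath() requires the target to exist, which is the right behaviour for a download handler but means the containment check has to run on the final joined path, not on a "cleaned" string that is then joined later. Second, a resolve-then-fetch check is still open to DNS rebinding if the HTTP client resolves the name a second time, so either pin the validated address for the actual request (curl's CURLOPT_RESOLVE does this) or re-run the check on the address the client actually connected to. Inside WordPress, wp_safe_remote_get() applies a comparable private-address filter to outbound requests and should be preferred over wp_remote_get() for any URL that comes from user input.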
Protect your WordPress: BEFORE IT’S TOO LATE! You will also protect your customers, your reputation and your online business!
