For your WP Security, be informed about the latest vulnerabilities in WordPress plugins:
- Redirection
- Authenticated Local File Inclusion reported by Ryan (Dewhurst Security). ACE via file inclusion in Redirection allows admins to execute any PHP file in the filesystem. If you are logged in as an administrator on any site by using the setup page for the redirection plugin you can run arbitrary code and completely compromise the system. The software uses the external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
- immediately upgrade to version 2.8 to fix the vulnerability
- Authenticated Local File Inclusion reported by Ryan (Dewhurst Security). ACE via file inclusion in Redirection allows admins to execute any PHP file in the filesystem. If you are logged in as an administrator on any site by using the setup page for the redirection plugin you can run arbitrary code and completely compromise the system. The software uses the external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
- Tooltipy (tooltips for WP)
- Unauthenticated Cross-Site Scripting (XSS) reported by Ryan (Dewhurst Security). Reflected XSS in Tooltipy (tooltips for WP) could allow anybody to do almost anything an admin can. Tootipy contains reflected XSS in the [kttg_glossary] shortcode meaning that admin users’ browsers can be hijacked by anybody who sends them a link. The hijacked browser can be made to do almost anything an admin user can normally do. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
- Cross-Site Request Forgery (CSRF) reported by Ryan (Dewhurst Security). CSRF in Tooltipy (tooltips for WP) could allow anybody to duplicate posts. There is a CSRF vulnerability in Tooltipy’s “KTTG Converter” feature which allows anybody able to convince an admin to follow a link to duplicate posts. The PoC provided below allows duplicating every post with post_type post. The most obvious malicious use of this vulnerability would be to fill up a disk or database quota which might lead to denial of service or other issues.
- immediately upgrade to version 5.1 to fix both vulnerabilities
- Pie Register
- Authenticated Blind SQL Injection reported by Ryan (Dewhurst Security). SQL injection vulnerability in the Pie Register plugin before 3.0.10 for WordPress allows remote attackers to execute arbitrary SQL commands via the invitation codes grid.
- immediately upgrade to version 3.0.10 to fix the vulnerability
- Authenticated Blind SQL Injection reported by Ryan (Dewhurst Security). SQL injection vulnerability in the Pie Register plugin before 3.0.10 for WordPress allows remote attackers to execute arbitrary SQL commands via the invitation codes grid.
- Ultimate Form Builder Lite
- Multiple Vulnerabilities reported by Ryan (Dewhurst Security). SQL injection vulnerability in the Pie Register plugin before 3.0.10 for WordPress allows remote attackers to execute arbitrary SQL commands via the invitation codes grid. The Cross-Site Scripting vulnerability can enable the attacker to construct the URL that contains malicious JavaScript code. If the administrator of the site makes a request to such an URL, the attacker's code will be executed, with unrestricted access to the WordPress site in question.
- immediately upgrade to version 1.3.8 to fix the vulnerability
- Consider owl CONTACTS as a more secure replacement candidate.
- Multiple Vulnerabilities reported by Ryan (Dewhurst Security). SQL injection vulnerability in the Pie Register plugin before 3.0.10 for WordPress allows remote attackers to execute arbitrary SQL commands via the invitation codes grid. The Cross-Site Scripting vulnerability can enable the attacker to construct the URL that contains malicious JavaScript code. If the administrator of the site makes a request to such an URL, the attacker's code will be executed, with unrestricted access to the WordPress site in question.
- Advanced Order Export For WooCommerce
- CSV Injection reported by Ryan (Dewhurst Security). The plugin "Advanced Order Export For WooCommerce" for WordPress (v1.5.4 and before) is vulnerable to CSV Injection.
- immediately upgrade to version 1.5.5 to fix the vulnerability
- CSV Injection reported by Ryan (Dewhurst Security). The plugin "Advanced Order Export For WooCommerce" for WordPress (v1.5.4 and before) is vulnerable to CSV Injection.
- WordPress Comments Import & Export
- CSV Injection reported by Ryan (Dewhurst Security). The plugin "WordPress Comments Import & Export" for WordPress (v2.0.4 and before) is vulnerable to CSV Injection.
- immediately upgrade to version 2.0.5 to fix the vulnerability
- CSV Injection reported by Ryan (Dewhurst Security). The plugin "WordPress Comments Import & Export" for WordPress (v2.0.4 and before) is vulnerable to CSV Injection.
- Open Graph for Facebook, Google+ and Twitter Card Tags
- Authenticated Reflected XSS reported by hakluke . There is a reflected XSS vulnerability caused by "Open Graph for Facebook, Google+ and Twitter Card Tags" in the wd_fb_og_error parameter on a GET request when editing a post. This can be exploited by tricking an authenticated WordPress administrator into clicking a malicious link.
- immediately upgrade to version 2.2.4.1 to fix the vulnerability
- Authenticated Reflected XSS reported by hakluke . There is a reflected XSS vulnerability caused by "Open Graph for Facebook, Google+ and Twitter Card Tags" in the wd_fb_og_error parameter on a GET request when editing a post. This can be exploited by tricking an authenticated WordPress administrator into clicking a malicious link.
- iThemes Security
- Authenticated SQL Injection reported by Çlirim Emini https://www.sentry.co.com/. The iThemes Security (better-wp-security) plugin before 7.0.3 for WordPress allows SQL Injection (by attackers with Admin privileges) via the logs page. iThemes Security appears to be vulnerable to time-based SQL-Injection. The parameter "orderby" is vulnerable because backend variable $sort_by_column is not escaped. Privileges required: Admin user.
- immediately upgrade to version 7.0.3 to fix the vulnerability
- Authenticated SQL Injection reported by Çlirim Emini https://www.sentry.co.com/. The iThemes Security (better-wp-security) plugin before 7.0.3 for WordPress allows SQL Injection (by attackers with Admin privileges) via the logs page. iThemes Security appears to be vulnerable to time-based SQL-Injection. The parameter "orderby" is vulnerable because backend variable $sort_by_column is not escaped. Privileges required: Admin user.
- Email Subscribers & Newsletters
- Cross-Site Scripting (XSS) reported by Ryan (Dewhurst Security). Cross-site scripting vulnerability in Email Subscribers & Newsletters versions prior to 3.5.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- immediately upgrade to version 3.5.0 to fix the vulnerability
- Cross-Site Scripting (XSS) reported by Ryan (Dewhurst Security). Cross-site scripting vulnerability in Email Subscribers & Newsletters versions prior to 3.5.0 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- Site Reviews
- Cross-Site Scripting (XSS) reported by Ryan (Dewhurst Security). Cross-site scripting vulnerability in Site Reviews versions prior to 2.15.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- immediately upgrade to version 2.15.3 to fix the vulnerability
- Cross-Site Scripting (XSS) reported by Ryan (Dewhurst Security). Cross-site scripting vulnerability in Site Reviews versions prior to 2.15.3 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
Our only security is our ability to change. ~ John Lilly
At the end of the day, the goals are simple: safety and security. ~ Jodi Rell
Protect your WordPress: BEFORE IT'S TOO LATE! You will also protect your customers, your reputation and your online business!