WP Security: 14 plugin vulnerabilities in March 2018

For your WP security, here are the WordPress plugin vulnerabilities disclosed in March 2018. For each plugin you run, compare the installed version with the fixed version given below and update (or remove the plugin where no fix exists) without delay:

  1. NextGEN Gallery
    • Bypass reported by Dewhurst Security. In the NextGEN Gallery (nextgen-gallery) plugin before 2.2.50 for WordPress, gallery paths are not secured.
      • immediately upgrade to version 2.2.50 to fix the vulnerability

  2. Category Order and Taxonomy Terms Order
    • A1: Injection (PHP object injection) reported by Karim El Ouerghemmi (https://www.ripstech.com/). The plugin passes user input to unserialize() in the request that saves the term order, which leads to a PHP object injection vulnerability.
      • immediately upgrade to version 1.5.3 to fix the vulnerability

  3. MainWP Child
    • AUTHBYPASS - A2: Broken Authentication and Session Management reported by Slavco (https://medium.com/websec). An unauthenticated attacker who knows an administrative username can gain full control of the target site. If OpenSSL is installed on the server, a single request is enough; where the MD5 verification is used instead, roughly 100,000 requests will do the job.
      • immediately upgrade to version 3.4.5 to fix the vulnerability

  4. File Manager
    • Information Disclosure reported by Colette Chamberland (https://www.defiant.com). The Giribaz File Manager plugin logged plugin activity to /wp-content/uploads/file-manager/log.txt. If a user edited wp-config.php with the plugin, the contents of wp-config.php were written to that log file, which is not protected and therefore exposes the database credentials, authentication salts, etc. Such log files have been indexed by Google, and a simple search (dork) finds affected sites.
      • immediately upgrade to version 5.0.2 to fix the vulnerability. Upgrading alone is not enough if the log file exists on your site: delete it, and rotate the database password and the authentication keys and salts in wp-config.php, because anything already written to that file must be treated as compromised.

  5. iThemes Security
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. The iThemes Security plugin before 6.9.1 for WordPress does not properly escape data shown on its logs page.
      • immediately upgrade to version 6.9.1 to fix the vulnerability

  6. Import any XML or CSV File to WordPress
    • Cross-Site Scripting (XSS), two issues reported by Dewhurst Security. Cross-site scripting vulnerabilities in the WP All Import plugin, one fixed in version 3.4.6 and a second fixed in version 3.4.7, allow an attacker to inject arbitrary web script or HTML via unspecified vectors.
      • immediately upgrade to version 3.4.7 to fix both vulnerabilities

  7. WP Retina 2x
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. A cross-site scripting vulnerability in the WP Retina 2x plugin prior to version 5.2.2 allows an attacker to inject arbitrary web script or HTML via unspecified vectors.
      • immediately upgrade to version 5.2.2 to fix the vulnerability

  8. WP Support Plus Responsive Ticket System
    • Multiple Authenticated SQL Injection reported by Dewhurst Security. Pradeep Makone's WP Support Plus Responsive Ticket System version 9.0.2 and earlier contains a SQL injection vulnerability in the function that retrieves tickets: the email parameter is read from a cookie and placed into the query without sanitization, so an attacker who controls that cookie can alter the ticket filter.
      • immediately upgrade to version 9.0.3 to fix the vulnerability
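
The pattern behind the entry above, as an added example that is not the plugin's code: a ticket lookup whose email filter comes from a cookie, once with the value concatenated into the SQL and once with a bound parameter. The table, the three sample tickets and the function names are constructed for this demo; it uses PDO with an in-memory SQLite database so that it runs stand-alone with plain PHP (the pdo_sqlite extension is assumed). Inside a WordPress plugin the equivalent of the bound parameter is $wpdb->prepare() with a %s placeholder.

```php
<?php
// Added example (not the plugin's code): ticket lookup filtered by an email value
// taken from a cookie, vulnerable version next to the parameterized version.
// Run: php sqli_demo.php

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE tickets (id INTEGER PRIMARY KEY, email TEXT, subject TEXT)');
    // Constructed sample rows.
    $db->exec("INSERT INTO tickets (email, subject) VALUES
        ('alice@example.com', 'Cannot log in'),
        ('bob@example.com',   'Invoice question'),
        ('carol@example.com', 'Site is slow')");
    return $db;
}

// Vulnerable: the cookie value is concatenated into the query, so it can
// rewrite the WHERE clause instead of merely being compared against it.
function getTicketsVulnerable(PDO $db, string $emailFromCookie): array {
    $sql = "SELECT id, email, subject FROM tickets WHERE email = '" . $emailFromCookie . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: a bound parameter is sent as data, never parsed as SQL.
// In WordPress: $wpdb->prepare("SELECT ... WHERE email = %s", $emailFromCookie).
function getTicketsSafe(PDO $db, string $emailFromCookie): array {
    $stmt = $db->prepare('SELECT id, email, subject FROM tickets WHERE email = :email');
    $stmt->execute([':email' => $emailFromCookie]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDb();

// Honest cookie: both variants return only Alice's ticket.
$honest = 'alice@example.com';
printf("vulnerable, honest cookie:  %d row(s)\n", count(getTicketsVulnerable($db, $honest)));
printf("safe,       honest cookie:  %d row(s)\n", count(getTicketsSafe($db, $honest)));

// Hostile cookie: the injected OR condition makes the filter match every row,
// which is exactly "altering the ticket filter" from the advisory.
$hostile = "x' OR '1'='1";
printf("vulnerable, hostile cookie: %d row(s) (filter bypassed)\n", count(getTicketsVulnerable($db, $hostile)));
printf("safe,       hostile cookie: %d row(s)\n", count(getTicketsSafe($db, $hostile)));
```

With the hostile cookie the concatenated query becomes WHERE email = 'x' OR '1'='1' and returns all three rows; the prepared statement compares the whole string literally and returns none.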

  9. WP Job Manager
    • Unauthenticated Object Injection reported by Slavco (https://medium.com/websec). Pre-auth PHP object injection: an unauthenticated attacker can supply his own serialized payload and make the site call unserialize() on it.
      • immediately upgrade to version 1.29.3 to fix the vulnerability
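
Both PHP object injection entries on this page (Category Order and Taxonomy Terms Order, and WP Job Manager) come down to the same mistake, so one added example covers both. It is not code from either plugin: the TempFileCleaner class, the function names and the serialized payload are constructed to show why unserialize() on request data is dangerous, how the allowed_classes option (PHP 7.0 and later) stops attacker-chosen classes from being instantiated, and why a plain data format such as JSON with a shape check is the better choice for client-supplied lists.

```php
<?php
// Added example (not the plugins' code): calling unserialize() on request data,
// and two ways to make that safe. Run: php poi_demo.php

// Any loadable class with a magic method is a potential "gadget". This one stands
// in for a real plugin class whose destructor touches the filesystem.
class TempFileCleaner {
    public $path = '';
    public function __destruct() {
        // A real gadget might unlink(), write to, or include $this->path.
        echo "  __destruct would act on: {$this->path}\n";
    }
}

// Vulnerable: whatever class name the attacker serialized is instantiated, and
// its magic methods run with the attacker's property values.
function restoreOrderVulnerable(string $requestData) {
    return unserialize($requestData);
}

// Fixed, option 1: allowed_classes => false. Objects in the payload come back as
// __PHP_Incomplete_Class, which has no magic methods, so no gadget code runs.
function restoreOrderNoObjects(string $requestData) {
    return unserialize($requestData, ['allowed_classes' => false]);
}

// Fixed, option 2 (preferred for plain data such as an ordered list of term IDs):
// do not accept PHP serialization from the client at all.
function restoreOrderJson(string $requestData): ?array {
    $decoded = json_decode($requestData, true);
    if (!is_array($decoded)) {
        return null;
    }
    // Enforce the expected shape: a flat list of non-negative integers.
    $ids = [];
    foreach ($decoded as $v) {
        if (!is_int($v) || $v < 0) {
            return null;
        }
        $ids[] = $v;
    }
    return $ids;
}

// Constructed payloads: the plugin expects a serialized array of IDs...
$benign = serialize([12, 7, 3]);
// ...but an attacker can send an object of any class that is loaded.
$hostile = 'O:15:"TempFileCleaner":1:{s:4:"path";s:27:"/var/www/html/wp-config.php";}';

echo "vulnerable, hostile payload:\n";
$obj = restoreOrderVulnerable($hostile);
echo '  got ' . get_class($obj) . "\n";
unset($obj); // destructor fires with the attacker-chosen path

echo "allowed_classes=false, hostile payload:\n";
$obj = restoreOrderNoObjects($hostile);
echo '  got ' . get_class($obj) . "\n"; // __PHP_Incomplete_Class
unset($obj); // nothing happens

echo "allowed_classes=false, benign payload: ";
var_export(restoreOrderNoObjects($benign));
echo "\njson_decode, benign JSON: ";
var_export(restoreOrderJson('[12,7,3]'));
echo "\njson_decode, object-shaped JSON: ";
var_export(restoreOrderJson('{"path":"/etc/passwd"}')); // null: rejected by the shape check
echo "\n";
```

Note that allowed_classes only removes the object-instantiation step; the decoded data still has to be validated before use, which is why the JSON variant checks every element.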

  10. Super Socializer
    • Authentication Bypass. The only description given is the generic definition of improper authentication (CWE-287): when an actor claims to have a given identity, the software does not prove or insufficiently proves that the claim is correct.
      • immediately upgrade to version 7.11 to fix the vulnerability

  11. Site Editor
    • Local File Inclusion (LFI) reported by Nicolas Buzy-Debat of Orange Cyberdefense Singapore (CERT-LEXSI). A Local File Inclusion vulnerability in the Site Editor plugin through 1.1.1 for WordPress allows remote attackers to retrieve arbitrary files via the ajax_path parameter to editor/extensions/pagebuilder/includes/ajax_shortcode_pattern.php, aka absolute path traversal.
      • Remove the plugin immediately. The developer has NOT released an update that fixes the reported vulnerability. Contact us if you need a secure replacement.
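
The shape of the Site Editor issue, as an added example that is not the plugin's code: a request parameter used directly as a file path, next to a realpath()-based check that only serves files inside a fixed directory. The directory layout, file contents and function names are constructed for the demo (a temporary directory stands in for the plugin folder and for wp-config.php), so it runs stand-alone with plain PHP.

```php
<?php
// Added example (not the Site Editor plugin's code): file access driven by a request
// parameter, vulnerable version next to a base-directory allow-list.
// Run: php lfi_demo.php

// Vulnerable shape: the parameter is the path. Relative traversal (../) and
// absolute paths (/etc/passwd) are both accepted, so any readable file leaks.
function loadPatternVulnerable(string $ajaxPath): string {
    return (string) @file_get_contents($ajaxPath);
}

// Fixed: resolve the candidate under a fixed base directory and refuse anything
// that does not end up as an existing file inside it.
function resolveInsideBase(string $baseDir, string $requested): ?string {
    $base = realpath($baseDir);
    if ($base === false) {
        return null;
    }
    // Only relative names are acceptable; reject absolute paths and NUL bytes.
    if ($requested === '' || $requested[0] === '/' || strpos($requested, "\0") !== false) {
        return null;
    }
    $candidate = realpath($base . DIRECTORY_SEPARATOR . $requested);
    if ($candidate === false || !is_file($candidate)) {
        return null;
    }
    // Compare with the trailing separator so "/base-evil/x" is not accepted for "/base".
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($candidate, $prefix, strlen($prefix)) !== 0) {
        return null;
    }
    return $candidate;
}

function loadPatternSafe(string $baseDir, string $ajaxPath): ?string {
    $path = resolveInsideBase($baseDir, $ajaxPath);
    return $path === null ? null : file_get_contents($path);
}

// Constructed fixture: a patterns directory with one legitimate file, next to a
// file that stands in for wp-config.php.
$root = sys_get_temp_dir() . '/lfi_demo_' . getmypid();
mkdir("$root/patterns", 0700, true);
file_put_contents("$root/patterns/hero.php", "<?php // legitimate shortcode pattern\n");
file_put_contents("$root/wp-config.php", "<?php define('DB_PASSWORD', 's3cret');\n");

$tests = [
    'hero.php',             // legitimate request
    '../wp-config.php',     // relative traversal
    "$root/wp-config.php",  // absolute path inside the site
    '/etc/passwd',          // absolute path outside the site
];

foreach ($tests as $t) {
    $vulnPath = ($t[0] === '/') ? $t : "$root/patterns/$t";
    $vuln = loadPatternVulnerable($vulnPath);
    $safe = loadPatternSafe("$root/patterns", $t);
    printf("%-45s vulnerable: %-8s safe: %s\n",
        $t,
        $vuln === '' ? 'nothing' : 'READ',
        $safe === null ? 'rejected' : 'served');
}

// Cleanup of the constructed fixture.
unlink("$root/patterns/hero.php");
unlink("$root/wp-config.php");
rmdir("$root/patterns");
rmdir($root);
```

Only hero.php is served by the safe variant; the traversal and both absolute paths are rejected, while the vulnerable variant reads whatever exists at the requested location.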

  12. Events Manager
    • Unauthenticated Stored XSS reported by Luigi (https://www.gubello.me/blog/). An unauthenticated user, or a user without privileges, who can submit an event can inject JavaScript code into the Google Maps thumbnail. The malicious code runs in the admin panel when a privileged user opens the submitted event.
      • immediately upgrade to version 5.8.1.2 to fix the vulnerability

  13. Duplicator
    • Cross-Site Scripting (XSS) reported by Ryan (Dewhurst Security). A cross-site scripting vulnerability in installer/build/view.step4.php of the SnapCreek Duplicator plugin 1.2.32 for WordPress allows remote attackers to inject arbitrary JavaScript or HTML via the JSON parameter.
      • immediately upgrade to version 1.2.33 to fix the vulnerability

  14. Activity Log
    • Multiple Cross-Site Scripting (XSS) reported by Ryan (Dewhurst Security). Multiple cross-site scripting (XSS) vulnerabilities in the Activity Log plugin before 2.4.1 for WordPress allow remote attackers to inject arbitrary JavaScript or HTML via a title that is not escaped.
      • immediately upgrade to version 2.4.1 to fix the vulnerability
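
Seven of the entries above (iThemes Security, WP All Import, WP Retina 2x, Events Manager, Duplicator and Activity Log) are the same class of bug: user-controlled text rendered into admin-page markup without escaping. The added example below is not code from any of those plugins; it shows a row of an admin table built by concatenation next to the same row with context-aware escaping. The row layout, the payloads and the function names are constructed for the demo, and esc_html_demo()/esc_attr_demo() are stand-ins using htmlspecialchars() so the script runs outside WordPress; inside a plugin use the real esc_html(), esc_attr() and esc_url().

```php
<?php
// Added example (not code from any plugin above): unescaped output in admin markup,
// vulnerable version next to escaped output. Run: php xss_demo.php

// Stand-ins for WordPress' esc_html() and esc_attr(). Flags chosen for this demo:
// encode both quote styles, replace invalid UTF-8, treat the output as HTML5.
function esc_html_demo(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}
function esc_attr_demo(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Vulnerable: a stored title (event, ticket, log line) and a URL are dropped
// straight into the page a privileged user will open.
function renderRowVulnerable(string $title, string $url): string {
    return "<tr><td>$title</td><td><a href=\"$url\">link</a></td></tr>";
}

// Fixed: escape for the exact context (text node vs. attribute value) and only
// allow http(s) URLs into href, since escaping alone does not stop javascript: URLs.
function renderRowSafe(string $title, string $url): string {
    $href = preg_match('#^https?://#i', $url) ? esc_attr_demo($url) : '#';
    return '<tr><td>' . esc_html_demo($title) . '</td><td><a href="' . $href . '">link</a></td></tr>';
}

// True if the raw (unescaped) input string survives into the rendered HTML.
function containsRawInput(string $html, string $input): bool {
    return strpos($html, $input) !== false;
}

// Constructed payloads of the kind a stored-XSS entry carries.
$title   = '<img src=x onerror=alert(document.cookie)>';
$attrUrl = '" onmouseover="alert(1)';
$jsUrl   = 'javascript:alert(1)';

echo "vulnerable:\n  " . renderRowVulnerable($title, $attrUrl) . "\n";
echo "safe:\n  " . renderRowSafe($title, $attrUrl) . "\n";
echo "safe (javascript: URL replaced by #):\n  " . renderRowSafe('Event', $jsUrl) . "\n";

echo "raw payload present in vulnerable output: ";
var_dump(containsRawInput(renderRowVulnerable($title, $attrUrl), $title)); // bool(true)
echo "raw payload present in safe output: ";
var_dump(containsRawInput(renderRowSafe($title, $attrUrl), $title));       // bool(false)
```

The two points a reviewer should take from it: escaping has to happen at output time with the function that matches the context (text, attribute, URL), and an href needs a scheme check in addition to escaping.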

Protect your WordPress: BEFORE IT'S TOO LATE! You will also protect your customers, your reputation and your online business!
