WP Security: 10 plugin vulnerabilities in May 2018

For your WP security, here are the latest vulnerabilities reported in WordPress plugins, with the version that fixes each one:

  1. Form Maker by WD
    • CSV Injection reported by Ryan (Dewhurst Security). Version 1.12.20 is affected. A public user can submit form fields whose value begins with a spreadsheet formula character (such as =, +, -, or @). When a user with higher privileges exports the submissions to CSV and opens the file in a spreadsheet application, the application evaluates the formula, which can run commands on that user's own machine. The injected command therefore executes on the exporting user's workstation, not on the web server.
      • immediately upgrade to version 1.12.24 to fix the vulnerability

  2. WF Cookie Consent
    • Authenticated Persistent Cross-Site Scripting (XSS) reported by B0UG. An issue was discovered in the wunderfarm WF Cookie Consent plugin 1.1.3 for WordPress: a persistent XSS vulnerability in the plugin's web interface allows arbitrary HTML/script code, supplied via a page title, to execute in a victim's web browser.
      • immediately upgrade to version 1.1.4 to fix the vulnerability

  3. WP User Groups
    • Cross-Site Request Forgery (CSRF) reported by Ryan (Dewhurst Security). The plugin does not sufficiently verify that a well-formed, valid request was intentionally submitted by the logged-in user. WP User Groups adds bulk actions that put users into (or remove them from) "groups" and "types". A nonce is sent with the request, but it is never checked, so a page on another origin can trigger these actions with an administrator's session.
      • immediately upgrade to version 2.1.0 to fix the vulnerability

  4. GD bbPress Attachments
    • Authenticated Stored XSS reported by Luigi (https://www.gubello.me/blog/). An authenticated user of a bbPress forum who is allowed to attach a file can inject arbitrary JavaScript via the image filename. The code runs both on the topic page and in the admin panel, and it only affects administrators, moderators and the attacker. The variable $error['file'] in /code/attachments/front.php (line 349) is output without escaping.
      • immediately upgrade to version 2.6 to fix the vulnerability

  5. WP ULike
    • Unauthenticated Stored XSS reported by Ryan (Dewhurst Security). The plugin does not neutralize, or incorrectly neutralizes, user-controllable input before placing it in a web page served to other users, so an unauthenticated attacker can store script that runs in those users' browsers.
      • immediately upgrade to version 3.2 to fix the vulnerability

  6. Metronet Tag Manager
    • Cross-Site Request Forgery (CSRF) reported by Ryan (Dewhurst Security). The plugin does not sufficiently verify that a well-formed, valid request was intentionally submitted by the logged-in user, so state-changing requests can be forged on that user's behalf.
      • immediately upgrade to version 1.2.9 to fix the vulnerability

  7. WP Live Chat Support
    • Cross-Site Scripting (XSS) reported by Ryan (Dewhurst Security). Versions before 8.0.08 are affected.
      • immediately upgrade to version 8.0.08 to fix the vulnerability

  8. ProfileGrid – User Profiles, Groups and Communities
    • Authenticated Code Execution reported by Karim El Ouerghemmi (https://www.ripstech.com/). Versions prior to 2.8.6 are vulnerable to arbitrary code execution: an authenticated user with a role as low as Subscriber can execute arbitrary PHP code on the web server of a site using the plugin.
      • immediately upgrade to version 2.8.6 to fix the vulnerability

  9. Loginizer
    • Unauthenticated Stored Cross-Site Scripting (XSS) reported by Ryan (Dewhurst Security). An unauthenticated attacker can inject JavaScript into the Loginizer "Brute Force Settings" page, where the log of failed login attempts is displayed. When an administrative user views that page, the JavaScript executes in their browser, which can lead to a full compromise of the WordPress site.
      • immediately upgrade to version 1.4.0 to fix the vulnerability

  10. wpForo Forum
    • Unauthenticated Stored Cross-Site Scripting (XSS) reported by Ryan (Dewhurst Security). Separately, the wpForo plugin through 2018-02-05 is recorded as having SQL Injection via a search with the /forum/ wpfo parameter.
      • immediately upgrade to version 1.4.11 to fix the vulnerability
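Worked example for the CSV injection class in item 1: the export-side fix that stops a submitted field from being read as a formula. This is an added example in plain PHP, not Form Maker's code; the submissions are constructed, and the names neutralise_csv_cell() and export_submissions_csv() are chosen for the illustration.

```php
<?php
// Added example (not Form Maker's code): neutralise spreadsheet formulas when
// exporting untrusted form submissions to CSV. Runs with plain `php csv.php`.

// A cell is treated as a formula by Excel/LibreOffice when its first character
// is one of these. Tab and carriage return are included because some clients
// strip them and then act on the character that follows.
const CSV_FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

function neutralise_csv_cell(string $value): string
{
    // Spreadsheet clients drop leading whitespace before deciding whether a
    // cell is a formula, so drop it here too; otherwise " =cmd|..." slips by.
    $stripped = ltrim($value, " \t\r\n");
    if ($stripped !== '' && in_array($stripped[0], CSV_FORMULA_TRIGGERS, true)) {
        // A leading apostrophe tells the spreadsheet "this cell is text".
        return "'" . $stripped;
    }
    return $value;
}

function export_submissions_csv(array $rows): string
{
    $fh = fopen('php://temp', 'r+');
    foreach ($rows as $row) {
        // fputcsv() still quotes fields containing commas, quotes, spaces or
        // newlines; the step above only changes how a cell is *interpreted*.
        fputcsv($fh, array_map('neutralise_csv_cell', $row), ',', '"', '');
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

// Constructed submissions. The second one is the kind of value a public form
// submitter can type into a free-text field: opened unprotected, Excel would
// treat it as a DDE formula and try to launch the named program on the
// exporting user's PC.
$submissions = [
    ['name' => 'Alice',   'message' => 'Thanks for the quick reply'],
    ['name' => 'Mallory', 'message' => '=cmd|\' /C calc\'!A0'],
    ['name' => 'Bob',     'message' => '-5 degrees outside'],
];

echo export_submissions_csv($submissions);
```

Mallory's cell is written as `'=cmd|' /C calc'!A0` and is plain text when opened; Bob's cell also gets the apostrophe because it starts with a minus, which is the price of the rule (restrict it to free-text fields if numeric columns matter). Keep in mind that the payload never runs on the server: modern spreadsheet applications do prompt before running DDE, but this neutralisation means the export is safe even when the user clicks through the prompt.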
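Items 3 and 6 share one bug: a form carries a nonce, but the handler that performs the action never verifies it. The added example below (not WP User Groups' or Metronet Tag Manager's code) shows such a bulk action beside the corrected handler. It assumes a WordPress runtime, where wp_nonce_field(), check_admin_referer(), current_user_can(), wp_set_object_terms() and the admin_post_{action} hook are core APIs; the 'user-group' taxonomy, the edit_users capability choice and every example_* name are hypothetical.

```php
<?php
// Added example (not WP User Groups' or Metronet Tag Manager's code); runs
// only inside WordPress. Names prefixed example_ and the 'user-group'
// taxonomy are hypothetical.

// The bulk form: wp_nonce_field() emits a hidden nonce bound to the action
// name, plus a _wp_http_referer field.
function example_render_bulk_group_form(array $user_ids): void
{
    echo '<form method="post" action="' . esc_url(admin_url('admin-post.php')) . '">';
    echo '<input type="hidden" name="action" value="example_bulk_group">';
    foreach ($user_ids as $id) {
        echo '<input type="hidden" name="users[]" value="' . esc_attr((string) $id) . '">';
    }
    echo '<input type="text" name="group" placeholder="group slug">';
    wp_nonce_field('example_bulk_group', 'example_nonce');
    echo '<button type="submit">Add to group</button></form>';
}

// VULNERABLE: example_nonce arrives in $_POST but nothing looks at it, so an
// attacker's page can auto-submit this form with the victim's cookies and
// move any users into any group the attacker names.
function example_bulk_group_vulnerable(): void
{
    $group = sanitize_key(wp_unslash($_POST['group'] ?? ''));
    foreach ((array) ($_POST['users'] ?? []) as $user_id) {
        wp_set_object_terms(absint($user_id), $group, 'user-group', true);
    }
    wp_safe_redirect(admin_url('users.php'));
    exit;
}

// FIXED: check_admin_referer() verifies the nonce against the same action and
// field names the form used and stops with HTTP 403 on mismatch. The nonce
// ties the request to the user's session; current_user_can() is still needed
// to tie it to a user who is allowed to change group membership at all.
function example_bulk_group_fixed(): void
{
    check_admin_referer('example_bulk_group', 'example_nonce');
    if (!current_user_can('edit_users')) {
        wp_die(__('You are not allowed to change user groups.'), 403);
    }
    $group = sanitize_key(wp_unslash($_POST['group'] ?? ''));
    if ($group === '') {
        wp_die(__('No group given.'), 400);
    }
    foreach ((array) ($_POST['users'] ?? []) as $user_id) {
        wp_set_object_terms(absint($user_id), $group, 'user-group', true);
    }
    wp_safe_redirect(admin_url('users.php'));
    exit;
}

// admin-post.php dispatches admin_post_{action} for logged-in users; route the
// form's action= value to the fixed handler.
add_action('admin_post_example_bulk_group', 'example_bulk_group_fixed');
```

A quick audit for this class in any plugin: list every admin_post_*, wp_ajax_* and bulk-action handler and confirm each one calls check_admin_referer(), check_ajax_referer() or wp_verify_nonce() before it changes state. A nonce field in the form with no corresponding check in the handler is exactly the reported bug.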
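Items 2, 4, 5 and 9 are the same bug class: a string chosen by a low-privilege or anonymous user (a page title, an attachment filename, a login username) is later written into HTML that a moderator or administrator views, without escaping. The added example below, not the code of any of those plugins, shows the unescaped pattern beside the fixed one for two outputs, a rejected-attachment message and a failed-login log; the function names, messages and log entries are constructed. Inside WordPress esc_html() and esc_attr() are core functions; the stand-ins are defined only so the file also runs from the command line with plain php.

```php
<?php
// Added example (not the code of GD bbPress Attachments, WF Cookie Consent,
// WP ULike or Loginizer). Escape attacker-controlled strings at the point
// where they are written into HTML.

// Stand-ins for WordPress core functions, so `php xss.php` works outside WP.
if (!function_exists('esc_html')) {
    function esc_html(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}
if (!function_exists('esc_attr')) {
    function esc_attr(string $text): string
    {
        return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }
}

// VULNERABLE: the rejected filename is echoed verbatim, so a name such as
// <img src=x onerror=alert(1)>.jpg runs in every moderator's browser.
function attachment_error_vulnerable(string $filename): string
{
    return '<div class="error">File rejected: ' . $filename . '</div>';
}

// FIXED: escape for the context the value lands in (here, HTML text).
function attachment_error_fixed(string $filename): string
{
    return '<div class="error">File rejected: ' . esc_html($filename) . '</div>';
}

// Same rule for a failed-login log shown on a settings page: IP and username
// are attacker-chosen strings, so each is escaped for its context, esc_attr()
// inside an attribute and esc_html() between tags.
function render_failed_logins(array $attempts): string
{
    $html = '<table><tr><th>IP</th><th>Username</th><th>Time</th></tr>';
    foreach ($attempts as $a) {
        $html .= '<tr>'
            . '<td>' . esc_html($a['ip']) . '</td>'
            . '<td>' . esc_html($a['username']) . '</td>'
            . '<td><time datetime="' . esc_attr($a['time']) . '">' . esc_html($a['time']) . '</time></td>'
            . '</tr>';
    }
    return $html . '</table>';
}

// Constructed inputs carrying script payloads.
$payload_name = '<img src=x onerror="alert(1)">.jpg';
echo attachment_error_vulnerable($payload_name), PHP_EOL;
echo attachment_error_fixed($payload_name), PHP_EOL;

$attempts = [
    ['ip' => '203.0.113.5', 'username' => 'admin', 'time' => '2018-05-14T09:12:00Z'],
    ['ip' => '203.0.113.7', 'username' => '"><script>alert(document.cookie)</script>', 'time' => '2018-05-14T09:13:00Z'],
];
echo render_failed_logins($attempts), PHP_EOL;
```

The first echo prints a live <img> tag; the second and third print `&lt;img ...&gt;` and `&quot;&gt;&lt;script&gt;...`, which browsers render as text. The rule that fixes all four entries is the same: sanitizing on input is not enough, because the stored value is reused in several contexts (topic page and admin panel for item 4), so escape on output every time.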
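The SQL injection recorded for item 10 is a search parameter spliced into a query. This added example, not wpForo's code, shows that pattern beside the prepared-statement form. It assumes a WordPress runtime, where $wpdb->prepare(), $wpdb->esc_like() and $wpdb->get_results() are core; the example_topics table, the example_q parameter and the function names are hypothetical.

```php
<?php
// Added example (not wpForo's code); runs only inside WordPress. The table
// {$wpdb->prefix}example_topics and the example_q parameter are hypothetical.

// VULNERABLE: the search term is concatenated into the SQL text, so a single
// quote in the term closes the string literal and the rest becomes SQL.
function example_topic_search_vulnerable(string $term): array
{
    global $wpdb;
    $sql = "SELECT id, title FROM {$wpdb->prefix}example_topics WHERE title LIKE '%" . $term . "%'";
    return (array) $wpdb->get_results($sql, ARRAY_A);
}

// FIXED: the term is passed to prepare() as a %s value, which quotes and
// escapes it (do not wrap %s in quotes in the template). esc_like() also
// escapes % and _ so a user searching for "100%" does not match every row.
function example_topic_search_fixed(string $term): array
{
    global $wpdb;
    $like = '%' . $wpdb->esc_like($term) . '%';
    $sql  = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}example_topics WHERE title LIKE %s LIMIT %d",
        $like,
        50
    );
    return (array) $wpdb->get_results($sql, ARRAY_A);
}

// Reading the parameter: WordPress adds slashes to request data, so unslash
// first, then sanitize. The query-level protection is prepare(), not this
// step; sanitize_text_field() only trims and strips tags.
function example_topic_search_from_request(): array
{
    if (!isset($_GET['example_q']) || !is_string($_GET['example_q'])) {
        return [];
    }
    $term = sanitize_text_field(wp_unslash($_GET['example_q']));
    return example_topic_search_fixed($term);
}
```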

Protect your WordPress: BEFORE IT'S TOO LATE! You will also protect your customers, your reputation and your online business!
