For your WP Security, be informed about the latest vulnerabilities in WordPress plugins:
- Form Maker by WD
- CSV Injection reported by Ryan (Dewhurst Security). Custom Forms version 1.12.20 is affected by a Remote Command Execution vulnerability via CSV Injection. A public user can inject commands into form fields; when a user with higher privileges exports the form data to CSV and opens the file on their machine, the command is executed.
- immediately upgrade to version 1.12.24 to fix the vulnerability
- WF Cookie Consent
- Authenticated Persistent Cross-Site Scripting (XSS) reported by B0UG. An issue was discovered in the wunderfarm WF Cookie Consent plugin 1.1.3 for WordPress. A persistent cross-site scripting vulnerability has been identified in the web interface of the plugin that allows arbitrary HTML/script code to be executed in a victim's web browser via a page title.
- immediately upgrade to version 1.1.4 to fix the vulnerability
- WP User Groups
- Cross-Site Request Forgery (CSRF) reported by Ryan (Dewhurst Security). The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request. WP User Groups creates new bulk actions to put users into (or remove them from) “groups” and “types”. A nonce is sent with the request, but it is not checked.
- immediately upgrade to version 2.1.0 to fix the vulnerability
- GD bbPress Attachments
- Authenticated Stored XSS reported by Luigi https://www.gubello.me/blog/. An authenticated user of a bbPress forum, who can attach a file, can inject arbitrary JavaScript code via the image filename. The arbitrary code runs both on the topic page and in the admin panel, and it only affects the administrators, moderators and the attacker. The variable `$error['file']` in /code/attachments/front.php (line 349) is not escaped.
- immediately upgrade to version 2.6 to fix the vulnerability
- WP ULike
- Unauthenticated Stored XSS reported by Ryan (Dewhurst Security). The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
- immediately upgrade to version 3.2 to fix the vulnerability
- Metronet Tag Manager
- Cross-Site Request Forgery (CSRF) reported by Ryan (Dewhurst Security). The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
- immediately upgrade to version 1.2.9 to fix the vulnerability
- WP Live Chat Support
- Cross-Site Scripting (XSS) reported by Ryan (Dewhurst Security). Authenticated Cross-Site Scripting exists in the User Profile & Membership plugin before 2.0.11 for WordPress via the "Account Deletion Custom Text" input field on the wp-admin/admin.php?page=um_options&section=account page.
- immediately upgrade to version 8.0.08 to fix the vulnerability
- ProfileGrid – User Profiles, Groups and Communities
- Authenticated Code Execution reported by Karim El Ouerghemmi https://www.ripstech.com/. Versions of the plugin ProfileGrid – User Profiles, Groups and Communities prior to 2.8.6 are vulnerable to Arbitrary Code Execution. An authenticated user with a role as low as Subscriber can execute arbitrary PHP code on websites using the plugin.
- immediately upgrade to version 2.8.6 to fix the vulnerability
- Loginizer
- Unauthenticated Stored Cross-Site Scripting (XSS) reported by Ryan (Dewhurst Security). An unauthenticated attacker could inject malicious JavaScript into the Loginizer - Brute Force Settings page where attempted brute force logs are displayed. When an administrative user visits the page, the JavaScript would be executed, which could allow an unauthenticated attacker to entirely compromise the WordPress application.
- immediately upgrade to version 1.4.0 to fix the vulnerability
- wpForo Forum
- Unauthenticated Stored Cross-Site Scripting (XSS) reported by Ryan (Dewhurst Security). The wpForo plugin through 2018-02-05 for WordPress has SQL Injection via a search with the /forum/ wpfo parameter.
- immediately upgrade to version 1.4.11 to fix the vulnerability
Our only security is our ability to change. ~ John Lilly
At the end of the day, the goals are simple: safety and security. ~ Jodi Rell
Protect your WordPress: BEFORE IT'S TOO LATE! You will also protect your customers, your reputation and your online business!