At your next scheduled WordPress maintenance, be aware of the following vulnerabilities in WordPress plugins that were identified and publicly reported this month:
- Gwolle Guestbook
- Cross-Site Scripting (XSS) reported by Ryan (Dewhurst Security). During a security audit of the Gwolle Guestbook plugin for WordPress, a vulnerability was discovered using the DefenseCode ThunderScan application source code security analysis platform. The Cross-Site Scripting vulnerability enables an attacker to construct a URL that contains malicious JavaScript code. If the site administrator requests such a URL, the attacker's code is executed with unrestricted access to the WordPress site in question. The attacker can entice the administrator to visit the URL in various ways, including sending it by email or posting it as part of a comment on the vulnerable site or another forum.
- WordPress Maintenance recommendation: immediately upgrade to version 2.5.4 to fix the vulnerability
- Strong Testimonials
- Multiple Authenticated Cross-Site Scripting (XSS) reported by Ryan (Dewhurst Security). During the security analysis, ThunderScan discovered Cross-Site Scripting vulnerabilities in the Strong Testimonials WordPress plugin. The Cross-Site Scripting vulnerability enables an attacker to construct a URL that contains malicious JavaScript code. If the site administrator requests such a URL, the attacker's code is executed with unrestricted access to the WordPress site in question. The attacker can entice the administrator to visit the URL in various ways, including sending it by email or posting it as part of a comment on the vulnerable site or another forum.
- WordPress Maintenance recommendation: immediately upgrade to version 2.31.5 to fix the vulnerability
- Ultimate Member
- Unauthenticated Arbitrary File Upload reported by Ryan (Dewhurst Security). Modification of some system files or information is possible, but the attacker does not have control over what can be modified, or the scope of what the attacker can affect is limited. This is a previously known issue from 2015 (https://www.cvedetails.com/cve/CVE-2018-0587/) that led to WordPress websites being hacked (https://wordpress.org/support/topic/appears-um-got-hacked-on-my-site/).
- WordPress Maintenance recommendation: immediately upgrade to version 2.0.22 to fix the vulnerability
- Plainview Activity Monitor
- Remote Command Execution (RCE) reported by Ryan (Dewhurst Security). The Plainview Activity Monitor plugin 4.7.11 for WordPress is vulnerable to OS command injection via shell metacharacters in the ip parameter of a wp-admin/admin.php?page=plainview_activity_monitor&tab=activity_tools request.
- WordPress Maintenance recommendation: immediately upgrade to version 20180826 to fix the vulnerability
- Chained Quiz
- Unauthenticated SQL Injection reported by Çlirim Emini (https://www.sentry.co.com/). The WordPress plugin Chained Quiz before 1.0.9 allows remote unauthenticated users to execute arbitrary SQL commands via the "$answer" backend variable.
- WordPress Maintenance recommendation: immediately upgrade to version 1.0.9 to fix the vulnerability
- Ninja Forms
- CSV Injection reported by Ryan (Dewhurst Security). WordPress Ninja Forms plugin versions 3.3.13 and earlier are affected by a CSV injection vulnerability that can lead to remote code execution. It allows an application user to inject commands into form fields; those commands are executed when a user with greater privileges exports the data as CSV and opens that file on their machine.
- WordPress Maintenance recommendation: immediately upgrade to version 3.3.14 to fix the vulnerability
- Ninja Forms
- Cross-Site Scripting (XSS) in Import Function reported by Ryan (Dewhurst Security). WordPress Ninja Forms plugin versions 3.3.13 and earlier are affected by an XSS vulnerability that allows JavaScript injection through the form import function.
- WordPress Maintenance recommendation: immediately upgrade to version 3.3.14 to fix the vulnerability
- WooCommerce
- Potential Object Injection reported by Ryan (Dewhurst Security). Versions 3.4.4 and earlier are affected by an issue where a function that updates attributes could lead to object injection. This is related to the WordPress 4.8.3 security release. This issue can only be exploited by users who can edit attributes and should not be possible to exploit through the WordPress administrative screens, but we still recommend all users running WooCommerce 3.x upgrade to 3.4.5 to mitigate this issue.
- WordPress Maintenance recommendation: immediately upgrade to version 3.4.5 to fix the vulnerability
- Gift Voucher
- Authenticated Blind SQL Injection reported by Ryan (Dewhurst Security). The Gift Vouchers plugin through 2.0.1 for WordPress allows SQL Injection via the template_id parameter in a wp-admin/admin-ajax.php wpgv_doajax_front_template request.
- WordPress Maintenance recommendation: IMMEDIATELY UNINSTALL THIS PLUGIN! This plugin hasn't been tested with the latest 3 major releases of WordPress. It may no longer be maintained or supported and may have compatibility issues when used with more recent versions of WordPress.
- Export Users to CSV
- CSV Injection reported by Javier Olmedo (https://hackpuntes.com). WordPress Export Users to CSV plugin versions 1.1.1 and earlier are affected by a CSV injection vulnerability that can lead to remote code execution. It allows an application user to inject commands into the fields of their profile; those commands are executed when a user with greater privileges exports the data as CSV and opens that file on their machine.
- WordPress Maintenance recommendation: IMMEDIATELY UNINSTALL THIS PLUGIN! The latest update does not fix this vulnerability.
- Ajax BootModal Login
- CAPTCHA Reuse reported by Ryan (Dewhurst Security). The registration, login and password recovery forms require a CAPTCHA to be solved before the action is performed. However, a solved CAPTCHA appears to remain valid for as long as the user session is valid, so one can send as many requests as one wishes through automation. This allows an attacker to spam a large number of email addresses and to brute-force credentials.
- WordPress Maintenance recommendation: IMMEDIATELY UNINSTALL THIS PLUGIN! The latest update does not fix this vulnerability.
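For the Plainview Activity Monitor command-injection entry above, an added Python example (not the plugin's code) of the defensive pattern that closes that class of bug: the user-supplied `ip` value is validated as a literal address and passed as a discrete argv element, never joined into a shell string. A second helper triages logged `ip` values for review. That the tool shells out to `ping` is an assumption for illustration; the page does not say what the plugin does with the parameter.

```python
import ipaddress
import re
import subprocess

# Shell metacharacters that must never reach a command line unescaped.
SHELL_META = re.compile(r"[;&|`$<>(){}\n\r\"'\\]")


def validate_ip(value):
    """Return the address in canonical form, or raise ValueError.

    Only a literal IPv4/IPv6 address is accepted; hostnames, ranges and
    anything carrying extra characters are rejected before any command runs.
    """
    return str(ipaddress.ip_address(value.strip()))


def ping_argv(user_ip):
    """Build the argv list for a single ping of a validated address.

    The address is one discrete argument and no shell is involved, so the
    metacharacters the advisory describes have nothing to parse.
    (Assumed tool: the page does not state what the plugin runs.)
    """
    return ["ping", "-c", "1", validate_ip(user_ip)]


def run_ping(user_ip):
    # shell=False (the default) hands argv to execve directly: no shell parsing.
    return subprocess.run(ping_argv(user_ip), capture_output=True, text=True, timeout=10)


def classify_ip_param(value):
    """Triage helper for reviewing logged `ip` parameter values.

    Returns "ok" for a valid address, "injection" when the rejected value
    contains shell metacharacters, and "invalid" for other malformed input.
    """
    try:
        validate_ip(value)
        return "ok"
    except ValueError:
        return "injection" if SHELL_META.search(value) else "invalid"
```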
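The Ninja Forms and Export Users to CSV entries above describe the same CSV (formula) injection. As an added Python example that is not code from either plugin, this is the neutralisation rule an exporter should apply: any cell that would be read as a formula by a spreadsheet is prefixed with a single quote, and every field is quoted so an embedded quote cannot terminate a field early. The sample row is constructed.

```python
import csv
import io

# Leading characters that make common spreadsheets treat a cell as a formula.
FORMULA_LEADERS = ("=", "+", "-", "@", "\t", "\r")


def neutralize_cell(value):
    """Return the cell text with any formula trigger defused.

    A leading single quote is the spreadsheet convention for "literal text",
    so the cell is shown verbatim instead of being evaluated.
    """
    text = "" if value is None else str(value)
    if text.startswith(FORMULA_LEADERS):
        return "'" + text
    return text


def export_rows(rows, header):
    """Serialise rows to CSV text, neutralising every user-controlled cell.

    QUOTE_ALL wraps each field in double quotes and doubles any embedded
    quote, so user text cannot break out of its field to start a new cell.
    """
    buf = io.StringIO()
    writer = csv.writer(buf, quoting=csv.QUOTE_ALL, lineterminator="\n")
    writer.writerow(header)
    for row in rows:
        writer.writerow([neutralize_cell(cell) for cell in row])
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed sample: a profile field holding a harmless formula.
    print(export_rows([["Alice", "=1+2"], ['x"y', "plain"]], ["name", "bio"]))
```

Numeric columns that legitimately start with "-" should be exported as numbers by the caller rather than passed through this text rule.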
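For the Ajax BootModal Login CAPTCHA-reuse entry above, an added Python example (not the plugin's code) of the server-side rule the advisory says is missing: each challenge is bound to one session, expires, and is deleted on its first verification attempt, so a solved CAPTCHA cannot be replayed for further registration, login or recovery submissions. The clock is injectable so the expiry path can be exercised.

```python
import hmac
import secrets
import time


class CaptchaStore:
    """Server-side record of issued CAPTCHA challenges (single use)."""

    def __init__(self, ttl=300, now=time.time):
        self.ttl = ttl
        self.now = now            # clock hook, replaceable in tests
        self._open = {}           # challenge_id -> (session_id, answer, issued_at)

    def issue(self, session_id, answer):
        """Register a freshly generated challenge; returns its id for the form."""
        challenge_id = secrets.token_urlsafe(16)
        self._open[challenge_id] = (session_id, answer, self.now())
        return challenge_id

    def verify(self, session_id, challenge_id, response):
        """Consume the challenge; True only for a fresh, in-session, matching answer.

        The record is removed before the answer is compared, so a wrong guess
        and a correct one both spend the challenge: the form must fetch a new
        CAPTCHA for every submission, whatever the session state.
        """
        record = self._open.pop(challenge_id, None)
        if record is None:
            return False
        owner, answer, issued_at = record
        if owner != session_id or self.now() - issued_at > self.ttl:
            return False
        return hmac.compare_digest(answer.encode(), response.strip().encode())
```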
Our only security is our ability to change. ~ John Lilly
Protect your WordPress: BEFORE IT'S TOO LATE! You will also protect your customers, your reputation and your online business!
Get Healthy, Stay Healthy: A healthier online business starts today and it begins with you!