Scroll Top

WP Security: 27 plugin vulnerabilities in November

By Csaba, Miklós WP Security WP SERVICES 4 December 2017

WP SECURITY: PLUGIN VULNERABILITIES OCTOBER

For your WP Security, be informed about the latest vulnerabilities in WordPress plugins:

  1. Qards
    • Stored Cross-Site Scripting (XSS) + Server Side Request Forgery (SSRF) reported by theMiddle https://mobile.twitter.com/Menin_TheMiddle. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
      • NO updates yet to premium plugin to fix vulnerabilities.
  2. Import any XML or CSV File to WordPress
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
      • immediately update to version 3.4.5 to fix vulnerability
  3. Contact Form for WordPress – Ultimate Form Builder Lite
    • SQL Injection reported by Dewhurst Security. The exploit being used combines a SQL injection vulnerability and a PHP object injection vulnerability. It allows attackers to take over a vulnerable site using just one request to /wp-admin/admin-ajax.php.
      • immediately update to version 1.3.7, to fix vulnerability. Consider owl CONTACTS as a more secure replacement candidate.
  4. PopCash.Net Code Integration Tool
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. PopCash.Net Publisher Code Integration plugin is prone to a cross-site scripting
      vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
      • immediately update to version 1.1 to fix vulnerability
  5. Easy Appointments
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. The Easy Appointments plugin before 1.12.0 for WordPress has XSS via a Settings values in the admin panel
      • immediately update to version 1.12.0 to fix vulnerability
  6. Caldera Forms
    • Authenticated Cross-Site Scripting (XSS) reported by Will Brand (https://wrbrand.com/). Caldera Forms is vulnerable to a reflected cross-site scripting vulnerability in the “edit” parameter, which is not properly escaped before being printed in an HTML attribute. An attacker can use this to craft URLs that, when clicked, result in malicious JavaScript being executed. Because Caldera Forms uses ‘wp_rest’ nonces to access the WordPress REST API – a common practice among plugin developers – this Javascript may include anything the user is capable of doing in the REST API.
      • immediately update to version 1.5.5 to fix vulnerability. Consider owl CONTACTS as a more secure replacement candidate.
  7. User Login History
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. Multiple cross-site scripting (XSS) vulnerabilities in the user-login-history plugin through 1.5.2 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) date_from, (2) date_to, (3) user_id, (4) username, (5) country_name, (6) browser, (7) operating_system, or (8) ip_address parameter to admin/partials/listing/listing.php.
      • immediately update to version 1.6 to fix vulnerability
  8. WordCamp Talks
    • Formula injection via CSV exports reported by Dewhurst Security. The WordCamp Talks plugin does not attempt to sanitize CSV exports, which can lead to spreadsheet formula injection via malicious inputs.
      • immediately update to version 1.0.0 Beta3 to fix vulnerability
  9. Shortcodes Ultimate
    • Authenticated Contributor Code Execution reported by Robert Mathews (https://tigertech.net/). The Shortcodes Ultimate plugin does not sanitize the "filter" argument to the "su_meta", "su_user", and "su_post" shortcodes, allowing the filter to be set to the "system()" function which runs arbitrary code. This is being exploited in the wild; I discovered this through analysis of mod_security audit logs on two compromised sites today.
      • immediately update to version 5.0.1 to fix vulnerability
  10. Ultimate Instagram Feed
    • Authenticated Cross-Site Scripting (XSS) reported by Dimopoulos Elias ). The vulnerability lies in the "*access_token*" parameter and can cause reflected *XSS* vulnerability.
    • immediately update to version 1.3.1 to fix vulnerability
    • Authenticated Cross-Site Scripting (XSS) reported by Gilzow https://missouri.edu/?q=giving&start=40). XSS vulnerability remains in 1.3 and 1.3.1 as the author passes _GET['access_token'] to sanitize_text_field(). However, the value is inserted into an attribute of an element, and sanitize_text_field() does not filter for quotes (single or double). Therefore, injecting %22+onblur%3D%22alert%281%29 for access_token will still result in an exploitable injection.
      • NO updates provided from developer to fix vulnerability. Remove plugin immediately.
  11. WPML Translation Management
    • PHP Object Injection reported by Thomas Chauchefoin (Synacktiv - https://www.synacktiv.com/en/. No public disclosure provided.
      • immediately update to version 2.4.2 to fix vulnerability
  12. Simple Events Calendar
    • Authenticated SQL Injection reported by Lenon Leite (https://lenonleite.com.br/). Type user access: administrator user. "$_POST[‘event_id’]" is not escaped.
      • NO updates provided from developer to fix vulnerability. Remove plugin immediately.
  13. Events
    • Authenticated SQL Injection reported by Lenon Leite (https://lenonleite.com.br/). Type user acces: administrator user. "$_GET[‘edit_event’]" is not escaped.
      • NO updates provided from developer to fix vulnerability. Remove plugin immediately.
  14. JTRT Responsive Tables
    • Authenticated SQL Injection reported by Dewhurst Security. Type user acces: registered single user. "$_POST[‘tableId’]" is not escaped.
      • immediately update to version 4.1.1 to fix vulnerability
  15. Active Directory Integration
    • Authenticated SQL Injection reported by Dewhurst Security. Type user access: administrator. Target need have configured LDAP and active. "$_GET[‘userid’]" is not escaped.
      • NO updates provided from developer to fix vulnerability. Remove plugin immediately.
  16. UserPro
    • Authentication Bypass reported by Colette Chamberland, Iain Hadgraft https://www.wordfence.com/. The UserPro plugin has the ability to bypass login authentication for the user 'admin'. If the site does not use the standard username 'admin' it is not affected. If the site has a default 'admin' user you will now see the wp menu at the top of the site and you are logged in will full administrator access.
      • immediately update to version 4.9.17.1 to fix vulnerability
  17. WP Support Plus Responsive Ticket System
    • Remote Code Execution (RCE) reported by Robert Mathews (https://tigertech.net/). WP Support Plus Responsive Ticket System <= 8.0.7 allows anyone to upload PHP files with extensions like ".phtml", ".php4", ".php5", and so on, all of which are run as if their extension was ".php" on most hosting platforms.
      • immediately update to version 8.0.8 to fix vulnerability
  18. Email Log
    • Stored Cross-Site Scripting (XSS) reported by Dewhurst Security. Only proof of concept disclosed.
      • immediately update to version 2.2.3 to fix vulnerability
  19. WP Mail Logging
    • Stored Cross-Site Scripting (XSS) reported by Dewhurst Security. Only proof of concept disclosed.
      • immediately update to version 1.8.3 to fix vulnerability
  20. bbPress
    • Unauthenticated SQL Injection reported by Dewhurst Security. Requires anonymous posting option to be enabled and WordPress version < 4.8.3.
      • NOT patched by bbPress! Updating to WordPress 4.8.3 fixes this issue
  21. Duplicator
    • Stored Cross-Site Scripting (XSS) reported by Dewhurst Security. installer.php in the Snap Creek Duplicator (WordPress Site Migration & Backup) plugin before 1.2.30 for WordPress has XSS because the values "url_new" (/wp-content/plugins/duplicator/installer/build/view.step4.php) and "logging" (wp-content/plugins/duplicator/installer/build/view.step2.php) are not filtered correctly.
      • immediately update to version 1.2.29 to fix vulnerability
  22. Formidable Forms
    • Multiple Vulnerabilities reported by Dewhurst Security. The plugin implemented a form preview AJAX function accessible to anyone without authentication. The function accepted some parameters affecting the way it generates the form preview HTML. Parameters after_html and before_html could be used to add custom HTML after and before the form. Most of the vulnerabilities relied on this feature.
      • immediately update to version 2.05.03 to fix vulnerability. Consider owl CONTACTS as a more secure replacement candidate.
  23. Yoast SEO
    • Unauthenticated Cross-Site Scripting (XSS) reported by Dewhurst Security. Vulnerability in admin/google_search_console/class-gsc-table.php in the Yoast SEO plugin before 5.8.0 for WordPress allows remote attackers to inject arbitrary web script or HTML.
      • immediately update to version 5.8 to fix vulnerability
  24. TablePress
    • Authenticated XML External Entity (XXE) reported by Dewhurst Security. TablePress prior to version 1.8.1 allows an attacker to conduct XML External Entity (XXE) attacks via unspecified vectors.
      • immediately update to version 1.8.1 to fix vulnerability
  25. InLinks
    • Authenticated SQL Injection reported by Dimopoulos Elias ). SQL injection is POST parameter "keyword". Affected file inlinks/inlinks.php
      • DELETE immediately to fix vulnerability. This plugin has been closed and is no longer available for download.
  26. Elementor Page Builder
    • Authenticated Unrestricted Editing reported by James Golovich (https://pritect.net/). Many AJAX actions are unsecured, allowing logged in users unrestricted access to the internal Elementor functions.
      • immediately update to version 1.8.0 to fix vulnerability
  27. Emag Marketplace Connector
    • Unauthenticated Cross-Site Scripting (XSS) reported by Dewhurst Security. The Emag Marketplace Connector plugin 1.0.0 for WordPress has reflected XSS because the parameter "post" to /wp-content/plugins/emag-marketplace-connector/templates/order/awb-meta-box.php is not filtered correctly.
      • immediately update to version 1.0.1 to fix vulnerability

Protect your WordPress: BEFORE IT'S TOO LATE! You will also protect your customers, your reputation and your online business!

WP Security

Related Posts

THEMES VULNERABILITY 2022
WP Theme CVE DEC 2023: 24 Premium Hack risk
04 Dec 2023
THEMES VULNERABILITY 2022
Disempowered WP Security: 2 WP themes vulnerability JUL 2022
14 Jul 2022
WP SECURITY PLUGIN VULNERABILITIES
WP Security CVE APR 2024: 18 public plugin risks
29 Apr 2024
WP SECURITY PLUGIN VULNERABILITIES
30 WP Security Plugin Vulnerabilities JUN 2023
26 Jun 2023
THEMES VULNERABILITY 2022
WP Theme CVE FEB 2024: 5 Premium Hack risk
05 Feb 2024
SECURITY
WP Security: 30 scary happenings worth reading from February 2019

WP Security: 30 scary happenings worth reading from February 2019     Do you have any concerns with WordPress Security? Leave your thoughts in the comments below!

07 Mar 2019
WP CORE VULNERABILITY 2022
WP Core Vulnerability JAN 2023: NO bug fix
09 Jan 2023
LOGS
The value of logs for WordPress Security and Audit

The value of logs for WordPress Security and Audit What is a Server LOG? A server log is a log file (or several files) automatically created and maintained by a server consisting of a list of activities it performed. More recent entries are typically appended to the end of the…

26 Feb 2019
CLOUD SERVICES
New Attack Vectors: CLOUD SERVICES

Social Engineering exploits More businesses are moving to the cloud, creating new kinds of risk. Analysing how attackers are getting access to this infrastructure—and how some users are inadvertently misusing it — provides critical insight into how to better protect against these new threats. The cloud and software-as-a-service (SaaS) apps…

13 Aug 2018
WP SECURITY
WP Security: 14 plugin vulnerabilities in March 2018

For your WP Security, be informed about the latest vulnerabilities in WordPress plugins: NextGEN Gallery BYPASS reported by Dewhurst Security. In the nextgen-gallery plugin before 2.2.50 for WordPress, gallery paths are not secured. immediately upgrade to version 2.2.50 to fix the vulnerability Category Order and Taxonomy Terms Order A1: Injection…

02 Apr 2018
THEMES VULNERABILITY 2022
WP Theme CVE DEC 2024: 21 Premium Hack risk
15 Dec 2024
BROWSER UPDATE
Update your browser

Security: Newer browsers protect you better against viruses, scams and other threats. Outdated browsers are slow and have security holes. Speed: Every new browser generation improves speed. Even minor updates can make a considerable difference to speed factors. Technological compatibility: Modern websites are taking advantages of all the new features…

17 May 2017
THEMES VULNERABILITY 2022
WP Themes vulnerability FEB 2023: 11 premium risks
07 Feb 2023
THEMES VULNERABILITY 2022
Disempowered WP Security: 6 WP themes vulnerability JUL 2021
18 Aug 2021
WP SECURITY INCREASE
WP Security needs constant care

Nothing online is 100% secure and your WordPress is no exception to this rule. Since WordPress is powering at least a quarter of all websites worldwide, the platform is naturally an irresistible target for many attacks over the years. In this post – Never let your WP become an attack…

16 Feb 2017
owlpower.eu
owlpower.eu
owlpower.eu
16+ years of owlsome experience
We're on an empowering mission for website owners, who desire not to be transformed forcefully into IT experts.