Scroll Top

WP Security: 9 plugin vulnerabilities in December

By Csaba, Miklós WP Security WP SERVICES 3 January 2018

WP SECURITY: PLUGIN VULNERABILITIES DECEMBER

For your WP Security, be informed about the latest vulnerabilities in WordPress plugins:

  1. WP Mailster
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. The WP Mailster plugin before 1.5.5 for WordPress has XSS in the unsubscribe handler via the mes parameter to view/subscription/unsubscribe2.php.
      • immediately update to version 1.5.5 to fix vulnerability
  2. Smart Marketing SMS and Newsletters Forms
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. WordPress Smart Marketing SMS and Newsletters Forms plugin version 1.1.1 suffers from a persistent cross-site scripting vulnerability.
      • NO updates provided from developer to fix vulnerability. Remove plugin immediately.
  3. AccessPress Anonymous Post Pro
    • SQL Injection reported by Dewhurst Security. Improper sanitization allows the attacker to override the settings for allowed file extensions and upload file size. This allows the attacker to upload anything they want, bypassing the filters.
      • immediately update to version 3.2.0, to fix vulnerability.
  4. Content Cards
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. Cross-site scripting (XSS) vulnerability in the Content Cards plugin before 0.9.7 for WordPress allows remote attackers to inject arbitrary JavaScript via crafted OpenGraph data.
      • immediately update to version 0.9.7 to fix vulnerability
  5. Custom Map
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. A cross-site scripting (XSS) vulnerability in the custom-map plugin through 1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the map_id parameter to view/advancedsettings.php.
      • This plugin was closed on December 21, 2017 and is no longer available for download.
  6. WordPress Concours
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. A cross-site scripting (XSS) vulnerability in the wp-concours plugin through 1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the result_message parameter to includes/concours_page.php.
      • This plugin was closed on December 21, 2017 and is no longer available for download..
  7. Duplicate Page and Post
    • Backdoor reported by erwanlr (twitter.com/erwan_lr). The backdoor makes a request to cloud-wp.org and will return content based on the URL and user agent passed in the query string. This code runs on every request to the site, so it can be used to inject content to normal site visitors, web crawlers, or the site administrators.
      • This plugin was closed on December 14, 2017 and is no longer available for download..
  8. No Follow All External Links
    • Backdoor reported by erwanlr (twitter.com/erwan_lr). The backdoor makes a request to cloud.wpserve.org and returns content based on the URL and user agent passed in the query string. Content injection looks to be bound to a setting in the plugin called “Improvement scheme” which is enabled by default. Disabling the setting doesn’t actually turn off the injection since the code in the if statement is setting the value instead of comparing it to 1. The code verifies that the user agent matches a web crawler (like Googlebot), so it looks like this backdoor is used for SEO by injecting backlinks onto the page.
      • This plugin was closed on December 19, 2017 and is no longer available for download..
  9. WP No External Links
    • Backdoor reported by erwanlr (twitter.com/erwan_lr). In the same manner as the previous two backdoors, this one makes a request to wpconnect.org and returns content based on the URL and user agent passed in the query string. The code verifies that the user agent matches a web crawler, so, again, it looks like this backdoor is used for SEO by injecting backlinks onto the page. Wpconnect.org resolves to the same IP as cloud-wp.org, 52.14.28.183, the API endpoint used in the Duplicate Page and Post backdoor.
      • This plugin has been closed for new installs..

Protect your WordPress: BEFORE IT'S TOO LATE! You will also protect your customers, your reputation and your online business!

WP Security

Related Posts

FAIL IN SECURITY
WordPress Security vs DIY

WordPress Security is one of those topics that divide people into three separate groups: some people enjoy outsourced services, some people really enjoy saving a few bucks by doing it themselves and some business owners simply just don’t mind. Let’s see how this decision affects their business in short and…

22 May 2017
THEMES VULNERABILITY 2022
Disempowered WP Security: 6 WP themes vulnerability JUL 2021
18 Aug 2021
SAFETY
Convenience versus Safety for WordPress Security

Convenience vs Safety for WordPress Security It isn’t simple to be safe and secure all the time – this is especially true if you are brand-new to online security. Even the best WordPress Security plan needs intentional effort for everybody involved. And it must be supervised with constant vigilance. Unfortunately,…

27 Feb 2019
THEMES VULNERABILITY 2022
WP Themes vulnerability DEC 2022: 3 premium risks
12 Dec 2022
THEMES VULNERABILITY 2022
WP Themes vulnerability SEP 2022: 2 new risks
06 Sep 2022
WP SECURITY QUIZ
Minimal WordPress Security guidelines for online small businesses

WordPress Security: Minimal guidelines for online small businesses Every small company deals with unique problems in protecting its information, its WordPress Security. This guide will help you identify your risk model and take the essential actions safeguarding your business. Cybersecurity belongs to any online service since YESTERDAY. As profit-seeking entities…

26 Jun 2019
WP SECURITY
WP Security: plugin vulnerabilities September

For your WP Security, be informed about the latest vulnerabilities in WP plugins: Participants Database Cross site scripting (XSS) reported by Benjamin Lim (https://limbenjamin.com). Exploit allows attackers to inject arbitrary Javascript via the Name parameter. immediately update to version 1.7.5.9 to fix vulnerability Display Widgets Backdoored reported by Jonas Lejon…

01 Oct 2017
WP SECURITY
WordPress protection: Core vulnerabilities September

For your WordPress protection, be informed about the latest WordPress Core vulnerabilities fixed in security release WordPress 4.8.2 from September 2017. WordPress versions 4.8.1 and earlier are affected by these security issues: $wpdb->prepare() can create unexpected and unsafe queries leading to potential SQL injection (SQLi). WordPress core is not directly…

02 Oct 2017
PHISING MEME
Cybercrime PAY$$ phishing scams insider to deploy Ransomware
30 Aug 2021
BREAKING NEWS
BREAKING NEWS: 14 million attacks per hour and rising!

A MASSIVE distributed brute force attack campaign aimed only at WordPress sites started THIS MORNING at 3 AM UTC (Coordinated Universal Time), (3 AM United Kingdom, England; 4 AM Germany; 5 AM Romania). It uses a large number of attacking IPs, and each IP is generating a huge number of…

19 Dec 2017
THEMES VULNERABILITY 2022
WP Themes vulnerability AUG 2022: 3 new risks
16 Aug 2022
UNDERWATER FIRE
Why is your WordPress Security always under fire?

Why is your WordPress Security always under fire? WordPress IS THE SAFEST and most popular content management system (CMS). There is no doubt about this. However, the truth is, all sites are targets for hackers so nobody is immune. Even a fresh install of WordPress with nothing on it, without…

01 Mar 2019
WP SECURITY
Latest security concern – FEB 2017

A year ago, when DROWN hit the news (read more here: SSL vulnerability affects 33% of the web) it was covered everywhere. All websites talked about. We talked about. Our customers did not understand and they were not scared. We ran at that time a FREE check campaign to see…

15 Feb 2017
THEMES VULNERABILITY 2022
WP Theme CVE APR 2024: 20 Premium Hack risk
16 Apr 2024
WP SECURITY
WP Security: 21 plugin vulnerabilities in March 2019

WP Security bulletin – March 2019 At your next scheduled WordPress Maintenance, be advised for your WP Security about the latest 21 vulnerabilities in WordPress plugins identified and reported publicly. As these vulnerabilities are disclosed, when you use one (or more) of these outdated plugins – your risking serious WordPress…

09 Apr 2019
owlpower.eu
owlpower.eu
owlpower.eu
16+ years of owlsome experience
We're on an empowering mission for website owners, who desire not to be transformed forcefully into IT experts.