Scroll Top

WP Security: 6 plugin vulnerabilities in February 2019

By Csaba, Miklós WP Security 8 March 2019

WP SECURITY: 6 PLUGIN VULNERABILITIES IN FEBRUARY 2019

WP Security bulletin - February 2019

At your next scheduled WordPress Maintenance, be advised for your WP Security about the latest 6 vulnerabilities in WordPress plugins identified and reported publicly. As these vulnerabilities are disclosed, when you use one (or more) of these outdated plugins - your risking serious WordPress breaches to your site(s).

  • NextGen Gallery
    • Authenticated PHP Object Injection reported by Slavco (@mslavco). Legacy serialization handling allows unserialize of user input for low privileged users, leading to RCE.
      • WP Security recommendation: immediately upgrade to version 3.1.7 to fix the vulnerability.
  • Parallax Scroll
    • Cross-Site Scripting (XSS) reported by Adam Robinson. In the Parallax Scroll (aka adamrob-parallax-scroll) plugin before 2.0 for WordPress, includes/adamrob-parralax-shortcode.php allows XSS via the title text. ("parallax" has a spelling change within the PHP filename.)
      • WP Security recommendation: immediately upgrade to version 2.1 to fix the vulnerability.
  • Simple Social Buttons
    • BYPASS reported by Luka Šikić (WebARX). Improper application design flow, chained with lack of permission check resulted in privilege escalation and unauthorized actions in WordPress installation allowing non-admin users, even subscriber user type to modify WordPress installation options from the wp_options table.
      • WP Security recommendation: immediately upgrade to version 2.0.22 to fix the vulnerability.

 


Get Healthy, Stay Healthy: A healthier online business starts today and it begins with you!

WP Security

The following WordPress plugin vulnerabilities are extremely dangerous since the active installations are in the millions OR the reported vulnerabilities were never patched. The potential risk goes up each day as more and more bad intended persons find out about these vulnerabilities. WP Security compromised by plugins from Automattic, WPMU DEV and Codecanyon.

  • WooCommerce
    • Stored Cross-Site Scripting (XSS) reported by Zhouyuan Yang of Fortinet's FortiGuard Labs. WooCommerce before 3.5.5 allows XSS via a Photoswipe caption. It is caused by inadequate filtering on the image caption.
      • WP Security recommendation: immediately upgrade to version 3.5.5 to fix the vulnerability.
  • Forminator
    • Unauthenticated Persistent XSS via polls reported by Tim Coen. Custom fields of a poll are not properly encoded when showing results of a poll, leading to persistent XSS.
    • Authenticated Blind SQL Injection: Delete Submission reported by Tim Coen. The action of deleting submissions is vulnerable to blind SQL injection. An attacker can exploit this to extract data from the database.
    • Self-XSS reported by Tim Coen. When uploading a file in a form, the filename is inserted into the DOM, leading to XSS.
    • Tab Napping reported by Tim Coen. The website input of a form does not use the noreferrer and noopener rel attributes and is thus vulnerable to tab napping.
    • CSV Injection reported by Tim Coen. The export feature is vulnerable to CSV injection. An attacker could inject malicious data via form submissions which may lead to the disclosure of information when exported and viewed with a spreadsheet program.
      • WP Security recommendation: immediately upgrade to version 1.6 to fix all the vulnerabilities.
  • WP Cost Estimation
    • Arbitrary File Upload and Delete reported by Chris (@_FireFart_). The workflow for exploiting an arbitrary file delete flaw is usually the same: Delete the vulnerable site’s wp-config.php file. With no database configuration, WordPress assumes a fresh install is taking place. The attacker is then free to connect the site to their own remote database, log in as an administrator, and upload backdoors through the dashboard.
    • Upload Directory Traversal reported by Chris (@_FireFart_). Unfortunately, only forms created in the patched version would have an associated randomSeed value stored in the database. Forms which existed prior to the patch, which would certainly be the case for the majority of users, had an empty randomSeed value. This empty value does nothing when appended to the $formSession path, which leaves these forms vulnerable.
      • WP Security recommendation: immediately upgrade to version 9.644 to fix both vulnerabilities.

 

 

Protect your WordPress: BEFORE IT'S TOO LATE! You will also protect your customers, your reputation and your online business!

WP Security
Do you have any concerns with WP Security? Leave your thoughts in the comments below!

Related Posts

THEMES VULNERABILITY 2022
Disempowered WP Security: 13 WP themes vulnerability APR 2021
19 May 2021
WP SECURITY
4 WordPress Core Vulnerabilities in March 2018

For your WordPress protection, be informed about the latest WordPress Core vulnerabilities, fixed in WordPress 4.9.5 Security and Maintenance Release from April 3, 2018. WordPress versions 4.9.4 and earlier are affected by three security issues. As part of the core team’s ongoing commitment to security hardening, the following fixes have…

12 Apr 2018
WP SECURITY PLUGIN VULNERABILITIES
WP Security Plugin CVE NOV 2023: 12 public risks
28 Nov 2023
WP SECURITY
WP Security: 3 theme vulnerabilities in May 2019

WP Security bulletin – May 2019 At your next scheduled WordPress Maintenance, be advised for your WP Security about the latest 3 vulnerabilities in a premium WordPress theme identified and reported publicly in May 2019. As these vulnerabilities are disclosed, when you use one (or more) of these outdated themes…

17 Jun 2019
WP SECURITY
7 WordPress Security Core Vulnerabilities in December 2018

7 WordPress Security Core Vulnerabilities in December 2018 For your WordPress Security, be informed about the NEW WP Core Vulnerabilities. Publicly known since its first official report on December 14, 2018. WordPress <= 5.0 – Authenticated File Delete Description: Karim El Ouerghemmi discovered that authors could alter meta data to…

10 Jan 2019
WP SECURITY
WP Security: 31 plugin vulnerabilities in May 2019

WP Security bulletin – May 2019 At your next scheduled WordPress Maintenance, be advised for your WP Security about the latest 31 vulnerabilities in WordPress plugins identified and reported publicly in May 2019. As these vulnerabilities are disclosed, when you use one (or more) of these outdated plugins – your…

13 Jun 2019
WP SECURITY PLUGIN VULNERABILITIES
66 WP Security Plugin Vulnerabilities AUG 2022
18 Aug 2022
WP SECURITY PLUGIN VULNERABILITIES
65 WP Security Plugin Vulnerabilities DEC 2022
07 Dec 2022
THEMES VULNERABILITY 2022
Disempowered WP Security: #1 WP themes vulnerability MAY 2022
11 May 2022
THEMES VULNERABILITY 2022
WP Themes vulnerability JUN 2023: 27 premium risks
05 Jun 2023
THEMES VULNERABILITY 2022
Disempowered WP Security: 6 WP themes vulnerability JUL 2021
18 Aug 2021
THEMES VULNERABILITY 2022
Disempowered WP Security: 2 WP themes vulnerability JUL 2022
14 Jul 2022
WP SECURITY
WP Security: 2 premium theme vulnerabilities in February 2018

For your WP Security, be informed about the latest vulnerabilities in WordPress themes: Enfold Theme Rewrite Portfolio Permalink Structure & Information Disclosure reported by Dan Benton https://www.dogsbodytechnology.com/. The changelog describes two security fixes: a security issue that would allow an attacker to export your enfold [theme] settings AND a security…

05 Mar 2018
COFFEE HOUSE
public WiFi dashboard access versus paranoid WordPress Security?

public WiFi dashboard access versus paranoid WordPress Security The world is a wonderful place, and we’re not going to say otherwise. It is not our style to exploit scare tactics. However, most of the time is highly advisable to have a dose of paranoia when it’s about your WP Security….

04 Jul 2019
ONE CLICK CHECKOUT PAGE
Social engineering – the power of a single click

Attackers have relied more and more on social engineering to trick users into revealing credentials, installing malware or wiring funds. Few of us are still tempted to send money to distressed Nigerian princes anymore. But the basic principles behind those early email scams are alive and well. We see them…

08 Aug 2018
owlpower.eu
owlpower.eu
owlpower.eu
16+ years of owlsome experience
We're on an empowering mission for website owners, who desire not to be transformed forcefully into IT experts.