WP Security bulletin – April 2019
Wait… what? April? Yes, you read correctly. There was quite a bit of drama involved with several big names, affecting a lot of online WordPress sites. We offered time to clear their names and to patch up their “not guilty until proven otherwise” code. Unfortunately, its the otherwise case. “It is nice to be important, but it’s more important to be nice.”
At your next scheduled WordPress Maintenance, be advised for your WP Security about the latest 14 vulnerabilities in WordPress plugins identified and reported publicly in April 2019. As these vulnerabilities are disclosed, when you use one (or more) of these outdated plugins – your risking serious WordPress breaches to your site(s).
- WP Statistics
- Referer Cross-Site Scripting (XSS) reported by Manuel Fernández-Aramburu (Innotec Security). The WP Statistics plugin through 12.6.2 for WordPress has XSS, allowing a remote attacker to inject arbitrary web script or HTML via the Referer header of a GET request.
- WP Security recommendation: immediately upgrade to version 12.6.4 to fix the vulnerability.
- Referer Cross-Site Scripting (XSS) reported by Manuel Fernández-Aramburu (Innotec Security). The WP Statistics plugin through 12.6.2 for WordPress has XSS, allowing a remote attacker to inject arbitrary web script or HTML via the Referer header of a GET request.
- Duplicate Page
- Authenticated SQL Injection reported by Marc-Alexandre Montpas. This vulnerability is exploitable by any users with an account on the vulnerable site (regardless of the privileges they have – e.g., subscribers).
- WP Security recommendation: immediately upgrade to version 3.4 to fix the vulnerability.
- Authenticated SQL Injection reported by Marc-Alexandre Montpas. This vulnerability is exploitable by any users with an account on the vulnerable site (regardless of the privileges they have – e.g., subscribers).
- Print My Blog
- Unauthenticated Server Side Request Forgery (SSRF) reported by Magnus K. Stubman and Ryan Dewhurst. Server Side Request Forgery (SSRF) exists in the Print My Blog plugin before 1.6.7 for WordPress via the site parameter.
- WP Security recommendation: immediately upgrade to version 1.6.6 to fix the vulnerability.
- Unauthenticated Server Side Request Forgery (SSRF) reported by Magnus K. Stubman and Ryan Dewhurst. Server Side Request Forgery (SSRF) exists in the Print My Blog plugin before 1.6.7 for WordPress via the site parameter.
- YellowPencil Visual CSS Style Editor
- Unauthenticated Arbitrary Options Updates reported by Ryan Dewhurst. The WaspThemes Visual CSS Style Editor (aka yellow-pencil-visual-theme-customizer) plugin before 7.2.1 for WordPress allows yp_option_update CSRF, as demonstrated by use of yp_remote_get to obtain admin access.
- WP Security recommendation: immediately upgrade to version 7.2.1 to fix the vulnerability.
- Unauthenticated Arbitrary Options Updates reported by Ryan Dewhurst. The WaspThemes Visual CSS Style Editor (aka yellow-pencil-visual-theme-customizer) plugin before 7.2.1 for WordPress allows yp_option_update CSRF, as demonstrated by use of yp_remote_get to obtain admin access.
- WordPress Download Manager
- Authenticated Cross-Site Scripting (XSS) reported by MgThuraMoeMyint. In the pro features of the WordPress download manager plugin, there is a Category Short-code feature witch will execute any added payload. Another reflected cross-site scripting via advance search.
- WP Security recommendation: immediately upgrade to version 2.9.94 to fix the vulnerability.
- Authenticated Cross-Site Scripting (XSS) reported by MgThuraMoeMyint. In the pro features of the WordPress download manager plugin, there is a Category Short-code feature witch will execute any added payload. Another reflected cross-site scripting via advance search.
Our only security is our ability to change. ~ John Lilly
- Contact Form Builder
- CSRF to LFI reported by Panagiotis Vagenas. he WebDorado Contact Form Builder plugin before 1.0.69 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST[‘action’] value and the $_GET[‘action’] value, and the latter is unsanitized.
- WP Security recommendation: immediately upgrade to version 1.0.69 to fix the vulnerability or consider owl CONTACTS as a more secure replacement candidate.
- CSRF to LFI reported by Panagiotis Vagenas. he WebDorado Contact Form Builder plugin before 1.0.69 for WordPress allows CSRF via the wp-admin/admin-ajax.php action parameter, with resultant local file inclusion via directory traversal, because there can be a discrepancy between the $_POST[‘action’] value and the $_GET[‘action’] value, and the latter is unsanitized.
- Contact Form by WD
- Cross-Site Request Forgery to LFI reported by panVagenas. Plugin Contact Form by WD suffers from CSRF issues that could lead to an LFI attack.
- WP Security recommendation: immediately upgrade to version 1.13.5 to fix the vulnerability or consider owl CONTACTS as a more secure replacement candidate.
- Cross-Site Request Forgery to LFI reported by panVagenas. Plugin Contact Form by WD suffers from CSRF issues that could lead to an LFI attack.
- Form Maker by 10Web
- Cross-Site Request Forgery (CSRF) to LFI reported by panVagenas. Form Maker by WD plugin suffers from a CSRF issue that could lead to an LFI attack.
- WP Security recommendation: immediately upgrade to version 1.13.5 to fix the vulnerability or consider owl CONTACTS as a more secure replacement candidate.
- Cross-Site Request Forgery (CSRF) to LFI reported by panVagenas. Form Maker by WD plugin suffers from a CSRF issue that could lead to an LFI attack.
- Download Advanced Contact form 7 DB
- Authenticated SQL Injection reported by Ryan Dewhurst. While plugin users won’t necessarily see anything malicious on the website, the most obvious indicator of compromise would be malicious content found within the database.
- WP Security recommendation: immediately upgrade to version 1.6.1 to fix the vulnerability or consider owl CONTACTS as a more secure replacement candidate.
- Authenticated SQL Injection reported by Ryan Dewhurst. While plugin users won’t necessarily see anything malicious on the website, the most obvious indicator of compromise would be malicious content found within the database.
Protect your WordPress: BEFORE IT’S TOO LATE! You will also protect your customers, your reputation and your online business!
The following WordPress plugin vulnerabilities are extremely dangerous since the active installations are in the millions OR the reported vulnerabilities were never patched. The potential risk goes up each day as more and more bad intended persons find out about these vulnerabilities.
- Yuzo Related Posts
- Unauthenticated Call Any Action or Update Any Option reported by Daniel van Dorp. At the time of writing, no patch was available and the plugin had been removed from the official WordPress plugin repository.
- WP Security recommendation: immediately remove THIS plugin to avoid the vulnerability. This plugin was closed on March 30, 2019 and is no longer available for download. Reason: Security Issue.
- Unauthenticated Call Any Action or Update Any Option reported by Daniel van Dorp. At the time of writing, no patch was available and the plugin had been removed from the official WordPress plugin repository.
- WooCommerce Checkout Manager
- Arbitrary File Upload reported by Ryan Dewhurst. Conditional Arbitrary File Upload + Unauthenticated Media Deletion Flaw. Critical Unpatched Flaw Disclosed in WordPress WooCommerce Extension.
- WP Security recommendation: immediately upgrade to version 4.3 to fix the vulnerability.
- Arbitrary File Upload reported by Ryan Dewhurst. Conditional Arbitrary File Upload + Unauthenticated Media Deletion Flaw. Critical Unpatched Flaw Disclosed in WordPress WooCommerce Extension.
- Social Warfare
- Unauthenticated Remote Code Execution (RCE) reported by Luka Sikic. Unauthenticated remote code execution has been discovered in functionality that handles settings import.
- WP Security recommendation: immediately upgrade to version 3.5.3 to fix the vulnerability.
- Unauthenticated Remote Code Execution (RCE) reported by Luka Sikic. Unauthenticated remote code execution has been discovered in functionality that handles settings import.
- WP Google Maps
- Unauthenticated SQL Injection reported by Thomas Chauchefoin. In the wp-google-maps plugin before 7.11.18 for WordPress, includes/class.rest-api.php in the REST API does not sanitize field names before a SELECT statement.
- WP Security recommendation: immediately upgrade to version 7.11.18 to fix the vulnerability.
- Unauthenticated SQL Injection reported by Thomas Chauchefoin. In the wp-google-maps plugin before 7.11.18 for WordPress, includes/class.rest-api.php in the REST API does not sanitize field names before a SELECT statement.
- Ultimate Member
- Cross-Site Request Forgery (CSRF) reported by Georg Knabl and Ryan Dewhurst. A CSRF vulnerability in a logged-in user’s profile edit form in the Ultimate Member plugin 2.0.38 for WordPress allows attackers to become admin and subsequently extract sensitive information and execute arbitrary code. This occurs because the attacker can change the e-mail address in the administrator profile, and then the attacker is able to reset the administrator password using the WordPress ‘password forget’ form.
- WP Security recommendation: immediately upgrade to version 2.0.40 to fix the vulnerability.
- Cross-Site Request Forgery (CSRF) reported by Georg Knabl and Ryan Dewhurst. A CSRF vulnerability in a logged-in user’s profile edit form in the Ultimate Member plugin 2.0.38 for WordPress allows attackers to become admin and subsequently extract sensitive information and execute arbitrary code. This occurs because the attacker can change the e-mail address in the administrator profile, and then the attacker is able to reset the administrator password using the WordPress ‘password forget’ form.
Protect your WordPress: BEFORE IT’S TOO LATE! You will also protect your customers, your reputation and your online business!
