WP Security: plugin vulnerabilities August

August 31, 2017
For your , be informed about the latest vulnerabilities in WP plugins:

  1. AddToAny Share Buttons
    • Conditional Host Header Injection reported by Paul Dannewitz. It's possible to inject a custom Host header, which is then used to build the link that gets shared on social media platforms when users click the buttons. Combined with web cache poisoning, every user would share the malicious website.
      • Update immediately to version 1.7.14 to fix the vulnerability
  2. Embed Images in Comments
    • Unauthenticated Stored Cross-Site Scripting (XSS) reported by Gennady (https://codeseekah.com). Unescaped src and href attribute replacements allow breaking out of the generated replacement tags.
      • Update immediately to version 0.5 to fix the vulnerability
  3. Photo Gallery by WD
    • Authenticated Cross-Site Scripting (XSS) reported by Dewhurst. The exploit allows an attacker to inject arbitrary web script or HTML via unspecified vectors.
      • Update immediately to version 1.1.46 to fix the vulnerability
  4. BackupGuard
    • Authenticated Cross-Site Scripting (XSS) reported by Dewhurst. The exploit allows an attacker to inject arbitrary web script or HTML via unspecified vectors.
      • Update immediately to version 1.1.46 to fix the vulnerability
  5. WooCommerce Product Vendors
    • Unauthenticated Reflected Cross-Site Scripting (XSS) reported by Dewhurst. The exploit allows an attacker to inject arbitrary web script or HTML via unspecified vectors.
      • Update immediately to version 2.0.27 to fix the vulnerability
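
The class of bug described under Embed Images in Comments (item 2), as an added illustration that is not the plugin's own code: an image URL found in a comment is pasted into `src` and `href` attributes, first unescaped and then escaped for the attribute context. The function names, the regex and the sample comment are hypothetical and constructed for this example, and the rest of the comment text is assumed to be sanitised by the platform before this step.

```php
<?php
// Hypothetical pattern (an assumption): anything that looks like an image URL.
// \S+ also matches quote characters, which is what makes escaping matter.
const IMG_URL_RE = '~https?://\S+\.(?:png|jpe?g|gif)~i';

// BEFORE: the matched text goes into the attributes as-is. A double quote
// inside the match ends the attribute value early, and whatever follows it
// is parsed by the browser as additional attributes on the generated tag.
function embed_images_unsafe(string $comment): string
{
    return preg_replace(IMG_URL_RE, '<a href="$0"><img src="$0"></a>', $comment);
}

// AFTER: each match is escaped for an HTML attribute before it is inserted,
// so quotes and angle brackets stay inside the attribute value.
// In a WordPress plugin, esc_url() / esc_attr() are the usual helpers;
// htmlspecialchars() keeps this example runnable without WordPress loaded.
function embed_images_safe(string $comment): string
{
    return preg_replace_callback(
        IMG_URL_RE,
        function (array $m): string {
            $attr = htmlspecialchars($m[0], ENT_QUOTES, 'UTF-8');
            return '<a href="' . $attr . '"><img src="' . $attr . '"></a>';
        },
        $comment
    );
}

// Constructed sample comment: the "URL" carries a quote and a harmless
// marker attribute, so the difference is visible in the generated markup.
$comment = 'Nice photo: https://img.example/cat.png"data-injected="1.png';

echo "unsafe: ", embed_images_unsafe($comment), "\n";
echo "safe:   ", embed_images_safe($comment), "\n";

// Regression check a plugin test suite could keep: the escaped output
// must never contain the marker as a standalone attribute.
if (strpos(embed_images_safe($comment), '"data-injected="') !== false) {
    fwrite(STDERR, "attribute breakout still possible\n");
    exit(1);
}
```

Run it with `php example.php`; the `unsafe:` line shows the marker as a separate attribute on both tags, while the `safe:` line keeps it inside the quoted attribute value as `&quot;`.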

Protect your WordPress!

BEFORE IT'S TOO LATE! You will also your customers, your reputation and your online business.

by Csaba Miklós