WP Security bulletin - March 2019
At your next scheduled WordPress maintenance, be advised of the latest 21 vulnerabilities in WordPress plugins that have been identified and publicly reported. Now that these vulnerabilities are disclosed, running one (or more) of these outdated plugins puts your site(s) at risk of a serious breach.
- Quiz And Survey Master (Formerly Quiz Master Next)
  - Cross-Site Scripting (XSS) reported by Ryan Dewhurst. The Quiz And Survey Master WordPress plugin is vulnerable to reflected XSS as it echoes the quiz_id parameter without proper encoding.
  - WP Security recommendation: immediately upgrade to version 6.2.2 to fix the vulnerability.
- Blog2Social: Social Media Auto Post & Scheduler
  - Cross-Site Scripting (XSS) reported by Ryan Dewhurst. The Blog2Social WordPress plugin is vulnerable to reflected XSS as it echoes the b2s_update_publish_date parameter without proper encoding.
  - WP Security recommendation: immediately upgrade to version 5.0.3 to fix the vulnerability.
- WP Support Plus Responsive Ticket System
  - Stored XSS reported by Christian Angel (KALASAG). Stored XSS is particularly dangerous in application areas where users with high privileges have access. When the administrator visits the vulnerable page, the attack is automatically executed by their browser. This might expose sensitive information such as session authorization tokens.
  - WP Security recommendation: immediately upgrade to version 9.1.2 to fix the vulnerability.
- Better Search
  - Unauthenticated SQL Injection reported by Ryan Dewhurst. The fix addresses a security issue in which the WHERE clause was not replaced in seamless mode.
  - WP Security recommendation: immediately upgrade to version 2.2.3 to fix the vulnerability.
- WordPress Social Sharing Plugin – Social Warfare
  - Unauthenticated Arbitrary Settings Update reported by Andrew Wilder (nerdpress.net). When the plugin is active, it causes the site to issue a JavaScript redirect to porn sites. Deactivating the plugin disables the redirect, but the malicious eval() is still in the database. The plugin has been pulled temporarily from the WordPress repository.
  - WP Security recommendation: immediately upgrade to version 3.5.3 to fix the vulnerability.
- Give – Donation Plugin and Fundraising Platform
  - Cross-Site Scripting (XSS) reported by Tim Coen. The "Donation Plugin and Fundraising Platform" plugin before 2.3.1 for WordPress has wp-admin/edit.php csv XSS.
  - WP Security recommendation: immediately upgrade to version 2.3.1 to fix the vulnerability.
- WP Google Maps
  - Cross-Site Scripting (XSS) reported by Tim Coen. The wpGoogleMaps WordPress plugin is vulnerable to reflected XSS as it echoes PHP_SELF without proper encoding. Successful exploitation allows an attacker to execute JavaScript in the context of the application in the name of an attacked user. This in turn enables an attacker to bypass CSRF protection and thus perform any actions the legitimate user can perform, as well as read data which the user can access.
  - WP Security recommendation: immediately upgrade to version 7.10.43 to fix the vulnerability.
- YOP Poll
  - Cross-Site Scripting (XSS) reported by Tim Coen. The YOP Poll WordPress plugin is vulnerable to reflected XSS as it echoes the poll_id parameter without proper encoding. Successful exploitation allows an attacker to execute JavaScript in the context of the application in the name of an attacked user. This in turn enables an attacker to bypass CSRF protection and thus perform any actions the legitimate user can perform, as well as read data which the user can access.
  - WP Security recommendation: immediately upgrade to version 6.0.3 to fix the vulnerability.
- WP Live Chat Support
  - Cross-Site Scripting (XSS) reported by Tim Coen. The WP Live Chat Support WordPress plugin is vulnerable to reflected XSS as it echoes the term parameter without proper encoding. Successful exploitation allows an attacker to execute JavaScript in the context of the application in the name of an attacked user. This in turn enables an attacker to bypass CSRF protection and thus perform any actions the legitimate user can perform, as well as read data which the user can access.
  - WP Security recommendation: immediately upgrade to version 8.0.18 to fix the vulnerability.
- Abandoned Cart Lite for WooCommerce
  - Stored Cross-Site Scripting (XSS) reported by Ryan Dewhurst. A lack of sanitization on both input and output allows attackers to inject malicious JavaScript payloads into various data fields, which will execute when a logged-in user with administrator privileges views the list of abandoned carts from their WordPress dashboard.
  - WP Security recommendation: immediately upgrade to version 5.2.0 to fix the vulnerability.
- SG Optimizer
  - Unauthenticated File Upload reported by Ryan Dewhurst. This plugin is designed to link WordPress with the SiteGround Performance services. A successful attack on the SiteGround Optimizer would allow bad actors to store backdoors on vulnerable sites.
  - WP Security recommendation: immediately upgrade to version 5.0.13 to fix the vulnerability.
- WP Fastest Cache
  - Unauthenticated Arbitrary File Deletion reported by Sebastian Neef. The bug is only exploitable if another plugin, WP Postratings, is installed and at least one rateable post or page exists! Furthermore, the WordPress site must have a "pretty" URL scheme configured, e.g. /data/title/ or so.
  - WP Security recommendation: immediately upgrade to version 0.8.9.1 to fix the vulnerability.
- NextScripts: Social Networks Auto-Poster
  - Cross-Site Scripting (XSS) reported by Tim Coen. The Social Networks Auto-Poster WordPress plugin is vulnerable to reflected XSS as it echoes the item parameter without proper encoding. Successful exploitation allows an attacker to execute JavaScript in the context of the application in the name of an attacked user. This in turn enables an attacker to bypass CSRF protection and thus perform any actions the legitimate user can perform, as well as read data which the user can access.
  - WP Security recommendation: immediately upgrade to version 4.2.8 to fix the vulnerability.
- Easy WP SMTP
  - Unauthenticated Arbitrary wp_options Import reported by Jerome Bruandet (NinTechNet). It appears that an unauthenticated user can import arbitrary wp_options by providing a PHP serialized array in $_POST["swpsmtp_import_settings"]. This can be used to enable new user registrations and set the default role for new users to 'administrator'.
  - WP Security recommendation: immediately upgrade to version 9.1.2 to fix the vulnerability.
Protect your WordPress: BEFORE IT'S TOO LATE! You will also protect your customers, your reputation and your online business!
The following WordPress plugin vulnerabilities are extremely dangerous, since the affected plugins have active installations in the millions OR the reported vulnerabilities were never patched. The potential risk goes up each day as more malicious actors learn about these vulnerabilities. Most of the plugins in this group are form generators.
- Smart Forms – Calculated Fields, Form Builder, Easy To Use
  - Cross-Site Request Forgery (CSRF) reported by Toshiharu Sugiyama. Cross-site request forgery (CSRF) vulnerability in Smart Forms 2.6.15 and earlier allows remote attackers to hijack the authentication of administrators via a specially crafted page.
  - WP Security recommendation: immediately upgrade to version 2.6.16 to fix the vulnerability or consider owl CONTACTS as a more secure replacement candidate.
- Contact Form Email
  - Multiple Cross-Site Scripting (XSS) & CSRF reported by Tim Coen. The Contact Form Email WordPress plugin is vulnerable to reflected XSS as it echoes the item parameter without proper encoding.
  - WP Security recommendation: immediately upgrade to version 1.2.66 to fix the vulnerability or consider owl CONTACTS as a more secure replacement candidate.
- Caldera Forms Pro
  - Unauthenticated Arbitrary File Read reported by Ryan Dewhurst. The Caldera Forms Pro vulnerability would allow attackers to read arbitrary files such as wp-config.php and leak database access credentials.
  - WP Security recommendation: immediately upgrade to version 1.8.2 to fix the vulnerability or consider owl CONTACTS as a more secure replacement candidate.
- gracemedia-media-player
  - Local File Inclusion (LFI) reported by Manuel Garcia Cardenas. The vulnerability can be exploited simply by interacting with the application over version 1.0 of the HTTP protocol. Public defacement, confidential data leakage, and database server compromise can result from these attacks. Client systems can also be targeted, and complete compromise of those client systems is also possible.
  - WP Security recommendation: immediately remove THIS plugin to avoid the vulnerability. This plugin was closed on Mar 17, 2019 and is no longer available for download. Last updated: 6 years ago!
- font-organizer
  - Cross-Site Scripting (XSS) reported by Tim Coen. The Font_Organizer WordPress plugin is vulnerable to reflected XSS as it echoes the manage_font_id parameter without proper encoding. Successful exploitation allows an attacker to execute JavaScript in the context of the application in the name of an attacked user. This in turn enables an attacker to bypass CSRF protection and thus perform any actions the legitimate user can perform, as well as read data which the user can access.
  - WP Security recommendation: immediately remove THIS plugin to avoid the vulnerability. This plugin was closed on March 18, 2019 and is no longer available for download. Last updated: 2 years ago!
- Page Builder: KingComposer – Free Drag and Drop page builder by King-Theme
  - Cross-Site Scripting (XSS) reported by Tim Coen. The KingComposer WordPress plugin is vulnerable to reflected XSS as it echoes the id parameter without proper encoding. Successful exploitation allows an attacker to execute JavaScript in the context of the application in the name of an attacked user. This in turn enables an attacker to bypass CSRF protection and thus perform any actions the legitimate user can perform, as well as read data which the user can access.
  - WP Security recommendation: immediately remove THIS plugin to avoid the vulnerability. Last updated: 3 weeks ago!
- FormCraft – Contact Form Builder for WordPress
  - Cross-Site Request Forgery (CSRF) reported by Masaki Saito of TDU Cryptography Lab. Unintended operations may be performed if a user logs into the WordPress administration screen and browses a malicious page. Those operations may include generating new forms, inserting JavaScript code to existing forms, and deleting existing forms.
  - WP Security recommendation: immediately upgrade to version 1.2.2 to fix the vulnerability or consider owl CONTACTS as a more secure replacement candidate.
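The same defect recurs in most of the XSS entries in both lists above: a request parameter echoed into admin HTML without encoding. As an added illustration, not code from any plugin named in this bulletin, the PHP below shows that vulnerable pattern beside a hardened WordPress handler that also carries the nonce and capability checks whose absence underlies the CSRF entries. The plugin slug `example-quiz`, the function names and the meta key are hypothetical; the parameter name `quiz_id` is borrowed from the first entry.

```php
<?php
// Added example (not from any plugin in this bulletin). Hypothetical plugin
// slug "example-quiz"; quiz_id mirrors the first entry above.

// VULNERABLE: the raw query-string value is written straight into the page.
// Any markup an attacker places in quiz_id is rendered and runs in the
// browser of the administrator who opens the link (reflected XSS).
function example_quiz_edit_page_vulnerable() {
    $quiz_id = $_GET['quiz_id'];
    echo '<input type="hidden" name="quiz_id" value="' . $quiz_id . '">';
    echo '<h2>Editing quiz ' . $quiz_id . '</h2>';
}

// HARDENED: check capability first, cast the id to the integer it is meant
// to be, and escape for the HTML context at the moment of output.
function example_quiz_edit_page_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example-quiz' ) );
    }
    // absint() reduces "7<script>..." to 7 and anything non-numeric to 0.
    $quiz_id = isset( $_GET['quiz_id'] ) ? absint( wp_unslash( $_GET['quiz_id'] ) ) : 0;
    if ( 0 === $quiz_id ) {
        wp_die( esc_html__( 'Invalid quiz id.', 'example-quiz' ) );
    }
    // Attribute context uses esc_attr(); element text uses esc_html().
    echo '<input type="hidden" name="quiz_id" value="' . esc_attr( $quiz_id ) . '">';
    echo '<h2>' . esc_html( sprintf( 'Editing quiz %d', $quiz_id ) ) . '</h2>';
    // A per-action nonce ties the form to this logged-in session, so a
    // request forged from an attacker-controlled page does not carry it.
    wp_nonce_field( 'example_quiz_save_' . $quiz_id, 'example_quiz_nonce' );
}

// State-changing handler: verify capability and nonce before touching data,
// and sanitize every field that is stored rather than trusting the client.
function example_quiz_save_handler() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'example-quiz' ) );
    }
    $quiz_id = isset( $_POST['quiz_id'] ) ? absint( wp_unslash( $_POST['quiz_id'] ) ) : 0;
    // check_admin_referer() dies with a 403 if the nonce is missing or stale.
    check_admin_referer( 'example_quiz_save_' . $quiz_id, 'example_quiz_nonce' );
    $title = isset( $_POST['title'] ) ? sanitize_text_field( wp_unslash( $_POST['title'] ) ) : '';
    update_post_meta( $quiz_id, '_example_quiz_title', $title );
    wp_safe_redirect( admin_url( 'admin.php?page=example-quiz&quiz_id=' . $quiz_id ) );
    exit;
}
add_action( 'admin_post_example_quiz_save', 'example_quiz_save_handler' );
```

The stored-XSS and settings-import entries above fail on the same principle in the other direction: data read back from the database or from a POSTed blob must be escaped on output and validated against an allowlist before being written, never unserialized or echoed as received.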