WP Security: 31 plugin vulnerabilities in May 2019

WP Security bulletin – May 2019

At your next scheduled WordPress maintenance, be advised, for your WP Security, about the latest 31 vulnerabilities in WordPress plugins identified and publicly reported in May 2019. Now that these vulnerabilities are disclosed, running one (or more) of these outdated plugins puts your site(s) at risk of serious WordPress breaches.


  • My Calendar
    • Unauthenticated Cross-Site Scripting (XSS) reported by Andreas Hell and Joe Dolson. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
    • WP Security recommendation: immediately upgrade to version 3.1.10 to fix the vulnerability.

  • All-in-One Event Calendar
    • Cross-Site Scripting (XSS) reported by Ryan Dewhurst. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
    • WP Security recommendation: immediately upgrade to version 2.5.39 to fix the vulnerability.

  • Ninja Forms File Uploads Extension
    • Unauthenticated Arbitrary File Upload reported by Jasper Weijts, Onvio. Path Traversal and Unrestricted File Upload exist in the Ninja Forms plugin before 3.0.23 for WordPress (when the Uploads add-on is activated). This allows an attacker to traverse the file system to access files and execute code via the includes/fields/upload.php (aka upload/submit page) name and tmp_name parameters.
    • WP Security recommendation: immediately upgrade to version 3.0.23 to fix the vulnerability.

  • Custom Field Suite
    • Authenticated Cross-Site Scripting (XSS) reported by Ryan Dewhurst. A cross-site scripting (XSS) vulnerability in the Custom Field Suite plugin allows attackers to inject arbitrary web script or HTML via the field name parameter.
    • WP Security recommendation: immediately upgrade to version 2.5.15 to fix the vulnerability.

  • Register IPs
    • Unauthenticated Stored Cross-Site Scripting (XSS) reported by Ryan Dewhurst. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
    • WP Security recommendation: immediately upgrade to version 1.8.1 to fix the vulnerability.

  • WP Live Chat Support
    • Unauthenticated Stored XSS reported by John Castro (Sucuri.net). Unauthenticated persistent cross-site scripting (XSS) affecting the 60,000+ users of the WP Live Chat Support WordPress plugin.
    • WP Security recommendation: immediately upgrade to version 8.0.27 to fix the vulnerability.

  • WPGraphQL
    • Multiple Vulnerabilities reported by Simone Quatrini. Without authorisation, weak access controls allow an unauthenticated attacker to:
      * Create administrative users
      * Post comments on articles, bypassing article restrictions and global moderation
      * Retrieve the content of password-protected posts/articles/pages
      * Retrieve the full list of registered users on the platform
      * Retrieve the full list of media, comments, themes and plugins with one simple request
    • WP Security recommendation: immediately upgrade to version 0.3.0 to fix the vulnerability.

Our only security is our ability to change. ~ John Lilly


  • Form Maker by 10Web
    • Authenticated SQL Injection reported by Daniele Scanu. In the Form Maker plugin before 1.13.3 for WordPress, it’s possible to achieve SQL injection in the function get_labels_parameters in the file form-maker/admin/models/Submissions_fm.php with a crafted value of the asc_or_desc parameter.
    • WP Security recommendation: immediately upgrade to version 1.13.3 to fix the vulnerability, or consider owl CONTACTS as a more secure replacement candidate.

  • Hostel Plugin
    • Unauthenticated Stored XSS reported by Admavidhya N. This vulnerability allows any user to inject JavaScript code, which is then executed on the admin side when the administrator visits the Bookings page.
    • WP Security recommendation: immediately upgrade to version 1.1.4 to fix the vulnerability.

  • WP Database Backup
    • Unauthenticated OS Command Injection reported by Ryan Dewhurst. In unpatched versions of WP Database Backup, an attacker is able to inject arbitrary operating system (OS) commands, which are then executed when the plugin performs a database backup. Injected commands persist until manually removed, executing each time a backup is run.
    • WP Security recommendation: immediately upgrade to version 5.2 to fix the vulnerability.

  • WP Live Chat Support Pro
    • File Upload Bypass reported by Ryan Dewhurst. The WP Live Chat Support Pro plugin through 8.0.26 for WordPress contains an arbitrary file upload vulnerability. This results from an incomplete patch for CVE-2018-12426. Arbitrary file upload is achieved by using a non-blacklisted executable file extension in conjunction with a whitelisted file extension, and prepending “magic bytes” to the payload to pass MIME checks. Specifically, an unauthenticated remote user submits a crafted file upload POST request to the REST API remote_upload endpoint. The file contains data that will fool the plugin’s MIME check into classifying it as an image (which is a whitelisted file extension) and finally a trailing .phtml file extension.
    • WP Security recommendation: immediately upgrade to version 8.0.34 to fix the vulnerability.

  • Live Chat with Facebook Messenger
    • Stored XSS reported by The WPScan Team. The plugin saves the “ztb_domainid” option without authentication, and its value (which can contain arbitrary code) is embedded in every page.
    • WP Security recommendation: immediately upgrade to version 1.4.7 to fix the vulnerability.

  • WP Booking System
    • CSRF to Authenticated SQL Injection reported by Magnus K. Stubman. No CSRF nonces were present, so the authenticated SQL injection could be exploited by chaining it with the CSRF issue.
    • WP Security recommendation: immediately upgrade to version 1.5.2 to fix the vulnerability.

  • Slimstat
    • Unauthenticated Stored XSS from Visitors reported by Antony Garand. This vulnerability allows a visitor to inject arbitrary JavaScript code into the plugin’s access log functionality, which is visible both on the plugin’s access log page and on the admin dashboard index, the default page shown once you log in.
    • WP Security recommendation: immediately upgrade to version 4.8.1 to fix the vulnerability.

  • Blog Designer
    • Unauthenticated Stored Cross-Site Scripting (XSS) reported by Luka Sikic. Since the vulnerable function is loaded on every page that is part of the administrator interface, simply sending a POST request to /wp-admin/admin-ajax.php?action=save&updated=true triggers the plugin settings update function.
    • WP Security recommendation: immediately upgrade to version 1.8.11 to fix the vulnerability.
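The Blog Designer and Live Chat with Facebook Messenger entries share one root cause: a settings write reachable without a nonce or a capability check. The following is an added example, not code from either plugin, showing that pattern beside the hardened WordPress idiom; the plugin prefix myplugin and the option name myplugin_settings are hypothetical.

```php
<?php
// Added example, not Blog Designer's own code. Plugin prefix 'myplugin' and the
// option name 'myplugin_settings' are hypothetical.

// Vulnerable pattern: hooked on admin_init, which also fires for admin-ajax.php,
// where no login is required. Any POST carrying ?action=save&updated=true rewrites
// the option, and the raw value is later echoed into admin pages (stored XSS).
function myplugin_save_settings_unsafe() {
    if ( isset( $_REQUEST['action'], $_REQUEST['updated'] ) && 'save' === $_REQUEST['action'] ) {
        update_option( 'myplugin_settings', isset( $_POST['settings'] ) ? wp_unslash( $_POST['settings'] ) : '' );
    }
}
// add_action( 'admin_init', 'myplugin_save_settings_unsafe' );   // do not use

// Hardened pattern: a dedicated AJAX action registered only for logged-in users
// (wp_ajax_, not wp_ajax_nopriv_), a nonce bound to that action, an explicit
// capability check, and sanitization before the value is stored.
function myplugin_save_settings() {
    check_ajax_referer( 'myplugin_save_settings', 'nonce' ); // exits with 403 on a missing or invalid nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $settings = isset( $_POST['settings'] ) ? sanitize_text_field( wp_unslash( $_POST['settings'] ) ) : '';
    update_option( 'myplugin_settings', $settings );
    wp_send_json_success();
}
add_action( 'wp_ajax_myplugin_save_settings', 'myplugin_save_settings' );

// The settings form must emit the matching nonce field, and every place that
// prints the option must still escape it, e.g. esc_html( get_option( 'myplugin_settings' ) ).
// wp_nonce_field( 'myplugin_save_settings', 'nonce' );
```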
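For the WP Live Chat Support Pro bypass (a whitelisted image extension, magic bytes for the MIME check, and a trailing .phtml), the defence is to judge a file by its last extension and never by its content alone. The following upload validator is an added example, not the plugin's code; the function name is hypothetical and $file is assumed to be one entry of $_FILES.

```php
<?php
// Added example, not the Live Chat plugin's code. Returns the safe name to store
// the file under, or a WP_Error. $file is one entry of $_FILES (hypothetical).
function myplugin_validate_image_upload( array $file ) {
    // Allowlist keyed by extension; everything else, including .phtml, is denied.
    $allowed = array( 'jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg', 'png' => 'image/png', 'gif' => 'image/gif' );

    // 1. Judge the name by its LAST extension, which is the one the web server
    //    maps to a handler; a 'jpg' buried in 'photo.jpg.phtml' earns nothing.
    //    Requiring exactly one dot removes the double-extension trick outright.
    $name = sanitize_file_name( $file['name'] );
    if ( '' === $name || 1 !== substr_count( $name, '.' ) ) {
        return new WP_Error( 'bad_name', 'File name must have exactly one extension.' );
    }
    $ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    if ( ! isset( $allowed[ $ext ] ) ) {
        return new WP_Error( 'bad_ext', 'Only jpg, jpeg, png and gif are accepted.' );
    }

    // 2. Content check as a second, independent gate. Magic bytes are attacker
    //    controlled, so passing this never relaxes rule 1. wp_check_filetype_and_ext()
    //    returns ext/type false, or a corrected ext, when the bytes and the
    //    declared extension cannot be reconciled.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $name, $allowed );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) || $check['ext'] !== $ext ) {
        return new WP_Error( 'mismatch', 'File content does not match its extension.' );
    }

    // 3. Never store under the user-supplied name: a random basename plus the
    //    vetted extension leaves nothing in the name for the uploader to choose.
    return wp_generate_password( 16, false ) . '.' . $ext;
}
```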

Protect your WordPress: BEFORE IT’S TOO LATE! You will also protect your customers, your reputation and your online business!

The following WordPress plugin vulnerabilities are extremely dangerous since the active installations are in the millions OR the reported vulnerabilities were never patched. The potential risk goes up each day as more and more bad intended persons find out about these vulnerabilities.



Do you have any concerns with WP Security? Leave your thoughts in the comments below!
Publisher
owl power EUROPE