WP Security bulletin - May 2019
At your next scheduled WordPress maintenance, review the 31 vulnerabilities in WordPress plugins that were identified and publicly reported in May 2019. Because these vulnerabilities are now public, running one (or more) of these outdated plugins puts your site(s) at risk of a serious WordPress breach.
- My Calendar
- Unauthenticated Cross-Site Scripting (XSS) reported by Andreas Hell and Joe Dolson. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
- WP Security recommendation: immediately upgrade to version 3.1.10 to fix the vulnerability.
- All-in-One Event Calendar
- Cross-Site Scripting (XSS) reported by Ryan Dewhurst. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
- WP Security recommendation: immediately upgrade to version 2.5.39 to fix the vulnerability.
- Ninja Forms File Uploads Extension
- Unauthenticated Arbitrary File Upload reported by Jasper Weijts, Onvio. Path Traversal and Unrestricted File Upload exists in the Ninja Forms plugin before 3.0.23 for WordPress (when the Uploads add-on is activated). This allows an attacker to traverse the file system to access files and execute code via the includes/fields/upload.php (aka upload/submit page) name and tmp_name parameters.
- WP Security recommendation: immediately upgrade to version 3.0.23 to fix the vulnerability.
- Custom Field Suite
- Authenticated Cross-Site Scripting (XSS) reported by Ryan Dewhurst. A cross-site scripting (XSS) vulnerability in the Custom Field Suite plugin allows attackers to inject arbitrary web script or HTML via the field name parameter.
- WP Security recommendation: immediately upgrade to version 2.5.15 to fix the vulnerability.
- Register IPs
- Unauthenticated Stored Cross-Site Scripting (XSS) reported by Ryan Dewhurst. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
- WP Security recommendation: immediately upgrade to version 1.8.1 to fix the vulnerability.
- WP Live Chat Support
- Unauthenticated Stored XSS reported by John Castro (Sucuri.net). Unauthenticated Persistent Cross-Site Scripting (XSS) affecting 60,000+ users of the WP Live Chat Support WordPress plugin.
- WP Security recommendation: immediately upgrade to version 8.0.27 to fix the vulnerability.
- WPGraphQL
- Multiple Vulnerabilities reported by Simone Quatrini. Without authorisation, weak access controls allow an unauthenticated user to:
* Create administrative users
* Post comments on articles bypassing article restrictions and global moderation
* Retrieve content of password-protected posts/articles/pages
* Retrieve full list of registered users in the platform
* Retrieve full list of media, comments, themes and plugins with one simple request
- WP Security recommendation: immediately upgrade to version 0.3.0 to fix the vulnerability.
Our only security is our ability to change. ~ John Lilly
- Form Maker by 10Web
- Authenticated SQL Injection reported by Daniele Scanu. In the Form Maker plugin before 1.13.3 for WordPress, it's possible to achieve SQL injection in the function get_labels_parameters in the file form-maker/admin/models/Submissions_fm.php with a crafted value of the asc_or_desc parameter.
- WP Security recommendation: immediately upgrade to version 1.13.3 to fix the vulnerability or consider owl CONTACTS as a more secure replacement candidate.
- Hostel Plugin
- Unauthenticated Stored XSS reported by Admavidhya N. This vulnerability allows any user to inject JavaScript code, which is executed on the admin side when an administrator visits the Bookings page.
- WP Security recommendation: immediately upgrade to version 1.1.4 to fix the vulnerability.
- WP Database Backup
- Unauthenticated OS Command Injection reported by Ryan Dewhurst. In unpatched versions of WP Database Backup, an attacker is able to inject operating system (OS) commands arbitrarily, which are then executed when the plugin performs a database backup. Injected commands would persist until manually removed, executing each time a backup is run.
- WP Security recommendation: immediately upgrade to version 5.2 to fix the vulnerability.
- WP Live Chat Support Pro
- File Upload Bypass reported by Ryan Dewhurst. The WP Live Chat Support Pro plugin through 8.0.26 for WordPress contains an arbitrary file upload vulnerability. This results from an incomplete patch for CVE-2018-12426. Arbitrary file upload is achieved by using a non-blacklisted executable file extension in conjunction with a whitelisted file extension, and prepending "magic bytes" to the payload to pass MIME checks. Specifically, an unauthenticated remote user submits a crafted file upload POST request to the REST API remote_upload endpoint. The file contains data that will fool the plugin's MIME check into classifying it as an image (which is a whitelisted file extension) and finally a trailing .phtml file extension.
- WP Security recommendation: immediately upgrade to version 8.0.34 to fix the vulnerability.
- Live Chat with Facebook Messenger
- Stored XSS reported by The WPScan Team. Saves the "ztb_domainid" option without authentication, with any content that is then embedded in every page.
- WP Security recommendation: immediately upgrade to version 1.4.7 to fix the vulnerability.
- WP Booking System
- CSRF to Authenticated SQL Injection reported by Magnus K. Stubman. No CSRF nonces were present, so the SQL injection could be exploited by chaining it with the CSRF issue.
- WP Security recommendation: immediately upgrade to version 1.5.2 to fix the vulnerability.
- Slimstat
- Unauthenticated Stored XSS from Visitors reported by Antony Garand. This vulnerability allows a visitor to inject arbitrary JavaScript code into the plugin's access log functionality, which is visible both on the plugin's access log page and on the admin dashboard index, the default page shown once you log in.
- WP Security recommendation: immediately upgrade to version 4.8.1 to fix the vulnerability.
- Blog Designer
- Unauthenticated Stored Cross-Site Scripting (XSS) reported by Luka Sikic. Since the vulnerable function is being loaded on every page that is part of the administrator interface, simply sending a POST request to /wp-admin/admin-ajax.php?action=save&updated=true will trigger the plugin settings update function.
- WP Security recommendation: immediately upgrade to version 1.8.11 to fix the vulnerability.
Protect your WordPress: BEFORE IT'S TOO LATE! You will also protect your customers, your reputation and your online business!
The following WordPress plugin vulnerabilities are extremely dangerous, since the active installations number in the millions OR the reported vulnerabilities were never patched. The potential risk increases each day as more malicious actors learn about these vulnerabilities.
- Virim
- Unauthenticated Object Injection reported by Magnus K. Stubman. The Virim plugin 0.4 for WordPress allows Insecure Deserialization via s_values, t_values, or c_values in graph.php.
- WP Security recommendation: immediately remove THIS plugin to avoid the vulnerability. This plugin was closed on May 22, 2019 and is no longer available for download.
- Newsletter Manager
- Unauthenticated Open Redirect reported by posix. A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
- WP Security recommendation: immediately remove THIS plugin to avoid the vulnerability. This plugin was closed on May 20, 2019 and is no longer available for download.
- Slick Popup
- Privilege Escalation reported by Ryan Dewhurst. Subscriber users are able to create an administrator account with hardcoded login credentials.
- WP Security recommendation: immediately remove THIS plugin to avoid the vulnerability. This plugin was closed on May 28, 2019 and is no longer available for download.
- Simple File List Plugin
- Unauthenticated Arbitrary File Download reported by Admavidhya N. This vulnerability allows any user to download sensitive information by traversing the path.
- WP Security recommendation: immediately upgrade to version 3.2.5 to fix the vulnerability.
- Simple File List Plugin
- Authenticated Arbitrary File Delete reported by Admavidhya N. Arbitrary File Delete exists in Simple File List Plugin v3.2.4 or below.
- WP Security recommendation: immediately upgrade to version 3.2.5 to fix the vulnerability.
- Event Management Tickets Booking By Event Monster
- Stored XSS reported by Admavidhya N. Bug fix: vulnerability fix in registration form.
- WP Security recommendation: immediately upgrade to version 1.0.6 to fix the vulnerability.
- Carts Guru
- Unauthenticated Object Injection reported by Magnus K. Stubman. The Carts Guru plugin 1.4.5 for WordPress allows Insecure Deserialization via a cartsguru-source cookie to classes/wc-cartsguru-event-handler.php.
- WP Security recommendation: immediately upgrade to version 1.4.6 to fix the vulnerability.
- Popup Plugin For WordPress - ConvertPlus
- Unauthenticated Arbitrary User Role Creation reported by the Wordfence Threat Intelligence Team. This flaw allowed unauthenticated attackers to register new accounts with arbitrary user roles, up to and including Administrator accounts.
- WP Security recommendation: immediately upgrade to version 3.4.4 to fix the vulnerability.
- KingComposer
- Authenticated Stored XSS reported by Luigi (gubello.me/blog/). A user with Contributor or Author privileges can inject arbitrary JavaScript code in a KC section. When an admin or editor opens the malicious KC section, the arbitrary JS code runs.
- WP Security recommendation: immediately upgrade to version 2.8.2 to fix the vulnerability.
- W3 Total Cache
- Cross-Site Scripting (XSS) reported by Thomas Chauchefoin. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
- WP Security recommendation: immediately upgrade to version 0.9.7.4 to fix the vulnerability.
- W3 Total Cache
- SSRF / RCE via phar reported by Thomas Chauchefoin. The implementation of `opcache_flush_file` calls `file_exists` with a parameter fully controlled by the user.
- WP Security recommendation: immediately upgrade to version 0.9.7.4 to fix the vulnerability.
- W3 Total Cache
- Cryptographic Signature Bypass reported by Thomas Chauchefoin. The return value of `openssl_verify` is not properly validated, which allows the cryptographic check to be bypassed.
- WP Security recommendation: immediately upgrade to version 0.9.7.4 to fix the vulnerability.
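The `openssl_verify` pitfall behind this entry, as an added example (PHP, illustrative code and not W3 Total Cache's own): the function returns 1, 0 or -1/false, so a truthiness check treats the error value -1 as a valid signature. The `signature_ok_weak` and `signature_ok_strict` names are ours, and the RSA key pair is generated inside the block.

```php
<?php
// Added illustrative example, not code from W3 Total Cache.
// openssl_verify() is tri-state: 1 = signature valid, 0 = signature invalid,
// -1 (or false in newer PHP) = an error occurred before verification finished.
// A truthiness test accepts -1, so an error path looks like a verified signature.

// Weak pattern: any non-zero, non-false return is treated as success.
function signature_ok_weak(string $data, string $sig, $pubkey): bool
{
    $r = openssl_verify($data, $sig, $pubkey, OPENSSL_ALGO_SHA256);
    return $r ? true : false;   // -1 is truthy -> bypass on error
}

// Hardened pattern: only the exact success value passes; errors fail closed.
function signature_ok_strict(string $data, string $sig, $pubkey): bool
{
    $r = openssl_verify($data, $sig, $pubkey, OPENSSL_ALGO_SHA256);
    if ($r === 1) {
        return true;
    }
    if ($r !== 0) {   // -1 or false: not "invalid" but "could not verify"
        error_log('openssl_verify error: ' . (openssl_error_string() ?: 'unknown'));
    }
    return false;
}

// How each pattern classifies every value openssl_verify() can return.
foreach ([1, 0, -1, false] as $r) {
    printf("return=%-5s weak=%-5s strict=%s\n",
        var_export($r, true),
        var_export($r ? true : false, true),
        var_export($r === 1, true));
}

// End-to-end check with a key pair constructed here for the demo.
$priv = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
$pub = openssl_pkey_get_details($priv)['key'];
openssl_sign('plugin-update.zip', $sig, $priv, OPENSSL_ALGO_SHA256);

var_dump(signature_ok_strict('plugin-update.zip', $sig, $pub));
var_dump(signature_ok_strict('tampered-update.zip', $sig, $pub));
```

The same strict comparison applies to any tri-state verification API: treat "could not verify" as a failure and log it, never as a pass.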
- FV Flowplayer Video Player
- Unauthenticated Stored XSS reported by WebARX Security. The vulnerable function is exposed to unauthenticated users via the `wp_ajax_nopriv_fv_wp_flowplayer_email_signup` AJAX hook. It saves anything the user provides in the `email` POST parameter.
- WP Security recommendation: immediately upgrade to version 7.3.14.727 to fix the vulnerability.
- FV Flowplayer Video Player
- SQL Injection reported by Ryan Dewhurst. The software constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component.
- WP Security recommendation: immediately upgrade to version 7.3.15.727 to fix the vulnerability.
- FV Flowplayer Video Player
- CSV Export Bypass reported by Ryan Dewhurst. Security fix: the email subscription CSV export capability was available to guest users.
- WP Security recommendation: immediately upgrade to version 7.3.15.727 to fix the vulnerability.
- Ultimate Member
- Multiple Vulnerabilities reported by Antony Garand (Sucuri). The Ultimate Member plugin version 2.0.45 and lower is affected by multiple vulnerabilities, among them a critical vulnerability allowing malicious users to read and delete your wp-config.php file, which can lead to a complete website takeover.
- WP Security recommendation: immediately upgrade to version 2.0.46 to fix the vulnerability.