WP Security: Plugin Vulnerabilities September

By Csaba, Miklós WP Security WP SERVICES 1 October 2017

For your WP Security, be informed about the latest vulnerabilities in WP plugins:

Participants Database
- Cross site scripting (XSS) reported by Benjamin Lim (https://limbenjamin.com). Exploit allows attackers to inject arbitrary Javascript via the Name parameter.
Display Widgets
- Backdoored reported by Jonas Lejon (https://wpscans.com). New plugin owner started adding tracking code and hacking code. The Display Widgets Plugin v2.6.3.1 has been removed from the plugin repository.
SmokeSignal
- Authenticated Stored XSS reported by Paul Dannewitz https://mobile.twitter.com/padannewitz. Messages aren't sanitized before they are displayed, so it's possible to inject "script tags" for example. Low-privileged accounts like subscribers can write message too.
WP Like Post
- Authenticated SQL Injection reported by Paul Dannewitz https://mobile.twitter.com/padannewitz. It's possible to inject SQL via several points (Client-IP Header for example) when using the [gs_lp_like_post] shortcode. A low-privileged account is necessary for this; subscriber is enough.
SQL Shortcode
- Authenticated SQL Execution reported by Paul Dannewitz https://mobile.twitter.com/padannewitz. It's not an SQL injection actually, it's just executing SQL with an account as low-privileged as a subscriber. Execute whatever SQL you want to execute.
Responsive Image Gallery
- Authenticated SQL Injection reported by Dewhurst Security. To exploit the vulnerability only is needed use the version 1.0 of the HTTP protocol to interact with the application. It is possible to inject SQL code.
VaultPress
- Unauthenticated RCE reported by Slavco (https://medium.com/websec). There are 2 methods via openssl PHP extension and hash_hmac signing. Both implementations were vulnerable => we have working RCE towards vaultpress protected WP instance.
Content Audit
- Cross-Site Scripting (XSS) & CSRF reported by Dewhurst Security. The plugin contains an admin_ajax action which is not protected with a nonce. One of the values submitted appears unescaped on the list of pages. CSRF/XSS in Content Audit allowing an unauthenticated attacker to do almost anything an admin can.
Basic Contact Form
- Potential Unauthenticated Shell Upload reported by Paul Dannewitz (twitter.com/padannewitz). Uploading attachments in the contact form allows running any kind of PHP code depending on the server config.
MarketPress
- PHP Object Injection reported by Robert R (twitter.com/@iamlei). The MarketPress plugin versions 3.2.6 and prior are vulnerable to a PHP Object Injection attack from the cart cookie value stored in connection with this plugin.
2kb Amazon Affiliates Store
- Authenticated Cross-Site Scripting (XSS) reported by Dewhurst Security. The plugin fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
BackWPup
- Backup File Download reported by Dewhurst Security. There is a weakness in the way BackWPup creates and stores the backup files it generates. It creates a random string to obscure the location, but it uses that same string to create the storage directory under wp-content/uploads/ which in most installations of WordPress allows file listings.
Student Result or Employee Database
- Auth Bypass reported by Benjamin Lim (limbenjamin.com). Vulnerability allows unauthenticated attackers to update or delete student records with knowledge of only the student id number.