WP Security: plugin vulnerabilities September


For your WP Security, be informed about the latest vulnerabilities in WP plugins:

  1. Participants Database
    • Cross site scripting (XSS) reported by Benjamin Lim (https://limbenjamin.com). Exploit allows attackers to inject arbitrary Javascript via the Name parameter.
      • immediately update to version to fix vulnerability
  2. Display Widgets
    • Backdoored reported by Jonas Lejon (https://wpscans.com). New plugin owner started adding tracking code and hacking code. The Display Widgets Plugin v2.6.3.1 has been removed from the plugin repository.
      • immediately REMOVE (or REPLACE) this plugin to fix vulnerability
  3. SmokeSignal
    • Authenticated Stored XSS reported by Paul Dannewitz https://mobile.twitter.com/padannewitz. Messages aren’t sanitized before they are displayed, so it’s possible to inject “script tags” for example. Low-privileged accounts like subscribers can write message too.
      • immediately update to version 1.2.6 to fix vulnerability
  4. WP Like Post
    • Authenticated SQL Injection reported by Paul Dannewitz https://mobile.twitter.com/padannewitz. It’s possible to inject SQL via several points (Client-IP Header for example) when using the [gs_lp_like_post] shortcode. A low-privileged account is necessary for this; subscriber is enough.
      • immediately update to version 1.5.2 to fix vulnerability
  5. SQL Shortcode
    • Authenticated SQL Execution reported by Paul Dannewitz https://mobile.twitter.com/padannewitz. It’s not an SQL injection actually, it’s just executing SQL with an account as low-privileged as a subscriber. Execute whatever SQL you want to execute.
      • immediately update to version 1.1 to fix vulnerability
  6. Responsive Image Gallery
    • Authenticated SQL Injection reported by Dewhurst Security. To exploit the vulnerability only is needed use the version 1.0 of the HTTP protocol to interact with the application. It is possible to inject SQL code.
      • immediately update to version 1.2.0 to fix vulnerability
  7. VaultPress
    • Unauthenticated RCE reported by Slavco (https://medium.com/websec). There are 2 methods via openssl PHP extension and hash_hmac signing. Both implementations were vulnerable => we have working RCE towards vaultpress protected WP instance.
      • immediately update to version 1.9.1 to fix vulnerability
  8. Content Audit
    • Cross-Site Scripting (XSS) & CSRF reported by Dewhurst Security. The plugin contains an admin_ajax action which is not protected with a nonce. One of the values submitted appears unescaped on the list of pages. CSRF/XSS in Content Audit allowing an unauthenticated attacker to do almost anything an admin can.
      • immediately update to version 1.9.2 to fix vulnerability
  9. Basic Contact Form
    • Potential Unauthenticated Shell Upload reported by Paul Dannewitz (twitter.com/padannewitz). Uploading attachments in the contact form allows running any kind of PHP code depending on the server config.
      • immediately update to version 1.0.3 to fix vulnerability
  10. MarketPress
    • PHP Object Injection reported by Robert R (twitter.com/@iamlei). The MarketPress plugin versions 3.2.6 and prior are vulnerable to a PHP Object Injection attack from the cart cookie value stored in connection with this plugin.
      • immediately update to version 3.2.6 to fix vulnerability
  11. 2kb Amazon Affiliates Store
    • Authenticated Cross-Site Scripting (XSS) reported by Dewhurst Security. The plugin fails to sufficiently sanitize user-supplied data. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This may allow the attacker to steal cookie-based authentication credentials and to launch other attacks.
      • immediately update to version 2.1.1 to fix vulnerability
  12. BackWPup
    • Backup File Download reported by Dewhurst Security. There is a weakness in the way BackWPup creates and stores the backup files it generates. It creates a random string to obscure the location, but it uses that same string to create the storage directory under wp-content/uploads/ which in most installations of WordPress allows file listings.
      • immediately update to version 3.4.1 to fix vulnerability
  13. Student Result or Employee Database
    • Auth Bypass reported by Benjamin Lim (limbenjamin.com). Vulnerability allows unauthenticated attackers to update or delete student records with knowledge of only the student id number.
      • immediately update to version 1.6.3 to fix vulnerability

Protect your WordPress: BEFORE IT’S TOO LATE! You will also protect your customers, your reputation and your online business!

Related Posts


error: Alert: owlpower.eu is protected!