WP Security bulletin – June 2019
At your next scheduled WordPress Maintenance, be advised for your WP Security about the latest 47 vulnerabilities in WordPress plugins identified and reported publicly in June 2019. Now that these vulnerabilities are disclosed, using one (or more) of these outdated plugins means you're risking serious WordPress breaches to your site(s).
- Download Manager
- Various Sanitisation Issues reported officially.
- WP Security recommendation: immediately upgrade to version 2.9.97 to fix the vulnerability.
- Easy Digital Downloads
- Stored XSS reported officially. Stored XSS (Cross Site Scripting) via the IP addresses in logs.
- WP Security recommendation: immediately upgrade to version 2.9.16 to fix the vulnerability.
- Affiliates Manager
- CSRF Issues reported officially. The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
- WP Security recommendation: immediately upgrade to version 2.6.6 to fix the vulnerability.
- Related YT Videos
- CSRF & XSS reported officially.
- WP Security recommendation: immediately upgrade to version 1.9.9 to fix the vulnerability.
- Finale WooCommerce Sale Countdown
- Arbitrary File Upload reported officially. The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product’s environment.
- WP Security recommendation: immediately upgrade to version 2.9.1 to fix the vulnerability.
- Breadcrumbs by menu
- Multiple Issues reported officially. XSS, CSRF leading to options update.
- WP Security recommendation: immediately upgrade to version 1.0.3 to fix the vulnerability.
- WP-Members
- Cross-Site Request Forgery (CSRF) reported by Akash Labade (s-labsecurity.com). No CSRF Protection on Add new Fields. Can also Edit and Delete fields the same way.
- WP Security recommendation: immediately upgrade to version 3.2.8.1 to fix the vulnerability.
- WebP Express
- Multiple Issues reported. Arbitrary File Viewing, CSRF, XSS, and Unauthorised Access. The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
- Authenticated Stored XSS reported by Akash Labade. The reported issue has been fixed in 0.14.5. Other sanitisation checks have been implemented in newer versions (such as 0.14.6 and 0.14.8) while the plugin was closed, so the fixed-in version is set to 0.14.8.
- WP Security recommendation: immediately upgrade to version 0.14.11 to fix the vulnerability.
- IP Address Blocker
- CSRF leading to Arbitrary File Upload reported. The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product’s environment.
- WP Security recommendation: immediately upgrade to version 10.5 to fix the vulnerability.
- Share This Image
- Stored XSS reported by Kishan Kumar. Stored XSS occurs when a web application gathers input from a user which might be malicious, and then stores that input in a data store for later use. The input that is stored is not correctly filtered.
- WP Security recommendation: immediately upgrade to version 1.20 to fix the vulnerability.
- Messenger Customer Chat
- CSRF reported. The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
- WP Security recommendation: immediately upgrade to version 1.3 to fix the vulnerability.
- SEO by Rank Math
- XSS Issues reported. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
- Authenticated Settings Reset reported. Allows any authenticated user (with a role as low as subscriber) to reset Settings of the plugin.
- WP Security recommendation: immediately upgrade to version 1.0.27 to fix the vulnerability.
- GA Backend Tracking
- XSS reported. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
- WP Security recommendation: immediately upgrade to version 1.2.1 to fix the vulnerability.
- Easy Pdf Restaurant Menu Upload
- XSS reported. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
- WP Security recommendation: immediately upgrade to version 1.2 to fix the vulnerability.
Our only security is our ability to change. ~ John Lilly
- Facebook for WooCommerce
- Cross-Site Request Forgery (CSRF) reported. The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
- WP Security recommendation: immediately upgrade to version 1.9.15 to fix the vulnerability.
- Shortlinks by Pretty Links
- Stored XSS and CSV Injection reported by Jerome Bruandet (nintechnet.com). In the “app/models/PrliUtils.php” script, the track_link() function retrieves some user input for statistical purposes: HTTP_REFERER, REQUEST_URI, HTTP_USER_AGENT and the user IP. But this data is neither validated nor sanitized.
- WP Security recommendation: immediately upgrade to version 2.1.10 to fix the vulnerability.
- Dropshix
- Arbitrary Product Import reported, due to lack of authorisation and CSRF checks in the AJAX function xoxImportItem().
- WP Security recommendation: immediately upgrade to version 4.0.14 to fix the vulnerability.
- Paid Memberships Pro
- Authenticated Open Redirect reported by Ryan Dewhurst. A web application accepts a user-controlled input that specifies a link to an external site, and uses that link in a Redirect. This simplifies phishing attacks.
- WP Security recommendation: immediately upgrade to version 2.0.6 to fix the vulnerability.
- Crelly Slider
- Arbitrary File Upload reported by NinTechNet. The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product’s environment.
- WP Security recommendation: immediately upgrade to version 1.3.5 to fix the vulnerability.
- User Submitted Posts
- Arbitrary File Upload reported by NinTechNet. The software allows the attacker to upload or transfer files of dangerous types that can be automatically processed within the product’s environment.
- WP Security recommendation: immediately upgrade to version 20190501 to fix the vulnerability.
- WP Statistics
- Authenticated Stored XSS reported by kuqadk3. The WP Statistics plugin through 12.6.5 for WordPress has stored XSS in includes/class-wp-statistics-pages.php. This is related to an account with the Editor role creating a post with a title that contains JavaScript, to attack an admin user.
- WP Security recommendation: immediately upgrade to version 12.6.6.1 to fix the vulnerability.
- Hustle
- CSV Injection Vulnerability reported by Mark Parfeniuk (REDdy Solutions). The Hustle (aka wordpress-popup) plugin 6.0.7 for WordPress is vulnerable to CSV Injection as it allows for injecting malicious code into a pop-up window. Successful exploitation grants an attacker with a right to execute malicious code on the administrator’s computer through Excel functions as the plugin does not sanitize the user’s input and allows insertion of any text.
- WP Security recommendation: immediately upgrade to version 6.0.8.1 to fix the vulnerability.
Protect your WordPress: BEFORE IT’S TOO LATE! You will also protect your customers, your reputation and your online business!
The following WordPress plugin vulnerabilities are extremely dangerous since the active installations are in the millions OR the reported vulnerabilities were never patched. The potential risk goes up each day as more and more ill-intentioned actors find out about these vulnerabilities.
- WP Google Maps
- Admin Settings CSRF reported publicly. The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
- WP Security recommendation: immediately REMOVE this plugin to avoid the vulnerability. This plugin was closed on July 5, 2019 and is no longer available for download.
- Real Estate Manager
- Lack of authorisation and CSRF checks in the AJAX function save_admin_settings() reported.
- WP Security recommendation: immediately REMOVE this plugin to avoid the vulnerability. This plugin was closed on May 9, 2019 and is no longer available for download.
- Support Board – Chat And Help Desk | Support & Chat
- Stored XSS reported by m0ze. Weak security measures, such as poor filtering of textarea data, have been discovered in «Support Board – Chat And Help Desk | Support & Chat».
- WP Security recommendation: immediately upgrade to version 1.2.9 to fix the vulnerability.
- Popup Plugin For WordPress – ConvertPlus
- Multiple Issues reported. A user with no role gets created on form submission via a curl request for variants. Improved sanitization, escaping and other security improvements were made.
- WP Security recommendation: immediately upgrade to version 3.4.5 to fix the vulnerability.
- Sina Extension For Elementor
- LFI reported. The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
- WP Security recommendation: immediately upgrade to version 2.2.1 to fix the vulnerability.
- Import users from CSV with meta
- XSS reported by lckjack. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
- CSRF leading to attachment deletion reported, via the acui_delete_attachment() AJAX function.
- WP Security recommendation: immediately upgrade to version 1.14.2.2 to fix the vulnerability.
- Deny All Firewall
- CSRF reported, leading to disabling of the plugin protection (rules in the .htaccess removed).
- WP Security recommendation: immediately upgrade to version 1.1.7 to fix the vulnerability.
- CP Contact Form with Paypal
- Multiple XSS reported. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
- WP Security recommendation: immediately upgrade to version 1.3.02 to fix the vulnerability.
- Custom 404 Pro
- Authenticated Reflected XSS reported. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
- WP Security recommendation: immediately upgrade to version 3.2.9 to fix the vulnerability.
- Advanced Woo Search
- CSRF & XSS reported. CSRF leading to XSS. Sanitisation against XSS was added in 1.70; however, no CSRF checks are performed.
- WP Security recommendation: immediately upgrade to version 1.70 to fix the vulnerability.
- Revamp CRM for WooCommerce
- LFI reported. The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
- WP Security recommendation: immediately upgrade to version 1.0.4 to fix the vulnerability.
- User Email Verification for WooCommerce
- CSRF leading to Option Update reported.
- WP Security recommendation: immediately upgrade to version 3.4.0 to fix the vulnerability.
- WP Ultimate Recipe
- Authenticated Stored XSS reported. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
- WP Security recommendation: immediately upgrade to version 3.12.7 to fix the vulnerability.
- Ads For WP
- Cross-Site Request Forgery (CSRF) reported. CSRF allowing an attacker to disconnect the linked Google Analytics from the plugin’s settings.
- WP Security recommendation: immediately upgrade to version 1.9 to fix the vulnerability.
- SAML SP Single Sign On
- Cross-Site Scripting (XSS) reported by Ryan Dewhurst. This exploit works by passing a crafted SAMLResponse and RelayState variable to https://domain/wp-login.php. It will then parse out the SAMLResponse message and, in the event that the SAML status is anything other than “Success”, the script will dump the contents of the expected parameter, so any HTML can be injected into this variable.
- WP Security recommendation: immediately upgrade to version 4.8.73 to fix the vulnerability.
- WP Better Permalinks
- CSRF allowing Option Update reported. The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
- WP Security recommendation: immediately upgrade to version 3.0.5 to fix the vulnerability.
- ACF Better Search
- Cross-Site Request Forgery (CSRF) reported. The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
- WP Security recommendation: immediately upgrade to version 3.3.1 to fix the vulnerability.
- WebP Converter for Media
- Cross-Site Request Forgery (CSRF) reported. The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.
- WP Security recommendation: immediately upgrade to version 1.0.3 to fix the vulnerability.
- Block WP Login
- CSRF and Unauthorised Settings Update reported. Lack of CSRF and authorisation checks in the bwpl_configure_slug() function, registered as an admin_init action, could allow an attacker (via CSRF, or unauthenticated using admin-ajax.php) to change the plugin settings (located at /wp-admin/options-permalink.php) and disable the protection offered.
- WP Security recommendation: immediately upgrade to version 1.3.2 to fix the vulnerability.
- Widget Logic
- CSRF to RCE reported by Paul Dannewitz. Widget Logic provides a comfortable way to dynamically toggle widget visibility with custom PHP code. By eval’ing the logic registered for each widget, the plugin determines if it should be shown or not. Due to a nested CSRF vulnerability, attackers are able to make administrators add malicious code to custom sidebar widgets registered with wp_register_sidebar_widget. This results in a Remote Code Execution.
- WP Security recommendation: immediately upgrade to version 5.10.2 to fix the vulnerability.
- 360 Product Rotation
- Reflected XSS reported by ImplosionSec. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
- WP Security recommendation: immediately upgrade to version 1.4.8 to fix the vulnerability.
- Watu Quizz
- Reflected XSS reported. The software does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users.
- WP Security recommendation: immediately upgrade to version 3.1.2.6 to fix the vulnerability.