WP Security bulletin – DECEMBER 2018
At your next scheduled WordPress Maintenance, be advised for your WP Security about the latest 17 vulnerabilities in WordPress plugins identified and reported publicly. As these vulnerabilities are disclosed, when you use one (or more) of these outdated plugins – your risking serious WordPress breaches to your site(s).
- Arigato Autoresponder and Newsletter
- Authenticated Blind SQL Injection & Multiple XSS reported by Larry W. Cashdollar, (@_larry0). There is an exploitable blind SQL injection vulnerability via the del_ids variable by a POST request. Plus, 9 Reflected XSS.
- WP Security recommendation: immediately upgrade to version 2.5.2 to fix the vulnerability
- Authenticated Blind SQL Injection & Multiple XSS reported by Larry W. Cashdollar, (@_larry0). There is an exploitable blind SQL injection vulnerability via the del_ids variable by a POST request. Plus, 9 Reflected XSS.
- Redirection
- Cross-Site Request Forgery (CSRF) reported by Ryan Dewhurst (dewhurstsecurity.com). The plugin suffered from a critical CSRF vulnerability that allows remote attackers to create a shell.php on the target server and execute arbitrary code. The only requirement for successful exploitation is that an administrator of the target site visits a malicious website set up by the attacker. The victim does not have to click anything on the malicious website in order to trigger the exploit.
- WP Security recommendation: immediately upgrade to version 3.6.3 to fix the vulnerability
- Cross-Site Request Forgery (CSRF) reported by Ryan Dewhurst (dewhurstsecurity.com). The plugin suffered from a critical CSRF vulnerability that allows remote attackers to create a shell.php on the target server and execute arbitrary code. The only requirement for successful exploitation is that an administrator of the target site visits a malicious website set up by the attacker. The victim does not have to click anything on the malicious website in order to trigger the exploit.
- Contact Form by WPForms – Drag & Drop Form Builder for WordPress
- Authenticated Stored Cross-Site Scripting (XSS) reported by Ryan Dewhurst (dewhurstsecurity.com). The commercial version of the plugin suffered from a reflected XSS vulnerability. If an attacker can lure a victim administrator to click on a malicious link, a full site takeover can be performed.
- WP Security recommendation: immediately upgrade to version 1.4.8 to fix the vulnerability or consider owl CONTACTS as a more secure replacement candidate.
- Authenticated Stored Cross-Site Scripting (XSS) reported by Ryan Dewhurst (dewhurstsecurity.com). The commercial version of the plugin suffered from a reflected XSS vulnerability. If an attacker can lure a victim administrator to click on a malicious link, a full site takeover can be performed.
- Google Analytics Dashboard Plugin for WordPress by MonsterInsights
- Authenticated Stored Cross-Site Scripting (XSS) reported by Ryan Dewhurst (dewhurstsecurity.com). The vulnerabilities occurred because lower privileged users were able to create new notifications for other user accounts on the site and inject “script” tags into the rendered HTML markup of the notification. The malicious notifications are then displayed on the index site of the admin dashboard of WordPress. The next time an administrator logs into the admin dashboard, evil JavaScript code executes which compromises the entire server.
- WP Security recommendation: immediately upgrade to version 7.2.0 to fix the vulnerability.
- Authenticated Stored Cross-Site Scripting (XSS) reported by Ryan Dewhurst (dewhurstsecurity.com). The vulnerabilities occurred because lower privileged users were able to create new notifications for other user accounts on the site and inject “script” tags into the rendered HTML markup of the notification. The malicious notifications are then displayed on the index site of the admin dashboard of WordPress. The next time an administrator logs into the admin dashboard, evil JavaScript code executes which compromises the entire server.
- WP Mail SMTP by WPForms
- Authenticated Stored Cross-Site Scripting (XSS) reported by Ryan Dewhurst (dewhurstsecurity.com). The vulnerabilities occurred because lower privileged users were able to create new notifications for other user accounts on the site and inject “script” tags into the rendered HTML markup of the notification. The malicious notifications are then displayed on the index site of the admin dashboard of WordPress. The next time an administrator logs into the admin dashboard, evil JavaScript code executes which compromises the entire server.
- WP Security recommendation: immediately upgrade to version 1.4.0 to fix the vulnerability.
- Authenticated Stored Cross-Site Scripting (XSS) reported by Ryan Dewhurst (dewhurstsecurity.com). The vulnerabilities occurred because lower privileged users were able to create new notifications for other user accounts on the site and inject “script” tags into the rendered HTML markup of the notification. The malicious notifications are then displayed on the index site of the admin dashboard of WordPress. The next time an administrator logs into the admin dashboard, evil JavaScript code executes which compromises the entire server.
- PropertyHive
- Unvalidated Input to do_action() reported by Javier Casares, (javiercasares.com). According to the plugin’s changelog: “Corrected potential vulnerability picked up by WordPress causing plugin to be removed from plugin repository.”
- WP Security recommendation: immediately upgrade to version 1.4.26 to fix the vulnerability.
- Unvalidated Input to do_action() reported by Javier Casares, (javiercasares.com). According to the plugin’s changelog: “Corrected potential vulnerability picked up by WordPress causing plugin to be removed from plugin repository.”
Our only security is our ability to change. ~ John Lilly
- Social Sharing Plugin – Kiwi
- Update Any Option reported by Ryan Dewhurst (dewhurstsecurity.com). A critical vulnerability in the WordPress WordPress Kiwi Social Sharing plugin <2.0.11 (30,000+ active installations) is currently exploited since December 6th. Similarly to the WP GDPR Compliance vulnerability, it allows attackers to modify the WordPress wp_options table in order to create administrator accounts or, for instance, redirect the blog to another website. The issue was disclosed by pluginvulnerabilities.com and was fixed on November 12th with the release of v2.0.11, but hackers are now actively exploiting it.
- WP Security recommendation: immediately upgrade to version 2.0.11 to fix the vulnerability.
- Update Any Option reported by Ryan Dewhurst (dewhurstsecurity.com). A critical vulnerability in the WordPress WordPress Kiwi Social Sharing plugin <2.0.11 (30,000+ active installations) is currently exploited since December 6th. Similarly to the WP GDPR Compliance vulnerability, it allows attackers to modify the WordPress wp_options table in order to create administrator accounts or, for instance, redirect the blog to another website. The issue was disclosed by pluginvulnerabilities.com and was fixed on November 12th with the release of v2.0.11, but hackers are now actively exploiting it.
- Advanced Custom Fields
- Authenticated Cross-Site Scripting (XSS) reported by Loading Kura Kura and Ryan Dewhurst (dewhurstsecurity.com). It was possible for a logged in author to save unfiltered HTML within a custom field value. This is something that should not be possible without the unfiltered_html capability.
- WP Security recommendation: immediately upgrade to version 5.7.8 to fix the vulnerability.
- Authenticated Cross-Site Scripting (XSS) reported by Loading Kura Kura and Ryan Dewhurst (dewhurstsecurity.com). It was possible for a logged in author to save unfiltered HTML within a custom field value. This is something that should not be possible without the unfiltered_html capability.
- Contact Form by WPForms – Drag & Drop Form Builder for WordPress
- Unauthenticated Cross-Site Scripting (XSS) reported by Ryan Dewhurst (dewhurstsecurity.com). The commercial version of the plugin suffered from a reflected XSS vulnerability. If an attacker can lure a victim administrator to click on a malicious link, a full site takeover can be performed.
- WP Security recommendation: immediately upgrade to version 1.4.8.1 to fix the vulnerability or consider owl CONTACTS as a more secure replacement candidate.
- Unauthenticated Cross-Site Scripting (XSS) reported by Ryan Dewhurst (dewhurstsecurity.com). The commercial version of the plugin suffered from a reflected XSS vulnerability. If an attacker can lure a victim administrator to click on a malicious link, a full site takeover can be performed.
- Import users from CSV with meta
- Authenticated Stored Cross-Site Scripting (XSS) by Slawek Zytko and Ryan Dewhurst (RIPS Technologies). The codection “Import users from CSV with meta” plugin before 1.12.1 for WordPress allows XSS via the value of a cell.
- WP Security recommendation: immediately upgrade to version 1.12.1 to fix the vulnerability.
- Authenticated Stored Cross-Site Scripting (XSS) by Slawek Zytko and Ryan Dewhurst (RIPS Technologies). The codection “Import users from CSV with meta” plugin before 1.12.1 for WordPress allows XSS via the value of a cell.
- Orbit Fox by ThemeIsle
- Unvalidated Input to do_action() reported by James Golovich, (pritect.net). Orbit Fox by Themeisle (aka Themeisle Companion) version <= 2.6.3 does not properly authenticate REST API calls allowing unauthenticated users to execute several API calls. In some cases one of these calls can be used to upload arbitrary files which can lead to remote code execution.
- WP Security recommendation: immediately upgrade to version 2.6.4 to fix the vulnerability.
- Unvalidated Input to do_action() reported by James Golovich, (pritect.net). Orbit Fox by Themeisle (aka Themeisle Companion) version <= 2.6.3 does not properly authenticate REST API calls allowing unauthenticated users to execute several API calls. In some cases one of these calls can be used to upload arbitrary files which can lead to remote code execution.
Protect your WordPress: BEFORE IT’S TOO LATE! You will also protect your customers, your reputation and your online business!
The following WordPress plugin vulnerabilities are extremely dangerous since the active installations are in the millions. The potential risk goes up each day as more and more bad intended persons find out about these vulnerabilities.
- WooCommerce
- Authenticated Stored XSS reported by Chris (firefart.at). It’s privilege design was flawed, which lead to attackers in control of a user account with Shop manager privileges on the target server being able to inject malicious JavaScript code into the index page of the target WordPress site. The next time an administrator visits the frontpage of the target store, the evil JavaScript code executes in his browser and compromises the store and all customer data.
- WP Security recommendation: immediately upgrade to version 3.4.6 to fix the vulnerability.
- Authenticated Stored XSS reported by Chris (firefart.at). It’s privilege design was flawed, which lead to attackers in control of a user account with Shop manager privileges on the target server being able to inject malicious JavaScript code into the index page of the target WordPress site. The next time an administrator visits the frontpage of the target store, the evil JavaScript code executes in his browser and compromises the store and all customer data.
- Jetpack by WordPress.com
- Authenticated Stored Cross-Site Scripting (XSS) by Ryan Dewhurst (RIPS Technologies). RIPS detected a Stored XSS vulnerability that affects a module available to premium and professional users of Jetpack. Attackers who gained control over an account on the target site with at least Contributor privileges were able to inject arbitrary JavaScript code into the HTML markup of a blog post. Once the administrator of the target site views the malicious blog post, evil JavaScript code is executed which compromises the target server.
- WP Security recommendation: immediately upgrade to version 6.5 to fix the vulnerability.
- Authenticated Stored Cross-Site Scripting (XSS) by Ryan Dewhurst (RIPS Technologies). RIPS detected a Stored XSS vulnerability that affects a module available to premium and professional users of Jetpack. Attackers who gained control over an account on the target site with at least Contributor privileges were able to inject arbitrary JavaScript code into the HTML markup of a blog post. Once the administrator of the target site views the malicious blog post, evil JavaScript code is executed which compromises the target server.
- WooCommerce
- Authenticated Phar Deserialization reported by Chris (firefart.at). The popular eCommerce plugin WooCommerce suffered from a Phar Deserialization vulnerability that allows attackers in control of a user account with Shop manager privileges on the target website to execute arbitrary code remotely on the underlying server. We have written a blog post explaining Phar Deserializations, a new exploitation technique in PHP. You can read about it here. The vulnerability occurred in the CSV import functionality of WooCommerce.
- WP Security recommendation: immediately upgrade to version 3.4.6 to fix the vulnerability.
- Authenticated Phar Deserialization reported by Chris (firefart.at). The popular eCommerce plugin WooCommerce suffered from a Phar Deserialization vulnerability that allows attackers in control of a user account with Shop manager privileges on the target website to execute arbitrary code remotely on the underlying server. We have written a blog post explaining Phar Deserializations, a new exploitation technique in PHP. You can read about it here. The vulnerability occurred in the CSV import functionality of WooCommerce.
- Smush Image Compression and Optimization
- Authenticated Phar Deserialization reported by Ryan Dewhurst (dewhurstsecurity.com). It suffers from a Phar deserialization vulnerability that can be exploited by attackers who have control over a user account with at least Author privileges on the target site. Such access could be gained via means of XSS vulnerabilities. RIPS has detected a reflected XSS vulnerability in the same version of WP Smush. The plugin is used in over more than 1 million WordPress sites. When the two vulnerabilities are combined, an attacker can trick a user of a target WordPress site into clicking a malicious link, which then executes evil JavaScript code that finally exploits the Phar Deserialization.
- WP Security recommendation: immediately upgrade to version 3.0.0 to fix the vulnerability.
- Authenticated Phar Deserialization reported by Ryan Dewhurst (dewhurstsecurity.com). It suffers from a Phar deserialization vulnerability that can be exploited by attackers who have control over a user account with at least Author privileges on the target site. Such access could be gained via means of XSS vulnerabilities. RIPS has detected a reflected XSS vulnerability in the same version of WP Smush. The plugin is used in over more than 1 million WordPress sites. When the two vulnerabilities are combined, an attacker can trick a user of a target WordPress site into clicking a malicious link, which then executes evil JavaScript code that finally exploits the Phar Deserialization.
- All in One SEO Pack
- Authenticated Stored Cross-Site Scripting (XSS) reported by Ryan Dewhurst (dewhurstsecurity.com). The vulnerability can be exploited by attackers who gained control over a user account with at least Contributor privileges on the target WordPress site. An attacker is able to inject arbitrary JavaScript code into blog posts he creates and publishes. If an administrator opens a malicious blog post, evil JavaScript code executes which compromises the target server.
- WP Security recommendation: immediately upgrade to version 2.10 to fix the vulnerability.
- Authenticated Stored Cross-Site Scripting (XSS) reported by Ryan Dewhurst (dewhurstsecurity.com). The vulnerability can be exploited by attackers who gained control over a user account with at least Contributor privileges on the target WordPress site. An attacker is able to inject arbitrary JavaScript code into blog posts he creates and publishes. If an administrator opens a malicious blog post, evil JavaScript code executes which compromises the target server.
- Ninja Forms
- Authenticated Open Redirect reported by Muhammad Talha Khan, (MTK). There is an exploitable Open Redirect vulnerability in the download submission page using an URL parameter.
- WP Security recommendation: immediately upgrade to version 3.3.19.1 to fix the vulnerability or consider owl CONTACTS as a more secure replacement candidate.
- Authenticated Open Redirect reported by Muhammad Talha Khan, (MTK). There is an exploitable Open Redirect vulnerability in the download submission page using an URL parameter.
Get Healthy, Stay Healthy: A healthier online business starts today and it begins with you!
