WP Security: 17 plugin vulnerabilities in DECEMBER 2018

WP Security bulletin – DECEMBER 2018

At your next scheduled WordPress maintenance, be advised, for your WP Security, of the latest 17 vulnerabilities in WordPress plugins that have been identified and publicly reported. Now that these vulnerabilities are disclosed, running one (or more) of these outdated plugins means you're risking a serious breach of your site(s).


  • Arigato Autoresponder and Newsletter
    • Authenticated Blind SQL Injection & Multiple XSS, reported by Larry W. Cashdollar (@_larry0). There is an exploitable blind SQL injection vulnerability via the del_ids variable in a POST request, plus 9 reflected XSS issues.
      • WP Security recommendation: immediately upgrade to version 2.5.2 to fix the vulnerability

  • Redirection
    • Cross-Site Request Forgery (CSRF) reported by Ryan Dewhurst (dewhurstsecurity.com). The plugin suffered from a critical CSRF vulnerability that allows remote attackers to create a shell.php on the target server and execute arbitrary code. The only requirement for successful exploitation is that an administrator of the target site visits a malicious website set up by the attacker. The victim does not have to click anything on the malicious website in order to trigger the exploit.
      • WP Security recommendation: immediately upgrade to version 3.6.3 to fix the vulnerability
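
The two findings above (the del_ids SQL injection in Arigato and the CSRF in Redirection) come down to the same missing controls on a privileged admin POST handler. The block below is an added example written for this bulletin, not code from either plugin: the handler name, the table wp_example_subscribers and the del_ids form field are assumptions, while the WordPress functions it calls (wp_nonce_field, check_admin_referer, current_user_can, $wpdb->prepare) are real. It shows the order a hardened handler checks things in: capability, nonce, input validation, then a parameterised query.

```php
<?php
// Added example for this bulletin, not code from Arigato or Redirection.
// A hardened bulk-delete handler for a hypothetical plugin table
// (wp_example_subscribers) driven by an admin form field named del_ids.

// Render the form. wp_nonce_field() ties the request to this action and to
// the current user's session, which is exactly what a cross-site forged
// request cannot supply.
function example_render_delete_form( array $rows ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_delete_subscribers">';
    wp_nonce_field( 'example_delete_subscribers' );
    foreach ( $rows as $row ) {
        printf(
            '<label><input type="checkbox" name="del_ids[]" value="%d"> %s</label><br>',
            (int) $row->id,
            esc_html( $row->email )
        );
    }
    submit_button( 'Delete selected' );
    echo '</form>';
}

// Handle the POST. Order matters: authorisation, then CSRF, then validation,
// then a parameterised query.
add_action( 'admin_post_example_delete_subscribers', 'example_delete_subscribers' );

function example_delete_subscribers() {
    global $wpdb;

    // 1. Capability check: a valid nonce alone does not prove the caller
    //    is allowed to delete anything.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    // 2. CSRF check: dies with a 403 if the nonce is missing, stale or forged.
    check_admin_referer( 'example_delete_subscribers' );

    // 3. Input validation: del_ids must be a list of positive integers.
    //    absint() turns anything else into 0 and array_filter() drops the 0s.
    $raw = isset( $_POST['del_ids'] ) ? (array) wp_unslash( $_POST['del_ids'] ) : array();
    $ids = array_values( array_filter( array_map( 'absint', $raw ) ) );

    $back = wp_get_referer() ? wp_get_referer() : admin_url();
    if ( empty( $ids ) ) {
        wp_safe_redirect( $back );
        exit;
    }

    // 4. Parameterised SQL: one %d placeholder per id, every value bound by
    //    $wpdb->prepare(). User input never touches the query string itself.
    $table        = $wpdb->prefix . 'example_subscribers';
    $placeholders = implode( ', ', array_fill( 0, count( $ids ), '%d' ) );
    $deleted      = $wpdb->query(
        $wpdb->prepare( "DELETE FROM {$table} WHERE id IN ({$placeholders})", $ids )
    );

    wp_safe_redirect( add_query_arg( 'deleted', (int) $deleted, $back ) );
    exit;
}
```

$wpdb->prepare() accepts the bound values either as separate arguments or as a single array, which is what makes the variable-length IN list possible without string concatenation of user data.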

  • Contact Form by WPForms – Drag & Drop Form Builder for WordPress
    • Authenticated Stored Cross-Site Scripting (XSS) reported by Ryan Dewhurst (dewhurstsecurity.com). The commercial version of the plugin suffered from a reflected XSS vulnerability. If an attacker can lure a victim administrator to click on a malicious link, a full site takeover can be performed.
      • WP Security recommendation: immediately upgrade to version 1.4.8 to fix the vulnerability or consider owl CONTACTS as a more secure replacement candidate.

  • Google Analytics Dashboard Plugin for WordPress by MonsterInsights
    • Authenticated Stored Cross-Site Scripting (XSS), reported by Ryan Dewhurst (dewhurstsecurity.com). The vulnerabilities occurred because lower-privileged users were able to create new notifications for other user accounts on the site and inject “script” tags into the rendered HTML markup of the notification. The malicious notifications are then displayed on the index page of the WordPress admin dashboard. The next time an administrator logs into the admin dashboard, the malicious JavaScript executes, compromising the entire server.
      • WP Security recommendation: immediately upgrade to version 7.2.0 to fix the vulnerability.

  • WP Mail SMTP by WPForms
    • Authenticated Stored Cross-Site Scripting (XSS), reported by Ryan Dewhurst (dewhurstsecurity.com). The vulnerabilities occurred because lower-privileged users were able to create new notifications for other user accounts on the site and inject “script” tags into the rendered HTML markup of the notification. The malicious notifications are then displayed on the index page of the WordPress admin dashboard. The next time an administrator logs into the admin dashboard, the malicious JavaScript executes, compromising the entire server.
      • WP Security recommendation: immediately upgrade to version 1.4.0 to fix the vulnerability.

  • PropertyHive
    • Unvalidated Input to do_action(), reported by Javier Casares (javiercasares.com). According to the plugin’s changelog: “Corrected potential vulnerability picked up by WordPress causing plugin to be removed from plugin repository.”
      • WP Security recommendation: immediately upgrade to version 1.4.26 to fix the vulnerability.

Our only security is our ability to change. ~ John Lilly


  • Social Sharing Plugin – Kiwi
    • Update Any Option, reported by Ryan Dewhurst (dewhurstsecurity.com). A critical vulnerability in the WordPress Kiwi Social Sharing plugin before 2.0.11 (30,000+ active installations) has been actively exploited since December 6th. Similar to the WP GDPR Compliance vulnerability, it allows attackers to modify the WordPress wp_options table in order to create administrator accounts or, for instance, redirect the blog to another website. The issue was disclosed by pluginvulnerabilities.com and was fixed on November 12th with the release of v2.0.11, but hackers are now actively exploiting it.
      • WP Security recommendation: immediately upgrade to version 2.0.11 to fix the vulnerability.

  • Advanced Custom Fields
    • Authenticated Cross-Site Scripting (XSS), reported by Loading Kura Kura and Ryan Dewhurst (dewhurstsecurity.com). It was possible for a logged-in author to save unfiltered HTML within a custom field value. This is something that should not be possible without the unfiltered_html capability.
      • WP Security recommendation: immediately upgrade to version 5.7.8 to fix the vulnerability.
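
The MonsterInsights and WP Mail SMTP notification bugs and the Advanced Custom Fields finding above are the same class of defect seen from two sides: HTML stored by a low-privileged user and later rendered in an administrator's dashboard. The block below is an added example written for this bulletin, not code from any of the three plugins. It shows the two defences together for a hypothetical notifications feature: on save, honour the unfiltered_html capability exactly as WordPress core does for post content (everyone else gets wp_kses_post), and on output, escape regardless of what is stored. The meta key example_notifications and the widget id are assumptions; unfiltered_html, wp_kses_post, esc_html and the dashboard widget API are real.

```php
<?php
// Added example for this bulletin, not code from MonsterInsights, WP Mail SMTP
// or Advanced Custom Fields. Hypothetical per-user notifications stored in
// user meta (key: example_notifications) and shown on the dashboard.

/**
 * Store a notification for the *current* user only. A lower-privileged user
 * therefore cannot plant a notification in an administrator's dashboard, and
 * the HTML is filtered unless the saving user holds unfiltered_html (the same
 * rule core applies to post content).
 */
function example_save_notification( $html ) {
    if ( ! is_user_logged_in() ) {
        return new WP_Error( 'forbidden', 'Login required.' );
    }
    $user_id = get_current_user_id();

    // Only unfiltered_html may keep arbitrary markup; everyone else is reduced
    // to the post-safe allowlist, which strips <script>, on* handlers, etc.
    $clean = current_user_can( 'unfiltered_html' ) ? $html : wp_kses_post( $html );

    $list = get_user_meta( $user_id, 'example_notifications', true );
    if ( ! is_array( $list ) ) {
        $list = array();
    }
    $list[] = array( 'body' => $clean, 'time' => time() );

    return update_user_meta( $user_id, 'example_notifications', $list );
}

/**
 * Render the dashboard widget. Output is run through wp_kses_post() again even
 * though saves were filtered: defence in depth against any code path (import,
 * migration, another plugin) that wrote the meta key without the save filter.
 */
function example_render_notifications() {
    $list = get_user_meta( get_current_user_id(), 'example_notifications', true );
    if ( ! is_array( $list ) ) {
        $list = array();
    }
    echo '<ul>';
    foreach ( $list as $item ) {
        if ( ! is_array( $item ) || ! isset( $item['body'], $item['time'] ) ) {
            continue;
        }
        printf(
            '<li><time>%s</time> %s</li>',
            esc_html( date_i18n( get_option( 'date_format' ), (int) $item['time'] ) ),
            wp_kses_post( $item['body'] )
        );
    }
    echo '</ul>';
}

add_action( 'wp_dashboard_setup', function () {
    wp_add_dashboard_widget( 'example_notifications', 'Notifications', 'example_render_notifications' );
} );
```

The same save-side rule fixes the custom-field case: whatever stores a field value checks current_user_can( 'unfiltered_html' ) before deciding whether to keep raw markup, instead of trusting that only administrators reach the form.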

  • Contact Form by WPForms – Drag & Drop Form Builder for WordPress
    • Unauthenticated Cross-Site Scripting (XSS) reported by Ryan Dewhurst (dewhurstsecurity.com). The commercial version of the plugin suffered from a reflected XSS vulnerability. If an attacker can lure a victim administrator to click on a malicious link, a full site takeover can be performed.
      • WP Security recommendation: immediately upgrade to version 1.4.8.1 to fix the vulnerability or consider owl CONTACTS as a more secure replacement candidate.

  • Import users from CSV with meta
    • Authenticated Stored Cross-Site Scripting (XSS), reported by Slawek Zytko and Ryan Dewhurst (RIPS Technologies). The codection “Import users from CSV with meta” plugin before 1.12.1 for WordPress allows XSS via the value of a cell.
      • WP Security recommendation: immediately upgrade to version 1.12.1 to fix the vulnerability.

  • Orbit Fox by ThemeIsle
    • Unvalidated Input to do_action(), reported by James Golovich (pritect.net). Orbit Fox by Themeisle (aka Themeisle Companion) version <= 2.6.3 does not properly authenticate REST API calls, allowing unauthenticated users to execute several API calls. In some cases one of these calls can be used to upload arbitrary files, which can lead to remote code execution.
      • WP Security recommendation: immediately upgrade to version 2.6.4 to fix the vulnerability.
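
The Kiwi "update any option" bug and the Orbit Fox REST authentication bug above are the two halves of one rule for settings endpoints: the route must decide who may call it, and the handler must decide which options may be written. The block below is an added example written for this bulletin, not code from either plugin. It registers a REST route with a real permission_callback and restricts writes to an explicit allowlist of option names with a sanitizer per option, so a request naming users_can_register, default_role, siteurl or any other core option is refused before update_option() is reached. The namespace example/v1 and the example_* option names are assumptions; register_rest_route, permission_callback, rest_sanitize_boolean and update_option are real WordPress APIs.

```php
<?php
// Added example for this bulletin, not code from Kiwi Social Sharing or
// Orbit Fox. A REST endpoint that updates a hypothetical plugin's settings.

// Allowlist: option name => sanitizer. Nothing outside this map is writable
// through the endpoint, whatever the request says.
function example_allowed_options() {
    return array(
        'example_share_buttons' => function ( $v ) {
            $valid = array( 'facebook', 'twitter', 'linkedin' );
            return array_values( array_intersect( (array) $v, $valid ) );
        },
        'example_button_label'  => 'sanitize_text_field',
        'example_enabled'       => 'rest_sanitize_boolean',
    );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example/v1', '/settings', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_update_settings',
        // The authentication gap described in the Orbit Fox entry: without
        // this callback (or with '__return_true') anyone on the internet can
        // call the route. Cookie-authenticated callers must also send a valid
        // REST nonce (X-WP-Nonce header), otherwise current_user_can() sees
        // them as logged out and the request is refused.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        'args'                => array(
            'option' => array( 'required' => true, 'type' => 'string' ),
            'value'  => array( 'required' => true ),
        ),
    ) );
} );

function example_update_settings( WP_REST_Request $request ) {
    $allowed = example_allowed_options();
    $option  = $request->get_param( 'option' );

    // The Kiwi-style gap: an endpoint that passes the requested name straight
    // to update_option() lets the caller rewrite wp_options at will.
    if ( ! is_string( $option ) || ! array_key_exists( $option, $allowed ) ) {
        return new WP_Error(
            'rest_forbidden_option',
            'Option is not writable via this endpoint.',
            array( 'status' => 400 )
        );
    }

    $value = call_user_func( $allowed[ $option ], $request->get_param( 'value' ) );
    update_option( $option, $value );

    return rest_ensure_response( array( 'option' => $option, 'value' => $value ) );
}
```

The same permission_callback discipline applies to any upload route: a file-handling endpoint with no callback is reachable by unauthenticated users, which is the path to arbitrary file upload described above.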

Protect your WordPress: BEFORE IT’S TOO LATE! You will also protect your customers, your reputation and your online business!

The WordPress plugin vulnerabilities listed above are extremely dangerous, since the active installations run into the millions. The potential risk goes up each day as more and more ill-intentioned people find out about these vulnerabilities.

Get Healthy, Stay Healthy: A healthier online business starts today and it begins with you!

Publisher: owl power EUROPE
