WP Security bulletin - January 2019
At your next scheduled WordPress maintenance, be advised of the latest 21 publicly identified and reported vulnerabilities in WordPress plugins. As these vulnerabilities are disclosed, running one (or more) of these outdated plugins puts your site(s) at risk of serious WordPress breaches.
- Google XML Sitemaps
- Authenticated Cross-Site Scripting (XSS) reported by Javier Casares (@JavierCasares). A security issue related to escaping external URLs and another security issue related to option tags in forms.
- WP Security recommendation: immediately upgrade to version 4.1.0 to fix the vulnerability.
- Two Factor Authentication
- Disable Two Factor Authentication CSRF reported by Martijn Korse (bitnesswise.com) and Ryan Dewhurst (RIPS Technologies). A logged-in CSRF vulnerability due to a missing nonce check: if an attacker could persuade a personally-targeted victim who was logged in to their WordPress account to visit a page crafted for that victim in the same browser session, the attacker could de-activate two-factor authentication for the victim on that WordPress site (leaving the targeted account protected by the user's password but not by a second factor; the absence of a request for a TFA code would be apparent on the user's next login). This vulnerability was inherited from the original "Two Factor Auth" plugin that this plugin was forked from, and so is present in all versions before this one.
- WP Security recommendation: immediately upgrade to version 1.31.3 to fix the vulnerability.
- spam-byebye
- Cross-Site Scripting (XSS) reported by Ryan Dewhurst (RIPS Technologies). Cross-site scripting vulnerability in WordPress plugin spam-byebye 2.2.1 and earlier allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
- WP Security recommendation: immediately upgrade to version 2.2.2 to fix the vulnerability.
- User Registration
- Authenticated Cross-Site Scripting (XSS) reported by Ryan Dewhurst (RIPS Technologies). WordPress User Registration plugin version 1.5.3 suffers from a cross-site scripting vulnerability.
- WP Security recommendation: immediately upgrade to version 1.5.6 to fix the vulnerability.
- Wise Chat
- Reverse Tabnabbing reported by Ryan Dewhurst (RIPS Technologies). The Wise Chat plugin before 2.7 for WordPress mishandles external links because the "rendering/filters/post/WiseChatLinksPostFilter" PHP file omits noopener and noreferrer.
- WP Security recommendation: immediately upgrade to version 2.7 to fix the vulnerability.
- Yet Another Stars Rating
- PHP Object Injection reported by Ryan Dewhurst (RIPS Technologies). An unauthenticated PHP object injection in the "Yasr – Yet Another Stars Rating" WordPress plugin introduces a starting point for RCE and similar high-severity vulnerabilities. A shortcode provided by the plugin passes Cookie data without any filtering to PHP's unsafe unserialize() function.
- WP Security recommendation: immediately upgrade to version 1.8.7 to fix the vulnerability.
- Health Check & Troubleshooting
- Authenticated Path Traversal reported by Julien Legras (Synacktiv) and siliconforks. Arbitrary file viewing through the integrity file actions.
- Authenticated Lack of Authorisation reported by Julien Legras (Synacktiv) and siliconforks. Site status was available to any user with a subscriber role or higher on a site.
- WP Security recommendation: immediately upgrade to version 1.2.4 to fix both vulnerabilities.
- WooCommerce
- Authenticated Stored Cross-Site Scripting (XSS) reported by Ryan Dewhurst (RIPS Technologies). The vulnerability occurs because of a common design flaw in application security. When data is stored in the database, it is sanitized correctly and is secure. The application then trusts the data, since it was sanitized when it was initially stored, and uses it without any further security checks when pulling it from the database. However, data that is already stored in the database can sometimes be modified through another path. This happened in WooCommerce. When a malicious Shop Manager creates a new Order from within the Admin dashboard, all input is sanitized and stored safely. If the Shop Manager creates the order via the REST API of WordPress instead, the data is not sanitized. Since WooCommerce trusts all data in the database, the Stored XSS occurs.
- WP Security recommendation: immediately upgrade to version 3.5.1 to fix the vulnerability.
- WP Job Manager
- Phar Deserialization (Object Injection) reported by Ryan Dewhurst (RIPS Technologies). Attackers were able to sign up and upload a company logo for their listing. This upload functionality was vulnerable to a Phar Deserialization, which left over 100,000 sites vulnerable to the PHP Object Injection that results from Phar Deserializations. If other plugins are installed that make the Object Injection exploitable, a full takeover by unauthenticated remote attackers was possible.
- WP Security recommendation: immediately upgrade to version 1.31.3 to fix the vulnerability.
- Adicon Server
- SQL Injection reported by Javier Casares (@JavierCasares). There is an exploitable blind SQL injection vulnerability via the del_ids variable in a POST request, plus nine reflected XSS vulnerabilities.
- WP Security recommendation: immediately remove THIS plugin to avoid the vulnerability. This plugin hasn’t been tested with the latest 3 major releases of WordPress. Last updated: 9 years ago!
- Audio Record 1.0
- Arbitrary File Upload reported by Javier Casares (@JavierCasares). Unrestricted file upload in the record upload process, allowing an arbitrary extension.
- WP Security recommendation: immediately remove THIS plugin to avoid the vulnerability. This plugin hasn’t been tested with the latest 3 major releases of WordPress. Last updated: 2 years ago!
- Baggage Freight Shipping Australia 0.1.0
- Unauthenticated Arbitrary File Upload reported by Javier Casares (@JavierCasares). Unrestricted file upload by an unauthorised user in the package info upload process, allowing an arbitrary extension.
- WP Security recommendation: immediately remove THIS plugin to avoid the vulnerability. This plugin hasn’t been tested with the latest 3 major releases of WordPress. Last updated: 4 years ago!
- WP AutoSuggest 0.24
- Unauthenticated SQL Injection reported by Javier Casares (@JavierCasares).
- WP Security recommendation: immediately remove THIS plugin to avoid the vulnerability. This plugin was closed on January 7, 2019 and is no longer available for download. Last updated: 10 years ago!
- MapSVG Lite
- Cross-Site Request Forgery (CSRF) reported by Ryan Dewhurst (RIPS Technologies). CSRF in MapSVG Lite could allow an attacker to do almost anything an admin can. The plugin uses REST requests to modify post data and does not check the nonce when doing so.
- WP Security recommendation: immediately remove THIS plugin to avoid the vulnerability.
- JSmol2WP
- Unauthenticated Server Side Request Forgery (SSRF) reported by Ryan Dewhurst (RIPS Technologies). An issue was discovered in the JSmol2WP plugin 1.07 for WordPress. There is an arbitrary file read vulnerability via ../ directory traversal in query=php://filter/resource= in the jsmol.php query string. This can also be used for SSRF.
- Unauthenticated Cross-Site Scripting (XSS) reported by Ryan Dewhurst (RIPS Technologies). An issue was discovered in the JSmol2WP plugin 1.07 for WordPress. The cross-site scripting (XSS) vulnerability allows remote attackers to inject arbitrary web script or HTML via the jsmol.php data parameter.
- WP Security recommendation: immediately remove THIS plugin to avoid the TWO vulnerabilities. This plugin was closed on January 7, 2019 and is no longer available for download. Last updated: 11 months ago!
- easy-redirect-manager
- Cross-Site Scripting (XSS) reported by Ryan Dewhurst (RIPS Technologies). Any page that causes a 404 or 302 response is output within the Redirect Log page without any validation or output encoding, including the URL query string, which could contain an XSS payload.
- WP Security recommendation: immediately remove THIS plugin to avoid the vulnerability. This plugin was closed on January 14, 2019 and is no longer available for download. Last updated: 12 months ago!
- Social Media Tabs
- Social Media API Key Leakage reported by Ryan Dewhurst (RIPS Technologies). The WordPress plugin called Social Network Tabs, made by the company Design Chemical, leaks the Twitter access_token, access_token_secret, consumer_key and consumer_secret of its user twice, which leads to a takeover of their Twitter account.
- WP Security recommendation: immediately remove THIS plugin to avoid the vulnerability.
- Total Donations
- Update Arbitrary WordPress Option Values reported by Ryan Dewhurst (RIPS Technologies). The Wordfence Threat Intelligence team recently identified multiple critical vulnerabilities in the commercial Total Donations plugin for WordPress. These vulnerabilities, present in all known versions of the plugin up to and including 2.0.5, are being exploited by malicious actors to gain administrative access to affected WordPress sites.
- WP Security recommendation: immediately remove THIS plugin to avoid the vulnerability. This item is no longer available!
- Download Ad Manager by WD
- Arbitrary File Download reported by Ryan Dewhurst (RIPS Technologies). The software uses external input to construct a pathname that is intended to identify a file or directory that is located underneath a restricted parent directory, but the software does not properly neutralize special elements within the pathname that can cause the pathname to resolve to a location that is outside of the restricted directory.
- WP Security recommendation: immediately remove THIS plugin to avoid the vulnerability.
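The Two Factor Authentication and MapSVG Lite entries above both come down to a state-changing request that is accepted on the strength of the victim's login session alone, with no nonce check. The following is an added example, not code from either plugin or from WordPress: it shows the vulnerable handler shape next to the hardened one. To keep it runnable without WordPress, the nonce itself is built with hash_hmac() over a hypothetical secret; in a real plugin the same role is played by wp_create_nonce() / wp_nonce_field() on the form side and wp_verify_nonce() or check_admin_referer() on the handler side. All function names and the sample session data are constructed for the example.

```php
<?php
// Added example (not the plugins' code): the nonce check whose absence causes logged-in CSRF.
// Stand-alone PHP; NONCE_SECRET and the session/request arrays below are constructed.
declare(strict_types=1);

const NONCE_SECRET = 'constructed-secret-for-the-example-only'; // WordPress: the wp-config.php salts
const NONCE_TTL    = 43200; // 12-hour tick; WordPress accepts two ticks for its default 24-hour nonce life

// Bind the token to the user, the action and a time window, so a token issued for one
// action (or one user) cannot be replayed for another.
function make_nonce(int $user_id, string $action, int $now): string {
    $tick = intdiv($now, NONCE_TTL);
    return substr(hash_hmac('sha256', "$tick|$action|$user_id", NONCE_SECRET), 0, 16);
}

function verify_nonce(string $nonce, int $user_id, string $action, int $now): bool {
    $tick = intdiv($now, NONCE_TTL);
    // Accept the current and the previous window; compare in constant time.
    foreach ([$tick, $tick - 1] as $t) {
        $expected = substr(hash_hmac('sha256', "$t|$action|$user_id", NONCE_SECRET), 0, 16);
        if (hash_equals($expected, $nonce)) {
            return true;
        }
    }
    return false;
}

// Vulnerable shape: the login session is the only check. A cross-site POST sent by the
// victim's browser carries the session cookie too, so it looks exactly like a real one.
function disable_tfa_vulnerable(array $session, array $post, array &$tfa_state): bool {
    if (empty($session['user_id'])) {
        return false;
    }
    $tfa_state[(int) $session['user_id']] = false;
    return true;
}

// Hardened shape: the request must also carry a nonce that only a page rendered for this
// user could contain. A third-party page cannot read that value, so the forged request fails.
function disable_tfa_hardened(array $session, array $post, array &$tfa_state, int $now): bool {
    if (empty($session['user_id'])) {
        return false;
    }
    $user_id = (int) $session['user_id'];
    if (!verify_nonce((string) ($post['_nonce'] ?? ''), $user_id, 'disable_tfa', $now)) {
        return false; // WordPress equivalent: check_admin_referer('disable_tfa') stops the request here
    }
    $tfa_state[$user_id] = false;
    return true;
}

// Demonstration with constructed data: user 7 is logged in and has TFA enabled.
$now     = time();
$session = ['user_id' => 7];

// A forged request from a third-party page: it cannot include the nonce.
$forged = ['action' => 'disable_tfa'];
$tfa    = [7 => true];
disable_tfa_vulnerable($session, $forged, $tfa);
printf("vulnerable handler, forged request:  TFA enabled = %s\n", var_export($tfa[7], true));

$tfa = [7 => true];
$ok  = disable_tfa_hardened($session, $forged, $tfa, $now);
printf("hardened handler, forged request:    accepted = %s, TFA enabled = %s\n",
    var_export($ok, true), var_export($tfa[7], true));

// The legitimate request carries the nonce that was rendered into the settings form.
$legit = ['action' => 'disable_tfa', '_nonce' => make_nonce(7, 'disable_tfa', $now)];
$ok    = disable_tfa_hardened($session, $legit, $tfa, $now);
printf("hardened handler, legitimate request: accepted = %s, TFA enabled = %s\n",
    var_export($ok, true), var_export($tfa[7], true));
```

Run it with `php example.php`: the vulnerable handler disables TFA on the forged request, the hardened one rejects it and only honours the request that carries the nonce. The same check applies to the MapSVG Lite case, where REST requests modified post data without verifying a nonce; for REST routes WordPress passes the nonce in the X-WP-Nonce header rather than a form field, but the verification step is the same.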
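The Yet Another Stars Rating entry (cookie data passed straight to unserialize()) and the WP Job Manager entry (Phar deserialization) are both PHP object injection: untrusted bytes decide which class gets instantiated, and that class's magic methods then run with attacker-chosen properties. The following added example is not the code of either plugin; it uses a hypothetical LogWriter class as a stand-in for whatever gadget class happens to be loaded, and a hand-written serialized string standing in for the attacker's cookie. It shows the unsafe call, the allowed_classes option that stops object creation, and the JSON-with-validation approach that avoids PHP serialization for client-side state altogether.

```php
<?php
// Added example (not the Yasr plugin's code): unserialize() on untrusted cookie data,
// and two safer ways to carry the same data. LogWriter is a hypothetical gadget class.
declare(strict_types=1);

class LogWriter {
    public $path = '/tmp/app.log';
    public $data = '';
    public function __destruct() {
        // In a real gadget the side effect here is the damage (a file write, an include, ...).
        // This stand-in only reports that attacker-controlled state reached a magic method.
        echo "LogWriter::__destruct() ran with path={$this->path}\n";
    }
}

// Constructed sample cookie values. The first is the shape the application expects
// (post id => stars). The second is typed by the attacker, not produced by the app.
$cookie_ratings = serialize([42 => 5, 43 => 4]);
$cookie_object  = 'O:9:"LogWriter":2:{s:4:"path";s:12:"/tmp/app.log";s:4:"data";s:0:"";}';

// Unsafe: any class loaded in the process can be instantiated from the cookie.
function load_ratings_unsafe(string $cookie): array {
    $value = @unserialize($cookie);
    return is_array($value) ? $value : [];
}

// Safer: allowed_classes => false turns every object into __PHP_Incomplete_Class,
// whose magic methods never run, so only scalars and arrays can come back.
function load_ratings_no_objects(string $cookie): array {
    $value = @unserialize($cookie, ['allowed_classes' => false]);
    return is_array($value) ? $value : [];
}

// Best: no PHP serialization for client-side state at all. JSON carries no class
// information, and the decoded shape is checked before anything uses it.
function load_ratings_json(string $cookie): array {
    $value = json_decode($cookie, true, 2); // depth 2: a flat map only, nothing nested
    if (!is_array($value)) {
        return [];
    }
    $ratings = [];
    foreach ($value as $post_id => $stars) {
        if (!is_int($post_id) || !is_int($stars) || $stars < 1 || $stars > 5) {
            continue; // keep only "post id => 1..5"
        }
        $ratings[$post_id] = $stars;
    }
    return $ratings;
}

echo "--- expected cookie, unsafe unserialize() ---\n";
var_dump(load_ratings_unsafe($cookie_ratings));      // the two ratings, as the plugin intended

echo "--- attacker cookie, unsafe unserialize() ---\n";
load_ratings_unsafe($cookie_object);                  // the destructor line is printed: the gadget ran

echo "--- attacker cookie, allowed_classes => false ---\n";
var_dump(load_ratings_no_objects($cookie_object));    // array(0) {} and no destructor output

echo "--- JSON cookie with shape validation ---\n";
var_dump(load_ratings_json(json_encode([42 => 5, 43 => 4, 44 => 99, 'x' => 'y'])));
// keeps 42 => 5 and 43 => 4; 44 => 99 (out of range) and 'x' => 'y' (wrong types) are dropped
```

The Phar case differs only in where the serialized bytes come from: PHP deserializes the metadata of a Phar archive when a `phar://` path reaches a filesystem function such as file_exists() or getimagesize(), which is why an upload feature that later touches the uploaded path can trigger the same class of bug. The mitigation on that side is to keep uploads to an allow-list of extensions and to reject any path containing a stream-wrapper prefix before it reaches a file function; the unserialize()-side mitigations are the ones shown above.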
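The WooCommerce entry describes a design flaw that is easy to reintroduce in any code base: the output layer trusts a database column because one write path sanitized it, and a second write path later stores raw input in the same column. The following added example is not WooCommerce's code; it reduces the situation to an in-memory orders table with two write paths and one output path, all constructed for the example, and shows both fixes: sanitize on every write path, and, independently of that, escape for the HTML context at the moment of output (in WordPress, sanitize_text_field() on the way in and esc_html() on the way out).

```php
<?php
// Added example (not WooCommerce's code): why "it was sanitized when it was stored" is not
// a safe reason to skip output escaping. The orders table and the input are constructed.
declare(strict_types=1);

$orders = [];

function sanitize_text(string $value): string {
    // Roughly what WordPress sanitize_text_field() does: strip tags and control characters.
    return trim(preg_replace('/[\x00-\x1F\x7F]/', '', strip_tags($value)));
}

// Write path 1: the admin dashboard form. Input is sanitized before it is stored.
function create_order_from_admin(array &$orders, string $billing_name): int {
    $orders[] = ['billing_name' => sanitize_text($billing_name)];
    return count($orders) - 1;
}

// Write path 2: the REST API. The flawed version stores the raw value in the same column.
function create_order_from_rest_flawed(array &$orders, string $billing_name): int {
    $orders[] = ['billing_name' => $billing_name];
    return count($orders) - 1;
}

// Write path 2, corrected: every path that writes the column sanitizes the same way.
function create_order_from_rest_fixed(array &$orders, string $billing_name): int {
    return create_order_from_admin($orders, $billing_name);
}

// Output path, flawed: the stored value is trusted and interpolated into HTML as-is.
function render_order_flawed(array $order): string {
    return "<td>{$order['billing_name']}</td>";
}

// Output path, hardened: escape for the HTML context at output time, whichever path
// wrote the row. This holds even if a third write path is added next year.
function render_order_hardened(array $order): string {
    return '<td>' . htmlspecialchars($order['billing_name'], ENT_QUOTES | ENT_HTML5, 'UTF-8') . '</td>';
}

// Constructed malicious input: a billing name that carries markup.
$payload = '<script>alert("xss")</script>';

$id_admin = create_order_from_admin($orders, $payload);
$id_rest  = create_order_from_rest_flawed($orders, $payload);
$id_fixed = create_order_from_rest_fixed($orders, $payload);

echo "admin path, flawed render:      ", render_order_flawed($orders[$id_admin]), "\n";   // tags stripped on write
echo "REST path, flawed render:       ", render_order_flawed($orders[$id_rest]), "\n";    // raw markup reaches the page
echo "REST path, hardened render:     ", render_order_hardened($orders[$id_rest]), "\n";  // markup escaped at output
echo "fixed REST path, flawed render: ", render_order_flawed($orders[$id_fixed]), "\n";   // tags stripped on write
```

The two fixes are complementary rather than alternatives: input sanitization keeps garbage out of the database, but only output escaping is tied to the place where the data becomes HTML, so it is the one that still holds when a new write path, an import script or a direct database edit bypasses the sanitizer.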
Our only security is our ability to change. ~ John Lilly
Protect your WordPress: BEFORE IT'S TOO LATE! You will also protect your customers, your reputation and your online business!
The following WordPress plugin vulnerabilities are extremely dangerous, since either the active installations are in the millions or the reported vulnerabilities were never patched. The potential risk goes up each day as more and more ill-intentioned persons find out about these vulnerabilities.
Get Healthy, Stay Healthy: A healthier online business starts today and it begins with you!