WP Security bulletin – NOVEMBER 2018
At your next scheduled WordPress Maintenance, be advised for your WP Security about the latest 12 vulnerabilities in WordPress plugins identified and reported publicly. As these vulnerabilities are disclosed, when you use one (or more) of these outdated plugins – your risking serious WordPress breaches to your site(s).
We withhold public disclosure from the beginning of December 2018, to avoid any unwanted attention during holidays.
- Pie Register – Custom Registration Form and User Login WordPress Plugin
- Cross-Site Scripting (XSS) reported by Socket_0x03 (Alvaro J. Gene) and Ryan Dewhurst (dewhurstsecurity.com). Pie Register is a WordPress plugin that an administrator can use to create different kinds of forms without programming knowledge. In addition, an administrator can use Pie Register for payment features; for example, if an administrator is using Pie Register to provide some kind of service, he/she can charge an amount to his/her users via PayPal.
- WP Security recommendation: immediately upgrade to version 3.0.18 to fix the vulnerability
- Cross-Site Scripting (XSS) reported by Socket_0x03 (Alvaro J. Gene) and Ryan Dewhurst (dewhurstsecurity.com). Pie Register is a WordPress plugin that an administrator can use to create different kinds of forms without programming knowledge. In addition, an administrator can use Pie Register for payment features; for example, if an administrator is using Pie Register to provide some kind of service, he/she can charge an amount to his/her users via PayPal.
- ARForms: WordPress Form Builder Plugin
- Unauthenticated Arbitrary File Deletion reported by Amir Hossein Mahboubi and Ryan Dewhurst (dewhurstsecurity.com). WordPress Arforms plugin versions 3.5.1 and below suffer from an arbitrary file deletion vulnerability.
- WP Security recommendation: immediately upgrade to version 3.5.2 to fix the vulnerability
- Unauthenticated Arbitrary File Deletion reported by Amir Hossein Mahboubi and Ryan Dewhurst (dewhurstsecurity.com). WordPress Arforms plugin versions 3.5.1 and below suffer from an arbitrary file deletion vulnerability.
- Flow-Flow Social Stream
- Unauthenticated Cross-Site Scripting (XSS) reported by Alaistair Jerrom-Smith (getrefined.com). Cross-Site Scripting (XSS) vulnerability in the JSON output by modifying the hash parameter in admin-ajax.php using the fetch_posts action. Response Content-Type set to HTML.
- WP Security recommendation: immediately upgrade to version 3.0.72 to fix the vulnerability
- Unauthenticated Cross-Site Scripting (XSS) reported by Alaistair Jerrom-Smith (getrefined.com). Cross-Site Scripting (XSS) vulnerability in the JSON output by modifying the hash parameter in admin-ajax.php using the fetch_posts action. Response Content-Type set to HTML.
- WP-DBManager
- Arbitrary File Delete reported by Ryan Dewhurst (dewhurstsecurity.com). According to the changelog: “FIXED: Arbitrary file delete bug by sanitizing filename.”
- WP Security recommendation: immediately upgrade to version 2.79.2 to fix the vulnerability
- Arbitrary File Delete reported by Ryan Dewhurst (dewhurstsecurity.com). According to the changelog: “FIXED: Arbitrary file delete bug by sanitizing filename.”
- Ultimate Member – User Profile & Membership Plugin
- Cross-Site Request Forgery (CSRF). According to the changelog: “Fixed AJAX vulnerabilities”.
- WP Security recommendation: immediately upgrade to version 2.0.33 to fix the vulnerability
- Cross-Site Request Forgery (CSRF). According to the changelog: “Fixed AJAX vulnerabilities”.
Our only security is our ability to change. ~ John Lilly
- WooCommerce
- Authenticated File Deletion to Privilege Escalation reported by Simon Scannell (RIPS Technologies). Attackers in control of a user with the shop manager role can delete certain files on the server and then take over any victim account.
- WP Security recommendation: immediately upgrade to version 3.4.6 to fix the vulnerability
- Authenticated File Deletion to Privilege Escalation reported by Simon Scannell (RIPS Technologies). Attackers in control of a user with the shop manager role can delete certain files on the server and then take over any victim account.
- WP GDPR Compliance
- Unauthenticated Call Any Action or Update Any Option reported by Adrian Mörchen (moewe.io). The plugin WP GDPR Compliance allows unauthenticated users to execute any action and to update any database value. If the request data form is available for unauthenticated users, even unauthenticated users are able to do this.
- WP Security recommendation: immediately upgrade to version 1.4.3 to fix the vulnerability
- Unauthenticated Call Any Action or Update Any Option reported by Adrian Mörchen (moewe.io). The plugin WP GDPR Compliance allows unauthenticated users to execute any action and to update any database value. If the request data form is available for unauthenticated users, even unauthenticated users are able to do this.
- AMP for WP – Accelerated Mobile Pages
- Multiple Unauthenticated Vulnerabilities reported by Sybre Waaijer (theseoframework.com). Critical WordPress Plugin Flaw Grants Admin Access to Any Registered Site User. The privilege-escalation vulnerability would allow an attacker to inject malware, place ads and load custom code on an impacted website.
- WP Security recommendation: immediately upgrade to version 0.9.97.20 to fix the vulnerability
- Multiple Unauthenticated Vulnerabilities reported by Sybre Waaijer (theseoframework.com). Critical WordPress Plugin Flaw Grants Admin Access to Any Registered Site User. The privilege-escalation vulnerability would allow an attacker to inject malware, place ads and load custom code on an impacted website.
- Ninja Forms – The Easy and Powerful Forms Builder
- Unauthenticated Cross-Site Scripting (XSS) reported by Ryan Dewhurst (dewhurstsecurity.com). XSS in the Ninja Forms plugin before 3.3.18 for WordPress allows Remote Attackers to execute JavaScript via the includes/Admin/Menus/Submissions.php (aka submissions page) begin_date, end_date, or form_id parameter. According to the changelog: “Patched a redirect XSS vulnerability using code injection on our submissions page.”
- WP Security recommendation: immediately upgrade to version 3.3.18 to fix the vulnerability
- Unauthenticated Cross-Site Scripting (XSS) reported by Ryan Dewhurst (dewhurstsecurity.com). XSS in the Ninja Forms plugin before 3.3.18 for WordPress allows Remote Attackers to execute JavaScript via the includes/Admin/Menus/Submissions.php (aka submissions page) begin_date, end_date, or form_id parameter. According to the changelog: “Patched a redirect XSS vulnerability using code injection on our submissions page.”
Protect your WordPress: BEFORE IT’S TOO LATE! You will also protect your customers, your reputation and your online business!
The following WordPress plugin vulnerabilities are extremely dangerous. Since their initial finding date, until public disclosure (usually a full month) the reported vulnerability was not fixed. This usually means that the developer intended this – and the plugin was removed from the WP repository or the developer does not update it willingly. In both cases, you should immediately deactivate and remove the mentioned plugin and find an alternative. Otherwise, you risk irreversible security breaches to your WordPress site(s), and the risk grows exponentially as days go by.
- Calendar
- Authenticated Stored Cross-Site Scripting (XSS) reported by boombyte. This WordPress plugin allows remote authenticated users, without the unfiltered_html capability, to execute JavaScript code through a stored XSS attack. The plugin by default is available to users with the contributor or more privileges.
- WordPress Maintenance recommendation: IMMEDIATELY UNISTALL THIS PLUGIN! This plugin was closed on November 2, 2018 and is no longer available for download. Reason: Security Issue.
- Authenticated Stored Cross-Site Scripting (XSS) reported by boombyte. This WordPress plugin allows remote authenticated users, without the unfiltered_html capability, to execute JavaScript code through a stored XSS attack. The plugin by default is available to users with the contributor or more privileges.
- Media File Manager
- Authenticated Multiple Vulnerabilities reported by Pasquale Turi and boombyte. Following the PoC you can combine the vulnerabilities to obtain PHP code execution and read a sensitive file. By default the File Manager can only be used by Administrator users, however, any user role can be configured to use it. Exploited options are Directory Traversal, Reflected XSS, Move any file to any dir, Rename any file.
- WordPress Maintenance recommendation: IMMEDIATELY UNISTALL THIS PLUGIN! This plugin was closed on November 8, 2018 and is no longer available for download.
- Authenticated Multiple Vulnerabilities reported by Pasquale Turi and boombyte. Following the PoC you can combine the vulnerabilities to obtain PHP code execution and read a sensitive file. By default the File Manager can only be used by Administrator users, however, any user role can be configured to use it. Exploited options are Directory Traversal, Reflected XSS, Move any file to any dir, Rename any file.
- BWP Better WordPress reCAPTCHA
- Unauthenticated Cross-Site Scripting (XSS) reported by Gabriel Avramescu (ituniversity.ro). There is a reflected XSS vulnerability in Better WordPress reCAPTCHA plugin version 2.0.3, and possibly below. The parameter cerror value is reflected in the page when this plugin is enabled. Once plugin disabled, the “cerror” parameter’s value is not reflected in the page anymore.
- WordPress Maintenance recommendation: IMMEDIATELY UNISTALL THIS PLUGIN! This plugin was closed on November 9, 2018 and is no longer available for download.
- Unauthenticated Cross-Site Scripting (XSS) reported by Gabriel Avramescu (ituniversity.ro). There is a reflected XSS vulnerability in Better WordPress reCAPTCHA plugin version 2.0.3, and possibly below. The parameter cerror value is reflected in the page when this plugin is enabled. Once plugin disabled, the “cerror” parameter’s value is not reflected in the page anymore.
Get Healthy, Stay Healthy: A healthier online business starts today and it begins with you!
