
WP Security: 12 plugin vulnerabilities in NOV 2018


WP Security bulletin – NOVEMBER 2018

At your next scheduled WordPress Maintenance, take note, for your WP Security, of the latest 12 vulnerabilities in WordPress plugins that have been identified and reported publicly. Now that these vulnerabilities are disclosed, running one (or more) of these outdated plugins means you are risking serious WordPress breaches on your site(s).

We withhold public disclosure from the beginning of December 2018, to avoid any unwanted attention during holidays.


  • Pie Register – Custom Registration Form and User Login WordPress Plugin
    • Cross-Site Scripting (XSS) reported by Socket_0x03 (Alvaro J. Gene) and Ryan Dewhurst (dewhurstsecurity.com). Pie Register is a WordPress plugin that an administrator can use to create different kinds of forms without programming knowledge. In addition, an administrator can use Pie Register for payment features; for example, if an administrator is using Pie Register to provide some kind of service, he/she can charge an amount to his/her users via PayPal.
      • WP Security recommendation: immediately upgrade to version 3.0.18 to fix the vulnerability

  • ARForms: WordPress Form Builder Plugin
    • Unauthenticated Arbitrary File Deletion reported by Amir Hossein Mahboubi and Ryan Dewhurst (dewhurstsecurity.com). WordPress Arforms plugin versions 3.5.1 and below suffer from an arbitrary file deletion vulnerability.
      • WP Security recommendation: immediately upgrade to version 3.5.2 to fix the vulnerability

  • Flow-Flow Social Stream
    • Unauthenticated Cross-Site Scripting (XSS) reported by Alaistair Jerrom-Smith (getrefined.com). A Cross-Site Scripting (XSS) vulnerability in the JSON output, triggered by modifying the hash parameter in admin-ajax.php when using the fetch_posts action. The response Content-Type is set to HTML, so the injected markup is rendered by the browser.
      • WP Security recommendation: immediately upgrade to version 3.0.72 to fix the vulnerability

  • WP-DBManager
    • Arbitrary File Delete reported by Ryan Dewhurst (dewhurstsecurity.com). According to the changelog: “FIXED: Arbitrary file delete bug by sanitizing filename.”
      • WP Security recommendation: immediately upgrade to version 2.79.2 to fix the vulnerability

  • Ultimate Member – User Profile & Membership Plugin
    • Cross-Site Request Forgery (CSRF). According to the changelog: “Fixed AJAX vulnerabilities”.
      • WP Security recommendation: immediately upgrade to version 2.0.33 to fix the vulnerability



  • WooCommerce
    • Authenticated File Deletion to Privilege Escalation reported by Simon Scannell (RIPS Technologies). Attackers in control of a user with the shop manager role can delete certain files on the server and then take over any victim account.
      • WP Security recommendation: immediately upgrade to version 3.4.6 to fix the vulnerability

  • WP GDPR Compliance
    • Unauthenticated Call Any Action or Update Any Option reported by Adrian Mörchen (moewe.io). The WP GDPR Compliance plugin allows users to execute any action and to update any database option. Where the plugin's request-data form is exposed to unauthenticated users, they can do this without logging in.
      • WP Security recommendation: immediately upgrade to version 1.4.3 to fix the vulnerability

  • AMP for WP – Accelerated Mobile Pages
    • Multiple Unauthenticated Vulnerabilities reported by Sybre Waaijer (theseoframework.com). This critical plugin flaw grants admin access to any registered site user. The privilege-escalation vulnerability would allow an attacker to inject malware, place ads and load custom code on an affected website.
      • WP Security recommendation: immediately upgrade to version 0.9.97.20 to fix the vulnerability

  • Ninja Forms – The Easy and Powerful Forms Builder
    • Unauthenticated Cross-Site Scripting (XSS) reported by Ryan Dewhurst (dewhurstsecurity.com). XSS in the Ninja Forms plugin before 3.3.18 for WordPress allows remote attackers to execute JavaScript via the includes/Admin/Menus/Submissions.php (aka submissions page) begin_date, end_date, or form_id parameter. According to the changelog: “Patched a redirect XSS vulnerability using code injection on our submissions page.”
      • WP Security recommendation: immediately upgrade to version 3.3.18 to fix the vulnerability
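To act on the nine upgrade recommendations above, here is an added checking script (not part of the bulletin): it reads the JSON printed by `wp plugin list --format=json` and flags any listed plugin still below its fixed version, comparing version components numerically so that 0.9.97.9 is correctly treated as older than 0.9.97.20. The plugin directory slugs are an assumption, since the bulletin names plugins by title, and the sample plugin list is constructed.

```python
"""Check installed WordPress plugin versions against the NOV 2018 bulletin."""
import json
import re

# Minimum safe version per plugin, taken from the bulletin above.
# Keys are the plugin directory slugs as printed by `wp plugin list`;
# the slugs are assumed here (the bulletin names plugins by title only).
FIXED_VERSIONS = {
    "pie-register": "3.0.18",
    "arforms": "3.5.2",
    "flow-flow": "3.0.72",
    "wp-dbmanager": "2.79.2",
    "ultimate-member": "2.0.33",
    "woocommerce": "3.4.6",
    "wp-gdpr-compliance": "1.4.3",
    "accelerated-mobile-pages": "0.9.97.20",
    "ninja-forms": "3.3.18",
}

def version_key(version):
    """Split '0.9.97.20' into (0, 9, 97, 20) so comparison is numeric, not lexical."""
    return tuple(int(part) for part in re.findall(r"\d+", version))

def is_vulnerable(slug, installed):
    """True when the plugin is in the bulletin and older than its fixed version."""
    fixed = FIXED_VERSIONS.get(slug)
    return fixed is not None and version_key(installed) < version_key(fixed)

def audit(plugin_list_json):
    """Take the JSON from `wp plugin list --format=json` and return
    {slug: (installed, fixed)} for every plugin that still needs upgrading."""
    findings = {}
    for plugin in json.loads(plugin_list_json):
        slug, installed = plugin["name"], plugin["version"]
        if is_vulnerable(slug, installed):
            findings[slug] = (installed, FIXED_VERSIONS[slug])
    return findings

# Constructed sample output, not a real site's plugin list.
SAMPLE = json.dumps([
    {"name": "woocommerce", "status": "active", "update": "available", "version": "3.4.5"},
    {"name": "ninja-forms", "status": "active", "update": "none", "version": "3.3.18"},
    {"name": "accelerated-mobile-pages", "status": "active", "update": "available", "version": "0.9.97.9"},
    {"name": "akismet", "status": "active", "update": "none", "version": "4.0.8"},
])

if __name__ == "__main__":
    for slug, (have, need) in audit(SAMPLE).items():
        print(f"{slug}: installed {have}, upgrade to {need} or later")
```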

Protect your WordPress: BEFORE IT’S TOO LATE! You will also protect your customers, your reputation and your online business!

The following WordPress plugin vulnerabilities are extremely dangerous. From their initial finding date until public disclosure (usually a full month), the reported vulnerability was not fixed. This usually means that the developer intended it that way: either the plugin was removed from the WP repository or the developer is not willing to update it. In both cases, you should immediately deactivate and remove the mentioned plugin and find an alternative. Otherwise, you risk irreversible security breaches to your WordPress site(s), and the risk grows exponentially as days go by.


Publisher: owl power EUROPE
