WP Security bulletin – OCTOBER 2018
At your next scheduled WordPress Maintenance, be advised for your WP Security about the latest 6 vulnerabilities in WordPress plugins identified and reported publicly during. As these vulnerabilities are disclosed, when you use one (or more) of these outdated plugins – your risking serious WordPress breaches to your site(s).
-
- PDF & Print
- Unauthenticated Cross-Site-Scripting (XSS) reported by Robin Trost (SySS GmbH). The called URL gets reflected in the tag for the “View PDF” and “Print Content” Buttons. Because the GET-parameter names did not get encoded it is possible to execute JavaScript through the URL. The value of the GET-parameter is encoded correctly, but the name of the GET-parameter is not encoded which leads to the Cross-Site-Scripting. This vulnerability affects all Blog Posts or WordPress Sites where the “View PDF” or “Print Content” Button is displayed.
- WP Security recommendation: immediately upgrade to version 2.0.3 to fix the vulnerability
- Unauthenticated Cross-Site-Scripting (XSS) reported by Robin Trost (SySS GmbH). The called URL gets reflected in the tag for the “View PDF” and “Print Content” Buttons. Because the GET-parameter names did not get encoded it is possible to execute JavaScript through the URL. The value of the GET-parameter is encoded correctly, but the name of the GET-parameter is not encoded which leads to the Cross-Site-Scripting. This vulnerability affects all Blog Posts or WordPress Sites where the “View PDF” or “Print Content” Button is displayed.
- PDF & Print
-
- WooCommerce
- OBJECTINJECTION reported by Simon Scannell, Karim, and Slavco. WooCommerce 3.4.6 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites as soon as possible. Versions 3.4.5 and earlier are affected by a handful of issues that allow Shop Managers to exceed their capabilities and perform malicious actions. These issues can be exploited by users with Shop Manager capabilities or greater, and we recommend all users running WooCommerce 3.x upgrade to 3.4.6 to mitigate them.
- WP Security recommendation: immediately upgrade to version 3.4.6 to fix the vulnerability
- OBJECTINJECTION reported by Simon Scannell, Karim, and Slavco. WooCommerce 3.4.6 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites as soon as possible. Versions 3.4.5 and earlier are affected by a handful of issues that allow Shop Managers to exceed their capabilities and perform malicious actions. These issues can be exploited by users with Shop Manager capabilities or greater, and we recommend all users running WooCommerce 3.x upgrade to 3.4.6 to mitigate them.
- WooCommerce
-
- Pie Register
- Unauthenticated Cross-Site-Scripting (XSS) reported by Alvaro J. Gene (Socket_0x03).
- WP Security recommendation: immediately upgrade to version 3.0.18 to fix the vulnerability
- Unauthenticated Cross-Site-Scripting (XSS) reported by Alvaro J. Gene (Socket_0x03).
- Pie Register
-
- ARForms
- Unauthenticated Arbitrary File Deletion reported by Amir Hossein Mahboubi (@Mahboubi66). WordPress Arforms plugin versions 3.5.1 and below suffer from an arbitrary file deletion vulnerability.
- WP Security recommendation: immediately upgrade to version 3.5.2 to fix the vulnerability
- Unauthenticated Arbitrary File Deletion reported by Amir Hossein Mahboubi (@Mahboubi66). WordPress Arforms plugin versions 3.5.1 and below suffer from an arbitrary file deletion vulnerability.
- ARForms
Our only security is our ability to change. ~ John Lilly
The following WordPress plugin vulnerabilities are extremely dangerous. And one of them is a SECURITY plugin, with more than 2 million active installs. The other one got removed this month from the WordPress repository.
-
- Wordfence
- Several issues reported by Janek Vind “waraxe”.
1. WordPress username disclosure protection partial bypass – A modified query: “https://localhost/wp498/?author[]=” method can disclose only one username – from author of the last post.
2. Reflected XSS in “403.php”. Reasons: directly accessible PHP file + uninitialized variable “customText”. Preconditions: PHP version < 5.4 + register_globals = On (default is “Off”).
3. Reflected XSS in “503.php”. Reasons: directly accessible PHP file + uninitialized variable “reason” and “customText”. Preconditions: PHP version < 5.4 + register_globals = On (default is “Off”).
4. Reflected XSS in “503-lockout.php”. Reasons: directly accessible PHP file + uninitialized variable “homeURL” and “customText”. Preconditions: PHP version < 5.4 + register_globals = On (default is “Off”).
5. Full path disclosure in multiple PHP files. Reason: directly accessible PHP files. Preconditions: display_errors = On (default is “On”).- WP Security recommendation: immediately upgrade to version 7.1.14 to fix the above mentioned list of vulnerabilities
- Several issues reported by Janek Vind “waraxe”.
- Wordfence
-
- Tajer
- Unauthenticated Arbitrary File Upload reported by Larry W. Cashdollar, (@_larry0). Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9.22.0
- WordPress protection WARNING: IMMEDIATELY UNINSTALL THIS PLUGIN! This plugin was closed on October 18, 2018 and is no longer available for download.
- Unauthenticated Arbitrary File Upload reported by Larry W. Cashdollar, (@_larry0). Unauthenticated arbitrary file upload vulnerability in Blueimp jQuery-File-Upload <= v9.22.0
- Tajer
Protect your WordPress: BEFORE IT’S TOO LATE! You will also protect your customers, your reputation and your online business!
