
WP Security: 12 plugin vulnerabilities in SEPT 2018


WP Security bulletin – SEPTEMBER 2018

At your next scheduled WordPress maintenance, review the 12 vulnerabilities in WordPress plugins that were identified and publicly reported during September 2018. Once a vulnerability is disclosed, running one (or more) of the affected, outdated plugins puts your site(s) at risk of a serious breach.


  • Breadcrumb NavXT
    • Username Disclosure via REST API reported by Janek Vind “waraxe” and Ryan Dewhurst (dewhurstsecurity.com). The plugin's “author” REST API function can be called without authentication, so anyone can list WordPress usernames without registering or holding an account on the site. WordPress authentication rests on two pieces of information, the username and the password; once the usernames are known, an attacker can run a password brute-force attack against them.
      • WP Security recommendation: immediately upgrade to version 6.2.0 to fix the vulnerability

  • Duplicator
    • Arbitrary Code Execution (ACE) via leftover installer files reported by Thomas Chauchefoin / Julien Legras (synacktiv.com). Synacktiv discovered that Duplicator does not remove its sensitive files after the restoration process: the installer.php and installer-backup.php scripts remain reachable and can be reused to inject malicious PHP code into wp-config.php, so an attacker can execute arbitrary code on the server and take it over. A first release fixed that code injection, but arbitrary PHP code execution remained possible: the install steps can be bypassed to force the installer script to insert all the backed-up data into an arbitrary MySQL database. Because the attacker controls that database, they can replace the password hash of an administrative user, log in to the dashboard, and finally upload a malicious WordPress plugin to execute PHP code.
      • WP Security recommendation: immediately upgrade to version 1.2.42 to fix the vulnerability

  • UserPro
    • Unauthenticated Cross-Site Scripting (XSS) in shortcodes reported by Yonatan_correa (risataim.blogspot.com). The UserPro plugin through 4.9.23 for WordPress allows XSS via the short-code parameter in a userpro_shortcode_template action to wp-admin/admin-ajax.php.
      • WP Security recommendation: immediately upgrade to version 4.9.24 to fix the vulnerability

  • Arigato Autoresponder and Newsletter
    • Multiple Vulnerabilities reported by Larry W. Cashdollar and Ryan Dewhurst (dewhurstsecurity.com): several exploitable blind SQL injection flaws and nine reflected Cross-Site Scripting (XSS) flaws (CVE-2018-1002000 through CVE-2018-1002009), reachable via the del_ids parameter of a POST request.
      • WP Security recommendation: immediately upgrade to version 2.5.1.6 to fix the vulnerability
  “Our only security is our ability to change.” ~ John Lilly


  • FV Flowplayer Video Player
    • Unspecified Cross-Site Scripting (XSS) reported by Ryan Dewhurst (dewhurstsecurity.com). A cross-site scripting vulnerability in FV Flowplayer Video Player 6.1.2 to 6.6.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
    • Authenticated Cross-Site Scripting (XSS) reported by Janek Vind “waraxe” and Ryan Dewhurst (dewhurstsecurity.com), caused by insufficient sanitization of user-supplied data.
      • WP Security recommendation: immediately upgrade to version 7.2.1.727 to fix both vulnerabilities

  • File Manager
    • Authenticated Cross-Site Scripting (XSS) in shortcodes reported by Ryan Dewhurst (dewhurstsecurity.com).
      • WP Security recommendation: immediately upgrade to version 3.0 to fix the vulnerability

  • Contact Form 7
    • Privilege Escalation reported by Ryan Dewhurst (dewhurstsecurity.com); the issue was found by Simon Scannell of RIPS Technologies. The vulnerability affects Contact Form 7 5.0.3 and older: a logged-in user in the Contributor role can potentially edit contact forms, which by default only Administrator and Editor users are allowed to access. To limit the damage from attacks that chain this issue, Contact Form 7 5.0.4 and higher restricts the local file attachment feature: you can no longer specify an absolute file path that refers to a file outside the wp-content directory. Files inside wp-content can still be referenced with relative or absolute paths, so all you need to change is the location of your attachment files.
      • WP Security recommendation: immediately upgrade to version 5.0.4 to fix the vulnerability

  • Unyson
    • Arbitrary Code Execution (ACE) in shortcodes reported by Jonas Lejon (wpscans.com).
      • WP Security recommendation: immediately upgrade to version 2.7.19 to fix the vulnerability
Protect your WordPress: BEFORE IT’S TOO LATE! You will also protect your customers, your reputation and your online business!

The following WordPress plugin vulnerabilities are extremely dangerous. Between the initial finding and public disclosure (usually a full month) the reported vulnerability was not fixed. That usually means the developer did not act: either the plugin has been removed from the WordPress.org repository, or the developer is unwilling to update it. In both cases you should immediately deactivate and remove the plugin and find an alternative. Otherwise you risk irreversible security breaches to your WordPress site(s), and the risk grows with every day the plugin stays installed.


  • Image Intense
    • Authenticated SQL Injection (SQLi) in shortcodes reported by Thomas Chauchefoin / Julien Legras (synacktiv.com). Synacktiv discovered that the WordPress plugin Image Intense does not correctly sanitise user-controlled data before using it in SQL queries while handling the shortcode et_pb_image_n10s. An attacker could therefore alter the semantics of the original SQL query and read sensitive database records. Note that the attacker must be able to create pages or posts on the instance (Contributor, Author, Editor or Administrator role) to reach the vulnerable code path.
      • WordPress protection WARNING: IMMEDIATELY UNINSTALL THIS PLUGIN! The vendor does not consider it to be a vulnerability, it remains unfixed.

  • Localize My Post 1.0
    • Local File Inclusion (LFI) reported by Manuel Garcia Cardenas and Ryan Dewhurst (dewhurstsecurity.com). The “file” parameter is not sanitised, allowing local files to be included. According to the advisory, exploiting it only requires talking to the application over HTTP/1.0.
      • WordPress protection WARNING: IMMEDIATELY UNINSTALL THIS PLUGIN! This plugin was closed on September 21, 2018 and is no longer available for download.

  • Wechat Broadcast
    • Local/Remote File Inclusion reported by Manuel Garcia Cardenas and Jonas Lejon (wpscans.com). Wechat Broadcast 1.2.0 and earlier for WordPress allows directory traversal via the url parameter of Image.php; the parameter is not sanitised, allowing local or remote files to be included. According to the advisory, exploiting it only requires talking to the application over HTTP/1.0.

      • WordPress protection WARNING: IMMEDIATELY UNINSTALL THIS PLUGIN!
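As a worked example of applying this bulletin to a site, here is a small Python audit script. It is added here and is not code from the bulletin, from WordPress or from any of the plugins named above. It reads the JSON produced by "wp plugin list --fields=title,version --format=json", flags every installed plugin that is below the fixed version listed above or that the bulletin says to uninstall, and, for the Duplicator finding, scans a web root for installer.php and installer-backup.php left behind after a restore. Two things are assumptions of this example rather than statements from the bulletin: plugins are matched on their human-readable title, and the *_archive.zip and database.sql patterns are treated as further Duplicator leftovers.

```python
"""Apply this bulletin to a WordPress site (added example, not code from the
bulletin or from any plugin it names).  Version-check input is the JSON from
    wp plugin list --fields=title,version --format=json
matched on the human-readable title, since the bulletin names plugins by title.
"""
import fnmatch
import json
import os
import re
import sys

# Minimum safe versions, taken from the bulletin above.
FIXED_VERSIONS = {
    "breadcrumb navxt": "6.2.0",
    "duplicator": "1.2.42",
    "userpro": "4.9.24",
    "arigato autoresponder and newsletter": "2.5.1.6",
    "fv flowplayer video player": "7.2.1.727",
    "file manager": "3.0",
    "contact form 7": "5.0.4",
    "unyson": "2.7.19",
}
# Plugins the bulletin says to remove whatever the installed version.
UNINSTALL = {"image intense", "localize my post", "wechat broadcast"}

# Duplicator scripts named in the Synacktiv finding: dangerous anywhere under the web root.
DUPLICATOR_INSTALLERS = {"installer.php", "installer-backup.php"}
# ASSUMPTION (not stated on the page): other package artefacts that a Duplicator
# restore leaves in the top level of the web root.
DUPLICATOR_TOPLEVEL_PATTERNS = ("*_archive.zip", "database.sql")


def normalise(title):
    """'Contact_Form_7' -> 'contact form 7', so titles match the table keys."""
    return re.sub(r"[\s_\-]+", " ", title).strip().lower()


def version_lt(installed, fixed):
    """True if installed < fixed; zero-pads so '6.2' is not treated as below '6.2.0'."""
    a = [int(p) for p in re.findall(r"\d+", installed)]
    b = [int(p) for p in re.findall(r"\d+", fixed)]
    width = max(len(a), len(b))
    return a + [0] * (width - len(a)) < b + [0] * (width - len(b))


def audit_plugins(plugins):
    """Return [(title, installed_version, action)] for every plugin the bulletin affects."""
    findings = []
    for p in plugins:
        key = normalise(p["title"])
        if key in UNINSTALL:
            findings.append((p["title"], p["version"], "UNINSTALL"))
        elif key in FIXED_VERSIONS and version_lt(p["version"], FIXED_VERSIONS[key]):
            findings.append((p["title"], p["version"], "UPGRADE to " + FIXED_VERSIONS[key]))
    return findings


def audit_plugins_json(text):
    return audit_plugins(json.loads(text))


def is_duplicator_leftover(relpath):
    """relpath is web-root-relative with '/' separators."""
    base = relpath.rsplit("/", 1)[-1]
    if base in DUPLICATOR_INSTALLERS:
        return True
    top_level = "/" not in relpath
    return top_level and any(fnmatch.fnmatch(base, pat) for pat in DUPLICATOR_TOPLEVEL_PATTERNS)


def find_duplicator_leftovers(relpaths):
    return sorted(p for p in relpaths if is_duplicator_leftover(p))


def scan_webroot(root):
    """Walk a real web root and return the leftover paths it contains."""
    rel = [os.path.relpath(os.path.join(d, f), root).replace(os.sep, "/")
           for d, _dirs, files in os.walk(root) for f in files]
    return find_duplicator_leftovers(rel)


# Constructed sample shaped like `wp plugin list` output (not real site data).
SAMPLE_PLUGIN_LIST = """[
  {"title": "Breadcrumb NavXT", "version": "6.2.0"},
  {"title": "Duplicator", "version": "1.2.40"},
  {"title": "Contact_Form_7", "version": "5.0.3"},
  {"title": "FV Flowplayer Video Player", "version": "7.2.1.727"},
  {"title": "Image Intense", "version": "1.0.0"},
  {"title": "Akismet Anti-Spam", "version": "4.0.8"}
]"""

if __name__ == "__main__":
    # Usage: wp plugin list --fields=title,version --format=json | python3 audit.py /var/www/html
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_PLUGIN_LIST
    for title, ver, action in audit_plugins_json(text):
        print(f"{action:<20} {title} {ver}")
    for path in (scan_webroot(sys.argv[1]) if len(sys.argv) > 1 else []):
        print(f"{'REMOVE FILE':<20} {path}")
```

Run it on the host where WP-CLI is installed and pipe the plugin list into it, giving the web root as the first argument; with no input it runs against the constructed sample embedded in the script. Versions are compared field by field after zero-padding, so a site reporting 6.2 is not flagged against the fixed 6.2.0, and a title that differs from the bulletin's spelling (for example a renamed premium plugin) must be added to the table by hand.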

Get Healthy, Stay Healthy: A healthier online business starts today and it begins with you!
