WP Security: 12 plugin vulnerabilities in SEPT 2018

WP Security bulletin – SEPTEMBER 2018

At your next scheduled WordPress maintenance, be advised of the latest 12 vulnerabilities in WordPress plugins identified and publicly reported during September 2018. Now that these vulnerabilities are disclosed, running one (or more) of these outdated plugins exposes your site(s) to serious WordPress breaches.

  • Breadcrumb NavXT
    • Username Disclosure via REST API, reported by Janek Vind “waraxe” and Ryan Dewhurst (dewhurstsecurity.com). The plugin's REST API “author” function can be called without authentication, so anyone can list WordPress usernames without registering or holding an account on the site. WordPress authentication rests on two pieces of information, username and password; once the username is known, only the password remains to be guessed, so a password brute-force attack becomes practical.
      • WP Security recommendation: immediately upgrade to version 6.2.0 to fix the vulnerability
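
The two halves of that attack, as an added example that is not code from the bulletin or from the Breadcrumb NavXT project: first, what an unauthenticated user listing hands an attacker (the `slug` field of a WordPress REST user object), and second, how the password guessing that follows shows up in a web server access log. The REST response, the log lines, the log regex and the `failed_login_bursts` threshold are all constructed here for illustration.

```python
"""Added example, not code from the bulletin or the Breadcrumb NavXT
project: what an unauthenticated user listing hands an attacker, and how
the password guessing that follows shows up in a web server access log.
The REST response, the log lines and the regex are constructed here."""
import json
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample in the shape of a WordPress REST user listing
# (wp-json/wp/v2/users). "slug" is derived from the login name, which is
# exactly what a password-guessing tool needs.
SAMPLE_REST_USERS = json.dumps([
    {"id": 1, "name": "Site Admin", "slug": "admin",
     "link": "https://example.test/author/admin/"},
    {"id": 2, "name": "Jane Editor", "slug": "jane",
     "link": "https://example.test/author/jane/"},
])


def exposed_usernames(rest_json):
    """Login-name candidates an unauthenticated caller can read from the listing."""
    return sorted({u["slug"] for u in json.loads(rest_json) if "slug" in u})


# Apache combined-format access log (constructed): a burst of POSTs to
# wp-login.php from one client, plus one successful login from another.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
SAMPLE_LOG = """\
203.0.113.9 - - [05/Sep/2018:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.9 - - [05/Sep/2018:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.9 - - [05/Sep/2018:10:00:02 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.9 - - [05/Sep/2018:10:00:03 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.9 - - [05/Sep/2018:10:00:04 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
203.0.113.9 - - [05/Sep/2018:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 3412
198.51.100.4 - - [05/Sep/2018:10:00:05 +0000] "GET /wp-json/wp/v2/users HTTP/1.1" 200 812
198.51.100.4 - - [05/Sep/2018:10:20:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0
"""


def failed_login_bursts(log_text, threshold=5, window=timedelta(minutes=1)):
    """Return {ip: total_failed_posts} for clients with at least `threshold`
    failed logins inside any `window`. A POST to wp-login.php answered with
    200 re-rendered the login form (a failure); a successful login answers 302."""
    per_ip = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST" or m["status"] != "200":
            continue
        if not m["path"].startswith("/wp-login.php"):
            continue
        per_ip[m["ip"]].append(datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z"))
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged


if __name__ == "__main__":
    print("exposed usernames:", exposed_usernames(SAMPLE_REST_USERS))
    print("brute-force candidates:", failed_login_bursts(SAMPLE_LOG))
```

The status-code rule is the useful detail for detection: WordPress answers a failed login with a 200 and the form again, and a successful one with a 302 redirect, so a run of 200s on POST /wp-login.php from one client is the signature to alert on, and the earlier GET of the user listing from the same network is the reconnaissance step that preceded it.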

  • Duplicator
    • Arbitrary Code Execution (ACE), reported by Thomas Chauchefoin and Julien Legras (synacktiv.com). Synacktiv found that Duplicator does not remove sensitive files after the restoration process: the installer.php and installer-backup.php files can be reused after restoration to inject malicious PHP code into wp-config.php, so an attacker can abuse these scripts to execute arbitrary code on the server and take it over. Although the code injection was fixed in a first release, arbitrary PHP code execution remained possible: the install steps can be bypassed to make the installer script insert all of the backed-up data into an arbitrary MySQL database. Since the attacker controls that database, they can change the password hash of an administrative user to gain access to the dashboard, and then upload a malicious WordPress plugin to execute PHP code.
      • WP Security recommendation: immediately upgrade to version 1.2.42 to fix the vulnerability, and remove any installer.php or installer-backup.php left in the web root after a restore
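
A post-restore check for the leftover files that make this attack possible, as an added example that is not code from the bulletin or from the Duplicator project. installer.php and installer-backup.php are the names given in the bulletin; the dup-installer directory and the *_archive.zip package name are further Duplicator package artifacts added here on the assumption that exact names vary between plugin versions, and the sample web root is constructed in a temporary directory.

```python
"""Added example, not code from the bulletin or the Duplicator project: a
post-restore check for the installer artifacts that the Synacktiv finding
turns into a takeover path. installer.php and installer-backup.php come
from the bulletin; dup-installer/ and *_archive.zip are further Duplicator
package artifacts (assumption: exact names vary between versions)."""
import fnmatch
import os
import tempfile

# Names/patterns that must not remain in a web root after restoration.
LEFTOVER_PATTERNS = (
    "installer.php",
    "installer-backup.php",
    "*_installer.php",   # versioned installer names (assumption)
    "*_archive.zip",     # the package archive itself
    "dup-installer",     # extracted installer directory
)


def classify_leftovers(rel_paths):
    """Return the subset of `rel_paths` (relative, '/'-separated) whose
    basename or any path component matches a Duplicator leftover pattern."""
    found = []
    for rel in rel_paths:
        parts = rel.split("/")
        if any(fnmatch.fnmatch(p, pat) for p in parts for pat in LEFTOVER_PATTERNS):
            found.append(rel)
    return sorted(found)


def scan_webroot(root):
    """Walk a directory tree and return leftover paths relative to `root`."""
    rel_paths = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel_paths.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return classify_leftovers(rel_paths)


def demo():
    """Build a constructed web root in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as root:
        for rel in ("index.php", "wp-config.php", "installer.php",
                    "installer-backup.php", "20180905_site_abc123_archive.zip",
                    "dup-installer/main.installer.php", "wp-content/uploads/a.jpg"):
            full = os.path.join(root, *rel.split("/"))
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()
        return scan_webroot(root)


if __name__ == "__main__":
    for path in demo():
        print("leftover:", path)
```

Run `scan_webroot("/var/www/html")` (or wherever the site lives) after every restore; the archive is worth flagging as well as the installer, because a package left in the web root hands anyone who can guess its name a copy of the database dump.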

  • UserPro
    • Unauthenticated Cross-Site Scripting (XSS) in shortcodes, reported by Yonatan_correa (risataim.blogspot.com). UserPro through 4.9.23 allows XSS via the shortcode parameter of the userpro_shortcode_template action sent to wp-admin/admin-ajax.php.
      • WP Security recommendation: immediately upgrade to version 4.9.24 to fix the vulnerability

  • Arigato Autoresponder and Newsletter
    • Multiple Vulnerabilities, reported by Larry W. Cashdollar and Ryan Dewhurst (dewhurstsecurity.com). The plugin contains several exploitable blind SQL injection flaws and nine reflected XSS flaws (CVE-2018-1002000 through CVE-2018-1002009), reachable via the del_ids variable in a POST request.
      • WP Security recommendation: immediately upgrade to the latest version to fix the vulnerabilities
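
What a blind SQL injection through a comma-separated `del_ids` value looks like, as an added example that is not code from the bulletin or from the Arigato plugin: a deletion handler that string-formats the POST value into the query, next to a hardened version that validates every element as an integer and binds it with placeholders. An in-memory SQLite table stands in for the plugin's MySQL table; the schema, the row data and the payloads are constructed here.

```python
"""Added example, not code from the bulletin or the Arigato plugin: the
shape of a `del_ids` deletion handler that string-formats POST data into
SQL, beside a hardened version. Uses an in-memory SQLite table as a
stand-in for the plugin's MySQL table; schema and payloads are constructed."""
import sqlite3


def fresh_db():
    """Constructed subscriber table with five rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE subscribers (id INTEGER PRIMARY KEY, email TEXT)")
    conn.executemany("INSERT INTO subscribers VALUES (?, ?)",
                     [(i, f"user{i}@example.test") for i in range(1, 6)])
    conn.commit()
    return conn


def count_rows(conn):
    return conn.execute("SELECT COUNT(*) FROM subscribers").fetchone()[0]


def vulnerable_delete(conn, del_ids):
    """Vulnerable pattern: the comma-separated POST value lands in the query text."""
    conn.execute(f"DELETE FROM subscribers WHERE id IN ({del_ids})")
    conn.commit()


def safe_delete(conn, del_ids):
    """Hardened: every element must parse as an integer, then bind with placeholders."""
    ids = [int(x) for x in del_ids.split(",")]  # ValueError on anything else
    placeholders = ",".join("?" * len(ids))
    conn.execute(f"DELETE FROM subscribers WHERE id IN ({placeholders})", ids)
    conn.commit()


def demo():
    """Run the same inputs through both handlers and report surviving rows."""
    results = {}

    conn = fresh_db()
    vulnerable_delete(conn, "1,2")
    results["vuln_normal"] = count_rows(conn)        # 3 rows left

    conn = fresh_db()
    vulnerable_delete(conn, "1) OR (1=1")             # ... WHERE id IN (1) OR (1=1)
    results["vuln_payload"] = count_rows(conn)       # 0: whole table gone

    # Blind (boolean) probe: row 1 is deleted only if the injected condition
    # holds, so the attacker reads data one true/false answer at a time.
    conn = fresh_db()
    vulnerable_delete(conn, "1) AND (substr((SELECT email FROM subscribers WHERE id=2),1,1)='u'")
    results["blind_true"] = count_rows(conn)         # 4: condition true, row 1 gone
    conn = fresh_db()
    vulnerable_delete(conn, "1) AND (substr((SELECT email FROM subscribers WHERE id=2),1,1)='x'")
    results["blind_false"] = count_rows(conn)        # 5: condition false, nothing deleted

    conn = fresh_db()
    safe_delete(conn, "1,2")
    results["safe_normal"] = count_rows(conn)        # 3 rows left

    conn = fresh_db()
    try:
        safe_delete(conn, "1) OR (1=1")
        results["safe_payload"] = "executed"
    except ValueError:
        results["safe_payload"] = count_rows(conn)   # 5: rejected before reaching SQL
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The blind probe is the part that matters for a handler that returns no data: whether a known row survives the request is enough of an oracle to extract the table character by character. In the plugin's own PHP the same fix is an `intval()`/`absint()` pass over each id followed by `$wpdb->prepare()` with one placeholder per value.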

Our only security is our ability to change. ~ John Lilly

  • FV Flowplayer Video Player
    • Unspecified Cross-Site Scripting (XSS), reported by Ryan Dewhurst (dewhurstsecurity.com). A cross-site scripting vulnerability in FV Flowplayer Video Player 6.1.2 to 6.6.4 allows remote attackers to inject arbitrary web script or HTML via unspecified vectors.
    • Authenticated Cross-Site Scripting (XSS), reported by Janek Vind “waraxe” and Ryan Dewhurst (dewhurstsecurity.com), caused by insufficient sanitization of user-supplied data.
      • WP Security recommendation: immediately upgrade to the latest version to fix both vulnerabilities

  • File Manager
    • Authenticated Cross-Site Scripting (XSS) in shortcodes, reported by Ryan Dewhurst (dewhurstsecurity.com).
      • WP Security recommendation: immediately upgrade to version 3.0 to fix the vulnerability

  • Contact_Form_7
    • Privilege Escalation, reported by Ryan Dewhurst (dewhurstsecurity.com). A privilege escalation vulnerability was found in Contact Form 7 5.0.3 and older: a logged-in user in the Contributor role can potentially edit contact forms, which by default only Administrator and Editor users are allowed to access. The issue was reported to the plugin author by Simon Scannell of RIPS Technologies. To limit the damage from attacks that exploit this vulnerability, Contact Form 7 5.0.4 and higher restricts the local file attachment feature: an absolute file path that refers to a file outside the wp-content directory is no longer accepted. Files inside wp-content can still be specified with relative or absolute paths, so all that needs to change is the location of the attachment files.
      • WP Security recommendation: immediately upgrade to version 5.0.4 to fix the vulnerability

  • Unyson
    • Arbitrary Code Execution (ACE) in short-codes reported by Jonas Lejon (wpscans.com).
      • WP Security recommendation: immediately upgrade to version 2.7.19 to fix the vulnerability

Protect your WordPress: BEFORE IT’S TOO LATE! You will also protect your customers, your reputation and your online business!

    The following WordPress plugin vulnerabilities are extremely dangerous. Between their initial discovery and public disclosure (usually a full month) the reported vulnerability was not fixed. This usually means the developer has abandoned the plugin: either it was removed from the WordPress repository or the developer is not willing to update it. In both cases you should immediately deactivate and remove the plugin in question and find an alternative. Otherwise you risk irreversible security breaches to your WordPress site(s), and the risk grows with every day the vulnerable plugin stays installed.
