We take a lot of precautions when it comes to the safety and security of your website, but once we hand your website off to you, the burden of maintaining it falls on you. Nicely Done Sites offers a maintenance agreement so that we can continue to maintain your website and keep it as safe and secure as possible. We highly recommend that all of our clients purchase one, but it is not mandatory. If not, we hope that you at least keep your WordPress website up to date, and in this series of posts we detail some of the vulnerabilities discovered recently.
For anyone interested, check out last month’s vulnerabilities, and as always, make sure that your WordPress installation is kept up to date!
Plugins
Widget Logic
Last month a Cross Site Request Forgery vulnerability was discovered within this plugin, and another has now been found. No authorization check was performed in one of the major functions, which could give an attacker control of the sidebar panel and allow that person to make unauthorized settings changes to the website. This issue was fixed in early July.
WP Statistics
An Unauthenticated Blind SQL Injection vulnerability was discovered in this plugin, which is used to present statistics about your website in a clear and easy to understand way. One API endpoint enables a setting that is disabled by default, exposing the plugin to this vulnerability. This issue was fixed in early July.
Insert Or Embed Articulate Content Into WordPress
An Authenticated Arbitrary Folder Deletion or Rename vulnerability was discovered in this plugin, which is used to quickly insert content created with a third-party tool into a website and also supports a subscription service. This vulnerability allows any authenticated user to delete or rename folders. A Cross Site Request Forgery can also be performed against other authenticated users to make them perform these malicious actions. This issue was fixed in early July.
Simple Email Address Encoder
A Reflected Authenticated XSS vulnerability was discovered in this plugin, which is used to encode email addresses on the website to prevent spam. The vulnerability was found in a parameter used by a donation option, which was not sanitized. This issue was fixed in early June.
MyBookTable
Numerous XSS vulnerabilities were discovered within this plugin, which allows users to sell books through their WordPress site by easily linking to other sites. Input in numerous locations was not sanitized, which could allow an attacker to redirect a user to a malicious website. Multiple fixes were required before these vulnerabilities were removed, so make sure that you have updated this plugin to the most recent version. This issue was identified at the end of June and was fixed in early July.
Visitors Traffic Real Time Statistics
A Cross Site Request Forgery vulnerability was discovered in this plugin that could lead to an XSS vulnerability. This plugin is a statistics plugin that displays site traffic numbers and visitor information. It was possible for an attacker to craft a request that would let the attacker manipulate the plugin settings. No encoding was present, which opened up the XSS vulnerability as well as a possible SQL Injection vulnerability, since the unsanitized input was passed straight to the SQL database. This issue has not been fixed yet.
Ocean Extra
A CSS Injection vulnerability was discovered in this plugin, which allows a site to add extra features and gives it extra control over the page. The Ocean theme must be installed for this plugin to work. Admin-level actions can be triggered by an unauthorized user, the same pattern as a zero-day issue in the WordPress Easy WP SMTP plugin, and a function that works this way is present in this plugin. That means that an unauthenticated user is able to modify some settings and is also able to inject their own CSS code and deface the site. Because of the simplicity of the CSS sheet and the widespread usage of this plugin, an attacker could potentially deface thousands of sites in a matter of hours. This vulnerability was discovered in early July and fixed within 24 hours of discovery.
Gallery Photoblocks
An Unauthenticated Reflected XSS vulnerability was found in this plugin, which allows a user to create perfect photo galleries with justified edges along with some special display effects. All input was processed without sanitization, which could let an attacker see the full directory structure, but the input has since been sanitized. This issue was fixed in early July.
WooCommerce
A Cross-Site Request Forgery was discovered in this plugin, the leader in ecommerce plugins on WordPress. Two issues were found here: the first was that no file type check was performed when a tax rate document was imported. Since this check was not in place, it could potentially allow an attacker to upload their own code. The other was that no nonce check was in place when a CSV document (a spreadsheet or database file) was uploaded. These issues have been fixed, and it does not appear that any site has been compromised.
Rencontre – Dating Site
A SQL Injection and XSS vulnerability was discovered in this plugin, which is used to create a professional quality dating site. Users have to log in, and the plugin stores their private messages, a connection to a Facebook account and payment information. No security checks were performed on the information a user uploaded. Those checks are now in place and the issue has been resolved.
Icegram
A Cross Site Request Forgery vulnerability that could turn into an XSS vulnerability was discovered in this plugin, which is used to collect email addresses for newsletter dispersal. Any user with at least subscriber access could exploit a function that saves all of the information users input, since no permission checks were implemented. Any subscriber could potentially import data into that file and execute code when an administrator logs in. The issue was discovered in early June and was fixed in early July.
iLive
An XSS vulnerability was discovered in this plugin, an intelligent chat plugin for any site that handles customer sales or support through live chat. No security is present on the live chat text fields and no sanitization of the input text is performed, so a user could enter malicious code into the text fields, making it possible to steal admin cookies or redirect to another website. This plugin has not been updated since 2017 and no fix has been implemented, though the developer says that they are investigating the issue.
Hybrid Composer
An Unauthenticated Options Update vulnerability was discovered in this plugin, which is used to help users create custom themes for their WordPress site. It was possible for an unauthenticated user to gain access to the site by using the update_option() function to update the options table, thereby giving themselves admin access and the ability to inject their own data. The issue was fixed in mid July.
WP File Manager
Multiple vulnerabilities were found in this plugin, which is used to manage files on your WordPress site. The vulnerabilities stem from no authentication check being performed on any of its actions. Any logged in user could delete backups, restore backups and see backup information. Being able to view the backed up files exposes a treasure trove of sensitive information that could be exploited. An attacker could cause a lot of damage by restoring the site to its initial backup and deleting all others. This issue was discovered in late June and fixed in early July.
FV Flowplayer Video Player
A SQL Injection vulnerability was discovered in this plugin, a free plugin that allows users to embed FLV or MP4 videos on their pages. No sanitization of a variable was in place, which could allow an attacker to inject their own code into the admin screen if the user had access to it. This issue was fixed in mid July.
School Management
A Cross Site Request Forgery and XSS vulnerability was discovered in this plugin, which is used to manage all school operations, giving access to parents, teachers and students. Not much information has been divulged about this issue, which was discovered in mid June and fixed in mid July.
One Click SSL
Multiple issues were found in this plugin, a simple and easy plugin that redirects non-SSL pages to SSL. Authorization checks in the settings were not performed, so a lower privileged user could potentially change settings or create an AJAX request. At the same time, site options could be arbitrarily updated, similar to the Hybrid Composer plugin listed above.
Ad Inserter
An Authenticated Path Traversal vulnerability was discovered in this plugin, an ad management plugin. The plugin separates itself from other ad management plugins by allowing the owner to insert ads anywhere on the site by changing the code. It was found that authenticated users, including subscribers, could execute PHP code. Security checks were in place to prevent CSRF attacks, but this check did not go far enough to stop unauthorized code from being uploaded.
Malicious code could also be uploaded through the debug feature, which can be used by any user that has a special cookie. While there was access control within the plugin, it was not as strong as it should have been. These issues were reported in mid-July and fixed the following day.
Coming Soon Page & Maintenance Mode
An Unauthenticated Stored XSS vulnerability was discovered in this plugin, which is used to notify a visitor that a page is undergoing maintenance or a new page is coming soon. The scripts the plugin uses to save its settings perform no authentication checks, and no security checks are present either to ensure that only a page administrator is accessing the page. Visitors can enter information into a template, including malicious code, which could allow an unauthorized attacker to reset the plugin settings. This issue was discovered in early July and fixed in mid July.
Ultra Simple Paypal Shopping Cart
A Cross Site Request Forgery issue was found in this plugin, which allows a developer to add an Add to Cart link button on any page or post and an easy to view shopping cart in the sidebar. If a user viewed a malicious page while they were logged in, it could lead to attacks on the site. Not much other information was provided, but the issue was fixed in mid July.
All-in-One WP Migration
An XSS vulnerability was discovered in this plugin, which is used to export your website’s information so it can be moved to another location. The good news, if you could call it that, is that in order to exploit this an attacker would already have to gain access to a user account or compromise the database. The attacker would be able to insert malicious code into the backup description, since that text input is not sanitized. This issue was discovered in early July and fixed in mid July.
Everest Forms
A SQL Injection vulnerability was discovered in this plugin, which is used to easily create user registration and login pages. No sanitization of the fields was in place, and an attacker could potentially execute remote SQL commands. This was discovered in mid July and was fixed by late July.
Category Specific RSS Feed Subscription
A Cross Site Request Forgery vulnerability was discovered in this plugin, which is used to present multiple RSS feed options to a visitor in addition to the normal RSS feed. A website that uses this plugin was unable to determine whether a well-formed request was sent by a legitimate user. Since it cannot do that, an attacker could create something that appears to be a legitimate request and trick the site into processing it via several different methods, such as sending a URL, code injection and others. This can lead to the exposure of data or unintended code being executed. This issue was discovered in late July and fixed quickly.
Adaptive Images For WordPress
A Local File Inclusion and Detection vulnerability was discovered in this plugin, which is used to serve images based on screen resolution to decrease the page load time of a website. The vulnerability allows a remote attacker to retrieve arbitrary files via a script parameter. All images are processed via this script, and any visitor could upload something and override this parameter, since it allows the attacker to set the way the file is requested from the server, which can lead to malformed images or Remote Code Execution. This issue was discovered in late July and fixed quickly.
Email Subscribers & Newsletters
A SQL Injection vulnerability was found in this plugin, which allows you to collect leads, send new blog post notifications and create and send broadcasts all from one place. No sanitization of the input was in place, and an attacker could successfully exploit this to inject and execute their own SQL commands. This issue was discovered in mid July and fixed in late July.
WPS Cleaner
Multiple issues were discovered in this plugin, which is used to clean your WordPress site, including posts, comments, extensions, plugins, media and other files. An attacker can potentially access private media, and multiple CSRF issues could give an attacker control that they should not have or let them delete files. The plugin was updated in late July, and the good news is that there is a good chance you are not using it, as it is a French plugin.
WPS Bidouille
Multiple CSRF vulnerabilities were discovered in this plugin, which provides information about your site and helps to optimize it. Fifteen different CSRF vulnerabilities, an Arbitrary File Upload and an XSS vulnerability were found, mostly due to the lack of nonce tokens and sanitization, which can give an attacker undue abilities. This issue was fixed in late July, and like the plugin above this is a French plugin, so there is a good chance that you will not be using it here in the US.
WPS Limit Login
Just like above, multiple issues were discovered in this plugin, which limits login attempts to stop brute force attacks on a WordPress site. A Protection Bypass vulnerability was discovered which allowed an attacker to reset the number of login attempts, thereby making the plugin worthless. A Stored XSS vulnerability was found that allowed an attacker to inject text or scripts using a preinstalled query page, and another had no sanitization of input or output, allowing an attacker to insert their own script or code. There was also a CSRF vulnerability due to the lack of a nonce token. This issue was fixed in late July, and like the plugins above this is a French plugin, so there is a good chance that you will not be using it here in the US.
WPS Child Themes Generator
A Directory Path Traversal vulnerability was discovered in this plugin, which is used to create child themes. It allowed an attacker to insert their own PHP code, which would be treated as legitimate code, allowing the attacker to create or rewrite files and directories. This issue was fixed in late July, and like the plugins above this is a French plugin, so there is a good chance that you will not be using it here in the US.
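The path traversal entries above (Ad Inserter, Adaptive Images and the WPS Child Themes Generator) share one root cause: a file name or path taken from the request is used as-is. The following is an added example, not code from any of those plugins, of how a plugin that writes caller-named files can pin them to one directory and refuse executable extensions. The directory name "example-assets", the option of a symlink check, and all function names are assumptions for illustration.

```php
<?php
// Added example, not code from Ad Inserter, Adaptive Images or the WPS plugins.
// Resolves a caller-supplied file name inside a hypothetical "example-assets"
// directory under wp-content/uploads so that "../", absolute paths, symlinks
// and executable extensions cannot reach anything outside it.

function example_resolve_asset_path( $user_name ) {
    $base_real = realpath( wp_upload_dir()['basedir'] . '/example-assets' );
    if ( false === $base_real ) {
        return new WP_Error( 'no_base', 'Asset directory does not exist.' );
    }

    // Collapse the name to a single path component: basename() strips every
    // directory part (and so any "../" sequence or absolute path), and
    // sanitize_file_name() drops NUL bytes and the trailing dots or spaces
    // that defeat naive extension checks.
    $name = sanitize_file_name( basename( wp_unslash( (string) $user_name ) ) );
    if ( '' === $name || '.' === $name || '..' === $name ) {
        return new WP_Error( 'bad_name', 'Empty or invalid file name.' );
    }

    // Allowlist of data extensions only; anything the web server could execute
    // is rejected simply by not being on the list.
    $ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, array( 'css', 'json', 'txt' ), true ) ) {
        return new WP_Error( 'bad_ext', 'File extension not allowed.' );
    }

    $candidate = $base_real . DIRECTORY_SEPARATOR . $name;

    // An existing file may be a symlink: resolve it and confirm the target is
    // still inside the base directory before it is written to.
    if ( file_exists( $candidate ) ) {
        $resolved = realpath( $candidate );
        if ( false === $resolved || 0 !== strpos( $resolved, $base_real . DIRECTORY_SEPARATOR ) ) {
            return new WP_Error( 'escaped', 'Path resolves outside the asset directory.' );
        }
        $candidate = $resolved;
    }
    return $candidate;
}

// The write handler: a traversal bug is only reachable through a handler like
// this, so the nonce and capability checks matter as much as the path check.
function example_write_asset() {
    check_admin_referer( 'example_write_asset' );
    if ( ! current_user_can( 'edit_theme_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    $path = example_resolve_asset_path( $_POST['name'] ?? '' );
    if ( is_wp_error( $path ) ) {
        wp_die( esc_html( $path->get_error_message() ), 400 );
    }
    // Stored as plain data; the plugin never includes or executes this file.
    file_put_contents( $path, wp_unslash( $_POST['content'] ?? '' ) );
}
add_action( 'admin_post_example_write_asset', 'example_write_asset' );
```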
WPS Hide Login
Multiple issues were discovered in this plugin, which allows a user to change the login page URL. Four Protection Bypasses were discovered which could allow an attacker to reach the original login page and log in (or try to log in) to the site. Along similar lines, a Default Parameter Usage vulnerability was found that allows bots to access the login page. Finally, a Full Path Disclosure was found: a fatal error is produced when an attacker enters a real URL, which allows the attacker to figure out the file structure of the site. This issue was fixed in late July, and like the plugins above this is a French plugin, so there is a good chance that you will not be using it here in the US.
Contact Form 7 Dynamite Text Extension
A Reflected XSS vulnerability was found in this plugin, which can be added to the popular Contact Form 7 plugin and allows users to create pre-populated fields based on entered values. The good news is that this issue is unlikely to affect users, since it only exists when a tag is used in a non-standard way. The input was not sanitized, but this has since been fixed.
Blog2Social
A SQL Injection was discovered in this plugin, which is used to auto schedule and auto post content and media to social media sites at the best time for each of those networks. Little is mentioned about this vulnerability, but it would allow an attacker to remotely execute arbitrary SQL commands. This issue was discovered in early July and fixed in late July.
Photo Gallery
A similar SQL Injection vulnerability was found in this plugin, the leading plugin for developing mobile web photo galleries. Not much is mentioned about this vulnerability, but like the plugin above it would allow an attacker to remotely execute arbitrary SQL commands. This vulnerability was discovered in late July and fixed two days later.
Advanced Contact Form 7 DB
Yet another similar SQL Injection vulnerability was found in this plugin, which is used to store information received through Contact Form 7 fields. As with the plugins above, not much is mentioned about this vulnerability, but it would allow an attacker to remotely execute arbitrary SQL commands. This issue was discovered in early July and fixed in late July. For a time during the month the plugin was unavailable, as the developer was not responsive and it was removed from WordPress for a time.
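The SQL Injection entries above (WP Statistics, FV Flowplayer, Everest Forms, Email Subscribers, Blog2Social, Photo Gallery and Advanced Contact Form 7 DB) all come down to request input reaching a query unprepared, and several of the XSS entries come down to stored text reaching the page unescaped. The following is an added example, not code from any of those plugins, showing both halves for a hypothetical plugin table named `{prefix}example_entries`; the function names are assumptions.

```php
<?php
// Added example, not code from any plugin named above. A search over a plugin's
// own table, first as the unsanitized pattern behind the SQL Injection entries,
// then using the placeholder API that $wpdb already provides, and finally the
// output escaping that the XSS entries lacked.

// --- Vulnerable: request input concatenated straight into SQL ---
function example_find_entries_vulnerable( $search ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_entries';
    // A single quote in $search ends the string literal and the rest of the
    // value becomes SQL; nothing here prevents that.
    return $wpdb->get_results( "SELECT id, name FROM $table WHERE name LIKE '%$search%'" );
}

// --- Hardened: placeholders, escaped LIKE wildcards, bounded paging ---
function example_find_entries( $search, $page = 1, $per_page = 20 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_entries';

    // esc_like() makes a literal % or _ in the user's text match itself instead
    // of acting as a wildcard; prepare() then quotes the whole string for %s.
    $like     = '%' . $wpdb->esc_like( $search ) . '%';
    $per_page = max( 1, min( 100, (int) $per_page ) );
    $offset   = max( 0, ( (int) $page - 1 ) * $per_page );

    // %s and %d are the only way request values enter the statement; the table
    // name comes from $wpdb->prefix, never from request data.
    $sql = $wpdb->prepare(
        "SELECT id, name FROM {$table} WHERE name LIKE %s ORDER BY id DESC LIMIT %d OFFSET %d",
        $like, $per_page, $offset
    );
    return $wpdb->get_results( $sql );
}

// Output side: a value that was stored safely is still untrusted when rendered.
// Leaving out esc_html()/esc_url() here is the stored/reflected XSS pattern.
function example_render_entries( array $rows, $search ) {
    $html = '<p>Results for: ' . esc_html( $search ) . '</p><ul>';
    foreach ( $rows as $row ) {
        $url   = add_query_arg( 'entry', (int) $row->id, admin_url( 'admin.php?page=example' ) );
        $html .= '<li><a href="' . esc_url( $url ) . '">' . esc_html( $row->name ) . '</a></li>';
    }
    return $html . '</ul>';
}

// Typical call from an admin page: read, clamp, query with placeholders,
// escape on output.
function example_search_page() {
    $search = isset( $_GET['s'] ) ? sanitize_text_field( wp_unslash( $_GET['s'] ) ) : '';
    $page   = isset( $_GET['paged'] ) ? absint( $_GET['paged'] ) : 1;
    echo example_render_entries( example_find_entries( $search, $page ), $search );
}
```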
Custom Simple RSS
A CSRF vulnerability was found with this plugin, which allows a user to create their own RSS feed on their site. Information on this vulnerability will be made public in early August but the issue has been fixed.
Simple Membership
A CSRF vulnerability was found with this plugin, which can be used to protect pages and content so that only registered users can see them. More information on this will be released in early August but the issue was fixed in late July.
Pirate Forms
An HTML Injection and CSRF vulnerability was found in this plugin, an easy way to insert contact forms into a WordPress website. Part of the security within this plugin is that a user’s IP address is validated, but if a certain variable was defined, that validation would be overridden. This allows an attacker to insert their own code into the contact form body, which is then emailed to the administrator and could compromise their account. At the same time, a CSRF attack could happen due to a lack of nonce checks, tricking an authenticated user into performing actions that they do not want to perform. This issue was discovered in late July and fixed quickly.
ND Shortcodes For Visual Composer
A Privilege Escalation vulnerability was found in this plugin, which adds some useful functions to Visual Composer. The vulnerability allowed an attacker, even an unauthenticated user, to modify the settings of the plugin and gain access to the site. A function in the code allowed both authenticated and unauthenticated users access to the site’s WordPress functions. Since no capability check was in place, any user could make changes to the site and even gain administrator access or create a new user. This issue was discovered in late July and fixed quickly.
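The most common defect in this month's list is a settings handler with no nonce check (CSRF), no capability check (Widget Logic, Icegram, One Click SSL, ND Shortcodes) or both, sometimes combined with a caller-chosen option name passed to update_option() (Hybrid Composer, One Click SSL). The following is an added example, not code from any of those plugins, that shows the defective handler beside its hardened form; the action names, option names and admin page hook are assumptions for illustration.

```php
<?php
// Added example, not code from any plugin named above. An AJAX settings handler
// that saves whatever it receives (the recurring defect), beside a hardened
// version of the same handler.

// --- Vulnerable: no nonce, no capability check, arbitrary option names ---
function example_save_settings_vulnerable() {
    // Reachable by any logged-in user, and via wp_ajax_nopriv_ by visitors who
    // are not logged in at all; a forged form on another site can also make an
    // administrator's browser send this request (CSRF). The option name is the
    // caller's choice, so any row in wp_options can be overwritten.
    update_option( $_POST['option'], $_POST['value'] );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_vuln', 'example_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_example_save_vuln', 'example_save_settings_vulnerable' );

// --- Hardened: nonce (CSRF), capability (authorization), allowlist + sanitize ---
const EXAMPLE_ALLOWED_OPTIONS = array(
    'example_banner_text' => 'sanitize_text_field',
    'example_enabled'     => 'rest_sanitize_boolean',
);

function example_save_settings_hardened() {
    // 1. CSRF: the request must carry a nonce minted for this action and user.
    check_ajax_referer( 'example_save_settings', 'nonce' );

    // 2. Authorization: being logged in is not enough; require a capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Only options this plugin owns may be written, never a caller-chosen key.
    $option = isset( $_POST['option'] ) ? sanitize_key( $_POST['option'] ) : '';
    if ( ! array_key_exists( $option, EXAMPLE_ALLOWED_OPTIONS ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    // 4. Sanitize the value with the sanitizer registered for that option.
    $value = call_user_func( EXAMPLE_ALLOWED_OPTIONS[ $option ], wp_unslash( $_POST['value'] ?? '' ) );
    update_option( $option, $value );
    wp_send_json_success( array( 'option' => $option ) );
}
// Deliberately no wp_ajax_nopriv_ hook: unauthenticated users get no handler at all.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_hardened' );

// The admin page hands the nonce to its script, which posts it back as "nonce".
function example_enqueue_admin_script( $hook ) {
    if ( 'settings_page_example' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_save_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_enqueue_admin_script' );
```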
Core
No Core vulnerabilities were disclosed in July 2019.
Theme
Zoner – Real Estate
A Reflected and Stored XSS vulnerability was discovered with this theme. An attacker was able to inject their own code at multiple different places within the theme and its demo version. The issue was fixed in early July.