We take a lot of precautions when it comes to the safety and security of your website, but once we hand the website off to you, the burden of maintaining it falls on you. Nicely Done Sites offers a maintenance agreement so that we can continue to maintain your website and keep it as safe and secure as possible. We highly recommend that all of our clients purchase one, but it is not mandatory. If you do not, we hope that you at least keep your WordPress website up to date, and in this series of posts we detail some of the vulnerabilities discovered recently.

For anyone interested, or anyone who missed it, check out last month’s vulnerabilities, and don’t forget to keep your WordPress website up to date!

Plugins

Login By Auth0

Multiple issues were found with this plugin, which enables single sign-on for business, social and passwordless logins across all instances. Not a lot of information was made available regarding these issues, but they include lacking CSRF controls in the domain field, Stored XSS issues in the settings and several other pages, a CSV Injection vulnerability and an Insecure Direct Object Reference. These issues were found in late March and fixed in early April.

LearnDash 

An Unauthenticated SQL Injection was found in this plugin, which is used to create a learning management system on your website. Not much information was provided, but the issue seemed to relate to PayPal’s Instant Post Notification. This issue was fixed in early April.

WP Advanced Search

An Unauthenticated SQL Injection was also found in this plugin, which is used to provide advanced search metrics on a site. Due to a programming error, an attacker could directly access a PHP file, which would allow them to insert their own code. This issue has not been fixed, as the developer has not responded to any communication, and the plugin has been removed from the WordPress store. If you are using this plugin you should disable or remove it immediately.

Contact Form 7 Datepicker

An Authenticated Stored XSS issue was found in this plugin, which adds a calendar interface to Contact Form 7. The plugin allows a user to add a datepicker to forms, and with that comes the ability to modify some of the plugin’s settings. The function that performs this lacks a capabilities check and a security nonce. That means an attacker with minimal permissions could insert malicious code into the plugin’s settings, which would be executed the next time an administrator creates a new form. This issue was discovered in March; the developer has been unresponsive, so the issue has not been fixed and the plugin has been removed from the Plugin Store. If you are using this plugin you should remove or disable it immediately. This issue does not affect the Contact Form 7 plugin itself.

Art-Picture Gallery

An Arbitrary File Upload issue was found in this plugin, which is used to create a gallery layout on your site with a user-sharing ability. No information was provided about this issue, and the developer has been unresponsive, leading to the plugin being pulled. If you are using this plugin you should remove or disable it until a fix is available.

Last Modified Info

An Authenticated Stored XSS issue was found in this plugin, which adds a shortcode to your site showing the date a page or post was last modified. When saving a new campaign it was possible for a user with administrator capabilities to store scripts in the plugin’s options. These scripts would then be executed on every page and post on the site. This issue was found in early April and fixed quickly.

WP Lead Plus X

Several issues were found with this plugin, which is used to create landing pages for your WordPress site. First, an Authenticated Stored XSS issue was found. The plugin comes with a page builder interface that allows JavaScript code to be inserted, but the interface lacked a capabilities check and security nonces. It was possible for an attacker with subscriber-level access or better to craft several different requests to deface a page or replace a page with one from a malicious site. It was also possible for them to turn any site running this plugin into a spam site.

An Unauthenticated Stored XSS issue was also found. Users who paid the license fee were given access to additional templates. It was possible for an unauthenticated attacker to import templates containing malicious JavaScript code, because the import action was available to unprivileged users. If the malicious template was used on the site, an account takeover was possible.

On top of that, several CSRF issues were also found in the plugin, again due to a lack of capabilities checks and security nonces. It was possible for an attacker to trick an administrator into clicking a malicious link and thereby give themselves the ability to create or edit pages on the site. These issues were found in early March, and some, but not all, were fixed in the middle of March. If your website uses this plugin you should disable it or use extreme caution while browsing the web with it installed.

Online Hotel Booking System Pro

An Unauthenticated Stored XSS issue was found in this plugin, which, as its name implies, is used to create a hotel booking system on your WordPress site. It was possible for an attacker to insert malicious code into the booking form; the payload would then be executed when an administrator viewed the booking. No fix has been put in place yet, and the plugin has been pulled from the WordPress store. If you are using it you should disable it.

Car Rental System

An Unauthenticated Stored XSS issue was also found in this plugin, which is used to let users rent cars. As above, it was possible for an attacker to insert malicious code into the booking form, and the payload would then be executed when an administrator viewed the booking. No fix has been put in place yet, so if you are using this plugin you should disable it.
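The two booking-form issues above (and the Last Modified Info options case) share one root cause: untrusted text is stored and later printed into an administrator’s page without being sanitized on the way in or escaped on the way out. The following is an added example written for this post, not code from any of the plugins named here; the `ndsx_bookings` table, the form field names and the `ndsx` prefix are assumptions. It shows a public booking handler that coerces every field to its expected type before storage, and an admin listing that escapes each value for the exact context it is printed in.

```php
<?php
/**
 * Added example, not code from the Online Hotel Booking System Pro, Car Rental
 * System or Last Modified Info plugins. Table name, field names and the "ndsx"
 * prefix are assumptions.
 */

// Visitors are not logged in when they book, so the handler is registered on
// admin_post_nopriv_ as well as admin_post_ (the form posts to admin-post.php
// with action=ndsx_book).
add_action( 'admin_post_nopriv_ndsx_book', 'ndsx_handle_booking' );
add_action( 'admin_post_ndsx_book', 'ndsx_handle_booking' );

function ndsx_handle_booking() {
	global $wpdb;

	// Sanitize on input: each field is coerced to the type it should have.
	// sanitize_text_field() strips tags and control characters, sanitize_email()
	// drops anything that is not an address, absint() yields a non-negative int.
	$name   = isset( $_POST['guest_name'] ) ? sanitize_text_field( wp_unslash( $_POST['guest_name'] ) ) : '';
	$email  = isset( $_POST['guest_email'] ) ? sanitize_email( wp_unslash( $_POST['guest_email'] ) ) : '';
	$nights = isset( $_POST['nights'] ) ? absint( $_POST['nights'] ) : 0;
	$notes  = isset( $_POST['notes'] ) ? sanitize_textarea_field( wp_unslash( $_POST['notes'] ) ) : '';

	if ( '' === $name || ! is_email( $email ) || 0 === $nights ) {
		wp_die( esc_html__( 'Please fill in all required booking fields.', 'ndsx' ), 400 );
	}

	// $wpdb->insert() builds a prepared statement from the format array, so the
	// values are bound as data and never interpreted as SQL.
	$wpdb->insert(
		$wpdb->prefix . 'ndsx_bookings',
		array( 'guest_name' => $name, 'guest_email' => $email, 'nights' => $nights, 'notes' => $notes ),
		array( '%s', '%s', '%d', '%s' )
	);

	wp_safe_redirect( add_query_arg( 'booked', '1', wp_get_referer() ?: home_url( '/' ) ) );
	exit;
}

// Escape on output: sanitizing at input time is not enough on its own, because a
// row may have been written by an older plugin version or by another tool. Every
// value is escaped for the context it lands in (text node vs. attribute).
function ndsx_render_bookings_table() {
	global $wpdb;

	if ( ! current_user_can( 'manage_options' ) ) {
		return;
	}

	$rows = $wpdb->get_results(
		"SELECT guest_name, guest_email, nights, notes FROM {$wpdb->prefix}ndsx_bookings ORDER BY id DESC LIMIT 50"
	);

	echo '<table class="widefat"><thead><tr><th>Guest</th><th>Email</th><th>Nights</th><th>Notes</th></tr></thead><tbody>';
	foreach ( $rows as $row ) {
		printf(
			'<tr><td>%s</td><td><a href="mailto:%s">%s</a></td><td>%d</td><td>%s</td></tr>',
			esc_html( $row->guest_name ),
			esc_attr( $row->guest_email ), // attribute context
			esc_html( $row->guest_email ), // text context
			(int) $row->nights,
			esc_html( $row->notes )
		);
	}
	echo '</tbody></table>';
}
```

The pairing matters: `sanitize_*()` limits what can be stored, and `esc_*()` at render time guarantees that whatever is stored cannot become markup in the administrator’s browser. A stored script in a booking field is harmless once it is only ever printed through `esc_html()`.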

Gutenberg Blocks – Ultimate Addons For Gutenberg

An Authenticated Settings Change vulnerability was found in this plugin, which is described as a powerful block editor that helps you build a WordPress site fast. Six actions were found to lack capabilities checks and to rely on the same security nonce. That nonce is generated by a script that is echoed into the page when a logged-in administrator visits the settings page, which leaked the nonce into the page source and allowed a user to interact with those six actions. This issue was found in late March, fixed in late March and made public in early April.

Klarna Checkout For WooCommerce

An Authenticated Arbitrary Plugin Deactivation, Activation and Installation issue was found in this plugin, which links merchants with Klarna, one of Europe’s largest banks, which also provides services in the United States. One AJAX action is used to install add-on plugins but lacks a capabilities check and security nonces, which makes it possible for any logged-in user to install, deactivate or activate any plugin. The attacker must be logged in to exploit this, but since this is an e-commerce plugin, customers need accounts, so creating one is easy and part of the plugin’s normal operation. This issue was fixed in early April.
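Contact Form 7 Datepicker, WP Lead Plus X, Gutenberg Blocks and Klarna Checkout above all come down to the same two missing lines in an AJAX handler: a capabilities check and a nonce check. The following is an added example written for this post, not code from any of those plugins; the `ndsx` prefix, the `ndsx_settings` option and the field names are assumptions. It shows the unprotected handler pattern the post describes next to a hardened version, and why the nonce alone does not replace the capabilities check.

```php
<?php
/**
 * Added example, not code from any plugin named in this post. The "ndsx"
 * prefix, the option name "ndsx_settings" and the field names are assumptions.
 */

// The pattern described above: the action is registered for every logged-in
// user (wp_ajax_) and stores whatever it is sent. Nothing asks who is calling
// or where the request came from, so a subscriber can call it directly and a
// third-party page can make an administrator's browser call it (CSRF).
add_action( 'wp_ajax_ndsx_save_settings_unchecked', 'ndsx_save_settings_unchecked' );
function ndsx_save_settings_unchecked() {
	update_option( 'ndsx_settings', isset( $_POST['settings'] ) ? $_POST['settings'] : array() );
	wp_send_json_success();
}

// Hardened handler. Never register a privileged action under wp_ajax_nopriv_,
// which would expose it to anonymous visitors as well.
add_action( 'wp_ajax_ndsx_save_settings', 'ndsx_save_settings' );
function ndsx_save_settings() {
	// 1. Authorization: is this user allowed to do this at all?
	if ( ! current_user_can( 'manage_options' ) ) {
		wp_send_json_error( 'Insufficient permissions.', 403 );
	}

	// 2. Request origin: the nonce must match the action name and the current
	//    user. check_ajax_referer() ends the request with -1 if it does not.
	check_ajax_referer( 'ndsx_save_settings', 'nonce' );

	// 3. Input: coerce every field to the type it should have before storing.
	$heading  = isset( $_POST['heading'] ) ? sanitize_text_field( wp_unslash( $_POST['heading'] ) ) : '';
	$per_page = isset( $_POST['per_page'] ) ? absint( $_POST['per_page'] ) : 10;
	$enabled  = isset( $_POST['enabled'] ) && '1' === $_POST['enabled'];

	update_option( 'ndsx_settings', array(
		'heading'  => $heading,
		'per_page' => $per_page ? $per_page : 10,
		'enabled'  => $enabled,
	) );

	wp_send_json_success( array( 'saved' => true ) );
}

// Issuing the nonce. It is created for whichever user loads the admin page and
// handed to that page's script. It proves the request came from a page we
// rendered (CSRF protection); it says nothing about the caller's role. That is
// why step 1 is still required: a nonce that is readable by a low-privileged
// user is a valid nonce for that user's own requests.
add_action( 'admin_menu', function () {
	add_options_page( 'NDSX', 'NDSX', 'manage_options', 'ndsx', 'ndsx_settings_page' );
} );

function ndsx_settings_page() {
	echo '<div class="wrap"><h1>NDSX settings</h1><p>Settings are saved through admin-ajax.php by admin.js.</p></div>';
}

add_action( 'admin_enqueue_scripts', 'ndsx_admin_assets' );
function ndsx_admin_assets( $hook ) {
	if ( 'settings_page_ndsx' !== $hook ) { // hook suffix of the page registered above
		return;
	}
	wp_enqueue_script( 'ndsx-admin', plugins_url( 'admin.js', __FILE__ ), array(), '1.0', true );
	wp_localize_script( 'ndsx-admin', 'ndsxAjax', array(
		'url'   => admin_url( 'admin-ajax.php' ),
		'nonce' => wp_create_nonce( 'ndsx_save_settings' ),
	) );
}
```

For a classic form post rather than an AJAX call (the Real-Time Find And Replace case later in this post is one), the counterparts are `wp_nonce_field( 'ndsx_save_settings' )` inside the form and `check_admin_referer( 'ndsx_save_settings' )` at the top of the handler; the `current_user_can()` check stays exactly the same.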

Tickera WordPress Event Ticketing

An Unauthorized Sensitive Information Exposure issue was found in this plugin, which is used for event ticketing. It may sound like a broken record, but one of the plugin’s functions lacked authorization controls. This means that all personal data of an event’s registered users could be exported in PDF form by an unauthorized user. The attacker would need to obtain some information first, but it could easily be gleaned from the page itself. It took some time for the developers to acknowledge the issue, but it was finally fixed in mid April.

Support Ticket System By Phoeniixx

An Unauthenticated Reflected XSS issue was found in this plugin, which is used to run a help desk for your employees and customers. The plugin lacks input sanitization, making it vulnerable to this issue, but little other information has been provided. The issue was first discovered in late January and the developers were unresponsive. The plugin was pulled from the plugin store and the issue was disclosed in mid April. If you use this plugin, disable or remove it.

Media Library Assistant

Three different issues were found in this plugin, which adds enhancements to the WordPress Media Library. First, a Local File Inclusion issue was found: one specific function was vulnerable due to a lack of sanitization, but little other information was included. Also, several Authenticated Stored XSS issues were found in every settings tab and Media Library Assistant tab, which could allow an authenticated user to execute JavaScript code. These first two issues were fixed in mid April.

The third issue was an Authenticated Remote Code Execution issue. Three different parameters were vulnerable, letting an attacker insert their own commands. This issue was fixed in the same update and disclosed a few days later in mid April.

Responsive Poll

A Broken Authentication issue was found in this plugin, which is used to conduct polls or surveys. It is possible for an unauthenticated user to call 16 different functions, giving them the ability to delete, manipulate or hide polls. This was due to a lack of capabilities checks and security nonces. Capabilities checks were added to the plugin, but since nonces were not, the plugin is still vulnerable to CSRF attacks. As a result the plugin has been pulled from the WordPress store. If you are using this plugin you should disable or remove it immediately.

Accordion

An Unprotected AJAX Action issue that could escalate into a Stored/Reflected XSS issue was found in this plugin, which is used to create FAQ or knowledge base entries called accordions. Users are able to import their own accordions, but the function that does this lacks a capabilities check, so any authenticated user can do it rather than only those with the appropriate permission level, and could inject malicious code as part of the import. This could happen in several different ways, compounding the problem with both XSS and CSRF issues. These issues were discovered in mid March, fixed a few days later and made public in mid April.

GTranslate

A Reflected XSS issue was found in this plugin, which uses Google Translate to make your website multilingual. A feature tied to some of the paid options allowed a crafted link to be added. Not much other information was provided about this issue, other than that it was fixed in late April.

Widget Settings Importer/Exporter

An Authenticated Stored XSS issue was found in this plugin, which helps move widgets from one website to another and back them up. It was possible for an attacker with low-level permissions to import or export custom widgets containing JavaScript payloads. The plugin lacked capabilities checks and security nonces, and its normal functions allow the import and export of widgets. This issue was discovered in mid March, but the developer has not responded, so the issue has not been fixed. The plugin has been removed from the Plugin Store, and if you are using it you should disable or remove it.

M-Shield 

This plugin was discovered to be a fake plugin that creates a backdoor into a WordPress site. It may have been legitimate at first, as it was available in the WordPress plugin repository, with the malicious code injected later. The malware checks whether there are any files smaller than 1000 bytes; if that condition fails, a malicious file is downloaded and its contents are injected into the code, and a WordPress function is then used to execute the malicious code. If you downloaded this plugin, remove it immediately, and remove any plugins that you do not recognize.

Kingof

This is the same as M-Shield: the plugin was discovered to be a fake plugin used to create a backdoor into a WordPress site. If you have downloaded it, remove it immediately.

Catch Breadcrumb

An Unauthenticated XSS issue was found in this plugin, which adds breadcrumbs to your website’s navigation. Not a lot of information was provided about this issue, other than that malicious code could be inserted through a search query when themes from certain authors were used. As of the end of April there is no fix, and the plugin has been closed.

WP GDPR

Multiple issues were found in this plugin, which is used to help with GDPR compliance. A Stored XSS issue would allow an attacker to insert malicious code that is triggered when someone accesses a page or post with a comment form on it. A Content Spoofing issue would allow an attacker to gain full control of the comments table in the database and manipulate it; this can be used to remove comments, assign comments to another post or bypass moderation. It was also found that an attacker could modify the plugin settings. These issues were discovered in October of 2019 and have not been fixed as of the end of April. The plugin has been removed from WordPress, and if you are using it you should remove it immediately.

MapPress Maps Pro

A Remote Code Execution issue was found in this plugin, which adds interactive Google or Leaflet maps to your WordPress site. The pro version of the plugin uses several AJAX actions that call functions lacking capabilities checks and security nonces. That means a logged-in user with minimal permissions could upload executable PHP code and then execute it, delete any existing PHP file on the site, or view the contents of any existing PHP file on the site, including the wp-config file. This issue was found in early April and fixed in late April.

MapPress Maps

The regular version of MapPress Maps was also found to have an Authenticated Content Creation and Deletion issue that could lead to Stored XSS. The plugin allows site owners to add custom maps, and it was possible for a user with minimal permissions to add a map containing malicious JavaScript code to an arbitrary post or page, for example in the title or by creating points of interest. The malicious code could then be executed when someone visits a link in the map. In addition to redirecting a user, it would also be possible to create a new administrator. Additionally, it was possible for an attacker to remove a map. The administrator would then visit the new map that the attacker uploaded and trigger the malicious scripts. As with the pro version, this issue was found in early April and fixed in late April.

YOP Poll

An Authenticated Stored XSS issue was found in this plugin, which is used to insert polls or surveys into a page or blog post. When creating a new poll it was possible for an attacker to insert malicious code into the question fields. This is only available to editors or administrators, and the code would then be executed when the poll was previewed. This issue was discovered in early April and fixed in late April.

Duplicate Page Post and WP Post Page Clone

A SQL Injection issue that could lead to Remote Code Execution was found in these plugins, which, as their names imply, are used to duplicate blog posts and pages. The problem was that several plugins were developed to do this, and all of them essentially copied and pasted the same vulnerable code from the original plugin, unaware of the vulnerability. The original plugin was fixed about a week after these were created, closing the vulnerability there but leaving these still vulnerable. An attack on these plugins could be executed by anyone regardless of privilege level, and it could allow them to steal passwords or completely compromise a WordPress site. The issue was resolved in Duplicate Page Post in late April, but WP Post Page Clone is still vulnerable and has been removed from the WordPress plugin list.

Simple File List

An Authenticated Arbitrary File Upload issue was found in this plugin, which gives users of your website a list of your files to open or download, as well as the ability to upload files. Not a lot of information was provided, due to the sensitivity of the issue, since it could lead to Remote Code Execution. A file could be uploaded with a .png extension but containing PHP code, and a request could then be sent to rename the file, changing the extension from .png to .php. This issue was fixed in late April.
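The upload-then-rename problem above shows why an extension whitelist has to be applied at every point a file name can change, not only at upload time, and why the file’s bytes should be checked as well as its name. The following is an added example written for this post, not code from the Simple File List plugin; the storage directory, the action names and the `ndsx` prefix are assumptions. Upload and rename both run the same name validation, images are verified against their actual content, and a rename may never change the extension the content was validated under.

```php
<?php
/**
 * Added example for the upload-then-rename issue described above. Not code from
 * the Simple File List plugin; directory, action names and "ndsx" prefix are
 * assumptions.
 */

// The only extensions the file list may contain. The same list gates uploads
// and renames, so a file cannot enter as ".png" and leave as ".php".
function ndsx_allowed_extensions() {
	return array( 'png', 'jpg', 'jpeg', 'gif', 'pdf', 'txt', 'zip' );
}

// Returns the lower-cased extension for an acceptable file name, or false.
// Rejects directory components, names that sanitize_file_name() would alter,
// names with more than one dot (so "x.php.png" is out) and unlisted extensions.
function ndsx_validate_filename( $name ) {
	$name = wp_basename( $name );
	if ( '' === $name || $name !== sanitize_file_name( $name ) || 1 !== substr_count( $name, '.' ) ) {
		return false;
	}
	$ext = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
	return in_array( $ext, ndsx_allowed_extensions(), true ) ? $ext : false;
}

function ndsx_storage_dir() {
	$upload = wp_upload_dir();
	$dir    = $upload['basedir'] . '/ndsx-files';
	wp_mkdir_p( $dir );
	return $dir;
}

add_action( 'wp_ajax_ndsx_upload', 'ndsx_handle_upload' );
function ndsx_handle_upload() {
	if ( ! current_user_can( 'upload_files' ) ) {
		wp_send_json_error( 'Forbidden', 403 );
	}
	check_ajax_referer( 'ndsx_upload', 'nonce' );

	if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
		wp_send_json_error( 'No file received.' );
	}
	$name = wp_basename( $_FILES['file']['name'] );
	$ext  = ndsx_validate_filename( $name );
	if ( false === $ext ) {
		wp_send_json_error( 'File type not allowed.' );
	}

	// Check content as well as name: for image extensions the bytes must really be
	// that image type. wp_check_filetype() derives the type from the name and
	// wp_get_image_mime() from the file header; a PHP script named "shot.png" fails.
	$expected = wp_check_filetype( $name );
	if ( 0 === strpos( (string) $expected['type'], 'image/' ) ) {
		if ( wp_get_image_mime( $_FILES['file']['tmp_name'] ) !== $expected['type'] ) {
			wp_send_json_error( 'File contents do not match the extension.' );
		}
	}

	$dir  = ndsx_storage_dir();
	$dest = $dir . '/' . wp_unique_filename( $dir, $name );
	if ( ! move_uploaded_file( $_FILES['file']['tmp_name'], $dest ) ) {
		wp_send_json_error( 'Could not store file.' );
	}
	wp_send_json_success( array( 'file' => wp_basename( $dest ) ) );
}

add_action( 'wp_ajax_ndsx_rename', 'ndsx_handle_rename' );
function ndsx_handle_rename() {
	if ( ! current_user_can( 'upload_files' ) ) {
		wp_send_json_error( 'Forbidden', 403 );
	}
	check_ajax_referer( 'ndsx_rename', 'nonce' );

	$old     = isset( $_POST['old'] ) ? wp_basename( wp_unslash( $_POST['old'] ) ) : '';
	$new     = isset( $_POST['new'] ) ? wp_basename( wp_unslash( $_POST['new'] ) ) : '';
	$old_ext = ndsx_validate_filename( $old );
	$new_ext = ndsx_validate_filename( $new );

	// Both names must pass the same whitelist, and the extension may not change:
	// the content was only ever validated as $old_ext.
	if ( false === $old_ext || false === $new_ext || $old_ext !== $new_ext ) {
		wp_send_json_error( 'Rename not allowed.' );
	}

	$dir = ndsx_storage_dir();
	if ( ! is_file( $dir . '/' . $old ) || file_exists( $dir . '/' . $new ) ) {
		wp_send_json_error( 'Source missing or target already exists.' );
	}
	if ( ! rename( $dir . '/' . $old, $dir . '/' . $new ) ) {
		wp_send_json_error( 'Rename failed.' );
	}
	wp_send_json_success( array( 'file' => $new ) );
}
```

The PHP side can only control names and content; the directory the files land in should additionally be served with script execution disabled at the web server, so that even a file that slips past the checks is delivered as a download rather than run.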

Real-Time Find And Replace

A CSRF issue was found in this plugin, which dynamically replaces code and text from themes and other plugins with code and text of your choosing before a page is delivered to a user’s browser. To do this, a function is called that registers a sub-menu page, but this function lacks a security nonce, which means the source of the request is not verified. If an attacker could trick an administrator into executing malicious code or an unwanted action, they could replace any content or code with malicious code, which would then be executed on every page of the site. This can be escalated to an XSS issue, and the attacker could steal cookies, create a new account or redirect users to a malicious site. This issue was found in late April and fixed the same day.

WP-Advanced Search

An Authenticated SQL Injection vulnerability was found in this plugin, which is used to configure searches on a WordPress site. The import functionality used to restore plugin settings in the admin pages was vulnerable if a user had the ability to edit posts. This issue was fixed in late April.

Quick Page/Post Redirect

An Authenticated Settings Update issue was found in this plugin, which is used for 301 or 302 redirects. The plugin had no capabilities check or security nonces, so a low-privileged user could interact with the plugin settings and create a redirect that sends users to a malicious site. This issue was discovered (as were several other undisclosed issues) in mid February, and it appears that the plugin is no longer being maintained. It has been pulled from the WordPress plugin store, so if you are using this plugin you should remove it immediately.

LearnPress 

Three separate issues were found in this plugin, which is used to create a learning management system on your website. The first issue was a Privilege Escalation. The plugin allows administrators to create content and also lets “Instructors” create their own content. A user can request Instructor status, but it has to be approved by an administrator via an email. An attacker could bypass the email by sending a request to wp-admin with modified parameters. Instructors were essentially given the same privileges as administrators or editors, which would allow them to insert malicious code into any post they create.

An Authenticated Page Creation and Status Modification issue was also found. Again, due to a lack of capabilities checks and security nonces, it would be possible for an attacker with minimal permissions to create pages or modify the publication status of any existing page. Last, an Authenticated Time Based Blind SQL Injection was found. It was possible for a low-privileged user to perform a time-based SQL Injection to retrieve information from the database, such as passwords. One of the functions fails to sanitize user input before a SQL query is performed, so the query executes with that input and retrieves the items. These issues were found in mid March and fixed in late April.
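The SQL injection entries in this post (LearnDash, WP Advanced Search, Duplicate Page Post and WP Post Page Clone, WP-Advanced Search, and the LearnPress issue just above) all describe request input reaching a query unsanitized. The following is an added example written for this post, not code from any of those plugins; the `ndsx_courses` table and its columns are assumptions. It places the concatenation pattern the post describes next to the `$wpdb->prepare()` form, and keeps the authorization and nonce checks on the entry point, since fixing the query does not fix a missing permission check.

```php
<?php
/**
 * Added example for the SQL injection issues described in this post. Not code
 * from LearnDash, WP Advanced Search, Duplicate Page Post, WP Post Page Clone,
 * WP-Advanced Search or LearnPress; the "ndsx_courses" table is an assumption.
 */

// The shape of the flaw described above: request input is concatenated into the
// statement, so a quote in $keyword ends the string literal and whatever follows
// it is executed as SQL.
function ndsx_find_courses_unsafe( $keyword ) {
	global $wpdb;
	return $wpdb->get_results(
		"SELECT id, title FROM {$wpdb->prefix}ndsx_courses WHERE title LIKE '%" . $keyword . "%'"
	);
}

// Hardened: values travel through $wpdb->prepare() placeholders (%s, %d), so
// they can only ever be data. esc_like() additionally neutralises the % and _
// LIKE wildcards, which prepare() does not know about.
function ndsx_find_courses( $keyword, $limit = 20 ) {
	global $wpdb;
	$like = '%' . $wpdb->esc_like( $keyword ) . '%';
	return $wpdb->get_results(
		$wpdb->prepare(
			"SELECT id, title FROM {$wpdb->prefix}ndsx_courses WHERE title LIKE %s ORDER BY id DESC LIMIT %d",
			$like,
			absint( $limit )
		)
	);
}

// Integer identifiers get an absint() cast and a %d placeholder.
function ndsx_get_course( $course_id ) {
	global $wpdb;
	return $wpdb->get_row(
		$wpdb->prepare(
			"SELECT id, title, status FROM {$wpdb->prefix}ndsx_courses WHERE id = %d",
			absint( $course_id )
		)
	);
}

// The entry point still needs its own authorization and CSRF checks; prepare()
// removes the injection, not a missing capabilities check.
add_action( 'wp_ajax_ndsx_course_search', 'ndsx_course_search' );
function ndsx_course_search() {
	if ( ! current_user_can( 'read' ) ) {
		wp_send_json_error( 'Forbidden', 403 );
	}
	check_ajax_referer( 'ndsx_course_search', 'nonce' );

	$keyword = isset( $_POST['q'] ) ? sanitize_text_field( wp_unslash( $_POST['q'] ) ) : '';
	wp_send_json_success( ndsx_find_courses( $keyword ) );
}
```

Sanitizing the keyword with `sanitize_text_field()` is about what gets displayed later; it is `prepare()` that makes the database safe. A time-based blind injection like the LearnPress one is only possible because the input can alter the statement, which placeholders rule out regardless of what the value contains.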

Gmedia Photo Gallery

Several XSS issues were found in this plugin, which is used as a comprehensive interface for handling galleries, images, video and audio files. Not a lot of information was provided, other than that these issues are caused by improper validation of user input. These issues were fixed in late April.

Ninja Forms

A CSRF issue that could be escalated to XSS was found in this plugin, a drag-and-drop form builder that lets you easily create forms on your site. No other information has been disclosed, but the issue was fixed in late April.

Core

WordPress 5.2.4 was released in early April. Following that, seven different vulnerabilities were publicized. First, an issue that would have allowed unauthenticated users to view private posts by manipulating time and date queries was found. A Stored XSS issue was found in the Customizer, and another was found in the wp-object-cache due to a lack of validation or encoding. Next, password reset tokens failed to be properly validated, so when a password reset request was sent, the link would still be usable after the reset occurred; this would also require an attacker to have access to the victim’s email account. An Authenticated XSS issue was found in the Search Block, which would allow an attacker to customize the class of the search block, and another in File Uploads, which would allow an authenticated user to upload files that could then execute JavaScript code when viewed later. Last, an Authenticated XSS issue was also found in the Customizer, which would allow an authenticated user to corrupt data in the Customizer of other users and inject malicious code.

Theme

OneTone

An Unauthenticated Stored XSS issue was found in this theme. The theme lacks capabilities checks and security nonces, which means that an unauthenticated user could use the theme option import feature to inject malicious code into the site. This code can also be used to target administrators when they edit the theme. These issues, as well as several other security issues, were reported to the WordPress team in September of 2019, and due to a lack of response the theme was removed in October of 2019. It was made public in early April, and if you are using this theme you should remove it and use another.
