WordPress Vulnerabilities: August 2019

We take a lot of precautions when it comes to the safety and security of your website, but once we hand your website off to you the burden of maintaining it falls on you. Nicely Done Sites offers a maintenance agreement so that we can continue to maintain your website and keep it as safe and secure as possible. We highly recommend that all of our clients purchase one, but it is not mandatory. If not, we hope at least that you keep your WordPress website up to date, and in this series of posts we detail some of the vulnerabilities discovered recently.

For anyone interested, or anyone who missed it, check out last month’s vulnerabilities, and don’t forget to keep your WordPress website up to date!

Plugins

Order XML File Export Import For WooCommerce

An XSS vulnerability was found with this plugin, which can be used to import data into WooCommerce, create shipping labels and export orders in XML format. No sanitization of the input was present, which could allow an attacker to insert their own code. The issue was fixed in early August.

Woody Ad Snippets

Multiple issues were found with this plugin, which is used to create and store code, text or ads in a special library so it can be used anywhere on the website. An Unauthenticated Stored Options Vulnerability and an XSS vulnerability were found. No capability check is present in the code so an unauthenticated user can import their own code snippets. The good news is that getting the code to be run is much more difficult since the attacker cannot activate it, except in the case of the XSS vulnerability which does not sanitize input and can allow the code to be activated. This vulnerability was discovered in late July and fixed quickly before being disclosed in early August.

Travel Management

An Unauthenticated Options Change vulnerability was found with this plugin, which is used to manage different travel packages. A function with no capability check is accessible to any user, which allows that user to change website settings such as the website URL, the admin email address or user roles, or to create a new user with administrator access. The issue was discovered in late July and fixed quickly, and a new update has taken security even further.

ND Donations

A Privilege Escalation Vulnerability was discovered with this plugin, which allows a website to take and process donations. The issue allows an unauthenticated user to modify the settings and take over the website like the above plugin. This issue was also discovered in late July and fixed.

ND Booking

The same issue as the ND Donations plugin was found within this plugin, which is used to offer booking for hotel rooms, bed and breakfasts and Airbnb rooms. As with the ND Donations plugin, it was discovered in late July and fixed.

ND Learning Courses

The same issue as ND Donations and ND Booking was discovered with this plugin, a popular Learning Management System. Just like above it was discovered in late July and fixed. 

ND Restaurant Reservations 

Again the same issue was discovered within this plugin as in the other ND plugins. Like the others it was discovered in late July and fixed.

Popup Builder

A SQL Injection vulnerability was discovered with this plugin, which is used to create and manage popups on a WordPress site. The vulnerability would allow an attacker to insert their own SQL code and execute it. The issue was discovered in late July and was fixed in early August.

Login Or Logout Menu Item

An Unauthenticated Options Change vulnerability was found with this plugin, which adds a dynamic login/logout option to any menu on a WordPress site. The function that is used to modify the login URL had no security check present and was accessible to anyone. As such an attacker could change the link and redirect it to a malicious site to steal login credentials. This vulnerability was discovered in early August and fixed quickly.

JoomSport

A SQL injection vulnerability was discovered in this plugin, which is used to build a sports website and can include standings, photos, awards and stats. An attacker could insert their own SQL code which would allow them to steal information from the site’s database or even to delete the database itself. The issue was discovered in late July and was fixed in early August. 

Simple 301

Multiple issues were found within this plugin, which is used to easily redirect users to another page, which is especially useful when a URL is changed. An Unauthenticated Options Change vulnerability was discovered: no security checks were in place, which would allow an attacker to upload their own file and redirect users to a malicious site. An Authenticated Options vulnerability was also discovered: again, with no security or capability check in place, administrative functions could be accessed by any logged-in user. These issues were discovered in late July and fixed in early August.

PPOM for WooCommerce

An Authenticated Stored XSS vulnerability was discovered with this plugin, Personalized Product Option Manager (PPOM), which adds input fields to product pages so that customers can personalize products. No sanitization of the input fields was in place, so an attacker would be able to insert their own code. The issue was discovered in mid August and fixed quickly.

Give

A SQL Injection vulnerability was discovered with this plugin, the leading donations plugin on WordPress. An attacker had the ability to execute remote code via two different queries. The issue was discovered in early July, fixed quickly and made public in mid August.

CformsII

Multiple issues were discovered with this plugin, which is used to build web forms. An Unauthenticated HTML Injection vulnerability was discovered. An attacker can inject their own code into the form since input is not sanitized, which can lead to a malicious redirect or the attacker being able to take over an account. A CSRF vulnerability was also discovered. No security checks were in place so an attacker could trick an administrator into doing something to their own site. These issues were discovered in mid July, fixed quickly and made public in mid August.

Easy Property Listings

An XSS vulnerability was found within this plugin, one of the most popular real estate plugins available through WordPress. Every line of code with this plugin was edited to meet WordPress security standards. Also no sanitization of input was present, which could allow an attacker to insert their own malicious code, which could lead to a takeover of the site or a redirect of users to a malicious site. The issue was fixed in mid August.

Bold Page Builder

This plugin, which is used to develop new WordPress themes and to build pages, was found to have access control issues. Any unauthenticated user was able to perform actions that only administrators should be able to, such as modifying settings and importing data. This issue was fixed in late August, and if you use this plugin you should update it immediately.

Import Export WordPress Users

A CSV Injection vulnerability was discovered with this plugin, which allows for the easy export and import of users to a new WordPress site or WooCommerce site. A user with subscriber-level access could execute commands on an administrator’s computer by using a CSV injection in the first_name and last_name fields. It could force the administrator to download a malicious file. This was discovered in mid August and fixed in late August, so update this plugin immediately.
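The defensive side of the CSV injection issue above, as an added illustration in PHP: a cell that begins with a formula trigger character is prefixed so that a spreadsheet displays it as text instead of evaluating it. This is constructed example code, not the plugin’s own; the function names, column list and sample rows are hypothetical.

```php
<?php
// Constructed example: neutralizing spreadsheet formula injection when exporting
// user fields to CSV. Not code from the plugin above; names and data are hypothetical.

/**
 * Spreadsheet applications treat a cell beginning with = + - @ (or a tab/CR) as a
 * formula. Prefixing such a value with a single quote makes the application show
 * the text literally instead of evaluating it.
 */
function example_csv_escape_cell( $value ) {
    $value = (string) $value;
    // Leading spaces are ignored by spreadsheets when deciding whether a cell is a
    // formula, so strip them before looking at the first character.
    $trimmed = ltrim( $value, ' ' );
    if ( '' !== $trimmed && false !== strpos( "=+-@\t\r", $trimmed[0] ) ) {
        return "'" . $value;
    }
    return $value;
}

/**
 * Build the CSV text for a list of user rows, escaping every cell. fputcsv() adds
 * the quoting that keeps commas and quotes inside a cell from breaking the row.
 */
function example_users_to_csv( array $users ) {
    $handle = fopen( 'php://temp', 'r+' );
    fputcsv( $handle, array( 'user_login', 'first_name', 'last_name', 'user_email' ) );
    foreach ( $users as $user ) {
        fputcsv( $handle, array_map( 'example_csv_escape_cell', $user ) );
    }
    rewind( $handle );
    $csv = stream_get_contents( $handle );
    fclose( $handle );
    return $csv;
}

// Constructed sample rows. The second first_name is the kind of value a subscriber
// can type into their own profile; unescaped, a spreadsheet would evaluate it.
$sample_users = array(
    array( 'alice',   'Alice',      'Example', 'alice@example.com' ),
    array( 'mallory', '=SUM(1,2)',  'Smith',   'mallory@example.com' ),
);
echo example_users_to_csv( $sample_users );
// The second row is emitted as: mallory,"'=SUM(1,2)",Smith,mallory@example.com
```

The same escaping belongs on import too, since a value that was harmless in WordPress only becomes dangerous once an administrator opens the exported file in a spreadsheet.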

UserPro

An Unauthenticated Reflected XSS vulnerability was discovered with this plugin, which is used to create registration forms, profiles and member lists, and provides front-end login for a WordPress site. This issue was discovered in late August, but no fix is in place as yet for this plugin.

Nextgen Gallery

A SQL Injection vulnerability was discovered with this plugin, which is used to create simple photo galleries and has been the industry standard since 2007. It was possible for an attacker to insert their own SQL code and execute that code. This issue was discovered in late July, fixed soon afterwards and made public in late August. 

WP Private Content Plus

An Unauthenticated Options Change vulnerability was discovered in this plugin, which is used to restrict who can see certain content on the page. No security or capability checks were performed when a user logs in, which means that an unauthenticated user can potentially make settings changes that give them access to personal information and restricted content. It is also possible for a user to redirect other users to other sites, creating the possibility of an XSS vulnerability as well, or to mount a denial of service attack on the site. This vulnerability was discovered at the end of August and fixed quickly.
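The “no capability check” pattern behind the Unauthenticated and Authenticated Options Change entries above (Travel Management, the ND plugins, Login Or Logout Menu Item, Simple 301 and WP Private Content Plus), shown as an added PHP illustration of a settings handler before and after hardening. This is constructed example code, not any of those plugins’ own; the hook, action, nonce and option names are hypothetical.

```php
<?php
// Constructed illustration of an options-change bug and its fix. Hook, action,
// nonce and option names are hypothetical, not taken from any plugin.

// BEFORE: a settings handler hung on wp_ajax_nopriv_ with no nonce and no
// capability check. Anyone who can reach admin-ajax.php can rewrite the option.
add_action( 'wp_ajax_nopriv_example_save_settings', 'example_save_settings_vulnerable' );
function example_save_settings_vulnerable() {
    update_option( 'example_login_redirect', $_POST['redirect'] ); // raw input, no checks
    wp_send_json_success();
}

// AFTER: logged-in hook only (the nopriv hook is dropped because the action is
// admin-only), a nonce against CSRF, a capability check so that a subscriber
// cannot reach an admin function, and sanitization of the stored value.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings_hardened' );
function example_save_settings_hardened() {
    check_ajax_referer( 'example_settings_nonce', 'nonce' ); // dies on a missing/bad nonce

    // A nonce proves intent, not authority: the capability check is still required.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    $redirect = isset( $_POST['redirect'] ) ? esc_url_raw( wp_unslash( $_POST['redirect'] ) ) : '';

    // Only accept a URL on this site, so a login link cannot be pointed at an
    // external page (the Login Or Logout Menu Item issue above).
    $site_host = wp_parse_url( home_url(), PHP_URL_HOST );
    if ( '' === $redirect || wp_parse_url( $redirect, PHP_URL_HOST ) !== $site_host ) {
        wp_send_json_error( 'redirect must stay on this site', 400 );
    }

    update_option( 'example_login_redirect', $redirect );
    wp_send_json_success();
}

// The admin page that sends the request must emit the matching nonce field:
// wp_nonce_field( 'example_settings_nonce', 'nonce' );
```

When reviewing a plugin, the quick check is to list every `wp_ajax_nopriv_`, `admin_post_nopriv_` and REST route callback and confirm that each one either needs no privilege at all or performs its own `current_user_can()` test.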

Shapepress DSGVO

An Authenticated Reflected XSS vulnerability was found in this plugin, which is used to help make your website or ecommerce platform compliant with Europe’s GDPR regulations. This is not uncommon with many GDPR compliance plugins. No restriction is placed on some input fields that allow regular users the same control of functions as administrators. No sanitization of the input code is present and it could potentially allow the attacker to force the admin to make changes that they do not want to make. This issue was discovered in late August and fixed a few days later. Since these kinds of issues are common with GDPR plugins it is recommended that if you use one of these plugins that you make sure that they have passed all security checks.

HandL UTM Grabber

An Authenticated Option Change via CSRF vulnerability was discovered in this plugin, which is used to capture UTM variables when a user visits any page on your WordPress site. Urchin Tracking Monitors (UTM) are five parameters that are used by marketers to track the effectiveness of a marketing campaign. Not much information was disclosed regarding this vulnerability, but the issue can be found in two different options. The issue was discovered in late August and fixed quickly.

WooCommerce Product Feed

An Authenticated Reflected XSS vulnerability was discovered with this plugin, which is used to generate product feeds for Google, Facebook, eBay and Amazon to get products into shopping engines or a price comparison website. User input was not sanitized which could allow an attacker to edit the theme files. The good news is that the only way this attack can be exploited is if the admin is logged in. The issue was discovered in late August and fixed quickly.

Core

No Core vulnerabilities were disclosed in August.

Theme

Real Estate 7

An XSS vulnerability and an Insecure Direct Object Reference vulnerability were discovered with this theme, which can be used for real estate agents, brokerages, apartment managers, residential & commercial developers, vacation rentals and more. The XSS issue allowed an attacker to insert their own code into the website’s front end and steal an admin’s or moderator’s cookies. The other vulnerability gave unauthorized users the ability to edit listings that they should not be able to. These issues were discovered in July and made public in August, but they have not been fixed yet.
