WordPress Vulnerabilities December 2018

We take a lot of precautions when it comes to the safety and security of your website, but once we hand the website off to you, the burden of maintaining it falls on you. Nicely Done Sites offers a maintenance agreement so that we can continue to maintain your website and keep it as safe and secure as possible. We highly recommend that all of our clients purchase one, but it is not mandatory. If you do not, we hope that you at least keep your WordPress website up to date, and in this series of posts we are going to detail some of the vulnerabilities discovered recently.

Plugins

Arigato Autoresponder and Newsletter

This plugin allows for the scheduling of newsletters, for autoresponder marketing campaigns and for managing mailing lists. It allows a registration form to be placed on a site or blog, and it can send an unlimited number of email messages to an unlimited number of email addresses. A blind SQL injection allowed users to be created or deleted with administrative privileges, which opened the plugin up to numerous XSS vulnerabilities. This vulnerability was fixed the day after being discovered.

Ninja Forms

Another vulnerability was found in Ninja Forms. This one affected a download submission page and allowed an unvalidated redirect or forward from the submission form. This vulnerability was fixed 5 days after being discovered.

Redirection

A vulnerability within this plugin allowed cross-site request forgery (CSRF). These vulnerabilities happen when a trusted user of a site is made to transmit unauthorized commands. This can be done through image tags, hidden forms or JavaScript XMLHttpRequests, and it can happen without the user's knowledge. This vulnerability was fixed within a day of its discovery. The Redirection plugin is one of the most popular plugins available for WordPress and helps keep track of site errors in order to reduce them and boost rankings.
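The standard WordPress defence against the CSRF class described above is a nonce tied to the action and the logged-in user. The following is an added example, not code from the Redirection plugin; the `nds_` prefix, the option name and the menu page are hypothetical.

```php
<?php
// Added example: a settings form and its handler protected against CSRF.
// A forged cross-site POST (hidden form, XMLHttpRequest, image tag) carries
// the victim's cookies but cannot know a valid nonce, so the handler rejects it.
add_action('admin_menu', function () {
    add_options_page('Redirect Rules', 'Redirect Rules', 'manage_options',
                     'nds-redirects', 'nds_render_redirect_form');
});

function nds_render_redirect_form() {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="nds_save_redirect">
        <?php wp_nonce_field('nds_save_redirect', 'nds_nonce'); ?>
        <input type="url" name="target" placeholder="https://example.com/new-page">
        <?php submit_button('Save redirect'); ?>
    </form>
    <?php
}

add_action('admin_post_nds_save_redirect', function () {
    // Capability check first: only administrators may change redirect rules.
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', 403);
    }
    // Nonce check: dies with a 403 if the token is missing, expired or forged.
    check_admin_referer('nds_save_redirect', 'nds_nonce');

    // Validate the target so the stored value cannot become an open redirect.
    $target = isset($_POST['target']) ? esc_url_raw(wp_unslash($_POST['target'])) : '';
    if ($target === '' || !wp_http_validate_url($target)) {
        wp_die('Invalid redirect target', 400);
    }
    update_option('nds_redirect_target', $target);

    wp_safe_redirect(add_query_arg('updated', '1',
        admin_url('options-general.php?page=nds-redirects')));
    exit;
});
```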

WPForms Lite

An Authenticated Stored XSS vulnerability was discovered that allowed untrusted data to be stored in the database and later displayed to, and executed in the browsers of, other users, including trusted users or administrators, so that the attacker could gain elevated privileges. This vulnerability was fixed 4 days after discovery. Another XSS vulnerability was discovered a few days later and patched that day.

Google Analytics by Monster Insights

This was another Authenticated Stored XSS vulnerability. It was discovered at the same time and fixed 4 days later.

WPMail SMTP by WPForms

Another Authenticated Stored XSS vulnerability. It was discovered at the same time as the above two and fixed in the same timeframe.

All In One SEO Pack

Yet another Authenticated Stored XSS vulnerability. It was found two days after the others above and fixed two days later.

Property Hive

This vulnerability allowed the plugin to be removed, either inadvertently or maliciously. It was discovered on December 3 and patched 3 days later.

Kiwi

Kiwi is a social sharing plugin. A vulnerability was discovered that allowed an attacker to modify the wp_options table and create an administrator account, which in turn allows them to redirect a blog post to another site. The issue was fixed in November, but attacks exploiting this vulnerability are now beginning, so if you have this plugin and have not updated it, do so.

Smush Image Compression and Optimization

This vulnerability takes advantage of a new PHP exploitation technique that was announced to the public earlier this month. PHP uses what are known as stream wrappers to access file locations, and these can make remote file inclusion attacks easier. One wrapper that had been overlooked is Phar, the PHP Archive, which now allows an attacker to execute code and gain access to a file path. This vulnerability was fixed in this plugin within 3 days.

Advanced Custom Fields

This is an XSS vulnerability that allowed an attacker to save unfiltered HTML in a custom field, which should not have been possible. It has been fixed since its discovery.

WooCommerce

Another Authenticated Stored XSS vulnerability as well as an Authenticated Phar Deserialization vulnerability were discovered at the same time. These vulnerabilities allowed Shop Managers to exceed their capabilities by editing the roles of all accounts except admins and to execute malicious code. Should an attacker gain control of one of these accounts, they could easily execute any malicious code. These issues were fixed the day they were discovered, and Shop Managers can now only edit customer profiles.

Orbit Fox by ThemeIsle

This vulnerability stems from the plugin not properly authenticating Representational State Transfer (REST) API calls, which allows unauthorized users to execute them. It is possible to upload files, which can lead to remote code execution. This issue has since been fixed. REST is a web service style that allows a requesting system to access and manipulate textual representations of web resources using a uniform set of operations. It is designed to provide faster performance, better reliability and the ability to grow, since components are reused and can be updated while the system is running without affecting it as a whole.
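In WordPress, REST route authentication lives in the route's `permission_callback`; a route registered without one is callable by any visitor. The following added example, which is not Orbit Fox's code, registers the same hypothetical upload route both ways (the `nds/v1` namespace and function names are assumptions).

```php
<?php
// Added example: an unauthenticated REST upload route beside its corrected form.
add_action('rest_api_init', function () {
    // Weak: no permission_callback, so anyone who can reach /wp-json can call it.
    register_rest_route('nds/v1', '/upload', [
        'methods'  => 'POST',
        'callback' => 'nds_handle_upload',
    ]);

    // Corrected: the caller must be logged in and hold the upload_files capability.
    register_rest_route('nds/v1', '/upload-secure', [
        'methods'             => 'POST',
        'callback'            => 'nds_handle_upload',
        'permission_callback' => function (WP_REST_Request $request) {
            if (!is_user_logged_in() || !current_user_can('upload_files')) {
                return new WP_Error('rest_forbidden',
                    'Uploading requires the upload_files capability.',
                    ['status' => rest_authorization_required_code()]);
            }
            return true;
        },
    ]);
});

function nds_handle_upload(WP_REST_Request $request) {
    $files = $request->get_file_params();
    if (empty($files['file'])) {
        return new WP_Error('rest_no_file', 'No file supplied.', ['status' => 400]);
    }
    // The client-declared type is untrusted; this is only an early reject.
    // media_handle_upload() runs WordPress's own extension/MIME checks
    // (wp_check_filetype_and_ext) before anything is written to disk.
    $allowed = ['image/jpeg', 'image/png', 'image/gif'];
    if (!in_array($files['file']['type'], $allowed, true)) {
        return new WP_Error('rest_bad_type', 'File type not allowed.', ['status' => 415]);
    }
    require_once ABSPATH . 'wp-admin/includes/image.php';
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';

    $attachment_id = media_handle_upload('file', 0);
    if (is_wp_error($attachment_id)) {
        return $attachment_id;
    }
    return rest_ensure_response([
        'id'  => $attachment_id,
        'url' => wp_get_attachment_url($attachment_id),
    ]);
}
```

Auditing a site for routes like the first one is straightforward: any `register_rest_route()` call whose arguments lack a `permission_callback` is reachable without authentication.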

Import Users from CSV with Meta

This plugin allows users to be imported directly into WordPress, so that potentially thousands of users can be imported in seconds. An XSS vulnerability was discovered and patched.

Core

WordPress 5.0

The big news in December was the update to WordPress 5.0. It did not take long for vulnerabilities to be discovered that affected not only 5.0 but previous versions as well. The first vulnerability allowed users to alter metadata and delete files that they were not authorized to delete. Another allowed authors to create posts of unauthorized post types by using specially crafted input to bypass the normal checks.

Another vulnerability allowed commenters and contributors to craft metadata in a manner that led to PHP object injection. Contributors were also found to be able to edit new comments from users with a higher privilege level, which could lead to XSS. Another potential XSS vulnerability involving specially crafted URL inputs was discovered; it would not affect WordPress itself but could affect some plugins.

Another vulnerability was discovered where the user activation screen could be indexed by search engines in some circumstances, which could expose the user's email address and even a default password. A further vulnerability was discovered on Apache-hosted sites, where authors would be able to upload specially crafted files that bypass Multipurpose Internet Mail Extensions (MIME) verification, opening up the opportunity for XSS. All of these and the above vulnerabilities were patched within a day of discovery.
