WordPress Vulnerabilities: December 2019

We take a lot of precautions when it comes to the safety and security of your website, but once we hand your website off to you, the burden of maintaining that falls on you. Nicely Done Sites offers a maintenance agreement so that we can continue to maintain your website and keep it as safe and secure as possible. We highly recommend that all of our clients purchase one, but it is not mandatory. If not, we hope that you at least keep your WordPress website up to date, and in this series of posts we detail some of the vulnerabilities discovered recently.

For anyone interested, or anyone who missed it, check out last month's vulnerabilities, and don't forget to keep your WordPress website up to date! December 2019 was a slow month for vulnerabilities, which is not a bad thing.

Plugins

CSS Hero

A Reflected XSS vulnerability was found in this plugin, which is used to perform visual editing of themes. Not much information is available, but a logged-in user who navigates to a malicious site could have JavaScript executed that is then reflected back into the page's HTML. This issue was found in mid November, fixed shortly thereafter and made public in early December.

Scoutnet Kalender

An XSS vulnerability was found in this plugin, which is used as a calendar for the German Boy and Girl Scouts. That means there is a very good chance that you are not using this plugin here in the US. The info field on embedded calendars is not sanitized, so it is possible for an attacker to insert their own code into that field. These calendars are retrieved from the Scouts' homepage. This issue was discovered in late November and has not been fixed yet.

Ultimate Addons For Elementor

An Authentication Bypass vulnerability was discovered in this plugin, which is used to add extra functionality and flexibility to the Elementor page builder. If an attacker is able to learn the username of any account (which can be extremely easy to do), they can upload a fake zip file to install a fake plugin, which creates a backdoor and may allow them to gain administrator rights. This issue has been exploited by attackers and was fixed in mid December.

Ultimate Addons For Beaver Builder

The same issue as above was found with this plugin, which is used to create custom modules and templates. This issue was also fixed in mid December. 

301 Redirects – Easy Redirect Manager

A number of issues were found in this plugin, which is used to create and manage 301 and 302 redirects on a website. An Authenticated Arbitrary Redirect Injection and Modification issue was found, as well as an XSS and a CSRF vulnerability. It was possible for any authenticated user to modify, delete and inject redirect rules, which could result in a loss of site availability. A capabilities check is performed when the dashboard or the admin panel is about to be displayed, but it does not determine whether the user actually has the proper permissions to view it. That allows any authenticated user to add, edit or remove redirects, which could give an attacker the ability to create malicious redirects.

The XSS vulnerability stems from an ID parameter, used to create new rules and identify existing ones, that lacked input validation or sanitization. The CSRF vulnerability stems from the failure to use a nonce for the AJAX actions that modify and create rules. An attacker able to gain subscriber-level privileges could exploit this due to the lack of permission checks, and any user with subscriber-level or higher permissions could be targeted. All of these issues were found in mid December and fixed within 4 days.

Rencontre

Multiple CSRF issues were found in this plugin, which is used to create a dating site. This is related to an earlier issue found in this plugin: some of the issues were fixed at the time, but the fixes did not cover the CSRF issues. After the developer was contacted the issues were fixed, but no details have been provided.

Featured Image From URL

This plugin, which is used to set a featured image from an external site, was found to be missing Access Controls. Not much information has been released regarding this issue, but permission callbacks are not set, which could allow an unauthorized user to call the affected endpoints. The issue was fixed just before Christmas.

bbPress Login Register Links On Forum Topic Pages

A CSRF vulnerability was found in this plugin, which is used to add a dedicated sidebar that can hold other bbPress widgets. No checks were in place on the settings, which could allow them to be changed by a forged request. This can in turn open up the possibility of a Stored XSS vulnerability. No other information has been provided, but the issue was fixed around Christmas time.

bbPress Members Only

A CSRF vulnerability was found in this plugin, which is used to restrict access to bbPress forums to members only. This is not quite as extensive as the issue in the plugin above, as only the Optional Settings section is exposed. As with the plugin above, not much information has been released, but the issue was fixed around Christmas time.

GDPR Cookie Compliance

An Authenticated Settings Reset issue was found in this plugin, which is used to help with GDPR, PIPEDA, CCPA, LGPD, AAP, cookie law and consent notice requirements on your website. Due to the lack of a capabilities check and a security nonce, any logged-in user can execute the class script that erases all entered settings. This issue was discovered in mid December and fixed just before Christmas.

Photo Gallery – Image Gallery By Ape

An Authenticated Arbitrary Plugin Deactivation vulnerability was found in this plugin, which is used to create video or photo galleries. No user capability check is performed when the plugin's deactivation action is used, which allows any authenticated user to deactivate any plugin on the site. This issue was discovered in early December and fixed in late December.
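The 301 Redirects, GDPR Cookie Compliance and Photo Gallery issues above share one root cause: an admin-ajax handler that any logged-in user can reach because it checks neither the caller's capability nor a nonce. The following is an added illustration written for this post, not code from any of those plugins. It uses a hypothetical plugin called "example-redirects" with one "add rule" action, shows the handler with both checks missing, and then the same handler with the checks and sanitization that WordPress provides for this purpose.

```php
<?php
/*
 * Added illustration (not code from any plugin named above). Hypothetical
 * plugin "example-redirects" with one admin-ajax action that stores a
 * redirect rule in the options table.
 */

// BEFORE: admin-ajax.php only requires a login for wp_ajax_* hooks; it does
// not check capabilities, so a subscriber reaches this handler. Nothing proves
// the request was intentional either (no nonce), so a page the victim visits
// can submit it on their behalf (CSRF). Raw input is stored and later echoed
// in the admin table (stored XSS) and used as a redirect target.
function example_redirects_add_rule_insecure() {
    $rules   = get_option( 'example_redirects_rules', array() );
    $rules[] = array(
        'from' => $_POST['from'], // unsanitized
        'to'   => $_POST['to'],   // attacker-controlled destination
    );
    update_option( 'example_redirects_rules', $rules );
    wp_send_json_success( $rules );
}
add_action( 'wp_ajax_example_redirects_add_rule_insecure', 'example_redirects_add_rule_insecure' );

// AFTER: intent (nonce) and authorization (capability) are both verified
// before anything is touched, and inputs are sanitized before storage.
function example_redirects_add_rule() {
    // 1. check_ajax_referer() validates $_POST['_ajax_nonce'] against the
    //    action name and terminates the request on failure. A nonce proves
    //    the request came from a page that rendered the nonce; it is not an
    //    authorization decision on its own.
    check_ajax_referer( 'example_redirects_add_rule', '_ajax_nonce' );

    // 2. The capability check is the authorization decision. Without it, any
    //    user who can see a nonce (or obtain one) can call the action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    // 3. Sanitize on the way in; escape again (esc_html/esc_url) on output.
    $from = sanitize_text_field( wp_unslash( $_POST['from'] ?? '' ) );
    $to   = esc_url_raw( wp_unslash( $_POST['to'] ?? '' ) );
    if ( '' === $from || '' === $to ) {
        wp_send_json_error( 'from and to are required', 400 );
    }

    $rules   = get_option( 'example_redirects_rules', array() );
    $rules[] = array( 'from' => $from, 'to' => $to );
    update_option( 'example_redirects_rules', $rules );
    wp_send_json_success( $rules );
}
add_action( 'wp_ajax_example_redirects_add_rule', 'example_redirects_add_rule' );

// The nonce is handed to the admin page's script only on the plugin's own
// settings page and only for users who already pass the capability check,
// so it is never rendered for low-privilege users.
function example_redirects_enqueue( $hook ) {
    if ( 'settings_page_example-redirects' !== $hook || ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wp_enqueue_script( 'example-redirects', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-redirects', 'exampleRedirects', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'example_redirects_add_rule' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_redirects_enqueue' );
```

The order matters less than the presence of both checks: the nonce stops cross-site forgery, the capability check stops low-privilege users, and neither one substitutes for the other. When auditing a plugin, look for every wp_ajax_* and REST callback and confirm both are present before any update_option(), deactivate_plugins() or similar call.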

Donorbox

A Stored XSS vulnerability was discovered in this plugin, which is used to allow a site to request and manage donations. The issue was introduced by a recent update that allowed arbitrary attributes in the shortcode. Only the privileges needed to store a shortcode are required, and XSS protections on the server have no effect on it. This issue was identified in late December and fixed quickly, but no other information was made available.
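To show why server-side filtering does not help in the Donorbox case, here is an added illustration written for this post, not Donorbox's own code. It defines a hypothetical [example_donate] shortcode that renders a donation link, first with its attributes written straight into the markup and then with each attribute escaped for the context it lands in.

```php
<?php
/*
 * Added illustration (not Donorbox's code). Hypothetical [example_donate]
 * shortcode. Shortcodes live in post content, which any user with editing
 * rights can save. wp_kses strips HTML tags from that content for users
 * without unfiltered_html, but it does not interpret shortcode syntax, so
 * text inside [example_donate ...] survives and is only turned into markup
 * at render time, for every visitor. That makes each attribute a stored XSS
 * sink unless the renderer escapes it.
 */

// BEFORE: attribute values are interpolated directly. A value containing
// a closing quote followed by an event handler, or a javascript: URL,
// is saved as plain text and becomes live markup on every page view.
function example_donate_shortcode_insecure( $atts ) {
    $atts = shortcode_atts( array(
        'url'   => 'https://example.invalid/donate', // placeholder default
        'label' => 'Donate',
        'class' => 'donate-btn',
    ), $atts, 'example_donate' );

    return '<a href="' . $atts['url'] . '" class="' . $atts['class'] . '">'
         . $atts['label'] . '</a>';
}

// AFTER: shortcode_atts() still drops unknown attributes, but that does not
// neutralize the values of the known ones, so each is escaped for its context.
function example_donate_shortcode( $atts ) {
    $atts = shortcode_atts( array(
        'url'   => 'https://example.invalid/donate',
        'label' => 'Donate',
        'class' => 'donate-btn',
    ), $atts, 'example_donate' );

    // URL context: esc_url() with an explicit protocol list rejects
    // javascript: and data: schemes; an empty string means it was rejected.
    $url = esc_url( $atts['url'], array( 'http', 'https' ) );
    if ( '' === $url ) {
        return '';
    }
    // Class attribute: restrict to a safe token rather than escaping free text.
    $class = sanitize_html_class( $atts['class'], 'donate-btn' );
    // Text node: esc_html() neutralizes <, >, & and quotes.
    $label = esc_html( $atts['label'] );

    return sprintf( '<a href="%s" class="%s">%s</a>', $url, esc_attr( $class ), $label );
}
add_shortcode( 'example_donate', 'example_donate_shortcode' );
```

The rule this demonstrates is escape-on-output: the request-time protections an input filter or WAF applies never see the shortcode being rendered, so the shortcode callback itself is the last place the value can be made safe.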

Core

WordPress 5.3.1 was released in mid December and provided 46 fixes and enhancements, including fixes for three different vulnerabilities. A Stored XSS vulnerability was found in crafted links and another in block editor content. Finally, improper access controls could allow an unprivileged user to make a post sticky through the REST API. Not a lot of other information was shared about these, but they were fixed in 5.3.1. At the end of December version 5.3.2 was released, though no corrected issues from that update have been made public as of yet.

Theme

Mesmerize and Materialis 

An Authenticated Options Update vulnerability was found in these two themes. After installation, the admin is shown a banner offering to install a companion plugin. When the banner is dismissed, its status is changed in the database and the popup should have been disabled. Instead the banner (and its security nonce) was displayed to any logged-in user regardless of privilege level. The user could copy the security nonce, send a request and potentially modify core options, which would make it possible for an attacker to disable all plugins, crash the blog and more. These issues were found in late November and fixed quickly before being made public in early December.

Superlist

An XSS vulnerability was discovered in this theme. No further information was disclosed about it and no fix has been applied to this yet.
