We take a lot of precautions when it comes to the safety and security of your website, but once we hand your website off to you, the burden of maintaining it falls on you. Nicely Done Sites offers a maintenance agreement so that we can continue to maintain your website and keep it as safe and secure as possible. We highly recommend that all of our clients purchase one, but it is not mandatory. If you don't, we hope at least that you keep your WordPress website up to date, and in this series of posts we detail some of the vulnerabilities discovered recently.

For anyone interested or anyone who missed it check out last month’s vulnerabilities and don’t forget to keep your WordPress website up to date!

Plugins

Strong Testimonials

A Stored XSS vulnerability was found in this plugin, which is used to collect and publish testimonials and reviews on your WordPress website. Due to a lack of input sanitization, an attacker could insert malicious script that, when the stored content was displayed, could steal a victim’s cookies or login credentials, perform actions on their behalf or log their keystrokes. This issue was discovered in late January, fixed shortly thereafter and made public in early February.

Tutor LMS

A CSRF vulnerability was found in this feature-packed plugin, which is used to create and sell courses online. No information has been provided about the issue, but it was discovered in late January and fixed in early February.

Ultimate Membership Pro

Multiple issues were found with this plugin, which is used to create multiple levels of access, including free and paid tiers, on your WordPress website. An Unauthenticated Remote Code Execution issue was found. It appears to be related to older versions of the plugin and to the demo version, which had already been fixed, so any user running the most up-to-date version may not need to worry about it. A more worrying issue was a PII (Personally Identifiable Information) disclosure: one file generated by the plugin was found to be publicly accessible, and it contained information like email addresses, IP addresses, usernames, passwords and more. These issues were reported in early February and were fixed the following day.

Later in the month, multiple further issues were found with this plugin. Following the remedying of last month’s issues, two different CSRF vulnerabilities were found. The first allowed an attacker to delete accounts and the other allowed the attacker to create new accounts. It is possible that other CSRF issues are present as well. These issues were found in mid February and fixed in late February.

More CSRF issues were indeed found. An admin check was added, since it was possible for an attacker to delete users (as mentioned above) and to delete several other things because no CSRF verification was in place. The export filename was also not generated randomly enough, which made it easier for an attacker to guess filenames that could contain sensitive information. Old export files were not deleted either, meaning that an attacker who worked out the naming scheme could potentially guess old filenames as well and gain access to them. As above, these issues were fixed in late February.

Htaccess By BestWebSoft

A CSRF vulnerability was found in this plugin, which is used to control access to a WordPress site. Htaccess is short for Hypertext access and is a configuration file used to control the directory it is stored in as well as the subdirectories underneath it. This file is found with any Content Management System, WordPress and others alike. The file includes the ability to password protect folders, ban users based on IP address, stop directory listings, redirect users to another page, create custom error pages, change the way some extensions are handled or specify a different index file. The plugin does not validate a security nonce, so an attacker who lures a logged-in user to a malicious website can have that user’s browser submit a request that edits the htaccess file and ultimately take control of the website. This issue has not been fixed and the plugin has been pulled from the WordPress plugin listing.

Events Manager Pro

A CSV Injection issue was found in this plugin, which is used for event registration and management. An attacker could make a booking on a WordPress site and submit malicious content in text fields; that content could then be executed when an administrator exported the bookings and opened them in a spreadsheet application like Excel or Google Sheets. The good news is that the malicious content triggers an error in the spreadsheet for the user, which can help to mitigate this issue. This issue was found in early February and fixed the following day. The same issue was also present in the Events Manager plugin.

Profile Builder

A serious issue was found with this plugin, which is used to create front-end user login and registration on your WordPress site. This issue affects both the regular version and the pro version. Authentication in the plugin was broken and allowed unauthenticated users to register or edit their accounts, which could potentially give them administrator status. Not much information has been released about this issue due to its seriousness, but it was found in mid February and fixed quickly. If you are using this plugin you need to update it now!

Participant Database

A SQL Injection vulnerability was found with this plugin, which is used to build and maintain a database of anything that you need. By injecting SQL into a request it was possible to make the database sleep (a time-based injection), and the issue is exacerbated because the injected query is executed twice, so the site sleeps for twice the length requested. Once the delay was confirmed it was possible to extract data from the database. These issues are rare in the wild, and the researcher who found it remarked that this was the first they had found. The issue was found in early February and fixed in mid February.

GDPR Cookie Consent

An Improper Access Controls issue was found with this plugin, which is used to help make a website GDPR compliant. One of the classes lacks a capabilities check, and the nonce it uses is never verified. Two of the calls it exposes can be easily exploited by an attacker. This can lead to privilege escalation: any authenticated user can change a page’s status from draft to published and can change or delete content. It can also lead to an Authenticated Stored XSS issue, since the data is saved to the database without any validation. An attacker can insert their own script into the cookie policy preview page, since input there is unsanitized, and it will be loaded any time a user visits the page. This issue was found in late January and fixed in mid February, after the plugin had been removed from the WordPress plugin directory.

ThemeGrill Demo Importer

Two serious vulnerabilities were found in this plugin, which is used to import demo settings quickly. An Authentication Bypass and the ability for an attacker to completely wipe the database were found, and both stem from the same issue. When the plugin is activated an admin check runs, but it does not actually check whether the user is an administrator or not. Since no authorization is in place, this gives access to the database reset function. If this is triggered it resets the database to its original state with a default administrator password, which the attacker can then change. This issue was discovered in early February, and upon its discovery many users uninstalled the plugin. The issue was fixed in mid February.

Popup Builder

A SQL Injection vulnerability was found with this plugin, which is used to create and manage popups. It was possible for an attacker to insert their own SQL code by way of PHP deserialization of one particular variable. Serialization happens when an object is turned into a stream of bytes so it can be stored in a database; deserialization turns that stream back into an object. If successful, the attacker would be able to create their own administrator account and run remote PHP code.
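The Participant Database and Popup Builder entries above describe two ways untrusted input ends up inside a query: a request value concatenated straight into SQL, and a PHP-serialized blob that is rebuilt with unserialize() and then trusted. The following is an added example, not code from either plugin, showing the vulnerable shape of each beside a hardened version. It assumes it runs inside WordPress ($wpdb, sanitize_email(), wp_unslash(), absint() are WordPress functions); the table names, the ndsx_ prefix and the filter parameter are hypothetical.

```php
<?php
// Added example (not from Participant Database or Popup Builder). Assumes it
// runs inside WordPress so $wpdb, sanitize_email(), wp_unslash() and absint()
// exist. Table names, the ndsx_ prefix and the request parameter are hypothetical.

/**
 * VULNERABLE: the request value is concatenated straight into SQL. A value that
 * includes its own SQL (for example a call that makes the database sleep) becomes
 * part of the query; if the same string is built and run in two places, the
 * injected delay runs twice, which matches the Participant Database write-up.
 */
function ndsx_find_participant_vulnerable( $email ) {
    global $wpdb;
    $sql = "SELECT id, name FROM {$wpdb->prefix}ndsx_participants WHERE email = '" . $email . "'";
    return $wpdb->get_results( $sql );
}

/**
 * HARDENED: $wpdb->prepare() keeps SQL and data separate. %s becomes a quoted,
 * escaped literal, so the value can only ever be compared as a string.
 */
function ndsx_find_participant_hardened( $email ) {
    global $wpdb;
    $email = sanitize_email( $email );
    if ( '' === $email ) {
        return array();
    }
    $sql = $wpdb->prepare(
        "SELECT id, name FROM {$wpdb->prefix}ndsx_participants WHERE email = %s",
        $email
    );
    return $wpdb->get_results( $sql );
}

/**
 * VULNERABLE: unserialize() on attacker-controlled input. PHP rebuilds whatever
 * object graph the string describes, and the decoded fields are then trusted as
 * if they were the plugin's own settings. Here one of them lands unescaped in SQL.
 */
function ndsx_popup_filter_vulnerable() {
    global $wpdb;
    $opts  = unserialize( wp_unslash( $_POST['filter'] ) );
    $order = $opts['orderBy'];   // attacker-chosen string, used as an identifier below
    return $wpdb->get_results( "SELECT * FROM {$wpdb->prefix}ndsx_popups ORDER BY {$order}" );
}

/**
 * HARDENED: accept JSON instead of a PHP-serialized blob (json_decode() cannot
 * instantiate objects), validate each field, and never pass an identifier
 * through prepare(): map the user's choice onto a fixed list of column names.
 */
function ndsx_popup_filter_hardened() {
    global $wpdb;
    $raw  = isset( $_POST['filter'] ) ? wp_unslash( $_POST['filter'] ) : '';
    $opts = json_decode( $raw, true );
    if ( ! is_array( $opts ) ) {
        return array();
    }

    // Allow-list: request key => real column. Anything else falls back to 'id'.
    $allowed_order = array( 'id' => 'id', 'title' => 'title', 'created' => 'created_at' );
    $order = ( isset( $opts['orderBy'] ) && isset( $allowed_order[ $opts['orderBy'] ] ) )
        ? $allowed_order[ $opts['orderBy'] ]
        : 'id';
    $limit = isset( $opts['limit'] ) ? absint( $opts['limit'] ) : 20;

    // The ORDER BY column comes from our own map; only the limit is user data,
    // and %d forces it to an integer.
    $sql = $wpdb->prepare(
        "SELECT * FROM {$wpdb->prefix}ndsx_popups ORDER BY {$order} LIMIT %d",
        $limit
    );
    return $wpdb->get_results( $sql );
}
```

If a plugin genuinely has to read PHP-serialized data that a user can influence, unserialize( $data, array( 'allowed_classes' => false ) ) at least prevents object instantiation, but the decoded values still have to be validated before they touch a query.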

wpCentral

An Improper Access Control issue was found with this plugin, which is used to control your entire WordPress site from a single panel. Weak access controls were in place to protect the connection key, which is displayed by the footer function. This function checks whether the page is part of the administrator interface and then displays the requested information, but it does not check whether the user is an administrator. This means that any logged-in user could view the content in that space. They could also take the key and potentially take over the site, steal information or create backdoors into the site. This issue was discovered in mid February and fixed the following day.
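The wpCentral, ThemeGrill Demo Importer and GDPR Cookie Consent entries above all come down to the same pattern: code runs in the admin area but never verifies who the caller is, and the CSRF entries (Htaccess By BestWebSoft among them) come down to a missing nonce check. The following is an added example, not code from any of these plugins, showing a vulnerable AJAX handler beside a hardened one. It assumes it is loaded as part of a WordPress plugin; the ndsx_ prefix, the action name, the option name and the settings page hook are hypothetical.

```php
<?php
// Added example (not from any plugin mentioned in the post). Assumes it runs
// inside WordPress so add_action(), is_admin(), current_user_can(),
// check_ajax_referer() and wp_send_json_*() are available.
// Action, option and page names are hypothetical.

/**
 * VULNERABLE: is_admin() only says the request is for the admin side of the
 * site (/wp-admin/, which includes admin-ajax.php). It says nothing about WHO
 * is making the request: every logged-in subscriber reaches admin-ajax.php,
 * and with a wp_ajax_nopriv_ hook so does every anonymous visitor.
 */
function ndsx_reset_settings_vulnerable() {
    if ( ! is_admin() ) {
        wp_die( 'Not allowed' );
    }
    delete_option( 'ndsx_settings' );          // destructive action, nobody was checked
    wp_send_json_success( 'settings reset' );
}

/**
 * HARDENED: two independent checks.
 *  1. check_ajax_referer() verifies a nonce tied to this action and to the
 *     current user's session, which stops cross-site request forgery.
 *  2. current_user_can() verifies authorization; 'manage_options' is only
 *     granted to administrators by default.
 * Both are needed: a nonce without a capability check still lets a subscriber
 * act, and a capability check without a nonce still lets a forged request ride
 * on an administrator's session.
 */
function ndsx_reset_settings_hardened() {
    check_ajax_referer( 'ndsx_reset_settings', 'nonce' );   // dies with 403 on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    delete_option( 'ndsx_settings' );
    wp_send_json_success( 'settings reset' );
}

// Only the hardened handler is registered, and only for logged-in users:
// no wp_ajax_nopriv_ hook, so anonymous visitors never reach it.
add_action( 'wp_ajax_ndsx_reset_settings', 'ndsx_reset_settings_hardened' );

// The admin page that issues the request is given a matching nonce.
function ndsx_enqueue_admin_script( $hook_suffix ) {
    if ( 'settings_page_ndsx' !== $hook_suffix ) {
        return;
    }
    wp_enqueue_script( 'ndsx-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'ndsx-admin', 'ndsxAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'ndsx_reset_settings' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'ndsx_enqueue_admin_script' );
```

For a classic form post rather than AJAX the same two checks apply, with wp_nonce_field() in the form and check_admin_referer() in the handler taking the place of wp_create_nonce() and check_ajax_referer().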

Easy Property Listings

A CSRF vulnerability was found with this plugin, which, as its name implies, is a real estate plugin that helps create a real estate site in minutes. Very little information has been provided about this issue, but if a logged-in user viewed a malicious website it was possible for an attacker to perform certain actions on the site. This issue was fixed in mid February.

Modula Image Gallery

An Authenticated Stored XSS vulnerability was found in this plugin, which is used to build fast loading photo galleries on your WordPress site. It was possible for a logged-in low privilege user to inject JavaScript into the gallery image captions. The script would be executed when another user viewed the gallery. This issue was found in mid February and fixed the following day.
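The stored XSS entries above (Strong Testimonials, Modula Image Gallery) share one root cause: user-supplied text is saved as submitted and printed into the page unescaped. The following is an added example, not code from either plugin, showing a caption save-and-display pair in its vulnerable and hardened forms. It assumes it runs inside WordPress; the ndsx_caption meta key, the form field and the nonce action are hypothetical.

```php
<?php
// Added example (not from Strong Testimonials or Modula Image Gallery).
// Assumes WordPress: sanitize_text_field(), wp_kses(), esc_html(), esc_attr(),
// update_post_meta(), get_post_meta(), current_user_can(), check_admin_referer().
// The meta key, form field and nonce action are hypothetical.

/**
 * VULNERABLE save + display: the caption is stored exactly as submitted and
 * printed raw. A low-privileged user who can edit captions stores markup that
 * then runs in the browser of every visitor or administrator who views the
 * gallery, in that viewer's session.
 */
function ndsx_save_caption_vulnerable( $attachment_id ) {
    update_post_meta( $attachment_id, 'ndsx_caption', $_POST['caption'] );
}
function ndsx_render_caption_vulnerable( $attachment_id ) {
    return '<figcaption>' . get_post_meta( $attachment_id, 'ndsx_caption', true ) . '</figcaption>';
}

/**
 * HARDENED: check who is saving, sanitize on the way in, and escape on the way
 * out for the exact context (element text vs attribute value). Output escaping
 * is what actually prevents the script from running; input sanitization limits
 * what gets stored in the first place.
 */
function ndsx_save_caption_hardened( $attachment_id ) {
    if ( ! isset( $_POST['caption'] ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $attachment_id ) ) {
        return;
    }
    check_admin_referer( 'ndsx_save_caption_' . $attachment_id );

    $raw = wp_unslash( $_POST['caption'] );
    // Plain-text caption: strip all tags, octets and control characters.
    $caption = sanitize_text_field( $raw );
    // If limited markup is wanted instead, allow only an explicit tag set:
    // $caption = wp_kses( $raw, array( 'em' => array(), 'strong' => array() ) );
    update_post_meta( $attachment_id, 'ndsx_caption', $caption );
}
function ndsx_render_caption_hardened( $attachment_id ) {
    $caption = get_post_meta( $attachment_id, 'ndsx_caption', true );
    // esc_attr() for the attribute, esc_html() for the element content: each
    // context has its own escaping rules, so each gets its own escaper.
    return sprintf(
        '<figcaption title="%s">%s</figcaption>',
        esc_attr( $caption ),
        esc_html( $caption )
    );
}
```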

ThemeREX Addons

A Remote Code Execution issue was found with this plugin, which is installed as a companion to many ThemeREX themes and provides a number of management features for the theme. One of the functions of the plugin does not verify that a request is coming from an administrator and allows potentially any PHP function to be executed rather than just a small set of them. That means that any visitor to the site can potentially execute code on the site including those not logged in on the site. One thing that can happen is that the attacker can create their own administrator account and take over the site. This vulnerability is being exploited in the wild and no fix for it has been issued yet. If you are using this plugin disable it immediately and check your user list for unknown administrator accounts.

Duplicator

An Unauthenticated Arbitrary File Download vulnerability was found in this plugin, which is used to migrate, copy or clone a website from one location to another and also to back up a site. For this plugin to work it needs to be able to export critical files like the databases. This action is supposed to be available only to users with administrator access. The download operation lets the user download the files they want and place them in their desired location. The problem is that the download option was available to unauthenticated users and no validation of the file paths was present. Directory traversal was also possible, so an attacker could access files outside of what Duplicator allows.

This issue is being exploited in the wild, and it can allow an attacker to steal login credentials, since most of the attacks target the wp-config file. This would allow them to create their own accounts, install backdoors or otherwise compromise the site. This issue was found in mid February and fixed quickly. If you have this plugin installed you should update immediately, and if you believe that you were compromised, check your user page for any unknown users and change your login credentials.
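The Duplicator entry describes two separate defects in one download endpoint: no login requirement and no validation of the requested path. The following is an added example, not Duplicator's code, of a download helper that resolves a user-supplied name inside a fixed export directory and refuses anything that escapes it. It is plain PHP and runs stand-alone; the WordPress capability and nonce checks are shown as comments where they belong. The export directory, file names and ndsx_ prefix are constructed for the demonstration.

```php
<?php
// Added example (not Duplicator's code). Pure PHP, runs stand-alone; the
// WordPress-specific checks appear as comments where they would go.
// The export directory and file names below are constructed for the demo.

/**
 * Resolve a user-supplied file name to a path inside $base_dir, or return null
 * if it escapes the directory or does not match the expected export name.
 *
 * Three independent controls:
 *  1. an allow-list on the name itself (only the export file shape we create),
 *  2. realpath() to collapse ../ segments and symlinks, then a prefix check
 *     against the canonical base directory,
 *  3. the caller must still check authorization before sending any bytes.
 */
function ndsx_resolve_export_path( string $base_dir, string $requested ): ?string {
    // Reject anything that is not one of our own export names up front.
    if ( ! preg_match( '/^[A-Za-z0-9_-]+\.(zip|sql)$/', $requested ) ) {
        return null;
    }
    $base = realpath( $base_dir );
    if ( false === $base ) {
        return null;
    }
    $candidate = realpath( $base . DIRECTORY_SEPARATOR . $requested );
    if ( false === $candidate ) {
        return null;                       // does not exist
    }
    // The canonical path must start with the canonical base plus a separator.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if ( 0 !== strncmp( $candidate, $prefix, strlen( $prefix ) ) ) {
        return null;                       // resolved outside the export directory
    }
    return $candidate;
}

/**
 * The download endpoint. The vulnerable pattern was the equivalent of
 *   readfile( $export_dir . '/' . $_GET['file'] )
 * with no login requirement, so a traversal sequence reached wp-config.php.
 */
function ndsx_serve_export( string $base_dir, string $requested ): bool {
    // Inside WordPress, this is where the missing checks belong:
    //   if ( ! current_user_can( 'manage_options' ) ) { wp_die( 'Forbidden', '', array( 'response' => 403 ) ); }
    //   check_admin_referer( 'ndsx_download_export' );
    $path = ndsx_resolve_export_path( $base_dir, $requested );
    if ( null === $path ) {
        http_response_code( 404 );          // do not explain why the name was rejected
        return false;
    }
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    readfile( $path );
    return true;
}

// Constructed demonstration: a temp export dir holding one legitimate archive.
$export_dir = sys_get_temp_dir() . '/ndsx_exports_' . getmypid();
mkdir( $export_dir );
file_put_contents( $export_dir . '/backup_2020-02.zip', 'placeholder archive bytes' );

var_dump( null !== ndsx_resolve_export_path( $export_dir, 'backup_2020-02.zip' ) ); // bool(true)
var_dump( ndsx_resolve_export_path( $export_dir, '../../wp-config.php' ) );         // NULL: fails the allow-list
var_dump( ndsx_resolve_export_path( $export_dir, 'missing.zip' ) );                 // NULL: not on disk

unlink( $export_dir . '/backup_2020-02.zip' );
rmdir( $export_dir );
```

The allow-list alone already rejects traversal; the realpath() prefix check is kept because it also catches a symlink planted inside the export directory, and because a later change to the name pattern should not silently reopen the hole.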

Chained Quiz

An Authenticated Stored XSS vulnerability was found with this plugin, which is used to create chained or logical quizzes or puzzles on your site. Not much information was released regarding this issue, but three separate parameters allowed an attacker to insert their own code, which would be executed when an administrator completed the settings entry for that parameter. This issue was made public in late February and fixed quickly.

Pricing Table By Supsystic

Several issues were found with this plugin, which is used to create pricing tables so that visitors can see and compare prices, without any programming knowledge required. The first issue was an Insecure Permissions vulnerability. All of the tables use an AJAX hook to create, modify, import and export table settings. The hook allowed an unauthenticated user to send a request and have the requested action completed. On examination it was discovered that a permissions check was missing on nearly every action. This meant that an unauthorized user had the ability to obtain or manipulate sensitive information.

That was followed by an Unauthenticated Stored XSS vulnerability. On import actions no permissions check or input sanitization was in place, so an unauthenticated user could insert malicious code. An attacker could use the previous vulnerability to retrieve a table and add their own code to steal cookies, gain administrator access or even redirect users to a malicious website. A CSRF vulnerability was also found: no nonce checks or other CSRF protections were in place, so the source of a request could not be verified. This would allow an attacker to forge their own request and inject malicious code or modify a table.

These issues were found in mid January and fixed in late February. If you are using this plugin you should update it immediately.

Photo Gallery

Multiple XSS issues were found in this plugin, which is used to build mobile-friendly photo galleries. The issues stem from a lack of sanitization of user input in the gallery and edit image page, which allowed an authenticated user to insert malicious code, but no other information has been made public. This issue was discovered in early February and fixed in late February.

Flexible Checkout Fields For WooCommerce

An Unauthenticated Settings Update issue was found in this plugin, which is used to customize checkout fields in the WooCommerce platform. Not much information has been made available since this issue has been exploited in the wild but it allowed anyone to access plugin settings. This allowed them the ability to create new checkout fields and to inject malicious code. This issue was found in late February and fixed an hour later but several sites had already been hacked.

Envira Photo Gallery

An Authenticated Stored XSS vulnerability was found with this plugin, which is the most powerful premium photo gallery available to WordPress. It was possible for a low privilege user to inject malicious code into the plugin gallery which others would then view. This issue was found in mid February and fixed in late February.

Export Users To CSV

A CSV Injection issue was found with this plugin, which is used to export users from one site to another. An attacker could register as a subscriber on a website and place a malicious payload in the user account details field. When an authenticated user then used the plugin to export the user file, the payload would be executed, which could redirect the user to a malicious website. This issue was found in early February and has not been fixed, as it seems the developers have stopped working on the plugin and have been unresponsive.
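Both CSV injection entries in this post (Events Manager Pro and Export Users To CSV) have the same shape: free-text fields that visitors control are written into a CSV which an administrator later opens in a spreadsheet, and a cell that begins with a formula-trigger character is evaluated rather than displayed. The following is an added example, not code from either plugin, of an export routine that neutralizes every cell before writing it. It is plain PHP and runs stand-alone; the registration rows and the ndsx_ prefix are constructed for the demonstration.

```php
<?php
// Added example (not from Events Manager Pro or Export Users To CSV).
// Plain PHP, runs stand-alone. The sample rows are constructed.

/**
 * Neutralize one cell before it goes into a CSV that humans will open in a
 * spreadsheet. Spreadsheets treat a cell beginning with = + - or @ as a
 * formula, and some still do so after leading spaces or a leading tab.
 * Prefixing a single quote makes the application treat the cell as literal
 * text; line breaks are flattened so a cell cannot smuggle in a second row.
 */
function ndsx_csv_neutralize( $value ): string {
    $value = str_replace( array( "\r", "\n" ), ' ', (string) $value );
    if ( '' === $value ) {
        return $value;
    }
    $first = ltrim( $value, " \t" );
    if ( '' !== $first && false !== strpos( '=+-@', $first[0] ) ) {
        return "'" . $value;
    }
    // A leading tab alone is enough to start formula parsing in some apps.
    if ( "\t" === $value[0] ) {
        return "'" . $value;
    }
    return $value;
}

/** Write a header and rows to a CSV string, neutralizing every data cell. */
function ndsx_csv_export( array $header, array $rows ): string {
    $fh = fopen( 'php://memory', 'w+' );
    fputcsv( $fh, $header );
    foreach ( $rows as $row ) {
        // fputcsv() handles quoting of commas and double quotes; the
        // neutralizer handles what a spreadsheet does AFTER parsing.
        fputcsv( $fh, array_map( 'ndsx_csv_neutralize', $row ) );
    }
    rewind( $fh );
    $csv = stream_get_contents( $fh );
    fclose( $fh );
    return $csv;
}

// Constructed registrations: one ordinary, two whose free-text fields would be
// read as formulas if exported unchanged.
$rows = array(
    array( 'alice@example.com',   'Alice',      'Looking forward to it' ),
    array( 'mallory@example.com', '=SUM(1,1)',  '+1 guest' ),
    array( 'eve@example.com',     '  -vegetarian', "@home\tremote" ),
);
echo ndsx_csv_export( array( 'email', 'name', 'notes' ), $rows );
```

The trade-off is that legitimate values starting with + or - (a phone number, a negative amount) pick up a visible quote in tools that do not strip it; for an export that is only ever consumed by a spreadsheet that is usually acceptable, and it is the defence that the spreadsheet error mentioned under Events Manager Pro only partially provides.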

Hero Maps Premium

An Unauthenticated Stored XSS vulnerability was found with this plugin, which is used to quickly and easily add Google Maps to your website. No sanitization of user input was present, so an attacker could steal cookie-based session information or login credentials, or carry out other attacks. This issue was discovered in late February and fixed a few days later.

wpdefault Backdoor Plugin

This plugin is a malicious plugin. It essentially works like the skimmers that are unfortunately found all too commonly on gas pumps and ATMs across the country. The plugin contains two files; the first is used to capture payment data when a victim clicks Place Order in WooCommerce. The captured data is stored and later sent to a website controlled by the attacker. It is also able to capture login data. On top of that, both the plugin and the user account it creates are hidden, so the plugin does not appear in the list of active plugins. As of right now there is no known fix for this.

Modern Events Calendar Lite

An issue with Multiple Subscribers as well as an XSS vulnerability was found with this plugin, which is used to manage and display events on WordPress. The plugin exposes a number of functions to logged-in users that allow them to manipulate settings and stored data, which can be combined with XSS attacks. This could potentially allow an attacker to create new accounts for their own use. These issues were found in late February and were fixed shortly thereafter.

Async Javascript

A Subscriber and Stored XSS vulnerability similar to the above was found in this plugin, which is used to help with JavaScript loading to improve site load times. No capabilities checks are in place, so low-level users like subscribers are able to modify plugin settings. It is also possible to inject malicious code that will run when an administrator views certain areas of their dashboard. This issue was found in late February and fixed quickly.

10Web Map Builder For Google Maps

An Unauthenticated Stored XSS issue was found with this plugin, which is used to add maps to your WordPress site. The setup functions of this plugin are accessible to unauthenticated users, since no capabilities check is in place. An attacker could potentially inject malicious code that will execute for both logged-in administrators and visitors to the site. This issue was found in late February and was fixed shortly thereafter.

Core

No WordPress core vulnerabilities were disclosed during February 2020.

Themes

Fruitful Theme

An Unauthenticated Reflected XSS vulnerability was found with this theme, a simple theme with light, easy-to-understand options. It was possible for an attacker to insert malicious code via the comments section of a page using this theme. No fix for this issue has been put in place.
