We take a lot of precautions when it comes to the safety and security of your website, but once we hand your website off to you, the burden of maintaining it falls on you. Nicely Done Sites offers a maintenance agreement so that we can continue to maintain your website and keep it as safe and secure as possible. We highly recommend that all of our clients purchase one, but it is not mandatory. If you do not, we hope that you at least keep your WordPress website up to date, and in this series of posts we detail some of the vulnerabilities discovered recently.

For anyone interested, or anyone who missed it, check out last month’s vulnerabilities, and don’t forget to keep your WordPress website up to date!

Plugins

Divi, Extra and Divi Builder

An Authenticated Code Injection was found in these plugins, which are part of the Elegant Themes family. The Divi plugin is used as a standalone drag-and-drop page builder, Extra is used to create stunning page layouts and Divi Builder adds more versatility. Logged-in users with the editor, contributor or author role were able to execute a small set of PHP functions, which could allow an untrustworthy person to do some serious damage to the site. The issue was discovered during a routine audit in early January and was fixed quickly.

WooCommerce Conversion Tracking

A CSRF to XSS vulnerability was discovered in this plugin, which is used to track conversions on the website and provide extra analytics for the owner. The Settings page had no CSRF checks and its input was not sanitised, which could lead to an XSS vulnerability. Not much more information has been made available, but the issue was fixed in early January.

WP Simple Spreadsheet Fetcher For Google

A CSRF vulnerability was found in this plugin, which is used to retrieve information from Google Sheets and display it on your website. A lack of CSRF checks could allow an attacker to forge a request that sets their own API key. This issue was fixed in early January.

Ultimate FAQ

An Unauthenticated Reflected XSS vulnerability was identified in this plugin, which is used to create, organize and show an FAQ section on your WordPress site. The shortcode does not sanitize the HTML it generates from one of its parameters, which creates the vulnerability on any page that uses the shortcode.
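To show what "the shortcode does not sanitize the HTML generated from one of its parameters" looks like in code, here is an added example of a hypothetical [example_faq] shortcode, first written the unsafe way and then with WordPress's context-specific escaping. This is illustration code written for this post, not Ultimate FAQ's own code; the shortcode name, attribute names and the faq_search query parameter are assumptions.

```php
<?php
// Added example, not the plugin's code. Hypothetical [example_faq title="..."] shortcode
// that also reflects a ?faq_search= query parameter back into the page.

// Unsafe version: both the attribute and the query parameter land in the HTML untouched.
// Anything a visitor can put in the URL is echoed on every page using the shortcode,
// which is exactly a reflected XSS sink.
function example_faq_shortcode_unsafe( $atts ) {
    $atts   = shortcode_atts( array( 'title' => 'FAQ' ), $atts, 'example_faq' );
    $search = isset( $_GET['faq_search'] ) ? $_GET['faq_search'] : '';
    return '<div class="faq"><h2>' . $atts['title'] . '</h2>'
         . '<input type="search" name="faq_search" value="' . $search . '"></div>';
}

// Hardened version: sanitize on input, then escape for the exact output context.
function example_faq_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'title' => 'FAQ' ), $atts, 'example_faq' );

    // wp_unslash() undoes WordPress's added slashes; sanitize_text_field() strips tags
    // and control characters from the raw request value.
    $search = isset( $_GET['faq_search'] )
        ? sanitize_text_field( wp_unslash( $_GET['faq_search'] ) )
        : '';

    // esc_html() for element bodies, esc_attr() for attribute values.
    $out = '<div class="faq"><h2>' . esc_html( $atts['title'] ) . '</h2>';
    if ( '' !== $search ) {
        $out .= '<p>' . sprintf( esc_html__( 'Results for: %s', 'example' ), esc_html( $search ) ) . '</p>';
    }
    $out .= '<input type="search" name="faq_search" value="' . esc_attr( $search ) . '">';
    return $out . '</div>';
}
add_shortcode( 'example_faq', 'example_faq_shortcode' );
```

The point to take from the hardened version is that sanitizing (sanitize_text_field) and escaping (esc_html, esc_attr) are separate steps, and the escaping function has to match where the value ends up: an attribute value and an element body need different treatment.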

Minimal Coming Soon & Maintenance Mode

Three different vulnerabilities were found in this plugin, which is used to easily set up a Coming Soon, Maintenance Mode or Landing Page for your WordPress website from day one. A CSRF vulnerability that could lead to Stored XSS was found because the plugin lacked a security nonce check to verify that requests came from a logged-in administrator. This could allow an attacker to craft a request, disguised as a link, that tricks a site owner into modifying the settings. The attacker could then do anything from taking the site out of Maintenance Mode, to temporarily pausing search engines, to injecting malicious code.

An Insecure Permissions vulnerability was also found that allowed an attacker to disable Maintenance Mode, because the plugin relies on the is_admin() function. It is commonly believed that this function checks whether the change comes from an administrator, but it only checks whether the request came from the admin panel. Because of this, any logged-in user had the ability to disable Maintenance Mode on the site. Related to this, another vulnerability affects the ability to import or export theme settings: again the is_admin() function is used, so any logged-in user could make these changes.

These issues were discovered in mid December and fixed in early January.
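The two mistakes described for this plugin (no nonce check, and is_admin() used as if it were a permission check) come up again in several of the CSRF issues in this post, so here is an added example showing a hypothetical maintenance-mode toggle written both ways. This is illustration code for this post, not the plugin's own code; the example_mm_* function names, the option key and the settings page slug are assumptions.

```php
<?php
// Added example, not the plugin's code. A settings handler that turns maintenance mode
// on or off, first with the weak pattern and then hardened.

// Weak pattern. is_admin() is true for any request to a wp-admin URL, including
// admin-ajax.php, and every logged-in user can reach those. There is also no nonce,
// so a request forged from another site by a tricked administrator is accepted.
function example_mm_toggle_weak() {
    if ( ! is_admin() ) {
        return;
    }
    $enabled = isset( $_POST['maintenance_enabled'] ) ? 1 : 0;
    update_option( 'example_mm_enabled', $enabled ); // any logged-in user, any origin
}

// Hardened pattern: verify a nonce bound to this action, then require a real capability.
function example_mm_toggle_hardened() {
    // Dies with a 403 unless the example_mm_nonce field was generated for this action
    // and this user; this is the CSRF check the plugin lacked.
    check_admin_referer( 'example_mm_toggle', 'example_mm_nonce' );

    // manage_options is what "administrator" means on a single site. is_admin() is not
    // a substitute for this line.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change this setting.', 'example' ), '', array( 'response' => 403 ) );
    }

    $enabled = ! empty( $_POST['maintenance_enabled'] ) ? 1 : 0;
    update_option( 'example_mm_enabled', $enabled );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=example-mm' ) ) );
    exit;
}
// admin-post.php routes a POST whose "action" field is example_mm_toggle to this
// handler, and only for logged-in users (admin_post_nopriv_* would be the anonymous hook).
add_action( 'admin_post_example_mm_toggle', 'example_mm_toggle_hardened' );

// The settings form emits the nonce field that check_admin_referer() later verifies.
function example_mm_settings_form() {
    $enabled = (int) get_option( 'example_mm_enabled', 0 );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_mm_toggle">
        <?php wp_nonce_field( 'example_mm_toggle', 'example_mm_nonce' ); ?>
        <label>
            <input type="checkbox" name="maintenance_enabled" value="1" <?php checked( $enabled, 1 ); ?>>
            <?php esc_html_e( 'Enable maintenance mode', 'example' ); ?>
        </label>
        <?php submit_button( __( 'Save', 'example' ) ); ?>
    </form>
    <?php
}
```

Both checks are needed: the nonce stops a forged request from an outside page, and the capability check stops a legitimately logged-in low-privilege account from calling the handler directly. Removing either one reintroduces one of the two vulnerabilities described above.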

InfiniteWP Client

An Authentication Bypass vulnerability was found in this plugin, which allows users to manage an unlimited number of WordPress sites from one server. A mistake in a function in one of the plugin's input files checks whether a class is empty; that determination is made by another function, which may lack an authentication check. When the payload meets the right condition the user is logged in without any further authentication. To exploit this the attacker would only need to know a username that can log into the site. This issue was discovered in early January and fixed a day later.

Backup And Staging By WP Time Capsule

An Authentication Bypass vulnerability was also found in this plugin, which is used to back up your WordPress website and to test changes to the site before they go live. The same issue found in InfiniteWP Client was also present in this plugin. Like that plugin it was discovered in early January and fixed the following day.

WooCommerce – Store Exporter

A CSV Injection issue was found in this plugin, which is used to create product, order, category, tag and user exports to meet store requirements in an easy-to-use Excel spreadsheet. A user with low-level privileges is able to inject content into the exported CSV file, which could lead to that content being executed as a formula when the file is opened in a spreadsheet application. This issue was found in early January and fixed a few days later.

TablePress

A CSV Injection was also found in this plugin, which is used to create and manage tables that can be embedded into posts, pages or widgets. Just like above, it was possible for a low-privilege user to attach code to a CSV spreadsheet which can be executed when the exported file is opened. This issue was detected in early January and fixed in mid January.
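Both CSV Injection issues above come down to the same thing: a cell that starts with a formula character is evaluated by the spreadsheet that opens the export. Here is an added, standalone PHP example (written for this post, not code from WooCommerce – Store Exporter or TablePress) that neutralises such cells on the way out. The sample rows are constructed for the example.

```php
<?php
// Added example, not either plugin's code. Neutralise spreadsheet formula triggers
// in exported CSV cells; plain PHP, no WordPress dependency.

/**
 * Return a cell value that Excel and LibreOffice will treat as text.
 * A cell whose first non-space character is = + - @ or a tab/CR is parsed as a
 * formula; prefixing a single quote forces the text interpretation.
 */
function example_csv_escape_cell( $value ) {
    $value = (string) $value;
    if ( '' === $value ) {
        return $value;
    }
    // Spreadsheets ignore leading spaces before deciding whether a cell is a formula,
    // so inspect the first non-space character. Tabs are deliberately not trimmed.
    $first = substr( ltrim( $value, ' ' ), 0, 1 );
    if ( in_array( $first, array( '=', '+', '-', '@', "\t", "\r" ), true ) ) {
        $value = "'" . $value;
    }
    return $value;
}

/** Build a CSV string, passing every cell through the escaper. */
function example_csv_export( array $rows ) {
    $fh = fopen( 'php://temp', 'r+' );
    foreach ( $rows as $row ) {
        // fputcsv() quotes fields containing commas, quotes or newlines for us.
        fputcsv( $fh, array_map( 'example_csv_escape_cell', $row ), ',', '"', '\\' );
    }
    rewind( $fh );
    $csv = stream_get_contents( $fh );
    fclose( $fh );
    return $csv;
}

// Constructed sample rows: the second "name" is the kind of value a low-privilege
// user could submit and that would otherwise be evaluated on export.
$rows = array(
    array( 'sku', 'name', 'price' ),
    array( 'A100', '=1+1', '9.99' ),
    array( 'A101', '-5 percent sale', '4.50' ),
    array( 'A102', 'Plain, "quoted" name', '2.00' ),
);
echo example_csv_export( $rows );
```

The trade-off to be aware of is that a legitimate value such as a negative number or a name beginning with "-" is also prefixed, so an export produced this way is safe to open but is no longer a byte-for-byte copy of the data. If round-tripping matters, apply the escaper only to columns that contain free text entered by users.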

Video On Admin Dashboard

An Authenticated Stored XSS vulnerability was found in this plugin, which is used to embed YouTube or Vimeo videos on your page. It was possible for a user with administrator capabilities to submit code through the plugin options. This issue was found in mid January and fixed within two days.

Computer Repair Shop

An Authenticated Stored XSS vulnerability was also found in this plugin, which is used to help manage a computer repair service and its clients. As with Video On Admin Dashboard, it was possible for a user with administrator capabilities to submit code through the plugin options. This issue was found in mid January and fixed the following day.

LearnDash

A Reflected XSS vulnerability was found in this plugin, which is used to transform your WordPress site into a learning management system. It was possible for an attacker to post code in the Select Your Courses box, and this input is not sanitized. This could allow the attacker to steal an authenticated user’s cookies or login credentials, perform actions on their behalf, log their keystrokes and more. The issue was found in mid January and fixed the following day.

WP Database Reset

Two different issues were found in this plugin, which is used to reset the database back to its default settings without going through a WordPress reinstallation or modifying any files. The database stores all data related to the site, such as posts, pages, users, site options, comments and more, so should an attacker gain access to it they could wipe out an entire site. In this case any user with abilities above those of a subscriber could do just that. The other vulnerability: if the table was reset, all users would be dropped from the database except the logged-in user, who would automatically be escalated to administrator and so be able to take over the site. These issues were found in early January and fixed about a week later.

Resim Ara

An Unauthenticated Reflected XSS vulnerability was found in this plugin, which is used as an image sharing add-on. Chances are you are not using this plugin, as it is in an Eastern European language, so you can possibly skip this one. User input is not sanitized, meaning an attacker can input their own code and potentially steal login credentials and take over a site. This issue was found in mid January and has not been fixed yet.

Chained Quiz

A Reflected XSS vulnerability was found in this plugin, which is used to create quizzes with chained or conditional logic. One field lets the user enter the number of questions for the quiz, and this input accepts any character. This could allow an attacker to insert their own code to attack the site. This issue was found in mid January and fixed quickly.

Marketo Forms And Tracking

A CSRF vulnerability was found in this plugin, which is used to create forms and track user information. It was possible to inject a script tag into the WordPress Admin Panel, which could then create an XSS vulnerability. No validation of the HTTP request origin and no sanitization of the input is performed, so an attacker can trick an administrator into visiting a malicious web page and perform arbitrary actions on the site. The issue has not been fixed and the plugin has been removed from the plugin store. The issue was made public in mid January.

Contextual Adminbar Color

An Authenticated Stored XSS vulnerability was found in this plugin, which is used to give the admin bar different colors so that different environments can be told apart easily. The input to the $message variable is not sanitized. More information will be provided in early February, but the issue was fixed in mid January.

Batch-Move Posts

A Broken Authentication issue was found in this plugin, which is used to move posts to a new WordPress site. This issue can be escalated into an Unauthenticated Stored XSS vulnerability: it was possible for an attacker to add a payload remotely and have it triggered when the admin visits the settings page. The plugin was removed from the plugin store and the issue was publicized in mid January, still unfixed.

2J SlideShow

An Authenticated Arbitrary Plugin Deactivation issue was found in this plugin, which is used to create slideshows geared for mobile devices. Due to a lack of privilege checks it was possible for a low-privilege user, such as a subscriber, to deactivate some plugin settings. This issue was found in early December, then fixed and made public in mid January.

Chatbot With IBM Watson

A Self-XSS vulnerability was found in this plugin, which is used to automatically provide chat answers to frequently asked questions, provide information and help visitors navigate the website. It was possible for a remote attacker to execute code in a victim’s browser by tricking the victim into pasting it into the chat box. This issue was fixed in late January.

AccessAlly

An Arbitrary PHP Execution issue was found in this plugin, which is used as a membership plugin for course creators and industry leaders. It was possible to run PHP code through a particular function in the plugin, which allowed attackers to execute PHP code on the site. This issue was found being exploited in the wild, but it was fixed in late January.

Contact Form Clean And Simple

An Authenticated Stored XSS vulnerability was found in this plugin, which is used as a simple contact form for your WordPress site. A user with administrator capabilities could submit malicious code through the plugin’s options, and the code would then be executed on every page where the contact form is located. This issue was discovered in mid January and fixed in late January.

Calculated Fields Form 

An Authenticated Stored XSS vulnerability was found in this plugin, which is used to create forms with dynamically calculated fields that display computed values, for example for financial calculations or to create a quote. An authenticated user who edits or creates content is able to inject JavaScript into the form fields. The script is stored in both the back end and the front end, so all users could be a target if the site is compromised. This issue was fixed in late January.

wpCentral

A Privilege Escalation was discovered in this plugin, which allows you to use a single panel to manage multiple WordPress sites. It was possible for any logged-in user to escalate their privileges to become an administrator. Authentication checks were in place, but they only checked whether the user was logged in, not what role they held. A valid key is required for administrators, but that key could be acquired using an AJAX function. This issue was discovered in late January and fixed a day later.

WP DS FAQ Plus

A Stored XSS vulnerability was found in this plugin, which is used for simple FAQ management. This plugin is an improvement on WP DS FAQ, which had serious SQL Injection and CSRF issues, but chances are you are not using this plugin as it is designed for the Japanese language. In this one, weak security checks on the questions form could allow an attacker to insert malicious code. This issue was fixed in late January.

WPS Hide Login

A vulnerability that disclosed the secret login page was found in this plugin, which is used to change the URL of the page used to log in to the site. The login page of a typical WordPress website is at a standard address, which makes it easy for an attacker to reach it and attempt to log in. Some requests are not decoded using the normal functions when the plugin loads, which would let an attacker encode their own request in the URL, bypass the plugin and be redirected to the hidden login page. This issue was found in late January and fixed on the same day.

Code Snippets

A CSRF issue was found in this plugin, which is used to run PHP code snippets that customize site functionality, removing the need to add custom snippets to your functions file. It was possible for anyone to forge a request on behalf of an administrator and inject malicious code into the site. The import function lacks sanitization, which allows the attacker to insert code. From there they could create an administrator account, remove sensitive information, infect other users and more, turning this into a Remote Code Execution vulnerability. This issue was found in late January and fixed two days later.

Elementor Page Builder

Two different XSS vulnerabilities were found in this plugin, which is a popular all-in-one solution for controlling every aspect of web design from one place. An Authenticated Reflected XSS issue was found during a test by a cyber security group that tried every possible place where code could be entered. It was possible to enter an IP address in hexadecimal (base 16) format that could point to a remote server. This issue is easy to find but difficult to exploit, and it has since been fixed.

An Authenticated Stored XSS issue was also found. Not much information has been provided about it, but it is possible for malicious code to be injected into the System Info page, and if an administrator visits the page the code is executed. This could possibly be used to create a separate administrator account for the attacker, or a backdoor for the attacker to use. Like the other vulnerability, this issue has also been fixed.

GistPress

An XSS issue was found in this plugin, which is used to embed gists and files from GitHub into blog posts or web pages. A file in the plugin had unknown functionality, and it was possible to manipulate the id function to inject HTML code or scripts into the site. This would allow the attacker to change the appearance of the website or mount further attacks on the site. This issue was fixed in late January.

Core

No WordPress core vulnerabilities were disclosed during January.

Theme

Elegant Themes

An Authenticated Code Injection was found within this theme. It allowed logged in contributors, authors and editors to execute PHP functions. This also includes the Divi, Extra and Divi Builder plugins as already mentioned. The issue was discovered during a routine audit by the Elegant Themes team and the issue was fixed in early January. The fix has been made available to all users of the theme and not just those with active subscriptions.

TownHub

Multiple issues were found in this theme, which is a directory and listing theme. An Unauthenticated XSS vulnerability was found, as was an Authenticated Persistent XSS vulnerability. An Insecure Direct Object Reference (IDOR) vulnerability was also found; IDOR vulnerabilities see attackers change the header values of cookies to gain access to other users’ objects. It was possible to insert cookie-stealing code to hijack the user or administrator session, or to force a redirect to a malicious website. It was also possible to delete any post, page or listing on the site. These issues were found at the end of December and fixed in early January, after the theme had been temporarily removed.
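The IDOR described here (any logged-in user deleting any listing) and the wpCentral issue above (checks that confirm the user is logged in but not what they are allowed to do) are both fixed by the same habit: authorize the specific object, not just the session. Here is an added example of a hypothetical AJAX "delete listing" endpoint written both ways. It is illustration code for this post, not TownHub's or wpCentral's code; the hook name, nonce action and the example_listing post type are assumptions.

```php
<?php
// Added example, not the theme's code. An admin-ajax.php endpoint that deletes a listing,
// first with a login-only check and then with object-level authorization.

// Weak pattern: the ID comes straight from the request and only login is verified,
// so any subscriber can delete any post on the site by guessing IDs.
function example_delete_listing_weak() {
    if ( ! is_user_logged_in() ) {
        wp_send_json_error( 'login required', 401 );
    }
    $post_id = (int) $_POST['listing_id'];
    wp_delete_post( $post_id, true );   // wp_delete_post() performs no capability check itself
    wp_send_json_success();
}

// Hardened pattern.
function example_delete_listing() {
    // CSRF: the request must carry a nonce issued to this user for this action.
    check_ajax_referer( 'example_delete_listing', 'nonce' );

    $post_id = isset( $_POST['listing_id'] ) ? absint( $_POST['listing_id'] ) : 0;
    $post    = $post_id ? get_post( $post_id ) : null;

    // The object must exist and be of the type this endpoint is meant to manage;
    // otherwise the endpoint becomes a generic "delete anything" function.
    if ( ! $post || 'example_listing' !== $post->post_type ) {
        wp_send_json_error( 'not found', 404 );
    }

    // Per-object capability. WordPress maps delete_post to delete_posts or
    // delete_others_posts depending on whether the current user is the author,
    // so this single line is the IDOR check: right user, right object.
    if ( ! current_user_can( 'delete_post', $post_id ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    wp_delete_post( $post_id, true );
    wp_send_json_success( array( 'deleted' => $post_id ) );
}
// Logged-in requests only; a wp_ajax_nopriv_ hook is intentionally not registered.
add_action( 'wp_ajax_example_delete_listing', 'example_delete_listing' );

// Where the nonce comes from: the page that renders the delete button hands it to
// its script, e.g. wp_localize_script( 'example-listings', 'exampleListing',
// array( 'nonce' => wp_create_nonce( 'example_delete_listing' ) ) );
```

The two checks in the hardened handler are doing different jobs: check_ajax_referer() stops a forged request from another site, and current_user_can( 'delete_post', $post_id ) stops a genuine low-privilege session from acting on an object it does not own. A handler that only confirms the user is logged in, which is the pattern described for wpCentral, is missing the second one.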

CityBook

The same issues that were found with TownHub were also found with CityBook, a theme that is also a directory and listing theme. Like with the above issues it was fixed in early January.

EasyBook

The same issues that were found in TownHub and CityBook were also found in this theme, which is a hotel booking and directory theme. As with the issues above, it was fixed in early January.

Travel Booking

A Reflected and Persistent XSS vulnerability was found in this theme, which is used to create booking forms and accept payments. It was possible for an attacker to insert code that could hijack user or administrator information or force a redirect to a malicious website. This issue was found in mid January and fixed two days later.

Real Estate 7

Multiple issues were found in this theme, which is used for real estate and commercial listings. An Unauthenticated Reflected XSS vulnerability was found. An Authenticated Persistent XSS vulnerability was also found, as was an Authenticated Persistent Self-XSS vulnerability. An IDOR issue was also found. Lastly, an Information Exposure issue was found. As with many of the issues above, it was fixed in early January.

ListingPro

An Unauthenticated Reflected XSS vulnerability was found in this theme, which is used for real estate listing. Like with the above issues it was fixed in early January.

CarSpot

Multiple issues were found in this theme, which is used for car dealerships. Two different Authenticated Persistent XSS issues were found, in the registration form and user profile and in the Ad Post. An IDOR vulnerability was also found. These issues were found in mid January, and most of them were fixed in late January, but not all have been.
