We take a lot of precautions when it comes to the safety and security of your website, but once we hand your website off to you, the burden of maintaining it falls on you. Nicely Done Sites offers a maintenance agreement so that we can continue to maintain your website and keep it as safe and secure as possible. We highly recommend that all of our clients purchase one, but it is not mandatory. If not, we hope that you at least keep your WordPress website up to date, and in this series of posts we are going to detail some of the vulnerabilities discovered recently.
If you want to check out last month’s list, check out this list and see if you are using any of the affected plugins or themes. If you are, make sure that you update them or purchase a maintenance agreement from Nicely Done Sites for your website.
Plugins
Paid Memberships Pro
An Unauthenticated Open Redirect vulnerability was discovered with this plugin, which is used to manage memberships, accept payments and create a social space for users. When a user logs in they are redirected, and this redirect could potentially be hijacked to send the user to another site. The code was changed to redirect users safely. This issue was discovered at the end of May and fixed a few days later.
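As an added example (not Paid Memberships Pro's own code), here is the post-login redirect pattern described above in an unsafe form and in the safe form WordPress provides for it; the function names and the fallback path are assumed.

```php
<?php
// Added example (not Paid Memberships Pro's code): the post-login redirect
// described above, first as it is typically written unsafely, then hardened
// with WordPress's own helpers. Function names and the fallback path are assumed.

// UNSAFE: the destination comes straight from the request, so a crafted login
// link can send the member to any external host once they have logged in.
function ndsx_login_redirect_unsafe() {
    $to = isset( $_REQUEST['redirect_to'] ) ? $_REQUEST['redirect_to'] : home_url();
    wp_redirect( $to ); // accepts any URL, including off-site ones
    exit;
}

// SAFE: wp_validate_redirect() keeps only URLs on this site's host (plus hosts
// added through the 'allowed_redirect_hosts' filter) and returns the fallback
// otherwise; wp_safe_redirect() applies the same host check again on the way out.
function ndsx_login_redirect_safe() {
    $requested = isset( $_REQUEST['redirect_to'] ) ? wp_unslash( $_REQUEST['redirect_to'] ) : '';
    $to = wp_validate_redirect( $requested, home_url( '/members/' ) );
    wp_safe_redirect( $to );
    exit;
}

// If members legitimately land on a second domain you control, allow-list it
// explicitly rather than falling back to wp_redirect(). Placeholder host.
add_filter( 'allowed_redirect_hosts', function ( $hosts ) {
    $hosts[] = 'members.example.com';
    return $hosts;
} );
```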
Crelly Slider
An Arbitrary File Upload vulnerability was discovered with this plugin, which lets users display creative content, from text to YouTube videos, on their page. It was possible for an authenticated user to upload PHP scripts to remove sliders or even take over the site, since no proper authentication check is performed on the user; the only check performed is whether the user is able to load the dashboard. Any .zip file is accepted for upload and the destination folder is accessible to the attacker. This issue was discovered at the end of May and has not yet been fixed.
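An added example, not Crelly Slider's code, showing what an upload handler for zipped slider content needs to check before accepting an archive; the nonce action, capability, form field and destination folder names are assumed.

```php
<?php
// Added example, not Crelly Slider's code: a hardened handler for the "upload a
// .zip of slider content" flow described above. The nonce action, capability,
// form field and destination folder names are assumptions.

function ndsx_handle_slider_zip_upload() {
    // 1. Authorization and CSRF: only a site manager may import, and the form
    //    must carry a nonce so a forged request from another site is rejected.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'ndsx_slider_import' );

    if ( empty( $_FILES['slider_zip']['tmp_name'] ) || UPLOAD_ERR_OK !== $_FILES['slider_zip']['error'] ) {
        wp_die( 'No file uploaded.' );
    }
    $tmp = $_FILES['slider_zip']['tmp_name'];

    // 2. Check the upload against WordPress's allowed types (and, where it can,
    //    the real MIME type), not just the ".zip" at the end of the filename.
    $type = wp_check_filetype_and_ext( $tmp, $_FILES['slider_zip']['name'] );
    if ( 'zip' !== $type['ext'] ) {
        wp_die( 'Only zip archives are accepted.' );
    }

    // 3. Inspect every entry BEFORE extracting: refuse anything the web server
    //    could execute as code, and any path that escapes the target directory.
    $zip = new ZipArchive();
    if ( true !== $zip->open( $tmp ) ) {
        wp_die( 'Corrupt archive.' );
    }
    $blocked = array( 'php', 'phtml', 'php3', 'php4', 'php5', 'php7', 'phar', 'htaccess' );
    for ( $i = 0; $i < $zip->numFiles; $i++ ) {
        $name = $zip->getNameIndex( $i );
        $ext  = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
        if ( in_array( $ext, $blocked, true ) || false !== strpos( $name, '..' ) || '/' === substr( $name, 0, 1 ) ) {
            $zip->close();
            wp_die( 'Archive contains a disallowed entry: ' . esc_html( $name ) );
        }
    }

    // 4. Extract into a fresh, randomly named folder under uploads, where PHP
    //    execution should already be disabled at the web-server level.
    $upload = wp_upload_dir();
    $dest   = trailingslashit( $upload['basedir'] ) . 'ndsx-sliders/' . wp_generate_password( 12, false );
    wp_mkdir_p( $dest );
    $zip->extractTo( $dest );
    $zip->close();
}
```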
Breadcrumbs by Menu
Multiple issues were discovered with this plugin, which is used to generate secondary navigation links on a site (aka breadcrumbs), including an XSS and a CSRF vulnerability. No nonce check and no sanitization of user input was performed, which would allow any user, rather than just the administrator, to edit the settings of the plugin. This issue was discovered in early June and fixed a few days later.
Download Manager
More issues for this plugin, a management plugin that lets site owners track file downloads from the website. Numerous sanitization issues were discovered within the email template and package settings, because no sanitization of user input was performed. This vulnerability could allow any user to insert their own code and gain administrator access to take over the website. This issue was discovered in early June and fixed a few days later.
Easy Digital Downloads
An XSS vulnerability was discovered with this plugin, which did not check IP addresses nor provide any filtering or sanitization. This issue was discovered in mid-June and fixed a day later.
WP-Members
A Cross-Site Request Forgery vulnerability was discovered with this plugin, a popular plugin that provides website membership and lets you create custom registration fields. It allowed an attacker not only to add those fields but also to edit and delete them, and to change the URL in the download option so that a visitor would be redirected to another site. No sanitization was in place in the code; this issue has been fixed as of mid-June.
IP Address Blocker
Another Cross-Site Request Forgery vulnerability with this plugin, which, as its name implies, is used to block IP addresses. Specific IP addresses can be blocked from accessing the directory site, and it helps with the SSL certificate on the registration and submission pages so that users who are trying to harm a website can be blocked. No sanitization was present in the code, which could allow an attacker to exploit an Arbitrary File Upload issue. This issue was identified in mid-June and fixed a few days later.
WebP Express
Yet another Cross-Site Request Forgery vulnerability affecting this plugin, which helps display images on mobile devices so they use less bandwidth. No security checks were present; they have since been added as of mid-June. Later in June an Authenticated Stored XSS vulnerability was discovered for much the same reason: no sanitization of the input was in place. Sanitization was put in place alongside the previous fix and all issues have been fixed.
Real Estate Manager
An Arbitrary Settings Update vulnerability was discovered with this plugin, which is used to list real estate through a WordPress site. No sanitization or Cross-Site Request Forgery checks were in place, which could allow an attacker to take over the admin functions of the plugin and hence the website. No fix for this plugin has been put in place and it has been pulled from the WP Plugin Store. If you are using this plugin, you may want to consider using another.
Facebook for WooCommerce
Another Cross-Site Request Forgery vulnerability was discovered in this plugin, which has been installed over 200,000 times. This is not as dangerous as other CSRF vulnerabilities and does require a lot of technical knowledge to exploit. No sanitization was included, and it could allow an attacker to take over a WordPress site, though it does not seem to have been exploited. This vulnerability was disclosed publicly by a company that specializes in finding vulnerabilities, rather than through the proper channels that would have allowed the plugin developer to fix it first. This issue has been fixed and anyone using this plugin needs to update immediately.
Messenger Customer Chat
See Facebook for WooCommerce above. This is the same CSRF issue and was disclosed in the same manner by the same company. Just like Facebook for WooCommerce it has been fixed, and if you are running this plugin you should update it immediately.
Easy PDF Restaurant Menu Upload
A Cross-Site Scripting vulnerability was found with this plugin, which lets users manage restaurant menus on their WordPress site. No sanitization of the uploaded file was performed, which could open up a potential issue. This issue was fixed in mid-June.
GA Backend Tracking
Another Cross-Site Scripting vulnerability was found with this plugin, which uses the Google Analytics Measurement Protocol to send server-to-server tracking requests. Again, no sanitization of the input was performed, allowing a user to potentially insert their own code and damage the website. The issue was fixed as of mid-June.
SEO by Rank Math
Yet another Cross-Site Scripting vulnerability for this plugin, which provides SEO tools to help a website grow and attract more visitors. No sanitization was performed, nor was there a check on the user’s permissions, which would allow any user to potentially gain administrative access. The issue has been fixed as of mid-June.
Another vulnerability, an Arbitrary Settings Reset, was discovered later in June. It allowed any authenticated user, no matter what level of access they have, to reset the settings of the plugin. This issue was made public in late June and fixed quickly.
Shortlinks by Pretty Links
Two different vulnerabilities were discovered for this plugin, which is used to shorten or clean up links on a website. A Cross-Site Scripting vulnerability was discovered: when a user retrieved a function, no sanitization of the code was applied. An attacker could insert code that would target the administrator and eventually gain access, viewing page statistics at best and executing their own code at worst. A CSV injection vulnerability was also discovered that allowed an attacker to insert malicious content into a CSV file that would be executed when the file is loaded into a spreadsheet. These vulnerabilities were discovered in mid-June and fixed a few days later.
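An added example, not Pretty Links' code, of the CSV injection mitigation a statistics export such as the one described above needs; the row data is constructed.

```php
<?php
// Added example (not Pretty Links' code): neutralizing spreadsheet formula
// injection when exporting link statistics to CSV, the second issue described
// above. The rows are constructed for illustration.

// A cell beginning with '=', '+', '-' or '@' (or a leading tab/newline before
// one of them) is interpreted as a formula when the CSV is opened in Excel or
// LibreOffice, so attacker-controlled text such as a referrer string can become
// a live formula on the administrator's machine.
function ndsx_csv_safe_cell( $value ) {
    if ( is_int( $value ) || is_float( $value ) ) {
        return $value; // genuine numbers (including negatives) are left alone
    }
    $value = ltrim( (string) $value, "\t\r\n" );
    if ( '' !== $value && in_array( $value[0], array( '=', '+', '-', '@' ), true ) ) {
        // A leading apostrophe forces the spreadsheet to treat the cell as text.
        $value = "'" . $value;
    }
    return $value;
}

// Writes every cell through the neutralizer; fputcsv handles quoting.
function ndsx_export_stats_csv( array $rows, $stream ) {
    foreach ( $rows as $row ) {
        fputcsv( $stream, array_map( 'ndsx_csv_safe_cell', $row ) );
    }
}

// Constructed sample: the third column comes from visitors' Referer headers,
// so it is under an outside party's control.
$rows = array(
    array( 'slug', 'clicks', 'top referrer' ),
    array( 'promo', 42, 'https://example.com/newsletter' ),
    array( 'deal', 7, '=HYPERLINK("https://example.com/","Open report")' ),
);
$out = fopen( 'php://output', 'w' );
ndsx_export_stats_csv( $rows, $out );
fclose( $out );
// The last row is written as '=HYPERLINK(... with a leading apostrophe, so the
// spreadsheet shows the text instead of rendering a clickable formula.
```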
Import Users From CSV With Meta
An XSS vulnerability was discovered with this plugin, which is used to import users into a WordPress site through a CSV file. It is useful for importing metadata for WooCommerce users and allows roles to be assigned to the imported users. Not much information is available, but an XSS vulnerability existed due to the way the data was displayed. The issue was reported in late June and fixed quickly.
Deny All Firewall
Yet another Cross-Site Request Forgery vulnerability with this plugin, which is used to block access to everything on the site except genuine content. It does this by creating rules in the .htaccess file, and this vulnerability allows an attacker to remove those rules and disable the plugin. This is a new plugin with fewer than 100 installations, so chances are your Nicely Done WordPress site is not running it, but this issue was fixed within one day of its discovery.
CP Contact Form With PayPal
An Authenticated XSS vulnerability with this plugin, which creates a contact form on a website and links it to a PayPal account. Information about the payment is stored in the WordPress database, which makes it a lucrative target. No sanitization of the input in the fields was performed, which means anything could be entered. This vulnerability was fixed by removing the user's ability to input special characters, less than a day after discovery.
Custom 404 Pro
An Authenticated Reflected XSS vulnerability was discovered in this plugin, which is used to display a custom message when a user encounters a 404 error, or to redirect the user to another page. It would be possible for an attacker to commandeer this plugin to redirect a user to another site, since the input was not sanitized. This issue was fixed in less than a day after discovery.
Ads For WP
Yet another Cross-Site Request Forgery vulnerability was discovered in this plugin, which is an ad inserter for your WordPress site. Little information is available, but the issue was corrected at the end of June.
WP Ultimate Recipe
Another Authenticated Stored XSS vulnerability for this plugin, which is used to display recipes on a WordPress site. Since recipes could be uploaded, custom fields were necessary, and the input of those fields was not sanitized. The issue was resolved at the end of June.
WP Converter For Media
Another Cross-Site Request Forgery vulnerability was found with this plugin, which is used to convert media to help a webpage load faster. The file path that the images were uploaded to was not sanitized. This issue was corrected at the end of June.
ACF Better Search
Another Cross-Site Request Forgery vulnerability was found in this plugin, which allows users to search a WordPress site not only through WordPress’ built-in search but also through custom fields. No sanitization of the input was present. This issue was fixed at the end of June.
WP Better Permalinks
Another Cross-Site Request Forgery vulnerability was discovered with this plugin, which is used to set permalinks and custom permalink structures. No sanitization of the inputs was present, which could allow an attacker to make updates to the plugin options. This issue was fixed at the end of June.
360 Product Rotation
An XSS vulnerability was discovered with this plugin, which is used to create a 360-degree view of a product for display on the web. None of the fields that would be uploaded were sanitized; this issue has since been fixed as of the end of June.
Block WP Login
A Cross-Site Request Forgery vulnerability was found with this plugin which could allow an attacker or an unauthorized user to change the plugin settings and update or remove settings. This plugin is used to block the default WordPress login page and redirect it to a secret URL for login access. No nonce checks or authorization checks were present; they have since been added as of the end of June.
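The Breadcrumbs by Menu, Real Estate Manager, WP Better Permalinks and Block WP Login entries all describe the same missing checks on a plugin settings form. As an added example, not code from any of those plugins, here is that pattern first with the checks absent and then with them present; option, field and nonce names are assumed.

```php
<?php
// Added example, not code from any plugin named in this post: the settings-save
// pattern behind the Breadcrumbs by Menu, Real Estate Manager, WP Better
// Permalinks and Block WP Login entries, first as the vulnerable shape these
// reports describe, then with the missing checks added. Option, field and
// nonce names are assumptions.

// VULNERABLE: no capability check, no nonce, raw input stored and echoed back.
// Any logged-in user, or a victim who submits a forged form, rewrites settings.
function ndsx_save_settings_vulnerable() {
    if ( isset( $_POST['ndsx_login_slug'] ) ) {
        update_option( 'ndsx_login_slug', $_POST['ndsx_login_slug'] );
        update_option( 'ndsx_redirect_url', $_POST['ndsx_redirect_url'] );
    }
    echo '<input name="ndsx_login_slug" value="' . get_option( 'ndsx_login_slug' ) . '">';
}

// HARDENED: authorization, CSRF nonce, per-field sanitization on the way in
// and escaping on the way out.
function ndsx_save_settings_hardened() {
    if ( isset( $_POST['ndsx_login_slug'] ) ) {
        // Authorization: only users who manage the site may change settings.
        if ( ! current_user_can( 'manage_options' ) ) {
            wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
        }
        // CSRF: the form must carry a nonce minted for this action and user.
        check_admin_referer( 'ndsx_save_settings', 'ndsx_nonce' );

        // Sanitize each field for what it is: a URL slug and a URL.
        $slug = sanitize_title( wp_unslash( $_POST['ndsx_login_slug'] ) );
        $url  = esc_url_raw( wp_unslash( isset( $_POST['ndsx_redirect_url'] ) ? $_POST['ndsx_redirect_url'] : '' ) );
        if ( '' === $slug ) {
            wp_die( 'Login slug may not be empty.' );
        }
        update_option( 'ndsx_login_slug', $slug );
        update_option( 'ndsx_redirect_url', $url );
    }

    // Escaping on output closes the stored-XSS path even for an old bad value.
    echo '<form method="post">';
    wp_nonce_field( 'ndsx_save_settings', 'ndsx_nonce' );
    echo '<input name="ndsx_login_slug" value="' . esc_attr( get_option( 'ndsx_login_slug', '' ) ) . '">';
    echo '<input name="ndsx_redirect_url" value="' . esc_attr( get_option( 'ndsx_redirect_url', '' ) ) . '">';
    submit_button();
    echo '</form>';
}
```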
Widget Logic
A Cross-Site Request Forgery vulnerability was discovered with this plugin, which is used to dynamically toggle widget visibility. As the plugin’s authors state, the code is visible to anyone who has access to it and can be manipulated, since the key component of the plugin is customization via PHP code. The CSRF vulnerability allowed an attacker to create an administrator account, which upgrades this to a Remote Code Execution vulnerability, as they would then be able to insert their own code. No check for user permissions was performed; this has since been fixed.
Watu Quiz
An XSS vulnerability was found within this plugin, which is used to create exams and quizzes on your WordPress site. Input for the quiz answers was necessary but was not sanitized. This opened up the possibility of a Reflected XSS attack via the question form for the quiz. The issue was fixed at the end of June.
Core
No Core vulnerabilities were discovered during this month, but WordPress 5.2.2 was released, so don’t forget to update if you haven’t already.
Theme
No Theme vulnerabilities were discovered during June.