We take a lot of precautions when it comes to the safety and security of your website, but once we hand your website off to you, the burden of maintaining it falls on you. Nicely Done Sites offers a maintenance agreement so that we can continue to maintain your website and keep it as safe and secure as possible. We highly recommend that all of our clients purchase one, but it is not mandatory. If not, we hope that you at least keep your WordPress website up to date, and in this series of posts we detail some of the vulnerabilities discovered recently.
If you haven’t already read it, check out February’s list here.
Plugins
Freemius Library
This is a monetization, marketing and analytics library used by developers and bundled with many other popular WordPress plugins, such as NextGEN Gallery, which is installed on over one million WordPress sites. The flaw was an Authenticated Option vulnerability that potentially allowed anyone with a WordPress account to take control of the site. It was discovered at the end of February and was not made public until patches were in place; it was published at the beginning of March once the vulnerability was fixed.
Fastest Cache
This is an Arbitrary File Deletion vulnerability: an attacker can specify a directory path and have the files in it deleted. The path portion of the Referer header is not validated, which lets the attacker build a path that is then passed to the function that deletes files. Besides data loss, this can also lead to a Denial of Service. The good news is that a few specific conditions needed to be met for the vulnerability to be exploitable: certain configurations had to be in place and another plugin, WP-PostRatings, had to be installed. This vulnerability was reported at the end of January and patched in mid-February before being disclosed to the public in mid-March.
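As an added illustration (not Fastest Cache's own code), here is a cache-purge helper that takes a URL path, resolves it inside the cache root and refuses to delete anything that escapes that root; the constant NDS_CACHE_ROOT and the function nds_purge_cache_path() are assumed names. Wherever the path comes from (ideally a nonce-checked request parameter rather than the Referer header), this containment check is what keeps deletion inside the cache directory.

```php
<?php
// Added illustration, not the plugin's own code. The cache root and the
// function name are assumptions for this example.
define('NDS_CACHE_ROOT', WP_CONTENT_DIR . '/cache/pages');

/**
 * Delete the cached HTML for one URL path. Returns false (and deletes
 * nothing) unless the resolved directory is inside NDS_CACHE_ROOT.
 */
function nds_purge_cache_path(string $raw): bool {
    // Keep only the path component; a full URL from a header could carry
    // a scheme, host or query string that must not reach the filesystem.
    $path = parse_url($raw, PHP_URL_PATH);
    if (!is_string($path) || $path === '') {
        return false;
    }
    // Allow only simple slug segments and reject any '..' outright.
    if (strpos($path, '..') !== false
        || !preg_match('#^(/[A-Za-z0-9._-]+)*/?$#', $path)) {
        return false;
    }
    $root   = realpath(NDS_CACHE_ROOT);
    $target = realpath(NDS_CACHE_ROOT . '/' . trim($path, '/'));
    // realpath() collapses symlinks and returns false for missing paths;
    // after that, require the target to sit under the cache root.
    if ($root === false || $target === false
        || strpos($target . '/', $root . '/') !== 0) {
        return false;
    }
    // Only the cache files in that one directory are removed.
    foreach (glob($target . '/*.html') ?: [] as $file) {
        unlink($file);
    }
    return true;
}
```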
Abandoned Cart Lite for WooCommerce
This plugin allows ecommerce site owners to track what has been abandoned in shopping carts and try to convert those carts into sales, and it had a major XSS vulnerability. An attacker builds their own shopping cart, fills the information fields with unsanitized JavaScript payloads and then abandons the cart. That code is executed when an administrator logs in and views the abandoned carts.
From there the attacker can give themselves administrator access, or they can see all of the plugins that have been disabled by the site administrator and alter a plugin's main file with malicious scripts, creating a backdoor. This vulnerability is a major issue, with potentially thousands of sites already hit. If a user with the username [email protected] appears on your site, you have been hit and should have a security audit conducted as soon as possible. This vulnerability was patched in mid-March.
SG Optimizer and Caldera Forms Pro
This is an Unauthenticated File Upload vulnerability. Both plugins use the REST API to provide new features, and the API endpoints they register fail to restrict sensitive functionality: the permission attribute on the endpoint makes it accessible to the public. This makes it possible to download any file from the site and could escalate into a PHAR unserialization vulnerability. With over 500,000 installs of these plugins this is a far-reaching issue, though it does not appear to have ever been exploited. The vulnerability in SG Optimizer was identified in mid-January and fixed within two days, while the vulnerability in Caldera Forms Pro was identified in early March and fixed within a week.
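The permission problem described above comes down to how a REST route is registered. As an added example (not code from SG Optimizer or Caldera Forms), the route below shows the weak permission setting in a comment next to a hardened permission_callback; the namespace nds/v1, the route and nds_export_settings() are assumed names.

```php
<?php
// Added illustration, not code from SG Optimizer or Caldera Forms. The
// namespace nds/v1, the route and nds_export_settings() are assumed names.
add_action('rest_api_init', function () {
    register_rest_route('nds/v1', '/export-settings', [
        'methods'  => 'GET',
        'callback' => 'nds_export_settings',
        // Weak form: '__return_true' (or omitting the callback on WordPress
        // before 5.5) makes this endpoint reachable by any unauthenticated
        // visitor, which is the pattern described above.
        // Hardened form: require the capability the action actually needs.
        'permission_callback' => function (WP_REST_Request $request) {
            if (!current_user_can('manage_options')) {
                return new WP_Error(
                    'rest_forbidden',
                    'Administrator capability required.',
                    ['status' => rest_authorization_required_code()]
                );
            }
            return true;
        },
        // Declare and constrain the only argument the endpoint accepts so
        // the callback never sees an arbitrary value.
        'args' => [
            'section' => [
                'type'              => 'string',
                'enum'              => ['general', 'cache'],
                'default'           => 'general',
                'sanitize_callback' => 'sanitize_key',
            ],
        ],
    ]);
});

function nds_export_settings(WP_REST_Request $request) {
    $section = $request->get_param('section');
    // Return only the plugin's own option rather than any file on disk.
    $settings = get_option('nds_settings_' . $section, []);
    return rest_ensure_response(['section' => $section, 'settings' => $settings]);
}
```

Cookie-authenticated callers must also send the X-WP-Nonce header, otherwise current_user_can() evaluates as a logged-out user and the request is refused.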
Better Search
Not much information is available about this vulnerability other than that it is an Unauthenticated SQL Injection. It has not been fixed yet.
GraceMedia Media Player
This is a Local File Inclusion vulnerability resulting from unsanitized input, which could lead to data leakage or server compromise. Client systems can also be targeted and compromised. The vendor was contacted when the vulnerability was discovered in early February, but no fix has been submitted, so if you use this plugin it is recommended that you disable it until a fix is released.
Easy WP SMTP
This popular plugin, which lets users configure and send email through an SMTP server so that messages do not land in a junk/spam folder, had a vulnerability that gave an unauthenticated user the ability to modify WordPress options or inject and execute malicious code. They could send an AJAX request that triggers an admin function to view or delete the admin log, import or export the plugin configuration, and update options in WordPress. It was discovered on March 15 and fixed on March 17.
Social Warfare
This is another XSS vulnerability. It allowed an attacker to insert JavaScript code into the social share links on a site's posts, overwriting what the user entered, and it could divert traffic to malicious or pornographic websites. The plugin lets users clone settings from other sites, but that ability was not restricted to administrators or even to logged-in users. The vulnerability was discovered in late March; the plugin was removed from WordPress' plugin library and users who had it installed were advised to disable it. The issue was fixed two days after discovery.
Font Organizer
Another XSS vulnerability. It allows an attacker to execute code in the application, bypass CSRF protections, read any data and perform any function that a legitimate user can. This vulnerability was discovered in October and, due to a lack of response from the developer, was made public in February and again in March. It has not been fixed yet and the plugin is no longer available in the WordPress plugin library.
Article2pdf
This plugin is used to create PDF files of posts or articles, and multiple vulnerabilities were discovered in it. The plugin redirects to the URL of the content that the PDF is created from, and the generated file is supposed to be deleted when the download completes. If the redirect is not followed, the file is never deleted, so files accumulate and eat up disk space, which results in a denial of service once the space is exhausted.
Another vulnerability could return the password file, because the plugin's sanitization was incomplete and could be circumvented. If the user attempting this has write access, the file is downloaded and then deleted. If the user does not have write access, an error is displayed that discloses the directory structure where the file is located. The creators of the plugin were contacted in December but had not fixed the issues as of the end of March. The plugin was removed from the WordPress plugin directory, and if you have it installed it should be disabled immediately.
Pipdig Power Pack (P3)
Suspicious code was found in this plugin, which is sold alongside themes from Pipdig, a UK-based developer. The code allows the developer of the plugin to grant themselves administrator access to any site using it, delete database content and reset the password of any user, essentially creating a backdoor for them. Remote calls were also placed in the code that would mount a DDoS attack against a competitor of Pipdig, among several other probably illegal actions. Pipdig was notified in late March and immediately fixed the issue, and the plugin should be updated immediately, but there are serious issues of trust regarding Pipdig as a developer going forward.
Core
An XSS vulnerability was discovered that allows an unauthenticated attacker to gain remote code execution on any unpatched WordPress installation. The attacker tricks a site administrator into visiting a malicious website they have set up, which then issues a Cross-Site Request Forgery to the site's comments section without the victim's knowledge. By exploiting logic flaws and sanitization issues, the attacker can achieve Remote Code Execution and take over the site. This was discovered in October of 2018 and was finally patched in mid-March.
Theme
No theme vulnerabilities were disclosed in March.