We take a lot of precautions when it comes to the safety and security of your website, but once we hand it off to you, the burden of maintaining it falls on you. Nicely Done Sites offers a maintenance agreement so that we can continue to maintain your website and keep it as safe and secure as possible. We highly recommend that all of our clients purchase one, but it is not mandatory. If you don't, we hope that you at least keep your WordPress website up to date, and in this series of posts we detail some of the vulnerabilities discovered recently.
For anyone interested, or anyone who missed it, check out last month’s vulnerabilities, and don’t forget to keep your WordPress website up to date!
Plugins
Booked
A lack of Authentication was found with this plugin, which is used to book appointments and maintain a calendar. Users have to provide their personal information in order to complete an appointment booking. When a user creates an appointment they become a registered user on the website, and with no authentication in place they can export all user records and their appointment information. They are also able to modify or delete existing appointments, create fake ones or inject malicious code. This issue was discovered in early February and fixed in late February.
Testimonial
An Authenticated Stored XSS vulnerability was found in this plugin, which is used to publish testimonials, reviews or quotes on your website in multiple ways. It was possible for a low-privileged user to inject code into the gallery image, which could then be viewed by others. This issue was discovered in late January, fixed in late February and disclosed in early March.
WooCommerce Smart Coupons
A vulnerability that allowed attackers to create their own coupons was found in this plugin, which is used to handle coupons and gift certificates on the WooCommerce platform. One feature of the plugin allows the store manager to create coupons that can be mailed to customers. This ability was only supposed to be available to administrators and store managers, and the dashboard was restricted for other users. The plugin, though, was actively listening for submissions on every page, and a lack of validation allowed an unauthorized user access to the page. This allowed an attacker to create their own coupons. This issue was found in late February, fixed in late February and made public in early March.
Appointment Booking Calendar
Two separate issues were found with this plugin, which is used to book appointments online. The first issue was a CSV Injection and the second was an Authenticated Stored XSS issue. Both are similar in what can be done and in their end results. An attacker could insert a payload into a calendar that will be executed when a user opens the file. If successful, it would redirect the user to a malicious website.
Brizy – Page Builder
An Unauthenticated Site Settings Update issue was found in this plugin, which is used to help build websites. Access to the site settings page is not restricted, so any user has access to it and can make changes to the plugin. It is also possible to insert an XSS payload into the footer, creating an XSS vulnerability as well. This issue was fixed in late February, but further issues were discovered which prompted the plugin to be removed from the store. Those issues were resolved in early March and the plugin has been restored.
WPForms
An Authenticated Stored XSS vulnerability was found with this plugin, which is used to create website forms. This is one of the most popular WordPress plugins, with over 3 million downloads. Not much information has been provided about this, but these kinds of attacks tend to result in the attacker being able to steal cookies and login credentials, log keystrokes, perform arbitrary actions on the victim’s behalf and more. This issue was found in mid February and fixed in early March.
WP Advanced Search
An issue that could lead to either Remote Code Execution or Unauthenticated Data Access was found in this plugin, which is used to make searching your site easier and more powerful. It was possible for an attacker to launch arbitrary database queries and create administrator accounts, which would allow them to access all of the information on the site. This issue was fixed in early March.
RegistrationMagic
Multiple issues were found with this plugin, which is used to customize registration forms, accept payments, create and manage users, track submissions and more. Most of the issues stem from a lack of capabilities checks and security nonces. The first issue is a CSRF vulnerability: since no security nonces are in place, an attacker could create a request on behalf of an administrator in order to modify the plugin settings. This could also allow them to remove users, create new user roles or allow the forms to accept PHP files, which could create a backdoor into the site for them.
An Authenticated Email Injection was also found. A subscriber could send an email from the site to any email address listed in the user database with the body of their choice. This could allow the attacker to send out spam messages or trick an administrator into clicking a link to a malicious site.
An Authenticated Settings and User Data Export issue was also found. Building on the ability of a subscriber to escalate their privileges, it was possible for an attacker to export the data from every form on the site that had been submitted. While this did not include login credentials, it could include a wealth of information and allow the attacker to launch other attacks.
It was also possible for an attacker to create an administrator account due to an Authenticated Settings Import issue. A feature of the plugin allowed the creation of forms that saved user-submitted content directly into a table on the site’s database. This form was intended to store metadata but it also stored a user’s permission level. It would be possible to modify the keys by resubmitting the form or uploading a custom form using information from the above issue. Once they set a form to expire the new form became active and an attacker could register on the site as an administrator.
These issues were found in early February, fixed in late February and made public in early March.
Custom Searchable Data Entry System
An Unauthenticated Data Modification and Deletion issue was found in this plugin, which is used to make searching a site easier. Not much information has been released about this issue though it appears that the developer is no longer maintaining the plugin. Despite that there are several thousand active installations of the plugin and it is being exploited in the wild. It is possible for an attacker to delete or modify the contents of any table in the website’s database. Since the plugin is not being maintained it is recommended that you disable or remove this plugin until a fix is in place, if it ever is.
WP Security Audit Log
It was found that this plugin has a Broken Access Control issue. This plugin is used to keep track of everything that is going on with your WordPress site, such as what all users are doing, and to spot suspicious behavior. The issue is in the setup wizard of the plugin. No capabilities check is performed and an admin hook can be triggered by anyone, so an unauthenticated user can run the wizard. Exploiting the issue, though, requires the wizard to be stopped on the last step, where a large number of options, such as page roles, are configured.
The attacker can add a user to the Roles field and click next after the user is validated. This saves the form but it is not validated by the plugin. After moving to the next step an option is given to allow the user access to the plugin activity log. Not only that, it gives the user more privileges than they should have. This allows the attacker the ability to change every plugin option, access and delete the activity log or insert malicious code into the database. This issue was discovered in late February, fixed in late February and made public in early March.
Search Meter
A CSV Injection issue was found with this plugin, which is used to record what people are searching for on your site’s blog so you can find out what they are looking for. Malicious code could be entered into the search field, which could then end up in the information exported to an Excel spreadsheet. This plugin appears to be no longer maintained and the developer has not responded to this issue, so no fix is in place nor does one appear to be in the works. If you are using this plugin you should disable or delete it immediately.
Import Export WordPress Users
An Arbitrary User Creation issue was found in this plugin, which is used to import or export users easily for your WordPress site or WooCommerce platform. The import/export process did have capabilities checks and security nonces in the first few steps of the process, but later steps only checked whether WooCommerce is enabled, so no real check was present. Step 3 also allowed for a remote file upload, making the capabilities check irrelevant. This could allow any user with at least subscriber-level access to execute these last steps. An attacker could thus import new users with administrator capabilities, which could allow them to take over the site and inject malicious code or install a backdoor into the site. This issue was discovered in late February, fixed in early March and made public in mid March.
WebToffee Plugins
WebToffee has created several WooCommerce plugins, in this case Order Export and Order Import for WooCommerce, Product Import Export for WooCommerce, Order XML File Export Import for WooCommerce, Product Reviews Import Export for WooCommerce, XML File Export Import for Stamps.com and WooCommerce, and WordPress Comments Import Export, that were vulnerable to a CSRF issue. They suffered from the same issue as Import Export WordPress Users. No nonce checks were in place, so a low-level user could import or export files and insert malicious code into the site. The good news is that the issue could not be taken advantage of unless the WooCommerce plugin was also installed. This issue was discovered in late February, fixed in early March and made public in mid March.
MStore API
An Unauthenticated Arbitrary Account Creation vulnerability was found with this plugin, which is used to configure the MStore and FluxStore mobile apps and to provide the REST API the app connects to. Several endpoints were accessible to any user on the website, regardless of whether they are logged in or not. One of them, the register endpoint, allows a user to create a new account and lets the user set their own role, thus allowing an attacker to create an administrator account. After registration a cookie is created, giving the attacker administrator privileges without having to actually log in. Another endpoint allows a user to update their information and does not check whether the user is authenticated. This could allow an attacker to update any account on the site, including an administrator’s, changing details such as the password or email address. This issue was found in mid February, fixed in late February and made public in mid March.
Font Awesome
An API Token vulnerability was found with this plugin, which is used to have custom fonts and icons on a site. Not a lot of information was made available about this but the tokens were placed in a file that was accessible to unauthorized users. This was only happening with users who configured the plugin to be used as a kit. This issue has been fixed as the file has been encrypted and the user will need to log in and update their tokens.
Popup Builder
Multiple issues were found with this plugin, which is used to create and manage promotional popups on your WordPress site. First is an Unauthenticated Stored XSS issue. The plugin allows custom JavaScript to be run when a popup is loaded, and this function was available to underprivileged users since it lacked security nonces and capabilities checks. This would allow an attacker to insert malicious code which would then be executed when a visitor sees the popup. This can lead to a visitor being redirected to a malicious site, sensitive information being stolen, or a site takeover if an administrator visited an affected page.
Second, an Authenticated Settings Modification, Configuration Disclosure and User Data Export issue was also found. It was possible for a low-level user with minimal permissions to grant access and to create and manage categories or newsletters. They could also use other functions that lack a capabilities check. It was possible for them to export a list of newsletter subscribers, or gain access to that list and craft a social engineering attack against those people. They could also gain access to sensitive information on the site, such as installed plugins and their activation status, which could be used to craft an attack on the site. These issues were found in early March and fixed in mid March.
WordPress File Upload
A Directory Traversal issue was found with this plugin, which is used to allow users to upload files to your WordPress site. It was possible for an unauthenticated user to upload a file to the library directory. If malicious code were included in the file, this could escalate to a remote code execution vulnerability as well. This issue was discovered in mid March and fixed a few days later.
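The defensive counterpart to the traversal issue above, as an added example that is not WordPress File Upload's own code: the upload is confined to the intended directory with a realpath containment check, a file-name allow-list and the same nonce and capability checks the rest of this post keeps pointing at. The directory name `ndp-library`, the allowed extensions and every `ndp_` function name are assumptions made up for illustration.

```php
<?php
// Added example (not the plugin's code). Assumes WordPress is loaded; the
// ndp_ prefix, hook names and the "ndp-library" folder are hypothetical.

/**
 * Return an absolute path inside $base_dir for the requested file name and
 * optional sub-folder, or a WP_Error if the request would escape $base_dir.
 */
function ndp_resolve_upload_path( $base_dir, $subdir, $filename ) {
    $real_base = realpath( $base_dir );
    if ( false === $real_base ) {
        return new WP_Error( 'bad_base', 'Upload directory does not exist.' );
    }
    // basename() drops any directory components smuggled into the file name;
    // sanitize_file_name() removes the rest (NUL bytes, stray ../ fragments).
    $name = sanitize_file_name( basename( $filename ) );
    if ( '' === $name ) {
        return new WP_Error( 'bad_name', 'Empty file name.' );
    }
    // Allow-list the extension so .php/.phtml never lands in a web-served folder.
    $ext     = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    $allowed = array( 'jpg', 'jpeg', 'png', 'gif', 'pdf' );
    if ( ! in_array( $ext, $allowed, true ) ) {
        return new WP_Error( 'bad_type', 'File type not allowed.' );
    }
    // The sub-folder must already exist and must resolve *inside* the base;
    // the trailing separator stops "ndp-library-other" from passing as a prefix.
    $dir = realpath( $real_base . DIRECTORY_SEPARATOR . ltrim( $subdir, '/\\' ) );
    if ( false === $dir
        || 0 !== strpos( $dir . DIRECTORY_SEPARATOR, $real_base . DIRECTORY_SEPARATOR ) ) {
        return new WP_Error( 'traversal', 'Target folder is outside the upload directory.' );
    }
    return $dir . DIRECTORY_SEPARATOR . $name;
}

function ndp_store_upload() {
    // Same two gates as every handler discussed in this post: nonce + capability.
    check_ajax_referer( 'ndp_upload', 'ndp_nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $upload = wp_upload_dir(); // wp-content/uploads by default
    $target = ndp_resolve_upload_path(
        $upload['basedir'] . '/ndp-library',
        isset( $_POST['subdir'] ) ? (string) $_POST['subdir'] : '',
        isset( $_FILES['file']['name'] ) ? $_FILES['file']['name'] : ''
    );
    if ( is_wp_error( $target ) ) {
        wp_send_json_error( $target->get_error_message(), 400 );
    }
    if ( ! move_uploaded_file( $_FILES['file']['tmp_name'], $target ) ) {
        wp_send_json_error( 'Could not store file.', 500 );
    }
    wp_send_json_success( array( 'stored_as' => basename( $target ) ) );
}
// Logged-in users only: no wp_ajax_nopriv_ registration for this action.
add_action( 'wp_ajax_ndp_upload', 'ndp_store_upload' );
```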
Newsletter
A CSV Injection vulnerability was found with this plugin, which is used for newsletters and email marketing. It was possible for a low-level user, or even a user with no privileges, to inject malicious code into the subscription form that would then be included in the CSV export. When the CSV file is exported, the code can then be executed. This issue was fixed in mid March.
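The CSV Injection issues in Appointment Booking Calendar, Search Meter and this Newsletter plugin all share one root cause, so one added example covers them (it is not code from any of those plugins): a cell that starts with `=`, `+`, `-` or `@` is evaluated as a formula when the exported file is opened in a spreadsheet, and the export has to neutralise that. The function names and the sample subscriber rows are constructed for illustration.

```php
<?php
// Added example (not the plugin's code): CSV injection defence at export time.
// Storing the raw submission is fine; the value is made inert when written
// to the file. Runs stand-alone, no WordPress functions needed.

/**
 * Prefix a formula-looking cell with a single quote so spreadsheets treat it
 * as literal text, and flatten control characters that would split records.
 */
function ndp_csv_safe_cell( $value ) {
    $value = (string) $value;
    // Tabs and line breaks inside a cell can break the record in some readers
    // and are themselves formula triggers in Excel (\t, \r).
    $value = str_replace( array( "\t", "\r", "\n" ), ' ', $value );
    // ltrim() so that " =1+1" (leading whitespace) is caught as well.
    $trimmed = ltrim( $value );
    if ( '' !== $trimmed && in_array( $trimmed[0], array( '=', '+', '-', '@' ), true ) ) {
        $value = "'" . $value;
    }
    return $value;
}

/** Build a CSV string, passing every cell through ndp_csv_safe_cell(). */
function ndp_csv_export( array $rows ) {
    $fh = fopen( 'php://temp', 'r+' );
    foreach ( $rows as $row ) {
        // fputcsv() handles quoting of commas and embedded double quotes.
        fputcsv( $fh, array_map( 'ndp_csv_safe_cell', $row ) );
    }
    rewind( $fh );
    $csv = stream_get_contents( $fh );
    fclose( $fh );
    return $csv;
}

// Constructed sample subscribers; the third "name" is what an attacker would
// type into the subscription form to plant a formula in the export.
$subscribers = array(
    array( 'name', 'email' ),
    array( 'Alice Example', 'alice@example.com' ),
    array( '=1+1', 'bob@example.com' ),
    array( " @SUM(1,2)\tsecond line", 'carol@example.com' ),
);
echo ndp_csv_export( $subscribers );
// The formula cells come out as '=1+1 and ' @SUM(1,2) second line, which a
// spreadsheet displays as text instead of evaluating.
```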
LearnPress
A Privilege Escalation issue was found in this plugin, which is a learning management system to create and sell online courses. Not much information was released regarding this but it was possible for an authenticated user to change their role to instructor or teacher and gain access to sensitive information. This issue was fixed in mid March.
Gutenberg and Elementor Templates Importer For Responsive
Unprotected AJAX endpoints were found with this plugin, which is used to easily import templates into WordPress sites. This plugin is also known as Responsive Ready Sites Importer. It was possible for any authenticated user to execute various actions. An attacker could reset site data, inject malicious code onto pages, modify theme data and other files, activate plugins and perform many other actions. Importing relies on AJAX functions, and at least 23 of them lacked capabilities checks and/or security nonces. This issue was discovered in early March and fixed in mid March.
Advanced Ads
An Authenticated Reflected XSS issue was found in this plugin, which is used to create and manage ads on a WordPress site. Two different XSS issues were found within the admin dashboard and both were related to the same property. This property normally should display a number but a lack of sanitization allowed for malicious code to be inserted. If the administrator visits the link the site could be compromised. This issue was found in early March and fixed a day later.
CookieBot
An Authenticated Reflected XSS issue was found with this plugin, which is used to make cookies and the cookie policy GDPR compliant. Only two different tab types should be available with this plugin, but a manual tab mechanism allows a class to be added to a form. When a form is added, nothing is checked and it is inserted directly into the attributes. It was possible to insert malicious code, and if an administrator visits a malicious link it would be possible to compromise the website. This issue was discovered in mid March and fixed a day later.
WPvivid
An issue with Missing Authorization that could lead to a Database Leak was found with this plugin, which is used to back up and migrate WordPress sites. No authorization check was found on one of the functions. It would be possible for any authenticated user to add a new remote storage location and set it as the default backup location. The next time a backup is done, the site’s information will go there and all of the information in the database will be sent to the attacker. This issue was discovered in late February and fixed in mid March.
Multiple Plugins
The same Unauthenticated Dompdf Local File Inclusion issue was found in several different plugins: Web Portal Lite, Buddypress Component Status, Abstract Submission, Post PDF Export, Blog To PDF, Gboutique and WP Ecommerce Shop Styling. Dompdf is an HTML-to-PDF converter. This allows an attacker to bypass security protections, read arbitrary files and thus upload malicious code. No known fix is in place for these plugins and they have all been pulled from the WordPress store.
Data Tables Generator By Supsystic
Several different issues were found in this plugin, which is used to create responsive and easy-to-use tables on your WordPress site. First, an Insecure Permissions issue was found. No capabilities checks or security nonces were in place for any of the AJAX actions, which allowed any authenticated user to make changes such as fonts, adding frames, labels and more. This could allow an attacker to make changes or even create new tables.
Second, an Authenticated Stored XSS issue was found. This builds on the previous issue, since malicious code could be injected into table fields on existing tables. The code would then be executed, allowing the attacker to redirect to malicious websites, create new users and more. On top of that, a CSRF to Stored XSS issue was also found. Due to the lack of security checks, several CSRF vulnerabilities could be exploited. If the attacker was able to trick a user into visiting a malicious site or opening a malicious attachment, a request would be sent on behalf of that user to modify database information and inject a malicious script. This could lead to the creation of a new administrative account or redirect users to a malicious site.
These issues were discovered in late January and fixed in late March.
All-In-One WP Migration
An Arbitrary Backup Download issue was found with this plugin, which is used to easily export your WordPress site. When a backup is created a filename is assigned to it, but that filename is not randomly assigned, making it easy to guess. On top of that, the backup was publicly available to download. An attacker could either brute force the filename or write a script that would download the WordPress files. This issue was found in mid January, fixed in late January and made public in late March.
Product Lister For Walmart
An Authenticated Remote Code Execution vulnerability was found in this plugin, which is used to upload products from your eCommerce site to be listed by Walmart. An outdated PHP library was used in the plugin. The original issue with the PHP library was stealthily fixed in 2016 but not everyone using it updated. Because of that some functions do not do what they originally did and it is now possible for an authenticated user to execute their own malicious payloads. Plugins like this that use the old phpunit package are now vulnerable to this and should be deleted as there is no known fix outside of updating it to the latest version. This plugin has been removed from the WordPress plugin store.
CM Pop-Up Banners
An Authenticated Stored XSS issue was found in this plugin, which is used to create and manage popup ads on your WordPress page. It was possible for a user with the ability to edit campaigns to store scripts in a pop up and save it. Once that happened the code would be executed on every page on the site. This issue was fixed in late March.
IMPress For IDX Broker
Two separate issues were found with this plugin, which is used to display data from your Multi-Listing Service data feed on your WordPress site using widgets and shortcodes. The first issue was an Authenticated Stored XSS issue. The plugin has the ability to accept submissions and has spam and bot filters in place using Google’s reCAPTCHA. This service requires an API key, but the action that the plugin registers for it lacks security checks and nonces. This made it possible for an attacker with low-level permissions to send a request to that action with malicious parameters, which would then be executed the next time an administrator visits the settings panel. It would be possible for the attacker to create a new user by doing this.
Also found was an Authenticated Post Creation, Modification and Deletion issue. A feature of the plugin allows for the creation of dynamic pages and to delete those pages as well. As above the functions called lack capabilities checks and security nonces making it possible for a low level authenticated user to set their own parameters and create, modify or delete pages from the site. These issues were found in late February and were fixed in late March.
WordPress SEO Plugin – Rank Math
A Privilege Escalation issue was found with this plugin, which helps manage SEO on your WordPress page. The main issue stemmed from the plugin’s ability to edit metadata but to do this a REST-API endpoint was needed. This endpoint lacked a capabilities check allowing an attacker the ability to delete or update the metadata for posts, comments and terms. It also allowed the attacker to update the metadata for users which could allow an attacker to give themselves administrator privileges or revoke the privileges of a real administrator.
Additionally, another unprotected REST endpoint could allow an attacker to create their own redirects on the site. This was also due to a lack of a capabilities check on the endpoint. The potential for damage from this was a bit lower, as the redirect could not be set to an existing file or folder on the server, so while they could redirect users from most parts of the site they could not redirect users immediately upon visiting the site. These issues were found in late March and fixed two days later.
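Both the MStore API register endpoint that let the client choose its own role and the Rank Math endpoint that updated user metadata without a capabilities check are the same REST mistake: a route whose `permission_callback` lets everyone through, feeding a handler that trusts client-supplied privilege fields. The added example below is not either plugin's code; the `ndp/v1` namespace, field names and `ndp_` functions are assumptions, and it shows the open shape beside a hardened registration and profile-update route.

```php
<?php
// Added example (not Rank Math's or MStore API's code). Assumes WordPress is
// loaded; the route namespace, handler names and fields are hypothetical.

// --- Vulnerable shape: open to every caller, role taken from the request.
add_action( 'rest_api_init', function () {
    register_rest_route( 'ndp/v1', '/register', array(
        'methods'             => 'POST',
        'callback'            => 'ndp_register_vulnerable',
        'permission_callback' => '__return_true', // anyone, logged in or not
    ) );
} );
function ndp_register_vulnerable( WP_REST_Request $request ) {
    $id = wp_insert_user( array(
        'user_login' => $request['username'],
        'user_pass'  => $request['password'],
        'user_email' => $request['email'],
        'role'       => $request['role'],        // "administrator" accepted as-is
    ) );
    return is_wp_error( $id ) ? $id : array( 'id' => $id );
}

// --- Hardened: the decision is made in permission_callback (the REST layer
// answers 401/403 before the callback runs), the role is fixed server-side,
// and a profile update is only allowed for a user the caller may edit.
add_action( 'rest_api_init', function () {
    register_rest_route( 'ndp/v1', '/register-safe', array(
        'methods'             => 'POST',
        'callback'            => 'ndp_register_safe',
        'permission_callback' => function () {
            // Honour the site's own "Anyone can register" setting.
            return (bool) get_option( 'users_can_register' );
        },
        'args' => array(
            'username' => array( 'required' => true,
                'sanitize_callback' => function ( $v ) { return sanitize_user( $v, true ); } ),
            'email'    => array( 'required' => true,
                'validate_callback' => function ( $v ) { return (bool) is_email( $v ); } ),
            'password' => array( 'required' => true ),
        ),
    ) );
    register_rest_route( 'ndp/v1', '/users/(?P<id>\d+)', array(
        'methods'             => 'POST',
        'callback'            => 'ndp_update_profile_safe',
        'permission_callback' => function ( WP_REST_Request $request ) {
            // edit_user: true for the account itself and for administrators;
            // an anonymous caller holds no capabilities at all.
            return current_user_can( 'edit_user', (int) $request['id'] );
        },
    ) );
} );

function ndp_register_safe( WP_REST_Request $request ) {
    $id = wp_insert_user( array(
        'user_login' => $request['username'],
        'user_pass'  => $request['password'],
        'user_email' => $request['email'],
        'role'       => get_option( 'default_role', 'subscriber' ), // never from the client
    ) );
    return is_wp_error( $id ) ? $id : array( 'id' => $id );
}

function ndp_update_profile_safe( WP_REST_Request $request ) {
    // Only allow-listed fields are copied; role, wp_capabilities and the
    // password are simply not reachable through this endpoint.
    $data = array( 'ID' => (int) $request['id'] );
    foreach ( array( 'display_name', 'description' ) as $field ) {
        if ( null !== $request[ $field ] ) {
            $data[ $field ] = sanitize_text_field( $request[ $field ] );
        }
    }
    $result = wp_update_user( $data );
    return is_wp_error( $result ) ? $result : array( 'updated' => $result );
}
```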
LifterLMS
An Arbitrary File Writing issue was found with this plugin, which is used to create an online training platform and user community. Very little information was provided about this issue other than it could lead to a Remote Code Execution issue. This issue was fixed in late March.
Elementor Page Builder
A Privilege Escalation issue was found with this plugin, which is used for drag and drop building of a webpage to make that job as easy as possible. It was possible for any authenticated user to enable the Safe Mode feature which would allow any user of the webpage to disable security features on the plugin. The feature is helpful as it allows a developer to isolate the plugin and WordPress from a theme or other plugins that might cause an error. It was possible for any user to have access to this due to a lack of a capabilities check. This could allow an attacker to send spam messages, bypass the firewall or attack the login page. This issue was discovered in mid March, fixed quickly and made public at the end of March.
Core
No WordPress core vulnerabilities were made public during March.
Theme
Fruitful
Two different issues were found with this theme, which is a responsive theme with a powerful options panel and a simple, clean front-end design. First, an Authenticated Stored XSS issue was found. One of the functions lacks a capabilities check and security nonce, making it accessible to any authenticated user. On top of that, some fields in the theme are not sanitized, which allows an attacker to insert malicious code into potentially every page on the site. In addition, several other options within the theme are available to any user rather than just administrators. These include resetting theme options, adding input fields and causing a fatal error by calling a function that does not exist. These issues were found in early March and fixed four days later.
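The fault behind RegistrationMagic, Popup Builder, the Responsive importer, Data Tables Generator, IMPress for IDX Broker and this Fruitful theme is the same admin-ajax pattern: an action handler with no nonce, no capabilities check and no sanitization. One added example serves all of them (it is not code from any of those plugins or the theme): the vulnerable handler beside a hardened one. The option name `ndp_footer_text`, the action names and the `ndp_` prefix are assumptions made up for illustration.

```php
<?php
// Added example (not code from any plugin or theme in this post). Assumes
// WordPress is loaded; the option, action and function names are hypothetical.

// --- Vulnerable: reachable by logged-in users (wp_ajax_) AND anonymous
// visitors (wp_ajax_nopriv_), with no nonce, capability check or sanitization.
add_action( 'wp_ajax_ndp_save_footer',        'ndp_save_footer_vulnerable' );
add_action( 'wp_ajax_nopriv_ndp_save_footer', 'ndp_save_footer_vulnerable' );
function ndp_save_footer_vulnerable() {
    // Any visitor, or any page that makes an admin's browser post here (CSRF),
    // can change the option; raw HTML is stored, so this is also stored XSS.
    update_option( 'ndp_footer_text', $_POST['footer_text'] );
    wp_send_json_success();
}

// --- Hardened: logged-in only, nonce tied to this action, capability check,
// sanitized on the way in and escaped on the way out.
add_action( 'wp_ajax_ndp_save_footer_safe', 'ndp_save_footer_safe' );
function ndp_save_footer_safe() {
    // 1. CSRF: the settings page embedded the nonce with wp_nonce_field();
    //    check_ajax_referer() ends the request with 403 if it is missing/stale.
    check_ajax_referer( 'ndp_save_footer', 'ndp_nonce' );

    // 2. Authorization: a subscriber can mint a valid nonce for their own
    //    requests, so the capability check is what actually stops low-level
    //    users; manage_options is administrator-only by default.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Input: wp_unslash() undoes WordPress' slashing of $_POST;
    //    sanitize_text_field() strips tags, NUL bytes and line breaks.
    $text = isset( $_POST['footer_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['footer_text'] ) )
        : '';
    update_option( 'ndp_footer_text', $text );
    wp_send_json_success( array( 'footer_text' => $text ) );
}

// 4. Output: escape at render time too, so a value that reached the database
//    another way (say, through an older vulnerable version) cannot execute.
function ndp_render_footer() {
    echo '<div class="ndp-footer">' . esc_html( get_option( 'ndp_footer_text', '' ) ) . '</div>';
}
add_action( 'wp_footer', 'ndp_render_footer' );

// The admin form that issues the request; this is where the nonce is minted.
function ndp_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <input type="hidden" name="action" value="ndp_save_footer_safe">
        <?php wp_nonce_field( 'ndp_save_footer', 'ndp_nonce' ); ?>
        <input type="text" name="footer_text"
               value="<?php echo esc_attr( get_option( 'ndp_footer_text', '' ) ); ?>">
        <button type="submit">Save</button>
    </form>
    <?php
}
```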