–Updated 6/10 to include remaining vulnerabilities
We take a lot of precautions when it comes to the safety and security of your website, but once we hand the website off to you, the burden of maintaining it falls on you. Nicely Done Sites offers a maintenance agreement so that we can continue to maintain your website and keep it as safe and secure as possible. We highly recommend that all of our clients purchase one, but it is not mandatory. If you don’t, we hope that you at least keep your WordPress website up to date, and in this series of posts we are going to detail some of the vulnerabilities discovered recently.
As summer approaches, the last thing you want to worry about is vulnerabilities in your website, but you should keep this in mind. For a brief description of what some of these issues are, check out this link, and if you want to bring yourself up to speed on April’s vulnerabilities, check out this link.
Plugins
Blog Designer
This Unauthenticated Stored XSS vulnerability was discovered in one of the plugin’s settings functions. The plugin itself allows users to change the style of their WordPress website and has been installed on over 30,000 sites. The issue stems from the function not checking whether a user has the privilege level to update settings, or even whether they are logged in at all. This vulnerability is present on every page the plugin touches, and exploiting it is simple for an attacker. It was discovered in early April and, due to a lack of action from the developers, the plugin was temporarily banned; it was patched on May 2 and reactivated by WordPress.
All-In-One Event Calendar
This XSS vulnerability allowed an attacker to import an event whose information was not sanitized, which could potentially give them access to the system. The plugin allows users to list events and share them with the world, and it allows events to be imported (and exported), which is where the issue stems from. This issue was identified and fixed in early May.
W3 Total Cache
Three different vulnerabilities were disclosed in this plugin, which helps to increase the SEO and user experience of a website by reducing load times. The first was a Cryptographic Signature Bypass: a cryptographic check was not validated, which would allow a site with an invalid OpenSSL certificate or signature to bypass it. Also found was an XSS vulnerability in the form construction. Finally, an SSRF vulnerability was found in which the plugin made requests on the user’s behalf with parameters fully controlled by the user. These vulnerabilities were made public in early May and were fixed quickly.
Custom Field Suite
Another XSS vulnerability. This plugin allows users to add custom fields to posts. The vulnerability potentially allowed an attacker to insert their own code into those fields and gain access via logged-in users and admins. The issue was detected in mid-May and was fixed within two days.
Ultimate Member
On the heels of last month’s vulnerability, more vulnerabilities were discovered. First was a file leak vulnerability: if a file or image upload field was available to a user, it was possible to modify the config file and make any file on the server available for download by rewriting routing information.
Numerous XSS vulnerabilities were also discovered that allowed an attacker to add their own information to a field; because the input was sanitized only if it was text or a URL, another user’s information could be replaced. The other issue concerned the updating of user information: one function does not check permissions, allowing an attacker to upload a photo carrying a payload of malicious code, which would be executed when an admin viewed it. All of these issues were disclosed on May 7 and fixed by May 10.
Register IPs
Another XSS vulnerability. This plugin is used to log the IP addresses of users to help admins fight harassment, spam and sock puppets. An attacker could take advantage of poorly named functions, and no sanitization was in place to prevent an exploit. This issue was discovered on May 7 and fixed in mid-May.
WP Live Chat Support
Another XSS vulnerability. This plugin is used to chat with customers, providing seamless support without interrupting the user’s browsing experience. Plugin settings can be updated without a privilege check, and it is also possible for a non-logged-in user to use another option to insert their own code in several different locations. This vulnerability was detected at the end of April and fixed in mid-May.
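As an added example (not code from Blog Designer, WP Live Chat Support or any other plugin named here), the hypothetical handler below shows the defect those two entries describe, a settings update reachable without a login or a privilege check, beside the hardened form WordPress provides for. The `nds_` prefix, the option name and the nonce action are assumptions.

```php
<?php
// Added illustration, not any plugin's real code. Prefix "nds_", option name
// "nds_footer_text" and nonce action "nds_settings_nonce" are assumptions.

// DEFECT SHAPE (do not deploy): the wp_ajax_nopriv_ hook makes the handler
// callable by logged-out visitors, nothing checks the caller's capability,
// and the raw POST value is stored, so whatever is stored is rendered later.
//   add_action( 'wp_ajax_nopriv_nds_save_settings', 'nds_save_settings_vulnerable' );
//   add_action( 'wp_ajax_nds_save_settings',        'nds_save_settings_vulnerable' );
function nds_save_settings_vulnerable() {
    update_option( 'nds_footer_text', $_POST['footer_text'] ); // stored XSS sink
    wp_send_json_success();
}

// HARDENED: only the authenticated hook (no _nopriv variant), a nonce so a
// logged-in admin cannot be made to submit the form from another site (CSRF),
// an explicit capability check, and sanitization before the value is stored.
add_action( 'wp_ajax_nds_save_settings', 'nds_save_settings_safe' );
function nds_save_settings_safe() {
    // The admin page that issues the request embeds
    // wp_create_nonce( 'nds_settings_nonce' ) as the "nonce" POST field.
    check_ajax_referer( 'nds_settings_nonce', 'nonce' );   // dies on a bad or missing nonce
    if ( ! current_user_can( 'manage_options' ) ) {         // settings are an admin-only action
        wp_send_json_error( 'forbidden', 403 );
    }
    $footer_text = isset( $_POST['footer_text'] )
        ? sanitize_text_field( wp_unslash( $_POST['footer_text'] ) )
        : '';
    update_option( 'nds_footer_text', $footer_text );
    wp_send_json_success();
}

// Output side: escape at render time as well, so a value stored before the fix
// (or through any other path) is shown as text rather than executed as script.
function nds_render_footer_text() {
    echo esc_html( get_option( 'nds_footer_text', '' ) );
}
```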
FV Flowplayer
Three vulnerabilities were discovered in this plugin, one of the most popular on WordPress for embedding video on a website. The first was an XSS vulnerability that allows an unauthenticated user to inject JavaScript code through a signup email by providing a malformed email address (containing the injected code). No sanitization check was performed, so the code was allowed through and would be executed by the site admin. The second vulnerability was a SQL Injection. The last vulnerability, in the CSV export, allowed guests to export email subscription information. These were identified in mid-May and fixed the following day.
WP Booking System
Two SQL injection vulnerabilities were discovered in this plugin, a popular plugin that handles bookings and reservations for vacation rental properties as well as accepting payments for those bookings. An attacker could create a malicious website and, if an authenticated user visited it, initiate a SQL injection attack. No CSRF checks were made, making the two different injections possible. The discovery was made at the beginning of May and was fixed that day.
Slimstat
This Unauthenticated Stored XSS vulnerability allowed a visitor to inject JavaScript code into the plugin’s access log, making it possible for them to see details of who is accessing the website once an administrator logs in. Code sanitization was not performed correctly, creating the vulnerability. Slimstat is one of the leading analytics plugins available for WordPress for tracking website visitors and customers, and it is installed on hundreds of thousands of WordPress sites. This issue was discovered in mid-May and was fixed four days later.
Hustle
An Unauthenticated CSV Injection was discovered in this plugin, which is used to create popups, slide-ins and email opt-ins on websites. An attacker could insert malicious code into a pop-up, which would then run on an administrator’s computer through built-in Microsoft Excel functions when the file is exported to their computer. Input was not sanitized, so any code could potentially be entered. There has been no evidence that anyone exploited this vulnerability; it was discovered by security researchers in early May and fixed three days later.
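As an added example (not the Hustle plugin’s code), the helper below, with the assumed `nds_` prefix and a constructed sample export, shows the defensive side of the issue just described: neutralizing cells that a spreadsheet would otherwise evaluate as formulas before the CSV is written.

```php
<?php
// Added illustration, not Hustle's real code; the nds_ prefix is an assumption.
// Spreadsheet tools treat a cell whose first character is one of = + - @ (or a
// tab / carriage return) as a formula, so user-supplied text exported to CSV
// can execute in the administrator's spreadsheet. This helper makes such cells
// inert and quotes every cell per RFC 4180.

function nds_csv_cell( $value ) {
    $value = (string) $value;
    // Prefix formula-triggering cells with an apostrophe so they open as text.
    // Intended for free-text fields; export genuinely numeric columns separately
    // so that legitimate negative numbers are not altered.
    if ( '' !== $value && in_array( $value[0], array( '=', '+', '-', '@', "\t", "\r" ), true ) ) {
        $value = "'" . $value;
    }
    // Always quote, and double any embedded quotes, so commas, quotes and
    // newlines inside a value cannot start a new field or row.
    return '"' . str_replace( '"', '""', $value ) . '"';
}

function nds_csv_row( array $cells ) {
    return implode( ',', array_map( 'nds_csv_cell', $cells ) ) . "\r\n";
}

// Constructed sample export: the second record's name field is a formula.
$records = array(
    array( 'email', 'name', 'source' ),
    array( 'alice@example.com', '=SUM(1,2)', 'popup-1' ),
    array( 'bob@example.com', 'Bob "Bobby" Smith', 'slide-in' ),
);
$csv = '';
foreach ( $records as $record ) {
    $csv .= nds_csv_row( $record );
}
// $csv now holds "'=SUM(1,2)" for the name cell, which opens as literal text,
// and "Bob ""Bobby"" Smith" with its embedded quotes doubled.
```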
Hostel
This plugin had an Unauthenticated Stored XSS vulnerability that allows an attacker to insert arbitrary code, which is then executed when an administrator visits the booking page. This vulnerability was discovered in late May and fixed the following day.
Event Management Tickets Booking By Event Monster
A Stored XSS vulnerability was discovered in this plugin, a simple and easy way to create and organize events. An attacker could create an event and add malicious code to the registration form; this code is then executed when an administrator visits the visitors page. It was discovered in late May and fixed a few days later.
Slick Popup
A Privilege Escalation vulnerability was discovered in this plugin. It stems from the plugin’s ability to grant the developers access for support issues. The login credentials were hardcoded into the plugin, using the same username and password for every instance of the plugin. An attacker who knew this information would only need to find a site using the plugin; they would then be able to log in and create a backdoor for themselves. Attackers with at least subscriber access are also able to gain administrator access, since no capabilities check is performed. This issue was discovered in early April, and the company has claimed to have released a fix for the Pro version, with a Free version fix coming soon.
Convert Plus
This plugin, which is used to generate leads and display marketing popups and info bars, was found to have a serious Unauthenticated Arbitrary User Role vulnerability. Administrators have to assign a user role, such as subscriber, to the email addresses collected. The administrator role is removed from this list, but it was still present in a hidden field that can be modified. No filtering is done, so if an attacker is able to select administrator, the attacker will be given an administrator account and allowed to log in. This issue was discovered at the end of May and fixed three days later.
Core
No Core vulnerabilities were disclosed during May, but WordPress 5.2 was released, so make sure to update to it.
Theme
Traveler
Reflected and Stored XSS vulnerabilities were discovered in this theme, a popular theme used for travel booking websites. No filtering was present on input and text fields, which would allow an attacker to insert malicious code. Also, if a user uploads a .php file with a .png extension added to their profile page, it breaks the profile. These issues were disclosed in early May and have still not been fixed, though certain browsers like Firefox and Opera prevent the XSS vulnerability through their built-in security features.