We take a lot of precautions when it comes to the safety and security of your website, but once we hand it off to you, the burden of maintaining it falls on you. Nicely Done Sites offers a maintenance agreement so that we can continue to maintain your website and keep it as safe and secure as possible. We highly recommend that all of our clients purchase one, but it is not mandatory. If you don't, we hope at least that you keep your WordPress website up to date, and in this series of posts we detail some of the vulnerabilities discovered recently.
For anyone interested, or anyone who missed it, check out last month's vulnerabilities, and don't forget to keep your WordPress website up to date!
Plugins
WTI Like Post
An Authenticated Stored XSS vulnerability was found in this plugin, which lets visitors like or unlike a post or page. Not a lot of information was provided about this issue, but it was in the administration page: once an administrator had submitted the crafted data, the script would be executed for all users visiting the page or post. This was discovered in late March and, despite the author claiming that they would work on the issue, it has not been resolved. The plugin was closed in early May, so if you are using this plugin you should disable it immediately.
Advanced Order Export For WooCommerce
An Authenticated XSS issue was found in this plugin, which is used to export WooCommerce data easily. A lack of sanitization of one of the parameters allowed HTML or JavaScript code to be inserted and executed in the browser of a logged-in user. This issue was fixed in early May.
Elementor
An issue that allowed an attacker to bypass sanitization, and could lead to an Authenticated Stored XSS issue, was found in this plugin, which is the top free WordPress page builder. Elementor allows SVG uploads (this needs to be activated in the settings), but the upload routine lacks a capabilities check and shares a security nonce that is accessible to all logged-in users. Uploading a file normally requires the capability to do so, and uploaded content is not allowed to include elements like JavaScript or HTML tags. Once SVG uploads are enabled, however, an attacker can bypass that restriction by modifying the file contents, and a specially crafted SVG file could then be uploaded to inject malicious code into a site.
A second issue was also found that allowed PHP code to be inserted where it should not be possible. The functions used to sanitize the code were called in the wrong order, which neutralized them. These issues were both found in mid-April, fixed in late April, and made public in early May.
Ultimate Addons For Elementor
A Registration Bypass issue was discovered in this plugin, which is a library of unique Elementor widgets that give you more functionality and flexibility in the Elementor Page Builder. Not a lot of information is public about this, but an attacker was able to create new subscriber-level accounts on a site even if user registration is not enabled. Once the accounts are created, they can be used to exploit a zero-day vulnerability that turns this into a Remote Code Execution issue. This issue was fixed in early May.
Elementor Pro
An Authenticated Arbitrary File Upload issue was found in this plugin, which is the top WordPress page builder available. It should be noted that this issue does not affect the free Elementor plugin, only the Pro version, and that it is being exploited by hackers in the wild. Registered users are able to upload files, and an attacker can use this to remotely execute code on a site and either install a backdoor for access, give themselves full administrator access, or even delete a site completely. This issue was fixed in early May.
Chopslider
An Unauthenticated Blind SQL Injection vulnerability was found in this plugin, which is used to insert transition effects between pictures. One of the parameters is not sanitized. This would allow an attacker to execute arbitrary SQL queries against the WordPress database, giving the attacker access to the information in that database. This issue was discovered in early March, but no reply from the developer was received by early May, so the issue was made public. This plugin has been closed in the WordPress store.
Page Builder By Site Origin
Two different CSRF vulnerabilities that could turn into a Reflected XSS issue were found in this plugin, which is one of the most popular site-building plugins available for WordPress. The first issue centers on the page builder, which lets the user see live updates for their site. To do this, a function checks whether the user is in the live editor, and any changes made are set as a certain POST parameter before being put into the live preview. A capabilities check is in place, but it lacks a security nonce that would ensure the changes are coming from a legitimate source. This leaves the function vulnerable to malicious code being injected into the page, which can be turned into an XSS issue since JavaScript can be executed as part of one of the widgets. This could allow an attacker to create their own backdoor or to create a new administrator account for themselves.
The second issue was tied to one of the AJAX functions used to transmit data from the live editor to the WordPress editor so that the changes can be published to the site. Again, this function had a capabilities check but lacked a security nonce that would verify the source of a request. It would be possible for an attacker to inject malicious code in text mode, which would transmit the code unfiltered, and it could then be executed in the same manner as above. These issues were found in early May and fixed a day later.
WooCommerce
An Issue with Unescaped Metadata was found in this plugin, the top eCommerce plugin in the world. Very little information was made available about this issue, but it seems that when a product listing was duplicated, unescaped metadata became available. Most data is escaped, that is, special characters are converted to a safe representation on input so that they are not interpreted as code; the data can be unescaped later to return it to its original form. This issue was fixed in mid-May as part of a major update to the plugin.
Easy Testimonials
Multiple Authenticated Stored XSS issues were found in this plugin, which is used to add or embed testimonials in a page or post of your WordPress site. It was possible for an attacker to insert malicious code via several of the parameters available when submitting a testimonial. To be successful, the attacker must be at least a medium-privileged user. The injected code is executed when an administrator or another user accesses the All Testimonials page in the backend of the site. Another issue was found when the Allow HTML Tags In Testimonials option is enabled (which it is by default): the code is triggered when a testimonial is displayed on the frontend. These issues were found in early May and fixed a few days later.
Site Kit By Google
A Privilege Escalation vulnerability was found in this plugin, which is Google's official WordPress plugin for analytics. The plugin connects to a Google account, and to do that it generates a proxy URL to redirect the administrator and authenticate them. The problem was that the function used to call this lacked a capabilities check, which allowed low-level users to access it. On top of that, the verification process used to determine the site's ownership also lacked a capabilities check, which allowed the same thing. This vulnerability could allow an attacker to manipulate a site's SEO rating, interfere with a site's monetization, or inject malicious code. These issues were discovered in late April and fixed in early May.
WP Product Review
An Unauthenticated Stored XSS issue was found in this plugin, which allows users to submit reviews and post them on your site. While user input was sanitized, it was possible to bypass the sanitization by adjusting an HTML parameter. This would allow an attacker to insert malicious code into potentially every single page of the site. This issue was discovered in mid-May and fixed the following day.
Login/Signup Popup
An Authenticated Stored XSS vulnerability was found in this plugin, which allows users to sign into a site running a WooCommerce store from anywhere on the site. The plugin lacked a capabilities check and security nonces, which would allow an authenticated user to inject malicious code into the plugin settings that could be used to target the administrator. This issue was discovered in mid-May while it was being exploited, and it was fixed the following day.
Photo Gallery By 10Web
An Unauthenticated SQL Injection issue was found in this plugin, which is WordPress's leading photo gallery plugin. Very little information about this issue was made public, but any unauthenticated user can exploit it. This issue was fixed in mid-May.
Team Members
An Authenticated Stored XSS issue was found in this plugin, which allows you to showcase staff or employees on your site in an easy manner. It was possible for a medium-privileged user to inject malicious code into the description or biography section of a member. No other information was provided, but this issue was fixed in mid-May.
Visual Composer
Multiple Authenticated XSS issues were found in this plugin, which is a website builder plugin. The first issue was found in the Settings page, which should only be changeable by an administrator. Three tabs are available, and the CSS, HTML & JavaScript tab allows the administrator to insert code to customize a header or footer on the page; it is possible to insert malicious code in that spot. That tab, as well as the System Status tab, should have a capabilities check, but the check is missing, so access falls back to any user who can edit posts, which is something that low-privileged users can do.
It was also possible to insert malicious code into posts that are being edited. Any user who can access the editor can do this, even if they cannot publish a post: the post can be saved as a draft, but the code would be executed immediately and could be inserted into every page or post on the site.
Another vulnerability comes into play when a user saves a post. The payload sent by the plugin is heavily obfuscated and is able to bypass firewalls and security protections. These issues were found in early April and were fixed in mid-May.
Ajax Load More
An Authenticated SQL Injection issue was found in this plugin, which is used for loading posts after a query, particularly for endless scrolling. The good news is that for this to work the attacker must be logged in and must have administrative capabilities. One particular function was vulnerable, but no other information has been released about this. This issue was disclosed in mid-May, but no fix is in place, though the plugin has not been removed from the WordPress store yet.
Paid Memberships
Another Authenticated SQL Injection issue was found in this plugin, which is used to manage memberships on a website. It was possible for a user with administrative privileges to perform a SQL Injection when adding new orders to a dashboard. This issue was fixed in mid-May.
WP Frontend Profile
A CSRF check was incorrectly implemented in this plugin, which is used to create user profile sections on the front end of a WordPress site. A nonce check is present to prevent CSRF issues, but it only returns a generic value and never enforces the result, so it does nothing to protect the site. This issue was found in mid-May and fixed in late May.
ThirstyAffiliates
An Authenticated Stored XSS vulnerability was found in this plugin, which is used to manage affiliate links on monetized blogs. It was possible for an authenticated attacker to insert malicious code into an image title, which would then be executed when an administrator views it. This issue was fixed in late May.
Official MailerLite Sign Up Forms
Two separate issues were identified in this plugin, which is used to sign users up for email marketing campaigns. First, a SQL Injection issue was found. Several functions were vulnerable to this; these functions should be available to administrators only, but they lack an authentication check and CSRF protections (more on that in a bit). The data input on these forms is not sanitized and a nonce token is not used.
The lack of checks and nonce tokens creates numerous CSRF issues throughout the plugin. It would be possible for an attacker to make a logged-in administrator add, edit or delete arbitrary signup form views. These issues were found in early May. The SQL Injection issue was fixed, but the CSRF issues have not been resolved as of this posting.
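The recurring defect in this month's list, in Page Builder by SiteOrigin, WP Frontend Profile and MailerLite above, is a WordPress AJAX handler that checks the user's capability but never proves the request came from the site's own editor page. The following PHP is an added illustration written for this post, not code from any of those plugins; the action name, option key and field names are hypothetical, and it shows the capability-only handler, a nonce check whose result is ignored, and the hardened form side by side.

```php
<?php
// Added illustration, not code from any plugin named above. Three versions of an
// admin-ajax handler that stores a "live preview" widget body. Names are hypothetical.

// 1. Vulnerable pattern: capability check only. A logged-in editor can be made to
//    submit this from a third-party page, because nothing ties the request to a
//    form this site issued (CSRF), and the raw HTML is stored unfiltered (stored XSS).
function ndsites_save_preview_vulnerable() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'ndsites_preview_html', $_POST['widget_html'] );
    wp_send_json_success();
}

// 2. Broken pattern: a nonce check exists, but its boolean result is discarded,
//    so a forged request passes exactly as it would with no check at all.
function ndsites_save_preview_broken() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    wp_verify_nonce( $_POST['_wpnonce'] ?? '', 'ndsites_save_preview' ); // return value ignored
    update_option( 'ndsites_preview_html', $_POST['widget_html'] );
    wp_send_json_success();
}

// 3. Hardened pattern: check_ajax_referer() terminates the request (HTTP 403) when
//    the nonce is missing or invalid, the capability is still enforced, and the
//    HTML is reduced to the post-safe allowlist before it is stored.
function ndsites_save_preview_hardened() {
    check_ajax_referer( 'ndsites_save_preview', '_wpnonce' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    $html = wp_kses_post( wp_unslash( $_POST['widget_html'] ?? '' ) );
    update_option( 'ndsites_preview_html', $html );
    wp_send_json_success();
}
add_action( 'wp_ajax_ndsites_save_preview', 'ndsites_save_preview_hardened' );

// Output side: escape when rendering so stored data is never interpreted as markup
// beyond what wp_kses_post() allowed.
function ndsites_render_preview() {
    echo wp_kses_post( get_option( 'ndsites_preview_html', '' ) );
}

// The editor page must issue the matching nonce for the hardened handler, e.g.
// wp_localize_script( 'ndsites-editor', 'ndsites',
//     array( 'nonce' => wp_create_nonce( 'ndsites_save_preview' ) ) );
```

Note that a nonce scoped to one action, as here, also avoids the shared-nonce problem described for Elementor above, where one token accessible to every logged-in user authorized an unrelated upload routine.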
Add-on SweetAlert Contact Form 7
An Authenticated Stored XSS issue was found in this plugin, which is used to display Contact Form 7 messages as a pop-up alert. It should be noted that it requires Contact Form 7 to be installed but is a separate plugin. One of the fields lacks data sanitization, which could allow an attacker to insert malicious code and save it. Once saved, the code runs for every person who visits the plugin settings page. This issue was found in mid-May and fixed in late May.
Form Maker By 10Web
An Authenticated SQL Injection vulnerability was found in this plugin, which is used to create custom web forms, including mobile-friendly ones. No information has been provided other than that the issue is in one parameter of the code. The issue has not been fixed, and the WordPress Plugins Team has been notified, so this plugin could be removed in the near future.
Core
No WordPress Core vulnerabilities were discovered or made public during the month of May.
Theme
Avada
A Missing Permissions Check issue and a Stored XSS issue were found in this theme, which is the top-selling theme of all time. A lack of permission checks allows a low-privileged user to edit, create, or delete any page on a site. Only a security nonce is present, and it can be copied and reused for any post or page on the site. The same lack of permission checks also enables the XSS issue, by allowing a low-privileged user to inject JavaScript code through one of the attributes exposed by the first vulnerability. These issues were found in late April, fixed the following day, and made public in early May.