We take a lot of precautions when it comes to the safety and security of your website, but once we hand your website off to you the burden of maintaining that falls on you. Nicely Done Sites offers a maintenance agreement so that we can continue to maintain your website and keep it as safe and secure as possible. We highly recommend that all of our clients purchase one, but it is not mandatory. If not, we hope at least that you keep your WordPress website up to date, and in this series of posts we detail some of the vulnerabilities discovered recently.
For anyone interested or anyone who missed it check out last month’s vulnerabilities and don’t forget to keep your WordPress website up to date!
Plugins
Currency Switcher For WooCommerce
A Security Restrictions Bypass vulnerability was found with this plugin, which is used to switch product prices into other currencies in real time and to pay in selected currencies. An attacker was potentially able to force a currency that the store had not enabled and obtain a converted price lower than the true equivalent. This issue was fixed in late October and published in early November.
Tidio Live Chat
A CSRF vulnerability that could lead to a Stored XSS vulnerability was discovered in this plugin, which is used to communicate with customers directly or with a chatbot. Blog administrators are able to adjust the public and private keys for the Tidio service, which allows the JavaScript to be loaded from the server and the plugin to function. Due to a lack of validation as well as missing CSRF tokens it is possible to trick an admin into using a malicious public key. It is then possible for a non-administrator to see chat information or for the attacker to take over the chat. The good news is that the blog administrator has to visit the malicious site for this to work, but that becomes more likely if a comment linking to it is posted on the blog. This issue was found in early June and was finally fixed in early November.
Safe SVG
A Denial of Service issue was found with this plugin, which is used to upload SVG files to your WordPress site and sanitize all uploads. Not much information has been released regarding this issue beyond the fact that exploiting it could cause a denial of service. The issue was found in late September and fixed in early November.
Funnel Builder By CartFlows
A Privilege Escalation vulnerability was discovered in this plugin, which is used to increase leads and sales by turning a WooCommerce store into a selling machine. No capability check or security nonce was present, which meant that any authenticated user could potentially activate any plugin on the blog. This issue was discovered in early November and fixed within two days.
IgniteUp
Multiple issues were found with this plugin, which is used to let users know that a website is under construction or is in Maintenance Mode. An Arbitrary File Deletion vulnerability allows any user to delete template files and folders due to a lack of a capability check. An HTML Injection and a CSRF vulnerability were found due to a lack of sanitization of the user input into the provided email template. Since these emails are forwarded to the administrator, it was possible to insert code into the email and compromise the administrator account.
A Stored XSS vulnerability was found due to that same lack of sanitization, which could allow an attacker to insert their own JavaScript code on the backend. An Information Disclosure vulnerability was also found due to a lack of a capability check and a security nonce, which could allow an attacker to download a list of the email addresses that have been submitted through the template. An additional vulnerability allowed an unauthenticated user to reach functions through which they could access the email templates or even remove subscribers from the master email list. These issues were discovered in late September and fixed in early November.
Anti-Spam by CleanTalk
An XSS vulnerability was found with this plugin, which provides anti-spam protection to several different contact form and registration themes to prevent spam comments and registrations. An attacker was potentially able to execute their own JavaScript or HTML code via the form or a particular parameter. Not much else has been provided, but the issue has been fixed.
Email Subscribers & Newsletters
Multiple vulnerabilities were found with this plugin, which is used to collect leads, send automated emails and create and send newsletters all from one place. An Unauthenticated File Download vulnerability was found: no access control was in place when a user exports an email list along with other sensitive information. On top of that, a function that tracks email open actions was vulnerable to SQL injection, and the SQL statements could be inserted by an unauthenticated user.
An issue with Insecure Permissions was also found in the Dashboard. The Dashboard provides a central place for the site to be managed, but due to this flaw any user with the ability to edit a post could view or modify settings, campaigns or the subscriber list. A CSRF vulnerability was also found due to a lack of security checks, which allows an attacker to make changes to the settings.
Furthermore, it was possible for a user with subscriber level access to send test emails from the administrator’s dashboard. Test emails are sent to make sure everything is working OK. This is not a super critical issue, but it does allow someone other than an administrator to send out emails from the site’s email server. Last, an Unauthenticated Option Creation vulnerability was found which gave an unauthenticated user the ability to create options in the database. Such an option could then be exploited with malicious code. These issues were discovered in mid October and fixed in mid November.
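The CartFlows, IgniteUp and Email Subscribers entries above share one root cause: a plugin action reachable by any logged-in user (or by CSRF) with no capability check and no nonce. The following is an added illustration written for this post, not code from any of those plugins; it uses a hypothetical admin-ajax handler (`ndsdemo_*` names are assumed) and shows the vulnerable pattern beside the hardened one.

```php
<?php
// Added illustration, not code from any plugin named in this post.
// Both handlers are registered on admin-ajax.php under hypothetical action names.

// VULNERABLE: no nonce and no capability check. Any authenticated user can call
// this, and a forged request from another site (CSRF) can make an admin call it.
function ndsdemo_save_setting_vulnerable() {
    update_option( 'ndsdemo_public_key', $_POST['public_key'] ); // raw, unvalidated
    wp_send_json_success();
}
add_action( 'wp_ajax_ndsdemo_save_vulnerable', 'ndsdemo_save_setting_vulnerable' );

// HARDENED: verify the nonce (stops CSRF), require the capability (stops
// low-privilege users) and validate/sanitize the value before storing it.
function ndsdemo_save_setting_hardened() {
    // Dies with HTTP 403 if the 'nonce' field is missing or does not match.
    check_ajax_referer( 'ndsdemo_save', 'nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $key = isset( $_POST['public_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['public_key'] ) )
        : '';

    // Accept only the shape a real key would have (assumed here: 32 hex chars),
    // so script or HTML can never be stored and echoed back later.
    if ( ! preg_match( '/^[a-f0-9]{32}$/i', $key ) ) {
        wp_send_json_error( 'invalid key', 400 );
    }

    update_option( 'ndsdemo_public_key', $key );
    wp_send_json_success();
}
add_action( 'wp_ajax_ndsdemo_save', 'ndsdemo_save_setting_hardened' );

// The settings page must hand the matching nonce to its JavaScript, which then
// sends it as the 'nonce' POST field alongside 'action=ndsdemo_save'.
function ndsdemo_enqueue_admin() {
    wp_enqueue_script( 'ndsdemo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'ndsdemo-admin', 'ndsdemo', array(
        'nonce' => wp_create_nonce( 'ndsdemo_save' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'ndsdemo_enqueue_admin' );
```

When reviewing a plugin, every `wp_ajax_*`, `admin_post_*` and REST callback that changes state should show the same three checks; a missing one is exactly the kind of flaw described in the entries above.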
Blog2Social
An XSS vulnerability was found with this plugin, which is used to auto post, cross promote or schedule blog posts to social media. It was possible for an attacker to insert their own malicious code through a certain parameter. Not much else is known about this issue, but it was fixed in mid November.
Sassy Social Share
An XSS vulnerability was also found with this plugin, which is used to share content over social media. Not much information has been provided, but a response header lacking a content type qualifier is left at its default, which could allow an attacker to insert their own HTML code. The issue was found in mid November and fixed quickly.
WP Maintenance
A Cross Site Request Forgery vulnerability was found within this plugin, which is used to set a temporary page on the website while the site undergoes an update. It was possible for an attacker to enable maintenance mode and inject malicious code, which would affect any visitor coming to the site while maintenance mode is enabled. The plugin is customizable, but a lack of security checks and sanitization was present which could allow an attacker to redirect a user to a malicious site or simply wreak havoc on the site. Six different settings could be altered and malicious code could be inserted, also creating the opportunity for an XSS attack. This issue was discovered in mid November and fixed quickly.
Jetpack
A vulnerability in the Shortcode Embed Code function was found in this plugin, which is used to protect your WordPress site from brute force attacks, unauthorized logins and more with a security suite. Very little about this vulnerability has been made clear, but it stems from the way the plugin processes embed code, and the issue has existed for some time, though it is doubtful that it has been exploited. This issue was identified in mid November and fixed in late November. Many WordPress users were even notified by the WordPress team of the issue and told to update, so if you use this plugin update it immediately.
WP Spell Check
A Cross Site Request Forgery vulnerability was discovered in this plugin, which is used as a spell and grammar checker along with a broken shortcode and HTML checker. If a user is logged in to the site and views a malicious website, it was possible for unintended actions to be performed. Should that happen, this could potentially be upgraded into an XSS vulnerability. The issue was found at the end of November and fixed quickly.
Core
WordPress 5.3 was released in mid November. While there were plenty of feature updates there were no vulnerabilities disclosed during this time.
Theme
No Theme vulnerabilities were disclosed during the month of November.