We take a lot of precautions when it comes to the safety and security of your website, but once we hand it off to you, the burden of maintaining it falls on you. Nicely Done Sites offers a maintenance agreement so that we can continue to maintain your website and keep it as safe and secure as possible. We highly recommend that all of our clients purchase one, but it is not mandatory. If you don't, we hope that you at least keep your WordPress website up to date. In this series of posts we detail some of the vulnerabilities discovered recently.
For anyone interested, or anyone who missed it, check out last month's vulnerabilities, and don't forget to keep your WordPress website up to date!
Plugins
Download Plugins And Themes From Dashboard
An Unauthenticated Stored XSS vulnerability was found in this plugin, which lets you download installed plugins and theme zip files directly from your admin dashboard without using FTP. The function used to save plugin settings lacks any security checks, so it can be called by anyone, not just authenticated users, and an unauthenticated user can inject code into any field. This issue was found in late September and fixed a few days later.
Export Users To CSV
An Unauthorized Access vulnerability was found in this plugin, which lets you export usernames and metadata such as email, real name and registration date to a CSV file. CSV is a simple file format for storing tabular data, such as a spreadsheet or database export, and it is easily imported by leading programs like Microsoft Excel. In this case the CSV file was saved in a public directory with a predictable filename, so an attacker could easily find it by path traversal or enumeration. This issue was discovered in late July, fixed in late September and disclosed in early October.
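The safer alternative to writing an export into a web-readable directory is to never create the file at all: authorise the request, then stream the CSV straight to the administrator's browser. The following is an added example, not the Export Users To CSV plugin's code; the `ndx_` function names and the `admin_post_` action name are hypothetical, while `get_users()`, `check_admin_referer()`, `current_user_can()` and `wp_die()` are standard WordPress functions.

```php
<?php
// Added example, not code from the Export Users To CSV plugin. Everything
// prefixed "ndx_" is hypothetical.

// RISKY pattern: the export is written into the public uploads directory under
// a fixed name, so anyone who guesses the URL can fetch it without logging in.
function ndx_export_users_to_file() {
    $upload = wp_upload_dir();
    $path   = trailingslashit( $upload['basedir'] ) . 'users.csv'; // predictable and web-readable
    $fh     = fopen( $path, 'w' );
    foreach ( get_users() as $u ) {
        fputcsv( $fh, array( $u->user_login, $u->user_email, $u->display_name, $u->user_registered ) );
    }
    fclose( $fh );
    return trailingslashit( $upload['baseurl'] ) . 'users.csv';
}

// SAFER pattern: authorise the request, then stream the CSV straight to the
// authorised browser. Nothing is left on disk, so there is no file to find.
add_action( 'admin_post_ndx_export_users', 'ndx_export_users_stream' );
function ndx_export_users_stream() {
    // Only users allowed to see the user list may export it.
    if ( ! current_user_can( 'list_users' ) ) {
        wp_die( 'You are not allowed to export users.', 403 );
    }
    // The export button's form must emit wp_nonce_field( 'ndx_export_users' ).
    check_admin_referer( 'ndx_export_users' );

    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="users-export.csv"' );

    $out = fopen( 'php://output', 'w' );
    fputcsv( $out, array( 'user_login', 'user_email', 'display_name', 'user_registered' ) );
    foreach ( get_users() as $u ) {
        fputcsv( $out, array_map( 'ndx_csv_cell', array(
            $u->user_login,
            $u->user_email,
            $u->display_name,
            $u->user_registered,
        ) ) );
    }
    fclose( $out );
    exit;
}

// Spreadsheet programs evaluate cells that start with = + - or @ as formulas,
// so a user-chosen display name beginning with one of those characters would be
// executed on import. Prefix such cells with an apostrophe to keep them literal.
function ndx_csv_cell( $value ) {
    $value = (string) $value;
    return preg_match( '/^[=+\-@]/', $value ) ? "'" . $value : $value;
}
```

The export link points at `admin-post.php?action=ndx_export_users` with the nonce appended, so an unauthenticated visitor who finds the URL gets a 403 rather than the user list, and there is no `users.csv` on disk to enumerate.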
All In One WP Security & Firewall
Two vulnerabilities were discovered in this plugin, which adds extra security and a firewall to your WordPress site. It is the third most downloaded security plugin on the WordPress store with over 600,000 downloads. The first issue was an Open Redirect vulnerability. This led to the other vulnerability: exposure of the hidden login page to the public. The issue was discovered in early October and fixed within a week.
SoundPress
An XSS vulnerability was found in this plugin, which allows you to embed audio from SoundCloud in your sidebar or in posts. No check of the URL was performed, which could allow an attacker to insert their own code. This issue was discovered in early October and fixed within a day.
wpData Tables
Two different issues were found in this plugin, the top-selling plugin for making tables and charts to manage data and present it on your WordPress site. Not a lot of information is available, but both an XSS and a SQL Injection vulnerability were found. An attacker is able to insert their own code, which will be executed by an administrator. This issue was fixed in mid-October.
iThemes Sync
An Insufficient Secure Key Validation vulnerability was found in this plugin, which allows users to manage multiple WordPress sites from one dashboard. The issue allows an attacker to insert their own secure API key into a site that uses this plugin. The attacker would then be able to add or remove plugins, manipulate content, or add or remove users on that site. It is not believed that anyone has exploited this issue in the wild, but public disclosure increases the odds of that happening. This issue was fixed in early October, so if you are using this plugin make sure that you update immediately if you haven't already.
Popup-Maker
Multiple issues were found in this plugin, which, as its name implies, is used to create popups. An attacker is able to control some of the actions run during initialization, creating an Indirect Object Reference vulnerability. This stems from a lack of authentication, which also allows an attacker to display system information. The plugin is also vulnerable to CSRF attacks due to a lack of tokens, which could allow an attacker to insert their own popup ad. These vulnerabilities allow the attacker to gain information about other installed WordPress plugins, the PHP configuration and more. This issue was fixed in mid-October.
Lara Google Analytics
An Authenticated Stored XSS vulnerability was found in this plugin, which provides a Google Analytics dashboard widget and also inserts the Google tracking code. Attackers were able to insert their own code in one of the fields, but the attacker must have a user account on the site. Once inserted, the code is added to all pages throughout the site. This issue was being exploited in the wild when it was found in mid-October, and it was fixed the same day.
Zoho CRM Lead Magnet
An XSS vulnerability was found in this plugin, which is used to create web forms on your site and capture leads. It is possible for an attacker to run their own code in a user's browser while the user is connected to a trusted site, essentially using the affected site as a vehicle to target its users. Any user of the plugin could exploit this. This issue was found in mid-October and fixed immediately. The plugin was pulled from the WordPress store while a review was conducted.
Broken Link Checker
An Authenticated Reflected XSS vulnerability was discovered in this plugin, which monitors your website for broken links. An attacker is able to exploit improper coding in the filter function, which accepts an XSS payload. An attacker does not need any privileges on the site, and this can lead to credentials being stolen or to a phishing attack. This issue was discovered in early September, and the developer responded that they no longer support or maintain this plugin. Because of this lack of response the issue was disclosed to the public in mid-October. If you are using this plugin you should delete it and find another.
Fast Velocity Minify
A Full Path Disclosure vulnerability was found in this plugin, which is used for website speed optimization. Authenticated users are able to discover the full directory path of the WordPress installation. Administrators are able to review cached files, and a callback is used to retrieve those files; no capabilities check is performed, so any user can potentially do this. The issue was discovered in mid-October and fixed the same day.
Events Manager
A Stored XSS vulnerability was found in this plugin, which is used for event registration. The vulnerability exists because of improper encoding and insertion of data in the locations map and events map. An attacker is able to insert their own code, create their own posts, or execute code that creates fake login screens to steal login credentials or initiate phishing attacks. If the exploited user is an administrator it can lead to the execution of PHP code and compromise of the server. This issue was found in early September, fixed in late September and disclosed to the public in mid-October.
EU Cookie Law
A Stored XSS vulnerability was also found in this plugin, which is used for GDPR compliance. Several configuration options in the admin area are handled improperly. If the attacker is able to compromise an admin account it can lead to code being executed in a user's browser to create fake login pages that steal login credentials. The issue was discovered in early September; the developers were asked twice to create a fix and have not responded. It was publicly disclosed in mid-October.
All In One SEO Pack
A Stored XSS vulnerability was found in this plugin, which helps with SEO for your website. It is the first SEO plugin available for WordPress. An authenticated attacker is able to take advantage of improper encoding of SEO-specific descriptions for posts. The attacker is able to create posts and execute code in a victim's browser, and depending on the capability level of the victim more can be done, such as executing PHP code and compromising the server. This issue was discovered in mid-September and fixed the following day. It was disclosed in mid-October.
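Both the Events Manager (map data) and All In One SEO Pack (post descriptions) issues come down to stored values being output without encoding for the context they land in. The following added example, which is not code from either plugin, shows the raw pattern beside the escaped one for the three contexts a map widget typically touches: element text, an HTML attribute, and an inline script. The `ndx_` meta keys, the `ndx-map` markup and the `ndxInitMap()` JavaScript function are hypothetical; `esc_html()`, `esc_attr()`, `wp_json_encode()`, `sanitize_text_field()` and `wp_verify_nonce()` are standard WordPress functions.

```php
<?php
// Added example, not code from Events Manager or All In One SEO Pack. The
// "ndx_" meta keys, the ndx-map markup and ndxInitMap() are hypothetical.

// VULNERABLE: stored meta values are dropped raw into HTML text, an attribute
// and an inline script, so a crafted location name runs in every visitor's
// browser (stored XSS).
function ndx_render_location_unsafe( $post_id ) {
    $name = get_post_meta( $post_id, 'ndx_location_name', true );
    $lat  = get_post_meta( $post_id, 'ndx_lat', true );
    $lng  = get_post_meta( $post_id, 'ndx_lng', true );
    echo "<div class=\"ndx-map\" data-name=\"$name\"><h3>$name</h3></div>";
    echo "<script>ndxInitMap({name: '$name', lat: $lat, lng: $lng});</script>";
}

// HARDENED: escape for the exact output context, and hand structured data to
// JavaScript as JSON rather than by string-building a script.
function ndx_render_location_safe( $post_id ) {
    $name = get_post_meta( $post_id, 'ndx_location_name', true );
    $lat  = (float) get_post_meta( $post_id, 'ndx_lat', true ); // numeric by construction
    $lng  = (float) get_post_meta( $post_id, 'ndx_lng', true );

    printf(
        '<div class="ndx-map" data-name="%1$s"><h3>%2$s</h3></div>',
        esc_attr( $name ), // attribute context
        esc_html( $name )  // element text context
    );

    // JSON_HEX_TAG turns < and > into \u003C / \u003E, so neither </script>
    // nor any other tag inside the data can terminate the inline script.
    $data = array( 'name' => $name, 'lat' => $lat, 'lng' => $lng );
    printf(
        '<script>ndxInitMap(%s);</script>',
        wp_json_encode( $data, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT )
    );
}

// Sanitise on save as defence in depth (behind nonce and capability checks),
// but the output escaping above is what actually prevents the XSS.
add_action( 'save_post', function ( $post_id ) {
    if ( ! isset( $_POST['ndx_location_nonce'] )
        || ! wp_verify_nonce( $_POST['ndx_location_nonce'], 'ndx_location_' . $post_id ) ) {
        return;
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    $name = isset( $_POST['ndx_location_name'] ) ? wp_unslash( $_POST['ndx_location_name'] ) : '';
    update_post_meta( $post_id, 'ndx_location_name', sanitize_text_field( $name ) );
    update_post_meta( $post_id, 'ndx_lat', isset( $_POST['ndx_lat'] ) ? (float) $_POST['ndx_lat'] : 0.0 );
    update_post_meta( $post_id, 'ndx_lng', isset( $_POST['ndx_lng'] ) ? (float) $_POST['ndx_lng'] : 0.0 );
} );
```

The key habit is escaping at output time, per context: `esc_html()` for text, `esc_attr()` for attributes, and JSON encoding (never string interpolation) for anything passed to script. Sanitising on save alone is not enough, because values can also arrive through imports, the REST API or older unsanitised records.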
Sliced Invoices
Multiple issues were found in this plugin, which is used to create quotes and send invoices that can be paid online. An Unauthenticated Information Disclosure vulnerability was found that allows an attacker to get a person's name and other personal information; it was possible due to a lack of a capability check and a security nonce. An Authenticated SQL Injection was also found. Again, a lack of a capability check and security nonce allowed an attacker to duplicate a quote or invoice and post it, since the duplicate is treated as a blog post. The attacker could then save the duplicate as a draft to steal the personal information or publish it and expose it to the world. These issues were discovered in early October and fixed in mid-October.
SyntaxHighlighter Evolved
A Stored XSS vulnerability was found in this plugin, which is used to easily post syntax-highlighted code without losing any formatting. Many of the websites that report on WordPress issues and display the code where the issue is use this plugin. An attacker could potentially insert an XSS payload in the comments section, and that payload can be processed as a shortcode. This issue was discovered in early October and fixed within hours. It was announced to the public in late October.
Groundhogg
An XSS vulnerability was found in an older version of this plugin, which is used to simplify, consolidate and automate sales and marketing. The issue, in versions 2.0.8.1 and earlier, allowed an attacker to insert their own code into a submission form and send someone to another website. Another issue, an Authenticated SQL Injection, was also found in an older version of this plugin, version 1.3.11.3: if an attacker is authenticated on the site, the plugin accepts user-supplied data that is unsanitized. These issues were fixed in late October.
WP HTML Mail
An HTML Injection vulnerability was found in this plugin, which is used to create professional email templates. Default plain text is converted to HTML mail format but is not sanitized. An attacker can potentially insert their own code, which can lead to a phishing attack or a CSRF vulnerability. Normally WordPress would include all the plain-text information, which provides more context and lessens the chance of this being exploited, but this plugin forgoes that, cuts out much of the relevant information and changes any potential link to a generic WordPress link. This issue was discovered in late October and fixed quickly.
WP Email Template
The same issue as above was found in this plugin, which is used to create a customizable and responsive email template. Just like above, this issue was discovered in late October and fixed quickly.
Email Templates
The same issue as above was found in this plugin, which is used to send beautiful emails with the WordPress Email Templates plugin: choose your template style, add a logo or some text, change colors, edit the footer and start sending nice emails from WordPress. As above, this issue was discovered in late October and fixed quickly.
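The HTML Injection issue shared by WP HTML Mail, WP Email Template and Email Templates has one root cause: a plain-text message body is wrapped in an HTML template without being escaped, so any text that reaches the mail (a commenter's name, a contact-form field, a post title) becomes live markup in the recipient's mail client. The following is an added example, not code from any of the three plugins, showing the unsafe conversion beside a safe one built on the real `wp_mail` filter; the `ndx_` function names are hypothetical, and `esc_html()`, `nl2br()` and `make_clickable()` are standard WordPress/PHP functions.

```php
<?php
// Added example, not code from WP HTML Mail, WP Email Template or Email
// Templates. The ndx_ functions are hypothetical; the 'wp_mail' filter is real.

// VULNERABLE: the plain-text body is concatenated into an HTML template as-is,
// so markup inside the message is rendered rather than shown as text.
function ndx_html_mail_unsafe( $args ) {
    $args['headers'] = 'Content-Type: text/html; charset=UTF-8';
    $args['message'] = '<html><body><div class="wrap">' . $args['message'] . '</div></body></html>';
    return $args;
}

// HARDENED: treat the body as text. Escape it first, then reintroduce only the
// formatting we intend (line breaks, linkified URLs).
function ndx_html_mail_safe( $args ) {
    $text = (string) $args['message'];

    // esc_html() neutralises < > & and quotes; nl2br() restores line breaks.
    $body = nl2br( esc_html( $text ) );
    // make_clickable() wraps bare URLs in <a> tags with an esc_url()'d href.
    // Running it after escaping means attacker-supplied markup stays inert,
    // and real links in the original text are preserved instead of dropped.
    $body = make_clickable( $body );

    // Replace any existing Content-Type header rather than appending a second.
    $headers = $args['headers'];
    if ( ! is_array( $headers ) ) {
        $headers = preg_split( '/\r\n|\r|\n/', (string) $headers );
    }
    $headers = array_values( array_filter( $headers, function ( $h ) {
        $h = trim( $h );
        return '' !== $h && 0 !== stripos( $h, 'content-type:' );
    } ) );
    $headers[] = 'Content-Type: text/html; charset=UTF-8';

    $args['headers'] = $headers;
    $args['message'] = sprintf(
        '<!DOCTYPE html><html><body><div style="font-family:sans-serif">%s</div></body></html>',
        $body
    );
    return $args;
}
add_filter( 'wp_mail', 'ndx_html_mail_safe' );
```

With the filter active, a message body containing `<a href="https://attacker.example/">Reset password</a>` reaches the recipient as visible text rather than as a clickable link, while a plain `https://yoursite.example/reset` in the same body is still turned into a link to that address.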
Give WP
Multiple issues were found in this plugin, the leading donation plugin for WordPress. An Unauthenticated Settings Change vulnerability was found due to a lack of a capabilities check, which would allow any user to make changes and potentially tamper with the payment gateway credentials. An Authenticated Settings Change was found, again because of the lack of a capabilities check, which would allow an attacker to reroute notification emails; this could be valuable if the first vulnerability was exploited. Another vulnerability is a lack of validation of a user's IP address; the validation is intended to prevent XSS attacks, and the sanitisation present in that particular function can be bypassed. These issues were discovered in mid-October and fixed in late October.
YIT Plugin Framework
An Authenticated Settings Change vulnerability was found in this plugin framework, which is used in several dozen plugins, most prominently all WooCommerce plugins. A logged-in user is able to change plugin options and insert or update custom post types. It is caused by a lack of a capability check and a security nonce. This issue was discovered in August and fixed in late October.
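"Lack of a capability check and a security nonce" is the recurring root cause on this page: Download Plugins And Themes From Dashboard, Fast Velocity Minify, Sliced Invoices, Give WP and the YIT Plugin Framework all describe a settings or data handler that any visitor, or any logged-in user, could call. The following added example is not code from any of those plugins; it shows the vulnerable shape of such a handler beside the hardened one for a notification-email setting (the kind Give WP's second issue allowed an attacker to reroute). The `ndx_` names, the option key and the settings-page hook suffix are hypothetical; `check_ajax_referer()`, `current_user_can()`, `sanitize_email()`, `wp_localize_script()` and the `wp_ajax_` hooks are standard WordPress.

```php
<?php
// Added example, not code from any plugin above. "ndx_" names, the option key
// and the settings page hook suffix are hypothetical.

// VULNERABLE pattern: the save handler is reachable by logged-out users
// (wp_ajax_nopriv_), performs no capability check, verifies no nonce, and
// stores the raw request value.
add_action( 'wp_ajax_nopriv_ndx_save_settings', 'ndx_save_settings_unsafe' );
add_action( 'wp_ajax_ndx_save_settings', 'ndx_save_settings_unsafe' );
function ndx_save_settings_unsafe() {
    update_option( 'ndx_notify_email', $_POST['notify_email'] );
    wp_send_json_success();
}

// HARDENED pattern: logged-in hook only, nonce (CSRF) check, capability
// (authorisation) check, then validation of the value.
add_action( 'wp_ajax_ndx_save_settings_v2', 'ndx_save_settings_safe' );
function ndx_save_settings_safe() {
    // Dies with HTTP 403 unless the request carries a valid 'ndx_settings'
    // nonce in _ajax_nonce (or _wpnonce).
    check_ajax_referer( 'ndx_settings' );

    // A nonce proves intent, not privilege: still require the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    $email = isset( $_POST['notify_email'] )
        ? sanitize_email( wp_unslash( $_POST['notify_email'] ) )
        : '';
    if ( ! is_email( $email ) ) {
        wp_send_json_error( array( 'message' => 'Invalid e-mail address.' ), 400 );
    }

    update_option( 'ndx_notify_email', $email );
    wp_send_json_success( array( 'notify_email' => $email ) );
}

// The settings page hands the nonce to its JavaScript when the script is
// enqueued, so every request from that page can present it.
add_action( 'admin_enqueue_scripts', function ( $hook ) {
    if ( 'settings_page_ndx' !== $hook ) { // hook suffix of the plugin's settings page (assumed)
        return;
    }
    wp_enqueue_script( 'ndx-settings', plugins_url( 'settings.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'ndx-settings', 'ndxSettings', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'ndx_settings' ),
    ) );
} );
```

The two checks answer different questions: the nonce tells you the request came from a page you generated for this user (which stops CSRF), and the capability tells you the user is allowed to change this setting (which stops a subscriber-level account, or a logged-out visitor on a `nopriv` hook, from doing so). Either one alone leaves one of the issues on this page open.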
WP Google Review Slider
An Authenticated SQL Injection vulnerability was discovered in this plugin, which displays Google reviews in a slider on your site and can automatically check for new reviews and add them. Very little information was provided, but the issue was fixed in October.
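SQL Injection appears four times on this page (wpData Tables, Sliced Invoices, Groundhogg and WP Google Review Slider), and in WordPress the fix is the same each time: bind every user-controlled value through `$wpdb->prepare()`. The following added example is not code from any of those plugins; it uses a hypothetical `ndx_reviews` table and `ndx_` functions, while `$wpdb->prepare()`, `$wpdb->esc_like()`, `absint()` and `sanitize_text_field()` are standard WordPress.

```php
<?php
// Added example, not code from the plugins named above. The ndx_reviews table
// and ndx_ functions are hypothetical.

// VULNERABLE: user-controlled values are concatenated straight into the query.
function ndx_get_reviews_unsafe( $place_id, $search ) {
    global $wpdb;
    $table = $wpdb->prefix . 'ndx_reviews';
    return $wpdb->get_results(
        "SELECT id, author, rating FROM $table
         WHERE place_id = '$place_id' AND author LIKE '%$search%'"
    );
}

// HARDENED: $wpdb->prepare() binds the values with %d / %s placeholders, and
// esc_like() keeps % and _ in the user's search text literal instead of
// letting them act as wildcards. The table name is built from $wpdb->prefix,
// not from request data, so interpolating it is safe.
function ndx_get_reviews_safe( $place_id, $search, $limit = 50 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'ndx_reviews';
    $like  = '%' . $wpdb->esc_like( $search ) . '%';
    $sql   = $wpdb->prepare(
        "SELECT id, author, rating FROM {$table}
         WHERE place_id = %d AND author LIKE %s
         ORDER BY id DESC LIMIT %d",
        absint( $place_id ),
        $like,
        absint( $limit )
    );
    return $wpdb->get_results( $sql );
}

// Typical authenticated call site: nonce, capability, validated inputs, then
// the prepared query. Even an authenticated user gets no way to alter the SQL.
add_action( 'wp_ajax_ndx_reviews', function () {
    check_ajax_referer( 'ndx_reviews' );
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    $place = isset( $_GET['place'] ) ? absint( $_GET['place'] ) : 0;
    $q     = isset( $_GET['q'] ) ? sanitize_text_field( wp_unslash( $_GET['q'] ) ) : '';
    wp_send_json_success( ndx_get_reviews_safe( $place, $q ) );
} );
```

A quick way to audit a plugin for this class of issue is to search its source for `$wpdb->query`, `$wpdb->get_results`, `$wpdb->get_var` and `$wpdb->get_row` and confirm that every call either takes a `prepare()`d string or contains no variable that originates from the request.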
About Author
An Authenticated Stored XSS vulnerability was discovered in versions of this plugin up to 1.3.9. This plugin is used to display information about the author of a post. An attacker is able to insert their own code into a post; it is then stored in the admin panel and executed when accessed by an admin. Not much else has been provided about this issue, but it was fixed in late October.
Core
A security update was released for WordPress in mid-October. Six vulnerabilities were found in WordPress Core. A Stored XSS vulnerability was found in the Customizer, which is used to make custom changes to the theme. Another vulnerability allowed unauthorized users to view unauthenticated posts. A Stored XSS vulnerability was found in style tags, which allowed an attacker to add code to the CSS.
A JSON Request Cache Poisoning issue was also found, which could allow an attacker to send a request that creates a harmful response; for a more in-depth look at this type of vulnerability check out this link. A Server-Side Request Forgery was found in the URL validation, which could allow an attacker to manipulate an HTTP client into making requests. Lastly, an Admin Referrer Validation vulnerability was found that did not properly check whether a user was an administrator as they moved from page to page. Not much other information was disclosed, but these issues were fixed in WordPress 5.2.4.
Theme
Bridge Theme
An Open Redirect vulnerability was found in this theme. The issue was in one of the preloaded plugins, the Qode Instagram Widget, and the same issue was found in another preloaded plugin, the Qode Twitter Feed. Scripts intended for the demo version only were left in the published theme and allowed an attacker to redirect a user to another site. This issue was fixed in late October.
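Open redirects came up twice this month, in All In One WP Security & Firewall and in the Bridge theme's bundled Qode widgets. The pattern is always a redirect target taken from the request and followed without checking its host. The following added example is not code from the theme, the widgets or the firewall plugin; the `ndx_` functions and the partner host are hypothetical, while `wp_redirect()`, `wp_safe_redirect()`, `wp_validate_redirect()` and the `allowed_redirect_hosts` filter are standard WordPress.

```php
<?php
// Added example, not code from the Bridge theme, its Qode widgets, or All In
// One WP Security & Firewall. ndx_ functions and the partner host are
// hypothetical.

// VULNERABLE: follows whatever the request supplies, so a link on the trusted
// site can send a visitor to any host (open redirect).
function ndx_return_to_unsafe() {
    if ( empty( $_GET['redirect_to'] ) ) {
        return;
    }
    wp_redirect( $_GET['redirect_to'] );
    exit;
}

// HARDENED: wp_validate_redirect() accepts only locations on this site's host
// (plus hosts on the 'allowed_redirect_hosts' allow-list), normalises
// protocol-relative "//host" forms before checking them, and returns the
// fallback for anything else. wp_safe_redirect() runs the same validation
// internally; calling wp_validate_redirect() first lets us choose the
// fallback (the front page) instead of its default of wp-admin.
function ndx_return_to_safe() {
    if ( empty( $_GET['redirect_to'] ) ) {
        return; // nothing requested, nothing to do
    }
    $requested = wp_unslash( $_GET['redirect_to'] );
    $to        = wp_validate_redirect( $requested, home_url( '/' ) );
    wp_safe_redirect( $to, 302 );
    exit;
}
add_action( 'template_redirect', 'ndx_return_to_safe' );

// If a redirect to another site is genuinely required (an OAuth callback, a
// payment provider), add that host to the allow-list rather than falling back
// to wp_redirect().
add_filter( 'allowed_redirect_hosts', function ( $hosts ) {
    $hosts[] = 'partner.example.com'; // placeholder host
    return $hosts;
} );
```

With this in place, `?redirect_to=/about/` and `?redirect_to=https://yoursite.example/about/` both work, while `?redirect_to=https://elsewhere.example/` and `?redirect_to=//elsewhere.example/` land on the front page. Demo-only scripts of the kind left in the Bridge theme are worth a separate check at release time: anything that exists purely for a demo site should be removed from the distributed package, not merely left unlinked.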