We take a lot of precautions when it comes to the safety and security of your website, but once we hand your website off to you, the burden of maintaining it falls on you. Nicely Done Sites offers a maintenance agreement so that we can continue to maintain your website and keep it as safe and secure as possible. We highly recommend that all of our clients purchase one, but it is not mandatory. If you do not, we hope that you at least keep your WordPress website up to date, and in this series of posts we are going to detail some of the vulnerabilities discovered recently.
For anyone interested, or anyone who missed it, check out last month’s vulnerabilities, and don’t forget to keep your WordPress website up to date!
Plugins
Event Tickets
A CSV Injection vulnerability was discovered in this plugin, which is used to let people purchase tickets for, or simply RSVP to, an event you are hosting. An attacker is able to run malicious code against a user who is logged in. An alert message would be shown to the user, but chances are it would be ignored, as they would be unaware of the reason for it and it would appear to be an error. This issue was discovered in February and has not been fixed. It was disclosed in early September. If you are using this plugin, it may be best to switch to a different one.
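CSV injection works because spreadsheet programs treat a cell that starts with =, +, - or @ as a formula rather than text. The defence belongs in whatever code writes the export. The following is an added example, not code from the Event Tickets plugin: a small PHP export routine that neutralises formula triggers before handing rows to fputcsv(). The attendee rows are constructed sample data.

```php
<?php
// Added example (not code from the Event Tickets plugin): neutralise spreadsheet
// formula injection when exporting attendee data to CSV.

/**
 * Return a CSV cell that spreadsheet software will treat as text, never as a formula.
 * Cells beginning with = + - @ (or a tab / carriage return) are formula triggers in
 * Excel and LibreOffice, so we prefix them with a single quote. The quote shows up
 * in the cell, which is the accepted trade-off for a plain-text export.
 */
function csv_safe_cell(string $value): string {
    if ($value !== '' && in_array($value[0], ['=', '+', '-', '@', "\t", "\r"], true)) {
        return "'" . $value;
    }
    return $value;
}

/**
 * Build the CSV in memory and return it as a string. fputcsv() takes care of
 * quoting commas, quotes and newlines; csv_safe_cell() takes care of formulas.
 */
function export_attendees_csv(array $rows): string {
    $fh = fopen('php://temp', 'r+');
    fputcsv($fh, ['Name', 'Email', 'Ticket']);
    foreach ($rows as $row) {
        fputcsv($fh, array_map('csv_safe_cell', $row));
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

// Constructed sample data: the second "name" is a formula, not a name.
$attendees = [
    ['Alice Example', 'alice@example.com', 'General'],
    ['=SUM(1,2)',     'mallory@example.com', 'VIP'],
];

echo export_attendees_csv($attendees);
```

Inside a plugin the same routine would run in the export handler before the Content-Type: text/csv header is sent; the point is that the escaping happens for every cell that came from user input, not just the ones that look suspicious.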
Portrait-Arch.com Photstore
An Unauthenticated Reflected XSS vulnerability was discovered in this plugin, which was used to sell photos. User input to the plugin was not sanitized, which would allow an attacker to execute malicious code in a user's browser and so steal that user's login credentials. This issue, and the developer's subsequent inaction, resulted in the plugin being removed from WordPress permanently. If you are using this plugin, remove it and find another one.
Spryng Payments for WooCommerce
An Unauthenticated Reflected XSS vulnerability was also discovered in this plugin, which allowed payments through the WooCommerce platform via the payment provider Spryng. As above, no sanitization of user input was in place, and just as above it could allow the attacker to steal the login credentials of a user. Also as above, the developer's subsequent inaction has resulted in this plugin being removed from WordPress. If you are using this plugin, remove it and find another one.
ECPay Logistics For WooCommerce
An Unauthenticated Reflected XSS vulnerability was also found in this plugin, an open source system that lets shops work with cooperative stores without having to worry about complicated checks. Several fields in the plugin are vulnerable to XSS due to the lack of sanitization of user input, which, like the plugins above, could allow the attacker to steal the login credentials of a user. This plugin has not been marked compatible with the past few WordPress updates and may no longer be maintained. The issue was disclosed in early September and no fix has been put in place.
API Bearer Auth
Stop us if you have heard this already, but an Unauthenticated Reflected XSS vulnerability was found in this plugin, which is used to enable authentication for the REST API using JWT refresh and access tokens. As with the above plugins, user input was not sanitized, which could allow the attacker to steal the login credentials of a user. The issue was disclosed in early September and has not been fixed. The plugin has not been updated in over 8 months and has very few installations, so chances are you are not using it.
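The four entries above share one root cause: a request parameter is written back into the page without being escaped for the context it lands in. The following is an added example, not code from any of those plugins, showing the unsafe pattern beside the escaped version. It runs as a plain PHP script; when loaded inside WordPress it uses the core esc_html() and esc_attr() helpers, otherwise it falls back to htmlspecialchars(). The search string is a constructed stand-in for $_GET['q'].

```php
<?php
// Added example, not code from Portrait-Arch.com Photstore, Spryng Payments, ECPay
// Logistics or API Bearer Auth. Demonstrates reflected XSS and its fix.

// Escape for an HTML text node. esc_html() is WordPress core; the fallback is the
// equivalent plain-PHP call so this script also runs outside WordPress.
function html_escape(string $value): string {
    if (function_exists('esc_html')) {
        return esc_html($value);
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Escape for a double-quoted HTML attribute value (esc_attr() in WordPress).
function attr_escape(string $value): string {
    if (function_exists('esc_attr')) {
        return esc_attr($value);
    }
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// VULNERABLE: the raw parameter is placed in a text node and in an attribute.
// A value containing a quote or angle bracket changes the page's markup.
function render_search_vulnerable(string $q): string {
    return '<p>Results for: ' . $q . '</p>'
         . '<input type="text" name="q" value="' . $q . '">';
}

// HARDENED: each value is escaped for the exact context it is written into.
function render_search_hardened(string $q): string {
    return '<p>Results for: ' . html_escape($q) . '</p>'
         . '<input type="text" name="q" value="' . attr_escape($q) . '">';
}

// Constructed input standing in for $_GET['q']: it closes the attribute and the
// input tag, then injects its own element.
$q = '"><b>injected</b>';

echo "VULNERABLE:\n" . render_search_vulnerable($q) . "\n\n";
echo "HARDENED:\n"   . render_search_hardened($q)   . "\n";
```

Escaping on output is the fix that actually closes the hole; sanitizing on input (sanitize_text_field() in WordPress) is a useful second layer but does not replace it, because the same stored value may later be written into HTML, an attribute, or JavaScript, each needing a different escape.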
Advanced Access Manager
An Arbitrary File Access/Download vulnerability was discovered in this plugin, which is used to manage access by giving visitors different roles that determine their level of access. The capability check is incomplete, which allows a user to access files that they should not be able to. This also gives them the ability to download the wp-config.php file and gain access to the database. The issue was discovered in early September and fixed quickly.
Search Exclude
An Unauthenticated Settings Change vulnerability was found in this plugin, which is used to exclude a page or post from searches of the website. No security checks were in place, so an attacker had the ability to change settings within the plugin even if they were not an administrator. This vulnerability was discovered and fixed at the end of August and made public in early September.
Photo Gallery By 10Web
SQL Injection and XSS vulnerabilities were discovered in this plugin, which is used to build mobile-friendly photo galleries in WordPress. The possibility of SQL Injection was found in the album_id parameter, as no sanitization of the input was present. Two different XSS vulnerabilities were also present. Little other information is available, but the issue was fixed in early September.
Ellipsis Human Presence Technology
An Unauthenticated Reflected XSS vulnerability was found in this plugin, which is used to eliminate CAPTCHA tests for website logins while maintaining the same level of security. One of the parameters of a form was vulnerable to XSS due to a lack of sanitization of the input. This could allow an attacker to insert their own code and steal the login credentials of an admin. This issue was discovered in mid-September and has not been fixed yet, so this plugin has been removed from the WordPress plugin directory.
Lifter LMS
An Unauthenticated Options Import vulnerability was discovered in this plugin, which is a WordPress Learning Management System. The vulnerability could allow an attacker to create their own administrator account, insert a website redirection, insert their own content, or escalate this to a Stored XSS vulnerability. Several scripts are loaded when the plugin is used; the capability check is insufficient and no security check is in place. That allows an attacker to import their own payload and perform the actions listed above. This issue was discovered in early September and fixed the following day.
SlickQuiz
Two different issues were found in this plugin, which is used for displaying and managing dynamic quizzes. The first issue is an Unauthenticated Stored XSS vulnerability. It arises when a user goes to save their score: this information is not encoded, and there are three different places where an XSS payload could be inserted; when any user with access to the site's dashboard views the user scores, the payloads activate. That also opens the plugin up to an Unauthenticated SQL Injection vulnerability. Since the id parameter is present on all calls in the code, SQL code could be injected, allowing the attacker to steal login credentials or more. This was discovered in early September and has not been fixed yet.
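Both SQL injection entries above (the album_id parameter in Photo Gallery and the id parameter here) come from a numeric request value being pasted into the query text. The following is an added example, not code from either plugin, contrasting that with a typed, bound parameter. It uses an in-memory SQLite database through PDO so it runs without WordPress; inside a plugin the equivalent is $wpdb->prepare() with a %d placeholder. The quiz_scores table and the request value are constructed.

```php
<?php
// Added example, not code from SlickQuiz or Photo Gallery. Shows why an id or
// album_id parameter must be typed and bound rather than concatenated into SQL.
// Constructed in-memory database so the script runs stand-alone.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE quiz_scores (id INTEGER PRIMARY KEY, player TEXT, score INTEGER)');
$db->exec("INSERT INTO quiz_scores (player, score) VALUES ('alice', 7), ('bob', 9), ('carol', 4)");

// VULNERABLE: whatever arrives in the request becomes part of the SQL text, so the
// caller controls the shape of the WHERE clause, not just the value compared.
function score_vulnerable(PDO $db, string $id): array {
    $rows = $db->query("SELECT player, score FROM quiz_scores WHERE id = $id");
    return $rows->fetchAll(PDO::FETCH_ASSOC);
}

// HARDENED: the value is cast to an integer and bound as a parameter. The query
// text is fixed at prepare time; the request can only influence the number.
// In WordPress: $wpdb->get_results( $wpdb->prepare(
//     "SELECT player, score FROM {$wpdb->prefix}quiz_scores WHERE id = %d", $id ) );
function score_hardened(PDO $db, string $id): array {
    $stmt = $db->prepare('SELECT player, score FROM quiz_scores WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed request value: the plugin expects a number but receives this string.
$id = '2 OR 1=1';

// With the vulnerable function the comparison is no longer "id = 2"; every row
// matches. With the hardened function (int)'2 OR 1=1' is 2, so only bob's row can.
print_r(score_vulnerable($db, $id));
print_r(score_hardened($db, $id));
```

The cast alone (absint() in WordPress) would already stop this particular input, but binding the parameter is what makes the fix hold for string columns and for values that have no integer form.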
Checklist
An Unauthenticated Reflected XSS vulnerability was discovered in this plugin, which is used to turn a blog into a checklist. No sanitization of user input is done, which can allow an attacker to steal login credentials. This issue has not been fixed yet.
Woody Ad Snippets
An Unauthenticated Reflected XSS vulnerability was found in this plugin, which is used to create and store code snippets for advertising. As above, no sanitization of user input is performed, which can allow an attacker to steal login credentials. This issue was fixed in mid-September.
Advanced AJAX Product Filters
An Unauthenticated Plugin Settings Update vulnerability was discovered in this plugin, which is used to filter products in a WooCommerce shop. The issue takes advantage of a misunderstanding of the admin_init hook's execution context and allows an attacker to update all plugin settings or redirect a user to a malicious site. The developer assumed that admin_init is only called when an administrator visits a page inside the admin folder, but it also runs for non-admin requests and users, as it is part of how WordPress controls access to the admin panel. This issue was fixed in mid-September.
Ultimate FAQ
An Unauthenticated Options Import/Export vulnerability was found in this plugin, which is used to create, organize and publish FAQs on your WordPress site. Information can be imported from a spreadsheet, and no capability or security checks are performed on it. This allows an attacker to import their own file and create their own blog posts on the website. Because of the lack of checks, the attacker is also able to export all blog posts to a PDF file, including posts that are members-only or otherwise restricted. This issue was fixed in mid-September.
Motors Car Dealer & Classified Ads
Multiple issues were found in this plugin, which is used to manage inventory and help with listings. An Unauthenticated Settings Import/Export vulnerability was found, since no security check was performed on the function used to import and export plugin options, making it accessible to anyone. This can lead to an XSS vulnerability, where the attacker builds their own form (or modifies an existing one), inserts their own code, and then re-imports the plugin settings.
An Unauthenticated Settings Import vulnerability was also found, since the plugin allows the administrator to import data using two scripts. One function uses the admin_init hook (mentioned above), making that function accessible to anyone. In addition, user ads can be displayed, but the developer misused a script and only sanitized part of the input area. An Authenticated Options Change vulnerability was also found, which lacked security and capability checks, allowing an authenticated user to change options or to insert code via the import vulnerability above. These issues were fixed in mid-September.
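The admin_init misuse in Advanced AJAX Product Filters and Motors, and the missing capability and security checks behind the import vulnerabilities in Lifter LMS, Ultimate FAQ and Motors, are the same mistake seen from two sides: the handler trusts the hook it is attached to instead of checking the caller. The following is an added example, not code from any of those plugins, showing the weak pattern beside the hardened one. It assumes it runs inside WordPress (add_action, current_user_can, check_admin_referer, wp_nonce_field and update_option are core functions); the ndsx_ prefix, the option name and the settings keys are hypothetical.

```php
<?php
// Added example, not code from Advanced AJAX Product Filters, Motors or any other
// plugin above. Assumes WordPress is loaded; "ndsx_" names are hypothetical.

// WEAK: a settings import hooked to admin_init with no capability or nonce check.
// admin_init fires on every admin-area request, including wp-admin/admin-ajax.php
// and wp-admin/admin-post.php, both reachable without logging in, so this
// handler is effectively public.
function ndsx_import_settings_weak() {
    if ( isset( $_POST['ndsx_settings'] ) ) {
        update_option( 'ndsx_settings', wp_unslash( $_POST['ndsx_settings'] ) );
    }
}
// add_action( 'admin_init', 'ndsx_import_settings_weak' ); // do not do this

// HARDENED: dedicated admin-post action, capability check, nonce check, and
// sanitization of every imported value before it is stored.
function ndsx_import_settings_hardened() {
    // 1. Only users allowed to manage options may import settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You do not have permission to import settings.', '', array( 'response' => 403 ) );
    }
    // 2. The request must carry the nonce emitted by ndsx_settings_form(); this
    //    stops a logged-in admin from being tricked into submitting it (CSRF).
    check_admin_referer( 'ndsx_import_settings', 'ndsx_nonce' );

    // 3. Accept only the keys we know about and sanitize each one.
    $raw   = isset( $_POST['ndsx_settings'] ) && is_array( $_POST['ndsx_settings'] )
           ? wp_unslash( $_POST['ndsx_settings'] ) : array();
    $clean = array(
        'title'    => sanitize_text_field( $raw['title'] ?? '' ),
        'redirect' => esc_url_raw( $raw['redirect'] ?? '' ),
        'per_page' => max( 1, min( 100, (int) ( $raw['per_page'] ?? 10 ) ) ),
    );
    update_option( 'ndsx_settings', $clean );

    wp_safe_redirect( admin_url( 'options-general.php?page=ndsx&imported=1' ) );
    exit;
}
// admin_post_{action} runs only for logged-in users. admin_post_nopriv_{action}
// would be the public variant; we deliberately do not register it.
add_action( 'admin_post_ndsx_import_settings', 'ndsx_import_settings_hardened' );

// The form that submits to the hardened handler, with the nonce field included.
function ndsx_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="ndsx_import_settings">';
    wp_nonce_field( 'ndsx_import_settings', 'ndsx_nonce' );
    echo '<input type="text" name="ndsx_settings[title]">';
    echo '<input type="url" name="ndsx_settings[redirect]">';
    echo '<input type="number" name="ndsx_settings[per_page]" value="10">';
    submit_button( 'Import settings' );
    echo '</form>';
}
```

Two things to check when reviewing a plugin for this class of bug: whether every state-changing handler calls current_user_can() for a capability that actually matches the action (not just is_admin(), which is true for admin-ajax.php), and whether it verifies a nonce, since the capability check alone does not stop CSRF against an administrator who is already logged in.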
DELUCKS SEO
An Unauthenticated Options Update vulnerability was discovered in this plugin, which is used to find relevant keywords for creating attractive titles and content. A number of websites have recently been hacked, and this plugin was found to be the cause. This vulnerability allows an attacker to insert their own code into the plugin settings, and those changes are then applied across all pages. No fix for this plugin is in place and it has been pulled from the WordPress plugin directory. If you use this plugin, it is recommended that you disable it.
Rich Reviews
An Unauthenticated Plugin Options Update vulnerability was publicized for this plugin, which is used to submit and publicize reviews. Attackers are able to insert their own code to create popup ads and redirects, which turns this into an XSS vulnerability. Access controls were lacking, and combined with a lack of sanitization this created a dangerous vulnerability. This plugin was pulled from the WordPress plugin directory in March, and while the developers have been working to rewrite the plugin, the number of exploits has led to the publication of this vulnerability. If you are using this plugin, it is recommended that you disable it.
Easy Fancybox
An Authenticated Stored XSS vulnerability was found in this plugin, which is used to give users a flexible and aesthetic lightbox solution for just about all media links on a WordPress website. Any publicly accessible page of a WordPress site is vulnerable if this plugin is installed. Some setting parameters were arbitrarily encoded and lack sanitization, which allows an attacker to insert their own code. This vulnerability was identified in mid-September and fixed within 5 days.
GiveWp
An Authentication Bypass vulnerability was found in this plugin, which is used to accept donations on a WordPress site without relying on a third party. An unauthenticated user was able to bypass API authentication and gain access to personal information. It turned out that no API key was generated to protect private information, so anyone could access it, and no API token was in place to validate the user either. This vulnerability was discovered in early September and was fixed quickly. If you use this plugin and have not updated, you should do so immediately.
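In WordPress the place where a REST endpoint decides who may call it is the permission_callback of the route. The following is an added example, not GiveWP's own code, showing a route registered without one beside the corrected registration. It assumes it runs inside WordPress; the ndsx/v1 namespace, the /donors route and the ndsx_donors option are hypothetical.

```php
<?php
// Added example, not GiveWP's own code. Assumes WordPress is loaded; the
// "ndsx/v1" namespace, route and option name are hypothetical.

// WEAK: a route with no permission_callback is served to anyone who can reach
// /wp-json/ndsx/v1/donors, logged in or not. Defined here only for contrast.
function ndsx_register_donors_route_weak() {
    register_rest_route( 'ndsx/v1', '/donors', array(
        'methods'  => 'GET',
        'callback' => 'ndsx_list_donors',
        // no 'permission_callback' => ...
    ) );
}

// HARDENED: permission_callback decides per request whether the caller may read
// donor data. current_user_can() is only true for a user WordPress has already
// authenticated (cookie plus REST nonce, or another supported scheme), so an
// anonymous request gets a 403 before the callback runs.
function ndsx_register_donors_route_hardened() {
    register_rest_route( 'ndsx/v1', '/donors', array(
        'methods'             => 'GET',
        'callback'            => 'ndsx_list_donors',
        'permission_callback' => function ( WP_REST_Request $request ) {
            if ( ! current_user_can( 'manage_options' ) ) {
                return new WP_Error( 'rest_forbidden', 'Donor data is private.', array( 'status' => 403 ) );
            }
            return true;
        },
        // Declare and bound the query argument so the callback never sees junk.
        'args' => array(
            'per_page' => array(
                'type'              => 'integer',
                'default'           => 20,
                'minimum'           => 1,
                'maximum'           => 100,
                'sanitize_callback' => 'absint',
            ),
        ),
    ) );
}
add_action( 'rest_api_init', 'ndsx_register_donors_route_hardened' );

// Callback shared by both registrations; it never has to check permissions itself.
function ndsx_list_donors( WP_REST_Request $request ) {
    $donors = get_option( 'ndsx_donors', array() );
    $donors = array_slice( $donors, 0, (int) $request['per_page'] );
    return rest_ensure_response( $donors );
}
```

Since WordPress 5.5 a route registered without a permission_callback triggers a _doing_it_wrong notice, but the route still works, so the notice is a prompt, not a safeguard. Intentionally public routes should say so explicitly with 'permission_callback' => '__return_true', which makes the decision visible in review.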
Visualizer
Two vulnerabilities were discovered in this plugin, which is used to create, manage and embed interactive charts and tables. A Stored XSS vulnerability was found that allows an attacker to modify the metadata of a chart and insert their payload, which is stored and executed later when an admin views the chart. A lack of access controls is the reason for this vulnerability. A Blind SSRF vulnerability was also discovered in this plugin, but no other information was disclosed, so that the author has time to fix the plugin and people have time to apply the fix. The issue has been resolved and more information will be released in mid-October.
Theme Editor
Multiple issues were found in this plugin, which is used to modify WordPress theme files. A CSRF vulnerability, an Arbitrary File Upload vulnerability, insufficient permission checking and the ability to interact with server folders were all possible due to a missing nonce check. Little information about this has been published, and most of these vulnerabilities require access to an account. This issue was found in early September and a fix was applied at the end of the month that addresses most of the issues.
Core
WordPress 5.2.3 was released in early September to fix several security issues as well as 29 bugs. A potential Open Redirect was found following validation and sanitization of a URL. An XSS vulnerability was found in stored comments and post previews, as well as shortcode previews. Another XSS vulnerability was discovered in the Dashboard. These issues were fixed with the recent update, so update as soon as possible if you have not already.
Theme
Selio – Real Estate Directory
SQL Injection and XSS vulnerabilities were found in this theme, which can help run any real estate business. After creating a new account, an attacker could go to the Inquiry section or the Report Listing and enter their own code in the Message section. This vulnerability can be escalated into XSS as well. This issue was found in early September and fixed in late September.
Nexos – Real Estate
SQL Injection and XSS vulnerabilities were found in this theme, which can help run any real estate business. This is essentially the same issue as above. After creating a new account, an attacker could go to the Inquiry section or the Report Listing and enter their own code in the Message section. This vulnerability can be escalated into XSS as well. This issue was found in early September and fixed in late September.