Wordpress security

WordPress Vulnerability News, October 2020


Updated: October 26, 2020 by Agnes Talalaev

WordPress vulnerability news is a weekly digest of notable WordPress plugin security vulnerabilities and vulnerability disclosures that have been published (other, less critical vulnerabilities in smaller plugins unfortunately don’t make it to the list).

Keeping up to date with security vulnerabilities in WordPress and other CMSs is an important part of security. That is why we analyze WordPress plugins and newly disclosed vulnerabilities to make sure the sites using the mentioned plugins or themes are protected.

All the vulnerabilities listed in this article have received a virtual patch in the WebARX firewall. This means that if you use the WebARX web application firewall, your site is protected from these vulnerabilities, but it is always strongly advised to update or delete vulnerable plugins from your site.

Is your WordPress site secured? Take a look at how to secure your WordPress site here.

If you are a WordPress plugin developer, read how to secure plugins from an attacker’s perspective or contact support@webarxsecurity.com and ask for a plugin security audit.

What are the biggest challenges for freelancers and digital agencies in 2020? Read the Website Security Survey Report 2020 to find out.

Advanced Booking Calendar 

Booking Calendar for accommodations.

Vulnerability: Unauthenticated SQL injection
Fixed in version: 1.6.2
Number of sites affected: 5000+

The PoC will be displayed on November 05, 2020, to give users the time to update.

CM Download Manager 

The CM Downloads Manager is a file-sharing plugin for WordPress that enables you to specify which users are allowed to upload, manage, track and support documents, media files, and much more.

Vulnerability: Authenticated cross-site scripting
Fixed in version: 2.8.0
Number of sites affected: 700+

The plugin does not properly validate and sanitise the uploaded filename, which could result in a Cross-Site Scripting issue.

Read more about the plugin vulnerabilities here.

Helios Solutions Brand Logo Slider

HS Brand Logo Slider is a WordPress plugin that helps users upload logos of their clients, affiliates, sponsors, etc.

Vulnerability: Unauthenticated SQL injection
Fixed in version: no known fix
Number of sites affected: N/A

An Authenticated user (admin+) can bypass the security check of the plugin and upload arbitrary files via the Brand Logo.

Read more about the plugin vulnerabilities here.

Loginizer

Loginizer is a WordPress plugin which helps you fight against brute-force attacks.

Vulnerability: Unauthenticated SQL injection
Fixed in version: 1.6.4
Number of sites affected: 1+ million

The PoC will be displayed on November 04, 2020, to give users the time to update.

Simple Download Monitor

This plugin helps to manage digital downloads and monitor the number of downloads of your files and documents.

Vulnerability: SQL injection
Fixed in version: 3.8.9
Number of sites affected: 20 000+

Read more about the plugin vulnerabilities here.

SuperStoreFinder Plugins

Super Store Finder for WordPress

Super Store Finder is a WordPress Plugin integrated with the latest Google Maps API that allows customers to locate your stores easily. 

Vulnerability: Unauthenticated Arbitrary File Upload
Fixed in version: 6.2
Number of sites affected: 4000+

Super Interactive Maps for WordPress

Super Interactive Maps is a WordPress Plugin integrated with Google Geochart API that allows you to create maps of country, continent, and regions. 

Vulnerability: Unauthenticated Arbitrary File Upload
Fixed in version: 2.0
Number of sites affected: 600+

Super Logos Showcase for WordPress

Super Logos Showcase is a plugin to showcase logos and brands on your website that is tailor-made for a full-width website template and mobile responsive view.

Vulnerability: Unauthenticated Arbitrary File Upload
Fixed in version: 2.3
Number of sites affected: 200+

The PoC will be displayed on November 11, 2020, to give users the time to update.

TI WooCommerce Wishlist

WooCommerce Wishlist is a tool that can help you convert your site visitors into customers.

Vulnerability: Authenticated WP options change
Fixed in version: 1.21.12
Number of sites affected: 70 000+

The WordPress TI WooCommerce Wishlist plugin (70,000+ installations) fixed a critical zero-day vulnerability affecting version 1.21.11 and below that could allow an attacker to take over the blog and its database.

Because WooCommerce allows customer registration, any logged-in customer can exploit this vulnerability.

Read more about the plugin vulnerabilities here.

Comment Press

CommentPress is a plugin for WordPress that allows you to insert, edit and delete comments.

Vulnerability: Unauthenticated cross-frame scripting
Fixed in version: 2.7.2
Number of sites affected: 500+

An unauthenticated cross-frame scripting vulnerability was discovered in the Comment Press plugin version 2.7.0 for WordPress.

Read more about the plugin vulnerabilities here.

Realia

A real estate WordPress plugin.

Vulnerability: Unauthenticated IDOR leading to arbitrary post deletion
Fixed in version: no known fix
Number of sites affected: N/A

While investigating an IDOR issue in the Home Sweet premium theme, allowing arbitrary deletion of Ads, the Realia plugin was found to be the root cause.

In fact, having this plugin installed (which some themes require) can allow unauthenticated attackers to delete arbitrary posts, by submitting a malicious request with the post ID to delete.

Read more about the plugin vulnerabilities here.

Child Theme Creator by Orbisius

This plugin allows you to quickly create child themes from any theme that you currently have installed on your site/blog. It also creates rtl.css if it exists in the parent theme.

Vulnerability: CSRF to arbitrary file modification/creation
Fixed in version: 1.5.2
Number of sites affected: 30 000+

This flaw gave attackers the ability to forge requests on behalf of an administrator in order to modify arbitrary theme files and create new PHP files, which could allow an attacker to achieve remote code execution (RCE) on a vulnerable site’s server. (Source)

The PoC will be displayed on October 28, 2020, to give users the time to update.

Live Chat – Live support

Chat with your website visitors in real-time.

Vulnerability: Cross-site request forgery
Fixed in version: 3.2.0
Number of sites affected: 1000+

The vulnerability may allow attackers to change the plugin’s settings.

Read more about the plugin vulnerabilities here.

PowerPress Podcasting Plugin by Blubrry

Powerpress is a podcasting plugin for WordPress.

Vulnerability: Authenticated arbitrary file upload leading to RCE
Fixed in version: 8.3.8
Number of sites affected: 60 000+

The PoC will be displayed on October 25, 2020, to give users the time to update.

Ninja Forms

Ninja Forms is a WordPress plugin that helps to create forms.

Vulnerability: CSRF to RCE
Fixed in version: 3.4.27.1
Number of sites affected: 1+ million

Read more about the plugin vulnerabilities here.

Coditor

Coditor is a code editor plugin for WordPress.

Vulnerability: Arbitrary file editing, deletion, and internal directory listing in wp-content
Fixed in version: 1.1
Number of sites affected: N/A

The PoC will be displayed once the issue has been remediated.

Dynamic Content for Elementor

The PHP Raw widget allows you to apply a string of PHP code directly from the frontend.

Vulnerability: Authenticated RCE
Fixed in version: 1.9.6
Number of sites affected: N/A

The PHP Raw Widget of the Dynamic Content for Elementor plugin before 1.9.6 did not properly check for user permissions, allowing accounts with a role as low as an editor to perform RCE attacks. (Source)

The PoC will be displayed on October 29, 2020, to give users the time to update.

WPBakery Page Builder

WPBakery is a page builder plugin for WordPress.

Vulnerability: Authenticated stored cross-site scripting (XSS)
Fixed in version: 6.4.1
Number of sites affected: 4+ million

This flaw made it possible for authenticated attackers with contributor-level or above permissions to inject malicious JavaScript in posts.

Read more about the plugin vulnerabilities here.

Meta Slider

With Meta Slider you can create SEO-optimized slideshows.

Vulnerability: Cross-site scripting (XSS)
Fixed in version: 2.5
Number of sites affected: 800 000+

See more about the plugin here.

XCloner – Backup and Restore

XCloner is a WordPress backup plugin.

Vulnerability: Authenticated path traversal
Fixed in version: 3.1.5
Number of sites affected: 30 000+

Authenticated users are able to perform directory listings at any location available to the WordPress user, leaking filenames of previous backups. This was found in XCloner – Backup and Restore version 3.1.5, but may have been introduced in earlier versions.

Attackers can leverage directory listings to leak otherwise secret file paths to previous backups, allowing them to acquire full backup contents since the backup download is not authenticated.

Read more about the plugin vulnerabilities here.

Post Grid

With PostGrid you can create: a grid for your blog post; product showcase; team member showcase; portfolio, gallery; archive post display; category post display; and more.

Vulnerability: Authenticated stored cross-site scripting (XSS)
Fixed in version: 2.0.73
Number of sites affected: 60 000+

Read more about the plugin vulnerabilities here.

Team Showcase

A plugin that helps you to display your team on your WordPress site.

Vulnerability: Authenticated stored cross-site scripting (XSS)
Fixed in version: 1.22.16
Number of sites affected: 6 000+

Read more about the plugin vulnerabilities here.

WordPress + Microsoft Office 365 / Azure AD | LOGIN

With WPO365 | LOGIN users can sign in with their corporate or school (Azure AD / Microsoft Office 365) account to access your WordPress website.

Vulnerability: JWT signature verification bypass
Fixed in version: 11.7
Number of sites affected: 1000+

The vulnerability could allow an attacker to bypass authentication and authorisation checks.

Read more about the plugin vulnerabilities here.

Make Sure WordPress Plugin Vulnerabilities Won’t Affect Your Sites

WordPress sites are being hacked and infected every day. Some statistics say that about 30,000 websites are infected with some type of malware daily. Every public website is a resource available on the internet, and as soon as your website is available to the public, it immediately becomes a target.

It can take just days from a disclosed plugin vulnerability to a full-scale attack campaign. Attacks of this nature are almost always automated. To be able to fight back, you have a small time window in which to take action. In such cases, web application firewalls are of critical importance.

Always keep your plugins updated. If possible, enable automatic updates. If you are using any of the mentioned plugins, you need to update it to the latest version as soon as possible to make sure WordPress plugin vulnerabilities won’t affect your sites.
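As an added example (not code from this article or from WebARX), the following Python script turns the advice above into a check: it compares a plugin inventory, in the JSON shape produced by `wp plugin list --fields=name,title,version,status --format=json`, against the fixed versions listed in this digest. The inventory below is constructed sample data, and matching is done on the plugin title as it appears in this article, so a site whose plugin titles differ would need the mapping adjusted. The version comparison pads differing component counts (so 3.4.27 sorts below 3.4.27.1 and 6.2.0 equals 6.2) and treats pre-release suffixes as older than the release, and entries with no known fix are flagged for removal rather than for an update.

```python
"""Flag installed WordPress plugins that are below the fixed versions listed in this digest."""
import json
import re

# Plugin title -> version containing the fix, as listed in this article.
# None means "no known fix" at the time the article was written.
FIXED_VERSIONS = {
    "Advanced Booking Calendar": "1.6.2",
    "CM Download Manager": "2.8.0",
    "Helios Solutions Brand Logo Slider": None,
    "Loginizer": "1.6.4",
    "Simple Download Monitor": "3.8.9",
    "Super Store Finder": "6.2",
    "Super Interactive Maps": "2.0",
    "Super Logos Showcase": "2.3",
    "TI WooCommerce Wishlist": "1.21.12",
    "Comment Press": "2.7.2",
    "Realia": None,
    "Child Theme Creator by Orbisius": "1.5.2",
    "Live Chat – Live support": "3.2.0",
    "PowerPress Podcasting Plugin by Blubrry": "8.3.8",
    "Ninja Forms": "3.4.27.1",
    "Coditor": "1.1",
    "Dynamic Content for Elementor": "1.9.6",
    "WPBakery Page Builder": "6.4.1",
    "Meta Slider": "2.5",
    "XCloner – Backup and Restore": "3.1.5",
    "Post Grid": "2.0.73",
    "Team Showcase": "1.22.16",
    "WordPress + Microsoft Office 365 / Azure AD | LOGIN": "11.7",
}


def normalize(title):
    """Case-fold a title and unify dashes/whitespace so small display differences still match."""
    t = title.replace("\u2013", "-").replace("\u2014", "-")
    return re.sub(r"\s+", " ", t).strip().lower()


INDEX = {normalize(title): fixed for title, fixed in FIXED_VERSIONS.items()}


def parse_version(version):
    """'3.4.27.1' -> [3, 4, 27, 1]; a non-numeric piece such as 'beta' becomes -1 (older than release)."""
    parts = []
    for piece in re.split(r"[.\-]", version.strip()):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group(0)) if match else -1)
    return parts


def version_lt(installed, fixed):
    """True if installed < fixed, padding the shorter tuple with zeros (6.2 == 6.2.0)."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += [0] * (width - len(a))
    b += [0] * (width - len(b))
    return a < b


def check_inventory(plugins):
    """plugins: list of dicts with at least 'title' and 'version' (shape of `wp plugin list --format=json`).

    Returns (title, installed_version, fixed_version, verdict) for every plugin named in the digest;
    plugins the digest does not mention are skipped.
    """
    findings = []
    for plugin in plugins:
        key = normalize(plugin.get("title", ""))
        if key not in INDEX:
            continue
        fixed = INDEX[key]
        installed = plugin.get("version", "")
        if fixed is None:
            verdict = "no known fix: disable or remove the plugin"
        elif version_lt(installed, fixed):
            verdict = "vulnerable: update to %s or later" % fixed
        else:
            verdict = "patched"
        findings.append((plugin["title"], installed, fixed, verdict))
    return findings


# Constructed sample inventory (slugs and versions are made up for this example).
SAMPLE_INVENTORY = json.loads("""[
  {"name": "loginizer", "title": "Loginizer", "version": "1.6.3", "status": "active"},
  {"name": "ninja-forms", "title": "Ninja Forms", "version": "3.4.27.1", "status": "active"},
  {"name": "some-other-plugin", "title": "Some Unrelated Plugin", "version": "0.9", "status": "inactive"},
  {"name": "realia", "title": "Realia", "version": "1.4.0", "status": "active"},
  {"name": "super-store-finder", "title": "Super Store Finder", "version": "6.2", "status": "active"}
]""")

if __name__ == "__main__":
    # To run against a real site, pipe `wp plugin list --fields=name,title,version,status --format=json`
    # into json.load(sys.stdin) in place of SAMPLE_INVENTORY.
    for title, installed, fixed, verdict in check_inventory(SAMPLE_INVENTORY):
        print("%-25s installed=%-10s fixed=%-10s %s" % (title, installed, fixed, verdict))
```

Running it on the sample inventory reports Loginizer 1.6.3 as vulnerable (fix is 1.6.4), Ninja Forms and Super Store Finder as patched, Realia as having no known fix, and ignores the unrelated plugin. Because the digest only lists fixed versions, the check can say a site is below the fixed version, not that a given older version is definitely affected, so treat a "vulnerable" verdict as a prompt to update rather than as proof of exploitability.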

WebARX web application firewall gets virtual patches that are distributed automatically among the sites when vulnerabilities are discovered. Threat intelligence and prevention are our main focus and thus our firewall engine is updated on a daily basis.

Websites with the WebARX firewall installed are protected from the security issues mentioned in this article. If you are not yet protecting your WordPress site against plugin vulnerabilities, go and start for free here.
