Wordpress security

WordPress Vulnerability News, January 2020


Updated: April 3, 2020 by Agnes Talalaev

WordPress vulnerability news is a monthly digest of notable vulnerable WordPress plugins and vulnerability disclosures that have been published (there are other, less critical vulnerabilities in smaller plugins that unfortunately don’t always make it to the list).

Keeping up to date with security vulnerabilities in WordPress and other CMSs is an important part of security. That is why we analyze vulnerable plugins and newly disclosed vulnerabilities, to make sure the sites using the mentioned plugins or themes are protected.

All the vulnerabilities you find from this article have received a virtual patch to the WebARX firewall. It means that if you use the WebARX web application firewall, your site is safe from these vulnerabilities, but it’s always strongly advised to update or delete vulnerable plugins from your site.

Is your WordPress site secured? Take a look at how to secure your site here.

If you are a WordPress plugin developer read how to secure plugins from an attackers’ perspective.

Take a look at February 2020 news here, March 2020 news here, and April 2020 news here.

Authenticated Stored XSS in GistPress Plugin

Image: screenshot from github.com/bradyvercher/gistpress

A WordPress plugin to easily embed Gists via oEmbed or shortcode.

Vulnerability: Authenticated stored XSS
Vulnerable version: 3.0.2 and below
Number of sites affected: N/A

A stored XSS vulnerability that could be exploited by untrusted contributors on multi-author sites.

Read more about the vulnerable plugin from here.

Authenticated Stored XSS in Elementor Page Builder

A page builder for page designs and advanced capabilities for WordPress sites.

Vulnerability: Authenticated stored XSS
Vulnerable version: 2.7.5 and below (fixed in 2.7.6)
Number of sites affected: 4+ million
Exploitation Level: Easy/requires authentication

This vulnerability is exploitable on sites that allow users to have accounts and that run Elementor versions lower than 2.7.6, released in December 2019.

A successful attack results in malicious scripts being injected into the plugin’s System Info page. If an administrator visits that page, the malicious JavaScript code can execute privileged actions on the victim’s behalf, like creating new administrative accounts or storing backdoors on the site to maintain access.

Read more about the vulnerable plugin here.

Critical CSRF to RCE Vulnerability in Code Snippets Plugin

Code Snippets is an easy, clean and simple way to run PHP code snippets on your site. It removes the need to add custom snippets to your theme’s functions.php file.

Vulnerability: Critical CSRF to RCE
Vulnerable version: fixed in version 2.14.0
Number of sites affected: 200 000+

This issue could lead to complete site takeover. Vulnerabilities of this magnitude are quickly targeted by adversaries, so updating to the patched version should be done immediately!

Read more about the vulnerable plugin here.

Authenticated Reflected XSS in Elementor Page Builder

A page builder for page designs and advanced capabilities for WordPress sites.

Vulnerability: Authenticated reflected XSS
Vulnerable version: 2.8.5 and below
Number of sites affected: 4+ million

The PoC will be displayed on February 12, 2020, to give users the time to update.

CSV Injection in Flamingo Plugin

Flamingo is a message storage plugin originally created for Contact Form 7, which doesn’t store submitted messages.

Vulnerability: CSV injection
Vulnerable version: 2.1.1 and below
Number of sites affected: 500 000+

A CSV injection vulnerability was discovered in Flamingo 2.1. It allows a user with low-level privileges to inject a formula or OS command payload that is included in the exported CSV file and may execute when the file is opened in a spreadsheet application, leading to possible command/code execution.

Read more about the vulnerable plugin here.

Missing Authorization Check In wpCentral Plugin

The wpCentral plugin allows you to manage your sites on a single panel. It gives you the power to login to any website, install/delete/activate plugins, upload files and much more.

Vulnerability: Privilege escalation
Vulnerable version: 1.4.7 and below
Number of sites affected: 50 000+

In versions 1.4.7 and below of this plugin, there’s a vulnerability that allows anyone who is logged in with any user role to escalate their privilege or alter/upload any file, or adjust any plugin and interact with the site in many other ways.

You can read more about the vulnerable plugin here.

Secret Login Page Disclosure in WPS Hide Login Plugin

WPS Hide Login lets you change the URL of the login form page to anything you want.

Vulnerability: Secret login page disclosure
Vulnerable version: 1.5.4.2 and below (fixed in 1.5.5)
Number of sites affected: 500 000+

A vulnerability in version 1.5.4.2 and below could allow an attacker to find and access the secret login page.

You can read more about the vulnerable plugin here.

Stored XSS in WP DS FAQ Plus Plugin

WP DS FAQ Plus plugin is a simple FAQ page management tool for your website. WP DS FAQ Plus is the plugin which was improved based on WP DS FAQ 1.3.3.

Compared with WP DS FAQ, it fixes some issues (quotation handling and security issues such as SQL injection and CSRF) and adds a Japanese translation, interface improvements, and an SSL admin setting.

Vulnerability: Stored XSS
Vulnerable version: 1.0.354 and below
Number of sites affected: 50 000+

The PoC will be displayed on February 07, 2020, to give users the time to update.

Authenticated Stored XSS in Calculated Fields Form Plugin

With Calculated Fields Form, you can create forms with dynamically calculated fields to display the calculated values.

Vulnerability: Authenticated stored XSS
Vulnerable version: 1.0.354 and below
Number of sites affected: 50 000+

“An authenticated user with access to edit or create Calculated Fields Form content can inject javascript into input fields such as ‘field name’ and ‘form name’.”

Read more about the vulnerable plugin here.

Unauthenticated Reflected XSS in Chained Quiz Plugin

This is a chained / conditional logic quiz plugin that lets you create quizzes where the next question depends on the answer to the previous question.

Vulnerability: Unauthenticated reflected XSS
Vulnerable version: below 1.1.8.2 (fixed in 1.1.8.2)
Number of sites affected: 1 000+

The WordPress plugin Chained Quiz before 1.1.8.2 suffers from a reflected XSS vulnerability in the ‘total_questions’ POST parameter when a user completes a quiz.

The code in question, in models/quiz.php, writes the ‘total_questions’ parameter into the page without escaping special characters:

$output = str_replace('{{questions}}', $_POST['total_questions'], $output);

The PoC will be displayed on January 30, 2020, to give users the time to update.

Read more about the vulnerable plugins here.

WordPress Hardening Bypass

Image source: https://blog.ripstech.com/

A Remote Code Execution (RCE) vulnerability in the WordPress core, present in versions prior to 5.2.4, bypasses a hardening mechanism that was meant to stop attackers from turning Cross-Site Scripting into code execution.

The vulnerability can be exploited even when the hardening mechanism described in the RIPS write-up is in place, so the hardening is effectively bypassed. This re-enables attackers to turn simple Cross-Site Scripting vulnerabilities into full Remote Code Execution on the server.

Make sure to update your WordPress installations to 5.2.4 or later to prevent the bypass.

Read more about the WordPress vulnerability here.

Authenticated Stored XSS in Contact Form Clean and Simple Plugin

An AJAX contact form with Google reCAPTCHA, Twitter Bootstrap markup, and Akismet spam filtering.

Vulnerability: Authenticated stored XSS
Vulnerable version: 4.7.0 and below
Number of sites affected: 20 000+

Contact Form Clean and Simple is vulnerable to Authenticated stored XSS. When a user has admin capabilities, malicious code can be submitted through the plugin’s options. This code will then be executed on every page with the contact form on the front-end.

January 22nd, 2020 – according to the researcher, the issue was escalated to the WordPress plugins team because the developer had not responded.

Read more about the plugin vulnerability here.

Insecure Direct Object Reference (IDOR) in Ultimate Member Plugin

Ultimate Member is a user profile and membership plugin for WordPress. The plugin makes it a breeze for users to sign-up and become a member of your website.

Vulnerability: Insecure direct object reference (IDOR)
Vulnerable version: 2.1.3 and below
Number of sites affected: 100 000+

IDOR issues allowing change of other users’ profiles and cover photos.

Read more about the vulnerable plugin here.

Arbitrary PHP Execution in AccessAlly Plugin

AccessAlly is a powerful, flexible customer-getting and retaining system that grows with your business, and that pays for itself.

Vulnerability: Arbitrary PHP execution
Vulnerable version: below 3.3.2 (fixed in 3.3.2)
Number of sites affected: N/A

Prior to version 3.3.2, this plugin allowed arbitrary PHP execution through the login_error function. This exploit is out in the wild now and actively being exploited.

The PoC will be displayed on February 11, 2020, to give users the time to update.

Read more about the plugin vulnerability here.

DOM Cross-Site Scripting in Chatbot with IBM Watson Plugin

IBM Watson helps you to give support to your customers. You can train Watson to answer frequently asked questions, provide useful information and help them navigate your website.

Vulnerability: DOM-based XSS
Vulnerable version: 0.8.21 and below
Number of sites affected: 2 000+

A DOM-based XSS vulnerability has been identified in the chat functionality of the Watson Assistant plugin for WordPress, allowing a remote attacker to execute JavaScript in the victim browser by tricking the victim into pasting HTML inside the chatbox.

Read more about the vulnerable plugin here.

Authenticated Stored Cross-Site Scripting Issue in Contextual Adminbar Color Plugin

This plugin provides custom admin bar colors to differentiate environments (staging, pre-prod, production).

Vulnerability: Authenticated stored cross-site scripting issue
Vulnerable version: 0.3 and below
Number of sites affected: 40+

The PoC will be displayed on February 03, 2020, to give users the time to update.

Read more about the vulnerable plugin here.

Authenticated Arbitrary Plugin Deactivation in 2J SlideShow Plugin

2J Slideshow is a responsive slideshow plugin with classic design and clean interface elements.

Vulnerability: Authenticated arbitrary plugin deactivation
Vulnerable version: 1.3.40 and below
Number of sites affected: 3 000+

Lack of authorization checks in the twoj_slideshow_setup() function registered as an AJAX call could allow authenticated users with low privileges to deactivate arbitrary plugins.

Read more about the vulnerable plugin here.

Broken Authentication Leading To Unauthenticated Stored XSS in Batch-Move Posts Plugin

Image source: arevainna.com

This plugin has been closed as of December 11, 2018, and is not available for download. Reason: Security Issue.

Vulnerability: Broken authentication leading to unauthenticated stored XSS
Vulnerable version: 1.5 and below
Number of sites affected: N/A

An attacker can add an XSS payload remotely without any authentication. The payload is triggered when an administrator visits the plugin’s settings page.

Read more about vulnerable plugins here.

CSRF to XSS in Marketo Forms and Tracking Plugin

Image source: marcommpro.net

The plugin has been closed.

The settings page of the Marketo Forms and Tracking WordPress plugin is vulnerable to CSRF. The CSRF can be used to inject a script tag into the WordPress admin panel, which makes this attack vector an authenticated XSS attack.

Vulnerability: CSRF to XSS
Vulnerable version: 1.0.2 and below
Number of sites affected: N/A

Read more about the vulnerable plugin here.

Multiple Vulnerabilities in WP Database Reset Plugin

The WordPress Database Reset plugin allows you to reset the database (all tables or the ones you choose) back to its default settings without having to go through the WordPress 5 minute installation or having to modify any files.

Vulnerability: Unauthenticated database reset
Vulnerable version: 3.1 and below
Number of sites affected: 80 000+

This flaw “allowed any unauthenticated user to reset any table from the database to the initial WordPress set-up state”.

The PoC will be displayed on January 30, 2020, to give users the time to update.

Vulnerability: Privilege escalation
Vulnerable version: 3.1 and below
Number of sites affected: 80 000+

This flaw “allowed any authenticated user, even those with minimal permissions, the ability to grant their account administrative privileges while dropping all other users from the table with a simple request.”

The PoC will be displayed on January 30, 2020, to give users the time to update.

Read more about the vulnerable plugin here.

Reflected Cross-Site Scripting in LearnDash Plugin

Create and sell courses, deliver quizzes, award certificates, manage users, download reports.

Vulnerability: Reflected cross-site scripting (XSS) on the [ld_profile] search field
Vulnerable version: fixed in version 3.1.2
Number of sites affected: N/A

Reflected Cross-Site Scripting (XSS) issue on the [ld_profile] search field. Only authenticated users are able to take advantage of the XSS vulnerability.

First reported to Learndash on January 14, 2020, and update 3.1.2 to fix it was released the same day.

Check the LearnDash release notes about the vulnerable plugins here.

Authenticated Stored XSS in Video on Admin Dashboard

Videos on Admin Dashboard allow you to embed Youtube and Vimeo tutorials, help or support videos quickly and easily into the dashboard of your WordPress website.

Vulnerability: Authenticated stored XSS
Vulnerable version: fixed in version 1.1.4
Number of sites affected: 40+

Video on the Admin Dashboard is vulnerable to stored XSS. When a user has admin capabilities, malicious code can be submitted through the plugin’s options. 

The PoC will be displayed on January 19, 2020, to give users the time to update.

Read more about the vulnerable plugins here.

Authenticated Stored XSS in Computer Repair Shop Plugin

Computer Repair Shop CRM WordPress Plugin can help you convert your WordPress website into a better software. It can help you manage your services, parts, jobs, and clients effectively.

Vulnerability: Authenticated stored XSS
Vulnerable version: fixed in version 2.0
Number of sites affected: 40+

Computer Repair Shop is vulnerable to stored XSS. When a user has admin capabilities, malicious code can be submitted through the plugin’s options. Fixed in version 2.0.

The PoC will be displayed on January 21, 2020, to give users the time to update.

Read more about the vulnerable plugin here.

CSV Injection in TablePress Plugin

TablePress allows you to easily create and manage beautiful tables.

Vulnerability: CSV injection
Vulnerable version: 1.10 and below
Number of sites affected: 800 000+

“Through CSV injection vulnerability a malicious user can force other users to execute code in his machine, for example, this can be used for spread malware.”

Read more about the vulnerable plugin here.

CSV Injection in WooCommerce – Store Exporter Plugin

Store Exporter for WooCommerce creates the product, order, category, tag, and user exports to suit your store requirements.

Vulnerability: CSV injection
Vulnerable version: 2.4 and below
Number of sites affected: 20 000+

“A CSV Injection vulnerability was discovered in WooCommerce – Store Exporter v 2.3.1. It allows a user with low-level privileges to inject a command that will be included in the exported CSV file, leading to possible command/code execution.”

Read more about the plugin vulnerability here.

Authentication Bypass in Backup and Staging by WP Time Capsule

WP Time Capsule was created to ensure peace of mind with WP updates and put the fun back into WordPress. It uses the cloud apps’ native file versioning system to detect changes and backs up just the changed files and DB entries to your account.

Vulnerability: Authentication bypass
Vulnerable version: 1.21.16 and below
Number of sites affected: 20 000+

Read more about the vulnerable plugins here.

Authentication Bypass in InfiniteWP Client Plugin

InfiniteWP allows users to manage an unlimited number of WordPress sites from their own servers.

Vulnerability: Authentication bypass
Vulnerable version: 1.9.4.5 and below
Number of sites affected: 300 000+

Read more about the vulnerable plugins here.

Multiple Vulnerabilities Patched in Minimal Coming Soon & Maintenance Mode – Coming Soon Page Plugin

The Minimal Coming Soon & Maintenance Mode plugin allows you to quickly & easily set up a Coming Soon Page, Maintenance Mode Page, Landing Page or Launch Page for your website.

Vulnerability: CSRF to Stored XSS and Setting Changes
Vulnerable version: 2.15 and below
Number of sites affected: 80 000+

Vulnerability: Insecure permissions: enable and disable maintenance mode
Vulnerable version: 2.15 and below
Number of sites affected: 80 000+

Vulnerabilities: Insecure permissions: export settings/theme change
Vulnerable version: 2.15 and below
Number of sites affected: 80 000+

Read more about the plugin vulnerabilities here.

Multiple CSRF & XSS in Ultimate Auction Plugin

Ultimate WordPress Auction plugin allows an easy and quick way to set up auctions on your site.

Vulnerabilities: Multiple CSRF & XSS
Vulnerable version: 4.0.6 and below
Number of sites affected: 3 000+

“We have updated security-related changes to avoid XSS/CSRF kind of injections. We have used WordPress nonces that are security tokens to help protect URLs and forms. Used esc_attr, esc_url, esc_html for form’s post and get data (form submission).”

Read more about the vulnerability here.

Authenticated Code Injection in ElegantThemes (Divi, Extra, Divi-Builder)

A library of popular WordPress themes and visual page builders.

Vulnerability type: Authenticated code injection
Vulnerable version: below 4.0.10 (fixed in 4.0.10; see the affected ranges below)
Number of sites affected: N/A

A code injection vulnerability was discovered during a routine code audit that could allow logged-in contributors, authors, and editors to execute a small set of PHP functions.

Affected:
– Divi version 3.23 and above
– Extra 2.23 and above
– Divi Builder version 2.23 and above.

Version 4.0.10 of each product includes the security patch.

Read more about the vulnerability here.

CSRF to XSS in WooCommerce Conversion Tracking Plugin

This plugin inserts conversion tracking codes on the WooCommerce cart page, the checkout success page and after user registration, so you can track who is adding your products to the cart, who is buying them and who is registering on your site.

Vulnerability: CSRF to XSS
Vulnerable version: 2.0.5 and below
Number of sites affected: 20 000+

The settings page of the plugin is lacking CSRF checks as well as input sanitization, leading to stored XSS.
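The settings-page issues in this digest (WooCommerce Conversion Tracking here, Marketo Forms and Tracking, Contact Form Clean and Simple, and the Elementor System Info page on the output side) combine two missing controls: no CSRF token on the form that saves the option, and no validation or escaping of the saved value where it is printed. The following is an added example written for this article, not code from any of those plugins; the option, action and function names are made up, and it assumes it is loaded as part of a WordPress plugin so that the WordPress functions it calls exist.

```php
<?php
/**
 * Added example (not code from any plugin in this digest): a settings form
 * in the vulnerable shape described above, next to a hardened version.
 * Option/action/function names are hypothetical; WordPress is assumed loaded.
 */

// --- Vulnerable -----------------------------------------------------------
// 1. No nonce: a page on an attacker's site can auto-submit this form in an
//    administrator's browser (CSRF), because the admin's cookies go along.
// 2. No validation or escaping: "<script>...</script>" is stored and then
//    printed verbatim in the admin area and on every front-end page (stored XSS).
function example_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden' );
    }
    update_option( 'example_tracking_id', $_POST['tracking_id'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}
add_action( 'admin_post_example_save_vulnerable', 'example_save_settings_vulnerable' );

function example_render_snippet_vulnerable() {
    echo '<script>track("' . get_option( 'example_tracking_id' ) . '");</script>';
}

// --- Hardened -------------------------------------------------------------
function example_render_settings_form_hardened() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="example_save_hardened">';
    wp_nonce_field( 'example_save_settings' ); // emits _wpnonce and _wp_http_referer
    echo '<input name="tracking_id" value="' . esc_attr( get_option( 'example_tracking_id', '' ) ) . '">';
    submit_button();
    echo '</form>';
}

function example_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_save_settings' ); // dies on a missing or invalid nonce (CSRF)
    $raw = isset( $_POST['tracking_id'] ) && is_string( $_POST['tracking_id'] )
        ? wp_unslash( $_POST['tracking_id'] )
        : '';
    // Validate against what the value is supposed to be rather than only
    // stripping tags: a tracking id here is letters, digits and dashes.
    if ( ! preg_match( '/^[A-Za-z0-9-]{1,64}$/', $raw ) ) {
        wp_die( 'Invalid tracking id', '', array( 'response' => 400 ) );
    }
    update_option( 'example_tracking_id', $raw );
    wp_safe_redirect( admin_url( 'options-general.php?page=example' ) );
    exit;
}
add_action( 'admin_post_example_save_hardened', 'example_save_settings_hardened' );

// Output: escape for the exact context. Inside a JavaScript literal use
// wp_json_encode(), which emits a quoted, escaped string.
function example_render_snippet_hardened() {
    echo '<script>track(' . wp_json_encode( get_option( 'example_tracking_id', '' ) ) . ');</script>';
}
```

The vulnerable variant does check manage_options, which is why advisories of this kind describe an authenticated attack: the administrator's own browser submits the forged request, and the payload then runs for every visitor. wp_json_encode() is used for the script context because json_encode() escapes the forward slash, so a stored </script> cannot close the tag; esc_attr() and esc_html() are for attribute and text contexts and would be wrong inside a JavaScript literal.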

The PoC will be displayed on January 17, 2020, to give users the time to update.

Read more about the vulnerable plugin here.

Post Submission Spoofing & Stored XSS in Postie Plugin

Postie offers many advanced features for creating posts by email, including the ability to assign categories by name, included pictures and videos, and automatically strip off signatures.

Vulnerability: Post submission spoofing & stored XSS
Vulnerable version: 1.9.40 and below
Number of sites affected: 20 000+

The Postie plugin only publishes posts from emails sent by authorized users, that is, from addresses on the list registered in the plugin settings.

However, because that check relies on the sender address, which an attacker can spoof, it was possible to bypass the plugin settings and publish a post as if it had been sent by a valid user. This could be used to create a post containing an XSS payload.

Read more about the vulnerable plugin here.

Multiple Vulnerabilities in Import Users From CSV with Meta

Clean and easy-to-use Import users plugin. It includes custom user meta to be included automatically from a CSV file and delimitation auto-detector.

Vulnerability: Unauthorized user export by any authenticated user
Vulnerable version: 1.15
Number of sites affected: 30 000+

The export_users_csv function, registered as an authenticated AJAX call to export users, was missing an authorization/capability check, so any logged-in user could export the user list. A CSRF (nonce) check was in place, which reduces the severity of the issue.

Only version 1.15 appears to be affected, since the export functionality was introduced in that version.
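The export_users_csv issue above, the twoj_slideshow_setup() issue in 2J Slideshow and the wpCentral issue are the same mistake: an admin-ajax.php handler that trusts the fact that the caller is logged in. The following is an added example written for this article, not code from any of those plugins; the action, nonce and function names are made up, and it assumes it is loaded as part of a WordPress plugin so that the WordPress functions it calls exist.

```php
<?php
/**
 * Added example (not code from Import Users From CSV with Meta, 2J Slideshow
 * or wpCentral): an admin-ajax.php handler with a nonce but no capability
 * check, next to hardened handlers. Names are hypothetical; WordPress loaded.
 */

// Vulnerable: wp_ajax_* hooks fire for ANY logged-in user, subscribers
// included. A nonce only proves the request came from a page of this site
// that the user could load; it says nothing about what the user may do.
function example_export_users_vulnerable() {
    check_ajax_referer( 'example_export_users', 'nonce' );
    $users = get_users( array( 'fields' => array( 'user_login', 'user_email' ) ) );
    wp_send_json_success( $users );
}
add_action( 'wp_ajax_example_export_users_vulnerable', 'example_export_users_vulnerable' );

// Hardened: refuse unless the caller holds the capability the action really
// needs (listing users), and do so before touching any data.
function example_export_users_hardened() {
    check_ajax_referer( 'example_export_users', 'nonce' );
    if ( ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }
    $users = get_users( array( 'fields' => array( 'user_login', 'user_email' ) ) );
    wp_send_json_success( $users );
}
add_action( 'wp_ajax_example_export_users_hardened', 'example_export_users_hardened' );

// The same rule for the plugin-deactivation case: use the capability that
// WordPress itself requires on the Plugins screen, and only accept plugin
// paths WordPress knows about rather than an arbitrary string.
function example_deactivate_plugin_hardened() {
    check_ajax_referer( 'example_deactivate_plugin', 'nonce' );
    if ( ! current_user_can( 'activate_plugins' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }
    $plugin = isset( $_POST['plugin'] ) && is_string( $_POST['plugin'] )
        ? sanitize_text_field( wp_unslash( $_POST['plugin'] ) )
        : '';
    if ( ! array_key_exists( $plugin, get_plugins() ) ) {
        wp_send_json_error( 'Unknown plugin', 400 );
    }
    deactivate_plugins( $plugin );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_deactivate_plugin', 'example_deactivate_plugin_hardened' );
```

The capability passed to current_user_can() is the one WordPress requires for the equivalent core action (list_users for the Users screen, activate_plugins for the Plugins screen), so the AJAX endpoint grants no more than the core UI would. The nonce check is kept, but on its own it only ties the request to a page the user could already load; it is an anti-CSRF measure, not an authorization check, which is exactly the gap described in the advisory above.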

Read more about the vulnerability here.

Vulnerability: CSRF leading to attachment deletion & Path Traversal
Vulnerable version: 1.14.1.3
Number of sites affected: 30 000+

CSRF leading to attachment deletion via the acui_delete_attachment() AJAX function.

Read more about the vulnerable plugin here.

Unauthenticated Reflected XSS in Ultimate FAQ Plugin

FAQ plugin that lets you create, organize and publicize your FAQs (frequently asked questions) in no time through your WordPress admin panel.

Vulnerability: Unauthenticated reflected XSS
Vulnerable version: 1.8.30 and below
Number of sites affected: 40 000+

The HTML code generated by the FAQ shortcode does not sanitize the Display_FAQ GET parameter, leading to an unauthenticated reflected Cross-Site Scripting issue on pages where such shortcode is used.
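Below is an added example, written for this digest and not taken from Chained Quiz or Ultimate FAQ, of the pattern behind both reflected XSS issues in this article: a request parameter (the ‘total_questions’ POST parameter in the str_replace() call quoted under Chained Quiz, the Display_FAQ GET parameter here) written into HTML unchanged, next to hardened versions. The function names are made up, and the code assumes it runs inside WordPress so that absint(), wp_unslash(), sanitize_text_field(), esc_attr() and esc_html() are available.

```php
<?php
/**
 * Added example (not code from Chained Quiz or Ultimate FAQ): a request
 * parameter reflected into HTML without escaping, and two hardened forms.
 * Function names are hypothetical; WordPress is assumed to be loaded.
 */

// Vulnerable pattern: the request value is spliced into the page unchanged,
// so total_questions=<script>...</script> is rendered and executed.
function render_quiz_total_vulnerable( string $template ): string {
    $total = isset( $_POST['total_questions'] ) ? $_POST['total_questions'] : '';
    return str_replace( '{{questions}}', $total, $template );
}

// Hardened pattern 1: the value is a count by contract, so coerce it to a
// non-negative integer on input. "<script>" becomes 0 and never reaches HTML.
function render_quiz_total_hardened( string $template ): string {
    $total = isset( $_POST['total_questions'] ) && is_string( $_POST['total_questions'] )
        ? absint( wp_unslash( $_POST['total_questions'] ) )
        : 0;
    return str_replace( '{{questions}}', (string) $total, $template );
}

// Hardened pattern 2: a free-text GET parameter echoed by a shortcode must
// be escaped for the exact context it lands in, at the moment of output.
function render_faq_filter_hardened(): string {
    $filter = isset( $_GET['Display_FAQ'] ) && is_string( $_GET['Display_FAQ'] )
        ? sanitize_text_field( wp_unslash( $_GET['Display_FAQ'] ) )
        : '';
    // esc_attr() inside the attribute value, esc_html() inside the text node.
    return sprintf(
        '<div class="faq" data-filter="%s">Showing FAQs for: %s</div>',
        esc_attr( $filter ),
        esc_html( $filter )
    );
}
```

The rule in both cases is to validate the value against what it is supposed to be (an integer count, a FAQ identifier) on input, and to escape it for the exact output context (attribute, text node, JavaScript string) on output; the two advisories describe code that did neither. Because the payload arrives in the request and is reflected straight back, no account is needed, which is why these are rated as unauthenticated issues even though a victim has to be lured to the crafted request.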

The PoC will be displayed on January 20, 2020, to give users the time to update.

Read more about the vulnerable plugin here.

Arbitrary API Key update via CSRF in WP Simple Spreadsheet Fetcher For Google Plugin

This is the simple plugin to fetch data from Google Sheets and display it on your website.

Vulnerability: Arbitrary API key update via CSRF
Vulnerable version: 0.3.7 and below
Number of sites affected: about 10

The lack of Cross-Site Request Forgery (CSRF) checks on the plugin’s settings page could allow CSRF attacks to set an arbitrary API key.

The PoC will be displayed on January 20, 2020, to give users the time to update.

Read more about the vulnerable plugin here.

Conclusion: Always Update Vulnerable Plugins

WordPress sites are being hacked and infected every day; some statistics put the number of websites infected with some type of malware at about 30,000 per day. Every public website is a resource reachable from the internet, and as soon as it is available to the public it becomes a target.

It can take just days from a disclosed plugin vulnerability to a full-scale attack campaign. Attacks of this nature are almost always automated, so there is only a small time window in which to react. In such cases, web application firewalls are of critical importance.

Always keep your plugins updated so you don’t have any vulnerable plugins on your site. If possible, enable automatic updates. If you are using any of the mentioned plugins, you need to update it with the latest version as soon as possible to make sure WordPress plugin security vulnerabilities won’t affect your sites.

WebARX web application firewall gets virtual patches that are distributed automatically among the sites when vulnerabilities are discovered. Threat intelligence and prevention are our main focus and thus our firewall engine is updated on a daily basis.

Websites with WebARX firewall installed are protected from the security issues mentioned in this article. If you are not protecting your WordPress site against plugin vulnerabilities yet go and start for free here.

Frequently Asked Questions About Vulnerable Plugins

Is WordPress secure?

WordPress itself is secure, but what makes it vulnerable is the third party components or plugins that are used to improve its functionality. Statistics say that 98% of WordPress vulnerabilities are related to plugins.

How do WordPress sites get hacked?

WordPress sites get hacked mostly by hackers targeting vulnerable software. It means that your site is not the target in most cases but the software (plugins, themes) that you use. It is mostly being done with bots and automated tools.

What to do when a website is hacked?

Find a trustworthy malware removal provider that has some reviews and testimonials online. Check the company background and if the provider is doing cleanups manually. Read why manual cleanups are important here.

How to choose a WordPress security plugin?

This will require some critical thinking as many of the providers offer “100% security”. This can never be promised. When choosing, make sure the security provider offers a managed web application firewall with virtual patches and active support.
