
WordPress Vulnerability News, June 2020


Updated: August 7, 2020 by Agnes Talalaev

This is a monthly WordPress plugin vulnerability list: a digest of disclosed vulnerable WordPress plugins and of highlighted plugins that have known vulnerabilities (other, less critical vulnerabilities in smaller plugins unfortunately don’t always make it to the list).

All the vulnerabilities you find from this article have received a virtual patch to the WebARX firewall.

If you use the WebARX web application firewall, your site is safe from these vulnerabilities. It is still always strongly advised to update or delete vulnerable plugins from your site. If possible, enable automatic updates in WebARX Portal.

Is your WordPress site secured? Take a look at how to secure your WordPress site here.

If you are a WordPress plugin developer, read how to secure plugins from an attacker’s perspective or contact support@webarxsecurity.com and ask for a plugin security audit.

What are the biggest challenges for freelancers and digital agencies in 2020? Read the Website Security Survey Report 2020 to find out.

ACF to REST API

Exposes Advanced Custom Fields Endpoints in the WordPress REST API.

Vulnerability: Unauthenticated Arbitrary wp_options Disclosure
Fixed in version: 3.3.0
Number of sites affected: 30 000+

An issue was discovered in the acf-to-rest-api plugin through 3.1.0 for WordPress. It allows an insecure direct object reference via permalinks manipulation, as demonstrated by a wp-json/acf/v3/options/ request that reads sensitive information in the wp_options table, such as the login and pass values.

See more about the plugin in our WordPress plugin vulnerability list here.

Coming Soon Page, Under Construction & Maintenance Mode by SeedProd

Create a Coming Soon Page, Under Construction or Maintenance Mode Page. Work on your site in private while visitors see a “Coming Soon” or “Maintenance Mode” page.

Vulnerability: Authenticated stored cross-site scripting (XSS)
Fixed in version: 5.1.2
Number of sites affected: 1+ million

The PoC will be displayed on July 08, 2020, to give users the time to update.

WooCommerce

There is a new release containing some security improvements for SelectWoo as well as other minor bugfixes. 

Vulnerability: Potential XSS via SelectWoo
Fixed in version: 4.2.1
Number of sites affected: N/A

See more about the plugin in our WordPress plugin vulnerability list here.

YITH WooCommerce Ajax Product Filter

WooCommerce Ajax Product Filter lets you apply the filters you need to display the correct WooCommerce variations of the products you are looking for.

Vulnerability: Authenticated reflected cross-site scripting (XSS)
Fixed in version: 3.11.1
Number of sites affected: 100 000+

See more about the plugin in our WordPress plugin vulnerability list here.

Delete All Comments Easily 

A WordPress plugin built to delete all comments (approved and pending) from the WordPress database.

Vulnerability: CSRF leading to all comments deletion
Fixed in version: no known fix – plugin closed
Number of sites affected: 20 000+

See more about the plugin in our WordPress plugin vulnerability list here.

All in One Support Button

All in One Support Button displays on every page of your site and provides as many contact methods as you want.

Vulnerability: Authenticated stored cross-site scripting
Fixed in version: 1.8.8
Number of sites affected: 1 000+

The vulnerability could allow low-privilege users to perform stored XSS attacks. The vendor attempted a fix in version 1.8.1 by adding capability checks and some sanitization. However, stored XSS was still possible via CSRF, with the payload then being triggered in the plugin’s settings.
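The failure pattern described above (a capability check added, but a forged request still accepted) is the same one behind the CSRF entries later in this list. As an added illustration that is not the plugin’s own code, the hypothetical settings handler below shows a version that only checks capabilities next to a hardened version that also verifies a nonce, sanitizes on save and escapes on output; all function, option and action names are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Function, option and action names are hypothetical.

// BEFORE: capability check only. An administrator lured to an attacker-controlled page can be
// made to submit this form (CSRF); the stored value is later echoed without escaping.
function myplugin_save_settings_vulnerable() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden' );
    }
    // No nonce check and no sanitization: nothing proves the request came from our own form.
    update_option( 'myplugin_button_label', $_POST['button_label'] );
    wp_safe_redirect( admin_url( 'admin.php?page=myplugin' ) );
    exit;
}

// AFTER: verify the nonce (ties the request to a form WordPress rendered for this user),
// check the capability, sanitize on save, and escape at every output point.
function myplugin_save_settings_hardened() {
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' ); // dies on a missing/bad nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden' );
    }
    $label = isset( $_POST['button_label'] ) ? sanitize_text_field( wp_unslash( $_POST['button_label'] ) ) : '';
    update_option( 'myplugin_button_label', $label );
    wp_safe_redirect( admin_url( 'admin.php?page=myplugin' ) );
    exit;
}
add_action( 'admin_post_myplugin_save_settings', 'myplugin_save_settings_hardened' );

// The settings form must emit the matching nonce field for check_admin_referer() to pass.
function myplugin_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="myplugin_save_settings">
        <?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
        <input type="text" name="button_label"
               value="<?php echo esc_attr( get_option( 'myplugin_button_label', '' ) ); ?>">
        <button type="submit">Save</button>
    </form>
    <?php
}

// Escape on output as well; sanitizing on save is not a substitute for it.
function myplugin_render_button() {
    echo '<button class="myplugin">' . esc_html( get_option( 'myplugin_button_label', '' ) ) . '</button>';
}
```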

The PoC will be displayed on July 05, 2020, to give users the time to update.

See more about the plugin in our WordPress plugin vulnerability list here.

WP-Pro-Quiz

WordPress plugin for building quizzes.

Vulnerability: CSRF leading to arbitrary quiz deletion
Fixed in version: no known fix – plugin closed
Number of sites affected: 70 000+

Abusing this issue, an unauthenticated attacker can trick an administrator into deleting any quiz on a vulnerable website.

See more about the plugin in our WordPress plugin vulnerability list here.

wpDiscuz

AJAX realtime comment system with custom comment form and fields. 

Vulnerability: Unauthenticated SQL injection
Fixed in version: 5.3.6
Number of sites affected: 70 000+

The vulnerability affects version 5.3.5. It was fixed in the major 7.x.x update; the developers also backported the fix for 5.x users and released version 5.3.6.

See more about the plugin in our WordPress plugin vulnerability list here.

Testimonial Rotator

This plugin creates a testimonial rotator custom post type.

Vulnerability: Authenticated stored cross-site scripting (XSS)
Fixed in version: 3.0.3
Number of sites affected: 60 000+

This vulnerability could allow an authenticated medium-privileged user (contributor+) to inject arbitrary JavaScript. The XSS is triggered for anyone visiting public posts or the testimonial listing page in the backend.

The PoC will be displayed on July 01, 2020, to give users the time to update. Read more here.

KingComposer

KingComposer is a page builder for WordPress.

Vulnerability: Multiple vulnerabilities
Fixed in version: 2.9.4
Number of sites affected: 100 000+

There are multiple issues in KingComposer, including authenticated WordPress options change, content injection, stored cross-site scripting (XSS), arbitrary file deletion and remote code execution.

Read more about the plugin in our WordPress plugin vulnerability list here.

Form Maker by 10Web

Form Maker is a drag & drop plugin for building forms.

Vulnerability: CSV injection
Fixed in version: 1.12.22
Number of sites affected: 100 000+

Read more from wpvulndb.com

Blog2Social: Social Media Auto Post & Scheduler

Social media auto-posting and scheduling plugin for WordPress sites.

Vulnerability: Authenticated SQL injection
Fixed in version: 6.3.1
Number of sites affected: 50 000+

SQL Injection in the Blog2Social plugin 6.3.0 for WordPress exists via the re-share posts feature.

The PoC will be displayed on June 12, 2020, to give users the time to update.

Brizy – Page Builder

WordPress page builder.

Vulnerability: Improper access controls on AJAX calls
Fixed in version: 1.0.126
Number of sites affected: 60 000+

The plugin does not properly check access controls on AJAX calls, resulting in an authenticated user with low privileges being able to access the editor functions.

Read more about the plugin in our WordPress plugin vulnerability list here.

SportsPress

A WordPress plugin for sports tools including fixtures, results, automated standings, players rankings, and individual profiles for clubs, players, and staff.

Vulnerability: Authenticated stored cross-site scripting
Fixed in version: 12.7.2
Number of sites affected: 20 000+

“Any user with the role of administrator or League Manager is able to store XSS payloads in the custom delimiter setting of events pages. This will then execute on all events pages on the website.” – Source

The PoC will be displayed on June 21, 2020, to give users the time to update.

Elementor Page Builder

A live page builder for WordPress.

Vulnerability: Authenticated Stored XSS
Fixed in version: 2.9.10
Number of sites affected: 5+ million

There is a potential XSS vulnerability in the Elementor Page Builder where an author user can create custom links that can contain XSS payloads.

Read more about the plugin in our WordPress plugin vulnerability list here.

Form Maker by 10Web

Form Maker is a drag & drop plugin for building forms.

Vulnerability: Authenticated SQL injection
Fixed in version: 1.13.36
Number of sites affected: 100 000+

Authenticated (admin+) SQL injection in the Form Maker by 10Web WordPress plugin 1.13.35 exists via the s parameter of /wordpress/wp-admin/admin.php?page=blocked_ips_fm&s=1.

The PoC will be displayed once the issue has been remediated. Read more here.

JobSearch

It’s a plugin to display jobs on any type of website.

Vulnerability: Unauthenticated reflected cross-site scripting (XSS)
Fixed in version: 1.5.1
Number of sites affected: 1 000+

The PoC will be displayed on June 17, 2020, to give users the time to update.

Simple File List

Simple File List is a free plugin that gives your WordPress website a list of your files allowing your users to open and download them. 

Vulnerability: Authenticated arbitrary file deletion
Fixed in version: 4.2.8
Number of sites affected: 4 000+

WordPress Plugin Simple File List is prone to a vulnerability that lets attackers delete arbitrary files because the application fails to properly verify user-supplied input.

Due to the severity of the vulnerability, the proof of concept can’t be released to the public.

Read more here.

AdRotate

With AdRotate you can create your own adverts and campaigns with HTML and/or JavaScript code or use adverts from different ad servers.

Vulnerability: Authenticated SQL injection
Fixed in version: 5.8.4
Number of sites affected: 40 000+

Certain URLs passing variables can be exploited. These URLs require admin access to use. There is currently no evidence or sign that the exploit has been used. The risk is low/medium.

Read more here.

MapPress Maps

MapPress adds interactive Google or Leaflet maps to WordPress.

Vulnerability: Improper capability checks in AJAX calls
Fixed in version: 2.54.6
Number of sites affected: 80 000+

This vulnerability enables an attacker with subscriber privileges to download or delete arbitrary PHP files or upload arbitrary malicious PHP files to vulnerable sites, which could result in remote command execution. 

Read more about the vulnerable plugin here.

Multi Scheduler

Multi Scheduler is an appointment booking and scheduling plugin.

Vulnerability: Arbitrary record deletion via CSRF
Fixed in version: no known fix
Number of sites affected: 20+

The lack of a CSRF check could allow an attacker to delete arbitrary records from the plugin (for example Professional ones) via a CSRF attack.

The issue is not patched and has been escalated to the WP plugins team on May 29th, 2020. Read more here.

bbPress

bbPress is a forum software for WordPress.

There are three vulnerabilities fixed in the bbPress plugin.

Vulnerability: Unauthenticated privilege escalation via the Super Moderator feature
Fixed in version: 2.6.5
Number of sites affected: 300 000+

Vulnerability: Authenticated privilege escalation via the Super Moderator feature
Fixed in version: 2.6-2.6.5
Number of sites affected: 300 000+

Vulnerability: Authenticated stored cross-site scripting via the forums list table
Fixed in version: 2.6.5
Number of sites affected: 300 000+

Read more here.

Final Tiles Gallery


WordPress image gallery plugin.

Vulnerability: Authenticated stored cross-site scripting (XSS)
Fixed in version: 3.4.19
Number of sites affected: 40 000+

Multiple cross-site scripting vulnerabilities in Final Tiles Gallery 3.4.18 and lower allow remote attackers to inject arbitrary web script or HTML via the Title and Caption fields of an image.

Successful exploitation of this vulnerability would allow an authenticated high-privileged user (author+) to inject arbitrary JavaScript code into a post using the gallery, which is then viewed by admins and other users.

The PoC will be displayed on June 11, 2020, to give users the time to update. See more about the plugin in our WordPress plugin vulnerability list here.

Page Builder: PageLayer – Drag and Drop website builder


Pagelayer is a real-time page builder editor for WordPress.

Vulnerability: CSRF leading to XSS
Fixed in version: 1.1.2
Number of sites affected: 200 000+

One flaw in the plugin allowed any authenticated user with subscriber-level and above permissions the ability to update and modify posts with malicious content.

A second flaw allowed attackers to forge a request on behalf of a site’s administrator to modify the settings of the plugin, which could allow for malicious JavaScript injection.

The PoC will be displayed on June 11, 2020, to give users the time to update. To read more see here.

Drag and Drop Multiple File Upload for Contact Form 7


Drag and Drop Multiple File Uploader is a WordPress plugin extension for Contact Form 7, which allows users to upload multiple files using drag-and-drop or the regular file browser of your web form.

Vulnerability: Unauthenticated file upload bypass
Fixed in version: 1.3.3.3
Number of sites affected: 20 000+

The plugin does not properly check the file being uploaded, so an attacker could bypass the checks in place and upload a PHP file. Exploiting this vulnerability also requires the Contact Form 7 plugin to be installed.
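For comparison with the weak check described above, here is an added example (not the plugin’s code) of the layered validation a WordPress upload handler should apply: an extension allowlist, a content check through wp_check_filetype_and_ext(), and storage under the name WordPress derives rather than the client-supplied one. Function names are assumptions.

```php
<?php
// Added illustration, not the plugin's code. Function names are hypothetical.

// Allowlist of extension => MIME type; anything else (php, phtml, html, svg, ...) is rejected.
function myplugin_allowed_mimes() {
    return array( 'jpg|jpeg' => 'image/jpeg', 'png' => 'image/png', 'pdf' => 'application/pdf' );
}

// Returns the vetted $_FILES entry, or a WP_Error explaining why it was refused.
function myplugin_validate_upload( array $file ) {
    if ( ! isset( $file['error'] ) || UPLOAD_ERR_OK !== $file['error'] ) {
        return new WP_Error( 'upload_error', 'Upload failed.' );
    }
    $name = sanitize_file_name( $file['name'] );

    // 1. Extension allowlist applied to the LAST extension, so "shell.php",
    //    "shell.phtml" and "shell.jpg.php" all fail here.
    $ext    = strtolower( pathinfo( $name, PATHINFO_EXTENSION ) );
    $ext_ok = false;
    foreach ( array_keys( myplugin_allowed_mimes() ) as $exts ) {
        if ( in_array( $ext, explode( '|', $exts ), true ) ) {
            $ext_ok = true;
        }
    }
    if ( '' === $ext || ! $ext_ok ) {
        return new WP_Error( 'bad_ext', 'File type not allowed.' );
    }

    // 2. Content check: WordPress compares the file's actual content (e.g. the image
    //    header) with its extension, so a PHP script renamed to .jpg is refused.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $name, myplugin_allowed_mimes() );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_content', 'File content does not match its extension.' );
    }

    // 3. Store under the name WordPress derived, never the raw client-supplied one.
    $file['name'] = $check['proper_filename'] ? $check['proper_filename'] : $name;
    return $file;
}

// wp_handle_upload() moves the vetted file into wp-content/uploads and applies the allowlist again.
function myplugin_store_upload( array $file ) {
    $vetted = myplugin_validate_upload( $file );
    if ( is_wp_error( $vetted ) ) {
        return $vetted;
    }
    require_once ABSPATH . 'wp-admin/includes/file.php';
    return wp_handle_upload( $vetted, array( 'test_form' => false, 'mimes' => myplugin_allowed_mimes() ) );
}
```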

See more about the plugin in our WordPress plugin vulnerability list here.

The WordPress Plugin Vulnerability List Helps You Detect Vulnerabilities

We keep a constant eye on vulnerabilities to help developers, agencies, and freelancers keep their sites secure. When you monitor vulnerabilities and update plugins whenever new vulnerabilities come out, you can proactively protect your websites from getting hacked.

WordPress is a popular target for hackers mainly because of the massive number of third-party plugins used to build sites and add functionality.

Unfortunately, these plugins are constantly under attack: hackers target plugin vulnerabilities to gain access to sites, infect them with malware or spam, or perform other malicious acts.

Make sure your sites are secure and protected and keep your sites and the plugins that are on your site updated. You can start by enabling automatic updates. In addition to updates, you need a web application firewall with virtual patching capabilities.

WebARX web application firewall gets virtual patches that are distributed automatically among the sites when vulnerabilities are discovered. Threat intelligence and prevention are our main focus and thus our firewall engine is updated on a daily basis.

Websites with WebARX firewall installed are protected from the security issues mentioned in this article. If you are not protecting your WordPress site against plugin vulnerabilities yet go and start for free here.

Frequently Asked Questions About The WordPress Plugin Vulnerability List

How do I know if I have a vulnerable WordPress plugin on my site?

The best approach is to monitor your site for vulnerabilities. WebARX has a good overview and monitoring panel where you can get a full overview of what is going on with your sites. You can also enable auto-updates for vulnerable plugins and receive notifications if any of the sites you manage are outdated or at risk.

How to choose a WordPress security plugin?

This will require some critical thinking, as many providers promise 100% security, which can never be guaranteed. When choosing, make sure the security provider offers a managed web application firewall with virtual patches and active support.

Where can I find out if I have vulnerable plugins on my site?

WebARX shows all the software and plugin vulnerabilities once you have installed it on your site. It helps you to always be on top of vulnerabilities, with protection and updates.
