Wordpress security

WordPress Vulnerability News, February 2020

Updated: February 12, 2020 by Agnes Talalaev

This is our monthly WordPress plugin vulnerability news article: a digest of the plugins with notable newly disclosed vulnerabilities (smaller plugins with less critical vulnerabilities unfortunately don’t always make the list).

Updates are a crucial part of keeping WordPress sites secure. 98% of the hacking incidents happen to WordPress sites because of outdated plugins or themes.

This is why we are keeping a close eye on vulnerable plugins and newly discovered vulnerabilities to make sure the sites using the vulnerable plugins are protected.

All the vulnerabilities you find from this article have received a virtual patch to the WebARX firewall. It means that if you use the WebARX web application firewall, your site is safe from these vulnerabilities, but it’s always strongly advised to update or delete vulnerable plugins from your site.

Is your WordPress site secured? Take a look at how to secure your site here.

If you are a WordPress plugin developer, read how to secure plugins from an attacker’s perspective.

Improper Access Controls in GDPR Cookie Consent Plugin

The GDPR Cookie Consent plugin will assist you in making your website GDPR compliant. 

Vulnerability: Improper access controls
Vulnerable version: fixed in version 1.8.3
Number of sites affected: 700 000+

An improper access control issue in the cli_policy_generator AJAX call could allow an authenticated user with low privileges (such as a subscriber) to:

  • Change the status of any post/page from published to draft, removing them from the frontend of the blog.
  • Put a payload in the content of one of them, leading to Stored Cross-Site Scripting issues.

Read more about the WordPress plugin vulnerability here.

Authenticated Time Based SQL Injection in Participants Database

This plugin offers all the functionality needed to build and maintain a database of people or anything you want.

Vulnerability: Authenticated time-based SQL injection
Vulnerable version: fixed in version 1.9.5.6
Number of sites affected: 10 000+

Authenticated time-based SQL injection via the ascdesc, list_filter_count, and sortBy parameters.

Read more about the WordPress plugin vulnerability here.
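The three parameters above all end up in parts of a query (sort column, sort direction, row count) that cannot be bound as prepared-statement values, which is why such parameters are a classic source of time-based SQL injection. The following added example is not the Participants Database plugin's own code; it shows the defensive pattern in plain PHP, using the advisory's parameter names and hypothetical column names:

```php
<?php
// Added example; this is not the Participants Database plugin's own code.
// Column names and sort directions cannot be bound as prepared-statement
// parameters, so user-controlled sort fields must be checked against a
// strict allow-list before they are placed in the query.

/** Columns a visitor may sort the list by (hypothetical names). */
const ALLOWED_SORT_COLUMNS = ['last_name', 'first_name', 'date_recorded'];

/**
 * Builds the ORDER BY fragment from the sortBy/ascdesc request parameters
 * named in the advisory. Anything not on the allow-list is rejected.
 */
function build_order_by(string $sortBy, string $ascdesc): string
{
    if (!in_array($sortBy, ALLOWED_SORT_COLUMNS, true)) {
        throw new InvalidArgumentException("sortBy '$sortBy' is not an allowed column");
    }
    // Only two literal values are possible; the input is never copied into SQL.
    $direction = strtoupper($ascdesc) === 'DESC' ? 'DESC' : 'ASC';
    return "ORDER BY `$sortBy` $direction";
}

/**
 * list_filter_count must be a bounded integer. FILTER_VALIDATE_INT rejects
 * anything that is not purely an integer, and the range keeps the page size sane.
 */
function clamp_list_count(string $list_filter_count, int $default = 20): int
{
    $n = filter_var($list_filter_count, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => 200],
    ]);
    return $n === false ? $default : $n;
}

// Constructed inputs: one normal request and one carrying injected SQL.
if (build_order_by('last_name', 'desc') !== 'ORDER BY `last_name` DESC') {
    throw new RuntimeException('unexpected ORDER BY fragment');
}
if (clamp_list_count('25') !== 25 || clamp_list_count('25 OR 1=1') !== 20) {
    throw new RuntimeException('count validation failed');
}
try {
    build_order_by('last_name, (SELECT 1)', 'asc');
    throw new RuntimeException('injected sortBy was accepted');
} catch (InvalidArgumentException $e) {
    // Rejected before anything reaches the database, as intended.
}
```

Inside WordPress, filter values still go through $wpdb->prepare(); the fragment returned here can be appended to the prepared query as-is because it contains only allow-listed identifiers and one of two literal directions.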

Broken Authentication in Profile Builder and Profile Builder Pro Plugins

Profile Builder is a user profile plugin for WordPress. It’s a profile plugin for creating front-end login, user registration, and edit profile forms by using shortcodes.

User Registration With Administrator Role

Vulnerability: User registration with the administrator role
Vulnerable version: fixed in version 3.1.1
Number of sites affected: 4 000+

The plugin is affected by a broken authentication vulnerability, allowing unauthenticated users to register or edit their account and gain the administrator role using the plugin’s forms.

The vulnerability only exists in the Plugin’s own generated Registration Form or Profile Edit Form. This means if the blog is using the shortcode [wppb-register] or [wppb-edit-profile] then it is vulnerable.

This is a core shortcode that carries the basic functionality of the plugin, so an admin who has installed it will be using it 90% of the time. If the blog isn’t using [wppb-register] but is using [wppb-edit-profile], the vulnerability is still present as long as registration is enabled.

The CVSS score of the vulnerability is 9.

The PoC will be displayed on February 24, 2020, to give users the time to update.

CSV Injection in Events Manager & Events Manager PRO Plugin

Events Manager is an event registration plugin for WordPress.

Vulnerability: CSV injection
Vulnerable version: fixed in version 5.9.7.2
Number of sites affected: 100 000+

Events Manager PRO

Vulnerability: CSV injection
Vulnerable version: fixed in version 2.6.7.2
Number of sites affected: 100 000+

A CSV injection vulnerability was discovered in Events Manager plugin version 5.9.7.1. It allows an unauthenticated or low-privileged user to inject an OS command that will be included in the exported CSV file, leading to possible command/code execution.

Read more about the WordPress plugin vulnerability here.
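CSV injection works because spreadsheet applications evaluate a cell that starts with a formula trigger character, so the export routine has to neutralise those cells before writing them. The following added example is not the Events Manager plugin's code; it is plain PHP with constructed booking rows, and it also handles the edge case that a negative number must not be treated as a formula:

```php
<?php
// Added example, not the Events Manager plugin's code: neutralising cells
// that a spreadsheet would evaluate as formulas before they are written to
// an exported CSV. The booking rows at the bottom are constructed samples.

/** Leading characters that make Excel/LibreOffice treat a cell as a formula. */
const FORMULA_TRIGGERS = ['=', '+', '-', '@', "\t", "\r"];

/** Prefix formula-triggering cells with an apostrophe so they are read as text. */
function neutralize_csv_cell($value): string
{
    $value = (string) $value;
    if ($value === '' || is_numeric($value)) {
        return $value;               // "-1" is a number, not a formula
    }
    if (in_array($value[0], FORMULA_TRIGGERS, true)) {
        return "'" . $value;
    }
    return $value;
}

/** Writes rows to CSV with every cell neutralised and properly quoted. */
function export_csv(array $rows): string
{
    $fh = fopen('php://temp', 'r+');
    foreach ($rows as $row) {
        // fputcsv handles quoting and doubles embedded quotes for us.
        fputcsv($fh, array_map('neutralize_csv_cell', $row));
    }
    rewind($fh);
    $csv = stream_get_contents($fh);
    fclose($fh);
    return $csv;
}

// Constructed sample: a header, one benign booking and one whose "name"
// field is a formula, plus a legitimate negative adjustment in the last column.
$rows = [
    ['name', 'email', 'tickets'],
    ['Alice Example', 'alice@example.test', '2'],
    ['=1+1', 'bob@example.test', '-1'],
];
$csv = export_csv($rows);

if (strpos($csv, "'=1+1") === false) {
    throw new RuntimeException('formula cell was not neutralised');
}
if (strpos($csv, ',-1') === false) {
    throw new RuntimeException('numeric cell was altered');
}
```

The apostrophe is visible in some viewers; if that is unacceptable, prefixing a tab character instead is the other widely used option, and in either case the cell should also be quoted so that a separator inside the value cannot start a new cell.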

CSRF to edit .htaccess in Htaccess by BestWebSoft Plugin

The Htaccess plugin is a tool that helps control access to your WordPress website: allow or deny access based on hostname, IP address, IP range and more, disable hotlinking, and block access to xmlrpc.php.

Vulnerability: CSRF to edit .htaccess
Vulnerable version: 1.8.1 and below
Number of sites affected: 2 000+

The plugin is still affected. The PoC will be displayed once the issue has been remediated.

Unauthenticated Reflected XSS via wle Parameter in Auth0 Plugin

This plugin replaces standard WordPress login forms with one powered by Auth0 that enables authentication to over 30 social login providers and more.

Vulnerability: Unauthenticated reflected XSS via wle parameter
Vulnerable version: fixed in version 3.11.3
Number of sites affected: 4 000+

The WordPress plugin for Auth0, versions 3.11.0, 3.11.1, and 3.11.2, does not properly sanitize the wle query parameter. This could allow an attacker to run a cross-site scripting (XSS) attack on the login page.

If you use Auth0, you need to upgrade to version 3.11.3 or later.

Read more about the WordPress plugin vulnerability here.

Cross-Site Request Forgery in Tutor LMS Plugin

Tutor LMS is a complete, feature-packed and robust WordPress LMS plugin for creating and selling courses online.

Vulnerability: Cross-site request forgery
Vulnerable version: fixed in version 1.5.3
Number of sites affected: 4 000+

The plugin is vulnerable to Cross-Site Request Forgery (CSRF). All WordPress websites using Tutor LMS version 1.5.2 and below are affected.

Read more about the WordPress plugin vulnerability here.

CSRF & Reflected XSS in Portfolio Filter Gallery Plugin

Create a beautiful and responsive portfolio for your WordPress websites.

Vulnerability: CSRF & reflected XSS
Vulnerable version: fixed in version 1.1.3
Number of sites affected: 10 000+

Lack of CSRF checks on the Filters page could allow attackers to add/edit/update/delete categories and delete all categories, as well as perform reflected XSS attacks.

  • v1.0.8 fixed the reflected XSS; however, there was still no CSRF check on the delete and delete_all_category actions
  • v1.1.0 released, no additional fix
  • v1.1.1 released, no additional fix

The PoC will be displayed on February 12, 2020, to give users the time to update.

Read more about the WordPress plugin vulnerability here and here.
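Two of the issues in this digest come from the same missing pair of checks in a request handler: the GDPR Cookie Consent AJAX call lacked an authorisation check (so a subscriber could modify posts), and the Tutor LMS and Portfolio Filter Gallery actions lacked a CSRF check (so a forged request from another site could trigger them). The following added example is not code from any of those plugins. It assumes the WordPress runtime (add_action, check_ajax_referer, current_user_can, wp_update_post, wp_send_json_*) and a hypothetical "draft a post" AJAX action named demo_draft_post:

```php
<?php
// Added example, not code from any plugin named in this article. Assumes the
// WordPress runtime is loaded; the action name "demo_draft_post" is hypothetical.

/* Insecure pattern, shown for contrast: reachable by any logged-in user
 * (no capability check) and callable from a forged cross-site request
 * (no nonce). */
add_action('wp_ajax_demo_draft_post_insecure', function () {
    $post_id = (int) ($_POST['post_id'] ?? 0);
    wp_update_post(['ID' => $post_id, 'post_status' => 'draft']);
    wp_send_json_success();
});

/* Hardened pattern. */
add_action('wp_ajax_demo_draft_post', function () {
    // 1. CSRF: the request must carry a nonce minted for this exact action.
    //    check_ajax_referer() dies with a -1 response if it is missing or wrong.
    check_ajax_referer('demo_draft_post', 'nonce');

    // 2. Authorisation: the caller must be allowed to edit this specific post.
    //    A subscriber fails this meta-capability check for posts they do not own.
    $post_id = (int) ($_POST['post_id'] ?? 0);
    if ($post_id <= 0 || !current_user_can('edit_post', $post_id)) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }

    // 3. Only now touch the data.
    wp_update_post(['ID' => $post_id, 'post_status' => 'draft']);
    wp_send_json_success(['post_id' => $post_id]);
});

// The page that calls the action must obtain the nonce from the server, e.g.
// wp_localize_script('demo-script', 'demoAjax', [
//     'nonce' => wp_create_nonce('demo_draft_post'),
// ]);
// and send it as the "nonce" field of the POST body.
```

Note that no wp_ajax_nopriv_ hook is registered for the hardened action: registering one would expose it to unauthenticated visitors, which is the shape of the Profile Builder registration issue above.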

Stored Cross-Site Scripting in Strong Testimonials Plugin


Collect and publish testimonials or reviews.

Vulnerability: Stored cross-site scripting (XSS)
Vulnerable version: fixed in version 2.40.1
Number of sites affected: 90 000+

The stored XSS vulnerability found in the plugin can be exploited by attackers to perform malicious actions such as stealing the victim’s session cookies or login credentials, performing arbitrary actions on the victim’s behalf, logging their keystrokes and more.

First reported to the Strong Testimonials team on 23rd January 2020. A PoC with more details on the vulnerability will be released on February 15th, 2020.

Read more about the WordPress plugin vulnerability here.
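The Auth0 issue (a query parameter reflected into the login page) and the Strong Testimonials issue (user-submitted content stored and later rendered) are the two faces of the same defect: untrusted text reaching HTML without context-appropriate escaping. The following added example is not code from either plugin. It assumes the WordPress runtime (esc_html, esc_attr, wp_kses_post, sanitize_text_field, wp_unslash, post meta functions) and a hypothetical meta key:

```php
<?php
// Added example, not code from the Auth0 or Strong Testimonials plugins.
// Assumes the WordPress runtime; the meta key "_demo_testimonial_body" is hypothetical.

/* Reflected XSS: a query parameter echoed into the login page. */

// Vulnerable pattern: raw request data lands both in an attribute and in text.
function render_login_notice_insecure(): string
{
    $wle = $_GET['wle'] ?? '';
    return '<div class="notice" data-wle="' . $wle . '">' . $wle . '</div>';
}

// Fixed pattern: normalise on input, then escape for the exact output context.
function render_login_notice(): string
{
    $wle = isset($_GET['wle']) ? sanitize_text_field(wp_unslash($_GET['wle'])) : '';
    return '<div class="notice" data-wle="' . esc_attr($wle) . '">'
         . esc_html($wle) . '</div>';
}

/* Stored XSS: user-submitted testimonial text saved now and displayed later. */

// On save: keep only the tags and attributes allowed in post content.
// wp_kses_post() removes <script>, on* event handlers and javascript: URLs.
function save_testimonial(int $post_id, string $raw_body): void
{
    $clean = wp_kses_post(wp_unslash($raw_body));
    update_post_meta($post_id, '_demo_testimonial_body', $clean);
}

// On output: filter again. The stored value may have been written by an older,
// unfiltered version of the code or by direct database access, so the output
// path must not trust it.
function render_testimonial(int $post_id): string
{
    $body = (string) get_post_meta($post_id, '_demo_testimonial_body', true);
    return '<blockquote class="testimonial">' . wp_kses_post($body) . '</blockquote>';
}
```

The split between esc_attr() and esc_html() matters: a value that is harmless as text can still break out of an attribute, so each insertion point gets the escaper for its own context, and sanitising on save never replaces escaping on output.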

WordPress Plugin Vulnerability Is Used To Target Your Site

WordPress sites are being hacked and infected every day. Some statistics say that about 30,000 websites are infected with some type of malware daily. Every public website is a resource available on the internet, and as soon as your website is available to the public it immediately becomes a target.

It can take just days from a disclosed plugin vulnerability to a full-scale attack campaign. Attacks of this nature are almost always automated, so you have only a small time window to take action. In such cases, web application firewalls are critically important.


Always keep your plugins updated so you don’t have any vulnerable plugins on your site. If possible, enable automatic updates. If you are using any of the mentioned plugins, update them to the latest version as soon as possible to make sure a WordPress plugin vulnerability won’t affect your sites.

WebARX web application firewall gets virtual patches that are distributed automatically among the sites when vulnerabilities are discovered. Threat intelligence and prevention are our main focus and thus our firewall engine is updated on a daily basis.

Websites with WebARX firewall installed are protected from the security issues mentioned in this article. If you are not protecting your WordPress site against plugin vulnerabilities yet go and start for free here.

Frequently Asked Questions About Vulnerable Plugins

Is WordPress secure?

WordPress itself is secure, but what makes it vulnerable is the third-party components or plugins that are used to extend its functionality. Statistics say that 98% of WordPress vulnerabilities are related to plugins.

How do WordPress sites get hacked?

WordPress sites get hacked mostly by attackers targeting vulnerable software. This means that in most cases your site itself is not the target; the software you use (plugins, themes) is. It is mostly done with bots and automated tools.

What to do when a website is hacked?

Find a trustworthy malware removal provider that has reviews and testimonials online. Check the company’s background and whether the provider does cleanups manually. Read on the WebARX blog why manual cleanups are important.

How to choose a WordPress security plugin?

This requires some critical thinking, as many providers promise 100% security, which can never be guaranteed. When choosing, make sure the security provider offers a managed web application firewall with virtual patches and active support.
