WordPress Vulnerability News, August 2020


Updated: September 2, 2020 by Agnes Talalaev

WordPress vulnerability news is a weekly digest of highlighted vulnerability disclosures that have been published (there are other, less critical vulnerabilities in smaller plugins that unfortunately don’t make it to the list).

This month we have seen 31 vulnerable plugins and themes that affect more than 2 million sites. 

Keeping up to date with security vulnerabilities in WordPress and other CMSs is an important part of security. That is why we are analyzing WordPress plugins and newly disclosed vulnerabilities to make sure the sites using the mentioned plugins or themes are protected.

All the vulnerabilities you find in this article have received a virtual patch in the WebARX firewall. It means that if you use the WebARX web application firewall, your site is safe from these vulnerabilities, but it’s always strongly advised to update or delete vulnerable plugins from your site.

Is your WordPress site secured? Take a look at how to secure your site here.

If you are a WordPress plugin developer read how to secure plugins from an attackers’ perspective.

What are the biggest challenges for freelancers and digital agencies in 2020? Read the Website Security Survey Report 2020 to find out.

Quiz and Survey Master

Quiz and Survey Master is a WordPress quiz plugin.

Vulnerability: Unauthenticated arbitrary file upload
Fixed in version: 7.0.2
The number of sites affected: 30 000+

An unauthenticated user could upload a PHP script with a double extension, e.g., script.php.jpg, and execute it on HTTP servers running a configuration such as Apache + PHP FastCGI.

Read more about the WordPress vulnerability news here.
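As an added illustration of the double-extension case described above (a hypothetical upload handler, not the Quiz and Survey Master code; the wpvn_ function names are assumptions), the validator below requires exactly one extension and checks both the extension and the file's real content against an explicit image allow-list with WordPress's wp_check_filetype_and_ext():

```php
<?php
// Added example: hypothetical hardened upload validation for a WordPress plugin.
// Not the plugin's own code; wpvn_* names are assumptions.

/**
 * Explicit allow-list of accepted image types. Anything else is refused,
 * so a PHP script cannot pass just because its name ends in ".jpg".
 */
function wpvn_allowed_image_mimes() {
    return array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
}

/**
 * Validate one entry from $_FILES. Returns a WP_Error on rejection, or an
 * array with the server-derived safe name, extension and MIME type.
 */
function wpvn_validate_image_upload( array $file ) {
    $error = isset( $file['error'] ) ? (int) $file['error'] : UPLOAD_ERR_NO_FILE;
    if ( UPLOAD_ERR_OK !== $error || empty( $file['name'] ) || empty( $file['tmp_name'] ) ) {
        return new WP_Error( 'upload_error', 'Upload failed or is incomplete.' );
    }

    // Work on the base name only; strip path separators and odd characters.
    // sanitize_file_name() also turns "script.php.jpg" into "script.php_.jpg".
    $name = sanitize_file_name( wp_basename( $file['name'] ) );

    // Refuse multi-extension names outright: exactly one extension allowed.
    // Apache with multi-extension handling may otherwise run the .php handler.
    $parts = explode( '.', $name );
    if ( 2 !== count( $parts ) || '' === $parts[0] ) {
        return new WP_Error( 'bad_name', 'File name must have exactly one extension.' );
    }

    // Check the claimed extension and the real file content (magic bytes)
    // against the allow-list. Both must agree for 'ext' and 'type' to be set.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $name, wpvn_allowed_image_mimes() );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'bad_type', 'Only JPEG, PNG and GIF images are accepted.' );
    }

    // Prefer the filename WordPress corrected from the detected type; never
    // trust the client-supplied name for the stored file.
    $safe_name = ! empty( $check['proper_filename'] ) ? $check['proper_filename'] : $name;

    return array(
        'name' => $safe_name,
        'ext'  => $check['ext'],
        'type' => $check['type'],
    );
}

/**
 * Call site: validate first, then let WordPress move the file with the same
 * allow-list. test_form is off because this is not the media-library form.
 */
function wpvn_handle_upload( array $file ) {
    $valid = wpvn_validate_image_upload( $file );
    if ( is_wp_error( $valid ) ) {
        return $valid;
    }
    $file['name'] = $valid['name'];
    return wp_handle_upload( $file, array( 'test_form' => false, 'mimes' => wpvn_allowed_image_mimes() ) );
}
```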

FooGallery Image Gallery

With FooGallery you can add a stunning photo gallery to your website in minutes.

Vulnerability: Authenticated cross-site scripting (XSS)
Fixed in version: 1.9.25
The number of sites affected: 200 000+

The vulnerability exists due to insufficient sanitization of user-supplied data in the image title or caption parameters in the gallery media upload editor. A remote authenticated attacker can trick the victim into following a specially crafted link and execute arbitrary HTML and script code in the user’s browser in the context of the vulnerable website.

Successful exploitation of this vulnerability may allow a remote attacker to steal potentially sensitive information, change the appearance of the web page, and perform phishing and drive-by download attacks.

Read more about the WordPress vulnerability news here.

Autoptimize

You can optimize and lazy-load images, optimize Google Fonts, async non-aggregated JavaScript, remove WordPress core emoji cruft and more.

Vulnerability: Authenticated arbitrary file upload
Fixed in version: 2.7.7
The number of sites affected: 1+ million

The ao_ccss_import AJAX call does not ensure that the file provided is a legitimate Zip file, allowing high privilege users to upload arbitrary files, such as PHP, leading to RCE.

The PoC will be displayed on September 07, 2020, to give users the time to update. Read more here.

RSVPMaker

RSVPMaker is an event scheduling and RSVP tracking plugin for WordPress.

Vulnerability: Unauthenticated SQL injection
Fixed in version: 7.8.2
The number of sites affected: 700+

The plugin does not sanitise user input before using it in a SQL statement in the signed_up_ajax() AJAX action.

Note: Even though the reported SQL Injection was fixed in v7.8.2, other additional sanitisation was implemented in v7.8.3 to 7.8.6.

The PoC will be displayed on September 12, 2020, to give users the time to update.

WooCommerce – NAB Transact 

NAB Transact is a credit card processor. You can process Visa and Mastercard by default, and optionally accept American Express, UnionPay (UPOP), Diners Club and JCB after activation from NAB.

Vulnerability: Payment bypass
Fixed in version: 2.1.2
The number of sites affected: N/A

The plugin does not validate the origin of payment processor status requests, allowing orders to be marked as fully paid by issuing a specially crafted GET request during the ordering workflow.

The PoC will be displayed on September 04, 2020, to give users the time to update.

Contact Form – Form builder by Kali Forms

Kali Forms is a WordPress contact form plugin. 

Vulnerability: Authenticated plugin’s settings change
Fixed in version: 2.1.2
The number of sites affected: 30 000+

The kaliforms_update_option_ajax() AJAX action lacks capability and proper CSRF checks, allowing low privilege authenticated users to change or delete the plugin’s settings.

Read more about the WordPress vulnerability news here.

Advanced Access Manager

Advanced Access Manager (aka AAM) is a WordPress plugin designed to help you control your website.

Vulnerability: Authenticated authorization bypass and privilege escalation
Fixed in version: 6.6.2
The number of sites affected: 100 000+

Advanced Access Manager allows fine-grained access control and has the capability to assign multiple roles to a single user. Only when the “Multiple Roles Support” setting is enabled is the plugin vulnerable to authenticated authorization bypass and, in some cases, privilege escalation.

Read more about the WordPress vulnerability news here.

Discount Rules for WooCommerce

Discount Rules for WooCommerce helps you to create any type of bulk discounts, dynamic pricing, advanced discounts, percentage discounts, product-based discounts, and tiered discounts for your products.

Vulnerability: SQLi and unauthenticated stored XSS
Fixed in version: 2.1.0
The number of sites affected: 30 000+

There are SQLi and unauthenticated stored XSS vulnerabilities in Discount Rules for WooCommerce WordPress plugin.

Read more about the WordPress vulnerability news here.

Geo Magazine

Geo Magazine is a responsive WordPress news, magazine, newspaper, and blog theme.

Vulnerability: Unauthenticated reflected XSS
Fixed in version: no known fix
The number of sites affected: 30+

An Unauthenticated Reflected XSS vulnerability was discovered in the Geo Magazine theme through 2.0 for WordPress.

The PoC will be displayed once the issue has been remediated.

WordPress Theme Home Villas

Home Villas is a real estate WordPress theme.

Vulnerability: Multiple cross-site scripting issues
Fixed in version: no known fix
The number of sites affected: 1 000+

Unauthenticated reflected and authenticated persistent XSS vulnerabilities were discovered in the Home Villas theme through 2.2 for WordPress.

The PoC will be displayed once the issue has been remediated. Read more here.

WP Customer Reviews

WP Customer Reviews allows you to set up a specific page on your blog to receive customer testimonials for your business/service OR to write reviews about a product.

Vulnerability: Multiple unauthenticated and low privilege authenticated stored XSS
Fixed in version: 3.4.3
The number of sites affected: 50 000+

Multiple stored cross-site scripting vulnerabilities in WP Customer Reviews 3.4.2 and lower allow remote attackers to inject arbitrary JavaScript code or HTML.

The PoC will be displayed on September 10, 2020, to give users the time to update.

Click to Top

Click to top is a scroll to top WordPress plugin.

Vulnerability: Authenticated stored cross-site scripting
Fixed in version: no known fix
The number of sites affected: 8 000+

The Type scroll text field in the plugin settings page was found to be vulnerable to stored XSS, as the plugin did not sanitize user-given input properly before publishing the changes.

It is triggered when a user loads any page on the website. All WordPress websites using Click to top WordPress Plugin version 1.2.7 and below are affected.

The PoC will be displayed once the issue has been remediated.

Change WordPress Login Logo

Upload your logo for WordPress login page instead of the usual WordPress logo with simple settings.

Vulnerability: Authenticated stored cross-site scripting
Fixed in version: no known fix
The number of sites affected: 8 000+

The height and width fields used when updating the custom logo were found to be vulnerable to stored XSS, as the plugin did not sanitize the user-given input properly before publishing the changes.

It is triggered when a user loads the login page. All WordPress websites using Change WordPress Login Logo Plugin version 1.1.4 and below are affected.

The PoC will be displayed once the issue has been remediated.

Internal Links Manager

The Internal Links Manager helps to automatically match links with your keywords.

Vulnerability: Multiple authenticated stored cross-site scripting
Fixed in version: no known fix
The number of sites affected: 2 000+

Due to a lack of user input filtering and validation, the “Add New Link” and “All Links” features are vulnerable to cross-site scripting. The following fields are vulnerable: Internal Title (title), Link Title (titleattr).

The PoC will be displayed once the issue has been remediated. Read more here.

Fancy Lightbox 

WP fancyBox plugin allows you to pop up content in a lightbox using the popular jQuery fancyBox library.

Vulnerability: Authenticated stored cross-site scripting (XSS)
Fixed in version: 1.0.2
The number of sites affected: 600+

The ‘hyperlink’ field used while linking a remote resource (image, video or web page) from a URL was found to be vulnerable to stored XSS, as the plugin did not sanitize user-given input properly before publishing the post.

It is triggered when a user loads a page where the plugin shortcode is used. All WordPress websites using Fancybox Lightbox version 1.0.1 and below are affected.

The PoC will be displayed on August 31, 2020, to give users the time to update.

Responsive Lightbox2

Responsive Lightbox2 plugin allows you to overlay images on top of the current page.

Vulnerability: Authenticated stored cross-site scripting (XSS)
Fixed in version: 1.0.3
The number of sites affected: 400+

The ‘hyperlink’ field used while linking an image from a URL was found to be vulnerable to stored XSS, as the plugin did not sanitize user-given input properly before publishing the post.

It is triggered when a user loads a page where the plugin shortcode is used. All WordPress websites using Responsive Lightbox2 version 1.0.2 and below are affected.

The PoC will be displayed on August 31, 2020, to give users the time to update.

Colorbox Lightbox

WordPress Colorbox plugin allows users to pop up content in a lightbox using the popular jQuery ColorBox library.

Vulnerability: Authenticated stored cross-site scripting (XSS)
Fixed in version: no known fix – plugin closed
The number of sites affected: 10 000+

The ‘hyperlink’ field used while linking an image from a URL was found to be vulnerable to stored XSS, as the plugin did not sanitize user-given input properly before publishing the post.

It is triggered when a user loads a page where the plugin shortcode is used. All WordPress websites using WordPress Colorbox Lightbox version 1.1.2 and below are affected.

The PoC will be displayed once the issue has been remediated.

Sell Photo

Sell Photo plugin allows you to create a Buy button for each image of your WordPress photo gallery.

Vulnerability: Authenticated stored cross-site scripting (XSS)
Fixed in version: no known fix – plugin closed
The number of sites affected: 200+

The Button Text/Image field in the Settings page of the Sell Photos plugin was found to be vulnerable to stored XSS, as the plugin did not sanitize user-given input properly. It is triggered when a user loads a page where the plugin is used, and when an admin opens the settings page of the plugin.

The PoC will be displayed once the issue has been remediated.

NextGEN Gallery Sell Photo

NextGEN Gallery Sell Photo plugin allows you to create a buy button for each photo that a user can click to purchase.

Vulnerability: Authenticated stored cross-site scripting (XSS)
Fixed in version: no known fix – plugin closed
The number of sites affected: 600+

“The Button Text/Image field in the Settings page of the Sell Photos Plugin was found to be vulnerable to stored XSS, as they did not sanitize user-given input properly. It is triggered when a user loads a page where the plugin is used, and when an admin opens the settings page of the plugin.”

Fancy Lightbox

WP fancyBox plugin allows you to pop up content in a lightbox using the popular jQuery fancyBox library. 

Vulnerability: Stored cross-site scripting (XSS)
Fixed in version: no known fix – plugin closed
The number of sites affected: 500+

The ‘hyperlink’ field used while linking a remote resource (image, video or web page) from a URL was found to be vulnerable to stored XSS, as the plugin did not sanitise user-given input properly before publishing the post.

It is triggered when a user loads a page where the plugin shortcode is used. All WordPress websites using Fancybox Lightbox version 1.0.1 and below are affected.

The PoC will be displayed once the issue has been remediated.

Easy Media Download

Easy Media Download is a free download manager for WordPress.

Vulnerability: Stored cross-site scripting (XSS)
Fixed in version: 1.1.5
The number of sites affected: 20 000+

The ‘Button Text’ field used while posting a file download was found to be vulnerable to stored XSS, as the plugin did not sanitize user-given input properly before publishing the post.

It is triggered when a user loads a page where the plugin shortcode is used. All WordPress websites using Easy Media Download by naa986 version 1.1.4 and below are affected.

The PoC will be displayed on August 31, 2020, to give users the time to update. You can read more here.
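The lightbox entries and Easy Media Download above share one pattern: a ‘hyperlink’ or ‘Button Text’ value is stored with the post and echoed back inside a shortcode’s HTML without escaping. As an added example (a hypothetical shortcode and setting, not the code of any plugin named above; the wpvn_ names are assumptions), here is the same rendering done safely: the URL is restricted to http/https and each value is escaped for the exact context it lands in.

```php
<?php
// Added example: hypothetical [wpvn_lightbox] shortcode rendering a link to a
// remote resource with a caption. Not the code of any plugin named above;
// wpvn_* names are assumptions.

function wpvn_lightbox_shortcode( $atts ) {
    // Closed attribute set with defaults: unknown attributes are dropped.
    $atts = shortcode_atts(
        array(
            'href'  => '',
            'text'  => 'Open',
            'title' => '',
        ),
        $atts,
        'wpvn_lightbox'
    );

    // Restrict the link to http/https. esc_url() rejects javascript: and
    // data: schemes and returns '' for anything it cannot make safe.
    $href = esc_url( $atts['href'], array( 'http', 'https' ) );
    if ( '' === $href ) {
        // Disallowed scheme or empty value: render no link at all rather than
        // a broken or dangerous one.
        return '';
    }

    // Attribute context: quotes and angle brackets become entities, so a
    // stored value cannot close the title attribute and start a new one.
    $title = esc_attr( sanitize_text_field( $atts['title'] ) );

    // Text-node context: the caption is displayed, never parsed as markup.
    $text = esc_html( sanitize_text_field( $atts['text'] ) );

    return sprintf(
        '<a class="wpvn-lightbox" href="%s" title="%s" rel="noopener noreferrer" target="_blank">%s</a>',
        $href,
        $title,
        $text
    );
}
add_shortcode( 'wpvn_lightbox', 'wpvn_lightbox_shortcode' );

// Same rule for a value saved from a settings form (the Sell Photo and Click
// to Top pattern): sanitize when saving, and still escape when printing.
// A sanitize_callback is not a substitute for esc_html()/esc_attr() at output.
function wpvn_sanitize_button_text( $value ) {
    return sanitize_text_field( (string) $value );
}

function wpvn_register_settings() {
    register_setting( 'wpvn_options', 'wpvn_button_text', array(
        'type'              => 'string',
        'sanitize_callback' => 'wpvn_sanitize_button_text',
        'default'           => 'Buy',
    ) );
}
add_action( 'admin_init', 'wpvn_register_settings' );

// Output side for the stored setting, escaped for the text-node context.
function wpvn_render_button_text() {
    return esc_html( get_option( 'wpvn_button_text', 'Buy' ) );
}
```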

Nova Lite

Nova Lite is a responsive clean Tumblog WordPress Theme, based on Bootstrap framework.

Vulnerability: Unauthenticated reflected cross-site scripting (XSS)
Fixed in version: 1.3.9
The number of sites affected: 700+

The theme did not properly sanitise the search query, leading to an unauthenticated reflected cross-site scripting issue.

The PoC will be displayed on August 27, 2020, to give users the time to update.

Sell Media

Sell Media is a WordPress plugin to sell photos, prints, and videos through your self-hosted WordPress site.

Vulnerability: Unauthenticated reflected cross-site scripting (XSS)
Fixed in version: 2.4.2
The number of sites affected: 1 000+

A Cross-site scripting (XSS) vulnerability in /inc/class-search.php in the Sell Media plugin v2.4.1 for WordPress allows remote attackers to inject arbitrary web script or HTML via the keyword parameter (aka $search_term or the Search field).

Read more about the WordPress vulnerability news here.

Quiz And Survey Master

A WordPress plugin to create surveys for your users.

Vulnerability: Arbitrary file upload
Fixed in version: 7.0.1
The number of sites affected: 30 000+

This flaw made it possible for unauthenticated attackers to upload arbitrary files and achieve remote code execution.

Vulnerability: Unauthenticated arbitrary file deletion
Fixed in version: 7.0.1
The number of sites affected: 30 000+

This flaw allows users to delete arbitrary files like a site’s wp-config.php file which could effectively take a site offline and allow an attacker to take over the vulnerable site.

The PoC will be displayed on September 03, 2020, to give users the time to update.

Ultimate Member – User Profile & Membership Plugin

Ultimate Member is a user profile and membership plugin for WordPress.

Vulnerability: Unauthenticated open redirect
Fixed in version: 2.1.7
The number of sites affected: 100 000+

The Ultimate Member WordPress plugin was vulnerable to an Unauthenticated Open Redirect vulnerability, affecting the registration and login pages where the “redirect_to” GET parameter was used.

The PoC will be displayed on August 26, 2020, to give users the time to update. Read more about the WordPress vulnerability news here.
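An added example of the defensive handling for a “redirect_to” parameter like the one described above (a hypothetical login handler, not Ultimate Member’s code; the wpvn_ names are assumptions): wp_validate_redirect() accepts only URLs on the site’s own host, or hosts added through the allowed_redirect_hosts filter, and falls back to a local URL for everything else, including protocol-relative “//host” values.

```php
<?php
// Added example: hypothetical post-login redirect that handles a
// "redirect_to" GET parameter safely. Not Ultimate Member's code;
// wpvn_* names are assumptions.

/**
 * Return a redirect target that is guaranteed to stay on this site.
 * wp_validate_redirect() normalises the URL, treats "//evil.example" as an
 * absolute http URL, and compares the host with the site's host (plus any
 * host allowed by the allowed_redirect_hosts filter). Anything that fails
 * the comparison, or uses a scheme other than http/https, yields $fallback.
 */
function wpvn_safe_redirect_target( $requested, $fallback = null ) {
    if ( null === $fallback ) {
        $fallback = home_url( '/' );
    }
    $requested = is_string( $requested ) ? wp_unslash( $requested ) : '';
    if ( '' === $requested ) {
        return $fallback;
    }
    return wp_validate_redirect( $requested, $fallback );
}

/**
 * Call site for a custom login or registration form, run after the user has
 * been authenticated.
 */
function wpvn_after_login_redirect() {
    $requested = isset( $_GET['redirect_to'] ) ? $_GET['redirect_to'] : '';
    $target    = wpvn_safe_redirect_target( $requested );

    // wp_safe_redirect() applies the same host check once more before the
    // Location header is sent, so a bug in the caller cannot reintroduce an
    // off-site redirect. Always exit after issuing a redirect.
    wp_safe_redirect( $target );
    exit;
}
```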

WordPress Theme Konzept

KONZEPT is a portfolio solution for creative professionals.

Vulnerability: Unauthenticated Reflected XSS
Fixed in version: 2.5
The number of sites affected: 2 000+

An Unauthenticated Reflected XSS vulnerability was discovered in the Konzept theme through 2.3 for WordPress.

The PoC will be displayed on August 20, 2020, to give users the time to update. Read more about the WordPress vulnerability news here.

WordPress Theme FoodBakery

FoodBakery is a WordPress restaurant theme.

Vulnerability: Unauthenticated Reflected XSS
Fixed in version: no known fix
The number of sites affected: 2 000+

An Unauthenticated Reflected XSS vulnerability was discovered in the FoodBakery theme through 1.9 for WordPress.

The issue has been hot-patched (in 1.9), but no new version has been released. As a result, there are two 1.9 versions out there, one vulnerable and one with the patch, therefore we cannot set a fixed-in version so far. It will be set when a new version is released. (Source)

The PoC will be displayed on August 19, 2020, to give users the time to update.

The Official WordPress Facebook Chat Plugin

You can add the Facebook Chat Plugin to your website, enabling customers to message you while browsing your website.

Vulnerability: Authenticated options change to chat takeover
Fixed in version: 1.6
The number of sites affected: 80 000+

This flaw made it possible for low-level authenticated attackers to connect their own Facebook Messenger account to any site running the vulnerable plugin and engage in chats with site visitors on affected sites.

The PoC will be displayed on August 25, 2020, to give users the time to update.

Divi Theme, Extra Theme, and Divi Builder plugin

Divi is a theme and visual page builder.

Vulnerability: Authenticated arbitrary file upload
Fixed in version: 4.5.3 (for all products)
The number of sites affected: 700 000+

There is a vulnerability present in two themes by Elegant Themes, Divi and Extra, as well as Divi Builder, a WordPress plugin. This flaw gave authenticated attackers, with contributor-level or above capabilities, the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server.

Read more about the WordPress vulnerability news here.

CMP – Coming Soon & Maintenance

With CMP – Coming Soon & Maintenance plugin you can activate your maintenance, coming soon or under construction landing page.

Vulnerability: Improper access controls on AJAX calls
Fixed in version: 3.8.2
The number of sites affected: 100 000+

Some of the AJAX calls from the plugin do not properly check for capabilities and CSRF tokens, leading to issues such as arbitrary post read, subscribers list export, and plugin deactivation.

Read more about the WordPress vulnerability news here.
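The Kali Forms and CMP entries above describe the same defect: a wp_ajax_ handler that checks neither a nonce nor a capability before changing plugin state. As an added example (a hypothetical plugin, not the code of either plugin; the wpvn_ names, the option keys and the settings-page slug are assumptions), here is a settings-update handler that performs both checks and only writes allow-listed options.

```php
<?php
// Added example: hypothetical AJAX settings handler with the checks the
// Kali Forms and CMP reports say were missing. Not either plugin's code;
// wpvn_* names, option keys and the page slug are assumptions.

// Expose a nonce to the admin page script. The nonce ties the request to
// this logged-in user and this action, so a forged cross-site request fails.
function wpvn_enqueue_admin_script( $hook_suffix ) {
    // Assumes the settings page was registered with slug "wpvn".
    if ( 'settings_page_wpvn' !== $hook_suffix ) {
        return;
    }
    wp_enqueue_script( 'wpvn-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'wpvn-admin', 'wpvnAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'wpvn_update_option' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'wpvn_enqueue_admin_script' );

// Registered for logged-in users only: no wp_ajax_nopriv_ variant, because
// changing settings must never be reachable anonymously.
add_action( 'wp_ajax_wpvn_update_option', 'wpvn_update_option_ajax' );

function wpvn_update_option_ajax() {
    // 1. CSRF check: the request must carry a valid nonce for this action.
    //    Passing false as the third argument lets us send our own JSON error.
    if ( ! check_ajax_referer( 'wpvn_update_option', 'nonce', false ) ) {
        wp_send_json_error( array( 'message' => 'Invalid or expired nonce.' ), 403 );
    }

    // 2. Capability check: being logged in is not enough. A subscriber has a
    //    valid session and can obtain a nonce, but must not change settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Allow-list the option key, so the handler cannot be turned into a
    //    generic "write or delete any wp_options row" primitive.
    $allowed = array( 'wpvn_redirect_url', 'wpvn_button_text' );
    $key     = isset( $_POST['key'] ) ? sanitize_key( wp_unslash( $_POST['key'] ) ) : '';
    if ( ! in_array( $key, $allowed, true ) ) {
        wp_send_json_error( array( 'message' => 'Unknown option.' ), 400 );
    }

    // 4. Sanitize the value according to what the option is meant to hold.
    $raw   = isset( $_POST['value'] ) ? wp_unslash( $_POST['value'] ) : '';
    $value = ( 'wpvn_redirect_url' === $key ) ? esc_url_raw( $raw ) : sanitize_text_field( $raw );

    update_option( $key, $value );
    wp_send_json_success( array( 'key' => $key, 'value' => $value ) );
}
```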

Product Input Fields for WooCommerce

The Product Input Fields for WooCommerce plugin lets you add custom input fields to the WooCommerce product frontend for the customer to fill in before adding the product to the cart.

Vulnerability: Unauthenticated file download
Fixed in version: 1.2.7
The number of sites affected: 5 000+

The Product Input Fields for WooCommerce plugin team fixed a high severity vulnerability affecting version 1.2.6 and below. The vulnerability could allow an unauthenticated user to download any file from the website, including the WordPress configuration file that contains the database credentials.

Read more about the WordPress vulnerability news here.

Newsletter

Newsletter is a newsletter and email marketing system for WordPress blogs.

Vulnerability: Authenticated cross-site scripting (XSS)
Fixed in version: 6.8.2
The number of sites affected: 300 000+

Vulnerability: Authenticated PHP object injection
Fixed in version: 6.8.2
The number of sites affected: 300 000+

The PHP Object Injection vulnerability requires additional vulnerable software to be installed.

Sites with WebARX firewall installed are protected from both of these vulnerabilities.

Read more about the WordPress vulnerability news here.

Conclusion

WordPress sites are being hacked and infected every day. Some statistics say that about 30,000 websites are infected with some type of malware daily. Every public website is a resource available on the internet, and it is important to understand that as soon as your website is available to the public, it immediately becomes a target.

It can take just days from a disclosed plugin vulnerability to a full-scale attack campaign. Attacks of this nature are almost always automated. To be able to fight back, you have a small time window to take action. In such cases, web application firewalls are of critical importance.

Always keep your plugins updated. If possible, enable automatic updates. If you are using any of the mentioned plugins, you need to update it with the latest version as soon as possible.

WebARX web application firewall gets virtual patches that are distributed automatically among the sites when vulnerabilities are discovered. Threat intelligence and prevention are our main focus and thus our firewall engine is updated on a daily basis.

Websites with WebARX firewall installed are protected from the security issues mentioned in this article. If you are not protecting your WordPress site against plugin vulnerabilities yet go and start for free here.

Frequently Asked Questions After Reading Our WordPress Vulnerability News

Is WordPress secure?

WordPress itself is secure, but what makes it vulnerable is the third party components or plugins that are used to improve its functionality. Statistics say that 98% of WordPress vulnerabilities are related to plugins.

How many websites get hacked a day?

A study was made that stated that there is an attack every 39 seconds on average on the web and about 30,000 websites are infected with some type of malware daily. Since WordPress is used by over 35% of all websites it is unsurprisingly also registered as the one with the highest number of vulnerabilities.

How do WordPress sites get hacked?

WordPress sites get hacked mostly by hackers targeting vulnerable software. It means that your site is not the target in most cases but the software (plugins, themes) that you use. It is mostly being done with bots and automated tools.

How to choose a WordPress security plugin?

This will require some critical thinking as many of the providers offer “100% security”. This can never be promised. When choosing, make sure the security provider offers a managed web application firewall with virtual patches and active support.
