
WordPress Vulnerability News, April 2020


Updated: May 4, 2020 by Agnes Talalaev

This is a monthly WordPress plugin vulnerability news article. It is a monthly digest of newly disclosed vulnerabilities in WordPress plugins, or of plugins whose vulnerabilities deserve highlighting (there are other, less critical vulnerabilities in smaller plugins that unfortunately don’t always make it to the list).

Hundreds of WordPress sites get hacked every day. Statistics say that 98% of hacking incidents happen because of outdated plugins and themes.

When plugins and themes are outdated, they are not getting important updates which may include security fixes.

One of the most important reasons why we keep a close eye on WordPress plugins is to monitor available updates and newly disclosed vulnerabilities.

When a vulnerability is found, we immediately push an automatic virtual patch to our firewall where needed, so that sites protected by the WebARX firewall stay protected at all times.

All the vulnerabilities you find from this article have received a virtual patch to the WebARX firewall.

It means that if you use the WebARX web application firewall, your site is safe from these vulnerabilities, but it’s always strongly advised to update or delete vulnerable plugins from your site. If possible, enable automatic updates in WebARX Portal.

Is your WordPress site secured? Take a look at how to secure your site here.

If you are a WordPress plugin developer, read how to secure plugins from an attacker’s perspective, or contact support@webarxsecurity.com and ask for a plugin security audit.

Read March vulnerability news here and February vulnerability news here.

Authenticated SQL Injection in WP-Advanced-Search

WP-Advanced-Search adds a search page to WordPress.

Vulnerability: Authenticated SQL injection
Fixed in version: 3.3.7
Number of sites affected: 1 000+

The import functionality used to restore plugin settings within the admin pages was vulnerable to SQL injection by a privileged user with the edit_posts capability.

Read more about the vulnerable WordPress plugin here.

CSRF to XSS in Ninja Forms Plugin

Use Ninja Forms to create WordPress forms.

Vulnerability: CSRF to XSS
Fixed in version: 3.4.24.2
Number of sites affected: 1+ million

The web application does not, or can not, sufficiently verify whether a well-formed, valid, consistent request was intentionally provided by the user who submitted the request.

Read more about the vulnerable WordPress plugin here.

Unauthenticated Reflected XSS in Catch Breadcrumb

Catch Breadcrumb is a simple yet feature-rich breadcrumb WordPress plugin that adds seamless breadcrumbs navigation to your website.

Vulnerability: Unauthenticated Reflected XSS
Fixed in version: 1.5.7
Number of sites affected: 1 000+

Catch Breadcrumb 1.5.4 plugin for WordPress allows Reflected XSS via a search query when used with one of the themes from the same author:

  • Alchemist & Alchemist PRO
  • Izabel & Izabel PRO
  • Chique & Chique PRO
  • Clean Enterprise & Clean Enterprise PRO
  • Bold Photography PRO
  • Intuitive PRO
  • Devotepress PRO
  • Clean Blocks PRO
  • Foodoholic PRO
  • Catch Mag PRO
  • Catch Wedding PRO
  • Higher Education PRO

The PoC will be displayed on May 14, 2020, to give users the time to update.

Authenticated Settings Update in Quick Page/Post Redirect Plugin

Quick Page/Post Redirect gives you two ways to add redirects to your WordPress install.

Vulnerability: Authenticated settings update
Fixed in version: no known fix – plugin closed
Number of sites affected: 200 000+

Quick Page/Post Redirect is prone to an authenticated settings change vulnerability in version 5.1.9 and below.

Read more about the vulnerable WordPress plugin here.

Multiple Cross-Site Scripting (XSS) in Gmedia Photo Gallery Plugin

Manage files, show image galleries and photo slideshows, and play music on your site with the Gmedia Gallery plugin.

Vulnerability: Stored and reflected XSS
Fixed in version: 1.18.5
Number of sites affected: 10 000+

Multiple XSS vulnerabilities have been discovered in the Gmedia Gallery plugin (version 1.18.0). These vulnerabilities are caused by improper validation of user input in the album, gallery, category, and media upload module. The vulnerability types include both stored and reflected XSS.

Read more about the vulnerable WordPress plugin here.

Reflected Cross-Site Scripting (XSS) in BigBlueButton Plugin

BigBlueButton is an open-source web conferencing system.

Vulnerability: Reflected cross-site scripting (XSS)
Fixed in version: 2.2.4
Number of sites affected: 7 000+

XSS via closed captions, because the React component renders the caption text with dangerouslySetInnerHTML.

Read more about the vulnerable WordPress plugin here.

Multiple Vulnerabilities in LearnPress Plugin

LearnPress is a WordPress LMS Plugin, like Moodle for WordPress. 

Vulnerability: Authenticated post creation and status modification
Fixed in version: 3.2.6.9
Number of sites affected: 80 000+

The LearnPress plugin for WordPress allows authenticated remote attackers with minimal permissions to create pages with arbitrary titles or modify the publication status of any existing page, via the learnpress_create_page or learnpress_update_order_status AJAX actions.

Read more about the vulnerable WordPress plugin here.

Vulnerability: Privilege escalation to “LP Instructor”
Fixed in version: 3.2.6.9
Number of sites affected: 80 000+

The LearnPress plugin through 3.2.6.8 for WordPress allows remote attackers to escalate the privileges of any user to LP Instructor via the accept-to-be-teacher action parameter. The “LP Instructor” role grants the “unfiltered_html” capability, allowing an escalated user to insert posts containing malicious JavaScript.

Vulnerability: Authenticated time-based blind SQL injection
Fixed in version: 3.2.6.8
Number of sites affected: 80 000+

This could allow a low-privilege user to perform a time-based blind SQL injection attack and retrieve data from the database, such as hashed passwords.

The PoC will be displayed on May 12, 2020, to give users the time to update.

Unauthenticated Arbitrary File Upload RCE in Simple File List

Simple File List is a free plugin that gives your WordPress website a list of your files, allowing your users to open and download them. Users can also upload files if you choose.

Vulnerability: Unauthenticated arbitrary file upload RCE
Fixed in version: 4.2.3
Number of sites affected: 4 000+

The Simple File List WordPress plugin was found to be vulnerable to an unauthenticated arbitrary file upload leading to remote code execution. The public Python exploit first uploads a file containing PHP code but with a .png image file extension. A second request then moves (renames) the .png file to a .php file.

The PoC will be displayed on May 11, 2020, to give users the time to update.
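The two-step chain described above (upload a file with a .png name, then rename it to .php) is closed by validating on both requests. The following is an added example, not the Simple File List plugin’s code: it uses WordPress’s own wp_check_filetype_and_ext() on upload and a rename check that refuses to change the extension; the action, directory and function names are hypothetical.

```php
<?php
// Constructed example, not the Simple File List code. Names are hypothetical.

if ( ! defined( 'ABSPATH' ) ) {
    exit; // never let this file be requested directly
}

// Extensions the feature needs. Anything the web server would execute
// (php, phtml, phar, ...) is simply absent from the list.
function example_allowed_extensions() {
    return array( 'png', 'jpg', 'jpeg', 'gif', 'pdf', 'txt', 'zip' );
}

// Lower-cased extension if allow-listed, otherwise ''.
function example_safe_extension( $filename ) {
    $ext = strtolower( pathinfo( $filename, PATHINFO_EXTENSION ) );
    return in_array( $ext, example_allowed_extensions(), true ) ? $ext : '';
}

// A rename is only safe when the extension stays the same allow-listed value
// and the new name cannot leave the directory.
function example_rename_is_safe( $old, $new ) {
    $old_ext = example_safe_extension( $old );
    return '' !== $old_ext
        && $old_ext === example_safe_extension( $new )
        && basename( $new ) === $new
        && false === strpbrk( $old . $new, '/\\' );
}

function example_upload_dir() {
    $dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'example-file-list/';
    wp_mkdir_p( $dir );
    return $dir;
}

function example_handle_upload() {
    check_ajax_referer( 'example_file_list', '_ajax_nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    if ( empty( $_FILES['file']['tmp_name'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }
    $name = sanitize_file_name( wp_unslash( $_FILES['file']['name'] ) );

    // Check 1: the supplied name carries an allow-listed extension.
    if ( '' === example_safe_extension( $name ) ) {
        wp_send_json_error( 'file type not allowed', 415 );
    }
    // Check 2: the content matches the extension. PHP source named .png fails
    // here because WordPress finds no image signature in the bytes.
    $check = wp_check_filetype_and_ext( $_FILES['file']['tmp_name'], $name );
    if ( false === $check['ext'] || false === $check['type'] ) {
        wp_send_json_error( 'file content does not match its extension', 415 );
    }

    $dir = example_upload_dir();
    move_uploaded_file( $_FILES['file']['tmp_name'], $dir . wp_unique_filename( $dir, $name ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_upload', 'example_handle_upload' );

// The second request of the exploit targeted the rename step; it needs the same
// authentication, authorization and CSRF checks plus the extension rule above.
function example_handle_rename() {
    check_ajax_referer( 'example_file_list', '_ajax_nonce' );
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $old = isset( $_POST['old_name'] ) ? sanitize_file_name( wp_unslash( $_POST['old_name'] ) ) : '';
    $new = isset( $_POST['new_name'] ) ? sanitize_file_name( wp_unslash( $_POST['new_name'] ) ) : '';
    if ( ! example_rename_is_safe( $old, $new ) ) {
        wp_send_json_error( 'rename not allowed', 400 );
    }
    $dir = example_upload_dir();
    if ( ! is_file( $dir . $old ) || file_exists( $dir . $new ) ) {
        wp_send_json_error( 'source missing or target exists', 409 );
    }
    rename( $dir . $old, $dir . $new );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_rename', 'example_handle_rename' );
```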

Cross-Site Request Forgery to Stored Cross-Site Scripting in Real-Time Find and Replace

This plugin allows you to dynamically (i.e. at the time when a page is generated) replace code and text from themes and other plugins with code and text of your choice before a page is delivered to a user’s browser.

Vulnerability: Cross-site request forgery to stored cross-site scripting
Fixed in version: 4.0.2
Number of sites affected: 100 000+

This flaw could allow any user to inject malicious JavaScript anywhere on a site if they could trick a site’s administrator into performing an action, like clicking on a link in a comment or email.

The PoC will be displayed on May 11, 2020, to give users the time to update.

SQL Query Leak in Ajax Search in Advanced Woo Search

Advanced Woo Search is a search plugin for WooCommerce. It supports AJAX search and search results page display.

Vulnerability: SQL query leak in ajax search
Fixed in version: 2.00
Number of sites affected: 40 000+

Every ajax search returns the raw SQL query in the response.

Read more about the vulnerable WordPress plugin here.

SQL Injections due to Duplicated Snippets in Duplicate Page and Post & WP Post Page Clone

The Duplicate Page and Post plugin provides the functionality to clone pages or posts. You can duplicate pages, posts, and custom posts with a single click, and the copy is saved as a draft.

Duplicate Page and Post
Vulnerability: SQL injections due to duplicated snippets
Fixed in version: 2.5.7
Number of sites affected: 50 000+

WP Post Page Clone lets you create clones of your pages and posts; it has the same vulnerability as Duplicate Page and Post. According to WordPress.org, WP Post Page Clone has 0 downloads. There is no known fix and the plugin is closed.

Read more about the vulnerable WordPress plugin here.

Authenticated Stored XSS in YOP Poll Plugin

YOP Poll plugin allows you to easily integrate a survey in your blog post/page and to manage the polls from within your WordPress dashboard.

Vulnerability: Authenticated Stored XSS
Fixed in version: 6.1.5
Number of sites affected: 20 000+

If you add a new poll, and place a malicious script in the question/answer fields and then press Preview, the script will run. The preview option is available for the editor & administrator role, which makes these roles vulnerable to XSS attacks.

The PoC will be displayed on May 08, 2020, to give users the time to update.

Authenticated map creation/deletion leading to stored cross-site scripting (XSS) in MapPress Maps for WordPress

MapPress adds interactive Google or Leaflet maps to WordPress.

Vulnerability: Authenticated map creation/deletion leading to stored cross-site scripting (XSS)
Fixed in version: 2.53.9
Number of sites affected: 80 000+

Both the Free and Pro versions of this plugin register AJAX actions that call functions that lack capability checks and nonce checks.

It is possible for a logged-in attacker with minimal permissions, such as a subscriber, to add a map containing malicious JavaScript to an arbitrary post or page.

Read more about the vulnerable WordPress plugin here.

Multiple Unauthenticated Issues in WP GDPR Plugin

The WP GDPR plugin by AppSaloon assists in making your website GDPR compliant by making personal data accessible to the owner of the data.

Vulnerability: Multiple vulnerabilities (see list below)
Vulnerable version: 2.1.1 and below – plugin closed
Number of sites affected: 6 000+

The plugin is affected by multiple issues and has been closed in the WordPress.org repository:

  • Unauthenticated Stored XSS
  • Unauthenticated Content spoofing
  • Unauthenticated Arbitrary comment deletion
  • Unauthenticated plugin’s settings update

Read more about the vulnerable WordPress plugin here.

M-Shield & Kingof – Fake Malware Backdoor Plugins

Sucuri Labs found that the M-Shield & kingof fake WordPress plugins were used as malware droppers, with the initial compromise likely coming from a security vulnerability in another, legitimate WordPress plugin.

It’s important to note that attackers can leverage plugin vulnerabilities and other malicious code even if a plugin is deactivated in your WordPress environment.

It is highly recommended to regularly audit your plugins and themes and remove any unknown or unused components from your website.

Read more about the vulnerable WordPress plugin here.

Unauthenticated Reflected XSS in Catch Breadcrumb Plugin

Catch Breadcrumb comes with features such as shortcode options, breadcrumb selectors, separators, and more.

Vulnerability: Unauthenticated reflected XSS
Fixed in version: 1.5.4
Number of sites affected: 1 000+

Catch Breadcrumb 1.5.4 plugin for WordPress allows Reflected XSS via a search query when used with one of the themes from the same author:

  • Alchemist & Alchemist PRO
  • Izabel & Izabel PRO
  • Chique & Chique PRO
  • Clean Enterprise & Clean Enterprise PRO
  • Bold Photography PRO
  • Intuitive PRO
  • Devotepress PRO
  • Clean Blocks PRO
  • Foodoholic PRO
  • Catch Mag PRO
  • Catch Wedding PRO
  • Higher Education PRO

Read more about the vulnerable WordPress plugin here.

Authenticated RCE in Media Library Assistant Plugin

The Media Library Assistant plugin provides several enhancements for managing the Media Library.

Vulnerability: Authenticated RCE
Fixed in version: 2.82
Number of sites affected: 60 000+

Remote Code Execution can occur via the tax_query, meta_query, and date_query parameter of the [mla_gallery] shortcode.

Read more about the vulnerable WordPress plugin here.

Reflected Cross-Site Scripting (XSS) in GTranslate Plugin

The GTranslate plugin uses the Google Translate automatic translation service to translate a WordPress site and make it multilingual.

Vulnerability: Reflected cross-site scripting (XSS)
Fixed in version: 2.8.52
Number of sites affected: 200 000+

The GTranslate plugin before 2.8.52 for WordPress has Reflected XSS via a crafted link. This requires the use of the hreflang tags features within a sub-domain or sub-directory paid option.

Read more about the vulnerable WordPress plugin here.

Authenticated Stored XSS in Widget Settings Importer/Exporter

Widget Settings Importer/Exporter is a WordPress plugin that offers the ability to import and export WordPress widgets.

Vulnerability: Authenticated stored XSS
Fixed in version: no known fix – plugin closed
Number of sites affected: 40 000+

This flaw allowed an authenticated attacker with minimal, subscriber-level permissions to import and activate custom widgets containing arbitrary JavaScript into a site with the plugin installed.

Read more about the vulnerable WordPress plugin here.

Unprotected AJAX Action to Stored/Reflected XSS in Accordion Plugin

Accordion is an easy and powerful tool to create accordion, faq, tabs, tab content, frequently asked question, knowledgebase, question & answer section.

Vulnerability: Unprotected AJAX action to stored/reflected XSS
Fixed in version: 2.2.9
Number of sites affected: 30 000+

This flaw allowed any authenticated user with subscriber-level or higher permissions to import a new accordion and inject malicious JavaScript as part of the accordion.

The PoC will be displayed on April 28, 2020, to give users the time to update.

Broken Authentication and Missing Capability Checks on AJAX calls in Responsive Poll Plugin

A responsive and customizable poll, image & video poll plugin for WordPress.

Vulnerability: Authenticated stored cross-site scripting (XSS)
Fixed in version: 1.3.4 – plugin closed
Number of sites affected: 900+

In versions below 1.3.3, unauthenticated users can manipulate polls, e.g. delete, clone, or view a hidden poll.

In versions below 1.3.4, any authenticated user can do the same. Version 1.3.4 added capability checks; however, the issues are still exploitable via CSRF, as there are no nonce checks.

Read more about the vulnerable WordPress plugin here.

Multiple Vulnerabilities in Media Library Assistant Plugin

The Media Library Assistant provides several enhancements for managing the media library.

Vulnerability: Unauthenticated limited local file inclusion
Fixed in version: 2.82
Number of sites affected: 60 000+

The Media Library Assistant plugin before 2.82 for WordPress suffers from a Local File Inclusion vulnerability in mla_gallery link=download.

Vulnerability: Authenticated stored cross-site scripting (XSS)
Fixed in version: 2.82
Number of sites affected: 60 000+

The Media Library Assistant plugin before 2.82 for WordPress suffers from multiple XSS vulnerabilities in all Settings/Media Library Assistant tabs, which allow remote authenticated users to execute arbitrary JavaScript.

Read more about the vulnerable WordPress plugin here and here.

Unauthenticated Sensitive Data Exposure in Tickera WordPress Event Ticketing Plugin

Tickera allows you to check in attendees easily by using simple iPhone and Android mobile applications, barcode readers, or even our powerful premium platform-independent Chrome Desktop application to speed up the whole check-in process.

Vulnerability: Unauthenticated sensitive data exposure
Fixed in version: 3.4.6.9
Number of sites affected: 8 000+

Due to missing authorization controls in the “admin_init” hooks, all personal data from registered users of an event could be exported into a downloadable PDF file by every unauthenticated user. The event ID could be read from the page source and/or easily enumerated in sequence.

The PoC will be displayed on April 25, 2020, to give users the time to update.

Unauthenticated Reflected XSS in Support Ticket System By Phoeniixx

With the Support Ticket System, the customers can send in their queries as tickets. You can assign them to the agents who will work towards solving them.

Vulnerability: Unauthenticated reflected XSS
Fixed in version: no known fix – plugin closed
Number of sites affected: 5 000+

Bad user input sanitization leads to unauthenticated reflected XSS.

Unauthenticated SQL Injection in WP Advanced Search Plugin

WP Advanced Search helps to create a search option in WordPress sites.

Vulnerability: Unauthenticated SQL injection
Fixed in version: 3.3.6
Number of sites affected: 1 000+

Because the plugin builds SQL by string concatenation, allows direct access to a vulnerable PHP file, and does not follow best practices for coding SQL operations, there is an unauthenticated SQL injection in autocompletion-PHP5.5.php.

The PoC will be displayed on April 17, 2020, to give users the time to update. You can find more information here.
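The entry above names the pattern (string concatenation, a directly reachable PHP file) rather than the fix. As an added example, not the WP Advanced Search code, here is an autocompletion query written both ways, with $wpdb->prepare() and the AJAX API in the hardened form; it also covers the Advanced Woo Search entry above, where the raw SQL text was returned to the client. Function and action names are hypothetical.

```php
<?php
// Constructed example, not the WP Advanced Search code. Names are hypothetical.

if ( ! defined( 'ABSPATH' ) ) {
    exit; // a plugin file must not run when requested directly
}

// --- Weak: the search term is spliced into the statement --------------------
function example_autocomplete_weak( $term ) {
    global $wpdb;
    // A single quote in $term closes the string literal and everything after
    // it is parsed as SQL, so the caller controls the statement, not the pattern.
    $sql = "SELECT post_title FROM {$wpdb->posts}"
         . " WHERE post_status = 'publish' AND post_title LIKE '%" . $term . "%' LIMIT 10";
    return $wpdb->get_col( $sql );
}

// --- Hardened: placeholders, LIKE escaping, bounded result ------------------
function example_autocomplete( $term, $limit = 10 ) {
    global $wpdb;
    // esc_like() makes %, _ and \ literal pattern characters; prepare() then
    // quotes the whole value as one string and casts $limit to an integer.
    $like = '%' . $wpdb->esc_like( $term ) . '%';
    $sql  = $wpdb->prepare(
        "SELECT post_title FROM {$wpdb->posts}
         WHERE post_status = 'publish' AND post_title LIKE %s
         ORDER BY post_title LIMIT %d",
        $like,
        $limit
    );
    return $wpdb->get_col( $sql );
}

// Expose the query through admin-ajax.php, not a directly reachable PHP file.
// A public search box legitimately needs the nopriv hook; that is a deliberate
// decision here, not a side effect of a file that forgot to load WordPress.
add_action( 'wp_ajax_example_autocomplete', 'example_autocomplete_ajax' );
add_action( 'wp_ajax_nopriv_example_autocomplete', 'example_autocomplete_ajax' );

function example_autocomplete_ajax() {
    $term = isset( $_GET['term'] ) ? sanitize_text_field( wp_unslash( $_GET['term'] ) ) : '';
    if ( '' === $term || strlen( $term ) > 100 ) {
        wp_send_json_error( 'invalid term', 400 );
    }
    // Return rows only. Echoing $wpdb->last_query or the SQL string back to the
    // client is the "SQL query leak" pattern seen in Advanced Woo Search above.
    wp_send_json_success( example_autocomplete( $term ) );
}
```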

Authenticated Arbitrary Plugin Deactivation, Activation and Installation in Klarna Checkout for WooCommerce

This official Klarna extension also makes it easy for you to handle orders in WooCommerce after a purchase is complete.

Vulnerability: Authenticated arbitrary plugin deactivation, activation, and installation
Fixed in version: 2.0.10
Number of sites affected: 20 000+

The plugin registers one AJAX action intended for installing addon plugins from WordPress.org. The callback method for this action has neither a capability check nor a nonce check.

This enables any logged-in user to post a request to the endpoint and install, activate or deactivate any plugin. Since the action is not registered with a “nopriv” variant, the exploit can only be used when logged in.

The plugin is used in conjunction with the e-commerce plugin WooCommerce which in most cases creates a WordPress-user when a purchase is made in the shop. It is also possible to register as a customer in many of the shops.

It has been verified that the exploit can be used by users with the customer role, which means that many websites are affected. The exploit works in version 2.0.9 and all the way back to version 1.0.9.

The PoC will be displayed on April 23, 2020, to give users the time to update.

Unauthenticated Stored Cross-Site Scripting (XSS) in Online Hotel Booking System Pro

A WordPress plugin for an online hotel booking system.

Vulnerability: Unauthenticated stored cross-site scripting (XSS)
Vulnerable version: no known fix
Number of sites affected: N/A

An unauthenticated user can inject malicious JavaScript via the booking form, specifically in the new user details. The XSS payload is then executed when an authenticated administrator user views the booking on the Customer-booking page.

If you are not protected by WebARX, we suggest removing the plugin from your website.

Read more about the vulnerable WordPress plugin here.

Unauthenticated Stored Cross-Site Scripting (XSS) in Car Rental System Plugin

Native and responsive WordPress plugin to rent a car.

Vulnerability: Unauthenticated stored cross-site scripting (XSS)
Vulnerable version: no known fix
Number of sites affected: N/A

An unauthenticated user can inject malicious JavaScript via the booking form, specifically in the new user details. The XSS payload is then executed when an authenticated administrator user views the booking on the booking-list and cust-lookup pages.

If you are not protected by WebARX, we suggest removing the plugin from your website.

Read more about the vulnerable WordPress plugin here.

Authenticated Settings Change in Gutenberg Blocks – Ultimate Addons for Gutenberg Plugin

Gutenberg blocks that help you build websites.

Vulnerability: Authenticated settings change
Fixed in version: 1.14.8
Number of sites affected: 200 000+

Read more about the vulnerable WordPress plugin here.

Authenticated Stored Cross-Site Scripting (XSS) in WP Lead Plus X Plugin

Create landing pages for your websites without coding.

Vulnerability: Authenticated stored XSS
Fixed in version: 0.99
Number of sites affected: 70 000+

This page builder interface relied on an unprotected AJAX action core37_lp_save_page which lacked a capability check and a nonce check in order to save and update pages.

The PoC will be displayed on April 21, 2020, to give users the time to update.

Authenticated Stored XSS in WP Last Modified Info Plugin

This plugin automatically inserts last modified or updated info on your WordPress posts and pages.

Vulnerability: Unauthenticated stored XSS
Fixed in version: 1.6.6
Number of sites affected: 10 000+

When saving a new campaign, a user with administrator capabilities can store scripts in the plugin’s options. The code can then be executed on every page or post on the website.

The PoC will be displayed on April 17, 2020, to give users the time to update.

Authenticated Stored Cross-Site Scripting (XSS) in Contact Form 7 Datepicker

This plugin will allow you to create date picker fields.

Vulnerability: Authenticated stored cross-site scripting (XSS)
Vulnerable version: no known fix – plugin closed
Number of sites affected: N/A

Contact Form 7 Datepicker registers an AJAX action to save settings which calls a function that fails to perform a capability check or nonce check.

As such, a logged-in attacker with minimal permissions (such as a subscriber) can send a crafted request which will store a malicious JavaScript in the plugin’s settings.

The next time an authorized user created or modified a contact form, the stored JavaScript would be executed in their browser, which could be used to steal an administrator’s session or even create malicious administrative users.

Read more about the vulnerable WordPress plugin here.
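The MapPress, Klarna Checkout, WP Lead Plus X, Responsive Poll and Contact Form 7 Datepicker entries above all share one defect: an AJAX callback with neither a capability check nor a nonce check. As an added example, not code from any of those plugins, here is a settings-saving action in that weak form beside its hardened form; option, action and hook names are hypothetical.

```php
<?php
// Constructed example, not code from any plugin named in this article.

if ( ! defined( 'ABSPATH' ) ) {
    exit;
}

// --- Weak: the pattern behind the entries above -----------------------------
// Every wp_ajax_* handler is reachable by any logged-in user (a subscriber or a
// WooCommerce customer); wp_ajax_nopriv_* handlers by unauthenticated visitors.
add_action( 'wp_ajax_example_save_footer_weak', 'example_save_footer_weak' );

function example_save_footer_weak() {
    // No capability check: a subscriber can write the option.
    // No nonce: a page elsewhere can make an administrator's browser write it (CSRF).
    // No filtering: the stored markup is later echoed on every page (stored XSS).
    update_option( 'example_footer_html', wp_unslash( $_POST['footer_html'] ) );
    wp_send_json_success();
}

// --- Hardened ----------------------------------------------------------------
add_action( 'wp_ajax_example_save_footer', 'example_save_footer' );

function example_save_footer() {
    // 1. CSRF: require a nonce bound to this action and the current user;
    //    check_ajax_referer() terminates the request if it is missing or stale.
    check_ajax_referer( 'example_save_footer', '_ajax_nonce' );

    // 2. Authorization: a valid nonce proves intent, not privilege. Require the
    //    capability that matches the impact of writing a site-wide option.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Stored XSS: only users who hold unfiltered_html may keep raw markup
    //    (the capability the LearnPress escalation above handed out); everyone
    //    else gets the post-content allow-list applied.
    $html = isset( $_POST['footer_html'] ) ? wp_unslash( $_POST['footer_html'] ) : '';
    if ( ! current_user_can( 'unfiltered_html' ) ) {
        $html = wp_kses_post( $html );
    }
    update_option( 'example_footer_html', $html );
    wp_send_json_success();
}

// The admin page that sends the request needs the matching nonce; hand it to
// the script instead of hard-coding anything in the browser.
function example_admin_scripts( $hook ) {
    if ( 'settings_page_example' !== $hook ) {
        return;
    }
    wp_enqueue_script( 'example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_save_footer' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'example_admin_scripts' );

// Where the option is rendered, filter again on output; storage-time filtering
// is defence in depth, not a substitute.
function example_render_footer() {
    echo wp_kses_post( get_option( 'example_footer_html', '' ) );
}
add_action( 'wp_footer', 'example_render_footer' );
```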

Unauthenticated Stored Cross-Site Scripting (XSS) in OneTone Theme

One page WordPress theme.

Vulnerability: Unauthenticated stored cross-site scripting (XSS)
Vulnerable version: no known fix
Number of sites affected: N/A

Due to missing capability checks and security nonces, an unauthenticated attacker can use the theme options import feature to inject JavaScript code into all pages and posts of the website.

Read more about the vulnerable WordPress theme here.

Unauthenticated SQL Injection in WP Advanced Search Plugin

Search plugin for WordPress.

Vulnerability: Unauthenticated SQL injection
Vulnerable version: no known fix – plugin closed
Number of sites affected: N/A

Because the plugin builds SQL by string concatenation, allows direct access to a vulnerable PHP file, and does not follow best practices for coding SQL operations, there is an unauthenticated SQL injection in autocompletion-PHP5.5.php.

The PoC will be displayed once the issue has been remediated.

Unauthenticated Arbitrary File Upload in Art-Picture-Gallery Plugin

A gallery plugin for WordPress.

Vulnerability: Unauthenticated arbitrary file upload
Vulnerable version: no known fix – plugin closed
Number of sites affected: N/A

The PoC will be displayed once the issue has been remediated.

Unauthenticated SQL Injection in LearnDash Plugin

Create & sell courses, deliver quizzes, award certificates, manage users, download reports, and more.

Vulnerability: Unauthenticated SQL injection
Fixed in version: 3.1.6
Number of sites affected: 100 000+

Fixed PayPal IPN to prevent secondary unauthenticated SQL injection (now only using PayPal post data for the transaction data).

Read more about the vulnerable WordPress plugin here.

Arbitrary File Writing in LifterLMS Plugin

Auth0 is a WordPress authentication plugin with features like social login buttons, multifactor authentication and more.

Vulnerabilities:

  • CSRF controls missing for domain field
  • Stored XSS in the Settings page
  • Stored XSS in multiple pages
  • CSV injection vulnerabilities
  • Insecure direct object reference

Fixed in version: 4.0.0
Number of sites affected: 4 000+

Read more about the vulnerable WordPress plugin here.

Vulnerable WordPress Plugin Can End Up With Malware Infection

WordPress sites are being hacked and infected every day. Some statistics say that about 30,000 websites are infected with some type of malware daily. Every public website is a resource available on the internet and therefore a target: as soon as your website is available to the public, it immediately becomes one.

It can take just days from a disclosed plugin vulnerability to a full-scale attack campaign. Attacks of this nature are almost always automated, so you have only a small time window to react. In such cases, web application firewalls are of critical importance.


Always keep your plugins updated so you don’t have a vulnerable plugin on your site. If possible, enable automatic updates. If you are using any of the plugins mentioned above, update them to the latest version as soon as possible.

WebARX web application firewall gets virtual patches that are distributed automatically among the sites when vulnerabilities are discovered. Threat intelligence and prevention are our main focus and thus our firewall engine is updated on a daily basis.

Websites with WebARX firewall installed are protected from the security issues mentioned in this article. If you are not protecting your WordPress site against plugin vulnerabilities yet go and start for free here.

Frequently Asked Questions About Vulnerable WordPress Plugins

Does installing many WordPress plugins negatively affect security?

There is no rule of thumb on how many plugins you should have on your site, but if you choose to add functionality to your site using plugins, you should closely monitor available updates.

As said, hundreds of WordPress sites get hacked every day. Statistics say that 98% of hacking incidents happen because of outdated plugins and themes. We recommend using the auto-update feature on vulnerable plugins and installing a managed web application firewall that sends automatic virtual patches to your sites.

If you have a lot of plugins you should strongly consider using WebARX to protect your sites.

How do I know if I have a vulnerable WordPress plugin on my site?

The best approach is to monitor your site for vulnerabilities. WebARX has a good overview and monitoring panel where you can gain a full overview of what is going on with your sites.

You can also enable auto-updates for vulnerable plugins and receive notifications if any of the sites you manage are outdated or under risk.

How to choose a WordPress security plugin?

This will require some critical thinking, as many providers promise 100% security. That can never be promised. When choosing, make sure the security provider offers a managed web application firewall with virtual patches and active support.
