Wordpress security

WordPress Vulnerability News, May 2020


Updated: May 26, 2020 by Agnes Talalaev

This is the monthly WordPress plugin vulnerability digest. It lists the vulnerable WordPress plugins that were disclosed or highlighted during the month (other, less critical vulnerabilities in smaller plugins unfortunately do not always make the list).

All the vulnerabilities listed in this article have received a virtual patch in the WebARX firewall.

This means that if you use the WebARX web application firewall, requests that try to exploit these vulnerabilities are blocked before they reach the plugin. A virtual patch blocks the exploit at the request layer but does not remove the flaw from the code, so it is always strongly advised to update or delete vulnerable plugins from your site. If possible, enable automatic updates in the WebARX Portal.

Is your WordPress site secured? Take a look at how to secure your site here.

If you are a WordPress plugin developer, read how to secure plugins from an attacker’s perspective or contact support@webarxsecurity.com and ask for a plugin security audit.

Read March WordPress vulnerability news here and April WordPress vulnerability news here.

MailerLite Sign Up Forms

MailerLite Sign Up Form plugin makes it easy to grow your newsletter subscriber list from your WordPress blog or website.

The MailerLite Sign Up Forms plugin (version 1.4.3 and below) has multiple SQL injection and CSRF vulnerabilities.

Vulnerability: Unauthenticated SQL Injection
Fixed in version: 1.4.4
Number of sites affected: 100 000+

The CSRF issues in this plugin make it possible to edit, add, and delete signup form views.

Vulnerability: CSRF
Fixed in version: no known fix
Number of sites affected: 100 000+

The developer released plugin version 1.4.4, which fixes the SQL injection issue, but the CSRF issue is still present.

Sites with WebARX firewall installed have received a virtual patch and are protected from both of these vulnerabilities.

Read more about the vulnerability here.

Form Maker by 10Web

Form Maker is a drag & drop plugin for building forms.

Vulnerability: Authenticated SQL injection
Fixed in version: 1.13.35
Number of sites affected: 100 000+

Authenticated (admin+) SQL injection in the Form Maker by 10Web WordPress plugin, in versions before 1.13.35, exists via the s parameter of /wp-admin/admin.php?page=blocked_ips_fm&s=1.

The PoC will be displayed once the issue has been remediated. Read more here.

ThirstyAffiliates Affiliate Link Manager

ThirstyAffiliates gives bloggers the tools they need to monetize their WordPress website with affiliate marketing.

Vulnerability: Authenticated Stored XSS
Fixed in version: 3.9.3
Number of sites affected: 30 000+

An authenticated attacker, such as an author, could attach an image with malicious JavaScript as its title, which would be executed once viewed by an administrator user.

The PoC will be displayed on June 05, 2020, to give users the time to update. Read more here.

WP Frontend Profile

WP Frontend Profile gives you the ability to add an extensible user profile section to the frontend of your WordPress website. 

Vulnerability: CSRF check incorrectly implemented
Fixed in version: 1.2.2
Number of sites affected: 300+

The cross-site request forgery (CSRF) nonce was not verified correctly in the WP Frontend Profile WordPress plugin.

Read about the WordPress plugin vulnerability here.

Paid Memberships Pro

A WordPress membership plugin.

Vulnerability: Authenticated SQL injection
Fixed in version: 2.3.3
Number of sites affected: 90 000+

A high-privileged user (administrator) could perform SQL injection attacks when adding new orders in the dashboard. Because the attacker already needs administrator rights, the practical impact is mostly on multisite installs and as a second stage after a CSRF or privilege-escalation bug.

Read about the WordPress plugin vulnerability here.

WordPress Infinite Scroll – Ajax Load More

Ajax Load More is a WordPress infinite scroll plugin for lazy loading posts, single posts, pages, comments, and more.

Vulnerability: Authenticated SQL injection
Fixed in version: 5.3.2
Number of sites affected: 50 000+

The PoC will be displayed once the issue has been remediated.

Visual Composer Website Builder


Visual Composer Website Builder is a drag and drop editor to create a WordPress site.

Vulnerability: Multiple authenticated cross-site scripting
Fixed in version: 27.0
Number of sites affected: 80 000+

Version 27.0 of Visual Composer Website Builder fixed multiple stored cross-site scripting issues that allowed users with the contributor role and above to inject arbitrary JavaScript into the blog.

Read about the WordPress plugin vulnerability here.

Team Members


This plugin adds a “Teams” section to the admin panel which allows you to showcase your staff/employees/people on your website.

Vulnerability: Authenticated stored cross-site scripting (XSS)
Fixed in version: 5.0.4
Number of sites affected: 40 000+

Cross-site scripting vulnerabilities in Team Members version 5.0.3 and lower allow a medium-privileged authenticated attacker (contributor+) to inject arbitrary web script or HTML via the ‘Description/biography’ of a member.

The PoC will be displayed on May 30, 2020, to give users the time to update.

Login/Signup Popup

Login/Signup Popup is a plugin that allows users to login/signup anywhere from the site via pop-up without refreshing the page.

Vulnerability: Authenticated (subscriber+) stored cross-site scripting (XSS)
Fixed in version: 1.5
Number of sites affected: 10 000+

A lack of capability checks and a security nonce allows any authenticated user to inject JavaScript code into the plugin’s settings via the AJAX API and use it to target the administrator in the WordPress backend. At the time of writing the vulnerability had already been exploited in the wild for a couple of days.

Read about the WordPress plugin vulnerability here.

WP Product Review

A product review plugin.

Vulnerability: Unauthenticated stored cross-site scripting (XSS)
Fixed in version: 3.7.6
Number of sites affected: 40 000+

All user input is sanitized, but the WordPress function used can be bypassed when the value is later placed inside an HTML attribute. A successful attack injects malicious scripts into all the site’s products.

Read about the WordPress plugin vulnerability here.

Photo Gallery by 10Web


Photo Gallery is a plugin for building galleries.

Vulnerability: Unauthenticated SQL injection
Fixed in version: 1.5.55
Number of sites affected: N/A

SQL injection in the Photo Gallery (10Web Photo Gallery) plugin before 1.5.55 exists via the bwg_search_x parameter of frontend/models/model.php. All gallery types are affected, and any unauthenticated remote attacker can exploit it.

The PoC will be displayed on June 05, 2020, to give users the time to update.
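
The SQL injection entries in this digest (MailerLite Sign Up Forms, Form Maker, Paid Memberships Pro, Ajax Load More and Photo Gallery) come down to the same coding mistake: a request parameter concatenated into a query string. The following is an added illustration written for this article, not code from any of those plugins; the table name, column names, parameter name and AJAX action are invented, and it assumes it is loaded as part of a WordPress plugin so that $wpdb and the AJAX hooks exist.

```php
<?php
/**
 * Added illustration of the SQL injection pattern behind the entries above.
 * NOT code from any plugin mentioned in this article: the table (wp_example_gallery),
 * the columns, the parameter (gallery_search) and the hook name are invented.
 * Assumes it runs inside WordPress (global $wpdb and the AJAX API are loaded).
 */

// Vulnerable: the request parameter is interpolated directly into the query.
// A value such as  ' OR 1=1 --  turns the WHERE clause into a tautology, and a
// UNION SELECT payload reads other tables (wp_users, wp_options) through an
// unauthenticated endpoint, which is what makes the Photo Gallery case critical.
function example_gallery_search_vulnerable( $search ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_gallery';
    // sanitize_text_field() strips tags but leaves quotes and SQL keywords intact,
    // so it is no defence against injection.
    $search = sanitize_text_field( $search );
    $sql    = "SELECT id, name FROM {$table} WHERE name LIKE '%{$search}%' AND published = 1";
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Hardened: the value is bound through $wpdb->prepare(). LIKE wildcards inside the
// user input are escaped with esc_like(), so the user cannot widen the match either.
function example_gallery_search_safe( $search ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_gallery';
    $like  = '%' . $wpdb->esc_like( sanitize_text_field( $search ) ) . '%';
    $sql   = $wpdb->prepare(
        "SELECT id, name FROM {$table} WHERE name LIKE %s AND published = 1",
        $like
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}

// Numeric parameters: cast them, never quote them. %d in prepare() does the cast.
function example_gallery_by_id_safe( $id ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_gallery';
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT id, name FROM {$table} WHERE id = %d", absint( $id ) ),
        ARRAY_A
    );
}

// Public (nopriv) AJAX endpoint wired to the safe version. Being reachable without
// a login is fine for a search; it is the raw concatenation that must not exist.
add_action( 'wp_ajax_nopriv_example_gallery_search', 'example_gallery_search_ajax' );
add_action( 'wp_ajax_example_gallery_search', 'example_gallery_search_ajax' );
function example_gallery_search_ajax() {
    $search = isset( $_GET['gallery_search'] ) ? wp_unslash( $_GET['gallery_search'] ) : '';
    wp_send_json_success( example_gallery_search_safe( $search ) );
}
```

The table name is still interpolated in the hardened version because prepare() placeholders only cover values, so the prefix must come from $wpdb->prefix, never from the request. When auditing a plugin, grep for $wpdb->query, get_results, get_row and get_var calls whose first argument is a double-quoted string containing a variable without a surrounding prepare().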

Site Kit by Google


Site Kit is the official WordPress plugin from Google for insights about how people find and use your site.

Vulnerability: Privilege escalation to gain search console access
Fixed in version: 1.8.0
Number of sites affected: 400 000+

This flaw allows any authenticated user, regardless of capability, to become a Google Search Console owner for any site running the Site Kit by Google plugin.

Read about the WordPress plugin vulnerability here.

Easy Testimonials

Easy Testimonials is a plugin that allows users to add Testimonials to the sidebar, as a widget, or to embed testimonials into a Page or Post using the shortcode. 

Vulnerability: Authenticated stored cross-site scripting (XSS)
Fixed in version: 3.6
Number of sites affected: 30 000+

Multiple cross-site scripting vulnerabilities in Easy Testimonials 3.5.2 and lower allow an authenticated attacker to inject arbitrary web script or HTML via the Client Name, Position/Web Address/Other, Location Reviewed/Product Reviewed/Item Reviewed and Rating parameters.

Successful exploitation lets a medium-privileged user (contributor+) inject arbitrary JavaScript that executes when an administrator or another user opens the All Testimonials page in the backend. If the ‘Allow HTML Tags in Testimonials’ option is enabled (the default), the script also fires when the testimonial is displayed on the frontend.

The PoC will be displayed on May 27, 2020, to give users the time to update.

Iframe

You may use iframe shortcode to embed content from YouTube, Vimeo, Google Maps, or any external page.

Vulnerability: Authenticated stored cross-site scripting (XSS)
Fixed in version: 4.5
Number of sites affected: 100 000+

The iframe plugin before 4.5 does not sanitize a URL.

The PoC will be displayed on May 27, 2020, to give users the time to update.
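
The stored XSS entries above are mostly output-context mistakes rather than missing input filtering: WP Product Review sanitized its input but wrote it into an HTML attribute, Easy Testimonials echoes HTML because an option says HTML is allowed, and the Iframe plugin did not sanitize a URL. The block below is an added illustration written for this article, not code from those plugins; which sanitizing function WP Product Review used is not stated on the page, so sanitize_text_field() stands in as a representative input filter, and the field names, option names and shortcode name are invented. It assumes it runs inside WordPress.

```php
<?php
/**
 * Added illustration of the escaping-context mistakes behind the stored XSS entries
 * above (WP Product Review, Easy Testimonials, Iframe). NOT code from those plugins;
 * the field names, the allow-list and the shortcode name are invented.
 * Assumes it runs inside WordPress so esc_attr(), wp_kses(), esc_url() etc. exist.
 */

// Constructed sample of what a contributor could save as a "title": no tag at all,
// so tag stripping on input does not touch it:
//   " autofocus onfocus="alert(document.domain)

// Vulnerable: sanitize_text_field() removed tags on the way in, but the value is
// written inside a double-quoted attribute. The embedded quote closes value="..."
// and the rest of the string becomes a new event-handler attribute on the element.
function example_render_title_vulnerable( $title ) {
    $title = sanitize_text_field( $title );   // looks sanitized, quotes survive
    return '<input type="text" name="title" value="' . $title . '">';
}

// Hardened: escape for the context the value is written into. esc_attr() encodes
// the quote, so the attribute cannot be closed early. Always quote attributes.
function example_render_title_safe( $title ) {
    return '<input type="text" name="title" value="' . esc_attr( $title ) . '">';
}

// Text-node context: esc_html(). It is the right call between tags, and the wrong
// one for an unquoted attribute, which is why the context must be decided per use.
function example_render_name_safe( $name ) {
    return '<span class="reviewer">' . esc_html( $name ) . '</span>';
}

// "Allow HTML" fields (the Easy Testimonials option): keep formatting but drop
// scripts and event handlers with wp_kses() and an explicit allow-list, instead of
// echoing the raw value because the option says HTML is permitted.
function example_render_testimonial_body_safe( $html ) {
    $allowed = array(
        'a'      => array( 'href' => true, 'title' => true, 'rel' => true ),
        'strong' => array(),
        'em'     => array(),
        'p'      => array(),
        'br'     => array(),
    );
    return wp_kses( $html, $allowed );
}

// URL attribute (the Iframe shortcode case): esc_url() with an explicit scheme list
// returns '' for javascript:, data: and anything else not listed, and encodes quotes.
function example_iframe_shortcode_safe( $atts ) {
    $atts = shortcode_atts( array( 'src' => '', 'width' => 560, 'height' => 315 ), $atts );
    $src  = esc_url( $atts['src'], array( 'http', 'https' ) );
    if ( '' === $src ) {
        return '';   // disallowed scheme or empty: render nothing
    }
    return sprintf(
        '<iframe src="%s" width="%d" height="%d"></iframe>',
        $src,
        absint( $atts['width'] ),
        absint( $atts['height'] )
    );
}
add_shortcode( 'example_iframe', 'example_iframe_shortcode_safe' );
```

The point to check in a review is not whether the plugin sanitizes on save but whether every echo of a stored value uses the escaping function that matches where it lands: esc_html() between tags, esc_attr() inside a quoted attribute, esc_url() in href or src, and wp_kses() with a tight allow-list where markup must survive.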

WooCommerce

WooCommerce is a flexible, open-source eCommerce solution built on WordPress.

Vulnerability: Unescaped metadata when duplicating products
Fixed in version: 4.1.0
Number of sites affected: 5+ million

The WooCommerce changelog file was updated with the following message: “Security – Fixed unescaped metadata while duplicating products.”

Page Builder by SiteOrigin

SiteOrigin Page Builder is a page creation plugin for WordPress.

Vulnerability: CSRF to reflected cross-site scripting (XSS)
Fixed in version: 2.10.16
Number of sites affected: 1+ million

Flaws in the live editor and action_builder_content functions of the plugin “allow attackers to forge requests on behalf of a site administrator and execute malicious code in the administrator’s browser.

The attacker needs to trick a site administrator into executing an action, like clicking a link or an attachment, for the attack to succeed.”

The PoC will be displayed on May 25, 2020, to give users the time to update.

Ultimate Addons for Elementor

A library of unique Elementor Widgets to add more functionality and flexibility to your favorite page builder.

Vulnerability: Registration bypass
Fixed in version: 1.24.2
Number of sites affected: 90 000+

The Ultimate Addons for Elementor plugin recently patched a vulnerability in version 1.24.2 that allows attackers to create subscriber-level users, even if registration is disabled on a WordPress site.

This vulnerability is being used in conjunction with a 0-day vulnerability in Elementor PRO.

Read about the WordPress vulnerability plugin here.

Elementor Pro

A WordPress page builder.

Vulnerability: Authenticated arbitrary file upload (critical)
Fixed in version: 2.9.4
Number of sites affected: N/A

Two plugins are involved in this attack campaign: Elementor Pro, made by Elementor, and the Ultimate Addons for Elementor plugin described above. Elementor Pro had a zero-day arbitrary file upload vulnerability that any registered user could exploit, so sites with open registration (or running the vulnerable Ultimate Addons registration bypass) were exposed.

This vulnerability does not impact the free Elementor plugin with over 4 million installations.

It is still strongly advised to update Elementor Pro to the latest version.

The PoC will be displayed on June 07, 2020, to give users the time to update.

Elementor

A live page builder for WordPress.

Vulnerability: SVG sanitizer bypass leading to authenticated stored XSS
Fixed in version: 2.9.8
Number of sites affected: 4+ million

There is a bypass in the SVG sanitizer, which could lead to an authenticated stored XSS issue from users with the upload_files capability.

Read about the WordPress vulnerability plugin here.

Advanced Order Export For WooCommerce

This plugin helps you to easily export WooCommerce order data.

Vulnerability: Authenticated cross-site scripting (XSS)
Fixed in version: 3.1.4
Number of sites affected: 90 000+

The Advanced Order Export plugin for WooCommerce versions < 3.1.4 had a reflected XSS vulnerability due to a lack of input sanitization on the woe_post_type parameter. This allowed arbitrary HTML and JavaScript injection and execution in the context of the logged-in user.

The PoC will be displayed on May 18, 2020, to give users the time to update.

Ninja Forms

A drag and drop forms plugin.

Vulnerability: CSRF to Stored XSS
Fixed in version: 3.4.24.2
Number of sites affected: 1+ million

Cross-Site Request Forgery (CSRF) was discovered in the Ninja Forms plugin. By exploiting the CSRF vulnerability, an attacker could inject arbitrary malicious JavaScript via the import contact feature.

Read about the WordPress vulnerability plugin here.
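
Several entries in this digest are the same authorization bug in different clothes: MailerLite’s signup form views can be changed by CSRF, WP Frontend Profile checked its nonce incorrectly, Login/Signup Popup had neither a capability check nor a nonce on its settings AJAX call, and Page Builder by SiteOrigin and Ninja Forms turn a CSRF into stored XSS. The handler pair below is an added illustration written for this article, not code from any of those plugins; the AJAX action, option name, nonce action and script handle are invented, and it assumes it is loaded as a WordPress plugin with an admin script registered under that handle.

```php
<?php
/**
 * Added illustration of the CSRF / missing-authorization pattern behind several entries
 * above (MailerLite, WP Frontend Profile, Login/Signup Popup, Page Builder by SiteOrigin,
 * Ninja Forms). NOT code from any of those plugins; the action, option, nonce and script
 * handle names are invented. Assumes it runs inside WordPress.
 */

// Vulnerable handler. Three separate defects, any one of which is enough:
//  1. also registered on wp_ajax_nopriv_, so no login is needed at all;
//  2. no capability check, so any logged-in user (subscriber+) may change settings;
//  3. the nonce is only tested for presence; wp_verify_nonce() is never called, so a
//     cross-site form post fired from the administrator's browser succeeds.
add_action( 'wp_ajax_example_save_settings',        'example_save_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_example_save_settings', 'example_save_settings_vulnerable' );
function example_save_settings_vulnerable() {
    if ( empty( $_POST['example_nonce'] ) ) {        // presence check only: defect 3
        wp_send_json_error( 'missing nonce' );
    }
    $settings = array(
        'popup_text' => $_POST['popup_text'],         // raw; rendered later in wp-admin
    );
    update_option( 'example_settings', $settings );
    wp_send_json_success();
}

// Hardened handler: no nopriv hook, a capability check that matches the operation,
// and a nonce that is actually verified.
add_action( 'wp_ajax_example_save_settings_v2', 'example_save_settings_safe' );
function example_save_settings_safe() {
    // Authorization: a capability, not is_user_logged_in().
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    // CSRF: verify the nonce and act on the result. check_ajax_referer() wraps this
    // and dies on failure; the explicit form is shown so the check is visible.
    $nonce = isset( $_POST['example_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'example_save_settings' ) ) {
        wp_send_json_error( 'bad nonce', 403 );
    }
    // Sanitize on the way in; the admin page must still escape on the way out.
    $settings = array(
        'popup_text' => wp_kses_post( wp_unslash( $_POST['popup_text'] ?? '' ) ),
    );
    update_option( 'example_settings', $settings );
    wp_send_json_success();
}

// The nonce is minted with the same action string and handed only to the admin page
// that submits the request; a page on another origin cannot read it.
// Assumes a script registered under the handle 'example-admin'.
add_action( 'admin_enqueue_scripts', 'example_localize_nonce' );
function example_localize_nonce() {
    wp_localize_script( 'example-admin', 'exampleAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'example_save_settings' ),
    ) );
}

// For admin-post.php or settings-form handlers the equivalent pair is
// check_admin_referer( 'example_save_settings', 'example_nonce' ) plus current_user_can().
```

A nonce alone is not authorization: it proves the request came from a page WordPress served to this user, while current_user_can() decides whether that user may perform the action. Both checks are needed, and the result of wp_verify_nonce() has to be acted on, which is the step the WP Frontend Profile entry above got wrong.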

WTI Like Post


WTI Like Post is a plugin for adding like (thumbs up) and unlike (thumbs down) functionality for posts/pages. 

Vulnerability: Authenticated stored cross-site scripting
Fixed in version: no known fix (plugin closed)
Number of sites affected: 10 000+

A stored XSS vulnerability has been found in the administration page of the WTI Like Post plugin 1.4.4 for WordPress. Once an administrator has submitted the crafted data, the stored script executes for every user who visits the public posts.

The PoC will be displayed once the issue has been remediated.

Avada WordPress Theme

Avada comes in three parts: a theme and two required plugins, Fusion Builder and Fusion Core.

Vulnerability: Content injection & stored XSS and arbitrary post deletion
Fixed in version: 6.2.3
Number of sites affected: 600 000+

Avada, a popular WordPress theme installed on 600,000 websites, was prone to several vulnerabilities affecting version 6.2.2 and below that could allow a low-privileged user to edit, create or delete any page or post on the website.

Read more here.

WordPress Vulnerability – Plugin Can Be the Infection Point For Malware

Malware infections happen daily, and WordPress sites are targeted constantly. WordPress draws this attention mainly because of its popularity, and secondly because of the massive number of third-party components, the plugins, used to build WordPress sites.

These plugins are built by developers who may not always have much security knowledge. When a vulnerability is found, attackers use automated tools to target every site running the plugin, often within days of disclosure, as the Login/Signup Popup entry above shows. This is how plugins become a major threat to WordPress sites.


To keep your sites protected, you should always keep your plugins updated. If possible, enable automatic updates. If you are using any of the mentioned plugins in the article, you need to update them to the latest version as soon as possible.

Secondly, in addition to updating, use a web application firewall with virtual patches; it covers you when you cannot keep an eye on new vulnerabilities every day.

WebARX web application firewall gets virtual patches that are distributed automatically among the sites when vulnerabilities are discovered. Threat intelligence and prevention are our main focus and thus our firewall engine is updated on a daily basis.

Websites with WebARX firewall installed are protected from the security issues mentioned in this article. If you are not protecting your WordPress site against plugin vulnerabilities yet go and start for free here.

Frequently Asked Questions About WordPress Vulnerability and Plugin Vulnerability

How do I know if I have vulnerable WordPress plugin on my site?

The best approach is to monitor your site for vulnerabilities. WebARX has a monitoring panel that gives you a full overview of what is going on with your sites. You can also enable auto-updates for vulnerable plugins and receive notifications if any of the sites you manage are outdated or at risk.

How to choose a WordPress security plugin?

This will require some critical thinking as many of the providers offer 100% security. This can never be promised. When choosing, make sure the security provider offers a managed web application firewall with virtual patches and active support.

Where can I find out if I have vulnerable plugins on my site?

WebARX shows all the software and plugin vulnerabilities once you have installed it on your site. It helps you to always be on top of vulnerabilities, with protection and updates.
