Wordpress security

WordPress Vulnerability News, November 2019

November 12, 2019 by Agnes Talalaev

WordPress vulnerability news is a weekly digest of notable WordPress plugin security vulnerabilities and vulnerability disclosures that have been published (there are other, less critical vulnerabilities in smaller plugins that unfortunately do not make the list).

Keeping up to date with security vulnerabilities in WordPress and other CMSs is an important part of security. That is why we analyze WordPress plugins and newly disclosed vulnerabilities, to make sure that sites using the affected plugins or themes are protected.

All the vulnerabilities listed in this article have received a virtual patch in the WebARX firewall. This means that if you use the WebARX web application firewall, exploitation attempts against these vulnerabilities are blocked before they reach your site, but it is always strongly advised to update or remove vulnerable plugins from your site anyway: a virtual patch buys time, it does not fix the code.

Is your WordPress site secured? Take a look at how to secure your site here.

If you are a WordPress plugin developer, read how to secure plugins from an attacker's perspective.

Cross-Site Request Forgery (CSRF) in WP Spell Check Plugin

With WP Spell Check you can proofread and audit your WordPress website. Find & fix spelling errors, punctuation errors, grammar errors, broken shortcodes & HTML, SEO empty fields, and create a professional image.

Vulnerability: Cross-site request forgery (CSRF)
Vulnerable version: 7.1.9 and below
Number of sites affected: 2000+

The plugin was affected by a CSRF vulnerability that lets an attacker force a logged-in user to perform unwanted actions in the plugin, which in turn could be used to plant a cross-site scripting (XSS) payload.

Vulnerability in Shortcode Embed Code in Jetpack Plugin

Jetpack is a security, performance, and site management plugin.

Vulnerability: Unspecified flaw in the shortcode embed code
Vulnerable version: 5.1 to 7.9
Number of sites affected: 5+ million

Jetpack 7.9.1 contains a critical security update. You should update all sites that you administer as soon as possible.

Cross-Site Request Forgery to Stored Cross-Site Scripting in WP Maintenance Plugin

The WP Maintenance plugin lets you put your website into a maintenance or coming-soon mode while you work on it or prepare to launch it.

Vulnerability: Cross-site request forgery to stored cross-site scripting
Vulnerable version: 5.0.5 and below
Number of sites affected: 30 000+

Description: Form submissions have no nonce protection, which allows CSRF, and there is no input or output sanitization, so a forged request can be used to store an XSS payload that is later rendered to visitors.

The PoC will be published on December 03, 2019, to give users time to update.

Cross-Site Scripting in Sassy Social Share Plugin

Sassy Social Share enables your website users to share the content over Facebook, Twitter, Google, LinkedIn, Whatsapp, Tumblr, Pinterest, Reddit and over 100 more social sharing and bookmarking services.

Vulnerability type: Cross-Site Scripting (XSS)
Vulnerable version: 3.3.3 and below
Number of sites affected: 100 000+

Description: AJAX endpoints that return JSON data do not set a Content-Type header, so the response is served with the default text/html. Any HTML contained in the JSON is therefore rendered by the browser as markup (and any script in it executed in the site's origin) instead of being treated as data.

The PoC will be published on December 02, 2019, to give users time to update.
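The following is an added example written for this digest, not code from Sassy Social Share: a minimal admin-ajax.php handler that echoes JSON with the default text/html Content-Type, next to one that sets the header explicitly. The action name my_plugin_share_counts, the title parameter and the hard-coded count are assumed for illustration.

```php
<?php
// Added example (not Sassy Social Share code). Action name, parameter and
// the count value are assumed.

// VULNERABLE: nothing sets Content-Type, so WordPress's default text/html applies.
// json_encode() escapes "/" but leaves < > & ' " untouched, so a request such as
//   admin-ajax.php?action=my_plugin_share_counts&title=<img src=x onerror=alert(1)>
// returns a body the browser renders as HTML when the URL is opened directly.
function my_plugin_share_counts_vulnerable() {
    $title = isset( $_GET['title'] ) ? wp_unslash( $_GET['title'] ) : '';
    echo json_encode( array( 'title' => $title, 'count' => 42 ) );
    wp_die(); // required in AJAX handlers so WordPress does not append "0"
}

// HARDENED: declare the body as JSON, forbid MIME sniffing, and encode the
// HTML-significant characters as \uXXXX so that even a misconfigured proxy or
// an old browser that ignores the header has nothing to render.
function my_plugin_share_counts() {
    $title = isset( $_GET['title'] ) ? sanitize_text_field( wp_unslash( $_GET['title'] ) ) : '';
    header( 'Content-Type: application/json; charset=' . get_option( 'blog_charset' ) );
    header( 'X-Content-Type-Options: nosniff' );
    echo wp_json_encode(
        array( 'title' => $title, 'count' => 42 ),
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT
    );
    wp_die();
}
// Share counters are read by anonymous visitors, so both hooks point at the
// hardened handler; the vulnerable one is shown only for comparison.
add_action( 'wp_ajax_my_plugin_share_counts',        'my_plugin_share_counts' );
add_action( 'wp_ajax_nopriv_my_plugin_share_counts', 'my_plugin_share_counts' );
```

wp_send_json( $data ) is the idiomatic WordPress shortcut: it sets the application/json Content-Type for you and calls wp_die(). To check a site you administer, request the endpoint with curl -s -D - -o /dev/null 'https://example.test/wp-admin/admin-ajax.php?action=...' and confirm the Content-Type line says application/json rather than text/html.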

Cross-Site Scripting in Anti-Spam Plugin by CleanTalk

CleanTalk is a free anti-spam plugin that stops spam comments, registrations, orders bookings and more.

Vulnerability type: Cross-Site Scripting (XSS)
Vulnerable version: 5.127.4 and below
Number of sites affected: 90 000+

Cross-Site Scripting in Blog2Social Plugin

Social media auto-posting and scheduling plugin for WordPress sites and blogs. Autopost, cross-promote, schedule and automatically share your blog posts to social networks such as Facebook, Twitter, Google My Business, LinkedIn, etc.

Vulnerability type: Cross-Site Scripting (XSS)
Vulnerable version: 5.9.0 and below
Number of sites affected: 40 000+

Multiple Vulnerabilities in Email Subscribers & Newsletters Plugin

Email Subscribers is a complete newsletter plugin that lets you collect leads, send automated new blog post notification emails, create & send broadcasts and also manage them all in one single place.

Vulnerabilities:

  • Unauthenticated File Download w/ Information Disclosure
  • Blind SQL Injection in INSERT statement
  • Insecure Permissions on Dashboard and Settings
  • Cross-Site Request Forgery on Settings
  • Unauthenticated Option Creation

Vulnerable version: 4.2.3 and below
Number of sites affected: 100 000+

These flaws have been patched in version 4.3.1; users should update to the latest available version immediately.
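Most of the issues in that list fall into two classes: a privileged action reachable without authorization (the unauthenticated download, the insecure permissions on dashboard and settings, and unauthenticated option creation) and SQL built by string concatenation (the blind injection in an INSERT). The following is an added example written for this digest, not code from Email Subscribers & Newsletters, showing each defect beside its fix. The table name wp_my_subscribers, the action names, the field names and the injection string are assumed and illustrate the generic technique, not the plugin's actual vector.

```php
<?php
// Added example (not Email Subscribers & Newsletters code). Table, action and
// field names are assumed.

// --- Unprepared INSERT: blind SQL injection --------------------------------
// The email value is spliced into the statement. A value such as
//   x@example.test', (SELECT SLEEP(5)))#
// closes the string, supplies a subquery as the second column and comments out
// the rest; the five-second delay is the attacker's oracle. The *_nopriv hook
// means no login is needed to reach it.
function my_plugin_subscribe_vulnerable() {
    global $wpdb;
    $email   = $_POST['email'];
    $list_id = $_POST['list_id'];
    $wpdb->query( "INSERT INTO {$wpdb->prefix}my_subscribers (email, list_id) VALUES ('$email', $list_id)" );
    wp_send_json_success();
}

// Fixed: validate, then bind. $wpdb->prepare() quotes and escapes %s and casts
// %d to an integer, so user input can never change the shape of the statement.
function my_plugin_subscribe() {
    global $wpdb;
    $email   = isset( $_POST['email'] )   ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    $list_id = isset( $_POST['list_id'] ) ? absint( $_POST['list_id'] ) : 0;
    if ( ! is_email( $email ) || 0 === $list_id ) {
        wp_send_json_error( 'invalid input', 400 );
    }
    $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$wpdb->prefix}my_subscribers (email, list_id) VALUES (%s, %d)",
        $email,
        $list_id
    ) );
    wp_send_json_success();
}
// Signing up is legitimately anonymous, so both hooks are correct here; the
// defence is the prepared statement, not a login requirement.
add_action( 'wp_ajax_my_plugin_subscribe',        'my_plugin_subscribe' );
add_action( 'wp_ajax_nopriv_my_plugin_subscribe', 'my_plugin_subscribe' );

// --- Privileged action without authorization: unauthenticated download -----
// Streams every subscriber as CSV. Hooked on admin_post_nopriv_* and with no
// capability check, anyone can fetch it with
//   admin-post.php?action=my_plugin_export
function my_plugin_export_vulnerable() {
    global $wpdb;
    header( 'Content-Type: text/csv' );
    header( 'Content-Disposition: attachment; filename="subscribers.csv"' );
    foreach ( $wpdb->get_results( "SELECT email, list_id FROM {$wpdb->prefix}my_subscribers", ARRAY_N ) as $row ) {
        echo implode( ',', $row ) . "\n";
    }
    exit;
}

// Fixed: only the logged-in hook, an explicit capability check, and a nonce so
// the admin must have followed the export link from wp-admin rather than a
// forged cross-site link (the same check blocks CSRF on settings endpoints).
function my_plugin_export() {
    global $wpdb;
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'my_plugin_export' ); // expects the _wpnonce query argument
    header( 'Content-Type: text/csv; charset=' . get_option( 'blog_charset' ) );
    header( 'Content-Disposition: attachment; filename="subscribers.csv"' );
    $out = fopen( 'php://output', 'w' );
    foreach ( $wpdb->get_results( "SELECT email, list_id FROM {$wpdb->prefix}my_subscribers", ARRAY_N ) as $row ) {
        fputcsv( $out, $row );
    }
    fclose( $out );
    exit;
}
add_action( 'admin_post_my_plugin_export', 'my_plugin_export' );
// The link rendered in wp-admin carries the nonce the handler checks:
//   wp_nonce_url( admin_url( 'admin-post.php?action=my_plugin_export' ), 'my_plugin_export' )
```

The rule of thumb for any admin_post_* or wp_ajax_* handler: decide deliberately whether it may be anonymous (then never hook it on the *_nopriv variant without reason), check a capability rather than just is_user_logged_in(), and verify a nonce for anything that changes state or discloses data.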

Privilege Escalation Vulnerability in CartFlows Plugin

CartFlows is a WordPress funnel builder, to help every website owner get more leads, increase conversions, & maximize profits.

Vulnerability type: Privilege escalation vulnerability
Vulnerable version: 1.3.0 and below
Number of sites affected: 30 000+

Security Restrictions Bypass in Currency Switcher for Woocommerce

WooCommerce Currency Switcher (WOOCS) is a WooCommerce multi-currency plugin, that allows your site visitors to switch product price currencies according to set currencies rates in real-time and pay in the selected currency.

Vulnerability type: Security restrictions bypass
Vulnerable version: 2.11.1 and below
Number of sites affected: 5 000+

Multiple Vulnerabilities in Safe SVG Plugin

Denial of Service in Safe SVG Plugin

Safe SVG gives you the ability to allow SVG uploads whilst making sure that they’re sanitized to stop SVG/XML vulnerabilities affecting your site. It also gives you the ability to preview your uploaded SVGs in the media library in all views.

Vulnerability type: Denial of service
Vulnerable version: 1.9.4 and below
Number of sites affected: 200 000+

XSS Protection Bypass in Safe SVG Plugin

Vulnerability type: Cross-site scripting (XSS)
Vulnerable version: 1.9.6 and below
Number of sites affected: 200 000+

CSRF to Stored XSS in Tidio Live Chat Plugin

Tidio Live Chat is a live chat service that allows you to communicate with your customers easily, also with the help of chatbots.

A CSRF vulnerability in the Tidio Live Chat WordPress plugin allows attackers to trick an administrator into saving a stored XSS payload that is then served to every visitor.

Vulnerability type: CSRF to stored XSS
Vulnerable version: 4.1.0 and below
Number of sites affected: 60 000+
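The Tidio Live Chat issue above, the WP Maintenance issue and the WP Spell Check issue earlier in this digest are all the same pattern: a settings form with no nonce, so any site the admin visits can submit it on their behalf, combined with a value that is stored and echoed without sanitization. The following is an added example written for this digest, not code from any of those plugins, showing a minimal vulnerable settings handler next to its hardened form. The option key my_plugin_banner, the action name and the function names are assumed.

```php
<?php
// Added example (not code from Tidio Live Chat, WP Maintenance or WP Spell Check).
// Option key, action and function names are assumed.

// VULNERABLE: any POST to admin-post.php?action=my_plugin_save_settings is
// accepted. A logged-in admin who opens an attacker's page containing an
// auto-submitting form pointed at that URL stores the attacker's HTML, which is
// then echoed raw to every visitor of the site (CSRF leading to stored XSS).
function my_plugin_save_settings_vulnerable() {
    update_option( 'my_plugin_banner', $_POST['banner'] ); // no nonce, no capability check, no sanitization
    wp_safe_redirect( admin_url( 'options-general.php' ) );
    exit;
}
function my_plugin_render_banner_vulnerable() {
    echo '<div class="banner">' . get_option( 'my_plugin_banner' ) . '</div>'; // raw output
}

// HARDENED: the form carries a nonce bound to this action and the current user's
// session, which a cross-origin page cannot read or forge; the handler checks the
// nonce and the capability, sanitizes on the way in and escapes on the way out.
function my_plugin_settings_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'my_plugin_save_settings', 'my_plugin_nonce' ); // hidden nonce input
    echo '<input type="hidden" name="action" value="my_plugin_save_settings">';
    echo '<input type="text" name="banner" value="' . esc_attr( get_option( 'my_plugin_banner', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}
function my_plugin_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'my_plugin_save_settings', 'my_plugin_nonce' ); // dies on a missing or invalid nonce
    $banner = isset( $_POST['banner'] ) ? sanitize_text_field( wp_unslash( $_POST['banner'] ) ) : '';
    update_option( 'my_plugin_banner', $banner );
    wp_safe_redirect( admin_url( 'options-general.php?settings-updated=1' ) );
    exit;
}
function my_plugin_render_banner() {
    echo '<div class="banner">' . esc_html( get_option( 'my_plugin_banner', '' ) ) . '</div>';
}
// Only the hardened handler is wired up. admin_post_{action} fires for logged-in
// users only; an anonymous attacker would need admin_post_nopriv_{action}.
add_action( 'admin_post_my_plugin_save_settings', 'my_plugin_save_settings' );
add_action( 'wp_footer', 'my_plugin_render_banner' );
```

If the setting legitimately needs a subset of HTML, replace sanitize_text_field() with wp_kses_post() on input and keep esc_html() off the output path only for that allow-listed markup; never rely on one of the two layers alone. The nonce check is what defeats CSRF; the sanitization is what stops the stored XSS if a forged request ever does get through.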

Multiple Issues in IgniteUp Plugin

Create coming soon, maintenance mode or under construction mode pages. IgniteUp comes with simple but more customizable templates. You can change everything in the theme according to your needs.

IgniteUp versions 3.4 and below contain multiple vulnerabilities that could lead to arbitrary file deletion, stored XSS, information disclosure, HTML injection in email and CSRF, among a few other issues.

Vulnerability type: arbitrary file deletion, stored XSS, information disclosure, HTML injection in email and CSRF
Vulnerable version: 3.4 and below
Number of sites affected: 30 000+

Other Related News

Exploit code published for dangerous Apache Solr remote code execution flaw

Confusion still surrounds a security bug that the Apache Solr team patched over the summer, which turns out to be much more dangerous than anyone thought.

Apache Solr is a Java-based open-source search engine, initially developed to add search functionality to the CNET website.

Over the summer, a user named “jnyryan” reported to the Solr project that the default solr.in.sh configuration file that is included with all new Solr instances contained an insecure option.

At the time it was reported, the Apache Solr team did not consider the issue serious: developers believed an attacker could only access (largely useless) Solr monitoring data, and nothing else.

Things turned out to be much worse.

Read more from ZDNet.

Researchers: WP-VCD malware is No. 1 in WordPress infections since August

Researchers at Wordfence have observed a recent uptick in attacks on WordPress involving the WP-VCD backdoor malware. Since August 2019, no other WordPress-targeting malware has produced a higher rate of new infections than WP-VCD.

Such findings suggest that the malware, whose main purpose is to enable black hat SEO and malvertising, continues to pay off for attackers, having first been reported in the wild as far back as February 2017.

Website developers and administrators who use WordPress are typically infected with WP-VCD after downloading pirated or otherwise unofficial plugins or themes from third-party sites rather than from the official repository.

Once activated, the malware runs a deployer script that compromises the site by injecting backdoors into the themes already installed. To cover its tracks, the deployer eventually removes its own code from the malicious theme or plugin that carried it in.

Read more about the WordPress vulnerability from scmagazine.com

Phishing Kits Hosted on More than Six Thousand Domains

Akamai’s 2019 State of the Internet / Security Report found that 6,035 domains were being used to host 120 different phishing kits.

The phishing kits impersonated more than sixty well-known brands, with Microsoft, PayPal, DHL, Dropbox, DocuSign, and LinkedIn leading the pack.

In total, researchers observed 2,064,053,300 unique domains associated with malicious activity over the course of sixty days. The vast majority of these were linked to botnet traffic and shut down within a day, with less than four percent staying up longer than three days.

Read more from bleepingcomputer.com

Magecart Groups Attack Simultaneous Sites in Card-Theft Frenzy

Stealing payment-card data and PII from e-commerce sites has become so lucrative that some are being targeted by multiple groups at the same time.

These groups compromise websites built on the Magento e-commerce platform in order to inject card-skimming scripts into checkout pages, stealing unsuspecting customers' payment card details and whatever else they enter into the form fields on the page.

Read more from threatpost.com

Conclusion

WordPress sites are being hacked and infected every day. Commonly cited statistics put the number of websites newly infected with some kind of malware at around 30,000 per day. Every public website is a resource reachable from the internet and therefore a target; it is important to understand that as soon as your website is available to the public, it is being scanned.

It can take just days from a disclosed plugin vulnerability to a full-scale attack campaign, and attacks of this nature are almost always automated. That leaves a small window in which to take action, which is where web application firewalls matter most.

Always keep your plugins updated, and enable automatic updates where possible. If you are using any of the plugins mentioned above, update to the latest version as soon as possible so that these WordPress plugin security vulnerabilities cannot affect your sites.
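WordPress has had an auto_update_plugin filter since automatic background updates were introduced in core 3.7, so automatic plugin updates can be switched on without any extra tooling. The following is an added example written for this digest, not WebARX code: a must-use plugin that opts a chosen set of plugins into automatic updates while leaving every other plugin at its default. The plugin slugs in the list are placeholders to be replaced with the directory names of the plugins you want covered.

```php
<?php
/**
 * Plugin Name: Auto-update selected plugins
 * Description: Added example (not WebARX code). Save as
 *              wp-content/mu-plugins/auto-update-selected.php. Slugs are placeholders.
 */

// Directory names of the plugins to keep current (assumed values; replace them).
const MY_AUTO_UPDATE_SLUGS = array( 'example-plugin-one', 'example-plugin-two' );

/**
 * Core calls this filter for every plugin that has an update available.
 *
 * @param bool   $update Whether core intends to auto-update this plugin.
 * @param object $item   The update object; ->slug is set for wordpress.org plugins.
 * @return bool
 */
function my_auto_update_selected_plugins( $update, $item ) {
    if ( isset( $item->slug ) && in_array( $item->slug, MY_AUTO_UPDATE_SLUGS, true ) ) {
        return true; // always install updates for the listed plugins
    }
    return $update;  // everything else keeps its default behaviour
}
add_filter( 'auto_update_plugin', 'my_auto_update_selected_plugins', 10, 2 );
```

Returning __return_true for the whole filter turns on automatic updates for every plugin, which is the simplest policy if you trust all of them; the allow-list form is for sites where some plugins need staging first. Either way the update only runs when WP-Cron fires, so on low-traffic sites pair it with a real cron entry that calls wp-cron.php (or runs wp plugin update --all via WP-CLI).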

WebARX web application firewall gets virtual patches that are distributed automatically among the sites when vulnerabilities are discovered. Threat intelligence and prevention are our main focus and thus our firewall engine is updated on a daily basis.

Websites with WebARX firewall installed are protected from the security issues mentioned in this article. If you are not protecting your WordPress site against plugin vulnerabilities yet go and start for free here.
