WordPress Vulnerability News, October 2019

October 11, 2019 by Agnes Talalaev

WordPress vulnerability news is a weekly digest of highlighted vulnerability disclosures that have been published (there are other, less critical vulnerabilities in smaller plugins that unfortunately don’t make it to the list).

Keeping up to date with security vulnerabilities in WordPress and other CMSs is an important part of security. That is why we analyze WordPress plugins and newly disclosed vulnerabilities, to make sure that sites using the mentioned plugins or themes are protected.

All the vulnerabilities you find in this article have received a virtual patch in the WebARX firewall. This means that if you use the WebARX web application firewall, your site is safe from these vulnerabilities, but it is always strongly advised to update or delete vulnerable plugins from your site.

Is your WordPress site secured? Take a look at how to secure your site here.

If you are a WordPress plugin developer read how to secure plugins from an attackers’ perspective.

Authenticated Stored Cross-Site Scripting (XSS) in About Author Plugin

With the About Author plugin you can display complete WordPress author information in a styled box. Using the [ABTM id=123] shortcode, you can publish blog users’ profiles in any page or post on your WordPress sites.

Vulnerability type: Authenticated stored cross-site scripting (XSS)
Vulnerable version: 1.3.9 and below
Number of sites affected: 1 000+

Read more about the WordPress vulnerability here.

Multiple Plugins with HTML Injection

Email Templates

Send beautiful emails with the WordPress Email Templates plugin. Choose your template style, add a logo or some text, change colors, edit footer and start sending nice emails in WordPress.

Vulnerability type: HTML injection
Vulnerable version: 1.3.1 and below
Number of sites affected: 20 000+

Read more about the WordPress vulnerability here.

WP Email Template

WP Email Template applies a responsive, customizable, optimized HTML email template to every email sent from your WordPress site, including plugin-generated emails. Easily configure advanced email sending with any of the supported providers.

Vulnerability type: HTML injection
Vulnerable version: 2.2.10 and below
Number of sites affected: 5 000+

Read more about the WordPress vulnerability here.

WP HTML Mail – Email Designer

Beautiful responsive HTML mails, fully customizable without any coding knowledge. Create your own professional email template within a few minutes.

Vulnerability type: HTML injection
Vulnerable version: 2.9.0.3 and below
Number of sites affected: 10 000+

Read more about the WordPress vulnerability here.

Authenticated SQL Injection and Authenticated Reflected XSS in Groundhogg Plugin

Groundhogg is a marketing automation tool for WordPress that can handle CRM, email marketing, SMS marketing, and more without the need for third-party software.

Vulnerability type: Authenticated SQL Injection
Vulnerable version: 1.3.11.3 and below
Number of sites affected: 500+
Available version: 2.0.12.2

Vulnerability type: Authenticated Reflected XSS
Vulnerable version: 2.0.8.1 and below
Number of sites affected: 500+
Available version: 2.0.12.2

WordPress Groundhogg plugin versions lower than 1.3.11.13 are affected by an authenticated SQL injection vulnerability, and versions lower than 2.0.8.1 are affected by an authenticated reflected cross-site scripting (XSS) vulnerability.

Update to the latest available version of the Groundhogg plugin.

Authenticated SQL Injection: read more about the WordPress vulnerability here.

Authenticated Reflected XSS: read more about the WordPress vulnerability here.

Stored Cross-Site Scripting (XSS) in SyntaxHighlighter Evolved Plugin

SyntaxHighlighter Evolved allows you to easily post syntax-highlighted code to your site without losing its formatting or making any manual changes.

Vulnerability type: Stored cross-site scripting (XSS)
Vulnerable version: 3.5.0 and below
Number of sites affected: 40 000+

The SyntaxHighlighter plugin used in the comments section of *.wordpress.com sites is vulnerable to stored XSS via a crafted payload.

Read more about the WordPress vulnerability here.

Open Redirect in Bridge Theme

BRIDGE is a responsive retina multipurpose WordPress theme perfect for just about anyone. Whether you are a creative, a corporate team, a lawyer, a medical doctor or a freelancer looking for a modern portfolio website or a personal blog, Bridge is your best choice.

Vulnerability: Open redirect
Vulnerable version: Bridge Theme: 18.2 / Plugins: 2.0 (Twitter plugin) 2.0.1 (Instagram plugin)
Number of sites affected: 100 000+

Affected are two built-in plugins packaged with the Bridge theme – Qode Instagram Widget and Qode Twitter Feed. The patched versions are Bridge Theme: 18.2.1 / Plugins: 2.0.1 (Twitter plugin) 2.0.2 (Instagram plugin).

Read more about the WordPress vulnerability here.

WordPress 5.2.4 Security Release

WordPress 5.2.4 is now available and this security release fixes 6 security issues. WordPress versions 5.2.3 and earlier are affected by bugs, which are fixed in version 5.2.4.

According to WordPress, WordPress version 5.2.4 fixes 6 security issues:

According to WPScan, 9 files were modified in this release.

Read more about the findings from blog.wpscan.org

Fake WordPress Plugin Comes with Cryptocurrency Mining Function

It’s not that difficult to create a plugin for WordPress. For example, attackers can modify the code of an existing plugin to include malicious components.

Additionally, automated tools exist that can generate a plugin with a name given by the attacker and lace it with an arbitrary payload, such as a reverse shell.

Researchers have found a plugin called WP Framework that attackers used to gain and maintain unauthorized access to the site environment. It is unclear which plugin it impersonates, but one with this name exists in the WordPress public repository.

It is advised to check the additional site components when doing a malware cleanup, since this procedure is often limited to WordPress core files. Themes and plugins are often migrated without any prior scrutiny. This way, attackers maintain their grip on the new site through the backdoor planted in third-party extensions.

Read more about the WordPress vulnerability here.

Multiple Vulnerabilities in Sliced Invoices Plugin

Sliced Invoices is an invoicing system that is easy to use but at the same time comes packed with features to help make your quoting and invoicing a breeze.

Vulnerabilities: Unauthenticated information disclosure; authenticated SQL injection and information disclosure; lack of CSRF and authorization checks on AJAX methods.
Vulnerable version: 3.8.2 and below
Number of sites affected: 6 000+

The WordPress Sliced Invoices plugin, which has 6,000+ active installations, was prone to multiple vulnerabilities in version 3.8.2 and below that could lead to information disclosure and SQL injection.

Read more about the WordPress vulnerability here.

Full Path Disclosure in Fast Velocity Minify Plugin

Fast Velocity Minify is a WordPress speed optimization plugin for developers and advanced users. It reduces HTTP requests by merging CSS and JavaScript files into groups, using as few files as possible, and minifies CSS and JS files with PHP Minify (no extra requirements).

Vulnerability type: Full path disclosure
Vulnerable version: 2.7.6 and below
Number of sites affected: 80 000+

This flaw allowed authenticated attackers to discover the full webroot path to the running WordPress application. Fast Velocity Minify versions up to 2.7.6 are vulnerable to attacks against this flaw. All Fast Velocity Minify users should update to version 2.7.7 immediately.

Read more about the WordPress vulnerability here.

Authenticated Reflected Cross-Site Scripting in Broken Link Checker

This plugin will monitor your blog looking for broken links and let you know if any are found. Once installed, the plugin will begin parsing your posts, bookmarks (AKA blogroll) and other content and looking for links. When parsing is complete, the plugin will start checking each link to see if it works.

Vulnerability type: Authenticated reflected cross-site scripting (XSS)
Vulnerable version: 1.11.8 and below
Number of sites affected: 700 000+

Read more about the WordPress vulnerability here.

Stored XSS in Events Manager Plugin

Events Manager is a full-featured event registration plugin for WordPress based on the principles of flexibility, reliability and powerful features.

Vulnerability type: Stored cross-site scripting (XSS)
Vulnerable version: 5.9.6 and below
Number of sites affected: 100 000+

The events-manager plugin through 5.9.5 for WordPress (aka Events Manager) is susceptible to Stored XSS due to improper encoding and insertion of data provided to the attribute map_style of shortcodes (locations_map and events_map) provided by the plugin.

Read more about the WordPress vulnerability here.

Stored XSS in EU Cookie Law Plugin

EU Cookie Law is a light, elegant and powerful solution to comply with European cookie law and GDPR, with popup and options to lock scripts before acceptance.

Vulnerability type: Stored cross-site scripting (XSS)
Vulnerable version: 3.0.6 and below
Number of sites affected: 100 000+

The EU-cookie-law plugin through 3.0.6 for WordPress (aka EU Cookie Law (GDPR)) is susceptible to Stored XSS due to improper encoding of several configuration options in the admin area and the displayed cookie consent message. This affects Font Color, Background Color, and the Disable Cookie text. An attacker with high privileges can attack other users.

Read more about the WordPress vulnerability here.

Stored Cross-Site Scripting in All In One SEO Pack Plugin

All in One SEO Pack is used to optimize your WordPress site for SEO. It’s easy and works out of the box for beginners, and has advanced features and an API for developers.

Vulnerability type: Stored cross-site scripting (XSS)
Vulnerable version: 3.2.7 and below
Number of sites affected: 2+ million

The all-in-one-seo-pack plugin before 3.2.7 for WordPress (aka All in One SEO Pack) is susceptible to Stored XSS due to improper encoding of the SEO-specific description for posts provided by the plugin via unsafe placeholder replacement.
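The three stored XSS entries above (Events Manager’s map_style shortcode attribute, EU Cookie Law’s admin options and consent message, All in One SEO Pack’s placeholder replacement) share one root cause: data is written into HTML without being encoded for the context it lands in. The following is an added illustration written for this digest, not code from any of those plugins; the demo_map shortcode, the demo_ function names and the %post_title% placeholder are hypothetical.

```php
<?php
// Added example (not code from Events Manager, EU Cookie Law or AIOSEO).
// A hypothetical 'demo_map' shortcode takes a 'map_style' attribute, and a
// hypothetical SEO description template contains %post_title% placeholders.
// Both values come from users who can save content or options, so the
// plugin must encode them at output time.

// Vulnerable pattern: the attribute value is inserted as-is. A value that
// closes the quote leaves the style attribute and becomes markup or an
// event handler rendered for every visitor (stored XSS).
function demo_map_shortcode_unsafe( $atts ) {
    $atts = shortcode_atts( array( 'map_style' => 'width:100%' ), $atts, 'demo_map' );
    return '<div class="demo-map" style="' . $atts['map_style'] . '"></div>';
}

// Hardened: restrict to allowed CSS declarations, then encode for the
// HTML attribute context.
function demo_map_shortcode_safe( $atts ) {
    $atts = shortcode_atts( array( 'map_style' => 'width:100%' ), $atts, 'demo_map' );
    // safecss_filter_attr() keeps only the CSS declarations WordPress allows
    // (the same filter applied to inline styles in post content).
    $style = safecss_filter_attr( $atts['map_style'] );
    // esc_attr() neutralises quotes and angle brackets inside the attribute.
    return '<div class="demo-map" style="' . esc_attr( $style ) . '"></div>';
}
add_shortcode( 'demo_map', 'demo_map_shortcode_safe' );

// Placeholder replacement: substitute first, then escape the whole result
// once for its context. Escaping only the template (and not the values
// that replace the placeholders) is the mistake the AIOSEO entry describes.
function demo_seo_description_safe( $template, WP_Post $post ) {
    $replacements = array(
        '%post_title%' => get_the_title( $post ),
        '%site_name%'  => get_bloginfo( 'name' ),
    );
    $description = strtr( $template, $replacements );
    return '<meta name="description" content="' . esc_attr( $description ) . '">';
}

// Admin-side options (the EU Cookie Law case) need the same treatment when
// the saved value is echoed back into a settings form field.
function demo_render_color_option( $option_name ) {
    $value = get_option( $option_name, '' );
    return '<input type="text" name="' . esc_attr( $option_name )
         . '" value="' . esc_attr( $value ) . '">';
}
```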

Read more about the WordPress vulnerability here.

Multiple Vulnerabilities in Popup-Maker Plugin

Popup Maker is a popup plugin for WordPress. Create any type of popup, modal, or content overlay for your WordPress website. You can create email opt-in popups, contact form popups, announcements, EU cookie notices, slide-ins, & more.

Vulnerability description: An unauthenticated attacker can retrieve information regarding WordPress Plugins (active/inactive), the Webserver Configuration, the PHP Configuration and more. Further attacks may also be possible.
Vulnerable version: 1.8.12 and below
Number of sites affected: 400 000+

Read more about the WordPress vulnerability here.

Authenticated Stored XSS in Lara Google Analytics Plugin

Lara’s Google Analytics plugin adds a full-width Google Analytics dashboard widget for the WordPress admin interface and inserts the latest Google Analytics tracking code to all your pages.

Vulnerability type: Authenticated stored cross-site scripting (XSS)
Vulnerable version: 2.0.7 and below
Number of sites affected: 20 000+

Read more about the WordPress vulnerability here.

Multiple Issues Leading to RCE in Woody Ad Snippets Plugin

The plugin helps to create and store code snippets or duplicated text in a special library at the admin bar of your website. Use the shortcode to add a snippet anywhere on your website.

Vulnerability: An unauthenticated options import vulnerability combined with a stored XSS vulnerability can lead to remote code execution.
Vulnerable version: 2.2.4 and below
Number of sites affected: 90 000+

Read more about the WordPress vulnerability here.

XSS & SQL Injection in wpDataTables Plugin

wpDataTables is a popular WordPress table plugin used to quickly create tables and table charts from Excel, CSV, PHP, and other data sources. Use the WP table plugin to represent vast amounts of complicated data in a concise, user-friendly way using tables or charts.

Vulnerability type: Cross-site scripting (XSS) and SQL injection
Vulnerable version: 2.0.7 and below
Number of sites affected: 20 000+

Read more about the WordPress vulnerability here.

Cross-Site Scripting (XSS) in SoundPress Plugin

SoundPress allows you to embed audio from SoundCloud to your sidebar or directly inside your posts. All you need to do is provide the SoundCloud URL straight from your browser and the plugin will display the SoundCloud player.

Vulnerability type: Cross-site scripting (XSS)
Vulnerable version: 2.2.6
Number of sites affected: 5 000+

The vulnerability is fixed in version 3.0.0.

Read more about the WordPress vulnerability from plugins.trac.wordpress.org

Open Redirect & Hidden Login Page Exposure in All In One WP Security & Firewall Plugin

The WordPress plugin All In One WP Security & Firewall is a WordPress security plugin that you can use to implement user accounts security, login security, file system security and more.

Vulnerability type: Open redirect and exposure of the actual URL of the “hidden login page” feature
Vulnerable version: 4.4.1 and below
Number of sites affected: 800 000+

The PoC will be displayed on October 22, 2019, to give users the time to update.

Read more about the WordPress vulnerability from wpvulndb.com.

Stored XSS Vulnerability in WordPress Download Plugins and Themes from Dashboard Plugin

WordPress plugin Download Plugins and Themes from Dashboard lets you download installed plugins and themes ZIP files directly from your admin dashboard without using FTP.

Vulnerability type: Unauthenticated stored XSS
Vulnerable version: 1.5.0 and below
Number of sites affected: 10 000+

The vulnerability was reported on September 26, 2019, and a new version 1.6.0 was released on September 30.

Read more about the WordPress vulnerability from Nintechnet blog.

XSS and SSRF in WordPress Visualizer Plugin

Visualizer: Tables and Charts Manager for WordPress plugin is a simple, easy to use and quite powerful tool to create, manage and embed interactive charts & tables into your WordPress posts and pages.

Vulnerability type: Blind SSRF and stored XSS
Vulnerable version: 3.3.0 and below
Number of sites affected: 40 000+

Read more about the WordPress vulnerability from nathandavidson.com.

Unauthorized CSV Access in Export Users to CSV Plugin

The Export Users to CSV plugin allows you to export the user list and its metadata to a CSV file. The CSV file has the following fields: username, email, display name, first name, last name, and registered date.

Vulnerability type: Unauthorized CSV access
Vulnerable version: below 1.4
Number of sites affected: 3 000+

The plugin exports a CSV file containing sensitive user data. The generated files are stored in a public directory with a predictable filename based on a Unix timestamp.

CSV files are discoverable either through enumeration or path traversal. Export Users to CSV does not provide visibility over exported CSV files. Generated CSV files are stored indefinitely.
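The entry above describes three design weaknesses: a web-reachable storage directory, a filename derived from the Unix timestamp, and files that are never removed. Below is an added example written for this digest, not the plugin’s own code (the demo_ function names and the admin_post action name are hypothetical), showing how a WordPress export can avoid them: a capability and nonce check, streaming the CSV to the requester instead of writing it to the uploads directory, and, when a file must persist, an unguessable name in a directory that denies direct HTTP access.

```php
<?php
// Added example, not Export Users to CSV's code. Hypothetical 'demo_' prefix.

// Weak pattern (what the digest entry describes): the file is written into
// the public uploads directory, named from time(), kept forever, and served
// to anyone who requests the URL.
function demo_export_users_weak() {
    $upload = wp_upload_dir();
    $path   = $upload['basedir'] . '/users-' . time() . '.csv';
    demo_write_users_csv( fopen( $path, 'w' ) );
    return $upload['baseurl'] . '/' . basename( $path ); // public, predictable
}

// Hardened: authorize the caller, verify the nonce, and stream the CSV
// directly so nothing is left on disk to enumerate.
function demo_export_users_safe() {
    if ( ! current_user_can( 'list_users' ) ) {
        wp_die( 'You are not allowed to export users.', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'demo_export_users' ); // rejects CSRF-triggered exports
    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="users.csv"' );
    demo_write_users_csv( fopen( 'php://output', 'w' ) );
    exit;
}
add_action( 'admin_post_demo_export_users', 'demo_export_users_safe' );

function demo_write_users_csv( $out ) {
    fputcsv( $out, array( 'username', 'email', 'display_name', 'first_name', 'last_name', 'registered' ) );
    foreach ( get_users() as $user ) {
        fputcsv( $out, array(
            $user->user_login,
            $user->user_email,
            $user->display_name,
            $user->first_name,
            $user->last_name,
            $user->user_registered,
        ) );
    }
    fclose( $out );
}

// If an export must be stored (e.g. built in the background), give it an
// unguessable name inside a directory that refuses direct HTTP access, and
// delete it once downloaded or after a short expiry.
function demo_private_export_path() {
    $dir = trailingslashit( wp_upload_dir()['basedir'] ) . 'demo-private/';
    wp_mkdir_p( $dir );
    if ( ! file_exists( $dir . '.htaccess' ) ) { // Apache; nginx needs a location rule
        file_put_contents( $dir . '.htaccess', "Require all denied\n" );
    }
    return $dir . 'users-' . wp_generate_password( 32, false ) . '.csv';
}
```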

WooCommerce 3.6.4 – CSRF Bypass to Stored XSS

WooCommerce is an open-source, completely customizable eCommerce platform for entrepreneurs worldwide. A flaw in the way WooCommerce handles imports of products results in a stored cross-site scripting vulnerability (XSS) that can be exploited through cross-site request forgery (CSRF).

Vulnerability type: Stored cross-site scripting and cross-site request forgery (CSRF)
Vulnerable version: 3.6.4
Number of sites affected: 3+ million

Read more from Ripstech blog.

Other Related News

Joomla 3.4.6 ‘configuration.php’ Remote Code Execution

Joomla is an open-source content management system, based on PHP and MySQL, originally forked from Mambo.

The exploit implants a backdoor in the /configuration.php file in the root directory using eval, which makes it work in more environments but also makes it more intrusive.

Vulnerability type: ‘configuration.php’ remote code execution
Vulnerable version: 3.4.6

Read more from hacktivesecurity.com.

Conclusion

WordPress sites are being hacked and infected every day. Some statistics say that about 30,000 websites are infected with some type of malware daily. Every public website is a resource available on the internet, and it is important to understand that as soon as your website is available to the public, it immediately becomes a target.

It can take just days from a disclosed plugin vulnerability to a full-scale attack campaign. Attacks of this nature are almost always automated, so you have only a small time window in which to take action. In such cases, web application firewalls are critically important.

Always keep your plugins updated. If possible, enable automatic updates. If you are using any of the mentioned plugins, you need to update to the latest version as soon as possible.

WebARX web application firewall gets virtual patches that are distributed automatically among the sites when vulnerabilities are discovered. Threat intelligence and prevention are our main focus and thus our firewall engine is updated on a daily basis.

Websites with WebARX firewall installed are protected from the security issues mentioned in this article. If you are not protecting your WordPress site against plugin vulnerabilities yet go and start for free here.
