Wordpress security

WordPress Vulnerability News, September 2019

September 27, 2019 by Agnes Talalaev

WordPress vulnerability news is a weekly digest of vulnerability discloses that have been published.

Keeping up to date with security vulnerabilities in WordPress and other CMS’s is an important part of security. That is why we are analyzing WordPress plugins and newly disclosed vulnerabilities to make sure the sites using the mentioned plugins or themes are protected.

Is your WordPress site secured? Take a look at how to secure your site here.

If you are a WordPress plugin developer read how to secure plugins from an attackers perspective.

Multiple Vulnerabilities in WordPress Plugin “Theme Editor”

Theme editor allows you to edit theme files, create a folder, upload files and remove any file and folder in themes and plugins. You can easily customize your themes and plugins directly.

Vulnerability type: SRF, insufficient permission checking, arbitrary file upload and the ability to interact with folders/files on the server 
Vulnerable version: 2.1 and below
Number of sites affected: 30 000+

The plugin has over 30,000 active installations as of September 16th, 2019. These vulnerabilities (aside from CSRF) require access to any account, regardless of its role.

Read more about the WordPress theme vulnerability from WebARX blog.

Blind SSRF in WordPress Plugin Visualizer

Visualizer: Tables and Charts Manager for WordPress plugin is a simple, easy to use and quite powerful tool to create, manage and embed interactive charts & tables into your WordPress posts and pages.

Vulnerability type: Blind SSRF vulnerability in the /wp-json/visualizer/v1/upload-data endpoint
Vulnerable version: 3.1.0
Number of sites affected: 40 000+

This vulnerability is fixed in version 3.3.1. The PoC will be displayed on October 13, 2019, to give users the time to update.

Persistent XSS & IDOR in Real Estate WordPress Theme

Zoner It’s a new Real Estate WordPress theme with unique functionality, design, and features. Perfect for agency owners, personal or standalone Real estate agents, who want to receive personal, regional or global Real estate WordPress website. You can watch videos try Zoner Lite on wordpress.org check pages on PSD mockups.

Vulnerability type: Persistent XSS & IDOR
Vulnerable version: 4.1.1
Number of sites affected: 1600+

Read more about the WordPress theme vulnerability from exploitalert.com.

Stored Cross-site Scripting (XSS) in Easy FancyBox WordPress Plugin

wordpress vulnerability

Easy FancyBox plugin for WordPress websites gives you a flexible and aesthetic lightbox solution for just about all media links on your website.

Vulnerability type: Cross-site scripting (XSS)
Vulnerable version: 1.8.17 and older
Number of sites affected: 300 000+

The Easy FancyBox WordPress Plugin Version 1.8.17 is susceptible to Stored Cross-site Scripting in the Settings > Media admin page /wp-admin/options-media.php due to improper encoding of arbitrarily submitted setting parameters. The vulnerability affects every publicly accessible page of the WordPress site.

By exploiting the documented vulnerability, an attacker can execute JavaScript code in a victim’s browser within the origin of the target site. This can be misused, for example, by taking over future administrative web management sessions.

Read more about the WordPress vulnerability from Github.

Stored Cross-Site Scripting (XSS) in Rich Reviews Plugin

wordpress vulnerability

The Rich Reviews plugin does the work for you to make it possible for your ratings/reviews to be showcased as rich snippets in SERPs.

Vulnerability type: XSS Via Unauthenticated Plugin Options Update
Vulnerable version: 1.7.4 and older
Number of sites affected: 10 000+

Sites running the plugin are vulnerable to unauthenticated plugin option updates, which can be used to deliver malware payloads.

This plugin has been closed as of March 11, 2019, and is not available for download. It is strongly advised to remove the Rich Reviews plugin from websites for now.

Read more about the WordPress vulnerability Wordfence blog.

Multiple Issues in Motors Car Dealer & Classified Ads Plugin

wordpress vulnerability

Quickly and easily input the relevant information about a vehicle – an overview, photos and videos, technical features and options, location, contact information, and PDF brochure.

Vulnerability type:
– Unauthenticated plugin’s settings import/export (leading to stored XSS)
– Authenticated settings import
– Unsanitized inputs
– Authenticated options change
Vulnerable version: 1.4.0 and older
Number of sites affected: 10 000+

The WordPress Motors Car Dealer & Classified Ads plugin, which has 10,000+ active installations, was prone to multiple vulnerabilities.

Update as soon as possible if you have version 1.4.0 or below installed.

Read more about the WordPress vulnerability Nintechnet blog.

Unauthenticated Options Import Vulnerability in WordPress Ultimate FAQ Plugin

wordpress vulnerability

FAQ plugin that lets you create, organize and publicize your FAQs (frequently asked questions) in no time through your WordPress admin panel. Select from multiple responsive FAQ layouts and styles. A modern accordion-style layout that fits into any site.

Vulnerability type: Unauthenticated options import
Vulnerable version: 1.8.24 and older
Number of sites affected: 30 000+

The WordPress Ultimate FAQ plugin, which has 30,000+ active installations, was prone to an unauthenticated options import vulnerability in version 1.8.24 and below that could lead to content injection.

A new version 1.8.25 was released on September 18, 2019.

Update as soon as possible if you have version 1.8.24 or below installed.

Read more about the WordPress vulnerability Nintechnet blog.

Cross-Site Scripting in WordPress Plugin Sell Downloads

wordpress vulnerability

Sell Downloads is a WordPress eCommerce plugin for selling downloadable files: audio, video, documents, pictures all that may be published on the Internet. Sell Downloads uses PayPal as a payment gateway, making the sale process easy and secure.

Vulnerability type: XSS
Vulnerable version: 1.0.86 and older
Number of sites affected: 500+
Discovery date: September 09, 2019

The WordPress Sell Downloads plugin, which has 500+ active installations, was prone to a cross-site scripting vulnerability in version 1.0.86.

Read more about the WordPress vulnerability cxsecurity.com.

Unauthenticated Options Update in Delucks SEO Plugin

wordpress vulnerability

WordPress SEO plugin for easy, professional and multilingual search engine optimization. Find relevant keywords to create an attractive meta title & description for every content. Auto-create a sitemap and use canonical URLs for SSL encryption.

Vulnerability type: Unauthenticated Options Update
Vulnerable version: 2.1.7 and older
Number of sites affected: 1000+

The WordPress DELUCKS SEO plugin version 2.1.7 and below is prone to a vulnerability that is actively exploited by hackers.

The vulnerability allows an unauthenticated user to inject JS code in the plugin settings, which will be reflected on all pages. The vulnerability affects plugins to version 2.1.7 and below.

On the 26th of September, the author has released a new version available on their website.

Read more about the WordPress vulnerability Nintechnet blog.

Authentication Bypass Vulnerability in GiveWP Plugin

wordpress vulnerability

Transform the way you accept online donations. With GiveWP you can accept charitable gifts through customizable donation forms, view donation statistics and reports, manage donors, and integrate with a wide variety of third-party gateways and services.

WordPress plugin GiveWP that is installed on over 70,000 websites allows in version 2.5.4 unauthenticated users to bypass API authentication methods and potentially access personally identifiable user information (PII). These can be names, addresses, IP addresses, and email addresses which should not be publicly accessible. 

Vulnerability type: Authentication Bypass with Information Disclosure
Vulnerable version: 2.5.4 and older
Number of sites affected: 70 000+

This is considered a high security issue, and websites running Give 2.5.4 or below should be updated to version 2.5.5 or later right away.

Read more about the WordPress vulnerability in WordFence blog.

Other Related News

Critical 0-Day RCE Exploit in vBulletin

wordpress vulnerability
Picture from thehackernews.com

An anonymous hacker publicly revealed details and proof-of-concept exploit code for an unpatched, critical zero-day remote code execution vulnerability in vBulletin—one of the widely used internet forum software.

One of the reasons why the vulnerability should be viewed as a severe issue is not just because it is remotely exploitable, but also doesn’t require authentication.

Written in PHP, vBulletin is a widely used proprietary Internet forum software package that powers more than 100,000 websites on the Internet, including Fortune 500 and Alexa Top 1 million companies websites and forums.

Read more from thehackernews.com.

Conclusion

WordPress sites are being hacked and infected every day. Some statistics say that about 30,000 websites are infected with some type of malware daily. Every public website is a resource available on the internet and therefore it’s a target. It’s important to understand that as soon as your website is available to the public, it immediately becomes a target. 

It can take just days from a disclosed plugin vulnerability to a full-scale attack campaign. Attacks in this nature are almost always automated. To be able to fight back, you have a small time window to take action. In such cases, web application firewalls have critical importance.

Always keep your plugins updated. If possible, enable automatic updates. If you are using any of the mentioned plugins, you need to update it with the latest version as soon as possible.

WebARX web application firewall gets virtual patches that are distributed automatically among the sites when vulnerabilities are discovered. Threat intelligence and prevention is our main focus and thus our firewall engine is updated on a daily basis.

Websites with WebARX firewall installed are protected from the security issues mentioned in this article. If you are not protecting your WordPress site against plugin vulnerabilities yet go and start for free here.

Protect your websites from plugin vulnerabilities

Get started
website firewall webarx website security
Wordpress security

Start your free 7-day trial now

Protect your websites from malicious traffic - set-up in under 3 minutes.

Try it now

WebARX is compatible with the following platforms:

PHP
WordPress
Magento
Drupal
Joomla