
WordPress Vulnerability News, September 2020


Updated: September 28, 2020 by Agnes Talalaev

This is a monthly article in which we list WordPress plugin and theme vulnerability disclosures. Other, less critical vulnerabilities in smaller plugins unfortunately don’t always make it onto the list.

This month we have seen 46 vulnerable plugins and themes. 

If you use the WebARX web application firewall, your site is protected against these plugin vulnerabilities. It is still always strongly advised to update or delete vulnerable plugins from your site, since a virtual patch blocks exploitation but does not remove the flaw. If possible, enable automatic updates in the WebARX Portal.

Is your WordPress site secured? Take a look at how to secure your site here.

If you are a WordPress plugin developer, read how to secure plugins from an attacker’s perspective, or contact support@webarxsecurity.com and ask for a plugin security audit.


Simple:Press

Simple:Press is forum software for your WordPress site.

Vulnerability: Broken access control leading to RCE
Fixed in version: 6.6.1
The number of sites affected: 600+

The Simple:Press plugin fixed a broken access control vulnerability affecting version 6.6.0 and below. The missing access check could be reached without authentication and led to arbitrary file upload and, from there, remote code execution.

Read more about the plugin vulnerability here.

Backup, Restore and Migrate WordPress Sites With the XCloner Plugin

XCloner is a backup plugin that allows you to back up and restore your WordPress sites. 

Vulnerability: Cross-site request forgery
Fixed in version: 4.2.13
The number of sites affected: 30 000+

This flaw gave authenticated attackers with subscriber-level or higher capabilities the ability to modify arbitrary files, including PHP files. Writing to a PHP file that the server executes turns this into remote code execution on the vulnerable site’s server.

Alternatively, an attacker could chain the same unprotected AJAX endpoint to obtain a database dump, amongst other things. Several of the plugin’s endpoints also lacked nonce checks and were therefore vulnerable to cross-site request forgery (CSRF), so an administrator merely visiting an attacker-controlled page could be made to trigger them.

Read more about the vulnerability here.

Drag and Drop Multiple File Upload – Contact Form 7

Drag and Drop Multiple File Uploader is a WordPress plugin extension for Contact Form 7 that allows the user to upload multiple files using drag and drop or the common browse-file dialog of your web form.

Vulnerability: Unauthenticated remote code execution
Fixed in version: 1.3.5.5
The number of sites affected: 20 000+

The plugin used a blacklist of dangerous file extensions that it refused to upload; however, .phar and .phpt were not on the blacklist, so an unauthenticated visitor could upload a file with one of those extensions containing arbitrary PHP code. Whether such a file is then executed depends on which extensions the web server hands to the PHP interpreter, which is exactly why a blacklist is the wrong tool here: an allowlist of the few extensions the form genuinely needs has no such gap to hunt for.

The PoC will be displayed on October 06, 2020, to give users the time to update.
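To make the blacklist-versus-allowlist point concrete, here is an added example (not code from the Drag and Drop Multiple File Upload plugin) that runs the same constructed filenames through a hypothetical blocklist of the kind described above and through an allowlist. The blocklist contents and the allowed extensions are assumptions for illustration.

```php
<?php
// Added example, not code from the Drag and Drop Multiple File Upload plugin:
// why an extension blocklist fails and what the allowlist replacement looks like.

// Hypothetical blocklist in the spirit of the one described above. Like the real
// one it omits .phar and .phpt; that is the kind of gap an attacker hunts for.
const BLOCKED_EXTENSIONS = ['php', 'php3', 'php4', 'php5', 'phtml', 'exe', 'js', 'html', 'htaccess'];

// Allowlist: only what a contact form genuinely needs (assumed set).
const ALLOWED_EXTENSIONS = ['pdf', 'doc', 'docx', 'jpg', 'jpeg', 'png', 'gif'];

function blocklist_allows(string $filename): bool {
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return !in_array($ext, BLOCKED_EXTENSIONS, true);
}

function allowlist_allows(string $filename): bool {
    // Reject path components and multiple dots so "shell.php.jpg" (which Apache
    // may still run as PHP under mod_php multi-extension handling) and "../x.pdf"
    // never reach the comparison at all.
    if (basename($filename) !== $filename || substr_count($filename, '.') !== 1) {
        return false;
    }
    $ext = strtolower(pathinfo($filename, PATHINFO_EXTENSION));
    return in_array($ext, ALLOWED_EXTENSIONS, true);
}

// Constructed sample filenames, including the two extensions the blocklist missed.
$samples = ['resume.pdf', 'photo.JPG', 'shell.php', 'shell.PhP',
            'shell.phar', 'shell.phpt', 'shell.php.jpg', '../shell.pdf', 'noext'];

foreach ($samples as $name) {
    printf("%-15s blocklist: %-6s allowlist: %s\n", $name,
        blocklist_allows($name) ? 'ACCEPT' : 'reject',
        allowlist_allows($name) ? 'ACCEPT' : 'reject');
}
```

Running it shows the blocklist accepting shell.phar, shell.phpt, shell.php.jpg and the extension-less file while the allowlist rejects all of them. Inside WordPress, the native way to do the allowlist is wp_check_filetype_and_ext(), which also verifies that the file content matches the claimed type, combined with a server rule that refuses to execute anything from the upload directory as a second layer.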

JobMonster Theme

JobMonster is a job board theme for WordPress.

Vulnerability: Directory listing in the upload folder
Fixed in version: 4.6.6.1
The number of sites affected: 4000+

The JobMonster theme was vulnerable to directory listing in the /wp-content/uploads/jobmonster/ folder, because the theme did not place an index file (for example an empty index.php) or an .htaccess file disabling indexing in that directory.

On a web server with automatic indexing enabled, anyone who requests the folder URL gets a full list of uploaded files, which here could expose personal data such as applicants’ resumes. Directory listing is best prevented by configuring the web server securely (Options -Indexes on Apache, autoindex off on nginx), but vendors should not rely on the host doing so: shipping an index file and an .htaccess file with the upload directory makes the exposure far less likely.

Read more about the vulnerability here.
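As an added example (not code from the JobMonster theme), the following WordPress helper shows the vendor-side measure described above: creating the upload directory together with an index.php and an .htaccess file so that neither a listing nor direct execution of an uploaded script is served. It assumes WordPress core is loaded (wp_mkdir_p, trailingslashit and wp_upload_dir are core functions); the directory name is hypothetical.

```php
<?php
// Added example, not code from the JobMonster theme: harden a plugin/theme
// upload directory against directory listing and direct script execution.
// Assumes WordPress core is loaded.

function harden_upload_directory(string $dir): array {
    $result = [];
    if (!wp_mkdir_p($dir)) {
        return ['error' => "could not create $dir"];
    }

    // 1) An index file: every web server serves it instead of a listing, whether
    //    or not .htaccess is honoured (nginx ignores .htaccess entirely).
    $index = trailingslashit($dir) . 'index.php';
    if (!file_exists($index)) {
        $result['index.php'] = (bool) file_put_contents($index, "<?php\n// Silence is golden.\n");
    }

    // 2) For Apache 2.4 with AllowOverride enabled: turn off autoindex and refuse
    //    to serve anything PHP-like from the directory, so an uploaded script is
    //    never executed even if an extension check upstream is bypassed.
    $htaccess = trailingslashit($dir) . '.htaccess';
    if (!file_exists($htaccess)) {
        $rules = implode("\n", [
            'Options -Indexes',
            '<FilesMatch "\.(php|phar|phtml|phpt|php[0-9])$">',
            '    Require all denied',
            '</FilesMatch>',
            '',
        ]);
        $result['.htaccess'] = (bool) file_put_contents($htaccess, $rules);
    }
    return $result;
}

// Usage with a hypothetical directory, mirroring the /wp-content/uploads/<name>/ pattern above.
$uploads = wp_upload_dir();
var_dump(harden_upload_directory($uploads['basedir'] . '/example-plugin'));
```

Two caveats: Options -Indexes only takes effect where the Apache configuration grants AllowOverride Options (or All), and Apache 2.2 expects Deny from all instead of Require all denied. The quick check after deploying is to request the folder URL itself and confirm you get a blank page or 403 rather than a file list.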

Discount Rules for WooCommerce

Discount Rules for WooCommerce helps you to create any type of bulk discounts, dynamic pricing, advanced discounts, percentage discounts, product based discounts, tiered discounts for your products.

Vulnerability: Multiple authorization bypass
Fixed in version: 2.2.1
The number of sites affected: 40 000+

In August 2020 we disclosed multiple vulnerabilities affecting the Discount Rules for WooCommerce WordPress plugin, which were patched in version 2.1.0.

The Wordfence team has since found several additional authorization bypass vulnerabilities in the same plugin. The bypasses allowed low-privileged users to reach settings that should have been restricted to administrators and could lead to stored cross-site scripting.

Read more about the plugin vulnerability here.

25 WordPress plugins vulnerable to CSRF attacks

Twenty-five plugins for WordPress were found to be vulnerable to cross-site request forgery (CSRF) attacks: their state-changing actions did not verify a nonce, so a logged-in administrator visiting an attacker-controlled page could be made to perform them.

Vulnerable plugins:

Make sure to update to the latest version if you are running any of the above-mentioned plugins.

Read more about the plugin vulnerability here or here.

MetaSlider

WordPress slider plugin.

Vulnerability: Authenticated stored cross-site scripting
Fixed in version: 3.17.2
The number of sites affected: 800 000+

MetaSlider 3.17.1 contains a stored cross-site scripting vulnerability in the image caption and description parameters of the slide creation module: the values are stored unsanitised and rendered unescaped.

Read more about the plugin vulnerability here.

Affiliate Manager

WP Affiliate Manager can help you manage an affiliate marketing program to drive more traffic and more sales to your store.

Vulnerability: Unauthenticated stored cross-site scripting
Fixed in version: 2.7.8
The number of sites affected: 10 000+

The plugin does not properly validate and sanitise data submitted through the affiliate-register form, allowing an unauthenticated user to store XSS payloads in some of its fields. The payloads are triggered when a privileged user, such as an administrator, views the created affiliate in the backend.

The PoC will be displayed on September 28, 2020, to give users the time to update.

10Web Social Post Feed 

10Web Social Feed is a plugin to display custom Facebook feeds on your website.

Vulnerability: Authenticated SQL injection
Fixed in version: 1.1.27
The number of sites affected: 40 000+

10Web Social Post Feed 1.1.26 is vulnerable to authenticated SQL injection via the search_value parameter of the /wp-admin/admin.php?page=info_ffwd page: the search term is placed into the query without being parameterised.

The PoC will be displayed on September 25, 2020, to give users the time to update.

Email Subscribers & Newsletters

Email Subscribers is a newsletter plugin that lets you collect leads, send automated new blog post notification emails and more.

Vulnerability: Unauthenticated email forgery/spoofing
Fixed in version: 4.5.6
The number of sites affected: 100 000+

The vulnerability allows a remote unauthenticated attacker to send forged emails to all recipients from the available lists of contacts or subscribers, with complete control over the content and subject of the email.

The PoC will be displayed on September 24, 2020, to give users the time to update.

All In One WP Security & Firewall

WordPress user account security, login security, registration security and more.

Vulnerability: CSRF & XSS
Fixed in version: 4.4.4
The number of sites affected: 900 000+

The plugin is vulnerable to Cross-Site Scripting (XSS) within the admin panel, which could be exploited by using a Cross-Site Request Forgery (CSRF) attack.

The vulnerability affecting the All In One WP Security & Firewall plugin required the victim to be running an older web browser to be exploited.

Read more about the plugin vulnerability here.

Asset CleanUp: Page Speed Booster

Vulnerability: CSRF & XSS
Fixed in version: 1.3.6.7
The number of sites affected: 90 000+

Read more about the plugin vulnerability here.

Sticky Menu, Sticky Header (or anything!) on Scroll

The Sticky Menu (or Sticky Header) On Scroll plugin allows you to make any element on your pages “sticky” as soon as it hits the top of the page when you scroll down. 

Vulnerability: CSRF & XSS
Fixed in version: 2.21
The number of sites affected: 100 000+

Read more about the plugin vulnerability here.

LearnPress

LearnPress is a WordPress LMS Plugin.

Vulnerability: CSRF & XSS
Fixed in version: 3.2.7.3
The number of sites affected: 50 000+

Read more about the plugin vulnerability here.

Cookiebot

Cookiebot is a cloud-driven solution that automatically controls cookies and trackers.

Vulnerability: CSRF & XSS
Fixed in version: 3.6.1
The number of sites affected: 50 000+

Read more about the plugin vulnerability here.

Absolutely Glamorous Custom Admin

With this plugin, you can customize the WordPress admin panel, login page, admin menu, admin bar, etc.

Vulnerability: CSRF & XSS
Fixed in version: 6.5.5
The number of sites affected: 40 000+

Read more about the plugin vulnerability here.

Elementor Addon Elements

This plugin adds new widgets to Elementor Page Builder.

Vulnerability: CSRF & XSS
Fixed in version: 1.6.4
The number of sites affected: 90 000+

Read more about the plugin vulnerability here.

Chamber Dashboard Business Directory

Display your directory using short-code or business directory block.

Vulnerability: Authenticated stored cross-site scripting
Fixed in version: no known fix
The number of sites affected: 1 000+

The plugin does not sanitise user input when creating or editing a business in the dashboard, allowing high-privilege users (Editor+) to store XSS payloads in various fields.

Read more about the plugin vulnerability here.


Advanced Database Cleaner

Clean up database by deleting orphaned items such as ‘old revisions’, ‘spam comments’, optimize database and more.

Vulnerability: Authenticated SQL injection
Fixed in version: 3.0.2
The number of sites affected: 50 000+

The plugin did not properly sanitise user input, allowing high-privilege users (admin+) to perform SQL injection attacks. An admin-only injection has limited impact on its own, but it becomes serious when chained with a CSRF flaw that makes an administrator send the request.

The PoC will be displayed on September 20, 2020, to give users the time to update.
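The 10Web search_value issue above and this one share the same root cause, a user-controlled value concatenated into SQL. The following is an added example (not code from either plugin) showing the vulnerable shape next to the $wpdb->prepare() version, including the two details people get wrong with LIKE queries: escaping the wildcard characters and allowlisting the sort column, because prepare() cannot parameterise identifiers. It assumes WordPress core is loaded; the table and column names are hypothetical.

```php
<?php
// Added example, not code from 10Web Social Post Feed or Advanced Database Cleaner.
// Assumes WordPress core is loaded ($wpdb); table/column names are hypothetical.

global $wpdb;

// Vulnerable shape: the search term is concatenated into the statement, so both
// the quoting and the LIKE wildcards are attacker-controlled.
function example_search_feeds_vulnerable(string $search_value): array {
    global $wpdb;
    $sql = "SELECT id, title FROM {$wpdb->prefix}example_feeds "
         . "WHERE title LIKE '%" . $search_value . "%' ORDER BY id DESC";
    return (array) $wpdb->get_results($sql, ARRAY_A);
}

// Hardened: a placeholder for every value, esc_like() so user-supplied % and _
// are literal, and the ORDER BY column picked from an allowlist.
function example_search_feeds(string $search_value, string $orderby = 'id'): array {
    global $wpdb;
    $allowed_orderby = ['id', 'title', 'created_at'];
    if (!in_array($orderby, $allowed_orderby, true)) {
        $orderby = 'id';
    }
    $like = '%' . $wpdb->esc_like($search_value) . '%';
    $sql  = $wpdb->prepare(
        "SELECT id, title FROM {$wpdb->prefix}example_feeds WHERE title LIKE %s ORDER BY {$orderby} DESC LIMIT %d",
        $like,
        50
    );
    return (array) $wpdb->get_results($sql, ARRAY_A);
}

// Constructed payload of the kind a search_value parameter would carry. In the
// vulnerable function it closes the quote and appends a UNION that returns
// password hashes; the trailing "-- " comments out the rest of the statement.
$payload = "x%' UNION SELECT user_login, user_pass FROM {$wpdb->prefix}users -- ";

// With prepare() the entire payload is one quoted, escaped literal that matches
// nothing. Print the statement that would actually be sent:
echo $wpdb->prepare(
    "SELECT id, title FROM {$wpdb->prefix}example_feeds WHERE title LIKE %s",
    '%' . $wpdb->esc_like($payload) . '%'
), "\n";

$rows = example_search_feeds($payload, "id; DROP TABLE x"); // bad orderby falls back to 'id'
```

Even with prepare() in place the endpoint still needs the capability and nonce checks discussed under the CSRF entries: parameterisation fixes the injection, not the fact that the wrong user can reach the query.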

Constant Contact Forms

With Constant Contact Forms you can capture visitor information from your WordPress site.

Vulnerability: Multiple Authenticated Stored XSS
Fixed in version: 1.8.8
The number of sites affected: 40 000+

Multiple stored cross-site scripting vulnerabilities in Constant Contact Forms for WordPress 1.8.7 and lower allow a high-privileged user (Editor+) to inject arbitrary JavaScript or HTML into posts where the malicious form is embedded.

The PoC will be displayed on September 20, 2020, to give users the time to update.

ActiveCampaign

Create personalized customer experiences across channels with the ActiveCampaign plug-in for WordPress.

Vulnerability: Cross-Site Request Forgery in Settings
Fixed in version: 8.0.2
The number of sites affected: 50 000+

The ActiveCampaign 8.0.1 plugin lacks a CSRF (nonce) check on its Settings form, which could allow an attacker to make a logged-in administrator change the stored API credentials to the attacker’s account, redirecting the site’s contact data to an account the attacker controls.

The PoC will be displayed on September 20, 2020, to give users the time to update.
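The ActiveCampaign settings form, the 25 CSRF-affected plugins, the XCloner AJAX endpoint and the NextScripts privilege issue below are all instances of a handler missing one or both of two checks: a nonce (anti-CSRF) and a capability check (authorization). The following added example (not code from any of those plugins) shows a settings handler and an AJAX endpoint with both checks, next to the unchecked shape. It assumes WordPress core is loaded; the option name, action names and form fields are hypothetical.

```php
<?php
// Added example, not code from any plugin named on this page. Assumes WordPress
// core is loaded; option/action/field names are hypothetical.

const EXAMPLE_OPTION = 'example_plugin_api_key';

// Vulnerable shape (shown for contrast, deliberately NOT hooked): any logged-in
// administrator who visits an attacker page with an auto-submitting form gets
// the API key silently replaced.
function example_save_settings_insecure(): void {
    update_option(EXAMPLE_OPTION, $_POST['api_key'] ?? '');   // no nonce, no capability check, no sanitisation
}

// Hardened settings handler reached via admin-post.php?action=example_save.
add_action('admin_post_example_save', function () {
    // 1) Authorization. A nonce is not a permission check: without this line a
    //    subscriber could submit the form directly (the XCloner/NextScripts class of bug).
    if (!current_user_can('manage_options')) {
        wp_die('Insufficient permissions', '', ['response' => 403]);
    }
    // 2) CSRF. Dies with 403 unless the request carries a nonce tied to this
    //    action and to the current user's session.
    check_admin_referer('example_save_settings', 'example_nonce');

    // 3) Validate and sanitise before storing.
    $api_key = sanitize_text_field(wp_unslash($_POST['api_key'] ?? ''));
    if (!preg_match('/^[A-Za-z0-9_-]{16,128}$/', $api_key)) {
        wp_die('Invalid API key format', '', ['response' => 400]);
    }
    update_option(EXAMPLE_OPTION, $api_key);
    wp_safe_redirect(admin_url('options-general.php?page=example&updated=1'));
    exit;
});

// The form that feeds the handler: wp_nonce_field() emits the hidden input
// that check_admin_referer() later verifies.
function example_render_settings_form(): void {
    ?>
    <form method="post" action="<?php echo esc_url(admin_url('admin-post.php')); ?>">
        <input type="hidden" name="action" value="example_save">
        <?php wp_nonce_field('example_save_settings', 'example_nonce'); ?>
        <label>API key
            <input type="text" name="api_key"
                   value="<?php echo esc_attr(get_option(EXAMPLE_OPTION, '')); ?>">
        </label>
        <?php submit_button('Save'); ?>
    </form>
    <?php
}

// Same two checks for an AJAX endpoint: check_ajax_referer() verifies the nonce
// passed as the "nonce" request parameter and dies on failure.
add_action('wp_ajax_example_export', function () {
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    check_ajax_referer('example_export', 'nonce');
    wp_send_json_success(['status' => 'export started']);
});
```

The order matters less than having both: the capability check stops a low-privileged account from calling the endpoint itself, and the nonce stops a high-privileged account from being tricked into calling it. When you audit a plugin, grep its admin_post_, wp_ajax_ and admin_init handlers for exactly these two calls.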

NextScripts: Social Networks Auto-Poster

This plugin automatically publishes posts from your blog to your Social Media accounts such as Facebook, Twitter, Google+(Google Plus), Blogger, Tumblr, Flickr, LinkedIn, and more.

Vulnerability: Insufficient Privilege Validation
Fixed in version: 4.3.18
The number of sites affected: 100 000+

The plugin did not check the caller’s privileges before applying settings changes, so any subscriber could modify them. Once an attacker with a subscriber account has changed the plugin settings, the issue can potentially be exploited further by unauthenticated users.

Read more about the plugin vulnerability here.

Plugin Vulnerability Needs A Virtual Patch Or An Update

WebARX web application firewall gets virtual patches that are distributed automatically among the sites when vulnerabilities are discovered. Threat intelligence and prevention are our main focus and thus our firewall engine is updated on a daily basis.

Websites with WebARX firewall installed are protected from the security issues mentioned in this article. If you are not protecting your WordPress site against plugin vulnerabilities yet go and start for free here.
