On-Going Wordpress Plugin Vulnerability Community Alerts

[Ryuzaki]

I've been wanting to make this thread for a while but always am too busy to fire it off. Almost every day another vulnerability is found in commonly used Wordpress plugins. I know Wordpress wants to set up a system to force auto-updates for these cases, but it doesn't exist yet and lots of people can't opt into it anyways or it risks breaking their sites further.

The point of this is two-fold:

1. Every additional plugin you install increases your risk of being hacked or harmed in some regard.
2. Many plugins are coded poorly which also impact your speed and user experience.

Let each post in this thread serve as a reminder to always keep your plugins updated. When a vulnerability is found it's announced to the world. And then the race is on to see who can get to your site first, you (to update the plugin) or the hacker (to hack your site). And that's assuming the developer has even had a chance to push an update.

____

Today's vulnerability is...

Ninja Forms
Update Available: Yes
Vulnerability Rating: Severe
Type: Cross-Site Request Forgery (CSRF) & Cross-Site Scripting (XSS)
Link: https://ninjaforms.com

Basically, a form can be submitted with a script in such a way that, which is not sanitized or validated by nonces, that executes the script and adds new administrator accounts. From there, they can do whatever they want to your site. Update to Ninja Forms version 3.4.24.2 to patch this vulnerability.

 

[Ryuzaki]

While I'm at it... Yesterday's vulnerability was... plus some recent bonuses...

Quick Page/Post Redirect Plugin
Update Avaliable: No
Vulnerability Rating: Severe
Type: Unauthenticated Settings Change
Link: Removed from Repo

This plugin didn't have a capability check and the security nonce was weak, allowing low-privilege users such as a contributor to alter settings in the plugin to 301 redirect your posts, pages, or the whole site to a malicious site through the HTTP Location Header. It will not be fixed as the plugin is abandoned, so you 200,000+ users need to uninstall it.

____

WP GDPR Plugin
Update Avaliable: No
Vulnerability Rating: Severe
Type: Cross-Site Scripting (XSS)
Link: Removed from Repo

People could drop Javascript code into your comments and then it would be executed when other people visit the page. They can gain access to the entire comments table and change any of the 14 fields within, as well as delete them or change this plugins settings. 6,000+ users should uninstall this.

_____

Elementor
Update Avaliable: Yes
Vulnerability Rating: High Severity
Type: Cross-Site Scripting (XSS)
Link: https://elementor.com

Over 4 million users need to update their Elementor plugin pronto. Basically any authenticated user (even someone signed up just for comments) can enable Safe Mode, which lets anyone including un-authenticated users interact with the plugins on your site. They could remove all of your security plugins to then unearth more vulnerabilities and have an all-you-can-destroy buffet on your site.

_____

Ultimate Addons for Gutenberg
Update Avaliable: Yes
Vulnerability Rating: Mild
Type: Injection
Link: https://wordpress.org/plugins/ultimate-addons-for-gutenberg/

The basics is that a user could sent a POST request which would unveil the security nonce for six AJAX actions, letting the user then interact with them, doing stuff like activating and deactivating widgets and messing with updates and file generation.

_____

It'll be hard for me to keep up with all this, as these problems are discovered daily. The most problematic ones will probably cross one of our paths, so sharing information about it here would be good for the community as a whole if you have the time.

 

[Ryuzaki]

Today's Vulnerability (or yesterday if you want to be picky)...

Wordpress 5.4.0 and below
Update Avaliable: Yes & Automatic
Vulnerability Rating: Severe
Type: Cross-Site Scripting (XSS)

Wordpress automatically updated everyone to version 5.4.1, and is a security update with 7 fixes. They were:

• Password reset tokens failed to be properly invalidated
• Certain private posts can be viewed by unauthenticated users
• Two XSS Issues in the Customizer
• An XSS issue in the Search Block
• An XSS issue in wp-object-cache
• An XSS issue in file uploads
• An authenticated XSS issue in the block editor

Older installs have been patched too, but you'd do well to check and make sure, because this has now been announced to the world. The script kiddies will be scraping. I always hide my WP version and block access to stuff like the readme.txt and anything that mentions the version.

 

[eliquid]

Is there anyway to prevent WP from updating your site?

I have some that I thought I somehow marked as "do not upgrade". Old WP sites. But someone got updated a day or 2 ago.

Anyway to stop this completely?

 

[Ryuzaki]

Elementor < v2.8.7
Update Avaliable: Yes
Vulnerability Rating: Medium
Type: Cross-Site Scripting (XSS)

Everyone's favorite page builder is back again. This one required a malicious actor to be a user and have the ability to upload files. If "Enable SVG Uploads" were allowed, a user could upload an SVG image file that contained bad scripts within them. That's because they weren't being sanitized with case-sensitivity. So you could use something like HRef or hReF and still place links to scripts within them.

They also had two sanitization functions to remove PHP comments and PHP code in the wrong order, which would cause PHP to be left in the SVG code and executed.

Not a huge deal. I doubt any of us are letting just anybody become a user and upload files. But if you use Elementor and force users to sign up to comment or for any other reason, make sure those users permissions are locked down properly.

Is there anyway to prevent WP from updating your site?

I have some that I thought I somehow marked as "do not upgrade". Old WP sites. But someone got updated a day or 2 ago.

Anyway to stop this completely?

@eliquid, I've not done this myself but a quick search says you can add the following into your wp-config.php file:

define( 'WP_AUTO_UPDATE_CORE', false );
add_filter( 'auto_update_plugin', '__return_false' );
add_filter( 'auto_update_theme', '__return_false' );

The name of each filter is self-explanatory. Again, I've not tested this myself, but I do use several wp-config.php commands like this that all work properly.

 

[Ryuzaki]

Google Site Kit Wordpress Plugin < 1.8.0
Update Avaliable: Yes
Vulnerability Rating: Critical
Type: Privilege Escalation

WordFence found and disclosed this to Google privately, so it's already patched. Just update your plugin. It allows an attacker to change your sitemaps and remove pages from the index through access to Search Console, as long as they can register as a user of any type. It gives them admin-level privileges, so they could do other types of damage too, like inserting links into your posts.

 

[Ryuzaki]

Pagelayer < 1.1.2
Update Available: Yes
Vulnerability Rating: Critical
Type: Privilege Escalation

WordFence found and disclosed a means for an attacker with subscriber level accounts to forge a request as an administrator, inject malicious Javascript, and update and modify posts, as well as other issues. WordFence describes it as an "Unprotected AJAX and Nonce Disclosure to Stored Cross-Site Scripting and Malicious Modification." Pagelayer is a page builder plugin with over 200,000+ active installations.

 

[Saiten]

A few weeks ago I noticed that a couple of my websites were hacked. All had themes and plugins from Thrive on it that I haven't updated in a while.

Just wanted to give you a heads up as from what I remember some of you were using Themes from Thrive aswell.

"On March 23, 2021, the Wordfence Threat Intelligence Team discovered two recently patched vulnerabilities being actively exploited in Thrive Theme’s “Legacy” Themes and Thrive Theme plugins that were chained together to allow unauthenticated attackers to upload arbitrary files on vulnerable WordPress sites. We estimate that more than 100,000 WordPress sites are using Thrive Theme products that may still be vulnerable."

More info here: https://www.wordfence.com/blog/2021...thrive-themes-actively-exploited-in-the-wild/

 

[Ryuzaki]

I kind of got sick of updating this thread but here's two vulnerabilities today that probably effect nearly everyone here:

Wordpress < 5.7.2
Update Available: Yes
Vulnerability Rating: Critical
Type: Object Injection

If you have automatic updates for the WP Core on then you're good to go. This is a problem with PHPMailer, which Wordpress uses. The basics is that if you have unsanitized inputs (from pre-built themes) then code injection, SQL injection, path traversal and other issues can happen.

WP Autoptimize Plugin < 2.8.4
Update Available: Yes
Vulnerability Rating: Critical
Type: Stored XSS

The basics of this one is a bad actor could upload a file that then delivers a payload from another domain to your users, your admin user (which then offers access to the rest of the site or server), etc. The payload can also be stored on your own server, which then serves as a first-party file.

 

[Darth]

I kind of got sick of updating this thread but here's two vulnerabilities today that probably effect nearly everyone here:

You're the MVP

 

[gunnar]

If you are using WP User Avatar for a multi author blog, like i did, don't update. It installs garbage and breaks your site.
Some pages were redirected to wp-login, new pages generated, and XMLRPC script called with every page visit.

Read more: https://wordpress.org/support/plugin/wp-user-avatar/reviews/?filter=1

 

[Bobish]

WP Fastest Cache plugin exploit that can lead to full site takeover patched on 10/14

https://www.searchenginejournal.com/wp-fastest-cache-vulnerability/424278/

 

[Ryuzaki]

Ten Vulnerable Plugins Right Now. Update if you use them:

1. Updraft Wordpress Backup Plugin - 3,000,000+
2. Header Footer Code Manager - 300,000+
3. Ad Inserter – Ad Manager & AdSense Ads - 200,000+
4. Popup Builder WordPress plugin - 200,000+
5. Anti-Malware Security and Brute-Force Firewall - 200,000+
6. WP Content Copy Protection & No Right Click - 100,000+
7. Database Backup for WordPress - 100,000+
8. GiveWP – Donation Plugin and Fundraising Platform - 100,000+
9. Download Manager - 100,000+
10. Advanced Database Cleaner WordPress plugin - 80,000+

The Updraft one is very popular and was so bad that Wordpress pushed an automatic update, but you may have those turned off, so please check your sites.

They're all some variation of Cross-Site Scripting exploits, SQL Injection exploits, Cross Site Request Forgery vulnerabilities, not sanitizing and escaping fragments, and so forth.

 

[Darth]

Wow, re Updraft, that's a biggie! Ad Inserter too...

SECURITY: Thanks to Marc-Alexandre Montpas of Automattic for this report (CVE: CVE-2022-23303). All versions of UpdraftPlus from March 2019 onwards have contained a vulnerability caused by a missing permissions-level check, allowing untrusted users access to backups. If your site does not have non-admin users, or if your non-admin users are all trusted (and your site does not allow users to sign up themselves), then you are not vulnerable (but we always recommend updating to the latest version in any case). Please see https://updraftplus.com/updraftplus-security-release-1-22-3-2-22-3/ for more details.

 

[Rewire]

I remember Joomla had huge vulnerability. People made millions with hacked links and fast rankings.

 

[NetZero]

Woocommerce Payment

FYI I got an e-mail from Wordfence this morning so it's fresh. A major attack on this specific plugin going on.
https://www.wordfence.com/blog/2023...PjQ&utm_content=266639985&utm_source=hs_email

 

[wikibum]

Even if you keep plugins updated - some vulnerabilities won't be found until AFTER they happen. Another reason why constant backups are key.