
WordPress vulnerability news is a weekly digest of highlighted vulnerable WordPress plugins and newly published vulnerability disclosures (there are other, less critical vulnerabilities in smaller plugins that unfortunately do not always make it to the list).

Keeping up to date with security vulnerabilities in WordPress and other CMSs is an important part of security. That is why we analyze vulnerable plugins and newly disclosed vulnerabilities, to make sure that sites using the mentioned plugins or themes are protected.

All the vulnerabilities listed in this article have received a virtual patch in the WebARX firewall. This means that if you use the WebARX web application firewall, your site is protected against these vulnerabilities, but it is still strongly advised to update or delete vulnerable plugins from your site.

Is your WordPress site secured? Take a look at how to secure your site here.

If you are a WordPress plugin developer, read how to secure plugins from an attacker's perspective.

Authenticated Code Injection in ElegantThemes (Divi, Extra, Divi-Builder)


A library of popular WordPress themes and visual page builders.

Vulnerability type: Authenticated code injection
Vulnerable version: below 4.0.10
Number of sites affected: N/A

A code injection vulnerability was discovered during a routine code audit that could allow logged-in contributors, authors, and editors to execute a small set of PHP functions.

Affected (before the fix in 4.0.10):
– Divi version 3.23 and above
– Extra version 2.23 and above
– Divi Builder version 2.23 and above

Version 4.0.10 of each product includes the security patch.

Read more about the vulnerability here.

CSRF to XSS in WooCommerce Conversion Tracking Plugin


The plugin inserts conversion tracking codes on the WooCommerce cart page, the checkout success page and after user registration, so you can track who is adding your products to the cart, who is buying them and who is registering on your site.

Vulnerability: CSRF to XSS
Vulnerable version: 2.0.5 and below
Number of sites affected: 20 000+

The settings page of the plugin is lacking CSRF checks as well as input sanitization, leading to stored XSS.

The PoC will be published on January 17, 2020, to give users time to update.

Read more about the vulnerable plugin here.

Post Submission Spoofing & Stored XSS in Postie Plugin

Postie offers many advanced features for creating posts by email, including the ability to assign categories by name, included pictures and videos, and automatically strip off signatures.

Vulnerability: Post submission spoofing & stored XSS
Vulnerable version: 1.9.40 and below
Number of sites affected: 20 000+

The Postie plugin for WordPress only accepts posts submitted by authorized users, that is, from sender addresses registered in the plugin settings.

However, by spoofing the email sender address it was possible to bypass this setting and publish a post as if it had been sent by a valid user. This could be used to create a post containing an XSS payload.

Read more about the vulnerable plugin here.

Unauthorized Authenticated Users Export in Import Users From CSV with Meta


Clean and easy-to-use Import users plugin. It includes custom user meta to be included automatically from a CSV file and delimitation auto-detector.

Vulnerability: Unauthorized authenticated user export
Vulnerable version: 1.15
Number of sites affected: 30 000+

The export_users_csv function, registered as an authenticated AJAX action to export users, was missing an authorization (capability) check. A CSRF (nonce) check was in place, which reduces the severity of the issue: an attacker needs to be logged in and to hold a valid nonce, but no particular role is required.
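The bug class above, as an added illustration that is not the Import Users From CSV with Meta plugin's own code: a `wp_ajax_` handler that verifies a nonce but never checks a capability, beside a version that does. The hook, action and function names (`ex_export_users`, `ex_export_users_vuln`, `ex_build_user_export`) are hypothetical, and the snippet is plugin code that runs inside WordPress, since `check_ajax_referer`, `current_user_can` and `get_users` are WordPress core functions.

```php
<?php
// Added illustration of a wp_ajax_ handler that is missing its capability
// check. Not the plugin's own code. Runs inside WordPress as part of a
// plugin; the hook, action and function names are hypothetical.

/**
 * Build the user export. Kept separate from request handling so that the two
 * handlers below differ only in the checks they perform.
 */
function ex_build_user_export() {
    return get_users( array(
        'fields' => array( 'ID', 'user_login', 'user_email', 'display_name' ),
    ) );
}

/**
 * VULNERABLE: the only gate is the nonce.
 *
 * A WordPress nonce is derived from the action name and the *current user's*
 * session, so it proves "this request came from a page WordPress rendered
 * for this logged-in user". It says nothing about what that user may do.
 * Any account that can obtain the nonce (a Subscriber, if the nonce is
 * printed on a page they can load) can pull the full user list.
 */
function ex_ajax_export_users_vuln() {
    check_ajax_referer( 'ex_export_users', 'nonce' );
    wp_send_json_success( ex_build_user_export() );
}
add_action( 'wp_ajax_ex_export_users_vuln', 'ex_ajax_export_users_vuln' );

/**
 * FIXED: nonce check (CSRF) plus capability check (authorization).
 * 'list_users' is the capability WordPress itself requires for the Users
 * screen, so the export is exactly as restricted as the data it exposes.
 */
function ex_ajax_export_users() {
    check_ajax_referer( 'ex_export_users', 'nonce' );
    if ( ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( 'Insufficient privileges', 403 );
    }
    wp_send_json_success( ex_build_user_export() );
}
add_action( 'wp_ajax_ex_export_users', 'ex_ajax_export_users' );

/**
 * Hand the nonce only to users who could pass the capability check, so it
 * never appears on pages that lower-privileged users can read. This is a
 * second layer, not a substitute for the check inside the handler.
 * 'admin_footer-users.php' fires only on the Users screen.
 */
function ex_print_export_nonce() {
    if ( ! current_user_can( 'list_users' ) ) {
        return;
    }
    printf(
        '<script>var exExport = { url: %s, nonce: %s };</script>',
        wp_json_encode( admin_url( 'admin-ajax.php' ) ),
        wp_json_encode( wp_create_nonce( 'ex_export_users' ) )
    );
}
add_action( 'admin_footer-users.php', 'ex_print_export_nonce' );
```

To confirm the difference, log in as a Subscriber, take a nonce for the `ex_export_users` action from any page that prints one for that session, and POST `action=ex_export_users_vuln&nonce=...` and then `action=ex_export_users&nonce=...` to `wp-admin/admin-ajax.php`: the first returns the user list, the second a 403 JSON error.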

Only version 1.15 seems to be affected as the export functionality is a new feature introduced by it.

Read more about the vulnerable plugin here.


Unauthenticated Reflected XSS in Ultimate FAQ Plugin


FAQ plugin that lets you create, organize and publicize your FAQs (frequently asked questions) in no time through your WordPress admin panel.

Vulnerability: Unauthenticated reflected XSS
Vulnerable version: 1.8.30 and below
Number of sites affected: 40 000+

The HTML code generated by the FAQ shortcode does not sanitize the Display_FAQ GET parameter, leading to an unauthenticated reflected Cross-Site Scripting issue on pages where such shortcode is used.
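The reflected XSS pattern above, as an added illustration that is not the Ultimate FAQ plugin's code: a shortcode that echoes GET parameters unescaped, beside a version that validates and escapes them. The shortcode, parameter and function names (`ex_faq`, `ex_faq_q`, `ex_faq_shortcode`) are hypothetical, and the snippet is plugin code that runs inside WordPress, since `add_shortcode`, `absint`, `esc_attr` and `esc_html` are core functions.

```php
<?php
// Added illustration of reflected XSS through GET parameters read inside a
// shortcode, beside the fixed form. Not the Ultimate FAQ plugin's code. Runs
// inside WordPress as part of a plugin; shortcode, parameter and function
// names are hypothetical.

/**
 * VULNERABLE: request input goes straight into HTML, in two contexts.
 *
 * On a public page containing [ex_faq_vuln], a link such as
 *   ?ex_faq_q=%22%3E%3Cscript%3Ealert(document.domain)%3C%2Fscript%3E
 * breaks out of the markup and runs script for whoever follows it. No login
 * is needed because the shortcode renders for anonymous visitors.
 */
function ex_faq_shortcode_vuln( $atts ) {
    $id    = isset( $_GET['ex_faq'] ) ? $_GET['ex_faq'] : '';
    $query = isset( $_GET['ex_faq_q'] ) ? $_GET['ex_faq_q'] : '';

    return '<div class="ex-faq" data-selected="' . $id . '">'
         . '<p>Results for: ' . $query . '</p>'
         . '</div>';
}
add_shortcode( 'ex_faq_vuln', 'ex_faq_shortcode_vuln' );

/**
 * FIXED.
 *
 * Two layers. First, narrow the input according to what the value *is*: an
 * FAQ id is a non-negative integer (absint), a search string is plain text
 * (sanitize_text_field). Then escape according to where the value *goes*:
 * esc_attr inside an attribute value, esc_html inside element text. The
 * output escaping is what stops the injection; the input step is defence in
 * depth. wp_unslash() removes the slashes WordPress adds to request data.
 */
function ex_faq_shortcode( $atts ) {
    $atts = shortcode_atts( array( 'default' => 0 ), $atts, 'ex_faq' );

    $id = isset( $_GET['ex_faq'] )
        ? absint( wp_unslash( $_GET['ex_faq'] ) )
        : absint( $atts['default'] );

    $query = isset( $_GET['ex_faq_q'] )
        ? sanitize_text_field( wp_unslash( $_GET['ex_faq_q'] ) )
        : '';

    return '<div class="ex-faq" data-selected="' . esc_attr( $id ) . '">'
         . '<p>Results for: ' . esc_html( $query ) . '</p>'
         . '</div>';
}
add_shortcode( 'ex_faq', 'ex_faq_shortcode' );
```

The choice of escaping function follows the output context, not the input source: a value that is safe as element text can still break out of an attribute or a URL, so `esc_attr` and `esc_url` are not interchangeable with `esc_html`.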

The PoC will be published on January 20, 2020, to give users time to update.

Read more about the vulnerable plugin here.

Arbitrary API Key update via CSRF in WP Simple Spreadsheet Fetcher For Google Plugin


This is a simple plugin to fetch data from Google Sheets and display it on your website.

Vulnerability: Arbitrary API key update via CSRF
Vulnerable version: 0.3.7 and below
Number of sites affected: about 10

The lack of Cross-Site Request Forgery (CSRF) checks on the plugin’s settings page could allow CSRF attacks to set an arbitrary API key.
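The missing-CSRF-check pattern in this entry and in the WooCommerce Conversion Tracking entry above, as an added illustration that is not either plugin's code: a settings save handler with no nonce, capability check or sanitization, beside the hardened version and the form that feeds it. The option, action and function names (`ex_api_key`, `ex_tracking_id`, `ex_save_settings`) and the key-format regexes are hypothetical, and the snippet is plugin code that runs inside WordPress, since `check_admin_referer`, `wp_nonce_field` and `update_option` are core functions.

```php
<?php
// Added illustration of a settings save handler without CSRF, authorization
// or sanitization, beside the hardened form. Not the code of either plugin
// named above. Runs inside WordPress as part of a plugin; option, action and
// function names and the key-format regexes are hypothetical.

/**
 * VULNERABLE: anything that can make the victim's browser POST here wins.
 *
 * An attacker page with a self-submitting <form> targeting
 *   wp-admin/admin-post.php?action=ex_save_settings_vuln
 * is sent with the logged-in administrator's cookies. Without a nonce nothing
 * ties the request to a form WordPress rendered; without a capability check
 * any logged-in role can also call it directly; and when the stored value is
 * later echoed into the settings page unescaped, the CSRF becomes stored XSS
 * in the admin's browser (the WooCommerce Conversion Tracking case), or a
 * silent API-key swap that points the plugin at attacker-controlled data
 * (this entry).
 */
function ex_save_settings_vuln() {
    update_option( 'ex_api_key', $_POST['api_key'] );
    update_option( 'ex_tracking_id', $_POST['tracking_id'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=ex-settings' ) );
    exit;
}
add_action( 'admin_post_ex_save_settings_vuln', 'ex_save_settings_vuln' );

/**
 * FIXED: authorization, then CSRF, then validation, in that order.
 */
function ex_save_settings() {
    // 1. Authorization: plugin settings are an administrator concern.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', 403 );
    }

    // 2. CSRF: check_admin_referer() verifies the nonce emitted by
    //    wp_nonce_field() in the form below and dies on mismatch or expiry.
    check_admin_referer( 'ex_save_settings', 'ex_nonce' );

    // 3. Validate against the shape the value is supposed to have. Both are
    //    opaque identifiers, so an allow-list regex is stricter than merely
    //    stripping tags. (The character classes are assumptions; use the
    //    real provider's key format.)
    $api_key     = isset( $_POST['api_key'] ) ? sanitize_text_field( wp_unslash( $_POST['api_key'] ) ) : '';
    $tracking_id = isset( $_POST['tracking_id'] ) ? sanitize_text_field( wp_unslash( $_POST['tracking_id'] ) ) : '';

    if ( '' !== $api_key && ! preg_match( '/^[A-Za-z0-9_-]{16,128}$/', $api_key ) ) {
        wp_die( 'API key has an unexpected format', 400 );
    }
    if ( '' !== $tracking_id && ! preg_match( '/^[A-Za-z0-9-]{1,64}$/', $tracking_id ) ) {
        wp_die( 'Tracking ID has an unexpected format', 400 );
    }

    update_option( 'ex_api_key', $api_key );
    update_option( 'ex_tracking_id', $tracking_id );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=ex-settings' ) ) );
    exit;
}
add_action( 'admin_post_ex_save_settings', 'ex_save_settings' );

/**
 * The settings form. wp_nonce_field() emits the hidden nonce the handler
 * checks, and every stored value is escaped for its output context, so even
 * a value that slipped past validation cannot break out of the attribute.
 */
function ex_render_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="ex_save_settings">
        <?php wp_nonce_field( 'ex_save_settings', 'ex_nonce' ); ?>
        <p><label>API key
            <input type="text" name="api_key"
                   value="<?php echo esc_attr( get_option( 'ex_api_key', '' ) ); ?>"></label></p>
        <p><label>Tracking ID
            <input type="text" name="tracking_id"
                   value="<?php echo esc_attr( get_option( 'ex_tracking_id', '' ) ); ?>"></label></p>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
add_action( 'admin_menu', function () {
    add_options_page( 'Example settings', 'Example', 'manage_options', 'ex-settings', 'ex_render_settings_page' );
} );
```

The capability check comes before the nonce check so that an unauthorized caller gets a 403 rather than a nonce error, and the value is validated before it is stored rather than cleaned up at display time: an API key that is only escaped on output is still a working key for the attacker's account.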

The PoC will be published on January 20, 2020, to give users time to update.

Read more about the vulnerable plugin here.

Conclusion: Always Update Vulnerable Plugins

WordPress sites are hacked and infected every day; some statistics put the number of websites infected with some type of malware at about 30,000 daily. Every public website is a resource reachable from the internet, and therefore a target: as soon as your site is available to the public, it becomes one.

It can take just days from a disclosed plugin vulnerability to a full-scale attack campaign. Attacks of this nature are almost always automated, so you have only a small time window in which to act. In such cases, web application firewalls are critically important.

Always keep your plugins updated so that you have no vulnerable plugins on your site. If possible, enable automatic updates. If you use any of the plugins mentioned above, update to the latest version as soon as possible so that these WordPress plugin security vulnerabilities do not affect your sites.

WebARX web application firewall gets virtual patches that are distributed automatically among the sites when vulnerabilities are discovered. Threat intelligence and prevention are our main focus and thus our firewall engine is updated on a daily basis.

Websites with the WebARX firewall installed are protected from the security issues mentioned in this article. If you are not yet protecting your WordPress site against plugin vulnerabilities, go and start for free here.
