WordPress Vulnerability Roundup: January 2020, Part 1

New WordPress plugin and theme vulnerabilities were disclosed during the first half of January, so we want to keep you aware. In this post, we cover recent WordPress plugin, theme and core vulnerabilities and what to do if you are running one of the vulnerable plugins or themes on your website.

The WordPress Vulnerability Roundup is divided into four different categories:

  1. WordPress core
  2. WordPress plugins
  3. WordPress themes
  4. Breaches from around the web

Note: You can skip ahead to the Vulnerability Summary Chart for the first part of January 2020 listed below.

WordPress Core Vulnerabilities

No WordPress core vulnerabilities have been disclosed in January 2020 so far.

WordPress Plugin Vulnerabilities

Several new WordPress plugin vulnerabilities have been discovered this month so far. Make sure to follow the suggested action below to update the plugin or completely uninstall it.

1. Donorbox

Donorbox versions 7.1 and 7.1.1 are vulnerable to a Stored Cross-Site Request Forgery attack.

What You Should Do

The vulnerability has been patched, and you should update it to version 7.1.2.

2. Quiz And Survey Master

Quiz and Survey Master version 6.3.4 and below is vulnerable to an Authenticated Reflected XSS attack.

What You Should Do

The vulnerability has been patched, and you should update it to version 6.3.5.

3. 301 Redirects

301 Redirects version 2.4.0 and below has multiple vulnerabilities, including Authenticated Arbitrary Redirect Injection and Modification, XSS, and CSRF.

What You Should Do

The vulnerability has been patched, and you should update it to version 2.45.

4. Rencontre

Rencontre version 3.2.2 and below includes multiple Cross-Site Request Forgery vulnerabilities.

What You Should Do

The vulnerability has been patched, and you should update it to version 3.2.3.

5. Featured Image from URL

Featured Image from URL versions 2.7.7 and below are missing access controls on their REST routes, creating a Broken Authentication vulnerability.

What You Should Do

The vulnerability has been patched, and you should update it to version 2.7.8.

6. bbPress Members Only

bbPress Members Only versions 1.2.1 and below are vulnerable to a Cross-Site Request Forgery attack on the plugin's Optional Settings page.

What You Should Do

The vulnerability has been patched, and you should update it to version 1.3.1.

7. bbPress Login Register Links On Forum Topic Pages

bbPress Login Register Links On Forum Topic Pages versions 2.7.5 and below include a Cross-Site Request Forgery vulnerability that can lead to a Stored Cross-Site Scripting attack.

What You Should Do

The vulnerability has been patched, and you should update it to version 2.8.5.

8. GDPR Cookie Compliance

GDPR Cookie Compliance versions 4.0.2 and below lack a capabilities check and a security nonce, which allows any authenticated user to delete the plugin settings.

What You Should Do

The vulnerability has been patched, and you should update it to version 4.0.3.

9. Photo Gallery

Photo Gallery versions 2.0.6 and below are vulnerable to an Arbitrary Plugin Deactivation attack. The plugin doesn't check capabilities and will allow subscribers to deactivate the plugin via the WordPress AJAX API.

What You Should Do

The vulnerability has been patched, and you should update it to version 2.0.7.
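The GDPR Cookie Compliance, Photo Gallery and Import Users From CSV with Meta entries all come down to the same missing pair of checks on a privileged action. The following is an added illustration, not code from any of those plugins: a hypothetical settings-reset handler exposed over admin-ajax.php, first as the vulnerable pattern and then with the capability check and nonce that the patches add. Hook names, action names and the option key are invented for the example.

```php
<?php
// Added illustration (not code from any plugin in this roundup).
// Every hook, action name and option key below is hypothetical.

// Vulnerable pattern: wp_ajax_* handlers are reachable by ANY logged-in
// user, including subscribers, and nothing here confirms that the caller
// is allowed to perform the action or actually intended to trigger it.
add_action( 'wp_ajax_example_reset_settings', 'example_reset_settings_unsafe' );
function example_reset_settings_unsafe() {
    delete_option( 'example_plugin_settings' ); // any subscriber can wipe settings
    wp_send_json_success();
}

// Hardened pattern: the nonce check rejects a request forged from another
// site in an administrator's browser (CSRF), and the capability check
// rejects callers who are logged in but not permitted to manage settings.
add_action( 'wp_ajax_example_reset_settings_v2', 'example_reset_settings_safe' );
function example_reset_settings_safe() {
    // check_ajax_referer() terminates the request if the nonce is missing,
    // stale or was issued for a different action.
    check_ajax_referer( 'example_reset_settings', 'nonce' );

    // Use the capability that matches the action: manage_options for
    // plugin settings, activate_plugins for (de)activating plugins,
    // list_users for exporting user data.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }

    delete_option( 'example_plugin_settings' );
    wp_send_json_success();
}

// The admin page that triggers the action must issue the matching nonce,
// so the value the handler verifies is tied to this user and this action.
function example_print_reset_button() {
    $nonce = wp_create_nonce( 'example_reset_settings' );
    printf(
        '<button data-action="example_reset_settings_v2" data-nonce="%s">Reset settings</button>',
        esc_attr( $nonce )
    );
}
```

A nonce alone does not replace the capability check: WordPress issues nonces to every logged-in user, so a subscriber who can load the page can obtain one, which is why both checks are needed.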

10. Minimal Coming Soon & Maintenance Mode

Minimal Coming Soon & Maintenance Mode versions 2.10 and below have multiple vulnerabilities, including an insecure permission flaw that could allow authenticated users to enable or disable the plugin and import or export its settings. The plugin also includes a Cross-Site Request Forgery vulnerability leading to Stored XSS and settings changes.

What You Should Do

The vulnerability has been patched, and you should update it to version 2.17.

11. WooCommerce Conversion Tracking

WooCommerce Conversion Tracking versions 2.04 and below are vulnerable to a Cross-Site Request Forgery attack leading to Stored XSS.

What You Should Do

The vulnerability has been patched, and you should update it to version 2.0.5.

12. Postie

Postie versions 1.9.40 and below have a Post Spoofing and Stored XSS vulnerability that can lead to an unauthenticated user publishing a new post. This is a zero-day vulnerability and anyone can easily find instructions on exploiting the Postie plugin.

What You Should Do

WordPress.org closed Postie on January 8th, 2019, so I would suggest removing the plugin and finding a replacement.

13. Import Users From CSV with Meta

Import Users From CSV with Meta version 1.15 has an Unauthorized Authenticated Users Export vulnerability. A missing capabilities check would allow an unauthorized user to export WordPress users.

What You Should Do

The vulnerability has been patched, and you should update it to version 1.15.0.1.

14. Ultimate FAQ

Ultimate FAQ versions 1.8.29 and below have an Unauthenticated Reflected XSS vulnerability. The FAQ shortcode does not sanitize the Display_FAQ GET parameter, which can lead to a Reflected Cross-Site Scripting attack on pages where the shortcode is displayed.

What You Should Do

The vulnerability has been patched, and you should update it to version 1.8.30.
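The Ultimate FAQ issue above is the classic reflected XSS shape: a request parameter flows straight into shortcode output. As an added illustration (not Ultimate FAQ's code), here is a hypothetical [example_faq] shortcode that reads a parameter named Display_FAQ, as the advisory describes, first unsafely and then with validation and context-appropriate escaping. The shortcode name, function names and post type are invented for the example.

```php
<?php
// Added illustration (not code from the Ultimate FAQ plugin).
// Only the parameter name Display_FAQ comes from the advisory; the
// shortcode, function names and post type are hypothetical.

// Vulnerable pattern: the raw request value is concatenated into markup.
// Any page that renders the shortcode reflects whatever a crafted link
// puts in the query string, so the browser treats it as page content.
function example_faq_shortcode_unsafe( $atts ) {
    $display = isset( $_GET['Display_FAQ'] ) ? $_GET['Display_FAQ'] : '';
    return '<div class="faq" data-open="' . $display . '">...</div>';
}

// Hardened pattern, in two layers:
//  1. validate: the parameter is supposed to identify an FAQ entry, so
//     coerce it to a non-negative integer and confirm it names an FAQ post;
//  2. escape: print it with the escaper for the context it lands in
//     (esc_attr() for an attribute, esc_html() for text, esc_url() for href).
function example_faq_shortcode_safe( $atts ) {
    $display = isset( $_GET['Display_FAQ'] )
        ? absint( wp_unslash( $_GET['Display_FAQ'] ) )
        : 0;

    // Reject IDs that do not belong to an FAQ entry on this site.
    if ( $display && 'example_faq' !== get_post_type( $display ) ) {
        $display = 0;
    }

    // absint() already guarantees digits only; esc_attr() is still applied
    // so the output stays safe if the validation rule is relaxed later.
    return sprintf( '<div class="faq" data-open="%s">...</div>', esc_attr( $display ) );
}
add_shortcode( 'example_faq', 'example_faq_shortcode_safe' );
```

Validation narrows the input to what the feature needs; escaping protects the output context. Relying on either one alone is how this class of bug keeps reappearing in shortcodes.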

15. WP Simple Spreadsheet Fetcher For Google

WP Simple Spreadsheet Fetcher For Google versions 0.3.6 and below have a Cross-Site Request Forgery vulnerability that could allow an attacker to set an arbitrary API key.

What You Should Do

The vulnerability has been patched, and you should update it to version 0.3.7.

16. Backup and Staging by WP Time Capsule

Backup and Staging by WP Time Capsule versions 1.21.15 and below have an Authentication Bypass vulnerability that would allow an attacker to log in as an Admin user.

What You Should Do

The vulnerability has been patched, and you should update it to version 1.21.16.

17. InfiniteWP Client

InfiniteWP Client versions 1.9.4.4 and below have an Authentication Bypass vulnerability that would allow an attacker to log in as an Admin user.

What You Should Do

The vulnerability has been patched, and you should update it to version 1.9.4.5.

18. Ultimate Auction

Ultimate Auction versions 4.0.5 and below have multiple Cross-Site Request Forgery and Cross-Site Scripting vulnerabilities.

What You Should Do

The vulnerability has been patched, and you should update it to version 4.0.6.

19. WooCommerce – Store Exporter

WooCommerce – Store Exporter versions 2.3.1 and below are vulnerable to a CSV injection attack.

What You Should Do

The vulnerability has been patched, and you should update it to version 2.4.

20. Awesome Support

Awesome Support versions 5.7.1 and below are vulnerable to a Stored XSS attack.

What You Should Do

The vulnerability has been patched, and you should update it to version 5.8.0.

21. Videos on Admin Dashboard

Videos on Admin Dashboard versions 1.1.3 and below are vulnerable to an Authenticated Stored XSS attack.

What You Should Do

The vulnerability has been patched, and you should update it to version 1.1.4.

22. Computer Repair Shop

Computer Repair Shop version 1.0 is vulnerable to an Authenticated Stored XSS attack.

What You Should Do

The vulnerability has been patched, and you should update it to version 2.0.

23. LearnDash

LearnDash versions 3.1.1 and below are vulnerable to a Reflected Cross-Site Scripting attack.

What You Should Do

The vulnerability has been patched, and you should update it to version 3.1.2.

WordPress Themes

1. ListingPro

ListingPro versions 2.5.3 and below are vulnerable to an Unauthenticated Reflected XSS attack.

What You Should Do

The vulnerability has been patched, and you should update it to version 2.5.4.

2. Travel Booking

Travel Booking versions 2.7.8.5 and below have a Reflected & Persistent XSS vulnerability.

What You Should Do

The vulnerability has been patched, and you should update it to version 2.7.8.6.

3. ElegantThemes Divi Builder

ElegantThemes Divi, Divi Builder and Extra below version 4.0.10 are vulnerable to an Authenticated Code Injection attack.

What You Should Do

The vulnerability has been patched, and you should update it to version 4.0.10.

4. EasyBook

EasyBook versions 1.2.1 and below have multiple vulnerabilities, including an Unauthenticated Reflected XSS, an Authenticated Persistent XSS, and an Insecure Direct Object Reference.

What You Should Do

The vulnerability has been patched, and you should update it to version 1.2.2.

5. TownHub

TownHub versions 1.0.5 and below have multiple vulnerabilities, including an Unauthenticated Reflected XSS, an Authenticated Persistent XSS, and an Insecure Direct Object Reference.

What You Should Do

The vulnerability has been patched, and you should update it to version 1.0.6.

6. CityBook

CityBook versions 2.9.4 and below have multiple vulnerabilities, including an Unauthenticated Reflected XSS, an Authenticated Persistent XSS, and an Insecure Direct Object Reference.

What You Should Do

The vulnerability has been patched, and you should update it to version 2.9.5.

7. Real Estate 7

Real Estate 7 versions 2.3.3 and below have multiple vulnerabilities, including an Unauthenticated Reflected XSS, an Authenticated Persistent XSS, and an Insecure Direct Object Reference.

What You Should Do

The vulnerability has been patched, and you should update it to version 2.3.4.

How to Be Proactive About WordPress Theme & Plugin Vulnerabilities

Running outdated software is the number one reason WordPress sites are hacked. It is crucial to the security of your WordPress site that you have an update routine. You should be logging into your sites at least once a week to perform updates.

Automatic Updates Can Help

Automatic updates are a great choice for WordPress websites that don’t change very often. Lack of attention often leaves these sites neglected and vulnerable to attacks. Even with recommended security settings, running vulnerable software on your site can give an attacker an entry point into your site.

Using the iThemes Security Pro plugin’s Version Management feature, you can enable automatic WordPress updates to ensure you are getting the latest security patches. These settings help protect your site with options to automatically update to new versions or to increase user security when the site’s software is outdated.

Version Management Update Options
  • WordPress Updates – Automatically install the latest WordPress release.
  • Plugin Automatic Updates – Automatically install the latest plugin updates. This should be enabled unless you actively maintain this site on a daily basis and install the updates manually shortly after they are released.
  • Theme Automatic Updates – Automatically install the latest theme updates. This should be enabled unless your theme has file customizations.
  • Granular Control over Plugin and Theme updates – You may have plugins/themes that you’d like to either manually update, or delay the update until the release has had time to prove stable. You can choose Custom for the opportunity to assign each plugin or theme to either update immediately (Enable), not update automatically at all (Disable) or update with a delay of a specified amount of days (Delay).
Strengthening and Alerting to Critical Issues
  • Strengthen Site When Running Outdated Software – Automatically add extra protections to the site when an available update has not been installed for a month. The iThemes Security plugin will automatically enable stricter security when an update has not been installed for a month. First, it will force all users that do not have two-factor enabled to provide a login code sent to their email address before logging back in. Second, it will disable the WP File Editor (to block people from editing plugin or theme code), XML-RPC pingbacks, and block multiple authentication attempts per XML-RPC request (both of which will make XML-RPC stronger against attacks without having to turn it off completely).
  • Scan for Other Old WordPress Sites – This checks for other outdated WordPress installs on your hosting account. A single outdated WordPress site with a vulnerability could allow attackers to compromise all the other sites on the same hosting account.
  • Send Email Notifications – For issues that require intervention, an email is sent to admin-level users.

Managing Multiple WP Sites? Update Plugins, Themes & Core At Once from the iThemes Sync Dashboard

iThemes Sync is our central dashboard to help you manage multiple WordPress sites. From the Sync dashboard, you can view available updates for all your sites and then update plugins, themes, and WordPress core with one click. You can also get daily email notifications when a new version update is available.


Breaches From Around the Web

We include breaches from around the web because it is essential to also be aware of vulnerabilities outside of the WordPress ecosystem. Exploits to server software can expose sensitive data. Database breaches can expose the credentials for the users on your site, opening the door for attackers to access your site.

1. NSA Discovers Vulnerability in Windows 10

The NSA found a dangerous Microsoft software flaw, so be sure you have the latest Windows Security Patch. The vulnerability is related to the Windows crypt32.dll, which handles certificates and cryptographic messaging functions. If exploited, a hacker could use the vulnerability to forge digital signatures.

Summary of WordPress Vulnerabilities for January 2020, Part 1

Core

  • No WordPress core vulnerabilities were disclosed in the first half of January 2020.

Plugins

  • Donorbox versions 7.1 and 7.1.1 are vulnerable to a Stored Cross-Site Request Forgery attack. Fix: update to version 7.1.2.
  • Quiz and Survey Master versions 6.3.4 and below are vulnerable to an Authenticated Reflected XSS attack. Fix: update to version 6.3.5.
  • 301 Redirects versions 2.4.0 and below have multiple vulnerabilities, including Authenticated Arbitrary Redirect Injection and Modification, XSS, and CSRF. Fix: update to version 2.45.
  • Rencontre versions 3.2.2 and below include multiple Cross-Site Request Forgery vulnerabilities. Fix: update to version 3.2.3.
  • Featured Image from URL versions 2.7.7 and below are missing access controls on their REST routes, creating a Broken Authentication vulnerability. Fix: update to version 2.7.8.
  • bbPress Members Only versions 1.2.1 and below are vulnerable to a Cross-Site Request Forgery attack on the plugin's Optional Settings page. Fix: update to version 1.3.1.
  • bbPress Login Register Links On Forum Topic Pages versions 2.7.5 and below include a Cross-Site Request Forgery vulnerability that can lead to a Stored Cross-Site Scripting attack. Fix: update to version 2.8.5.
  • GDPR Cookie Compliance versions 4.0.2 and below lack a capabilities check and a security nonce, which allows any authenticated user to delete the plugin settings. Fix: update to version 4.0.3.
  • Photo Gallery versions 2.0.6 and below are vulnerable to an Arbitrary Plugin Deactivation attack. Fix: update to version 2.0.7.
  • Minimal Coming Soon & Maintenance Mode versions 2.10 and below have multiple vulnerabilities, including an insecure permission flaw and a Cross-Site Request Forgery leading to Stored XSS and settings changes. Fix: update to version 2.17.
  • WooCommerce Conversion Tracking versions 2.04 and below are vulnerable to a Cross-Site Request Forgery attack leading to Stored XSS. Fix: update to version 2.0.5.
  • Postie versions 1.9.40 and below have a Post Spoofing and Stored XSS vulnerability that can lead to an unauthenticated user publishing a new post. This is a zero-day vulnerability and anyone can easily find instructions on exploiting the Postie plugin. Fix: WordPress.org closed Postie on January 8th, 2019, so I would suggest removing the plugin and finding a replacement.
  • Import Users From CSV with Meta version 1.15 has an Unauthorized Authenticated Users Export vulnerability. A missing capabilities check would allow an unauthorized user to export WordPress users. Fix: update to version 1.15.0.1.
  • Ultimate FAQ versions 1.8.29 and below have an Unauthenticated Reflected XSS vulnerability. The FAQ shortcode does not sanitize the Display_FAQ GET parameter, which can lead to a Reflected Cross-Site Scripting attack on pages where the shortcode is displayed. Fix: update to version 1.8.30.
  • WP Simple Spreadsheet Fetcher For Google versions 0.3.6 and below have a Cross-Site Request Forgery vulnerability that could allow an attacker to set an arbitrary API key. Fix: update to version 0.3.7.
  • Backup and Staging by WP Time Capsule versions 1.21.15 and below have an Authentication Bypass vulnerability that would allow an attacker to log in as an Admin user. Fix: update to version 1.21.16.
  • InfiniteWP Client versions 1.9.4.4 and below have an Authentication Bypass vulnerability that would allow an attacker to log in as an Admin user. Fix: update to version 1.9.4.5.
  • Ultimate Auction versions 4.0.5 and below have multiple Cross-Site Request Forgery and Cross-Site Scripting vulnerabilities. Fix: update to version 4.0.6.
  • WooCommerce – Store Exporter versions 2.3.1 and below are vulnerable to a CSV injection attack. Fix: update to version 2.4.
  • Awesome Support versions 5.7.1 and below are vulnerable to a Stored XSS attack. Fix: update to version 5.8.0.
  • Videos on Admin Dashboard versions 1.1.3 and below are vulnerable to an Authenticated Stored XSS attack. Fix: update to version 1.1.4.
  • Computer Repair Shop version 1.0 is vulnerable to an Authenticated Stored XSS attack. Fix: update to version 2.0.
  • LearnDash versions 3.1.1 and below are vulnerable to a Reflected Cross-Site Scripting attack. Fix: update to version 3.1.2.

Themes

  • ListingPro versions 2.5.3 and below are vulnerable to an Unauthenticated Reflected XSS attack. Fix: update to version 2.5.4.
  • Travel Booking versions 2.7.8.5 and below have a Reflected & Persistent XSS vulnerability. Fix: update to version 2.7.8.6.
  • ElegantThemes Divi, Divi Builder and Extra below version 4.0.10 are vulnerable to an Authenticated Code Injection attack. Fix: update to version 4.0.10.
  • EasyBook versions 1.2.1 and below have multiple vulnerabilities, including an Unauthenticated Reflected XSS, an Authenticated Persistent XSS, and an Insecure Direct Object Reference. Fix: update to version 1.2.2.
  • TownHub versions 1.0.5 and below have multiple vulnerabilities, including an Unauthenticated Reflected XSS, an Authenticated Persistent XSS, and an Insecure Direct Object Reference. Fix: update to version 1.0.6.
  • CityBook versions 2.9.4 and below have multiple vulnerabilities, including an Unauthenticated Reflected XSS, an Authenticated Persistent XSS, and an Insecure Direct Object Reference. Fix: update to version 2.9.5.
  • Real Estate 7 versions 2.3.3 and below have multiple vulnerabilities, including an Unauthenticated Reflected XSS, an Authenticated Persistent XSS, and an Insecure Direct Object Reference. Fix: update to version 2.3.4.

A WordPress Security Plugin Can Help Secure Your Website

iThemes Security Pro, our WordPress security plugin, offers 30+ ways to secure and protect your website from common WordPress security vulnerabilities. With WordPress two-factor authentication, brute force protection, strong password enforcement, and more, you can add an extra layer of security to your website.

Learn more about WordPress security with 10 key tips. Download the ebook now: A Guide to WordPress Security

The post WordPress Vulnerability Roundup: January 2020, Part 1 appeared first on iThemes.