New WordPress plugin and theme vulnerabilities were disclosed during this month, so we want to keep you aware.

We divide the WordPress Vulnerability Roundup into four different categories:

  • 1. WordPress core
  • 2. WordPress Plugins
  • 3. WordPress Themes
  • 4. Breaches From Around the Web

*We include breaches from around the web because it is essential to also be aware of vulnerabilities outside of the WordPress ecosystem. Exploits to server software can expose sensitive data. Database breaches can expose the credentials for the users on your site, opening the door for attackers to access your site.

WordPress Core Vulnerabilities

There haven’t been any disclosed WordPress core vulnerabilities in June of 2019.

WordPress Plugin Vulnerabilities

Several new WordPress plugin vulnerabilities have been disclosed this month. Make sure to follow the suggested action below for each one: update the plugin, or uninstall it completely if you no longer need it.

1. WP Statistics

WP Statistics plugin version 12.6.5 and below is vulnerable to a Cross-Site Scripting (XSS) attack.

What You Should Do

The vulnerability has been patched, and you should update to version 12.6.6.1.

2. Paid Memberships Pro

Paid Memberships Pro plugin 2.0.5 and below is vulnerable to an Unvalidated Redirect (open redirect). The plugin was using wp_redirect() in places where it should have been using wp_safe_redirect(). wp_safe_redirect() validates the target URL and refuses redirects to other hosts, so a link on the real site cannot be used to bounce a logged-in user to an attacker's page.
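
The following is an added example, not Paid Memberships Pro code: the same redirect written with wp_redirect() and with wp_safe_redirect(), plus the filter you use when an off-site hop is genuinely required. The "redirect_to" parameter, the function names and the gateway host are illustrative assumptions.

```php
<?php
// Added example (not Paid Memberships Pro code). The redirect_to parameter,
// the function names and the gateway host are assumptions for illustration.

function example_redirect_target() {
    // Attacker-controlled: a link such as ?redirect_to=https://attacker.example/phish
    return isset( $_GET['redirect_to'] ) ? wp_unslash( $_GET['redirect_to'] ) : home_url();
}

// VULNERABLE: wp_redirect() only strips disallowed characters; it sends
// whatever host the client supplied in the Location header, so a link on
// the legitimate site can bounce a logged-in user to a phishing page.
function example_redirect_unsafe() {
    wp_redirect( example_redirect_target() );
    exit;
}

// HARDENED: wp_safe_redirect() runs wp_validate_redirect() first. Only http
// and https URLs whose host matches the site's own host (or a host added via
// the allowed_redirect_hosts filter) are accepted; anything else goes to the
// fallback, which is admin_url() by default (filter: wp_safe_redirect_fallback).
function example_redirect_safe() {
    wp_safe_redirect( example_redirect_target() );
    exit;
}

// If a legitimate off-site hop is needed (e.g. a payment gateway), allow that
// host explicitly instead of falling back to wp_redirect().
add_filter( 'allowed_redirect_hosts', function ( $hosts ) {
    $hosts[] = 'checkout.gateway.example'; // assumption: the gateway's host
    return $hosts;
} );
```

Two details matter in practice: neither function calls exit for you, so always follow the redirect with exit so no further code runs, and wp_validate_redirect also rejects protocol-relative targets (//attacker.example) and non-http schemes (javascript:, data:), which plain string checks on the host usually miss.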

What You Should Do

The vulnerability has been patched, and you should update to version 2.0.6.

3. Crelly Slider

Crelly Slider plugin version 1.3.4 and below is vulnerable to an Arbitrary File Upload attack. The plugin allowed subscriber-level users to upload a file of their choosing, including a script that could then be executed on the server.
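
Below is an added example, not Crelly Slider's code: a minimal admin-ajax upload handler that closes the three gaps behind this class of bug (no capability check, no nonce, no content-type allow-list). The hook name, nonce action and form field names are assumptions.

```php
<?php
// Added example (not Crelly Slider code). Hook name, nonce action and the
// "file"/"nonce" field names are assumptions for illustration.

add_action( 'wp_ajax_example_slider_upload', 'example_slider_upload' );

function example_slider_upload() {
    // 1. Authorization: a subscriber must never reach the upload code.
    //    "Logged in" is not a privilege level; check a real capability.
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 2. CSRF: the request must carry a nonce issued for this action.
    check_ajax_referer( 'example_slider_upload', 'nonce' );

    if ( empty( $_FILES['file'] ) ) {
        wp_send_json_error( 'no file', 400 );
    }

    // 3. Let WordPress validate the extension AND the real content type,
    //    against an explicit allow-list rather than the site's whole MIME
    //    table. A .php (or .phtml, .phar, .html) upload fails here.
    $allowed = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'gif'      => 'image/gif',
    );
    $upload = wp_handle_upload(
        $_FILES['file'],
        array(
            'test_form' => false,   // we are not posting action=wp_handle_upload
            'mimes'     => $allowed,
        )
    );
    if ( isset( $upload['error'] ) ) {
        wp_send_json_error( $upload['error'], 400 );
    }

    // 4. Use the path WordPress chose. wp_handle_upload() already ran
    //    sanitize_file_name() and wp_unique_filename(), so the client-supplied
    //    name (and any ../ in it) never reaches the filesystem.
    wp_send_json_success( array( 'url' => $upload['url'] ) );
}
```

As defense in depth, configure the web server so nothing under wp-content/uploads is executed as PHP; then even a bypass of the allow-list yields a downloadable file rather than a web shell.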

What You Should Do

The vulnerability has been patched, and you should update to version 1.3.5.

4. Breadcrumbs

Breadcrumbs version 1.0.1 and below had three vulnerabilities disclosed this month, including Cross-Site Scripting (XSS) and Cross-Site Request Forgery (CSRF).

If an attacker took advantage of the vulnerabilities, they would have been able to change the Breadcrumbs settings.

What You Should Do

The vulnerabilities have been patched, and you should update to version 1.0.3.

5. Easy Digital Downloads

Easy Digital Downloads version 2.9.16 and below is vulnerable to a Stored XSS attack. The IP addresses recorded in the plugin's logs were not properly escaped, so an attacker-supplied IP address value could carry script that runs when an administrator views the logs.
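
The following added example is not Easy Digital Downloads code. It assumes the logged IP is derived from a client-controllable header (X-Forwarded-For), which is the usual source of an "XSS in the IP column" bug; the function names are illustrative. It shows the vulnerable render path beside the two layers that fix it.

```php
<?php
// Added example (not Easy Digital Downloads code). Assumes the logged IP comes
// from X-Forwarded-For; function names are assumptions for illustration.

// Attacker-influenced input. Behind a proxy, code often prefers the header,
// and a client can send:  X-Forwarded-For: <img src=x onerror=alert(1)>
function example_raw_ip() {
    if ( ! empty( $_SERVER['HTTP_X_FORWARDED_FOR'] ) ) {
        return wp_unslash( $_SERVER['HTTP_X_FORWARDED_FOR'] );
    }
    return isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '';
}

// VULNERABLE: stored as-is and echoed into the admin logs page unescaped,
// so the payload executes for whichever administrator opens the logs.
function example_log_row_unsafe( $ip ) {
    return '<td>' . $ip . '</td>';
}

// HARDENED, layer 1: validate on the way in. Anything that is not a literal
// IPv4/IPv6 address is discarded, which also prevents log poisoning.
function example_clean_ip( $raw ) {
    $candidate = trim( explode( ',', $raw )[0] ); // first hop only
    return filter_var( $candidate, FILTER_VALIDATE_IP ) ? $candidate : '0.0.0.0';
}

// HARDENED, layer 2: escape on the way out, whatever was stored.
function example_log_row_safe( $ip ) {
    return '<td>' . esc_html( $ip ) . '</td>';
}

// Usage in the logging path and in the admin table:
//   $ip = example_clean_ip( example_raw_ip() );   // before insert
//   echo example_log_row_safe( $row->ip );        // when rendering
```

Both layers are needed: validation protects the database (and any other consumer of the stored value), while output escaping protects every template that renders it, including ones written after the fix. Escaping alone would still leave poisoned data in the logs.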

What You Should Do

The vulnerability has been patched; update to the latest release of the plugin (newer than 2.9.16).

6. WordPress Download Manager

WordPress Download Manager version 2.9.96 and below is missing input sanitization in the email template and package settings.

What You Should Do

The vulnerability has been patched, and you should update to version 2.9.97.

7. Affiliates Manager

Affiliates Manager version 2.6.5 and below is vulnerable to a Cross-Site Request Forgery (CSRF) attack. The plugin's settings handler was missing the proper capability checks and nonces.

The nonce field is used to validate that the contents of the form request came from the current site and not somewhere else.

What You Should Do

The vulnerability has been patched, and you should update to version 2.6.6.

8. Related YT Videos

Related YT Videos version 1.9.8 and below is vulnerable to Cross-Site Request Forgery (CSRF) and Cross-Site Scripting (XSS) attacks. The plugin was missing the proper nonces and input sanitization.

What You Should Do

The vulnerability has been patched, and you should update to version 1.9.9.

9. WP Google Maps

WP Google Maps version 7.11.27 and below is vulnerable to a Cross-Site Request Forgery (CSRF) attack. The plugin's settings form, handled through an admin-post action, was missing a nonce check.
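
The Affiliates Manager, Related YT Videos and WP Google Maps entries above describe the same missing pieces in a settings handler. The block below is an added example, not code from any of those plugins: a settings form wired through admin-post.php with the nonce, capability check and input sanitization they lacked. The option name, nonce action, field names and the "example_" prefix are assumptions.

```php
<?php
// Added example (not code from Affiliates Manager, Related YT Videos or
// WP Google Maps). Option name, nonce action and field names are assumptions.

// The form: emits a nonce bound to the action "example_save_settings".
function example_settings_form() {
    $api_key = get_option( 'example_api_key', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_settings">
        <?php wp_nonce_field( 'example_save_settings', 'example_nonce' ); ?>
        <label>API key
            <input type="text" name="example_api_key" value="<?php echo esc_attr( $api_key ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// The handler: admin-post.php calls this for action=example_save_settings
// when a logged-in user submits. Without the two checks below, any web page
// an administrator visits can auto-submit this form (CSRF) and change the
// setting, because the browser attaches the admin's cookies automatically.
add_action( 'admin_post_example_save_settings', 'example_save_settings' );

function example_save_settings() {
    // Authorization: being logged in is not enough; require the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Not allowed', '', array( 'response' => 403 ) );
    }

    // CSRF: the nonce is tied to this action, to the current user's session
    // and to a time window (valid for at most 24 hours). A page on another
    // origin cannot read it, so a forged request fails here and wp_die()s.
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // Sanitize on input: sanitize_text_field() strips tags, octets and
    // control characters before storage, closing the stored-XSS path that
    // the Related YT Videos advisory describes.
    $api_key = isset( $_POST['example_api_key'] )
        ? sanitize_text_field( wp_unslash( $_POST['example_api_key'] ) )
        : '';
    update_option( 'example_api_key', $api_key );

    // Return to the settings page via a validated redirect (see the
    // Paid Memberships Pro entry): wp_get_referer() is already filtered
    // through wp_validate_redirect(), and wp_safe_redirect() checks again.
    $back = wp_get_referer() ? wp_get_referer() : admin_url();
    wp_safe_redirect( add_query_arg( 'updated', '1', $back ) );
    exit;
}
```

Note that the nonce and the capability check are not interchangeable: the nonce proves the request originated from a page this site rendered for this user, the capability proves that user may change the setting. A handler with only a nonce is still open to a logged-in subscriber; a handler with only a capability check is still open to CSRF against an administrator.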

What You Should Do

The vulnerability has been patched, and you should update to version 7.11.28.

WordPress Themes

There haven’t been any disclosed WordPress Theme vulnerabilities in June of 2019.

How to Be Proactive About WordPress Theme & Plugin Vulnerabilities

Running outdated software is the number one reason WordPress sites are hacked. It is crucial to the security of your WordPress site that you have an update routine. You should be logging into your sites at least once a week to perform updates.

Automatic Updates

Using the iThemes Security Pro plugin’s Version Management feature, you can enable automatic WordPress updates to ensure you are getting the latest security patches.

Automatic updates are a great choice for websites that don’t change very often. The lack of needed attention often leaves these sites neglected and vulnerable to attacks.

Version Management Updates
  • WordPress Automatic Updates – All WordPress updates are automatically installed when available.
  • Plugin Automatic Updates – All plugin updates are automatically installed when available.
  • Theme Automatic Updates – All theme updates are automatically installed when available. Use this if you’ve put your theme customizations in a child theme, so that updating the parent theme does not override your customizations.
  • Granular Control over Plugin and Theme updates – You may have plugins/themes that you’d like to either manually update, or delay the update until the release has had time to prove stable. You can choose Custom for the opportunity to assign each plugin or theme to either update immediately (Enable), not update automatically at all (Disable) or update with a delay of a specified amount of days (Delay).

Strengthening and Alerting to Critical Issues
  • Strengthen Site When Running Outdated Software – The iThemes Security plugin will automatically enable stricter security when an update has not been installed for a month. First, it will force all users that do not have two-factor enabled to provide a login code sent to their email address before logging back in. Second, it will disable the WP File Editor (to block people from editing plugin or theme code), XML-RPC pingbacks and block multiple authentication attempts per XML-RPC request (both of which will make XML-RPC stronger against attacks without having to turn it off completely).
  • Scan for Other Old WordPress Sites – This checks for other outdated WordPress installs on your hosting account. A single outdated WordPress site with a vulnerability could allow attackers to compromise all the other sites on the same hosting account.
  • Send Email Notifications – For issues that require intervention, an email is sent to admin-level users.

Breaches From Around the Web

1. Evernote Web Clipper Chrome Extension

The Guardio research team discovered that the Evernote Web Clipper Chrome extension was vulnerable to a Universal XSS (UXSS) attack. The vulnerability could allow an attacker to gain access to personal emails, social media data, and other personal information from sites the victim was logged in to.

The extension included a coding error that let a malicious web page break out of the isolation Chrome gives extension code. An attacker who lured a victim to such a page could make the extension inject attacker-controlled code into other sites and steal private information from them.

The extension was patched on June 4th.

Guardio created a video showing the proof of concept.

2. Vim and NeoVim

The terminal text editors Vim before version 8.1.1365 and NeoVim before version 0.3.6 are vulnerable to an Arbitrary Code Execution attack. The flaw is in modeline handling, so merely opening a crafted text file in a vulnerable editor can run commands with the privileges of the user editing the file. Until you have updated, adding "set nomodeline" to your vimrc removes that attack surface.

Armin Razmjou, the security researcher who discovered the vulnerability, published a proof of concept on GitHub.

Keep in mind that outdated software is the number one reason sites get hacked. Every vulnerability disclosed so far this month has been patched. Leaving outdated software on your website will leave you vulnerable to attack.

The post WordPress Vulnerability Roundup: June 2019, Part 1 appeared first on iThemes.

Posted by News Monkey