WordPress Vulnerability Roundup: June 2019, Part 2

New WordPress plugin and theme vulnerabilities were disclosed during the last half of June, so we want to keep you aware.

We divide the WordPress Vulnerability Roundup into four different categories:

• 1. WordPress Core Vulnerabilities
• 2. WordPress Plugin Vulnerabilities
• 3. WordPress Theme Vulnerabilities
• 4. Breaches From Around the Web

*We include breaches from around the web because it is essential to also be aware of vulnerabilities outside of the WordPress ecosystem. Exploits to server software can expose sensitive data. Database breaches can expose the credentials for the users on your site, opening the door for attackers to access your site.

WordPress Core Vulnerabilities

WordPress Plugin Vulnerabilities

Several new WordPress plugin vulnerabilities have been discovered this make. Make sure to follow the suggested action below to update the plugin or completely uninstall it.

1. Messenger Customer Chat

The Messenger Customer Chat plugin, version 1.2, and below, is vulnerable to a Cross-Site Request Forgery attack. The vulnerability will allow an attacker to change some of the WordPress site settings.

What You Should Do

2. Support Board – Chat And Help Desk | Support & Chat

The Support Board – Chat And Help Desk | Support & Chat plugin, version 1.2.8, and below, is vulnerable to a Cross-Site Scripting attack.

What You Should Do

3. Seo by Rank Math

The Seo by Rank Math plugin, version 1.0.26, and below, is vulnerable to a Cross-Site Scripting attack.

What You Should Do

4. WP-Members Membership Plugin

The WP-Members Membership plugin, version 3.2.7, and below, is vulnerable to a Cross-Site Request Forgery attack. The vulnerability will allow an attacker to create, edit, and delete new fields.

What You Should Do

5. Real Estate Manager

The Real Estate Manager plugin is vulnerable to a Plugin Arbitrary Settings Update attack. The lack of authorization and CSRF checks in the save_admin_settings() AJAX function is the cause of the vulnerability.

What You Should Do

6. LionScripts: IP Blocker Lite

The LionScripts: IP Blocker Lite plugin, version 10.3, and below, is vulnerable to a Cross-Site Request Forgery attack that could lead to an Arbitrary File Upload attacks.

What You Should Do

7. WebP Express

The WebP Express plugin, version 0.14.10, and below, are vulnerable to a multitude of attacks, Cross-Site Request Forgery, Arbitrary File Upload, Cross-Site Scripting, an Unauthorized Access attacks.

What You Should Do

8. Import users from CSV with meta

The Import users from CSV with meta plugin, version 1.14.1.2, and below, is vulnerable to a  Cross-Site Scripting attack.

What You Should Do

9. Deny All Firewall

The Deny All Firewall plugin, version 1.14.1.2, and below, is vulnerable to a  Cross-Site Request Forgery attack. The vulnerability would allow an attacker to remove the Deny All Firewall from the .htaccess and render the plugin useless.

What You Should Do

10. Facebook for WooCommerce

The Facebook for WooCommerce plugin, version 1.9.12, and below, is vulnerable to a Cross-Site Request Forgery attack.

The vulnerability will allow an attacker to change some of the WordPress site settings.

What You Should Do

11. Shortlinks by Pretty Links – Best WordPress Link Tracking Plugin

The Shortlinks by Pretty Links plugin, version 2.1.9, and below, is vulnerable to a Cross-Site Scripting and a CSV Injection attack. The vulnerability would allow an attacker to inject malicious code in the WordPress dashboard.

The vulnerability will allow an attacker to change some of the WordPress site settings.

What You Should Do

12. Sina Extension for Elementor

The Sina Extension for Elementor plugin, version 2.1.9, and below, is vulnerable to a Local File Inclusion attack.

What You Should Do

13. CP Contact Form with PayPal

The CP Contact Form with PayPal plugin, version 1.3.01, and below, is vulnerable to a  Cross-Site Scripting attack.

What You Should Do

14. Share This Image

The Share This Image plugin, version 1.19, and below, is vulnerable to a Cross-Site Scripting attack.

What You Should Do

15. ads-for-wp

The ads-for-wp plugin is vulnerable to a Cross-Site Request Forgery attack.

What You Should Do

16. User Email Verification for WooCommerce

The User Email Verification for WooCommerce plugin, version 3.3.0, and below, is vulnerable to a Cross-Site Request Forgery attack leading to an Option update.

What You Should Do

17. Advanced Woo Search

The Advanced Woo Search plugin, version 1.6.8, and below, is vulnerable to a Cross-Site Request Forgery leading to a Cross-Site Scripting attack.

What You Should Do

18. ACF: Better Search

The ACF: Better Search plugin, version 3.3.0, and below, is vulnerable to a Cross-Site Request Forgery attack.

What You Should Do

19. Widget Logic

The Widget Logic plugin, version 5.9.0, and below, is vulnerable to a Cross-Site Request Forgery leading to a Remote Code Execution attack.

Danne Witz reported that attackers could make admin users add malicious code to custom sidebar widgets resulting in remote code execution.

What You Should Do

WordPress Theme Vulnerabilities

How to Be Proactive About WordPress Theme & Plugin Vulnerabilities

Running outdated software is the number one reason WordPress sites are hacked. It is crucial to the security of your WordPress site that you have an update routine. You should be logging into your sites at least once a week to perform updates.

Breaches From Around the Web

1. Kubernetes Command Line Interface Flaw

Kubectl is a command line interface for Kubernetes–the open source container managed created by Google– has a pretty ugly vulnerability. The kubectl cp command could enable a directory traversal so that a malicious container could replace or create files on a users workstation.

Be sure you update kubectl to a version that has been patched.

2. NASA Gets Hacked

An unauthorized Raspberry Pi device that was connected to the Jet Propulsion Laboratory servers was compromised. After successfully attacking the Raspberry  Pi device the hackers were able to gain access to other systems, including the Deep Space Network array of radio telescopes.

The story highlights the importance of security every device on your network.

3. Netflix Finds Linux and FreeBSD Vulnerabilities

Netflix’s streaming service requires a huge infrastructure, powerful tools, and talented people. You can watch Branden Gregg live debugging Minecraft or check out the Netflix open source software center to see that Netflix is as much of a tech company as it is an entertainment company.

Now that you know Netflix is a tech company, it shouldn’t be a surprise that they discovered and disclosed three vulnerabilities. The two Linux and one FreeBSD are all TCP based denial of service attacks. You can find a detailed explanation of the vulnerabilities and workarounds on Netflix’s GitHub.

The post WordPress Vulnerability Roundup: June 2019, Part 2 appeared first on iThemes.