Monthly WordPress Vulnerability Report #4 – December 2018

The recent WordPress 5.0 release makes the December issue of Monthly WordPress Vulnerability Report our most extensive one to date. The 5.0.1 security release that followed it addresses six vulnerabilities in the core of the platform (one of them reaching a lot of smaller plugins through core as well), and the same weeks brought security releases for 4 plugins we use for our clients.

Monthly WordPress Vulnerability Report
Article by Dawid Zimny
I am particularly interested in web analytics. Knowing the way your visitors browse your website will help you improve their browsing experience and is crucial for converting them into clients.

In this issue:

  • WordPress core - activation screen indexing
  • WordPress - cross-site scripting affecting plugins
  • WordPress core - Apache cross-site scripting
  • WordPress core - authenticated cross-site scripting
  • WordPress core - authenticated file deletion
  • WordPress core - post type privilege escalation
  • Advanced Custom Fields - cross-site scripting
  • Ninja Forms - authenticated redirect
  • Monster Insights - stored cross-site scripting
  • Jetpack - stored cross-site scripting

The number of reports on WordPress 5.0 vulnerabilities makes the fourth issue of WordPress Vulnerability Report our most important one so far. The WordPress team quickly shipped the 5.0.1 security release to patch the platform, and we have summed the fixes up for you in an easily digestible way once again.


Even though the December issue is lengthy, we strongly recommend you read it through. Updating WordPress to 5.0.1 and updating all affected plugins is crucial for your website's safety. The 5.0.1 fixes were also backported as security releases for every WordPress branch since 3.7, so sites that have not yet moved to 5.0 still need to update.

If you want to know why we launched the Monthly WordPress Vulnerability Report, check out the introductory post including a message from our Technical Director, Tomasz Lisiecki, in the form of a short video.

WordPress core - activation screen indexing!

Problem
In some rare cases, the activation screen for newly registered users was indexed by search engines, leading to possible leaks of e-mail addresses and even the generated passwords.
Is it safe?
Though the possibility of a password exposure is extremely rare, the issue requires little to no effort from the attacker's side. Even without a password leak, exposing user e-mails is a serious privacy issue.
Our recommendation
Update to the 5.0.1 security release of WordPress as soon as possible.

WordPress - cross-site scripting affecting plugins!

Problem
Specially crafted URL input can expose some plugins to a cross-site scripting attack.
Is it safe?
The vulnerability does not affect WordPress core itself, only some plugins, but where a plugin is affected it is a relatively easy attack to perform.
Our recommendation
Update to the 5.0.1 security release of WordPress as soon as possible.

WordPress core - Apache cross-site scripting!

Problem
Authors on WordPress sites hosted on Apache web servers are able to upload specially crafted files that bypass MIME type verification, which can lead to a cross-site scripting (XSS) vulnerability.
Is it safe?
An XSS attack runs attacker-controlled script in your visitors' browsers and requires patching. The issue is rated moderate because the attacker must already hold an Author account on the site.
Our recommendation
It is fixed in 5.0.1, which we already recommend because of the more serious vulnerabilities in this report.

WordPress core - authenticated cross-site scripting!

Problem
In some instances, low-privileged users (Contributor level and above) could edit new comments made by users with higher privilege levels, potentially exposing the site to an XSS attack by manipulating the comments of those more privileged users.
Is it safe?
Performing the attack is not possible without an account on the website, but it is easy to execute once the attacker has one.
Our recommendation
It is fixed in 5.0.1, which we already recommend because of the more serious vulnerabilities in this report.

WordPress core - authenticated file deletion!

Problem
Authors can alter post meta data in a way that lets them delete files they would normally not be allowed to delete.
Is it safe?
As with the previous issue, the attacker needs an account on the site (here an Author account), but the attack is easy once they have it.
Our recommendation
The issue alone justifies an immediate update to WordPress 5.0.1 - considering it also fixes all the previous issues, it's a must.

WordPress core - post type privilege escalation!

Problem
Attackers with access to a low-privileged account (Contributor level and above) can, with specially crafted input, create posts of a type that only administrators are allowed to create. This can lead to cross-site scripting and PHP object injection. In combination with some plugins, the object injection can give the attacker read access to your WordPress database.
Is it safe?
Even though this vulnerability also requires access to an account on your website, the implications might be way more serious than in the previous issues.
Our recommendation
We highly recommend updating to security release 5.0.1.

Advanced Custom Fields - cross-site scripting!

Problem
Custom field values were inserted into pages as unfiltered HTML, allowing a stored XSS attack.
Is it safe?
In line with many of the WordPress core issues, this vulnerability requires access to an author account first.
Our recommendation
We recommend updating to version 5.7.8 for both free and PRO versions of the plugin as soon as possible.

Ninja Forms - authenticated redirect!

Problem
The form submissions download page was vulnerable to a redirection attack from an authenticated account. An attacker could redirect privileged users - even admins - to a malicious website.
Is it safe?
The attack requires an account on your website, but being able to send privileged users to an arbitrary external website (for phishing, for example) is very dangerous.
Our recommendation
We recommend upgrading to Ninja Forms version 3.3.19.1, which fixes the issue.

Monster Insights - stored cross-site scripting!

Problem
An attacker with a low-privileged account can create a notification that is shown to more privileged users, and the notification body accepts JavaScript.
Is it safe?
The next time a more privileged user logs into the WordPress administrative panel, the malicious script executes in their browser.
Our recommendation
The issue is fixed in version 9.2 and you should immediately update the plugin.

Jetpack - stored cross-site scripting!

Problem
Users with at least Contributor privileges can insert scripts into the HTML of blog posts.
Is it safe?
If an admin (or any user with higher privileges) views the blog post after the attack, the malicious script executes in their browser.
Our recommendation
Update to Jetpack 6.5 to avoid this critical vulnerability.
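The fixed versions named above can be checked in one pass rather than plugin by plugin. The script below is an added example written for this report (it is not code from WordPress, from any of the plugins mentioned, or from the report's author): it takes the output of `wp core version` and `wp plugin list --format=json` and flags every component still below the version that fixes it. The plugin slugs are assumptions about the directory names of the free and PRO builds and may differ on your site; the 4.9.9 value for sites held on the 4.9 branch is the backported WordPress release, not something stated in this report; the sample data at the bottom is constructed.

```python
"""Audit WordPress core and plugin versions against the fixes in this report.

Added example, not code from the report or from any of the plugins. Input
follows the shape of `wp core version` and `wp plugin list --format=json`;
the sample data at the bottom is constructed.
"""
import json
import re

# Fixed plugin versions as given in this report. The slugs are an assumption
# (directory names of the free/PRO builds) and may differ on your install.
FIXED_PLUGIN_VERSIONS = {
    "advanced-custom-fields": "5.7.8",
    "advanced-custom-fields-pro": "5.7.8",
    "ninja-forms": "3.3.19.1",
    "google-analytics-for-wordpress": "9.2",  # MonsterInsights, free build
    "google-analytics-premium": "9.2",        # MonsterInsights Pro
    "jetpack": "6.5",
}

# Core: 5.0.1 from this report. Sites held on the 4.9 branch received the same
# fixes in the backported 4.9.9 release (not from this report). Any other
# branch is simply compared against 5.0.1 and will be flagged if older.
CORE_FIXED_BY_BRANCH = {"5.0": "5.0.1", "4.9": "4.9.9"}
CORE_FIXED_DEFAULT = "5.0.1"


def parse_version(version):
    """Split '3.3.19.1' into ((3, 3, 19, 1), '') and '5.0-RC1' into ((5, 0), '-RC1')."""
    match = re.match(r"^(\d+(?:\.\d+)*)(.*)$", version.strip())
    if not match:
        raise ValueError(f"unparseable version string: {version!r}")
    numbers = tuple(int(part) for part in match.group(1).split("."))
    return numbers, match.group(2)


def version_lt(a, b):
    """True if version a is older than version b.

    Missing trailing components count as zero ('9.2' equals '9.2.0'), and a
    pre-release suffix sorts before the final release with the same numbers.
    """
    num_a, pre_a = parse_version(a)
    num_b, pre_b = parse_version(b)
    width = max(len(num_a), len(num_b))
    num_a += (0,) * (width - len(num_a))
    num_b += (0,) * (width - len(num_b))
    if num_a != num_b:
        return num_a < num_b
    return bool(pre_a) and not pre_b


def core_fixed_version(core_version):
    """Fixed release for the branch the site is on ('4.9.8' -> '4.9.9')."""
    branch = ".".join(str(n) for n in parse_version(core_version)[0][:2])
    return CORE_FIXED_BY_BRANCH.get(branch, CORE_FIXED_DEFAULT)


def audit(core_version, plugin_list_json):
    """Return [(component, installed, fixed, status)] for everything still below its fix.

    Inactive plugins are reported as well: their files stay on disk and may
    still be reachable, so they should be updated or removed, not ignored.
    """
    findings = []
    fixed_core = core_fixed_version(core_version)
    if version_lt(core_version, fixed_core):
        findings.append(("wordpress-core", core_version, fixed_core, "active"))
    for plugin in json.loads(plugin_list_json):
        fixed = FIXED_PLUGIN_VERSIONS.get(plugin["name"])
        if fixed is not None and version_lt(plugin["version"], fixed):
            findings.append((plugin["name"], plugin["version"], fixed,
                             plugin.get("status", "unknown")))
    return findings


# Constructed sample in the shape `wp plugin list --format=json` prints.
SAMPLE_CORE_VERSION = "4.9.8"
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "advanced-custom-fields", "status": "active", "update": "available", "version": "5.7.7"},
    {"name": "ninja-forms", "status": "active", "update": "none", "version": "3.3.19.1"},
    {"name": "google-analytics-for-wordpress", "status": "inactive", "update": "available", "version": "7.3.2"},
    {"name": "jetpack", "status": "active", "update": "none", "version": "6.5"},
    {"name": "akismet", "status": "active", "update": "none", "version": "4.1"},
])

if __name__ == "__main__":
    for component, installed, fixed, status in audit(SAMPLE_CORE_VERSION, SAMPLE_PLUGIN_LIST):
        print(f"{component}: {installed} installed ({status}), update to {fixed}")
```

On a real site, replace the two sample values with `wp core version` and `wp plugin list --format=json` run from the site root. The comparison deliberately treats a missing trailing component as zero and a pre-release suffix as older, so that Ninja Forms 3.3.19 is correctly reported as below 3.3.19.1 and a 5.0 release candidate as below 5.0.1.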
