Monthly WordPress Vulnerability Report #3 – November 2018

The November issue of Monthly WordPress Vulnerability Report includes vulnerabilities in some of the most popular plugins out there - Yoast SEO, WooCommerce and Ninja Forms. With a low to moderate level of warning these attacks don't pose a huge threat, although due to a sheer amount of websites affected the vulnerabilities can quickly catch the attention of attackers.

Monthly WordPress Vulnerability Report
Article by Dawid Zimny
I am particularly interested in web analytics. Knowing the way your visitors browse your website will help you improve their browsing experience and is crucial for converting them into clients.

In this issue:

  • WooCommerce
  • Ninja Forms
  • Yoast SEO

Cross-site-scripting and privilege escalation are recurring issues in WordPress and it’s no different this month. WooCommerce suffers from the latter because of the way WordPress handles privileges. A clever file deletion can escalate the Shop Manager’s privileges to the point where they can take control of any other account on the website.

If you want to know why we launched the Monthly WordPress Vulnerability Report, check out the introductory post including a message from our Technical Director, Tomasz Lisiecki, in the form of a short video.


Attackers with the Shop Manager role can delete specific files on the server to gain control over any account, including Admin. It's caused by a flaw in the way WordPress manages privileges.
Is it safe?
Shop Manager roles are assigned to employees and gaining access to an account with such privilege is a requirement. With that being said, the attacker can potentially gain access to these accounts by phishing or XSS attacks and over 4 million WooCommerce shops are affected by the vulnerability.
Our recommendation
The issue is fixed in version 3.4.6 and we strongly recommend you to update the plugin.

Ninja Forms!

The "Submissions" page of Ninja Forms plugin is vulnerable to cross site scripting attacks.
Is it safe?
The attack isn't necesarilly easy to execute and its scope is limited, although it requires no authentication and as such it's best to update the plugin.
Our recommendation
Get your plugin up-to-date with the newset version, 3.19.1.

Yoast SEO!

The plugin can be exploited by users with Manager role because of Authetincated Race Condition. A "race condition" is taking advantage of timing in the code to cause actions in an order different than what the code expects.
Is it safe?
An attacker can execute commands but only if they can aquire an account with Manager role. As such, a risk of an attack is very low, although the issue is fixed in version 9.2.
Our recommendation
Update the plugin to version 9.2 to eliminate a chance of an exploit.

Got Something To Share?

Your email address will not be published. Required fields are marked *