WordPress Vulnerability Report #8 – April 2019

The 8th issue of WordPress Vulnerability Report arrives together with the end of our April maintenance cycle. We have tracked the best plugins once again to identify loopholes in 4 popular WordPress extensions, each with at least 100,000 active installations.

Monthly WordPress Vulnerability Report
Article by Dawid Zimny
I am particularly interested in web analytics. Knowing the way your visitors browse your website will help you improve their browsing experience and is crucial for converting them into clients.

In this issue:

  • WP Google Maps 7.11.00-7.11.17 - Unauthenticated SQL Injection
  • Duplicate Page 3.3 - Authenticated SQL Injection
  • WordPress Download Manager 2.9.93 - Authenticated Cross-Site Scripting
  • WP Statistics 12.6.3 - Cross-Site Scripting

With all of our plugins of choice fully secure for the month of April, we have reached outside of our regular list to check the security of other popular extensions.

This time the flavour of the month is unfiltered data. All 4 featured vulnerabilities are caused by code that doesn’t process user input safely.

As a result, attackers can use the plugins – in one case without any authentication – to execute malicious scripts or to run their own queries against the database. Read on to discover the details.

Learn why we launched the WordPress Vulnerability Report in the video message from our Technical Director, Tomasz Lisiecki.

If you’re looking for more information please read our introductory article.

WP Google Maps 7.11.00-7.11.17 - Unauthenticated SQL Injection!

The API of the popular Google Maps plugin doesn't filter certain data input in a secure manner.
Is it safe?
The vulnerability can lead to an SQL injection, allowing the attacker to execute malicious queries in the database. On top of that, the vulnerability doesn't require an authenticated account, which makes it even more dangerous.
Our recommendation
You should update to at least version 7.11.18 of the plugin. WP Google Maps has received 4 updates since the vulnerability was discovered and all of them include the security patch.

Duplicate Page 3.3 - Authenticated SQL Injection!

Duplicate Page 3.3 uses a URL parameter to determine the action requested by its user. However, the plugin is missing an additional privilege check, and a logged-in user could manipulate the URL to compromise your site.
Is it safe?
While the plugin requires authentication, the loophole can be used by a logged-in user regardless of their role.
Our recommendation
A fix for the issue is available in version 3.4 of the plugin and we recommend updating to version 3.4 or higher.

WordPress Download Manager 2.9.93 - Authenticated Cross-Site Scripting!

The plugin handles user input from the URL unsafely in two places: the "Category" shortcode of the Pro version and the "Advanced Search" feature.
Is it safe?
Authenticated users can manipulate the URL to execute a malicious script on the website.
Our recommendation
We recommend updating to at least security update 2.9.94.

WP Statistics 12.6.3 - Cross-Site Scripting!

A function intended to get the title of a page returns unfiltered data.
Is it safe?
Manipulating the input in the vulnerable version of WP Statistics can lead to script execution on the site.
Our recommendation
Even though the changelog doesn't mention it, the plugin's code repository and our further security tests show that version 12.6.4 fixes the issue, and we recommend updating at your earliest convenience.
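The common root cause of all four findings, unfiltered user input, is easier to recognise in code. The following is an added illustration written for this report, not code from any of the plugins named above: a hypothetical handler that lets a URL parameter reach the database without a privilege check, and a title helper that returns raw data, each beside the WordPress API calls that close the hole. Function names, the `vr_duplicate_post` nonce action and the `vr-example` text domain are assumptions.

```php
<?php
// Illustrative example only: not code from any plugin in this report.
// Assumed names: vr_* functions, nonce action 'vr_duplicate_post', text domain 'vr-example'.

// --- Unsafe: URL parameter reaches the database, no privilege check ---
function vr_unsafe_duplicate_handler() {
    global $wpdb;
    // Any logged-in user reaches this, and $_GET['post'] is interpolated straight into SQL.
    $post_id = $_GET['post'];
    return $wpdb->get_row( "SELECT * FROM {$wpdb->posts} WHERE ID = $post_id" );
    // ...row would then be duplicated via wp_insert_post()
}

// --- Hardened: nonce, capability checks, type coercion, prepared statement ---
function vr_safe_duplicate_handler() {
    global $wpdb;
    // 1. Reject forged or replayed requests (checks the _wpnonce request field).
    check_admin_referer( 'vr_duplicate_post' );
    // 2. Only users allowed to create posts may duplicate one.
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'vr-example' ), 403 );
    }
    // 3. Coerce to a non-negative integer before the value goes anywhere near SQL,
    //    and require edit rights on that specific post.
    $post_id = isset( $_GET['post'] ) ? absint( $_GET['post'] ) : 0;
    if ( 0 === $post_id || ! current_user_can( 'edit_post', $post_id ) ) {
        wp_die( esc_html__( 'Invalid post.', 'vr-example' ), 400 );
    }
    // 4. Let $wpdb bind the value; %d only ever yields an integer.
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$wpdb->posts} WHERE ID = %d", $post_id )
    );
}
add_action( 'admin_post_vr_duplicate_post', 'vr_safe_duplicate_handler' );

// --- Unsafe: a title helper returns unfiltered data that templates echo ---
function vr_unsafe_title() {
    // Whatever arrives in the parameter is returned as-is and lands in the HTML.
    return isset( $_GET['title'] ) ? $_GET['title'] : get_the_title();
}

// --- Hardened: sanitise on input, escape at the point of output ---
function vr_safe_title() {
    $title = isset( $_GET['title'] )
        ? sanitize_text_field( wp_unslash( $_GET['title'] ) )
        : get_the_title();
    return esc_html( $title ); // escaped for an HTML body context; use esc_attr() inside attributes
}
```

The two checks that matter for detection and review are the same in both halves: does every request parameter pass through a type or sanitising function before it is used, and does every value pass through an escaping function at the exact point it is printed.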
