Monthly WordPress Vulnerability Report #6 – February 2019

In the rather quiet month of February, we have only seen two vulnerabilities in our selection of WordPress plugins - a moderately dangerous issue with WooCommerce and a vulnerability in Freemius, a third-party library used by Popup Maker.

Article by Dawid Zimny
Article updated on 9th April 2019

In this issue:

  • WooCommerce - cross-site scripting
  • Popup Maker - Freemius library vulnerability
  • Other popular plugins using Freemius

The latter has led us to look into how widely Freemius is used, to gauge the impact of this vulnerability on other plugins. As a result, we have added four additional plugins to this month's report, all of which are affected by the same Freemius vulnerability as Popup Maker.

Learn why we launched the Monthly WordPress Vulnerability Report in the introductory post including a video message from our Technical Director, Tomasz Lisiecki.

WooCommerce - cross-site scripting!

Image captions are not handled in a safe manner in WooCommerce 3.5.4 and earlier.
Is it safe?
The attack requires access to an account with sufficient privileges and enables the attacker to insert malicious scripts via image captions. The need for a privileged account lowers the severity somewhat, but once an attacker has gained access to such an account this becomes a dangerous flaw.
Our recommendation
We recommend upgrading to the latest WooCommerce security release 3.5.5.

Popup Maker - Freemius library vulnerability!

WordPress users can easily gain access to functions that change settings in your database.
Is it safe?
If your website allows visitors to create accounts, users with any level of privileges can exploit the vulnerability. The usual approach of the attackers is to change the option that sets the role given to new accounts so that every new account receives administrative privileges. Creating a fresh account would then let them take control of the entire website.
Our recommendation
Update to the latest 1.8.3 version of Popup Maker as soon as possible.
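Beyond updating, it is worth checking whether the pattern described above has already been applied to your site. The following audit is an added example, not code from the report or from Popup Maker or Freemius; it assumes the standard WordPress option names default_role and users_can_register and the standard PHP-serialised wp_capabilities user meta, and runs on constructed sample rows that mimic the relevant tables.

```python
"""Audit WordPress data for the Freemius post-exploitation pattern:
new registrations defaulting to administrator, open registration,
and administrator accounts that were registered recently."""
import re
from datetime import datetime, timedelta

# Constructed sample data (assumption: mirrors rows of wp_options,
# wp_users and the wp_capabilities entry in wp_usermeta).
OPTIONS = {"default_role": "administrator", "users_can_register": "1"}
USERS = [
    {"ID": 1, "user_login": "owner", "user_registered": "2018-06-01 10:00:00"},
    {"ID": 57, "user_login": "x9k2", "user_registered": "2019-02-20 03:14:07"},
]
# wp_capabilities meta values are PHP-serialised arrays.
CAPABILITIES = {
    1: 'a:1:{s:13:"administrator";b:1;}',
    57: 'a:1:{s:13:"administrator";b:1;}',
}
NOW = datetime(2019, 2, 28)  # constructed "current" time for the sample run

# Matches an enabled administrator capability in serialised form.
ADMIN_CAP = re.compile(r's:13:"administrator";b:1;')


def is_admin(serialized_caps):
    """True if the serialised wp_capabilities grants administrator."""
    return bool(ADMIN_CAP.search(serialized_caps or ""))


def audit(options, users, capabilities, now, window_days=30):
    """Return a list of findings; an empty list means nothing suspicious."""
    findings = []
    if options.get("default_role") == "administrator":
        findings.append("default_role is set to 'administrator'")
    if options.get("users_can_register") == "1":
        findings.append("open registration (users_can_register) is enabled")
    cutoff = now - timedelta(days=window_days)
    for user in users:
        registered = datetime.strptime(user["user_registered"], "%Y-%m-%d %H:%M:%S")
        if registered >= cutoff and is_admin(capabilities.get(user["ID"])):
            findings.append(
                f"administrator '{user['user_login']}' (ID {user['ID']}) "
                f"registered on {registered:%Y-%m-%d}, within the last {window_days} days"
            )
    return findings


if __name__ == "__main__":
    for finding in audit(OPTIONS, USERS, CAPABILITIES, NOW):
        print("FINDING:", finding)
```

On a live site the same three values can be pulled with WP-CLI (`wp option get default_role`, `wp option get users_can_register`, `wp user list --role=administrator --fields=ID,user_login,user_registered`) and fed to audit().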

Other popular plugins using Freemius!

We have identified four plugins with over 100,000 installations that have been fixed to patch the Freemius vulnerability. They are: 404 to 301, FooBox Image Lightbox, FooGallery and NextGEN Gallery. The last plugin is active on over 900,000 websites.
Is it safe?
Read above.
Our recommendation
All four plugins were updated after the vulnerability was patched in the Freemius library itself. Update them at your earliest convenience.
