Monthly WordPress Vulnerability Report #6 – February 2019

#Uncategorised

5th March 2019

In the rather quiet month of February, we have seen only two vulnerabilities in our selection of WordPress plugins: a moderately dangerous issue in WooCommerce and a vulnerability in Freemius, a third-party library used by Popup Maker.

The latter prompted us to look into how widely Freemius is used, to gauge the impact of this vulnerability on other plugins. As a result, we have added four more plugins to this month's report, all of which are affected by the same Freemius vulnerability found in Popup Maker.

Learn why we launched the Monthly WordPress Vulnerability Report in the introductory post, which includes a video message from our Technical Director, Tomasz Lisiecki.

WOOCOMMERCE – CROSS-SITE SCRIPTING

Problem
Image captions are not handled in a safe manner in WooCommerce 3.5.4 and earlier.

Is it safe?
The attack requires access to an account with sufficient privileges and lets the attacker insert malicious scripts via image captions. This somewhat lowers the level of warning for the vulnerability, although once an attacker has gained access to a privileged WordPress account it becomes a dangerous flaw.

Our recommendation
We recommend upgrading to the latest WooCommerce security release 3.5.5.

Level of warning
Moderate
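For site owners who want to check whether caption fields already carry injected markup, and to see what safe output handling looks like, here is an added example (our own illustration, not code from WooCommerce or from the report). It assumes the standard WordPress schema, where an image caption is stored in the post_excerpt column of wp_posts for rows with post_type = 'attachment'; the sample rows below are constructed.

```python
import html
import re

# Constructed rows shaped like wp_posts attachment records. In WordPress the
# image caption lives in post_excerpt for post_type = 'attachment'.
SAMPLE_ATTACHMENTS = [
    {"ID": 101, "post_excerpt": "Blue cotton shirt, front view"},
    {"ID": 102, "post_excerpt": "Sale item <script>alert(1)</script>"},
    {"ID": 103, "post_excerpt": '<img src=x onerror="alert(1)">'},
    {"ID": 104, "post_excerpt": "Price <b>reduced</b>"},
]

# Script-bearing constructs that have no place in a plain-text caption. This is a
# triage heuristic for review, not proof of compromise: "once = 3" would also hit
# the on*= pattern, so inspect each flagged row by hand.
SUSPICIOUS = re.compile(
    r"<\s*script|<\s*iframe|<\s*svg|<\s*object|<\s*embed|\bon[a-z]+\s*=|javascript\s*:",
    re.IGNORECASE,
)


def suspicious_captions(rows):
    """Return the IDs of attachments whose caption contains script-bearing markup."""
    return [row["ID"] for row in rows if SUSPICIOUS.search(row["post_excerpt"] or "")]


def render_caption(caption):
    """Contextual output encoding: a caption rendered as text must be HTML-escaped,
    so stored markup is displayed literally instead of being executed."""
    return html.escape(caption or "", quote=True)


def figure_html(row):
    """Build a <figcaption> for an attachment using the escaped caption."""
    return '<figcaption data-id="%d">%s</figcaption>' % (
        row["ID"],
        render_caption(row["post_excerpt"]),
    )


if __name__ == "__main__":
    for attachment_id in suspicious_captions(SAMPLE_ATTACHMENTS):
        print("review attachment", attachment_id)
    print(figure_html(SAMPLE_ATTACHMENTS[1]))
```

Run against a real database export, the scan gives a short list of attachment IDs to review; the rendering helper shows the property the fix in WooCommerce 3.5.5 restores, namely that whatever is stored in the caption is encoded before it reaches the browser.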

POPUP MAKER – FREEMIUS LIBRARY VULNERABILITY

Problem
Logged-in WordPress users can easily reach functions that change settings in your database.

Is it safe?
If your website allows account creation, users with any privilege level can exploit the vulnerability. The attackers' usual approach is to change the option that grants administrative privileges to all new accounts; creating a fresh account then lets them take control of the entire website.

Our recommendation
Update to the latest 1.8.3 version of Popup Maker as soon as possible.

Level of warning
High

OTHER POPULAR PLUGINS USING FREEMIUS

Problem
We have identified four plugins with over 100,000 installations that have been updated to patch the Freemius vulnerability: 404 to 301, FooBox Image Lightbox, FooGallery and NextGEN Gallery. The last of these is active on over 900,000 websites.

Is it safe?
See the previous vulnerability.

Our recommendation
All four plugins have been updated since the Freemius vulnerability was patched in the third-party library. Update them at your earliest convenience.

Level of warning
High
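The two Freemius entries above and the WooCommerce entry share a practical follow-up: confirm that the installed plugin versions are at or above the fixed releases named in this report, and confirm that the registration settings an attacker abusing the Freemius flaw would change are still sane. The added example below (our own illustration, not code from Freemius, Popup Maker or the report) does both over constructed input. It assumes the wordpress.org slugs woocommerce and popup-maker, and it checks the default_role and users_can_register entries of wp_options, since default_role is the WordPress setting that matches the report's description of "an option which gives all new accounts administrative privileges". The four other plugins are not in the version table because the report does not state their fixed versions.

```python
import re

# Fixed releases taken from this report. Slugs are the wordpress.org plugin slugs.
FIXED_IN = {
    "woocommerce": "3.5.5",  # stored XSS via image captions, fixed in 3.5.5
    "popup-maker": "1.8.3",  # Freemius library vulnerability, fixed in 1.8.3
}

# Roles that must never be handed to self-registered accounts.
PRIVILEGED_ROLES = {"administrator", "editor", "author"}


def parse_version(text):
    """Turn '3.5.4' (or '3.5.4-beta1') into a tuple of ints for comparison."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def outdated_plugins(installed):
    """installed: {slug: version}. Return the slugs still below the fixed release."""
    return sorted(
        slug
        for slug, version in installed.items()
        if slug in FIXED_IN and parse_version(version) < parse_version(FIXED_IN[slug])
    )


def risky_options(options):
    """Flag wp_options values consistent with the attack path described in the report:
    a privileged default role, especially combined with open registration."""
    findings = []
    role = options.get("default_role", "subscriber")
    if role in PRIVILEGED_ROLES:
        findings.append("default_role is '%s'" % role)
    if options.get("users_can_register") == "1" and role != "subscriber":
        findings.append("registration is open and new users get '%s'" % role)
    return findings


def audit(installed, options):
    """Combine both checks into one report dict."""
    return {"outdated": outdated_plugins(installed), "options": risky_options(options)}


# Constructed sample input: a site still on the vulnerable WooCommerce release,
# whose default role has already been switched to administrator.
SAMPLE_PLUGINS = {"woocommerce": "3.5.4", "popup-maker": "1.8.3", "foogallery": "1.6.0"}
SAMPLE_OPTIONS = {"default_role": "administrator", "users_can_register": "1"}

if __name__ == "__main__":
    for key, value in audit(SAMPLE_PLUGINS, SAMPLE_OPTIONS).items():
        print(key, value)
```

A real inventory can be fed in from the output of `wp plugin list --format=json` and `wp option get default_role` on the host; anything reported under "options" on a site that ran a vulnerable Freemius-based plugin warrants a review of recently created user accounts as well as restoring the setting.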
