Article updated on 9th April 2019
In this issue:
- WooCommerce - cross-site scripting
- Popup Maker - Freemius library vulnerability
- Other popular plugins using Freemius
The Freemius issue prompted us to look at how widely the library is used and what the vulnerability means for other plugins. As a result, we have added four additional plugins to this week’s report, all of which are affected by the same Freemius vulnerability as Popup Maker.
Learn why we launched the Monthly WordPress Vulnerability Report in the introductory post, which includes a video message from our Technical Director, Tomasz Lisiecki.
WooCommerce - cross-site scripting
Image captions are not handled in a safe manner in WooCommerce 3.5.4 and earlier.
Is it safe?
The attack requires access to an account with sufficient privileges and lets the attacker insert malicious scripts via image captions. The privilege requirement slightly lowers the warning level for this vulnerability, but once an attacker gains access to a privileged WordPress account it becomes a dangerous flaw.
We recommend upgrading to the latest WooCommerce security release 3.5.5.
Popup Maker - Freemius library vulnerability
WordPress users can easily gain access to functions that change settings in your database.
Is it safe?
If your website allows creating accounts, users with any privileges can exploit the vulnerability. Attackers usually change an option so that all new accounts receive administrative privileges. Creating a fresh account then lets them take control of the entire website.
Update to the latest 1.8.3 version of Popup Maker as soon as possible.
Other popular plugins using Freemius
We have identified four plugins with over 100,000 installations that have been updated to patch the Freemius vulnerability. They are: 404 to 301, FooBox Image Lightbox, FooGallery and NextGEN Gallery. The last plugin is active on over 900,000 websites.
All four plugins were updated after the vulnerability was patched in the third-party Freemius library. Update them at your earliest convenience.
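To check a site against this report, the following added example (not code from the report or from any of the plugins) compares installed versions with the fixed releases named above and flags the new-account role setting described in the Popup Maker section. It assumes the input is the JSON printed by `wp plugin list --format=json` plus the values of the WordPress core options `default_role` and `users_can_register`; the plugin slugs `woocommerce` and `popup-maker`, the choice of those two options, and the sample data are assumptions made for this example.

```python
import json

# Fixed releases named in this report. The four other Freemius plugins are
# left out because the report does not state their fixed versions.
FIXED = {"woocommerce": "3.5.5", "popup-maker": "1.8.3"}

def parse_version(text):
    """'3.5.4' -> [3, 5, 4]; a suffix such as '-beta.1' is cut off."""
    parts = []
    for piece in text.split("-")[0].split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits or 0))
    return parts

def older_than(installed, fixed):
    """Compare versions numerically, padding so that 3.5 equals 3.5.0."""
    a, b = parse_version(installed), parse_version(fixed)
    width = max(len(a), len(b))
    a += [0] * (width - len(a))
    b += [0] * (width - len(b))
    return a < b

def audit(plugin_list_json, options):
    """Return findings for one site: outdated plugins and a risky default role."""
    findings = []
    for plugin in json.loads(plugin_list_json):
        fixed = FIXED.get(plugin["name"])
        if fixed and older_than(plugin["version"], fixed):
            findings.append(f"{plugin['name']} {plugin['version']} is older than {fixed}")
    # Assumption: the option attackers change is the core 'default_role' option.
    if options.get("default_role") == "administrator":
        is_open = str(options.get("users_can_register", "0")) == "1"
        state = "open" if is_open else "closed"
        findings.append(f"default_role is administrator (registration {state})")
    return findings

# Constructed sample input, shaped like `wp plugin list --format=json`.
SAMPLE_PLUGINS = json.dumps([
    {"name": "woocommerce", "status": "active", "version": "3.5.4"},
    {"name": "popup-maker", "status": "active", "version": "1.8.3"},
])
# Constructed option values, as read with `wp option get <name>`.
SAMPLE_OPTIONS = {"default_role": "administrator", "users_can_register": "1"}

if __name__ == "__main__":
    for finding in audit(SAMPLE_PLUGINS, SAMPLE_OPTIONS):
        print("FINDING:", finding)
```

A `default_role` of administrator on a site that was running a vulnerable version is worth treating as a sign of compromise; review the user list for unexpected administrator accounts after resetting the option.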