Monthly WordPress Vulnerability Report #5 – January 2019

After a busy month for WordPress security specialists in December following the release of the major update of 2018, the new year brought a much-needed drop in the number of WordPress vulnerabilities.

Monthly WordPress Vulnerability Report
Article by Dawid Zimny
I am particularly interested in web analytics. Knowing the way your visitors browse your website will help you improve their browsing experience and is crucial for converting them into clients.
Article updated on 9th April 2019

In this issue:

  • Two Factor Authentication - cross-site request forgery
  • Google XML Sitemaps - cross-site scripting
  • WP Job Manager - object injection
  • Health Check & Troubleshooting - missing authorization checks (file disclosure)
  • Yet Another Stars Rating - PHP object injection

The plugins we use for our clients had no outstanding advisories after the December security updates, so for January 2019 we investigated WordPress vulnerabilities in several popular extensions outside of our list.

If you want to know why we launched the Monthly WordPress Vulnerability Report, check out the introductory post including a video message from our Technical Director, Tomasz Lisiecki.

Two Factor Authentication - cross-site request forgery!

Attackers can exploit a CSRF vulnerability by persuading a logged-in user to visit a website they control. That page submits a forged request which the plugin accepts without an anti-CSRF token, and two-step authentication is disabled on that user's account.
Is it safe?
There are several preconditions. First, the human factor: a logged-in user has to visit a page crafted by the attacker, in the same browser session in which they are logged in to WordPress, so that the browser attaches the authentication cookie to the forged request. Second, disabling two-factor authentication gains the attacker nothing on its own; without the user's login credentials, the only outcome is that the second factor is switched off. Finally, the removal of two-step authentication will be obvious to the user the next time they log in and are not asked for the second factor.
Our recommendation
Although the impact is limited, update the plugin to version 1.3.13 at your next maintenance window.

Google XML Sitemaps - cross-site scripting!

This is a stored cross-site scripting issue: a privileged user can save a value containing script in the plugin's settings page, and the value is rendered without escaping, so the script executes in the browser of any administrator who opens that page.
Is it safe?
Script running in an administrator's browser session is very dangerous, since it can perform any action the administrator can, such as creating accounts or installing plugins. The mitigating factor is that the attacker first needs access to a privileged account on the website.
Our recommendation
Because the attack requires a privileged account, it is less likely to be carried out. We still recommend updating the plugin to the fixed version, 4.1.0.
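
The fix for this class of bug is the same in any WordPress settings page: sanitize the value when it is saved and escape it when it is printed. The following is an added illustration, not code from the Google XML Sitemaps plugin; the option name example_sitemap_title, the settings group and the function names are hypothetical.

```php
<?php
// Added example, not code from the Google XML Sitemaps plugin.
// 'example_sitemap_title' and 'example_group' are hypothetical names.

// Vulnerable: the stored value is concatenated straight into an attribute.
// A saved value such as  "><script>...</script>  closes the attribute and
// runs every time an administrator opens the settings page.
function example_settings_field_vulnerable() {
    $title = get_option('example_sitemap_title', '');
    echo '<input type="text" name="example_sitemap_title" value="' . $title . '">';
}

// Hardened, step 1: normalise the value on the way in.
// register_setting() with a sanitize_callback runs sanitize_text_field()
// on every save, stripping tags and control characters.
function example_register_settings() {
    register_setting('example_group', 'example_sitemap_title', array(
        'type'              => 'string',
        'sanitize_callback' => 'sanitize_text_field',
        'default'           => '',
    ));
}
add_action('admin_init', 'example_register_settings');

// Hardened, step 2: escape on the way out.
// esc_attr() encodes quotes and angle brackets, so whatever is stored is
// shown as inert text inside the attribute and cannot break out of it.
function example_settings_field_hardened() {
    $title = get_option('example_sitemap_title', '');
    echo '<input type="text" name="example_sitemap_title" value="' . esc_attr($title) . '">';
}
```

Output escaping is the part that actually closes the hole: the sanitize callback reduces what gets stored, but a privileged account may be able to write the option by other means, and only esc_attr() at the point of output guarantees the value cannot become markup.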

WP Job Manager - object injection!

An attacker first uploads a malicious PHP Archive (Phar) file to the server. When a filesystem function such as file_exists() or fopen() is later called on that file through the phar:// stream wrapper, PHP parses the archive and unserializes the metadata stored in it, which can trigger magic methods of classes that are already loaded and so execute attacker-chosen behaviour.
Is it safe?
The exploit requires the attacker to upload a file to your website's server. This is easier than it seems, because a Phar archive can be disguised as a JPEG: the archive's stub may begin with the JPEG magic bytes, so checks on the file header and extension pass. If your website accepts uploads and uses the WP Job Manager plugin, the attack is easy to perform.
Our recommendation
Update the plugin to the safe version (1.31.3) as soon as possible.
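
To make the mechanism concrete, here is an added demonstration of a Phar disguised as a JPEG and of the path check that blocks the trigger. It is not code from WP Job Manager: the DemoGadget class stands in for whatever loaded class an attacker would really reuse, and the file names and the check function are constructed for this illustration. It is written for PHP 7; since PHP 8.0 the phar:// wrapper no longer unserializes metadata automatically, so the __wakeup() call below fires only on older interpreters.

```php
<?php
// Added example, not code from the WP Job Manager plugin.
// Run with:  php -d phar.readonly=0 phar_demo.php
// DemoGadget, upload.jpg and the *_vulnerable/*_hardened helpers are constructed.

// Stand-in for a "gadget": any class already loaded by core, the theme or a
// plugin whose magic method does something with attacker-controlled data.
class DemoGadget {
    public $note;
    public function __wakeup() {
        echo "DemoGadget::__wakeup ran with note: {$this->note}\n";
    }
}

// Step 1: build the polyglot. The stub starts with the JPEG magic bytes, so a
// header or MIME sniff reports image/jpeg, then the file is renamed to .jpg.
function build_polyglot($path) {
    $tmp = $path . '.phar';                 // Phar creation requires a .phar name
    @unlink($tmp);
    $phar = new Phar($tmp);
    $phar->startBuffering();
    $phar->addFromString('x.txt', 'x');
    $phar->setStub("\xFF\xD8\xFF\xE0" . '<?php __HALT_COMPILER(); ?>');
    $gadget = new DemoGadget();
    $gadget->note = 'metadata unserialized from upload.jpg';
    $phar->setMetadata($gadget);            // serialized into the manifest
    $phar->stopBuffering();
    rename($tmp, $path);
    return $path;
}

// Step 2: any filesystem call that accepts a path will parse the archive when
// handed a phar:// path, and on PHP < 8.0 unserialize its metadata.
function check_file_vulnerable($path) {
    return file_exists($path);
}

// Hardened: refuse stream-wrapper schemes before touching the filesystem.
// (stream_wrapper_unregister('phar') at bootstrap is a site-wide alternative.)
function check_file_hardened($path) {
    if (preg_match('#^[a-z][a-z0-9+.-]*://#i', $path)) {
        throw new InvalidArgumentException('stream wrappers are not allowed in paths');
    }
    return file_exists($path);
}

$jpg = build_polyglot(__DIR__ . '/upload.jpg');

check_file_vulnerable('phar://' . $jpg . '/x.txt');      // __wakeup fires (PHP 7)

try {
    check_file_hardened('phar://' . $jpg . '/x.txt');    // rejected before any I/O
} catch (InvalidArgumentException $e) {
    echo "blocked: " . $e->getMessage() . "\n";
}

unlink($jpg);
```

Note that the archive is created with phar.readonly=0 only for the demo; the default phar.readonly=1 does not stop the phar:// wrapper from reading an existing archive, which is exactly why the trigger works on a production server.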

Health Check & Troubleshooting!

Authenticated users can read files they should not have access to: several of the plugin's request handlers run without checking the caller's role or capabilities, so accounts with any role can invoke them.
Is it safe?
Any logged-in user, even a subscriber, can read wp-config.php and other system files. wp-config.php holds the database credentials and the authentication salts, so in some cases the data in the exposed files is enough to escalate to administrator.
Our recommendation
Updating to version 1.2.4 is highly recommended.
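
The Two Factor Authentication issue above and this one are the two checks every WordPress action handler needs: a nonce (was this request made from our own form?) and a capability test (is this role allowed to do it?). The following added example shows both, with a vulnerable handler beside the hardened one; it is not code from either plugin. The hook names, the demo_2fa_enabled user meta key, the nonce actions and the file whitelist are constructed for this illustration.

```php
<?php
// Added example, not code from the Two Factor Authentication or Health Check
// plugins. Hook names, meta keys, nonce actions and the whitelist are constructed.

// --- CSRF case ---------------------------------------------------------------
// Vulnerable: any POST to admin-post.php?action=demo_disable_2fa_vulnerable
// succeeds. A page on an attacker's site can auto-submit such a form; the
// browser attaches the victim's WordPress login cookie and the second factor
// is removed from the victim's own account.
function demo_disable_2fa_vulnerable() {
    delete_user_meta(get_current_user_id(), 'demo_2fa_enabled');
    wp_safe_redirect(admin_url('profile.php'));
    exit;
}
add_action('admin_post_demo_disable_2fa_vulnerable', 'demo_disable_2fa_vulnerable');

// Hardened: the form carries a nonce and the handler verifies it.
function demo_disable_2fa_form() {
    echo '<form method="post" action="' . esc_url(admin_url('admin-post.php')) . '">';
    echo '<input type="hidden" name="action" value="demo_disable_2fa">';
    // Hidden field with a token bound to this action and the current user's
    // session; a third-party page has no way to read it.
    wp_nonce_field('demo_disable_2fa', '_demo_nonce');
    echo '<button type="submit">Disable two-factor authentication</button></form>';
}

function demo_disable_2fa_hardened() {
    // Stops with a 403 page unless the nonce is present, valid and unexpired.
    check_admin_referer('demo_disable_2fa', '_demo_nonce');
    delete_user_meta(get_current_user_id(), 'demo_2fa_enabled');
    wp_safe_redirect(admin_url('profile.php'));
    exit;
}
add_action('admin_post_demo_disable_2fa', 'demo_disable_2fa_hardened');

// --- missing authorization case ----------------------------------------------
// Vulnerable: every logged-in user can reach wp_ajax_* handlers, so without a
// capability check a subscriber can post file=wp-config.php and read it.
function demo_read_file_vulnerable() {
    $file = isset($_POST['file']) ? wp_unslash($_POST['file']) : '';
    wp_send_json_success(file_get_contents(ABSPATH . $file));
}
add_action('wp_ajax_demo_read_file_vulnerable', 'demo_read_file_vulnerable');

// Hardened: nonce (who sent it), capability (may this role do it), and a
// fixed whitelist (which files may be read at all).
function demo_read_file_hardened() {
    check_ajax_referer('demo_health_check', 'nonce');
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    $allowed = array('debug-log' => WP_CONTENT_DIR . '/debug.log');
    $key = isset($_POST['file']) ? sanitize_key($_POST['file']) : '';
    if (!isset($allowed[$key])) {
        wp_send_json_error('unknown file', 400);
    }
    $path = $allowed[$key];
    wp_send_json_success(is_readable($path) ? file_get_contents($path) : '');
}
add_action('wp_ajax_demo_read_file', 'demo_read_file_hardened');
```

The nonce alone would not have saved the Health Check case and the capability check alone would not have saved the CSRF case: a nonce proves the request came from a page the plugin rendered for that user, while current_user_can() decides whether that user may perform the action at all. Both are needed, and the whitelist removes the caller's ability to choose the path.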

Yet Another Stars Rating - PHP object injection!

The shortcode provided by YASR passes unfiltered cookie data to PHP's unsafe unserialize() function, so any visitor who can set a cookie decides which objects are instantiated.
Is it safe?
An attacker can only make use of the vulnerability by reusing classes that are already loaded, from WordPress core or other plugins, whose magic methods (such as __wakeup() or __destruct()) do something useful with attacker-controlled properties, for example to read or write sensitive data. WordPress core does not appear to offer a usable class here, but given the number of third-party and open-source plugins installed on a typical site, it is very likely that one of them does.
Our recommendation
Version 1.8.7 fixes the issue and you should update the plugin.
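
The following added example shows the unserialize() hazard and the two ways to close it; it is not code from the YASR plugin. The DemoLogger class stands in for a real gadget from some loaded plugin, and the cookie payload and function names are constructed for this illustration.

```php
<?php
// Added example, not code from the YASR plugin. DemoLogger, the helper names
// and the forged cookie value are constructed for this illustration.

// Stand-in for a gadget: any loaded class (core, theme or another plugin)
// whose magic method acts on attacker-controlled properties.
class DemoLogger {
    public $file;
    public function __destruct() {
        // A real gadget might write attacker data to $this->file.
        echo "DemoLogger::__destruct ran with file = {$this->file}\n";
    }
}

// Vulnerable: the visitor decides which class gets instantiated.
// (WordPress adds slashes to $_COOKIE; pass the value through wp_unslash() first.)
function demo_read_rating_vulnerable($cookie_value) {
    return unserialize($cookie_value);
}

// Fix 1 (PHP 7.0+): forbid object instantiation. Any class name in the payload
// comes back as __PHP_Incomplete_Class and no magic method is ever invoked.
function demo_read_rating_no_objects($cookie_value) {
    return unserialize($cookie_value, array('allowed_classes' => false));
}

// Fix 2: do not use PHP serialization for client data at all. JSON can only
// yield arrays and scalars, and the result is validated before use.
function demo_read_rating_json($cookie_value) {
    $data = json_decode($cookie_value, true);
    if (!is_array($data) || !isset($data['rating'])) {
        return array();
    }
    return array('rating' => max(0, min(5, (int) $data['rating'])));
}

// Constructed attacker cookie: a serialized DemoLogger where the plugin
// expects an array. Built as a string so that no DemoLogger object exists
// until the vulnerable code unserializes it.
function demo_forge_cookie($file) {
    return sprintf(
        'O:%d:"DemoLogger":1:{s:4:"file";s:%d:"%s";}',
        strlen('DemoLogger'), strlen($file), $file
    );
}

$evil = demo_forge_cookie('/tmp/attacker-chosen.php');

$a = demo_read_rating_vulnerable($evil);
echo get_class($a), "\n";          // the attacker's class was instantiated
unset($a);                         // __destruct runs with the attacker's $file

$b = demo_read_rating_no_objects($evil);
echo get_class($b), "\n";          // placeholder class, no behaviour attached
unset($b);                         // nothing runs

var_dump(demo_read_rating_json('{"rating":"7"}'));   // clamped to the valid range
var_dump(demo_read_rating_json($evil));              // not JSON, rejected
```

Fix 1 is the quick patch when the serialized format must stay; fix 2 is the right design for anything a browser can set, because it removes the class-loading step that object injection depends on rather than merely blocking it.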
