Monthly WordPress Vulnerability Report #5 – January 2019

#Uncategorised

1st February 2019

After a busy month for WordPress security specialists in December following the release of the major update of 2018, the new year brought a much-needed drop in the number of WordPress vulnerabilities.

The plugins we use for our clients were fully secure after the December security updates, so for January 2019 we investigated WordPress vulnerabilities in several popular extensions outside our list.

If you want to know why we launched the Monthly WordPress Vulnerability Report, check out the introductory post including a video message from our Technical Director, Tomasz Lisiecki.

TWO FACTOR AUTHENTICATION – CROSS-SITE REQUEST FORGERY

Problem
Attackers can exploit a CSRF vulnerability by persuading a logged-in user to visit a malicious website. This allows them to disable two-step authentication on that user’s account.

Is it safe?
There are many nuances to this attack. First, there is the human factor: a logged-in user has to visit a malicious website crafted by the attacker, and it has to happen in the same browser session. Last but not least, the attacker still needs to gain access to the login credentials. Otherwise, the only thing they can do is disable the two-factor authentication, and its removal will be obvious to the user the next time they log in.

Our recommendation
Although the problem is not very serious, update the plugin to secure your website. Upgrade to version 1.3.13 whenever you see fit.

Level of warning
Low
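To show what separates the vulnerable handler from a fixed one, here is an added example in plain PHP (not the plugin's own code): a "disable 2FA" request handled once without and once with an anti-CSRF token. The function and field names are assumptions for illustration; in a WordPress plugin the equivalent protection is wp_nonce_field() in the form and check_admin_referer() or wp_verify_nonce() in the handler.

```php
<?php
// Added example, not the plugin's code: a state-changing "disable 2FA" handler
// shown without and then with an anti-CSRF token. Plain PHP; in WordPress the
// same protection is wp_nonce_field() in the form and check_admin_referer()
// (or wp_verify_nonce()) in the handler.

// One secret token per logged-in session, embedded in every form that changes
// state. A page on another origin cannot read it, so it cannot forge the form.
function csrf_token(): string {
    static $token = null;
    if ($token === null) {
        $token = bin2hex(random_bytes(32));
    }
    return $token;
}

// Vulnerable shape: the browser attaches the login cookie automatically, so a
// POST submitted by a third-party page is accepted exactly like a genuine one.
function disable_two_factor_vulnerable(array $post, array &$user): bool {
    if (isset($post['disable_2fa'])) {
        $user['two_factor_enabled'] = false;
        return true;
    }
    return false;
}

// Hardened shape: refuse to change state unless the request carries the token
// that only the site's own page could have embedded (constant-time compare).
function disable_two_factor_safe(array $post, array &$user): bool {
    $sent = $post['csrf_token'] ?? '';
    if (!is_string($sent) || !hash_equals(csrf_token(), $sent)) {
        return false;
    }
    if (isset($post['disable_2fa'])) {
        $user['two_factor_enabled'] = false;
        return true;
    }
    return false;
}

// Constructed demonstration data.
$user    = ['login' => 'alice', 'two_factor_enabled' => true];
$forged  = ['disable_2fa' => '1'];                                // no token
$genuine = ['disable_2fa' => '1', 'csrf_token' => csrf_token()]; // site's own form

disable_two_factor_vulnerable($forged, $user);
printf("vulnerable handler, forged request: 2FA still on? %s\n",
    var_export($user['two_factor_enabled'], true));

$user['two_factor_enabled'] = true;
$ok = disable_two_factor_safe($forged, $user);
printf("safe handler, forged request: accepted=%s, 2FA still on? %s\n",
    var_export($ok, true), var_export($user['two_factor_enabled'], true));

$ok = disable_two_factor_safe($genuine, $user);
printf("safe handler, genuine request: accepted=%s, 2FA still on? %s\n",
    var_export($ok, true), var_export($user['two_factor_enabled'], true));
```

Run it with `php csrf_demo.php`. The point of the token check is that the session cookie alone proves who the user is, not that the user intended the request; the token proves the request was built by a page the site itself served.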

GOOGLE XML SITEMAPS – CROSS-SITE SCRIPTING

Problem
A privileged user can inject a script into the settings page of the plugin. This script then executes when an administrator browses that page.

Is it safe?
Executing unwanted scripts in the administrator’s browser is very dangerous, although the first step in carrying out the attack is getting access to a privileged account on the website.

Our recommendation
The attack requires access to a privileged account, which makes it less likely to be carried out. We still recommend updating the plugin to the safe version 4.1.0.

Level of warning
Moderate
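The following is an added example in plain PHP, not code from the plugin, showing the stored XSS pattern on a settings page beside the escaped version. The option name and the stored value are constructed for the demonstration; WordPress provides esc_attr() and esc_html() for output escaping and esc_url_raw() as a sanitize callback for URL-valued options.

```php
<?php
// Added example (not the plugin's code): rendering a stored plugin option into
// a settings page. Plain PHP; WordPress provides esc_attr() / esc_html() for the
// same escaping and esc_url_raw() for sanitizing a URL option on save.

// Constructed stored value, as a privileged user could have saved it.
$stored = '"><script>alert(document.cookie)</script>';

// Vulnerable: raw interpolation lets the stored value close the attribute and
// inject markup that runs when an administrator opens the page.
function render_setting_vulnerable(string $value): string {
    return '<input type="text" name="sitemap_url" value="' . $value . '">';
}

// Hardened: escape for the attribute context (quotes included) at output time.
function render_setting_safe(string $value): string {
    $escaped = htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="sitemap_url" value="' . $escaped . '">';
}

// Also validate on save: a field that only needs a URL should store nothing else.
function sanitize_url_setting(string $value): string {
    $value = trim($value);
    return filter_var($value, FILTER_VALIDATE_URL) === false ? '' : $value;
}

echo "vulnerable: ", render_setting_vulnerable($stored), "\n";
echo "escaped:    ", render_setting_safe($stored), "\n";
echo "saved as:   '", sanitize_url_setting($stored), "'\n";
echo "saved as:   '", sanitize_url_setting('https://example.com/sitemap.xml'), "'\n";
```

Escaping at output is the control that actually stops the script from running; validating on save is defence in depth, because an option may also be written by other code paths.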

WP JOB MANAGER – OBJECT INJECTION

Problem
An attacker needs to upload a malicious PHP Archive (Phar) file to the server. When the file is processed by a function, the data in the malicious file is unserialized, which can trigger a malicious function.

Is it safe?
The exploit requires the attacker to upload a file to your website’s server. This is easier than it sounds, as a Phar file can be hidden inside a fake JPG. If your website allows uploads and uses the WP Job Manager plugin, the attack is easy to perform.

Our recommendation
Update the plugin to the safe version (1.31.3) as soon as possible.

Level of warning
High

HEALTH CHECK & TROUBLESHOOTING

Problem
Authenticated users can read files beyond their permissions. Accounts with any role can execute various queries that do not check the user’s role.

Is it safe?
Any user can read the wp-config file and other system files. In some cases, the user could gain administrative privileges by making use of data in the exposed files.

Our recommendation
Updating to version 1.2.4 is highly recommended.

Level of warning
High
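As an added example (plain PHP, not the plugin's code), here is a "show file" endpoint of the kind described above, first accepting any path from any authenticated user and then checking both the caller's capability and that the requested path stays inside an allowed directory. The user arrays, capability names and directory layout are constructed for the demonstration; in a WordPress AJAX handler the role check is current_user_can('manage_options') and the request check is check_ajax_referer().

```php
<?php
// Added example (not the plugin's code): an admin-only "show file" endpoint
// that checks who is asking and which file is asked for. Plain PHP.

// Vulnerable shape: any authenticated user, any path on disk.
function read_file_vulnerable(array $user, string $requested) {
    return @file_get_contents($requested);
}

// Hardened shape: require the capability, then confine the path to an allowed
// directory with realpath() so "../" segments and symlinks cannot escape it.
function read_file_safe(array $user, string $requested, string $allowed_dir) {
    if (empty($user['caps']['manage_options'])) {
        return false; // insufficient privileges (WordPress: current_user_can)
    }
    $base   = realpath($allowed_dir);
    $target = realpath($allowed_dir . DIRECTORY_SEPARATOR . $requested);
    if ($base === false || $target === false
        || strncmp($target, $base . DIRECTORY_SEPARATOR, strlen($base) + 1) !== 0) {
        return false; // resolved path is outside the allowed directory
    }
    return file_get_contents($target);
}

// Constructed sandbox: a "logs" directory the endpoint may serve and a secret
// file one level up, standing in for wp-config.php.
$root = sys_get_temp_dir() . '/hc-demo-' . getmypid();
mkdir("$root/logs", 0700, true);
file_put_contents("$root/logs/debug.log", "harmless log line\n");
file_put_contents("$root/wp-config.php", "define('DB_PASSWORD', 'constructed-secret');\n");

$subscriber = ['login' => 'bob',   'caps' => ['read' => true]];
$admin      = ['login' => 'alice', 'caps' => ['read' => true, 'manage_options' => true]];

echo "vulnerable, subscriber, ../wp-config.php: ",
    var_export(read_file_vulnerable($subscriber, "$root/logs/../wp-config.php"), true), "\n";
echo "safe, subscriber, debug.log: ",
    var_export(read_file_safe($subscriber, 'debug.log', "$root/logs"), true), "\n";
echo "safe, admin, ../wp-config.php: ",
    var_export(read_file_safe($admin, '../wp-config.php', "$root/logs"), true), "\n";
echo "safe, admin, debug.log: ",
    var_export(read_file_safe($admin, 'debug.log', "$root/logs"), true), "\n";

// Remove the sandbox again.
unlink("$root/logs/debug.log");
unlink("$root/wp-config.php");
rmdir("$root/logs");
rmdir($root);
```

The two checks are independent: the capability check decides whether the caller may use the feature at all, and the realpath() containment check limits what even an administrator can reach through it.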

YET ANOTHER STARS RATING – PHP OBJECT INJECTION

Problem
The shortcode provided by YASR passes unfiltered cookie data to PHP’s unsafe unserialize() function.

Is it safe?
By exploiting the vulnerability, the attacker can abuse code from other plugins or WordPress core to gain access to sensitive data. WordPress core does not appear to be affected in this case, but with the abundance of custom, open-source plugins it is almost certain an attacker could take advantage of the object injection.

Our recommendation
Version 1.8.7 fixes the issue and you should update the plugin.

Level of warning
High
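The two object-injection entries in this report (the Phar upload in WP Job Manager and the cookie passed to unserialize() in YASR) rest on the same PHP behaviour, so one added example serves both. It is plain PHP written for this page, not code from either plugin: the AuditLogger class, the cookie value and the sample paths are constructed, and AuditLogger only prints a line where a real gadget would do something harmful. The first part shows unserialize() on attacker-controlled data with and without allowed_classes, and the alternative of not using PHP serialization for cookies at all; the second shows a path check that refuses stream wrappers such as phar:// before a filesystem function ever sees the path.

```php
<?php
// Added example (not the plugins' code): the two unserialize paths described
// in this report, each beside a hardened form. Plain PHP, runs offline.

// --- Part 1: a cookie fed straight to unserialize() ---

// A class with a magic method stands in for the gadgets an attacker would look
// for in other plugins or core; here it only records that it ran.
class AuditLogger {
    public $path = '/tmp/audit.log';
    public function __destruct() {
        echo "  AuditLogger::__destruct ran with path={$this->path}\n";
    }
}

// Constructed cookie value: a serialized AuditLogger object instead of the
// plain array of ratings the shortcode expected.
$cookie = 'O:11:"AuditLogger":1:{s:4:"path";s:24:"/tmp/attacker-chosen.log";}';

echo "vulnerable: unserialize(\$_COOKIE[...]) with no restrictions\n";
$obj = unserialize($cookie);   // instantiates AuditLogger from untrusted input
unset($obj);                    // __destruct fires here

echo "hardened 1: unserialize() with allowed_classes => false\n";
$obj = unserialize($cookie, ['allowed_classes' => false]);
echo "  got " . get_class($obj) . "\n";   // __PHP_Incomplete_Class: no methods run
unset($obj);

echo "hardened 2: do not use PHP serialization for cookies at all\n";
$json = json_decode($cookie, true);        // null: the value is not valid JSON
$ratings = is_array($json) ? $json : [];   // fall back to an empty rating set
echo "  json_decode gave " . var_export($json, true) . ", using " . count($ratings) . " ratings\n";

// --- Part 2: a file path that reaches the phar:// stream wrapper ---

// Filesystem functions that open a phar:// path (file_exists, is_file,
// filesize, getimagesize, ...) unserialize the archive's metadata, even when
// the file on disk is named like an image. Refusing every wrapper up front
// keeps such a path from reaching those functions.
function safe_local_path(string $path): ?string {
    if (preg_match('#^[a-z][a-z0-9+.\-]*://#i', $path)) {
        return null; // any scheme prefix: phar://, file://, data://, ...
    }
    if (strpos($path, "\0") !== false) {
        return null; // embedded NUL bytes are never valid in a real path
    }
    return $path;
}

// Constructed sample paths.
$samples = [
    '/var/www/uploads/avatar.jpg',
    'phar:///var/www/uploads/avatar.jpg/x',
    'file:///etc/passwd',
];
foreach ($samples as $p) {
    echo safe_local_path($p) === null ? "rejected: $p\n" : "accepted: $p\n";
}
```

Run it with `php object_injection_demo.php`. Note that allowed_classes => false stops magic methods from running but still yields an __PHP_Incomplete_Class object that the calling code must handle; moving the cookie to JSON removes the problem entirely, which is why it is the preferred fix for data that only ever holds arrays and scalars.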
