WordPress Vulnerability Report #11 – July 2019

July brought several vulnerabilities in 5 of over 100 WordPress plugins we track. This time the attacks can target not only your website but also your visitors directly. Recent versions of 3 plugins, including powerhouses like WooCommerce, are vulnerable to Cross-Site Request Forgery which could execute malicious HTTP requests in your visitors' browsers. We have also identified vulnerabilities which expose your website and its database to 6 additional attack types.

Monthly WordPress Vulnerability Report
Article by Dawid Zimny
I am particularly interested in web analytics. Knowing the way your visitors browse your website will help you improve their browsing experience and is crucial for converting them into clients.

In this issue:

  • Yoast SEO 1.2.0-11.5 - Authenticated Cross-Site Scripting (XSS)
  • WooCommerce 3.6.4 - Cross-Site Request Forgery, File Type Check
  • Widget Logic 5.10.2 - CSRF and Loose Authorisation
  • WP Google Maps 7.11.34 - CSRF, XSS
  • WP Statistics 12.6.6.1 - Unauthenticated XSS and SQL Injection

From the “regulars” of the WordPress Vulnerability Report, such as data sanitisation issues and privilege escalation, to rare loopholes in IP address processing, July was a busy month for the security teams of several plugins.

Vulnerabilities of powerhouses such as WooCommerce and Yoast showcase how important it is to keep track of the security of your plugins. Even the most reliable WordPress plugins can become vulnerable at some point.

Here’s the summary of July’s vulnerabilities in over 100 popular WordPress plugins from our list.

If you have questions regarding our report, don’t hesitate to contact us.

We also offer professional security monitoring – including plugin monitoring, offsite backups, and much more. Learn more about our WordPress security and maintenance services.


Secure business website – WordPress core and plugin vulnerabilities

Learn why we launched the WordPress Vulnerability Report in the video message from our Technical Director, Tomasz Lisiecki.

If you’re looking for more information please read our introductory article.

Yoast SEO 1.2.0-11.5 - Authenticated Cross-Site Scripting (XSS)

Problem
Descriptions of custom taxonomies accept unfiltered HTML, allowing authenticated attackers to execute scripts, gain higher privilege levels and eventually take control of the website and database.
Is it safe?
The issue mostly affects multi-site installations. However, if your editors have had the "unfiltered_html" capability removed on a single-site WordPress installation, or you've created custom roles, your website might still be exposed.
Our recommendation
We recommend updating to at least version 11.6, which fixed the issue.

WooCommerce 3.6.4 - Cross-Site Request Forgery, File Type Check

Problem
The plugin lacks file type checks for tax rate imports, which leaves that feature vulnerable, and a separate issue with CSV imports enables a cross-site request forgery attack.
Is it safe?
The CSRF attack targets your visitors by forcing their browser to send malicious HTTP requests, while the lack of file type checks could lead to a security breach on your server.
Our recommendation
Update to version 3.6.5 as soon as possible.

Widget Logic 5.10.2 - CSRF and Loose Authorisation

Problem
A lack of user input sanitisation enables the execution of a CSRF attack. On top of that, importing and updating the plugin's options lacks proper authorisation checks.
Is it safe?
Accounts with insufficient privileges can perform actions restricted to admin-level users and the unfiltered user input is a threat to your visitors.
Our recommendation
Update to the safe version 5.10.3 at your earliest convenience.

WP Google Maps 7.11.34 - CSRF, XSS

Problem
Missing input sanitisation functions and privilege checks enable both the CSRF and XSS attacks.
Is it safe?
Abusing the lack of privilege checks and unsafe input processing can expose your website to CSRF and XSS attacks.
Our recommendation
Update to at least security release 7.11.35.

WP Statistics 12.6.6.1 - Unauthenticated XSS and SQL Injection

Problem
The plugin uses the wrong functions for IP verification and does not sanitise the page URL when the "use cache plugin" option is enabled (it is disabled by default).
Is it safe?
The IP handling issue enables unauthenticated XSS attacks, since the IP address the plugin records can be manipulated when requests pass through firewalls, while the lack of URL sanitisation makes the site vulnerable to an unauthenticated SQL injection that exposes your database.
Our recommendation
We recommend updating to version 12.6.7.
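As an added illustration, not code from any of the plugins in this report, here is a hypothetical WordPress admin-post handler that applies the checks whose absence is described above for Widget Logic, WP Google Maps and WP Statistics: a nonce against CSRF, a capability check for authorisation, input sanitisation and output escaping against XSS, and a prepared statement against SQL injection. Every name prefixed `example_` (the action, options, table and form fields) is an assumption made for this example.

```php
<?php
// Hypothetical handler (example code, not from any plugin above). The matching
// settings form must emit: wp_nonce_field( 'example_save_options', 'example_nonce' );
add_action( 'admin_post_example_save_options', 'example_save_options' );

function example_save_options() {
    // 1. CSRF: a forged cross-site request cannot carry a valid nonce for this
    //    action, so check_admin_referer() stops it before anything is changed.
    check_admin_referer( 'example_save_options', 'example_nonce' );

    // 2. Authorisation: being logged in is not enough; require the capability
    //    that actually governs changing site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'example' ), 403 );
    }

    // 3. Input sanitisation: plain-text fields lose all markup, booleans are
    //    normalised, and rich-text fields keep only the HTML wp_kses_post() allows
    //    (no <script>, no on* handlers, no javascript: URLs).
    $title = sanitize_text_field( wp_unslash( $_POST['example_title'] ?? '' ) );
    $cache = isset( $_POST['example_use_cache'] ) ? 1 : 0;
    $desc  = wp_kses_post( wp_unslash( $_POST['example_description'] ?? '' ) );

    update_option( 'example_title', $title );
    update_option( 'example_use_cache', $cache );
    update_option( 'example_description', $desc );

    // 4. SQL injection: request data is never interpolated into the query;
    //    $wpdb->prepare() binds the page URL as a quoted string parameter.
    global $wpdb;
    $page_url = esc_url_raw( wp_unslash( $_POST['example_page_url'] ?? '' ) );
    $hits     = $wpdb->get_var(
        $wpdb->prepare(
            "SELECT COUNT(*) FROM {$wpdb->prefix}example_hits WHERE page_url = %s",
            $page_url
        )
    );

    $target = add_query_arg(
        array( 'page' => 'example', 'hits' => (int) $hits, 'updated' => 1 ),
        admin_url( 'options-general.php' )
    );
    wp_safe_redirect( $target ); // only same-host redirects are allowed
    exit;
}

// 5. Output escaping: stored values are escaped again when rendered, so a value
//    that slipped past input filtering still cannot become stored XSS.
function example_render_title() {
    echo '<h2>' . esc_html( get_option( 'example_title', '' ) ) . '</h2>';
}
```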
