WordPress Vulnerability Report #10 – June 2019

The 10th issue of WordPress Vulnerability Report marks the end of the July maintenance and security cycle here at Nerd Cow. After tracking over 80 plugins used on our clients' websites, as well as dozens of other popular WordPress extensions, we've compiled yet another report on WordPress security. Discover the WordPress vulnerabilities that surfaced in July 2019.

Monthly WordPress Vulnerability Report
Article by Dawid Zimny

In this issue:

  • Advanced Custom Fields 5.7.10 - User Input Processing
  • Easy Digital Downloads 2.9.15 - Cross-Site Scripting
  • Shortlinks by Pretty Links 2.1.9 - Cross-Site Scripting and CSV Injection
  • WP Statistics 12.6.5 - Authenticated Cross-Site Scripting

Data validation in some WordPress functions, or lack thereof, has been a talking point for developers for years now. This month it was back to haunt developers of 4 plugins, causing 3 high-risk vulnerabilities.

Here’s a quick look at WordPress plugins that could negatively impact the security of your website this month.


Learn why we launched the WordPress Vulnerability Report in the video message from our Technical Director, Tomasz Lisiecki.

If you’re looking for more information please read our introductory article.

Advanced Custom Fields 5.7.10 - User Input Processing!

Problem
Because of data sanitisation issues in WordPress itself, ACF mishandles user input, and in combination with other plugins this can lead to serious vulnerabilities.
Is it safe?
The vulnerability involves accounts with low privileges, but there are many possible attacks that can be executed using this loophole.
Our recommendation
Update the plugin to the newest version, or at least version 5.7.12 where the issue was fixed.

Easy Digital Downloads 2.9.15 - Cross-Site Scripting!

Problem
IP addresses written to the logs were not treated as untrusted input, so a crafted value in the log output could execute a malicious script on the admin's end.
Is it safe?
The XSS attack would mostly fire in privileged accounts, so it requires immediate attention.
Our recommendation
Update to the safe version 2.9.16 as soon as possible.

Shortlinks by Pretty Links 2.1.9 - Cross-Site Scripting and CSV Injection!

Problem
Certain user data, such as the referrer, user agent (browser) and IP address, are not validated by the plugin. Similarly, exporting click data to CSV is vulnerable because of the same lack of validation: a stored value beginning with a formula character is interpreted as a formula when the file is opened in Microsoft Excel, enabling an offline attack on the person opening the export.
Is it safe?
Neither of the vulnerabilities requires authorisation and as such, they pose a serious threat to your website.
Our recommendation
Update to version 2.1.10.
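To make the two output paths described above concrete, here is an added example (not Pretty Links' own code) of hardening click-log data for an HTML table and for a CSV export. The record layout (`ip`, `referer`, `user_agent` keys) and the sample records are constructed for the demonstration; inside WordPress the HTML escaping would normally be done with esc_html() or esc_attr().

```php
<?php
// Added example, not from the plugin: defensive handling of stored
// request headers before they reach an admin page or a CSV export.

// Constructed sample records, including the kind of values the advisory
// warns about: markup in the referrer, a formula in the user agent, and
// an IP field that is not an IP at all.
$clicks = [
    ['ip' => '203.0.113.7', 'referer' => 'https://example.org/', 'user_agent' => 'Mozilla/5.0'],
    ['ip' => '<script>alert(1)</script>', 'referer' => '<b>x</b>', 'user_agent' => '=1+1'],
];

// 1. Validate at storage time: only a syntactically valid address is kept.
function normalise_ip(string $raw): string {
    return filter_var($raw, FILTER_VALIDATE_IP) !== false ? $raw : '0.0.0.0';
}

// 2. HTML output: escape every stored header value at render time.
//    htmlspecialchars() is the stand-alone equivalent of WordPress's esc_html().
function render_click_row(array $click): string {
    $values = [normalise_ip($click['ip']), $click['referer'], $click['user_agent']];
    $cells = array_map(
        fn($v) => htmlspecialchars((string) $v, ENT_QUOTES | ENT_HTML5, 'UTF-8'),
        $values
    );
    return '<tr><td>' . implode('</td><td>', $cells) . '</td></tr>';
}

// 3. CSV export: a cell starting with = + - @ (or tab / CR) is treated as
//    a formula by Excel and LibreOffice. Prefix such cells with a single
//    quote so they import as plain text, and quote the field so embedded
//    commas and quotes survive.
function csv_cell(string $value): string {
    if ($value !== '' && strpbrk($value[0], "=+-@\t\r") !== false) {
        $value = "'" . $value;
    }
    return '"' . str_replace('"', '""', $value) . '"';
}

function export_clicks_csv(array $clicks): string {
    $lines = ['ip,referer,user_agent'];
    foreach ($clicks as $c) {
        $row = [normalise_ip($c['ip']), $c['referer'], $c['user_agent']];
        $lines[] = implode(',', array_map('csv_cell', $row));
    }
    return implode("\r\n", $lines) . "\r\n";
}

foreach ($clicks as $c) {
    echo render_click_row($c), "\n";
}
echo export_clicks_csv($clicks);
```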

WP Statistics 12.6.5 - Authenticated Cross-Site Scripting!

Problem
A lack of sanitisation in the post title allows an attacker with access to a privileged account to include a script in the title.
Is it safe?
WP Statistics executes the script when you load the plugin dashboard. If the post is one of your top 10 visited posts, the attacker could delete it and the script will still execute, leaving almost no trace of the attacker.
Our recommendation
The vulnerability is fixed in version 12.6.6.1 and you should update the plugin at your earliest convenience.
