WordPress Vulnerability Report #7 – March 2019

March proved to be another quiet month for the plugins we use on our clients' sites. We have identified two vulnerabilities that don't require authentication, one in WordPress comments and one in a popular WooCommerce addon, as well as a WordPress core loophole that could lead to code execution.

Monthly WordPress Vulnerability Report
Article by Dawid Zimny

In this issue:

  • WordPress 3.9-5.1 - Cross-Site Scripting in Comments
  • WordPress 3.7-4.9.8 & 5.0 - Code Execution
  • Abandoned Cart Lite for WooCommerce - SQL Injection

Considering the severity of the unauthenticated issues and the possible scope of the second WordPress core vulnerability, we encourage you to do a thorough security check and update your plugins to the newest versions.

Learn why we launched the Monthly WordPress Vulnerability Report in the introductory post, which includes a video message from our Technical Director, Tomasz Lisiecki.

WordPress 3.9-5.1 - Cross-Site Scripting in Comments

Problem
Due to logic flaws and the way comments are stored and processed, an unauthenticated attacker could post a comment with a link to a malicious site. If an Admin visited that link, the attacker's script would execute in the background.
Is it safe?
Since this attack only requires comments to be enabled and no authentication, this vulnerability affects a huge number of WordPress websites.
Our recommendation
Update to WordPress 5.1.1 as soon as possible.

WordPress 3.7-4.9.8 & 5.0 - Code Execution

Problem
Unlike the first attack, this one requires authentication with at least Author privileges. After logging in, the user can upload an image file that will trigger malicious code and allow them to take over the entire site.
Is it safe?
The vulnerability is caused by a very old issue with WordPress core. On top of the authentication requirement, the issue only occurs when you have installed a plugin that handles entries incorrectly. This makes the attack fairly unlikely but also hard to track, as any plugin could be affected.
Our recommendation
The exploit is not possible in WordPress 4.9.9 and 5.0.1. We highly recommend updating to the newest WordPress build; however, if you use either of these two versions, you're secure from this specific loophole.

Abandoned Cart Lite for WooCommerce - SQL Injection

Problem
An unauthenticated user can manipulate the input fields during checkout to execute malicious scripts.
Is it safe?
Flawed processing of input data enables the visitor to manipulate the entries so that admins browsing saved carts will trigger the execution of malicious scripts.
Our recommendation
Update the plugin to the safe 2.2.3 version at the earliest convenience.
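
To apply the three recommendations above across several sites, the Python script below flags which of this report's advisories match a given WordPress core version and Abandoned Cart Lite version. It is an added example, not code from the original report or from WordPress; the function names and the sample inventory are hypothetical, and treating every plugin release below 2.2.3 as affected is an assumption (the report names only the safe version).

```python
import re


def parse(version):
    """'5.0' -> (5, 0, 0); pads to three parts so that 5.0 == 5.0.0."""
    match = re.match(r"\d+(?:\.\d+)*", version.strip())
    if not match:
        raise ValueError(f"not a version string: {version!r}")
    parts = [int(p) for p in match.group(0).split(".")[:3]]
    return tuple(parts + [0] * (3 - len(parts)))


def advisories(core_version, cart_plugin_version=None):
    """Return the advisories from this report that match the given versions."""
    core = parse(core_version)
    hits = []
    # Comment XSS: WordPress 3.9-5.1, fixed in 5.1.1.
    if parse("3.9") <= core <= parse("5.1"):
        hits.append("core-comment-xss: update to 5.1.1")
    # Code execution: 3.7-4.9.8 and 5.0; 4.9.9 and 5.0.1 are not exploitable.
    if parse("3.7") <= core <= parse("4.9.8") or core == parse("5.0"):
        hits.append("core-code-execution: update to at least 4.9.9 / 5.0.1")
    # Abandoned Cart Lite for WooCommerce: 2.2.3 is the safe version.
    # Assumption: every earlier release is affected.
    if cart_plugin_version is not None:
        if parse(cart_plugin_version) < parse("2.2.3"):
            hits.append("abandoned-cart-lite: update the plugin to 2.2.3")
    return hits


if __name__ == "__main__":
    # Constructed inventory: (site label, core version, plugin version or None).
    inventory = [
        ("shop.example", "5.0", "2.2.1"),
        ("blog.example", "4.9.9", None),
        ("news.example", "5.1.1", "2.2.3"),
    ]
    for site, core, plugin in inventory:
        found = advisories(core, plugin)
        print(site, "->", found or "no advisory from this report applies")
```

Note that a site on 4.9.9 or 5.0.1 is clear of the code execution issue but still falls inside the comment XSS range, which is why the two core checks are kept separate.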
