WordPress Vulnerability Report #9 – May 2019

We have tracked 79 plugins used across our clients' websites, as well as other popular WordPress extensions, to report on their vulnerabilities in May 2019. The 9th issue of the WordPress Vulnerability Report brings you several vulnerabilities in four plugins with over 290,000 installations combined.

Monthly WordPress Vulnerability Report
Article by Dawid Zimny
I am particularly interested in web analytics. Knowing the way your visitors browse your website will help you improve their browsing experience and is crucial for converting them into clients.

In this issue:

  • Ultimate Member 2.0.45 - XSS & File Leaks
  • WP Live Chat Support 8.0.26 - Unauthenticated XSS
  • All-in-One Event Calendar 2.5.38 & 2.5.9 and earlier - Cross-Site Scripting (XSS)
  • Custom Field Suite 2.5.14 - Authenticated XSS

The 9th issue is dominated by one of the most common vulnerabilities, cross-site scripting, caused by data sanitization issues and the absence of privilege checks.


Learn why we launched the WordPress Vulnerability Report in the video message from our Technical Director, Tomasz Lisiecki.

If you’re looking for more information please read our introductory article.

Ultimate Member 2.0.45 - XSS & File Leaks!

Problem
The plugin suffers from a number of vulnerabilities regarding user profiles, forms and file uploads.
Is it safe?
Due to the number of vulnerabilities and the gradual security fixes, only the latest version is secure.
Our recommendation
Update to version 2.0.49 as soon as possible.

WP Live Chat Support 8.0.26 - Unauthenticated XSS!

Problem
One of the functions used in the plugin doesn't use proper privilege settings when being executed.
Is it safe?
Since the issue affects well-known URLs used by the plugin, such as /wp-admin/admin-post.php, an unauthenticated attacker can forge a URL that will execute the function together with a malicious script.
Our recommendation
The issue was fixed in version 8.0.27; however, versions 8.0.28 to 8.0.32 added additional security measures, and we highly recommend updating to the newest version.
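The root cause described above is a handler reachable through admin-post.php without a privilege check. The following is an added example written for this report, not code from WP Live Chat Support or any other plugin covered here; the action name `vr_example_save_note`, the option `vr_example_note` and the function names are constructed. It shows how a handler behind admin-post.php is expected to authorize the caller, verify a nonce and sanitize input before acting.

```php
<?php
/*
 * Constructed example for this report. Not code from any plugin reviewed here.
 * Hypothetical names: action "vr_example_save_note", option "vr_example_note".
 *
 * admin-post.php dispatches each request to one of two hooks:
 *   admin_post_{action}        -> fires for logged-in users
 *   admin_post_nopriv_{action} -> fires for unauthenticated visitors
 * Registering a privileged callback on the nopriv hook, or registering it on
 * the logged-in hook without checking capabilities inside, is the pattern
 * that exposes a privileged function to anyone who can forge the URL.
 */

// Hardened handler: registered only for logged-in users, and it still checks
// capability and nonce itself, because a login session alone is not authorization.
add_action( 'admin_post_vr_example_save_note', 'vr_example_save_note' );

function vr_example_save_note() {
    // 1. Authorization: require a specific capability, not just a session.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die(
            esc_html__( 'You are not allowed to do this.', 'vr-example' ),
            '',
            array( 'response' => 403 )
        );
    }

    // 2. CSRF protection: the request must carry a nonce tied to this action.
    //    check_admin_referer() dies with a 403 if the nonce is missing or stale.
    check_admin_referer( 'vr_example_save_note', 'vr_example_nonce' );

    // 3. Input sanitization: never trust $_POST, even from an administrator.
    $note = isset( $_POST['note'] )
        ? sanitize_text_field( wp_unslash( $_POST['note'] ) )
        : '';
    update_option( 'vr_example_note', $note );

    // 4. Redirect to a fixed, local destination rather than a caller-supplied one.
    wp_safe_redirect( add_query_arg( 'vr_example_saved', '1', admin_url( 'options-general.php' ) ) );
    exit;
}

// The form that posts to admin-post.php; the nonce field must match the check above.
function vr_example_render_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="vr_example_save_note">
        <?php wp_nonce_field( 'vr_example_save_note', 'vr_example_nonce' ); ?>
        <label>
            Note
            <input type="text" name="note"
                   value="<?php echo esc_attr( get_option( 'vr_example_note', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}
```

When reviewing a plugin, the quick check is to search for every `admin_post_nopriv_` and `wp_ajax_nopriv_` hook and confirm the callback genuinely needs to be public; for the logged-in variants, confirm that a `current_user_can()` check and a nonce check sit at the top of the callback, since WordPress does not add either for you.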

All-in-One Event Calendar 2.5.38 & 2.5.9 and earlier - Cross-Site Scripting (XSS)!

Problem
Event data was sent and requested by the plugin without proper data sanitization.
Is it safe?
Traditionally with cross-site scripting attacks, unfiltered data can lead to malicious script execution on the visitor's end, exposing their information or jeopardising the site if executed on a privileged account.
Our recommendation
The issue was fixed in version 2.5.39. We recommend updating to at least that version and ideally to the newest, 2.5.41.

Custom Field Suite 2.5.14 - Authenticated XSS!

Problem
The plugin was using unsafe methods for various features of custom fields, such as browser autofill, treating text input as HTML.
Is it safe?
The plugin makes it possible to perform an XSS attack, but only for logged-in, privileged users (editors or admins).
Our recommendation
The issue was fixed in version 2.5.15. Shortly after, the developer added an additional security measure in version 2.5.16. Upgrade to at least version 2.5.15 at your earliest convenience.
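Both the All-in-One Event Calendar and the Custom Field Suite entries come down to the same defect: stored text reaches the page without being sanitized on the way in and escaped for its context on the way out, so a plain text value is rendered as HTML. The following is an added example written for this report, not code from either plugin; the meta key `_vr_example_field` and the function names are constructed. It shows the save side and the output side kept separate, with the escaping function chosen by where the value lands.

```php
<?php
/*
 * Constructed example for this report. Not code from Custom Field Suite,
 * All-in-One Event Calendar or any other plugin reviewed here.
 * Hypothetical names: meta key "_vr_example_field" and the two functions below.
 */

// Save side: sanitize according to what the field is allowed to contain.
// Sanitizing on input does not replace escaping on output; both are needed.
function vr_example_save_field( int $post_id, string $raw, bool $allow_html ) : void {
    $clean = $allow_html
        ? wp_kses_post( $raw )          // limited, post-safe HTML only
        : sanitize_text_field( $raw );   // plain text: strips tags and control characters
    update_post_meta( $post_id, '_vr_example_field', $clean );
}

// Output side: escape for the exact context the value is written into.
function vr_example_render_field( int $post_id, bool $allow_html ) : string {
    $value = (string) get_post_meta( $post_id, '_vr_example_field', true );

    // Attribute context, e.g. the value attribute of an input that the browser
    // will autofill. Writing the stored string here unescaped is exactly what
    // turns a text field into script execution.
    $input = sprintf(
        '<input type="text" name="vr_example_field" value="%s">',
        esc_attr( $value )
    );

    // Element content context. For the HTML-allowed variant the value is
    // re-filtered on output, because rows stored before a fix may still be unsafe.
    $display = $allow_html
        ? wp_kses_post( $value )
        : esc_html( $value );

    // Inline script context, e.g. handing event data to front-end code:
    // wp_json_encode() produces a JavaScript literal, not markup, so it must be
    // placed inside a <script> block and never concatenated into an attribute.
    $script = '<script>var vrExampleField = ' . wp_json_encode( $value ) . ';</script>';

    return $input . '<p class="vr-example-field">' . $display . '</p>' . $script;
}
```

The practical rule for a code review is that every echo of stored or request data should pass through the escaping function matching its context (`esc_html()`, `esc_attr()`, `esc_url()`, `wp_kses_post()` or `wp_json_encode()`); an unescaped echo in a template is the finding, regardless of how carefully the value was sanitized when it was saved.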
