
WordPress Vulnerability Report #9 – May 2019


31st May 2019

We have tracked 79 plugins used across our clients’ websites, as well as other popular WordPress extensions, to report on their vulnerabilities in May 2019. The 9th issue of the WordPress Vulnerability Report brings you several vulnerabilities in four plugins with over 290,000 installations combined.

The 9th issue is dominated by one of the most common vulnerabilities, cross-site scripting, caused by data sanitization issues and the absence of privilege checks.

Learn why we launched the WordPress Vulnerability Report in the video message from our Technical Director, Tomasz Lisiecki.

If you’re looking for more information please read our introductory article.

ULTIMATE MEMBER 2.0.45 – XSS & FILE LEAKS

Problem
The plugin suffers from a number of vulnerabilities regarding user profiles, forms and file uploads.

Is it safe?
Due to the number of vulnerabilities and gradual security fixes, only the latest version is secure.

Our recommendation
Update to version 2.0.49 as soon as possible.

Level of warning
High

WP LIVE CHAT SUPPORT 8.0.26 – UNAUTHENTICATED XSS

Problem
One of the functions used in the plugin doesn’t use proper privilege settings when being executed.

Is it safe?
Since the issue affects well-known URLs used by the plugin, such as /wp-admin/admin-post.php, an unauthenticated attacker can forge a URL that will execute the function together with a malicious script.

Our recommendation
The issue was fixed in version 8.0.27; however, versions 8.0.28 to 8.0.32 added further security measures, and we highly recommend updating to the newest version.

Level of warning
High
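To make the failure mode concrete, here is an added PHP illustration, not code from WP Live Chat Support or any other plugin in this report, of an admin-post.php handler written the weak way beside its hardened form. The vr_ prefix, function names, capability and nonce names are assumptions.

```php
<?php
// Added illustration; the "vr_" prefix and all names below are assumed.

// WEAK PATTERN (for contrast): a handler registered for logged-out
// visitors via admin_post_nopriv_* that echoes a request parameter
// without any privilege check or escaping. Any visitor can reach it via
// /wp-admin/admin-post.php?action=vr_weak_search&q=...
add_action( 'admin_post_nopriv_vr_weak_search', 'vr_weak_search' );
function vr_weak_search() {
    echo 'Results for: ' . $_GET['q']; // no privilege check, no escaping
    exit;
}

// HARDENED PATTERN: same feature, registered only for logged-in users,
// gated by a capability check and a nonce, with input sanitised on the
// way in and output escaped on the way out.
add_action( 'admin_post_vr_safe_search', 'vr_safe_search' );
function vr_safe_search() {
    // 1. Privilege check: refuse unless the user may manage settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'vr' ), 403 );
    }

    // 2. Nonce check: a link forged by an outsider cannot carry a valid
    //    nonce for this user and action, so the request is rejected.
    check_admin_referer( 'vr_search_action', 'vr_nonce' );

    // 3. Sanitise input: strip tags, control characters and slashes.
    $query = isset( $_GET['q'] )
        ? sanitize_text_field( wp_unslash( $_GET['q'] ) )
        : '';

    // 4. Escape on output, for the context where the value lands (HTML).
    echo '<p>Results for: ' . esc_html( $query ) . '</p>';
    exit;
}

// Building the link: the nonce is generated server-side for the current
// user, which is what makes the hardened handler's check meaningful.
function vr_search_link( $query ) {
    $url = add_query_arg(
        array( 'action' => 'vr_safe_search', 'q' => $query ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'vr_search_action', 'vr_nonce' );
}
```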

ALL-IN-ONE EVENT CALENDAR 2.5.38 & 2.5.9 AND EARLIER – CROSS-SITE SCRIPTING (XSS)

Problem
Event data was sent and requested by the plugin without proper data sanitization.

Is it safe?
As is typical of cross-site scripting attacks, unfiltered data can lead to malicious script execution in the visitor’s browser, exposing their information or jeopardising the site if the script runs under a privileged account.

Our recommendation
The issue was fixed in version 2.5.39. We recommend updating to at least that version and ideally to the newest, 2.5.41.

Level of warning
Moderate

CUSTOM FIELD SUITE 2.5.14 – AUTHENTICATED XSS

Problem
The plugin was using unsafe methods for various features of custom fields, such as browser autofill, treating text input as HTML.

Is it safe?
The plugin makes it possible to perform an XSS attack, but only for logged-in, privileged users (editors or admins).

Our recommendation
The issue was fixed in version 2.5.15. Shortly after the developer added an additional security measure in version 2.5.16. Upgrade to at least version 2.5.15 at your earliest convenience.

Level of warning
Low

Here’s What You Should Do Next

If you’d like us to work on your website to increase your profits, please get in touch, no matter where you are in the world.


If you are a little unsure whether we are a good fit for each other, head over to this page to learn about our typical clients.
