
Monthly WordPress Vulnerability Report #2: Cross-Site-Scripting


1st November 2018

The second issue of our Monthly WordPress Vulnerability Report brings you up to date with the security of plugins in October. Last month was a rather safe one for the plugins our clients use, with only one reported as unsafe. As a result, we have included vulnerabilities in 3 additional, popular plugins.

Cross-site scripting (an attack that executes a malicious script in the visitor’s browser without their knowledge) was the flavour of the month. Since some of these attacks are easy to perform, we recommend checking whether any of the affected plugins are installed on your site.

If you want to know why we launched the Monthly WordPress Vulnerability Report, check out the introductory post, which includes a message from our Technical Director, Tomasz Lisiecki, in the form of a short video.

WooCommerce

Problem
Users with the Shop Manager role could exceed their intended capabilities, including the ability to add PHP scripts when adding attributes to a product.

Is it safe?
The attack first requires an account with the Shop Manager role, but once an attacker holds an account with those privileges it offers an easy way to execute malicious scripts.

Our recommendation
We recommend updating to version 3.4.6. Not only does it fix the issue, it also limits the Shop Manager’s ability to edit user roles: previously Shop Managers could edit all roles except the admin role; now, by default, they can edit only the Customer role, and additional roles can be granted manually if required.

Level of warning
Moderate

PDF & Print

Problem
The “View PDF” and “Print Content” buttons requested the site’s URL with parameters that weren’t encoded. This would allow an attacker to include a script that runs when one of these buttons is clicked.

Is it safe?
To carry out a cross-site-scripting attack of this kind, the attacker would need to compromise the website and alter its code to include a malicious script. The visitor’s browser would not recognise the script as dangerous and would execute it, potentially leading to keylogging, phishing or even identity theft.

Our recommendation
The vulnerability was fixed in version 2.0.3; we recommend updating earlier versions of the plugin.

Level of warning
Moderate

Pie Register

Problem
The “forgotten password” feature wasn’t secure: a script appended to the end of the “/forgot-password/” URL would be executed, making cross-site-scripting attacks possible.

Is it safe?
In contrast to the PDF & Print issue, this attack could also be carried out simply by tricking the user into clicking a hyperlink containing the malicious script (for example from a site imitating yours).

Our recommendation
The issue is fixed in version 3.0.18 – we highly recommend updating the plugin.

Level of warning
High
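The two reflected cross-site-scripting issues above (PDF & Print and Pie Register) share a root cause: text taken from the request is copied into a URL or into the page without the encoding that context requires. The following plain-PHP script is an added example written for this post, not code from either plugin; the function and parameter names are assumptions. It builds a button link the unsafe way and the encoded way from the same constructed input, so the difference can be seen by running it with the php CLI.

```php
<?php
// Added example (not from the PDF & Print or Pie Register plugins).
// Shows the two encodings a reflected value needs: percent-encoding when it
// goes into a query string, and HTML escaping when the URL or text lands in
// the page. All function names below are assumptions made for this example.
declare(strict_types=1);

// Escape text for an HTML text node or a double-quoted attribute value.
function escape_html(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Vulnerable shape: parameters concatenated into the URL as-is.
function build_button_url_unsafe(string $base, array $params): string
{
    $pairs = [];
    foreach ($params as $key => $value) {
        $pairs[] = $key . '=' . $value;
    }
    return $base . '?' . implode('&', $pairs);
}

// Hardened shape: every key and value percent-encoded (http_build_query does
// the same; it is spelled out here so the encoding step is visible).
function build_button_url(string $base, array $params): string
{
    $pairs = [];
    foreach ($params as $key => $value) {
        $pairs[] = rawurlencode((string) $key) . '=' . rawurlencode((string) $value);
    }
    return $base . '?' . implode('&', $pairs);
}

// The URL is escaped again when written into the href attribute; encoding
// for the query string does not protect the attribute context by itself.
function render_button(string $label, string $url): string
{
    return '<a class="print-button" href="' . escape_html($url) . '">'
         . escape_html($label) . '</a>';
}

// Constructed sample input: a title parameter carrying attribute-breaking
// markup of the sort a forgot-password or print link would reflect.
$hostile = '"><script>/* constructed */</script>';
$params  = ['post' => '42', 'title' => $hostile];

$unsafe = build_button_url_unsafe('https://example.test/print', $params);
$safe   = build_button_url('https://example.test/print', $params);

echo "unsafe: <a href=\"{$unsafe}\">Print</a>\n";   // quote and <script> survive
echo "safe:   " . render_button('Print', $safe) . "\n";

// Self-check: none of the raw input reaches the hardened output.
$leaked = strpos(render_button('Print', $safe), $hostile) !== false;
echo $leaked ? "FAIL: input reflected unencoded\n" : "OK: input neutralised\n";
```

The point of the second function is that each context gets its own encoding: `rawurlencode()` for the query string, then `htmlspecialchars()` for the attribute the URL is written into. Applying only one of the two is the pattern that leaves a button or a forgot-password link exploitable.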

Wordfence – cross-site scripting

Problem
The PHP files for the 403 and 503 error pages were directly accessible and some of their variables were uninitialised, allowing an attacker to initialise those variables through parameters appended to the URL. The variables could be set to scripts that would then be executed when the error page was loaded.

Is it safe?
The vulnerability required an old version of PHP (5.4 or earlier) with the “register_globals” setting manually changed to “on” (“off” is the default). This is a very specific and rare configuration, so there is a good chance your site is not affected.

Our recommendation
Fixed in version 7.1.14, which at the same time fixed the next vulnerability. Updating the plugin is recommended.

Level of warning
Low
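To make the register_globals issue concrete, here is an added plain-PHP example written for this post (not Wordfence’s code; function and variable names are assumptions). register_globals is not available on current PHP releases, so `extract()` on the request array is used to emulate it; the two renderers differ only in whether the variable is initialised and whether request text is read explicitly and escaped. The helper at the end is the configuration check a practitioner would want to run on a legacy host.

```php
<?php
// Added example, not Wordfence code. Emulates register_globals=on with
// extract() so the uninitialised-variable bug and its fix can be run on a
// current PHP. Function and variable names are assumptions for this example.
declare(strict_types=1);

// Vulnerable shape: $reason is only assigned on one branch. With
// register_globals (here: extract), a request parameter named "reason" fills
// the gap on the other branch and is echoed unescaped.
function render_error_unsafe(int $code, array $request): string
{
    extract($request, EXTR_SKIP);            // emulates register_globals=on
    if ($code === 503) {
        $reason = 'Service temporarily unavailable';
    }
    // On the 403 path $reason was never set by this code.
    return "<h1>Error {$code}</h1><p>" . ($reason ?? '') . "</p>\n";
}

// Hardened shape: every variable is initialised before use, request data is
// read by explicit key, and anything echoed is HTML-escaped.
function render_error(int $code, array $request): string
{
    $reason = 'Request failed';
    if ($code === 403) {
        $reason = 'Access denied';
    } elseif ($code === 503) {
        $reason = 'Service temporarily unavailable';
    }
    $detail = isset($request['detail']) ? (string) $request['detail'] : '';

    $html = "<h1>Error {$code}</h1><p>"
          . htmlspecialchars($reason, ENT_QUOTES, 'UTF-8') . '</p>';
    if ($detail !== '') {
        $html .= '<p>' . htmlspecialchars($detail, ENT_QUOTES, 'UTF-8') . '</p>';
    }
    return $html . "\n";
}

// Configuration check: on PHP builds that still know the directive, true
// means the affected configuration is present; on current PHP ini_get()
// returns false because the directive no longer exists.
function register_globals_enabled(): bool
{
    return filter_var(ini_get('register_globals'), FILTER_VALIDATE_BOOLEAN);
}

// Constructed sample request: what a query string ?reason=...&detail=...
// would become once parsed.
$request = [
    'reason' => '<script>/* constructed */</script>',
    'detail' => '<b>x</b>',
];

echo render_error_unsafe(403, $request);   // script text is echoed verbatim
echo render_error(403, $request);          // both values appear escaped
echo 'register_globals enabled: ' . (register_globals_enabled() ? 'yes' : 'no') . "\n";
```

Run it with the php CLI: the first line of output carries the injected text unchanged, the second shows it escaped, and the last line reports whether the interpreter in use still honours the directive at all.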

Wordfence – username disclosure

Problem
Appending a specific query to the URL disclosed the username of the author of the most recent post on your site.

Is it safe?
Knowing the username would allow an attacker to brute-force that user’s password. The danger of such an attack depends on the strength of the password and the privileges of the user.

Our recommendation
Fixed in version 7.1.14, along with the previous problem. Update recommended.

Level of warning
Low
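Since the risk described above is a password brute-force against a known username, the defensive counterpart is noticing the attempts. The following plain-PHP script is an added example written for this post, not Wordfence’s code: it reads web-server access-log lines (a constructed sample is embedded) and flags client addresses that produce a burst of failed login POSTs. The failure heuristic, threshold and window are assumptions stated in the comments.

```php
<?php
// Added example, not Wordfence code: spot bursts of failed logins per client
// IP in web-server access logs. Heuristic (assumption): a POST to
// /wp-login.php answered with 200 re-rendered the form, i.e. the login
// failed, whereas a successful login redirects with 302. Threshold and
// window are illustrative policy values.
declare(strict_types=1);

const FAIL_THRESHOLD = 5;
const WINDOW_SECONDS = 300;

// Parse a combined-log-format line into the fields the detector needs.
function parse_access_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    $ts = DateTimeImmutable::createFromFormat('d/M/Y:H:i:s O', $m[2]);
    if ($ts === false) {
        return null;
    }
    return [
        'ip'     => $m[1],
        'time'   => $ts->getTimestamp(),
        'method' => $m[3],
        'path'   => explode('?', $m[4], 2)[0],   // drop any query string
        'status' => (int) $m[5],
    ];
}

// Return [ip => most failures seen in any WINDOW_SECONDS span] for addresses
// that reached FAIL_THRESHOLD, using a sliding window over sorted timestamps.
function find_login_bursts(array $lines): array
{
    $failures = [];
    foreach ($lines as $line) {
        $e = parse_access_line($line);
        if ($e === null || $e['method'] !== 'POST'
            || $e['path'] !== '/wp-login.php' || $e['status'] !== 200) {
            continue;
        }
        $failures[$e['ip']][] = $e['time'];
    }

    $flagged = [];
    foreach ($failures as $ip => $times) {
        sort($times);
        $start = 0;
        $peak  = 0;
        foreach ($times as $i => $t) {
            while ($t - $times[$start] > WINDOW_SECONDS) {
                $start++;
            }
            $peak = max($peak, $i - $start + 1);
        }
        if ($peak >= FAIL_THRESHOLD) {
            $flagged[$ip] = $peak;
        }
    }
    return $flagged;
}

// Constructed sample log: six failures from one address inside two minutes,
// one failure followed by a successful login from another.
$sample = [
    '203.0.113.7 - - [01/Nov/2018:10:00:01 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '203.0.113.7 - - [01/Nov/2018:10:00:14 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '203.0.113.7 - - [01/Nov/2018:10:00:29 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '198.51.100.5 - - [01/Nov/2018:10:00:40 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '203.0.113.7 - - [01/Nov/2018:10:00:51 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '203.0.113.7 - - [01/Nov/2018:10:01:12 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
    '198.51.100.5 - - [01/Nov/2018:10:01:30 +0000] "POST /wp-login.php HTTP/1.1" 302 0',
    '203.0.113.7 - - [01/Nov/2018:10:01:45 +0000] "POST /wp-login.php HTTP/1.1" 200 3120',
];

foreach (find_login_bursts($sample) as $ip => $count) {
    echo "{$ip}: {$count} failed logins within " . WINDOW_SECONDS . "s\n";
}
```

The sliding window matters more than the raw count: a user who mistypes a password a few times over a day should not trip the same rule as an address that fails every ten seconds. Pair the output with the account lockout or rate limiting your security plugin provides, and with the password-strength point made above.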
