Monthly WordPress Vulnerability Report #2: Cross-Site-Scripting

The second issue of our Monthly WordPress Vulnerability Report brings you up-to-date with the security of plugins in October. Last month was a rather safe one for the plugins our clients use, with only one reported as not safe. As a result, we included vulnerabilities of 3 additional, popular plugins.

Monthly WordPress Vulnerability Report
Article by Dawid Zimny
I am particularly interested in web analytics. Knowing the way your visitors browse your website will help you improve their browsing experience and is crucial for converting them into clients.

In this issue:

  • WooCommerce
  • PDF & Print
  • Pie Register
  • Wordfence - cross-site-scripting
  • Wordfence - username disclosure

Cross-site-scripting (an attack that executes a malicious script without the user’s knowledge) was the flavour of the month and with some of the attacks being easy to perform, we recommend checking which plugins are affected.

If you want to know why we launched the Monthly WordPress Vulnerability Report, check out the introductory post including a message from our Technical Director, Tomasz Lisiecki, in the form of a short video.

WooCommerce!

Problem
Users with the Shop Manager role could exceed their capabilities, including a possibility to add PHP scripts when adding attributes to a product.
Is it safe?
The attack requires obtaining an account with the Shop Manager role first but presents an easy way to execute malicious scripts once the attacker gets access to an account with adequate privileges.
Our recommendation
We recommend updating to version 3.4.6. Not only does it fix the issue, it also limits the Shop Manager's ability to edit user roles. Previously they could edit all roles except the admin role, now the default is that they can only edit Customer role and can be changed manually to add additional roles if required.

PDF & Print!

Problem
The “View PDF” and “Print Content” buttons were requesting the site’s URL with parameters that weren’t encoded. This would allow an attacker to include a script executed because of clicking one of the said buttons.
Is it safe?
To execute a cross-site-scripting attack like that, the attacker would need to compromise the website and alter its code, including a malicious script. The visitor's browser wouldn’t see the script as dangerous, executing it and potentially leading to attacks like keylogging, phishing or even identity theft.
Our recommendation
The vulnerability got fixed in version 2.0.3 and we recommend updating earlier versions of the plugin.

Pie Register!

Problem
The "forgotten password" feature wasn't secure and allowed execution of a script appended at the end of "/forgot-password/" URL, effectively making cross-site-scripting attacks possible.
Is it safe?
Compared to PDF & Print, this attack could also be executed by simply tricking the user into clicking a hyperlink with the malicious script (for example by launching a site imitating yours).
Our recommendation
The issue is fixed in version 3.0.18 - we highly recommend updating the plugin.

Wordfence - cross-site-scripting!

Problem
PHP files of 403 & 503 error pages were directly accessible and some of the variables were uninitialised, allowing the attacker to append a URL with initialisation of these variables. These variables could be set as scripts that would get executed when landing on the error page.
Is it safe?
The vulnerability required an old version of PHP (5.4 or earlier) and manually changing the "register_globals" parameter to "on" ("off" is the default). It's a very specific and rare configuration so there's a good chance your site won't be affected by the vulernability.
Our recommendation
Fixed in version 7.1.14, which at the same fixed the next vulnerability. Updating the plugin is recommended.

Wordfence - username disclosure!

Problem
Executing a specific query at the end of the URL disclosed a username of the author of the last post on your site.
Is it safe?
Knowing the username would enable the attacker to execute a brute-force attack on the password of that user. The danger of such an attack would vary depending on the password strength and privileges of the user.
Our recommendation
Fixed in version 7.1.14, along with the previous problem. Update recommended.

Got Something To Share?

Your email address will not be published. Required fields are marked *