Only two plugins used on our clients’ websites needed security patches in October. However, a security release was required to fix several issues in WordPress core and multiple plugins were affected by an HTML injection vulnerability in WordPress emails.
Article by Dawid Zimny
I am particularly interested in web analytics. Knowing the way your visitors browse your website will help you improve their browsing experience and is crucial for converting them into clients.
In this issue:
WordPress 5.2.3 - Various Vulnerabilities
Fast Velocity Minify 2.7.6 - Full Path Disclosure
Popup-Maker 1.8.12 - Access Control Issues & Cross-site Request Forgery
Email Templates, WP HTML Mail, WP Email Template - HTML Injection
Our goal is to make the Web secure and transparent for everyone. If you have questions regarding our report, don’t hesitate to contact us.
We also offer professional security monitoring – including plugin monitoring, offsite backups, and much more. Learn more about our WordPress security and maintenance services and subscribe to our newsletter for monthly updates on WordPress vulnerabilities.
Secure business website – WordPress core and plugin vulnerabilities
Learn why we launched the WordPress Vulnerability Report in the video message from our Technical Director, Tomasz Lisiecki.
WordPress 5.2.4 was a security release that patched multiple problems with the platform. As updates to the WordPress core are extremely important, especially the security ones, we include a general entry rather than describing every single issue.
Is it safe?
The issues were fixed in security updates to WordPress 5.2, 5.1 and even the older release branches going back to version 3.7.
Update to the newest version of your WordPress release as soon as possible.
Fast Velocity Minify 2.7.6 - Full Path Disclosure!
The plugin is used to optimise your website's performance. To do that it has to access your files, and versions up to 2.7.6 don't use a secure authentication method when the plugin retrieves cached information about those files. Instead of checking the account's privileges, it is enough to send the request from an admin-level page.
Is it safe?
Anyone with access to the dashboard (subscriber role or higher) can forge a request and obtain the full filesystem path of your website. This isn't a high-impact vulnerability on its own, but it can fuel larger attacks and help an attacker find bigger vulnerabilities in the structure of your site.
Upgrade the plugin to the secure version 2.7.7 at your earliest convenience.
Popup-Maker 1.8.12 - Access Control Issues & Cross-site Request Forgery!
Popup-Maker lacks access validation in two of the plugin's functions. This allows unauthenticated attackers to read website information, such as the server or PHP configuration. In another function, insufficient validation of HTTP requests makes it possible for an attacker to direct some of your traffic to websites where they can perform arbitrary actions on behalf of the victims.
Is it safe?
These validation issues pose a low to moderate danger to your site and your visitors. They can be exploited remotely and, in the case of the access control issue, don't require authentication.
Update to at least version 1.8.13, where these issues got patched.
Email Templates, WP HTML Mail, WP Email Template - HTML Injection!
These plugins breathe new life into the unpleasant plain-text emails sent by WordPress. They are used on over 35,000 websites, and in them, as in other similar plugins, an HTML injection vulnerability can lead to a number of other attacks.
Is it safe?
Plain-text emails don't require any sort of sanitisation by WordPress, as the format can't be exploited. The emails sent by these plugins are HTML rather than raw text, which means that a visitor can, for example, include in a comment a malicious URL that appears to the admin with a different, "safe" anchor text. This can lead to phishing attacks and malicious script execution.
Update to the latest version of any plugin that changes your emails from raw text to formatted HTML.
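To show what the injection above boils down to, here is an added example (our own illustration, not code from any of the plugins named in this report). It wraps a constructed comment in an HTML mail body the unsafe way and the escaped way, then runs a simple defender-side check for anchors whose visible text names a different host than their href; the function names, the comment text and the hostnames are all made up for the example.

```php
<?php
// Constructed comment: the visible link text names your site, the href
// points elsewhere (the mismatch the report describes).
$comment = 'Great post! See <a href="https://attacker.example/login">'
         . 'https://your-site.example/wp-admin</a> for details.';

// Vulnerable pattern: the plain-text notification is dropped into an HTML
// template unescaped, so the comment's markup becomes a clickable link in
// the admin's mail client.
function build_html_mail_vulnerable(string $comment): string {
    return '<html><body><p>New comment:</p><p>' . nl2br($comment) . '</p></body></html>';
}

// Hardened pattern: treat the comment as data. htmlspecialchars() turns the
// angle brackets into entities, so the markup is displayed as text and no
// link is created. In a WordPress plugin the core helper esc_html() does
// the same job.
function build_html_mail_hardened(string $comment): string {
    $safe = htmlspecialchars($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<html><body><p>New comment:</p><p>' . nl2br($safe) . '</p></body></html>';
}

// Check for an already generated body: report anchors whose visible text is
// a URL on a different host than the href. Returns a list of [href, text].
function find_mismatched_links(string $html): array {
    $found = [];
    if (preg_match_all('#<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>#is', $html, $m, PREG_SET_ORDER)) {
        foreach ($m as $a) {
            $hrefHost = parse_url($a[1], PHP_URL_HOST);
            $text     = trim(strip_tags($a[2]));
            $textHost = parse_url($text, PHP_URL_HOST);
            if (is_string($textHost) && $hrefHost !== $textHost) {
                $found[] = ['href' => $a[1], 'text' => $text];
            }
        }
    }
    return $found;
}

$vulnerable = build_html_mail_vulnerable($comment);
$hardened   = build_html_mail_hardened($comment);
echo "Vulnerable body:\n$vulnerable\n\n";
echo "Hardened body:\n$hardened\n\n";
echo 'Mismatched links in vulnerable body: ', count(find_mismatched_links($vulnerable)), "\n"; // 1
echo 'Mismatched links in hardened body:   ', count(find_mismatched_links($hardened)), "\n";   // 0
```

Run with `php example.php`; the hardened body prints the comment's markup as literal text, and the link check finds a mismatch only in the vulnerable body.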