WordPress Vulnerability Report #14 – October 2019

Only two plugins used on our clients’ websites needed security patches in October. However, a security release was required to fix several issues in WordPress core, and multiple plugins were affected by an HTML injection vulnerability in WordPress emails.

Monthly WordPress Vulnerability Report
Article by Dawid Zimny

In this issue:

  • WordPress 5.2.3 - Various Vulnerabilities
  • Fast Velocity Minify 2.7.6 - Full Path Disclosure
  • Popup-Maker 1.8.12 - Access Control Issues & Cross-site Request Forgery
  • Email Templates, WP HTML Mail, WP Email Template - HTML Injection

Our goal is to make the Web secure and transparent for everyone. If you have questions regarding our report, don’t hesitate to contact us.

We also offer professional security monitoring – including plugin monitoring, offsite backups, and much more. Learn more about our WordPress security and maintenance services and subscribe to our newsletter for monthly updates on WordPress vulnerabilities.



Learn why we launched the WordPress Vulnerability Report in the video message from our Technical Director, Tomasz Lisiecki.

If you’re looking for more information please read our introductory article.

WordPress 5.2.3 - Various Vulnerabilities

Problem
WordPress 5.2.4 was a security release that patched up multiple problems with the platform. As updates to the WordPress core are extremely important, especially the security ones, we included a general entry rather than describing every little issue.
Is it safe?
The issues were fixed in security updates to WordPress 5.2, 5.1 and even the older releases since version 3.7.
Our recommendation
Update to the newest version of your WordPress release as soon as possible.

Fast Velocity Minify 2.7.6 - Full Path Disclosure

Problem
The plugin is used to optimise your website's performance. It has to access your files to do that, and versions up to 2.7.6 don't use a secure authentication method when the plugin is retrieving cached information about files. Instead of checking account privileges, the plugin only requires that the query is sent from an admin-level page.
Is it safe?
Anyone who has access to the dashboard (subscriber role or higher) can forge a request and access the full path of your website. This isn’t a high-impact vulnerability on its own, but it can fuel larger attacks and help an attacker find bigger vulnerabilities in the structure of your site.
Our recommendation
Upgrade the plugin to the secure version 2.7.7 at your earliest convenience.

Popup-Maker 1.8.12 - Access Control Issues & Cross-site Request Forgery

Problem
Popup-Maker lacks access validation in two of the plugin’s functions. This allows unauthenticated attackers to read website info, such as the server or PHP configuration. In another function, insufficient validation of HTTP requests makes it possible for an attacker to direct some of your traffic to websites where they can perform arbitrary actions on behalf of the victims.
Is it safe?
These validation issues pose low to moderate danger for your site and your visitors. They can be exploited remotely and, in the case of Access Control, don't require authentication.
Our recommendation
Update to at least version 1.8.13, where these issues got patched.

Email Templates, WP HTML Mail, WP Email Template - HTML Injection

Problem
These plugins breathe new life into the unpleasant plain text emails sent by WordPress. They are used on over 35,000 websites, and in these and other similar plugins an HTML injection vulnerability can lead to a number of other attacks.
Is it safe?
Plain text emails don't require any sort of sanitisation for WordPress, as the format can't be exploited. The emails sent by these plugins are HTML rather than raw text, which means a visitor can, for example, include a malicious URL in a comment that will appear to the admin with a different, "safe" anchor text. This can lead to phishing attacks and malicious script execution.
Our recommendation
Update to the latest version of any plugin that changes your emails from raw text to formatted HTML.
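
The difference between pasting notification text into an HTML email template and escaping it first, as an added example (not code from any of the plugins named above). The wrapper functions, the sample comment and the host names are constructed for illustration; inside WordPress, esc_html() is the usual escaping call.

```php
<?php
// Added example: models an HTML email template wrapped around a plain-text
// WordPress notification. All names and sample data below are constructed.

// Constructed notification text containing a visitor-supplied comment.
$notification = "New comment on \"Hello world\"\nAuthor: visitor\nComment:\n"
    . 'Please check <a href="https://attacker.example/login">https://yoursite.example/wp-admin/</a>';

// Before the fix: plain text is pasted into the HTML body unchanged.
function wrap_unescaped(string $text): string
{
    return '<html><body><div class="mail">' . nl2br($text) . '</div></body></html>';
}

// After the fix: escape first, so markup in the comment is shown as text.
function wrap_escaped(string $text): string
{
    $safe = htmlspecialchars($text, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<html><body><div class="mail">' . nl2br($safe) . '</div></body></html>';
}

// Lists links a mail client would render whose visible text names one host
// while the href points at another.
function mismatched_links(string $html): array
{
    libxml_use_internal_errors(true);   // tolerate imperfect email HTML
    $doc = new DOMDocument();
    $doc->loadHTML($html);
    $found = [];
    foreach ($doc->getElementsByTagName('a') as $a) {
        $shown  = parse_url(trim($a->textContent), PHP_URL_HOST);
        $target = parse_url($a->getAttribute('href'), PHP_URL_HOST);
        if ($shown && $target && strcasecmp($shown, $target) !== 0) {
            $found[] = ['shown' => $shown, 'target' => $target];
        }
    }
    return $found;
}

// Compare what a mail client would render for each wrapper.
foreach (['unescaped' => wrap_unescaped($notification), 'escaped' => wrap_escaped($notification)] as $label => $html) {
    printf("%s: %d mismatched link(s)\n", $label, count(mismatched_links($html)));
}
```

The same mismatch check can be run over the HTML body of a stored notification email to see whether a template is passing comment markup through.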
