Monthly WordPress Vulnerability Report #1: Privilege Escalation

The first day of October marks the debut of our "Monthly WordPress Vulnerability Report". In the first issue, we're covering the most recent security vulnerabilities in WordPress and in the plugins used by us and our clients. For our inaugural report, we include not only the updates from the past month but also some of the most important ones from the end of August.

Article by Dawid Zimny

In this issue:

  • Contact Form 7
  • Gravity Forms: Multiple Form Instances
  • Breadcrumb NavXT
  • WooCommerce
  • NinjaForms - Cross-Site Scripting
  • NinjaForms - CSV Injection
  • Export Users to CSV

Our report provides an easy-to-understand explanation of the issue, information on whether the developer fixed the plugin and our recommendation on what to do next.

You can learn more in our introduction post.

Contact Form 7!

Problem
A capability check bug granted the Contributor role more than it should have: a logged-in user with the Contributor role could edit contact forms. By default the plugin reserves that permission for users with the Administrator and Editor roles. Editing a form matters because whoever controls a form controls where its submissions are mailed and which files are attached to those mails.
Is it safe?
Fixed in version 5.0.4, released September 4th, 2018.
Our recommendation
Update to 5.0.4 or later. The plugin now checks the Contributor role's capabilities correctly. The same release also hardened the feature that lets you attach files to the e-mails sent to your visitors: attachment paths may now only point to files inside your site's wp-content directory. As a result, an attacker who gains control of a form can no longer attach arbitrary files from elsewhere on the server to the e-mails you send to your visitors.
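As an added illustration of the path restriction described above (this is not Contact Form 7's code; it is a stand-alone Python sketch of the same rule, and the wp-content location and the file names it tests are assumptions), the following shows how to decide whether a requested attachment path really lies inside wp-content, including the traversal, absolute-path and prefix-collision cases that a naive string check gets wrong:

```python
import os
from typing import Optional

# Assumed location of the site's wp-content directory; a real plugin would use
# WordPress's WP_CONTENT_DIR constant instead of a hard-coded path.
WP_CONTENT_DIR = "/var/www/html/wp-content"


def resolve_attachment_path(requested: str, base_dir: str = WP_CONTENT_DIR) -> Optional[str]:
    """Return the absolute path of a requested attachment if it lies inside
    base_dir, or None if it must be refused.

    Same rule as the Contact Form 7 5.0.4 fix described above: a mail template
    may name a file to attach, but only files under wp-content are allowed.
    Written here as an illustration, not taken from the plugin.
    """
    base = os.path.realpath(base_dir)

    # Relative names are taken relative to wp-content. An absolute name makes
    # os.path.join discard the base, so "/etc/passwd" stays "/etc/passwd" and
    # is rejected by the containment test below instead of being accepted.
    candidate = os.path.realpath(os.path.join(base, requested))

    # realpath has already collapsed "..", "." and symlinks, so a symlink under
    # uploads/ that points outside the tree is caught too. commonpath, rather
    # than str.startswith, avoids the prefix bug where "/wp-content-evil/x"
    # would pass a check against "/wp-content".
    if os.path.commonpath([base, candidate]) != base:
        return None

    # The directory itself (an empty or "." request) is not an attachment.
    if candidate == base:
        return None

    # A real implementation would now also verify os.path.isfile(candidate)
    # and that the web server user may read it; omitted so this runs offline.
    return candidate


if __name__ == "__main__":
    # Constructed requests a mail template might contain.
    for name in ("uploads/2018/09/report.pdf", "../wp-config.php",
                 "/etc/passwd", "../wp-content-evil/report.pdf", ""):
        verdict = resolve_attachment_path(name)
        print(f"{name!r:40} -> {verdict or 'REFUSED'}")
```

The order of operations is the point: normalise first (realpath), then compare against the normalised base with commonpath, and only then touch the filesystem. Comparing before normalising, or comparing with a plain prefix test, is how "../" and sibling directories with a shared prefix slip through.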

Gravity Forms: Multiple Form Instances!

Problem
The plugin has not been updated in two years and is marked as tested only up to WordPress 4.5.13; more than three major WordPress releases have shipped since then without the plugin being tested against any of them.
Is it safe?
Nobody is checking: an unmaintained plugin receives no security fixes, and it is unlikely to keep working correctly with a current WordPress release.
Our recommendation
We strongly recommend removing this plugin and replacing it with a maintained alternative.

Breadcrumb NavXT!

Problem
Breadcrumb NavXT's REST API responses exposed WordPress usernames, and the endpoint that revealed them could be called without authentication, so anyone could pull a list of valid accounts from the site. Such a list removes the guesswork from the username half of a password brute-force attack against the login page.
Is it safe?
Fixed in version 6.2.0, released September 24th, 2018.
Our recommendation
The vulnerability is fixed in the newest version of the plugin, so update. If your site does not need the plugin's REST API at all, you can also switch it off by defining the constant BCN_DISABLE_REST_API as true in your site's wp-config.php file, which removes the exposed endpoint entirely instead of relying on the fix alone.

WooCommerce!

Problem
WooCommerce 3.4.4 and earlier contain a PHP object injection flaw in one of the plugin's functions. On its own the bug does not make an attack more likely, because triggering it requires the capability to edit product attributes, which ordinary customers do not have. What it changes is the impact: an attacker who has already obtained such an account could turn that limited privilege into a much more serious compromise.
Is it safe?
WooCommerce 3.4.5, released August 29th, 2018, is a security release with the fix.
Our recommendation
Even though the issue does not make an attack more likely and the attacker would first need access to a privileged account, update the plugin as soon as possible: object injection is exactly the kind of bug that turns a limited privilege into a much bigger one.

NinjaForms - Cross-Site Scripting!

Problem
The form import function of NinjaForms accepted forms containing malicious JavaScript, so a crafted form file could plant a stored cross-site scripting payload that runs in the browser of anyone who later views the form in the admin area.
Is it safe?
Version 3.3.14 (August 27th, 2018) fixes the issue.
Our recommendation
As with the WooCommerce issue above, the attacker needs to get a form imported on your site, which normally takes an account with administrative privileges. However, an import can be triggered without the administrator having the import page open, so you could be tricked into importing a malicious form without realising it; update the plugin anyway. Also review your sites for any forms you did not create and delete them. Do not open a suspicious form in the editor to inspect it, as doing so may execute the embedded script in your browser; delete it from the form list instead.

NinjaForms - CSV Injection!

Problem
NinjaForms can also export the submissions to your forms to a .csv file, which you then open in spreadsheet software. Because a submission field is attacker-controlled text, a visitor can submit a value that the spreadsheet evaluates as a formula when the file is opened: a crafted hyperlink, or on some setups a system command run through the spreadsheet's external-link features. Modern spreadsheet software has safeguards for these cases, but they are not complete, so an attacker can still craft an unsafe .csv file.
Is it safe?
Patched in NinjaForms 3.3.14; 3.3.14.1 (August 28th, 2018) hardened the CSV export further.
Our recommendation
Even though the risk is low, update the plugin. If you have existing .csv exports, it is worth checking them before opening them in a spreadsheet: open the file in a plain text editor instead and look for cells whose content starts with =, @, + or - (OWASP's CSV injection guidance also lists a leading tab or carriage return). Alternatively, delete the old exports and regenerate them after updating the plugin.

Export Users to CSV!

Problem
Versions 1.1.1 and older of the Export Users to CSV plugin are vulnerable to the same class of CSV injection. The plugin's sole purpose is exporting user data to .csv files, and any registered user can put a formula into the fields of their own profile; it ends up in the export and may be evaluated, possibly running system commands, when an administrator generates the file and opens it in spreadsheet software.
Is it safe?
No. Although the plugin is marked as tested up to WordPress 4.8.7, it has not been updated in seven months and the issue is not fixed.
Our recommendation
If you keep using the plugin, the minimum precaution is to check every export before opening it in a spreadsheet: open the file in a text editor, as with NinjaForms, and look for cells starting with =, @, + or -. If you would rather replace the plugin, we recommend "Export WordPress data to XML/CSV". It has over 50,000 active installations and is in use on some of our clients' sites; it covers what "Export Users to CSV" does and adds many other export options in a single plugin.
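To make the manual text-editor check recommended here and in the NinjaForms CSV section above repeatable, here is an added Python example (not part of the article, of NinjaForms or of the Export Users to CSV plugin) that scans an export for formula-like cells and rewrites them as inert text. The trigger list adds tab and carriage return from OWASP's guidance to the four characters the article names, and the sample export is constructed for the example:

```python
import csv
import io
from typing import List, Tuple

# Leading characters that make Excel and LibreOffice treat a cell as a formula
# or external reference: the four the article lists, plus tab and carriage
# return, which OWASP's CSV injection guidance also names.
FORMULA_TRIGGERS = ("=", "+", "-", "@", "\t", "\r")

# Constructed sample export (not a real NinjaForms or Export Users to CSV file).
# Row 3 is what a malicious profile or submission could look like; rows 4 and 5
# hold values that trip the same rule but may well be legitimate.
SAMPLE_EXPORT = (
    "Username,Display Name,Website\n"
    "alice,Alice,https://example.com\n"
    'mallory,"=HYPERLINK(""http://evil.example/reset"",""Reset your password"")",\n'
    "bob,Bob,@home\n"
    "carol,+1 555 0100,-\n"
)


def is_formula_cell(cell: str) -> bool:
    """True if a spreadsheet would evaluate this cell instead of displaying it."""
    return cell.startswith(FORMULA_TRIGGERS)


def find_formula_cells(csv_text: str) -> List[Tuple[int, int, str]]:
    """Return (row, column, value) for every cell that starts with a trigger.

    Rows and columns are 1-based so they match what a text editor shows. The
    header row is scanned too: an attacker-controlled field label is as
    dangerous as a value.
    """
    hits = []
    for r, row in enumerate(csv.reader(io.StringIO(csv_text, newline="")), start=1):
        for c, cell in enumerate(row, start=1):
            if is_formula_cell(cell):
                hits.append((r, c, cell))
    return hits


def neutralize_csv(csv_text: str) -> str:
    """Rewrite the CSV so that formula-like cells become literal text.

    Prefixes a single quote (the defusing character OWASP recommends, which
    spreadsheets hide and read as "this cell is text") and quotes every field
    so embedded commas, quotes and newlines survive unchanged.
    """
    out = io.StringIO()
    writer = csv.writer(out, quoting=csv.QUOTE_ALL, lineterminator="\n")
    for row in csv.reader(io.StringIO(csv_text, newline="")):
        writer.writerow(["'" + cell if is_formula_cell(cell) else cell for cell in row])
    return out.getvalue()


if __name__ == "__main__":
    for r, c, value in find_formula_cells(SAMPLE_EXPORT):
        print(f"row {r}, column {c}: {value!r}")
    print(neutralize_csv(SAMPLE_EXPORT))
```

The rule is deliberately coarse: "+1 555 0100" and a bare "-" are almost certainly harmless, so treat hits as cells to review rather than as proof of an attack. The neutralised file loses nothing but gains a leading quote on the flagged cells, which the spreadsheet hides; if you prefer, delete the old export and regenerate it with a patched plugin, as the article suggests.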
