While checking fixes of critical issues in a premium plugin, we stumbled across an insufficient filename entropy issue: the PHP function time() was used to generate part of the string that was md5 hashed to form the filename. These files generally contain sensitive data, such as logs or PII, and as it's not the first time we have seen such a mistake, we thought it would be a good idea to make a post out of it.
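The weak pattern described above beside a hardened replacement, as an added example that is not code from the plugin or from WPScan; the function names and the `.csv` export naming are assumptions for illustration.

```php
<?php
// Added example, not the plugin's own code. Function names are hypothetical.

// Weak: the only unpredictable input is a second-resolution timestamp.
// md5() adds no entropy; it only obscures an input with very few possible values.
function weak_export_filename(string $prefix): string {
    return $prefix . '-' . md5((string) time()) . '.csv';
}

// Hardened: 128 bits from the CSPRNG, independent of anything an observer can see.
function strong_export_filename(string $prefix): string {
    return $prefix . '-' . bin2hex(random_bytes(16)) . '.csv';
}

// Effective entropy in bits of a name whose only secret is a timestamp known
// to fall inside a window of $window_seconds (e.g. the day the export ran).
function timestamp_entropy_bits(int $window_seconds): float {
    return log($window_seconds, 2);
}

// A one-day window of seconds is about 16.4 bits; random_bytes(16) is 128 bits.
printf("time()-based name, 1-day window: %.1f bits\n", timestamp_entropy_bits(86400));
printf("random_bytes(16) name: %d bits\n", 16 * 8);
printf("weak:   %s\nstrong: %s\n", weak_export_filename('export'), strong_export_filename('export'));
```

An unguessable name is a mitigation, not a substitute for access control: files holding logs or PII should also live outside the web root or behind an authorization check.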
February 2020 Monthly Vulnerability Roundup
WordPress Plugin Vulnerabilities
- wpdefault – Backdoor Plugin
- Async Javascript < 2.20.02.27 – Subscriber+ Stored XSS via Plugin Settings Change
- 10Web Map Builder for Google Maps < 1.0.64 – Unauthenticated Stored XSS via Plugin Settings Change
- Modern Events Calendar Lite <= 5.1.6 – Multiple Subscriber+ Stored XSS
- Export Users to CSV <= 1.4.2 – CSV Injection
- Photo Gallery < 1.5.46 – Multiple Cross-Site Scripting (XSS) Issues
- Envira Photo Gallery < 1.7.7 – Authenticated Stored Cross-Site Scripting (XSS) Issue
- Pricing Table by Supsystic < 1.8.2 – Insecure Permissions on AJAX Actions
- Pricing Table by Supsystic < 1.8.2 – Unauthenticated Stored XSS
- Pricing Table by Supsystic < 1.8.1 – Cross-Site Request Forgery to XSS and Setting Changes
- Flexible Checkout Fields for WooCommerce < 2.3.2 – Unauthenticated Settings Update
- Hero Maps Premium < 2.2.3 – Unauthenticated Reflected Cross-Site Scripting (XSS)
- Ultimate Membership Pro < 8.6.2 – Multiple CSRF Issues via AJAX Calls, Insufficient Filename Entropy
- Ultimate Membership Pro < 8.7 – Cross-Site Request Forgery allowing Arbitrary Account Deletion and Creation
- CardGate < 3.1.16 – Unauthorised Payments Hijacking and Order Status Spoofing
- Chained Quiz < 1.1.9.1 – Authenticated Stored XSS
- Modula Image Gallery < 2.2.5 – Authenticated Stored Cross-Site Scripting (XSS)
- Duplicator 1.3.24 & 1.3.26 – Unauthenticated Arbitrary File Download
- Easy Property Listings < 3.4 – Cross-Site Request Forgery (CSRF)
- ThemeREX Addons – Remote Code Execution (0day, Being Exploited)
- wpCentral < 1.5.1 – Improper Access Control to Privilege Escalation
- ThemeGrill Demo Importer < 1.6.3 – Auth Bypass & Database Wipe
- Popup Builder < 3.0 – SQL injection via PHP Deserialization
- GDPR Cookie Consent < 1.8.3 – Improper Access Controls
- Profile Builder and Profile Builder Pro < 3.1.1 – User Registration With Administrator Role
- Participants Database < 1.9.5.6 – Authenticated Time Based SQL Injection
- Ultimate Membership Pro < 8.6.1 – Multiple Critical Vulnerabilities
- Events Manager < 5.9.7.2 – CSV Injection
- Events Manager Pro < 2.6.7.2 – CSV Injection
- Tutor LMS < 1.5.3 – Cross-Site Request Forgery (CSRF)
- Ninja Forms < 3.4.23 – CSRF to Stored Cross-Site Scripting (XSS) Issues
- Strong Testimonials < 2.40.1 – Stored Cross Site Scripting (XSS)
- Htaccess by BestWebSoft <= 1.8.1 – CSRF to edit .htaccess
New Description and PoC fields in API
From today we have two new fields output in our API for enterprise users: the description and poc fields.
We have been displaying this data on the wpvulndb.com website since almost the beginning of the project, but excluded it from the API due to concerns about the extra bandwidth costs.
We have had a number of users request the data be output within the API over the years, and quite a few recently.
Paid Vulnerability Email Alerts
On March 2nd 2020 we will be introducing paid vulnerability email alerts for instant and daily emails.
Traditionally we have been giving these away free of charge to our users, but the number of subscribers has increased steadily over the years and they are starting to become a significant monthly cost to us.
January 2020 Monthly Vulnerability Roundup
WordPress Plugin Vulnerabilities
- Strong Testimonials < 2.40.1 – Stored Cross Site Scripting (XSS)
- GistPress < 3.0.2 – Authenticated Stored XSS
- Code Snippets < 2.14.0 – CSRF to RCE
- Elementor Page Builder < 2.8.5 – Authenticated Reflected XSS
- Elementor Page Builder < 2.7.6 – Authenticated Stored XSS
- WPS Hide Login < 1.5.5 – Secret Login Page Disclosure
- WP DS FAQ Plus < 1.4.2 – Stored Cross-Site Scripting (XSS)
- wpCentral < 1.4.8 – Privilege Escalation
- Contact Form Clean and Simple <= 4.7.0 – Authenticated Stored XSS
- Calculated Fields Form < 1.0.354 – Authenticated Stored XSS
- Chatbot with IBM Watson < 0.8.21 – DOM Cross-Site Scripting (XSS)
- AccessAlly < 3.3.2 – Arbitrary PHP Execution
- 2J SlideShow < 1.3.40 – Authenticated Arbitrary Plugin Deactivation
- Batch-Move Posts <= 1.5 – Broken Authentication leading to Unauthenticated Stored XSS
- Contextual Adminbar Color < 0.3 – Authenticated Stored Cross-Site Scripting Issue
- Marketo Forms and Tracking <= 1.0.2 – CSRF to XSS
- WP Database Reset < 3.15 – Unauthenticated Database Reset
- WP Database Reset < 3.15 – Privilege Escalation
- Chained Quiz < 1.1.8.2 – Unauthenticated Reflected XSS
- Resim Ara <= 3.0 – Unauthenticated Reflected XSS
- LearnDash < 3.1.2 – Reflected Cross Site Scripting (XSS) issue on the [ld_profile] search field.
- Flamingo < 2.1.1 – CSV Injection
- Backup and Staging by WP Time Capsule < 1.21.16 – Authentication Bypass
- InfiniteWP Client < 1.9.4.5 – Authentication Bypass
- Computer Repair Shop < 2.0 – Authenticated Stored XSS
- Ultimate Member < 2.1.3 – Insecure Direct Object Reference (IDOR)
- Video on Admin Dashboard < 1.1.4 – Authenticated Stored XSS
- WooCommerce – Store Exporter < 2.4 – CSV Injection
- Minimal Coming Soon & Maintenance Mode < 2.15 – CSRF to Stored XSS and Setting Changes
- Minimal Coming Soon & Maintenance Mode < 2.15 – Insecure Permissions: Enable and Disable Maintenance Mode
- Minimal Coming Soon & Maintenance Mode < 2.17 – Insecure permissions: Export Settings/Theme Change
- WP Simple Spreadsheet Fetcher For Google < 0.3.7 – Arbitrary API Key update via CSRF
- Ultimate FAQ < 1.8.30 – Unauthenticated Reflected XSS
- WooCommerce Conversion Tracking < 2.0.5 – CSRF to XSS
- ElegantThemes (divi, extra, divi-builder < 4.0.10) – Authenticated Code Injection
- Postie <= 1.9.40 – Post Submission Spoofing & Stored XSS
- Import Users From CSV with Meta 1.15 – Unauthorised Authenticated Users Export
Dradis WPScan Integration
We’re happy to announce that WPScan’s CLI JSON output can now be seamlessly imported into the Dradis Framework!

New WPScan Vulnerability Webhooks
We have just launched a new feature on our WordPress Vulnerability Database that will allow Enterprise API users to configure a Webhook that will be triggered every time a new vulnerability is added to our database.
This has been a much requested feature by our Enterprise users and we are happy to be able to supply a solution.
Old WPScan Deprecation on February 1st
We released WPScan 3.7.0 on September 13th 2019, which uses the WPVulnDB API to fetch vulnerability data in real time. On February 1st 2020, we will be deprecating the use of older versions of WPScan, prior to version 3.7.0.
Anyone using a version of WPScan lower than 3.7.0 will have to update to version 3.7.0 or above before February 1st 2020.
Our new sponsor: Automattic
We’d like to introduce you to our new sponsor Automattic!
WPScan WordPress Security Commandments Poster
Today we are releasing three different posters related to WPScan and WordPress security. Hopefully you find them useful enough and beautiful enough to hang on your wall.