On-Going Wordpress Plugin Vulnerability Community Alerts

Ryuzaki

お前はもう死んでいる
Moderator
Joined
Sep 3, 2014
Messages
4,783
Likes
9,215
Points
9
I've been wanting to make this thread for a while but always am too busy to fire it off. Almost every day another vulnerability is found in commonly used Wordpress plugins. I know Wordpress wants to set up a system to force auto-updates for these cases, but it doesn't exist yet and lots of people can't opt into it anyways or it risks breaking their sites further.

The point of this is two-fold:
  1. Every additional plugin you install increases your risk of being hacked or harmed in some regard.
  2. Many plugins are coded poorly which also impact your speed and user experience.
Let each post in this thread serve as a reminder to always keep your plugins updated. When a vulnerability is found it's announced to the world. And then the race is on to see who can get to your site first, you (to update the plugin) or the hacker (to hack your site). And that's assuming the developer has even had a chance to push an update.

____

Today's vulnerability is...

Ninja Forms
Update Available: Yes
Vulnerability Rating: Severe
Type: Cross-Site Request Forgery (CSRF) & Cross-Site Scripting (XSS)
Link:
https://ninjaforms.com

Basically, a form can be submitted containing a script that is neither sanitized nor validated by nonces; the script then executes and adds new administrator accounts. From there, they can do whatever they want to your site. Update to Ninja Forms version 3.4.24.2 to patch this vulnerability.
 

Ryuzaki
While I'm at it... Yesterday's vulnerability was... plus some recent bonuses...

Quick Page/Post Redirect Plugin
Update Available: No
Vulnerability Rating: Severe
Type: Unauthenticated Settings Change
Link:
Removed from Repo

This plugin didn't have a capability check and the security nonce was weak, allowing low-privilege users such as a contributor to alter settings in the plugin to 301 redirect your posts, pages, or the whole site to a malicious site through the HTTP Location Header. It will not be fixed as the plugin is abandoned, so you 200,000+ users need to uninstall it.

____

WP GDPR Plugin
Update Available: No
Vulnerability Rating: Severe
Type: Cross-Site Scripting (XSS)
Link:
Removed from Repo

People could drop Javascript code into your comments and then it would be executed when other people visit the page. They can gain access to the entire comments table and change any of the 14 fields within, as well as delete them or change this plugin's settings. 6,000+ users should uninstall this.

_____

Elementor
Update Available: Yes
Vulnerability Rating: High Severity
Type: Cross-Site Scripting (XSS)
Link:
https://elementor.com

Over 4 million users need to update their Elementor plugin pronto. Basically any authenticated user (even someone signed up just for comments) can enable Safe Mode, which lets anyone including un-authenticated users interact with the plugins on your site. They could remove all of your security plugins to then unearth more vulnerabilities and have an all-you-can-destroy buffet on your site.

_____

Ultimate Addons for Gutenberg
Update Available: Yes
Vulnerability Rating: Mild
Type: Injection
Link:
https://wordpress.org/plugins/ultimate-addons-for-gutenberg/

The basics are that a user could send a POST request which would unveil the security nonce for six AJAX actions, letting the user then interact with them, doing stuff like activating and deactivating widgets and messing with updates and file generation.

_____

It'll be hard for me to keep up with all this, as these problems are discovered daily. The most problematic ones will probably cross one of our paths, so sharing information about it here would be good for the community as a whole if you have the time.
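The Quick Page/Post Redirect and Ultimate Addons write-ups above both come down to the same two missing controls: a capability check, and a nonce that is tied to one specific action and never handed out by a public endpoint. The following is an added example written for this thread, not code from any of the plugins named here; the plugin prefix, option name and AJAX action names are hypothetical. It shows the shape of an AJAX settings handler that is exposed to low-privilege users next to the hardened form of the same handler.

```php
<?php
/**
 * Added example for this thread (hypothetical plugin, not any plugin named above):
 * the nonce and capability checks whose absence the write-ups above describe.
 */

// Vulnerable shape: reachable by any logged-in user via admin-ajax.php, checks only that
// *some* nonce value was sent, and never asks whether this user may change site options.
function example_redirect_save_vulnerable() {
    if ( empty( $_POST['_wpnonce'] ) ) {
        wp_send_json_error( 'missing nonce', 400 );
    }
    update_option( 'example_redirect_target', esc_url_raw( wp_unslash( $_POST['target'] ?? '' ) ) );
    wp_send_json_success();
}

// Hardened shape of the same handler.
function example_redirect_save() {
    // 1. The nonce must have been issued for *this* action. A nonce leaked by a
    //    different AJAX action (the Ultimate Addons problem) fails this check.
    check_ajax_referer( 'example_redirect_save', '_wpnonce' );

    // 2. Capability check: a Contributor or Subscriber account stops here.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Validate the value: wp_validate_redirect() returns the fallback ('' here)
    //    unless the URL points at this site or an allowed_redirect_hosts entry, so the
    //    stored option can never become an off-site Location target.
    $target = wp_validate_redirect( esc_url_raw( wp_unslash( $_POST['target'] ?? '' ) ), '' );
    if ( '' === $target ) {
        wp_send_json_error( 'redirect target must stay on this site', 400 );
    }
    update_option( 'example_redirect_target', $target );
    wp_send_json_success();
}
// Registered for logged-in users only: no wp_ajax_nopriv_ twin exists for this action.
add_action( 'wp_ajax_example_redirect_save', 'example_redirect_save' );

// The nonce is printed into the admin settings form; it is never echoed back from a
// public endpoint, which is the disclosure path the posts above describe.
function example_redirect_settings_field() {
    wp_nonce_field( 'example_redirect_save', '_wpnonce' );
    printf(
        '<input type="url" name="target" value="%s">',
        esc_attr( get_option( 'example_redirect_target', '' ) )
    );
}
```

The order of the three checks matters: the nonce check runs first so that a forged cross-site request dies before any user lookup, the capability check runs on every request rather than being assumed from "the user is logged in", and validation happens on the server even though the form field is an admin-only page.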
 

Ryuzaki
Today's Vulnerability (or yesterday if you want to be picky)...

Wordpress 5.4.0 and below
Update Available: Yes & Automatic
Vulnerability Rating: Severe
Type: Cross-Site Scripting (XSS)


Wordpress automatically updated everyone to version 5.4.1, which is a security update with 7 fixes. They were:
  • Password reset tokens failed to be properly invalidated
  • Certain private posts can be viewed by unauthenticated users
  • Two XSS Issues in the Customizer
  • An XSS issue in the Search Block
  • An XSS issue in wp-object-cache
  • An XSS issue in file uploads
  • An authenticated XSS issue in the block editor
Older installs have been patched too, but you'd do well to check and make sure, because this has now been announced to the world. The script kiddies will be scraping. I always hide my WP version and block access to stuff like the readme.txt and anything that mentions the version.
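On hiding the WP version: most of it can be done from a must-use plugin, because the version leaks through the generator meta tag, the feed generator string and the `?ver=` query string on core scripts and styles. Below is an added example written for this thread, not Ryuzaki's own setup; the file and function names are hypothetical. Blocking direct requests to readme.txt has to happen in the web server configuration, since that file is served statically and never passes through PHP.

```php
<?php
/**
 * Plugin Name: Example Hide WP Version
 * Added example for this thread (hypothetical mu-plugin). Save it as
 * wp-content/mu-plugins/example-hide-wp-version.php so it loads before ordinary plugins.
 */

// Remove <meta name="generator" content="WordPress x.y"> from the page head.
remove_action( 'wp_head', 'wp_generator' );

// Blank the generator string that RSS/Atom feeds and other contexts print.
add_filter( 'the_generator', '__return_empty_string' );

// Strip ?ver=x.y from enqueued asset URLs only when it equals the core version.
// Plugin and theme assets keep their own version strings so browser caching still works.
function example_strip_core_version_query( $src ) {
    if ( ! is_string( $src ) ) {
        return $src;
    }
    $query = (string) wp_parse_url( $src, PHP_URL_QUERY );
    parse_str( $query, $args );
    if ( isset( $args['ver'] ) && $args['ver'] === get_bloginfo( 'version' ) ) {
        $src = remove_query_arg( 'ver', $src );
    }
    return $src;
}
add_filter( 'script_loader_src', 'example_strip_core_version_query', 15 );
add_filter( 'style_loader_src', 'example_strip_core_version_query', 15 );
```

This reduces what a scraper can fingerprint; it does not change what is actually installed, so the check Ryuzaki recommends (confirm the site really is on 5.4.1) still applies.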
 

eliquid

Digital Strategist
Joined
Nov 26, 2014
Messages
882
Likes
1,874
Points
3
Is there any way to prevent WP from updating your site?

I have some that I thought I somehow marked as "do not upgrade". Old WP sites. But someone got updated a day or 2 ago.

Any way to stop this completely?
 

Ryuzaki
Elementor < v2.8.7
Update Available: Yes
Vulnerability Rating: Medium
Type: Cross-Site Scripting (XSS)


Everyone's favorite page builder is back again. This one required a malicious actor to be a user and have the ability to upload files. If "Enable SVG Uploads" were allowed, a user could upload an SVG image file that contained bad scripts within it. That's because they weren't being sanitized with case-sensitivity. So you could use something like HRef or hReF and still place links to scripts within them.

They also had two sanitization functions to remove PHP comments and PHP code in the wrong order, which would cause PHP to be left in the SVG code and executed.

Not a huge deal. I doubt any of us are letting just anybody become a user and upload files. But if you use Elementor and force users to sign up to comment or for any other reason, make sure those users' permissions are locked down properly.

Is there any way to prevent WP from updating your site?

I have some that I thought I somehow marked as "do not upgrade". Old WP sites. But someone got updated a day or 2 ago.

Any way to stop this completely?

@eliquid, I've not done this myself but a quick search says you can add the following into your wp-config.php file:

Code:
// wp-config.php, above the line that requires wp-settings.php:
define( 'WP_AUTO_UPDATE_CORE', false );

// These two need add_filter(), which is not loaded yet when wp-config.php runs;
// put them in a plugin or a wp-content/mu-plugins/ file instead:
add_filter( 'auto_update_plugin', '__return_false' );
add_filter( 'auto_update_theme', '__return_false' );

The name of each filter is self-explanatory. Again, I've not tested this myself, but I do use several wp-config.php commands like this that all work properly.
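Going back to the Elementor SVG issue earlier in this post: the two defects described there (case-sensitive matching, and stripping PHP comments and PHP code in the wrong order) both disappear if the upload filter compares lower-cased names and scans the untouched input once instead of stripping it in stages. The following is an added example written for this thread, not Elementor's code; the plugin and function names are hypothetical, and the policy is deliberately minimal (script elements, on* handlers, javascript:/data: links, PHP tags).

```php
<?php
/**
 * Plugin Name: Example SVG Upload Filter
 * Added example for this thread (hypothetical mu-plugin, not Elementor's code).
 * Rejects SVG uploads carrying script, event-handler attributes, javascript:/data:
 * links or PHP tags, matching names case-insensitively so HRef, hReF and <SCRIPT> all match.
 */

function example_svg_is_dangerous( string $svg ): bool {
    if ( '' === trim( $svg ) ) {
        return true;
    }
    // 1. Raw-text scan on the untouched input: any "<?" that is not the XML declaration
    //    (<?php, <?=, a bare "<? ") would run if the file were ever executed by PHP.
    //    Scanning the original text once avoids the strip-in-the-wrong-order problem.
    if ( preg_match( '/<\?(?!xml\s)/i', $svg ) ) {
        return true;
    }

    // 2. Parse as XML with no network access, so external entities/DTDs are never fetched.
    if ( PHP_VERSION_ID < 80000 ) {
        libxml_disable_entity_loader( true ); // default behaviour from PHP 8.0 onward
    }
    $previous = libxml_use_internal_errors( true );
    $dom      = new DOMDocument();
    $loaded   = $dom->loadXML( $svg, LIBXML_NONET );
    libxml_clear_errors();
    libxml_use_internal_errors( $previous );
    if ( ! $loaded ) {
        return true; // malformed XML: reject rather than guess
    }
    $xpath = new DOMXPath( $dom );

    // 3. Elements: compare lower-cased local names, so <SCRIPT> and <Script> both match.
    foreach ( $xpath->query( '//*' ) as $element ) {
        if ( in_array( strtolower( $element->localName ), array( 'script', 'foreignobject' ), true ) ) {
            return true;
        }
    }

    // 4. Attributes: on* handlers, and href/xlink:href (any prefix) pointing at
    //    javascript: or data: URLs, with whitespace and control characters removed first.
    foreach ( $xpath->query( '//@*' ) as $attr ) {
        $name  = strtolower( $attr->localName );
        $value = strtolower( preg_replace( '/[\s\x00-\x1f]+/', '', $attr->value ) );
        if ( 0 === strpos( $name, 'on' ) ) {
            return true;
        }
        if ( 'href' === $name && ( 0 === strpos( $value, 'javascript:' ) || 0 === strpos( $value, 'data:' ) ) ) {
            return true;
        }
    }
    return false;
}

// Reject the file before WordPress moves it into wp-content/uploads. Setting
// $file['error'] to a string makes the media uploader show that message and stop.
add_filter( 'wp_handle_upload_prefilter', function ( array $file ) {
    $ext = strtolower( pathinfo( $file['name'], PATHINFO_EXTENSION ) );
    if ( 'svg' === $ext && example_svg_is_dangerous( (string) file_get_contents( $file['tmp_name'] ) ) ) {
        $file['error'] = 'SVG rejected: it contains script, event handlers, unsafe links or PHP tags.';
    }
    return $file;
} );
```

Lower-casing is the right comparison here because page builders inline SVG into HTML, and the HTML parser treats attribute names case-insensitively even though a stand-alone XML parser would not. A filter like this belongs alongside, not instead of, the permission lock-down Ryuzaki mentions.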
 

Ryuzaki
Google Site Kit Wordpress Plugin < 1.8.0
Update Available: Yes
Vulnerability Rating: Critical
Type: Privilege Escalation


WordFence found and disclosed this to Google privately, so it's already patched. Just update your plugin. It allows an attacker to change your sitemaps and remove pages from the index through access to Search Console, as long as they can register as a user of any type. It gives them admin-level privileges, so they could do other types of damage too, like inserting links into your posts.
 

Ryuzaki
Pagelayer < 1.1.2
Update Available: Yes
Vulnerability Rating: Critical
Type: Privilege Escalation


WordFence found and disclosed a means for an attacker with subscriber level accounts to forge a request as an administrator, inject malicious Javascript, and update and modify posts, as well as other issues. WordFence describes it as an "Unprotected AJAX and Nonce Disclosure to Stored Cross-Site Scripting and Malicious Modification." Pagelayer is a page builder plugin with over 200,000+ active installations.
 
Joined
Nov 26, 2014
Messages
44
Likes
48
Points
0
A few weeks ago I noticed that a couple of my websites were hacked. All had themes and plugins from Thrive on it that I haven't updated in a while.

Just wanted to give you a heads up as from what I remember some of you were using Themes from Thrive as well.

"On March 23, 2021, the Wordfence Threat Intelligence Team discovered two recently patched vulnerabilities being actively exploited in Thrive Theme’s “Legacy” Themes and Thrive Theme plugins that were chained together to allow unauthenticated attackers to upload arbitrary files on vulnerable WordPress sites. We estimate that more than 100,000 WordPress sites are using Thrive Theme products that may still be vulnerable."

More info here: https://www.wordfence.com/blog/2021...thrive-themes-actively-exploited-in-the-wild/
 