Insufficient Privilege Validation in NextScripts: Social Networks Auto-Poster

Insufficient Privilege Validation in NextScripts: Social Networks Auto-Poster

NextScripts: Social Networks Auto-Poster is a plugin that  automatically publishes posts from your blog to your Social Media accounts such as Facebook, Twitter, Google+, Blogger, Tumblr, Flickr, LinkedIn, Instagram, Telegram, YouTube, WordPress, etc. During a routine research audit for our Sucuri Firewall, we discovered a post deletion, arbitrary posting in ... Read More

Vulnerabilities Digest: July 2020

Relevant Plugins and Vulnerabilities: PluginVulnerabilityPatched VersionInstalls Asset CleanUp: Page Speed Authenticated XSS 1.4.6.7 80000 Quiz And Survey Master Authenticated Stored XSS 7.0.0 30000 Comments – wpDiscuz 7.0.0 – Arbitrary File Upload 7.0.5 70000 Real Estate 7 Reflected XSS 3.0.4 8000 CarePlus Reflected XSS — 5000 WooCommerce Subscriptions Unauthenticated Stored XSS ... Read More

Vulnerabilities Digest: June 2020

Highlights for June 2020 Cross site scripting is still the most common vulnerability in WordPress Plugins. Bad actors are taking advantage of the lack of restrictions in critical functions and issues surrounding user input data sanitization. Massive local file inclusion (LFI) attempts have been discovered attempting to harvest WordPress and ... Read More
Cross Site Scripting in YITH WooCommerce Ajax Product Filter

Cross Site Scripting in YITH WooCommerce Ajax Product Filter

During a routine research audit for our Sucuri Web Application Firewall, we discovered a cross-site scripting (XSS) vulnerability affecting 100,000+ users of the YITH WooCommerce Ajax Product Filter plugin. Current State of the Vulnerability This security bug was fixed in the 3.11.1 release. We are not aware of any exploit ... Read More

Vulnerable Plugins: June 2020 Update

This is a mid-month update to our regular Monthly Vulnerability Digest, which reveals a number of new patches for disclosed vulnerabilities. PluginVulnerabilityPatched VersionInstalls Elementor Page Builder Authenticated Stored XSS 2.9.10 5000000 AdRotate Authenticated SQL Injection 5.8.4 40000 Brizy – Page Builder Improper Access Controls 1.0.126 60000 Careerfy Unauthenticated XSS 3.9.0 ... Read More

Misuse of WordPress update_option() function Leads to Website Infections

In the past four months, Sucuri has seen an increase in the number of plugins affected by the misuse of WordPress’ update_option() function. This function is used to update a named option/value in the options database table. If developers do not implement the permission flow correctly, attackers can gain admin ... Read More
Icegram Persistent Cross-Site Scripting

Icegram Persistent Cross-Site Scripting

Icegram is a plugin that helps you collect email addresses for your newsletter. Other features include light-box popup offers, header action bars, toast notifications, and slide-in messengers. Versions 1.10.28.2 and lower are affected by a persistent Cross-Site Scripting in the admin area. This plugin has over 40,000 installations and any ... Read More
Persistent Cross-site Scripting in WP Live Chat Support Plugin

Persistent Cross-site Scripting in WP Live Chat Support Plugin

During a routine research audits for our Sucuri Firewall, we discovered an Unauthenticated Persistent Cross-Site Scripting (XSS) affecting 60,000+ users of the WP Live Chat Support WordPress plugin. Current State of the Vulnerability Though this security bug has been fixed in the 8.0.27 release, it can be exploited by an ... Read More
Persistent XSS via CSRF in WP Meta and Date Remover

Persistent XSS via CSRF in WP Meta and Date Remover

During regular research audits for our Sucuri Firewall (WAF), we discovered a Cross Site Request Forgery (CSRF) leading to a persistent Cross Site Scripting vulnerability affecting 70,000+ users of the WP Meta and Date Remover plugin for WordPress. Disclosure / Response Timeline: April 30 – Initial contact attempt May 07 ... Read More

Insufficient Privilege Validation in WooCommerce Checkout Manager

Due to the poor handling of a vulnerability disclosure, a new attack vector has appeared for the WooCommerce Checkout Manager WordPress plugin and is affecting over 60,000 sites. If you are using this plugin, we recommend that you update it to version 4.3 immediately. As we’ve seen some exploit attempts ... Read More