
New Vulnerabilities in 6 Popular WordPress Plugins

This entry was posted in WordPress Security on November 11, 2015 by Mark Maunder.

This week we have several high profile plugin vulnerabilities we’d like to bring your attention to. If you are using one of these plugins, upgrade to the fixed version immediately.

Fast Secure Contact Form (400,000+ active installs) version 4.0.37 and earlier contain an XSS vulnerability that was publicly announced on October 27th. This was fixed in version 4.0.38. Given how widely this plugin is installed, upgrade immediately if you haven’t already.

Bulletproof Security (100,000+ active installs) version .52.4 contains an XSS vulnerability that was publicly announced two weeks ago. Please upgrade to the newest version, which fixes the issue, if you haven’t already.

Blubrry PowerPress podcasting plugin (50,000+ active installs) version 6.0.4 and earlier contain an XSS vulnerability publicly announced on October 27th. Upgrade as soon as possible.

Form Manager (30,000+ active installs) version 1.7.2 and earlier contain an unauthenticated remote command execution (RCE) vulnerability published on October 23rd. This was fixed in 1.7.3. Upgrade as soon as possible.

WordPress Files Upload (10,000+ active installs) version 3.4.0 and earlier allowed a malicious executable file to be uploaded and executed. This has been fixed in 3.4.1 which was released 13 days ago. Please upgrade immediately if you haven’t already.

Crony Cronjob Manager (2,000+ active installs) version 0.4.4 and earlier contain XSS and CSRF vulnerabilities. The fix was released several weeks ago, but it was publicly announced 15 days ago. If you haven’t upgraded this plugin, please do so immediately.
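The practical question for an administrator reading a list like the one above is "which of my sites still run an affected version?" The script below is an added example, not Wordfence code or code from any of the plugins named: it reads the JSON that WP-CLI's `wp plugin list --format=json` prints (fields `name`, `status`, `update`, `version`) and flags every plugin from this post that is still at or below the highest affected version. The wordpress.org slugs in the table are assumptions to verify before relying on them, and the embedded plugin list is a constructed sample so the script runs offline. Note the version-parsing edge case: the post writes Bulletproof Security's version as ".52.4" while a site reports it as "0.52.4", and the parser treats those as equal.

```python
"""Flag installed WordPress plugins still on a version affected by this advisory.

Added example (not Wordfence's or the plugins' own code). Reads WP-CLI's
`wp plugin list --format=json` output, or an embedded constructed sample.
"""
import json
import re
import shutil
import subprocess

# Highest affected version and, where the post names one, the fixed version.
# The wordpress.org slugs are ASSUMED here; verify them before relying on this table.
ADVISORY = {
    "si-contact-form":      ("Fast Secure Contact Form", "4.0.37", "4.0.38"),
    "bulletproof-security": ("BulletProof Security",     ".52.4",  None),
    "powerpress":           ("Blubrry PowerPress",       "6.0.4",  None),
    "form-manager":         ("Form Manager",             "1.7.2",  "1.7.3"),
    "wp-file-upload":       ("WordPress File Upload",    "3.4.0",  "3.4.1"),
    "crony":                ("Crony Cronjob Manager",    "0.4.4",  None),
}

# Constructed sample of `wp plugin list --format=json` output; not from a real site.
SAMPLE_WP_PLUGIN_LIST = json.dumps([
    {"name": "si-contact-form",      "status": "active",   "update": "available", "version": "4.0.37"},
    {"name": "bulletproof-security", "status": "active",   "update": "none",      "version": "0.52.4"},
    {"name": "powerpress",           "status": "inactive", "update": "none",      "version": "6.0.5"},
    {"name": "form-manager",         "status": "active",   "update": "none",      "version": "1.7.3"},
    {"name": "wordfence",            "status": "active",   "update": "none",      "version": "6.0.16"},
])


def parse_version(version: str) -> tuple:
    """Turn a plugin version string into a comparable tuple of ints.

    Each dot-separated component keeps only its leading digits, so "4.0.38-beta"
    becomes (4, 0, 38). An empty component counts as 0, so ".52.4" (as written in
    the post) and "0.52.4" (as a site reports it) compare equal. Trailing zeros
    are dropped so "1.7" equals "1.7.0".
    """
    parts = []
    for component in version.strip().split("."):
        digits = re.match(r"\d*", component).group(0)
        parts.append(int(digits) if digits else 0)
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()
    return tuple(parts)


def is_affected(installed: str, max_affected: str) -> bool:
    """True when the installed version is at or below the highest affected one."""
    return parse_version(installed) <= parse_version(max_affected)


def audit(plugins: list) -> list:
    """Return the installed plugins from ADVISORY that are still on an affected version.

    Inactive plugins are reported too: their files stay on disk and many plugin
    bugs are reachable by requesting those files directly, so deactivating is not
    a fix; updating or deleting is.
    """
    findings = []
    for p in plugins:
        entry = ADVISORY.get(p["name"])
        if entry and is_affected(p["version"], entry[1]):
            findings.append({
                "slug": p["name"],
                "title": entry[0],
                "status": p["status"],
                "installed": p["version"],
                "max_affected": entry[1],
                "fixed_in": entry[2] or "see the plugin changelog",
            })
    return findings


def load_plugin_list() -> list:
    """Use WP-CLI when it is on PATH (run from the WordPress root), else the sample."""
    if shutil.which("wp"):
        out = subprocess.run(["wp", "plugin", "list", "--format=json"],
                             capture_output=True, text=True, check=True).stdout
        return json.loads(out)
    return json.loads(SAMPLE_WP_PLUGIN_LIST)


if __name__ == "__main__":
    for f in audit(load_plugin_list()):
        print(f"{f['title']} ({f['slug']}) {f['installed']} [{f['status']}]: "
              f"affected up to {f['max_affected']}, fixed in {f['fixed_in']}")
```

Run it from a site's WordPress root where `wp` is installed; without WP-CLI it audits the built-in sample, which flags Fast Secure Contact Form and BulletProof Security and clears the others. Across many sites, feed it each site's `wp plugin list --format=json` output instead of running WP-CLI in-process.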

Kudos to Sathish from Cyber Security Works for discovering several of these vulnerabilities and the responsible disclosure.


44 Comments on "New Vulnerabilities in 6 Popular WordPress Plugins"

Kumar November 11, 2015 at 9:55 am

Thanks a lot Mark and Sathish

Sathish November 11, 2015 at 5:00 pm

Hi Mark, Thanks for the Credit.

Imran November 11, 2015 at 9:56 am

Luckily I do not have any of these plugins on my site but kudos to Sathish and Wordfence for alerting everyone and doing a wonderful job.

lomokev November 11, 2015 at 10:18 am

I always like reading these posts and realising that I use none of the plugins! Must be a little embarrassing for Bulletproof Security! Not as bulletproof as they should be.

Trane Francks November 11, 2015 at 3:18 pm

"Must be a little embarrassing for Bulletproof Security!"

I don't see why. There's no such thing as bug-free software; there is only software for which the bugs have not yet been discovered. What would be embarrassing and harmful were the developers to ignore notifications of these problems and/or not release an update to fix the issue in a timely manner.

My hat goes off to all developers who do their utmost to stay ahead of the blackhats in the game of cat and mouse that is internet security. And a HUGE thanks to those whitehats who discover vulnerabilities and disclose them in responsible fashion so as to not put the rest of us at unnecessary risk.

mark November 11, 2015 at 3:33 pm

Agreed. Definitely no finger pointing from us unless it's to acknowledge responsible disclosure from the researchers involved and a quick response from the developers affected. As I mentioned in another comment, this kind of response from a dev when a vulnerability is discovered is actually an endorsement of the product.

Clara Ingewati January 19, 2016 at 8:58 am

Kudos to Mark and Sathish <3 <3

Gejala kanker January 21, 2016 at 8:34 pm

Thanks for sharing. this is good information

caryna February 25, 2016 at 2:54 am

Thanks for the update. I'm so grateful for this wonderful plugin and will be recommending it to associates. Keep up the good work!

Sathish November 11, 2015 at 5:02 pm

Thanks Imran.

zen January 20, 2016 at 2:08 pm

Wordfence Security for the invaluable alerts, and also the security features your plugin is offering, nice

vinodh November 11, 2015 at 10:02 am

Thanks for timely update.

David Trounce November 11, 2015 at 10:12 am

Thanks for the update, and especially the WordPress Plugin list. Do you know if Mail Poet is in the clear?

mark November 11, 2015 at 10:15 am

Nothing recent reported for them as far as we're aware.

Owen November 11, 2015 at 10:16 am

Thanks for the notice. Just updated one of them last week. Always good to get this info as fast as possible, so thank you.

Henrik November 11, 2015 at 10:17 am

Thanks for the update!!

usman November 11, 2015 at 10:17 am

The last four out of the six are hardly popular wordpress plugins. But still thank you for the alert. It only takes one install to compromise a site.

mark November 11, 2015 at 10:27 am

It's a tough call to make where to cut off what 'popular' means. We did leave out several that are low usage.

JP November 11, 2015 at 10:34 am

Is there a list somewhere of all the plugins, including the less popular ones?

Wim November 11, 2015 at 11:07 am

Would be interested in such a full list as well

mark November 11, 2015 at 11:32 am

Hey Guys. Will try to put together a few resources for you in a future post.

Wim November 11, 2015 at 1:15 pm

Nice. Thanks

Andi Mariadi June 9, 2016 at 11:08 pm

Oh, thanks for the update, Sathish.

Rick Cano November 11, 2015 at 10:26 am

Thank you Mark for the update...we use Fast and Secure Contact and Mike Challis is always quick to respond...all of our sites as well as our clients sites are all updated with the new version.

Thank you, RC

mark November 11, 2015 at 10:28 am

Yes it seems that all developers did a great job of being responsive, so I'd say that's a strong endorsement for any of the plugins listed.

118Group November 11, 2015 at 10:36 am

Couldn't resist reading this as soon as I read the teaser subject in my inbox :)

Matt Parker November 11, 2015 at 11:16 am

Thanks for putting these together, echoes the best part about the WP community, togetherness!

Daniel Lo Nigro November 11, 2015 at 11:18 am

"Bulletproof Security (100,000+ active installs) version .52.4 contains a XSS vulnerability"

I guess it's not bulletproof after all :D

Nate November 11, 2015 at 11:34 am

Thanks for the update. We appreciate all your help with client websites.

Cynthia November 11, 2015 at 12:12 pm

I want to thank you for such an awesome product, even the free one is loaded and does so much!

My hosting provider recommended WordFence when I called them about some issues I was having on my website. Once I installed Wordfence I quickly found out just how bad it was.

I went through every line in every section and filled out everything I could. Boy has it made a HUGE difference!

I'm so grateful for this wonderful plugin and will be recommending it to associates. Keep up the good work!

Cynthia

Chook November 11, 2015 at 12:15 pm

Appreciate the notification WF

I'd also like to see a list of other plugins/themes that may not be as popular.

BloggingSpree November 11, 2015 at 1:39 pm

Hey Wordfence team. We can always count on you to deliver. Thanks for the heads up. Absolutely, love what you guys are doing for us. I cannot imagine not to have WordFence on my sites. It is always the first plugin I install.

Rhonda Chapman November 11, 2015 at 3:24 pm

Phew! I don't have any of these plugins installed. It's great to know what to watch for.

Ghulam Mustafa November 11, 2015 at 3:27 pm

Thanks for the update. I am not using any plugin mentioned above but I will keep in mind while working on the security projects for my clients.

Pierre Charles November 11, 2015 at 6:10 pm

Thanks for keeping my blog secure!

Ankush Das November 11, 2015 at 9:03 pm

Thanks for the news! Well, I don't use any of these. But, I stay updated with the list posted by your team. By the way, thank you WordFence for providing great security to my site :)

Sajid November 11, 2015 at 9:23 pm

Thank you Mark,
Great work Sathish.

Graham November 12, 2015 at 12:08 am

You guys are awesome. I don't personally use any of the plugins you mentioned, but it certainly is reassuring to know you are very much on the ball.

Thanks very much.

Todd Cochrane November 12, 2015 at 2:37 am

What's interesting is that we patched our plugin back last September, yet it's just getting covered now. We have had 2 updates since the issue was first reported.

mark November 12, 2015 at 7:43 am

Your researcher waited until Oct 27th before applying for a CVE identifier: http://permalink.gmane.org/gmane.comp.security.oss.general/18024

So make sure you give credit where it's due. That's why this was only picked up now.

Nyekrip November 14, 2015 at 11:40 pm

Thanks for giving an update, and I've updated the plugin after reading this article.

D Grant November 24, 2015 at 12:20 pm

Today there have been a record number of hack and login attempts on a sister site I have with WordPress. 90% of the login attempts are coming from Russia. Are you all seeing or experiencing this level of attempted hacks? I'm getting at least 10 an hour, and trying to manually block each IP address is proving to be very time consuming. What can I do?

Thomas November 29, 2015 at 8:55 am

Thanks for this update! It's really useful to know which plugins are not safe for my blogs. Kudos to Sathish and Wordfence, well done guys!

Shiya Shamsu December 15, 2015 at 1:40 am

Thanks Sathish and Wordfence Security for the invaluable alerts, and also the security features your plugin is offering. I hope I can be a premium customer soon?
