New Vulnerabilities in 6 Popular WordPress Plugins
This week we have several high profile plugin vulnerabilities we’d like to bring your attention to. If you are using one of these plugins, upgrade to the fixed version immediately.
Fast Secure Contact Form (400,000+ active installs) version 4.0.37 and earlier contain an XSS vulnerability that was publicly announced on October 27th. This was fixed in version 4.0.38. Upgrade immediately if you haven’t already. Note that this plugin is very popular with over 400,000 active installs.
Bulletproof Security (100,000+ active installs) version .52.4 contains a XSS vulnerability that was publicly announced 2 weeks ago. Please upgrade to the newest version which fixes the issue if you haven’t already.
Blubrry PowerPress podcasting plugin (50,000+ active installs) version 6.0.4 and earlier contains an XSS vulnerability publicly announced on October 27th. Upgrade as soon as possible.
Form Manager version (30,000+ active installs) 1.7.2 and earlier contain an unauthenticated remote command execution (RCE) vulnerability published on October 23rd. This was fixed in 1.7.3. Upgrade as soon as possible.
WordPress Files Upload (10,000+ active installs) version 3.4.0 and earlier allowed a malicious executable file to be uploaded and executed. This has been fixed in 3.4.1 which was released 13 days ago. Please upgrade immediately if you haven’t already.
Crony Cronjob Manager 0.4.4 (2000+ active installs) and earlier contained an XSS and CSRF vulnerability. The fix was released several weeks ago but it was publicly announced 15 days ago. If you haven’t upgraded this plugin, please do so immediately.
Kudos to Sathish from Cyber Security Works for discovering several of these vulnerabilities and the responsible disclosure.
Comments
9:55 am
Thanks a lot Mark and Sathish
5:00 pm
Hi Mark, Thanks for the Credit.
9:56 am
Luckily I do not have any of these plugins on my site but kudos to Sathish and Wordfence for alerting everyone and doing a wonderful job.
10:18 am
I always like reading these posts and relisesing that use none of the plugins! Must be a little embarrassing for Bulletproof Security! Not a Bulletproof as they should be.
3:18 pm
"Must be a little embarrassing for Bulletproof Security!"
I don't see why. There's no such thing as bug-free software; there is only software for which the bugs have not yet been discovered. What would be embarrassing and harmful were the developers to ignore notifications of these problems and/or not release an update to fix the issue in a timely manner.
My hat goes off to all developers who do their utmost to stay head of the blackhats in the game of cat and mouse that is internet security. And a HUGE thanks to those whitehats who discover vulnerabilities and disclose them in responsible fashion so as to not put the rest of us at unnecessary risk.
3:33 pm
Agreed. Definitely no finger pointing from us unless it's to acknowledge responsible disclosure from the researchers involved and a quick response from the developers affected. As I mentioned in another comment, this kind of response from a dev when a vulnerability is discovered is actually an endorsement of the product.
8:58 am
Kudos to Mark and Sathish <3 <3
8:34 pm
Thanks for sharing. this is good information
2:54 am
Thanks for the update. I'm so grateful for this wonderful plugin and will be recommending it to associates. Keep up the good work!
5:02 pm
Thanks Imran.
2:08 pm
Wordfence Security for the invaluable alerts, and also the security features your plugin is offering, nice
10:02 am
Thanks for timely update.
10:12 am
Thanks for the update, and especially the WordPress Plugin list. Do you know if Mail Poet is in the clear?
10:15 am
Nothing recent reported for them as far as we're aware.
10:16 am
Thanks for the notice. Just updated one of them last week. Always good to get this info as fast as possible, so thank you.
10:17 am
Thanks for the update!!
10:17 am
The last four out of the six are hardly popular wordpress plugins. But still thank you for the alert. It only takes one install to compromise a site.
10:27 am
It's a tough call to make where to cut off what 'popular' means. We did leave out several that are low usage.
10:34 am
Is there a list somewhere of all the plugins, including the less popular ones?
11:07 am
Would be interested in such a full list as well
11:32 am
Hey Guys. Will try to put together a few resources for you in a future post.
1:15 pm
Nice. Thanks
11:08 pm
Owh, thanks for update Sathish.
10:26 am
Thank you Mark for the update...we use Fast and Secure Contact and Mike Challis is always quick to respond...all of our sites as well as our clients sites are all updated with the new version.
Thank you, RC
10:28 am
Yes it seems that all developers did a great job of being responsive, so I'd say that's a strong endorsement for any of the plugins listed.
10:36 am
Couldn't resist reading this as soon as I read the teaser subject in my inbox :)
11:16 am
Thanks for putting these together, echoes the best part about the WP community, togetherness!
11:18 am
"Bulletproof Security (100,000+ active installs) version .52.4 contains a XSS vulnerability"
I guess it's not bulletproof after all :D
11:34 am
Thanks for the update. We appreciate all your help with client websites.
12:12 pm
I want to thank you for such an awesome product, even the free one is loaded and does so much!
My hosting provider recommended WordFence when I called them about some issues I was having on my website. Once I installed Wordfence I quickly found out just how bad it was.
I went through every line in every section and filled out everything I could. Boy has it made a HUGE difference!
I'm so grateful for this wonderful plugin and will be recommending it to associates. Keep up the good work!
Cynthia
12:15 pm
Appreciate the notification WF
I'd also like to see a list of other plugins/themes that may not be as popular.
1:39 pm
Hey Wordfence team. We can always count on you to deliver. Thanks for the heads up. Absolutely, love what you guys are doing for us. I cannot imagine not to have WordFence on my sites. It is always the first plugin I install.
3:24 pm
Phew! I don't have any of these plugins installed. It's great to know what to watch for.
3:27 pm
Thanks for the update. I am not using any plugin mentioned above but I will keep in mind while working on the security projects for my clients.
6:10 pm
Thanks For Keeping My Blog Seure!
9:03 pm
Thanks for the news! Well, I don't use any of these. But, I stay updated with the list posted by your team. By the way, thank you WordFence for providing great security to my site :)
9:23 pm
Thank you Mark,
Great work Sathish.
12:08 am
You guys are awesome. I don't personally use any of the plugins you mentioned, but it certainly is reassuring to know you are very much on the ball.
Thanks very much.
2:37 am
Whats interesting is that we patched our plugin back in last September yet its just getting covered now.. We have had 2 updates since the issue was first reported.
7:43 am
Your researcher waited until Oct 27th before applying or a CVE identifier: http://permalink.gmane.org/gmane.comp.security.oss.general/18024
So make sure you give credit where it's due. That's why this was only picked up now.
11:40 pm
thanks for giving an update, and I've update the plugin after read this article.
12:20 pm
Today there have been a record number of hack and login attempts on a sister site I have with Wordpress. 90% of the login attempts are coming from Russia. Are you all seeing or experiencing this level of attempted hacks? I'm getting at least 10 an hour, and trying to manually block each IP address is proving to be very time consuming. What can I do?
8:55 am
Thanks for this update ! it's really useful to know wich plugins are not safe for my blogs. Kudos to Sathish and Wordfence , well done guys !
1:40 am
Thanks Sathish and Wordfence Security for the invaluable alerts, and also the security features your plugin is offering. I hope I can be a premium customer soon ?