
Wordfence Blog

3 Plugin Vulnerabilities Disclosed Yesterday

This entry was posted in Vulnerabilities, WordPress Security on May 24, 2016 by Dan Moen. 26 Replies

We disclosed three plugin vulnerabilities yesterday that we'd like to bring to your attention.

Local File Inclusion Vulnerability Severity 4.2 (Medium) and Unauthorized Options Update Vulnerability Severity 4.4 (Medium) in WP Fastest Cache

Wordfence Security Researcher Panagiotis Vagenas discovered both of these vulnerabilities in the WP Fastest Cache plugin which we reported to the author yesterday. The Local File Inclusion vulnerability allows an attacker to execute code on the target web server or on a site visitor’s browser. This enables the attacker to steal or manipulate data, perform a denial of service attack or enable additional attack types such as Cross Site Scripting. Wordfence Firewall provided protection against this type of attack prior to discovery.

The Options Update vulnerability allows an attacker to access and make changes to the CDN (Content Delivery Network) options for the website. With this control an attacker can direct all requests for CSS files, images, videos, etc. to their site, allowing them to serve malicious content to visitors of the vulnerable site.

Local File Inclusion CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N

Options Update CVSS Vector: CVSS:3.0/AV:N/AC:H/PR:L/UI:R/S:C/C:L/I:L/A:N

What to do

If you are running the Premium version of Wordfence and have the firewall enabled you are already protected because we added protection for both vulnerabilities yesterday.

Free Wordfence users running this plugin should update the vulnerable plugin immediately. Paid Wordfence users who have the firewall disabled should also update the vulnerable plugin immediately. The author released a fix within an hour of our notifying him of this vulnerability.

Sensitive Data Exposure Vulnerability Severity 4.3 (Medium) in Caldera Forms

Wordfence Security Researcher Panagiotis Vagenas also discovered this vulnerability, which we reported to the Caldera Forms author yesterday. This vulnerability allows an attacker to gain access to potentially sensitive data that has been captured by a Caldera Form.

CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What to do

If you are running the Premium version of Wordfence and have the firewall enabled you are already protected, because we added a firewall rule yesterday. Free Wordfence users, and paid users who have the Wordfence firewall disabled, who are running this plugin should update to the most recent version immediately. The author released a fix within hours of discovery and published a blog post about it this morning.


26 Comments on "3 Plugin Vulnerabilities Disclosed Yesterday"

tonygreene113 May 24, 2016 at 11:33 am

I'm so glad you folks stay on top of this security stuff with Wordfence. I'm definitely upgrading to the premium version for next month.
All the best.

Cristian Balan May 24, 2016 at 11:35 am

And what's the third plugin?

Dan Moen May 24, 2016 at 11:37 am

Hi Cristian, there were 2 vulnerabilities in one of the plugins. A total of 3 vulnerabilities in 2 plugins.

Roy May 24, 2016 at 11:43 am

Thank you for updating us. Glad we've got you...

Linda May 24, 2016 at 11:51 am

So happy I use y'all. I've had the free version installed for a long while now, and never once have I been disappointed.

James May 24, 2016 at 12:45 pm

Thanks for this update Dan!

I also was looking for the 3rd plugin Vulnerability LOL Thanks for the explanation.

Awesome work guys!!!

Natalie May 24, 2016 at 12:55 pm

I can't live without Wordfence Security and the guys and gals behind it. When I moved across country, my site was hacked 3 times, probably because I accessed it from an unknown computer, etc. However, I learned my lesson to always listen to what the Wordfence team puts out there. You guys (and gals) rock!

Rose May 24, 2016 at 1:30 pm

Yes, WORDFENCE is the best. Why do people hesitate to go for the Premium Wordfence option? Laziness?

JP May 24, 2016 at 1:34 pm

Can you tell me the version number for the fixed version of WP Fastest Cache? I want to make sure it's updated, because I logged into my site and there was not an update for it. I don't know if it was pushed without intervention.

Dan Moen May 24, 2016 at 2:06 pm

Hi JP, version 0.8.5.7 should contain fixes for both vulnerabilities.

JP May 24, 2016 at 2:10 pm

Thanks, that's what I have, so they must have pushed it. Thanks for letting us know about this.

david May 24, 2016 at 2:46 pm

Hello Dan,

So, must we download the plugin manually and update it by FTP to really update WP Fastest Cache?

Like JP said, there is not any upgrade on the WordPress dashboard, so we must suppose that we still have the vulnerable version of the plugin installed.

Can you clarify, please?

PS: Thanks to the Wordfence team for your work.

Dan Moen May 24, 2016 at 3:02 pm

Hi David, on the plugin page in the WordPress backend you should see the version number for each plugin. It is located right below the description. If the version is 0.8.5.7 you have the most recent version of the plugin which should include fixes for both of the vulnerabilities we reported.

david May 24, 2016 at 3:13 pm

Dan, sorry, but I don't understand... I think I missed something. Let me explain why:

If I have the latest version (0.8.5.7), and I last updated the plugin 21 days ago, but the vulnerability was discovered yesterday...

How is it possible my 0.8.5.7 version already has vulnerability fix?

Dan Moen May 24, 2016 at 3:22 pm

Hi David, I can't speak to the update history on your web server or how the plugin author chose to update the change log. I can say with certainty that we developed our proof of concepts on version 0.8.5.6 and they didn't work any more yesterday evening with version 0.8.5.7. It looks like version 0.8.5.8 is now available and the change log for that version makes reference to our reported vulnerabilities. I hope this helps.

david May 24, 2016 at 3:50 pm

Hey Dan, I think the plugin update is really ready now.

Five minutes ago, the 0.8.5.8 version update appeared in the plugin update section.

That was the problem; it seems like the plugin author really didn't update the plugin with the fix.
(Hope it is really fixed).

Best Regards.

Dan Moen May 24, 2016 at 4:09 pm

Hi David, I am glad it is clear now. Our proof of concept for the vulnerability worked for 0.8.5.6 but not for 0.8.5.7, so I think you were fine with 0.8.5.7. It's great to have clarity in the change log for 0.8.5.8 now though. Cheers!

Chook May 24, 2016 at 3:13 pm

v0.8.5.8 just became available (10 mins ago from writing this)

Changelog :

to remove hostname from exclude rule
to fix file cache problem
to change the mobile user-agents
to fix Wordfence Security report

Alejandro Rodriguez May 24, 2016 at 1:38 pm

Definitely my best purchase. You guys are the top of the TOP; I feel secure and peaceful in your hands! Keep doing that!

Mark Klinefelter May 24, 2016 at 2:38 pm

Great job Tim and crew! Always sleep better at night with Wordfence Premium. Thanks again.

Shubham Kumar May 24, 2016 at 4:01 pm

You Guys are like a savior man.

Thanks
Shubham

Martin Sabel May 24, 2016 at 4:50 pm

Dan -

Add my name to the chorus of kudos. I can't believe I even thought about publishing a site without Wordfence protection. Never again! Thanks for doing what you do. Guys like me sleep much better at night knowing you have our backs.

Martin

Abdelaziz Kaima May 24, 2016 at 5:50 pm

You guys are like Superman :)
Thanks again for great support!

James Taiwo May 25, 2016 at 1:53 am

Awesome! Thanks for this information.

Pritam May 25, 2016 at 9:26 am

You guys are awesome. Really doing a great job. Because of you guys I can sleep peacefully without any tension for my blog. If any problems occur I know you guys will take care of them.

Viktor Vedmak October 14, 2016 at 1:46 am

Yet another reason to be on top of updates.
