
Vulnerability Roundup for Thursday July 28th

This entry was posted in Vulnerabilities, WordPress Security on July 28, 2016 by Mark Maunder

This is a roundup of recent vulnerabilities in WordPress plugins that you should be aware of.

This morning we published details of a reflected cross-site scripting vulnerability in Easy Forms for MailChimp versions 6.1.2 and older. One of our own researchers discovered the vulnerability and notified the author, who released a fix on Tuesday. If you run this plugin, upgrade immediately.

The following notable plugins have had vulnerabilities reported in the past week. If you use any of these plugins, upgrade promptly:

The Form Lightbox plugin has been removed from the WordPress repository, but it contains a vulnerability that allows an attacker to update any option in the WP database and thereby gain administrator access to the site. Because no fixed version is available, we recommend that you remove this plugin if you use it.
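To make the bug class concrete, here is an added illustration (not code from the Form Lightbox plugin or from Wordfence) of a WordPress AJAX handler that lets a request choose both the option name and the value it writes, beside a hardened version. The hook names, option names and the `manage_options` capability are assumptions for the example. The comment on the vulnerable handler describes the general path from "write any option" to an administrator account in WordPress, not a step documented for this particular plugin.

```php
<?php
// Added example, not the plugin's own code. Demonstrates the "update any option"
// class of vulnerability in a WordPress AJAX handler and one way to harden it.
// Hook names (fl_save_setting*), option names and the capability are assumptions.

// VULNERABLE: wp_ajax_nopriv_* is reachable by unauthenticated visitors, there is no
// capability or nonce check, and the option name and value come straight from the
// request. In WordPress generally, an attacker who can write arbitrary options can
// set users_can_register=1 and default_role=administrator, then register an admin.
add_action( 'wp_ajax_nopriv_fl_save_setting', 'fl_save_setting_vulnerable' );
add_action( 'wp_ajax_fl_save_setting', 'fl_save_setting_vulnerable' );
function fl_save_setting_vulnerable() {
    update_option( $_POST['name'], $_POST['value'] );
    wp_send_json_success();
}

// HARDENED: logged-in users only (no nopriv hook), a capability check, a nonce check,
// an allow-list of option names the plugin actually owns, and a sanitized value.
add_action( 'wp_ajax_fl_save_setting_safe', 'fl_save_setting_hardened' );
function fl_save_setting_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 ); // exits
    }
    check_ajax_referer( 'fl_save_setting', 'nonce' ); // dies on a bad or missing nonce

    // Only options this plugin owns may be written; core options such as
    // default_role or users_can_register can never be reached through this handler.
    $allowed = array( 'fl_button_text', 'fl_overlay_color' ); // assumed plugin options
    $name    = isset( $_POST['name'] ) ? sanitize_key( wp_unslash( $_POST['name'] ) ) : '';
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    $value = isset( $_POST['value'] ) ? sanitize_text_field( wp_unslash( $_POST['value'] ) ) : '';
    update_option( $name, $value );
    wp_send_json_success( array( 'name' => $name ) );
}
```

The nonce the hardened handler checks is created server-side with `wp_create_nonce( 'fl_save_setting' )` and handed to the page's script (for example via `wp_localize_script`), which sends it as the `nonce` field of the AJAX POST. The allow-list is the part that actually closes this bug class: a capability check alone still lets a compromised or malicious administrator-level request write core options, and sanitizing the value does nothing about the attacker choosing the option name.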

The most recent version of this plugin was version 2.1, and it had approximately 34,000 downloads at the time of its removal. The slug for the plugin is form-lightbox.
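The slug is what you need to find leftover installs of a pulled plugin across a server, which is how one host in the comments says they use these roundups. The following is an added command-line helper (not from the post or from Wordfence) that walks a web root, finds every `wp-content/plugins/<slug>/` directory, and reports the version declared in the plugin's header. The root path and the output format are assumptions; the `wp-content/plugins/<slug>` layout and the `Version:` header field are standard WordPress conventions.

```php
<?php
// Added helper, not code from the post. Finds installs of a plugin slug under a web
// root and reports the version from the plugin header, so the plugin can be removed
// or updated site by site. Usage: php find-plugin.php /var/www form-lightbox

function plugin_header_version( string $plugin_dir ): ?string {
    // WordPress itself reads only the first 8 KiB of each top-level .php file when
    // looking for header fields such as "Version: 2.1", so do the same here.
    foreach ( glob( $plugin_dir . '/*.php' ) ?: array() as $file ) {
        $head = file_get_contents( $file, false, null, 0, 8192 );
        if ( $head !== false && preg_match( '/^[ \t\/*#@]*Version:\s*(.+?)\s*$/mi', $head, $m ) ) {
            return $m[1];
        }
    }
    return null;
}

function find_plugin_installs( string $root, string $slug ): array {
    $hits = array();
    $it   = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator( $root, FilesystemIterator::SKIP_DOTS ),
        RecursiveIteratorIterator::SELF_FIRST
    );
    foreach ( $it as $path => $info ) {
        if ( ! $info->isDir() || $info->getFilename() !== $slug ) {
            continue;
        }
        // Only count the directory when it sits at wp-content/plugins/<slug>, so a
        // theme or upload folder that happens to share the name is not reported.
        $parent = dirname( $path );
        if ( basename( $parent ) === 'plugins' && basename( dirname( $parent ) ) === 'wp-content' ) {
            $hits[ $path ] = plugin_header_version( $path ) ?? 'unknown';
        }
    }
    return $hits;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    $slug = $argv[2] ?? 'form-lightbox';
    foreach ( find_plugin_installs( $argv[1], $slug ) as $dir => $ver ) {
        // Form Lightbox was pulled with no fixed release, so every version found is
        // reported; the site root is three levels above wp-content/plugins/<slug>.
        printf( "%s\tversion %s\tsite root: %s\n", $dir, $ver, dirname( $dir, 3 ) );
    }
}
```

Run it as the user that owns the web root, or from a cron job that writes the output to a ticket or a notification to the site owner. For a plugin that does have a fixed release, compare the reported version with `version_compare( $ver, $fixed, '<' )` before flagging it; for a plugin that has been removed from the repository, as here, every install found should be removed.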

Improved vulnerability alerting in Wordfence

Note that since the 6.1.11 update of Wordfence, when you are alerted about a plugin update, the alert is a 'critical' alert if that plugin has a known vulnerability and a 'warning' if it does not. This lets you easily tell urgent plugin updates apart from routine ones.

Summer of Pwnage

In the past month the Dutch community project the Summer of Pwnage has uncovered multiple WordPress vulnerabilities. We encourage you to run your eye down this advisories page from the project and update any of the plugins that you run that may be affected.

We encourage you to share these vulnerabilities with the larger WordPress community to help keep site owners safe from exploitation.


12 Comments on "Vulnerability Roundup for Thursday July 28th"

Sam Perrow July 28, 2016 at 10:13 am • Reply

Hello,
I recently created a WP plugin, and wanted to see if you all would be able to investigate it and let me know of any vulnerabilities. It allows users to use shortcodes to display YouTube videos and images without slowing down page load time. I have made the code/UI as simple as possible, but would love expert advice on how to make it more secure, and fix any issues ahead of time.
Thank you!

mark July 28, 2016 at 10:48 am • Reply

Hi Sam,

Unfortunately we don't offer this service. There are over 40,000 plugins in the repository and we'd love to be able to investigate every plugin for vulnerabilities, but that's not feasible. However I'd encourage you to visit wordfence.com/learn to read about the kinds of vulnerabilities you should avoid writing and how to write secure code.

Mark.

Corey C. July 28, 2016 at 10:28 am • Reply

"[...] when you are now alerted about a plugin update, if that plugin has a known vulnerability it will be a ‘critical’ alert and if it does not have a known vulnerability the alert will be a ‘warning’."

Does this mean that when email alerts are set to be sent for critical issues only, we will now only receive an email about plugin updates IF there's a major security issue?

mark July 28, 2016 at 10:46 am • Reply

Hi Corey,

Yes that's correct. Just reconfirmed with the team.

Mark.

mark July 28, 2016 at 10:51 am • Reply

Corey, here's a sample of what this looks like in the new alert email.

Critical Problems:
* The Plugin "Ninja Forms" needs an upgrade (2.9.41 -> 2.9.54).
Update includes security-related fixes. https://wordpress.org/plugins/ninja-forms/changelog
* The Plugin "WP Job Manager" needs an upgrade (1.23.7 -> 1.25.0).
Update includes security-related fixes. https://wordpress.org/plugins/wp-job-manager/changelog

Magda van Tilburg July 28, 2016 at 10:54 am • Reply

Hi dear Wordfencers!

Today I found this notice from you on my WP-site:

"Notice: Undefined index: coreUnknown in /home/boox/domains/booxalive.nl/public_html/wp-content/plugins/wordfence/lib/wordfenceHash.php on line 141"

Is this related to the above mentioned vulnerabilities?
Or, what does it mean actually? Should I be worried, because I don't know how to handle this?

Thnx anyway for your continuous awesome work!!

Greetz from Amsterdam, Magda

mark July 28, 2016 at 11:37 am • Reply

Hi Magda,

Please visit our forums where they'll be able to help you. I think this is a known issue so they'll have a quick fix for you.

https://wordpress.org/support/plugin/wordfence

Mark.

Magda van Tilburg July 28, 2016 at 12:00 pm • Reply

Thank you, Mark!!

Amit July 28, 2016 at 10:58 am • Reply

I am using Wordfence and happy for this reason only: you people keep me updated on everything. Any vulnerability, any unauthorized access, etc. Thanks for the plugin; keep the good work up.

Markus July 28, 2016 at 11:19 am • Reply

Hey guys, time to thank you for the really good job you do. Since I use your Wordfence plugin on all my WP blogs I no longer have any problems with attacks etc. Using your plugin was and is for sure the best decision I ever made in relation to my WP blogs.

So keep up your Work! It is important and makes WP safer!

Regards,
Markus

wild23 July 28, 2016 at 12:35 pm • Reply

Wow, just, wow. You guys are providing a real service, but the number of vulnerabilities in plugins must be getting into the hundreds of thousands, and there must be thousands of websites without hands-on updates being taken care of. Big problems waiting to happen...?

Rob Turner August 2, 2016 at 10:21 am • Reply

Great service you're providing. We try to use notices like these to scan our servers for people using the plugins and actively inform them that an update is required. As a web host it's worthwhile, as some malware can cause us to get on blacklists etc., so we are actively trying to keep our noses and the noses of our clients clean.
