Vulnerability Roundup for Thursday July 28th
This is a roundup of recent vulnerabilities in WordPress plugins that you should be aware of.
This morning we published details of a reflected cross-site scripting vulnerability in Easy Forms for MailChimp versions 6.1.2 and older. One of our own researchers discovered this vulnerability and notified the author, who released a fix on Tuesday. Upgrade immediately if you run this plugin.
The following notable plugins have had vulnerabilities reported in the past week. If you use any of these plugins, upgrade promptly:
- Contact Form Email version 1.1.47 and older contains an authenticated reflected XSS vulnerability. Upgrade to 1.1.48 as soon as possible.
- Code Snippets 2.6.1 and older contains an authenticated reflected XSS vulnerability. Upgrade to 2.7.0 as soon as possible.
- Lazy Load contains a stored XSS vulnerability in version 0.6 and earlier. Upgrade ASAP.
The Form Lightbox plugin has been removed from the WordPress repository. However, it contains a vulnerability that allows an attacker to update any option in the WP database and thereby gain admin access to a site. If you use this plugin, we recommend that you remove it.
The most recent version of this plugin was 2.1, and it had approximately 34,000 downloads at the time of its removal. The slug for the plugin is form-lightbox.
- The Ninja Forms plugin version 2.9.51 and older contains multiple authenticated cross-site scripting vulnerabilities. Upgrade to version 2.9.54 as soon as possible.
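As an added check (not part of the original roundup or of Wordfence's code), the following Python script compares a site's installed plugin versions, as reported by WP-CLI's `wp plugin list --format=json`, against the affected ranges above. The post gives only the form-lightbox slug; the other slugs are assumptions and should be verified against each plugin's directory name.

```python
import json
import re

# Affected ranges as stated in this roundup: slug -> (highest vulnerable version, advice).
# Only form-lightbox's slug appears on the page; the other slugs are assumed.
# A removed plugin is recorded with None: it is unsafe at any version.
ADVISORIES = {
    "yikes-inc-easy-mailchimp-extender": ("6.1.2", "upgrade (fix released Tuesday)"),
    "contact-form-to-email": ("1.1.47", "upgrade to 1.1.48"),
    "code-snippets": ("2.6.1", "upgrade to 2.7.0"),
    "lazy-load": ("0.6", "upgrade"),
    "ninja-forms": ("2.9.51", "upgrade to 2.9.54"),
    "form-lightbox": (None, "remove: plugin pulled from the repository"),
}

def parse_version(version):
    """'2.9.51' -> (2, 9, 51); tolerates suffixes such as '1.0-beta2' by keeping digits."""
    parts = []
    for piece in version.split("."):
        m = re.match(r"\d+", piece)
        parts.append(int(m.group()) if m else 0)
    return tuple(parts)

def is_affected(slug, version):
    """True when the installed version falls inside the roundup's vulnerable range."""
    entry = ADVISORIES.get(slug)
    if entry is None:
        return False
    highest_vulnerable, _ = entry
    if highest_vulnerable is None:        # removed plugin: every version is a problem
        return True
    # Numeric tuple comparison, so 1.1.9 correctly sorts below 1.1.47 (a string compare would not).
    return parse_version(version) <= parse_version(highest_vulnerable)

def check_plugins(plugin_list_json):
    """Take `wp plugin list --format=json` output; return [(slug, version, advice)] for hits."""
    return [(p["name"], p["version"], ADVISORIES[p["name"]][1])
            for p in json.loads(plugin_list_json)
            if is_affected(p["name"], p["version"])]

# Constructed sample of what `wp plugin list --format=json` prints on a test site.
SAMPLE_PLUGIN_LIST = json.dumps([
    {"name": "ninja-forms", "status": "active", "update": "available", "version": "2.9.51"},
    {"name": "code-snippets", "status": "active", "update": "none", "version": "2.7.0"},
    {"name": "contact-form-to-email", "status": "inactive", "update": "available", "version": "1.1.9"},
    {"name": "form-lightbox", "status": "active", "update": "none", "version": "2.1"},
    {"name": "akismet", "status": "active", "update": "none", "version": "3.1.11"},
])
if __name__ == "__main__":
    print(check_plugins(SAMPLE_PLUGIN_LIST))
```

On a real site, pipe the output of `wp plugin list --format=json` into `check_plugins` instead of the constructed sample; inactive plugins are flagged too, since their code remains on disk.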
Improved vulnerability alerting in Wordfence
Note that since the Wordfence 6.1.11 update, plugin update alerts are classified by whether the plugin has a known vulnerability: if it does, the alert is a ‘critical’ alert; if it does not, the alert is a ‘warning’. This lets you easily distinguish urgent plugin updates from routine ones.
Summer of Pwnage
In the past month the Dutch community project Summer of Pwnage has uncovered multiple WordPress vulnerabilities. We encourage you to run your eye down the project's advisories page and update any of the plugins you run that may be affected.
We encourage you to share these vulnerabilities with the larger WordPress community to help keep site owners safe from exploitation.