WordPress Security Updates: July 2020

This monthly report is provided for the WordPress community at large from Pagely’s head of security, Robert Rowley. Rowley and the entire security team keep their finger on the pulse of any potential vulnerabilities that might affect our customers, as well as any WordPress user.

We sincerely hope these efforts help any and all that could use information from the experts on monthly security issues. We commend the researches and developers that help to identify and patch these issues in a timely fashion.

WordPress Core No notable WordPress core security releases.

Plugin/Theme Vulnerabilities of Note Security & Malware scan by CleanTalk https://wpvulndb.com/vulnerabilities/10292 This vulnerability within CleanTalk allows an authenticated user, such as an editor or subscriber, to make unauthorized Ajax calls which could lead to file deletion or downloads and also potentially function calls.

Adning Advertising https://wpvulndb.com/vulnerabilities/10293 The Adning Advertising plugin has a vulnerability in versions lower than 1.5.6 which allows unauthenticated requests to upload or delete files, leading to an RCE attack, which can then lead to full site takeover.

Wise Chat https://wpvulndb.com/vulnerabilities/10299 Wise Chat versions lower than 2.8.4 are susceptible to a CSV injection via a command sent in chat messages by an unauthenticated user that is included in an exported CSV file, which then could potentially lead to an RCE attack.

Email Verification for WooCommerce https://wpvulndb.com/vulnerabilities/10318 The Email Verification for Woocommerce plugin prior to version 1.8.2 is affected by a loose comparison issue. This could potentially lead to any user (authenticated or non-authenticated), to log into the WordPress site.

SRS Simple Hits Counter https://wpvulndb.com/vulnerabilities/10316 The SRS Simple Hits counter plugin is currently vulnerable to an unauthenticated blind SQL injection vulnerability. The responsible reporting parties at Tenable ( https://www.tenable.com/security/research/tra-2020-42 ) are working with the developer to write a more comprehensive patch to address this vulnerability, and will not release more details on the attack until they know a patch has been released. Site owners using SRS Simple Hits Counter plugin on their sites should keep an eye out daily for the patch to be released.

Payment Form For Paypal Pro https://wpvulndb.com/vulnerabilities/10287 The Payment Form for Paypal Pro plugin versions before 1.1.65 are vulnerable to an unauthenticated SQL injection attack. The attack is a trivial single request which can expose the contents of your database (which includes user passwords and potentially other secrets) to the attack. This is a high risk vulnerability and site owners should patch immediately.

WooCommerce Subscriptions https://wpvulndb.com/vulnerabilities/10330 The WooCommerce Subscription plugin is vulnerable to an unauthenticated stored cross site scripting (XSS) attack in the subscription billing process. Attackers can submit their XSS attack payload to during the billing step in the signup process, and later that payload will be executed on the browser of the administrator/user who reviews the attacker’s account. Site owners should update WooCommerce Subscriptions plugin to version 2.6.3 and not check any new user account information until that update is performed.

TC Custom JavaScript https://wpvulndb.com/vulnerabilities/10325 The TC Custom Javascript plugin is vulnerable to an unauthenticated stored cross site scripting attack. Sites running versions before 1.2.2 should update immediately, attackers can add their own javascript or HTML to the footer of all pages loaded by WordPress with a few basic requests. This vulnerability is likely to be targeted by SEO spam bots.

KingComposer https://wpvulndb.com/vulnerabilities/10297 The KingComposer plugin is vulnerable to a reflected cross site scripting vulnerability in versions before 2.9.5 This means the attacker’s malicious HTML/javascript will only be available to the browser making this request. This still poses a high risk if an attacker can trick an already logged in user to click on a malicious link/form to the website, potentially exposing secrets viewable by the user giving them to the attacker.

JobSearch https://wpvulndb.com/vulnerabilities/10328 The JobSearch plugin versions before 1.5.6 are vulnerable to a reflected cross site scripting vulnerability. Much like the KingComposer vulnerability above it is a high risk if logged in users to be targeted. The proof of concept for this vulnerability will be released on August 6th, 2020, site owners should patch before this date.

See previous months’ WordPress security updates from May and June .

WordPress Security Updates: July 2020

WordPress Security Updates: June 2020

Pagely Security Updates

WordPress Security Updates: April 2020

WordPress Security Updates: March 2020

WordPress Security Updates: Feb 2020

WordPress Security Updates: Jan 2020

The Short History of Unauthenticated Site Options Update Vulnerabilities

Can WordPress Developers and Security Researchers get along?

For Safety, the P3 Plugin Has Been Banned