Unauthenticated Arbitrary Post Deletion Vulnerability Patched in LeadConnector WordPress Plugin

On February 8th, 2024, during the second Wordfence Bug Bounty Extravaganza, a submission was received for an Arbitrary Post Deletion vulnerability in LeadConnector, a WordPress plugin with more than 20,000 active installations. This vulnerability could be used by unauthenticated attackers to delete arbitrary posts or pages.

Props to Krzysztof Zając who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $197.00 for this discovery during our Bug Bounty Program Extravaganza.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on February 9, 2024. Sites using the free version of Wordfence received the same protection on March 10, 2024.

Wordfence contacted the LeadConnector Team on February 8, 2024. After not receiving a reply they escalated the issue to the WordPress.org Security Team on March 8, 2024. After that, the developer released a patch on April 23, 2024.

We urge users to update their sites with the latest patched version of LeadConnector, which is version 1.8, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2024/04/197-bounty-awarded-for-unauthenticated-arbitrary-post-deletion-vulnerability-patched-in-leadconnector-wordpress-plugin/

Arbitrary Options Update Vulnerability Patched in WP Datepicker WordPress Plugin

On April 14th, 2024, during the Wordfence Bug Bounty Extravaganza a submission was received for an Arbitrary Options Update vulnerability in WP Datepicker, a WordPress plugin with more than 10,000 active installations. This vulnerability could be used by authenticated attackers, with subscriber-level access and above, to update arbitrary options which can easily be leveraged for privilege escalation.

Props to Lucio Sá who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $493.00 for this discovery during our Bug Bounty Program Extravaganza.

Paid Wordfence users received a firewall rule to protect against any exploits targeting this vulnerability on April 16, 2024. Sites using the free version of Wordfence will receive the same protection 30 days later on May 16, 2024.

Wordfence contacted the developer Fahad Mahmood on April 16, 2024, and received a response on the same day. After providing full disclosure details the next day, the developer released the first patch on the same day. A fully patched version, 2.1.1, was released on April 19, 2024. We would like to commend Fahad Mahmood for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of WP Datepicker, which is version 2.1.1, as soon as possible.
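The advisory above names the flaw class (any logged-in user can write any option) and its consequence (privilege escalation, since core settings share the same options table with a plugin's own settings). The following is an added example, not WP Datepicker's code, of what an option-saving AJAX handler must do to avoid that class: a nonce check, a capability check, and an allowlist of the plugin's own option names with a sanitizer per option. The prefix `mysched_`, the option names and the action name are hypothetical; the WordPress functions called are real core APIs.

```php
<?php
// Added example, not WP Datepicker's code. Hypothetical plugin prefix: mysched_.

// The vulnerable shape: the option *name* is taken from the request, and the only
// gate is that the caller is logged in (wp_ajax_ hooks fire for every user role).
// Sanitizing the strings does not help; the problem is which option gets written.
function mysched_save_setting_unsafe() {
    update_option(
        sanitize_text_field( wp_unslash( $_POST['name'] ) ),
        sanitize_text_field( wp_unslash( $_POST['value'] ) )
    );
    wp_send_json_success();
}

// The hardened shape. Only these options may be written, each through its own
// sanitizer, so a request can never name a core option such as default_role.
const MYSCHED_ALLOWED_OPTIONS = array(
    'mysched_date_format' => 'sanitize_text_field',
    'mysched_first_day'   => 'absint',
);

function mysched_save_setting() {
    // 1. Anti-CSRF: the request must carry a nonce issued for this action.
    check_ajax_referer( 'mysched_save_setting', 'nonce' );

    // 2. Authorization: being logged in is not enough; subscribers can log in too.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Allowlist: normalize the requested key and look it up; unknown keys are
    //    rejected before update_option() is ever reached.
    $name = isset( $_POST['name'] ) ? sanitize_key( wp_unslash( $_POST['name'] ) ) : '';
    if ( ! array_key_exists( $name, MYSCHED_ALLOWED_OPTIONS ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    // 4. Per-option sanitization chosen by the allowlist, not by the client.
    $sanitize = MYSCHED_ALLOWED_OPTIONS[ $name ];
    $value    = isset( $_POST['value'] ) ? $sanitize( wp_unslash( $_POST['value'] ) ) : '';

    update_option( $name, $value );
    wp_send_json_success( array( 'option' => $name ) );
}
add_action( 'wp_ajax_mysched_save_setting', 'mysched_save_setting' );
```

The order matters: the capability check alone would still let an administrator's session be abused through CSRF, and the nonce alone would still let a subscriber write options, so a handler that writes to the options table needs both, plus the allowlist so that the set of writable options is fixed in code rather than chosen by the request.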

Over 300,000 WordPress Websites Affected by Critical Forminator Plugin Vulnerability

The Forminator plugin for WordPress, utilized by over 500,000 sites, has a vulnerability that could let attackers upload files to the server without restrictions.

Developed by WPMU DEV, Forminator is a customizable tool for creating contact forms, surveys, quizzes, feedback forms, polls, and payment forms on WordPress. It features drag-and-drop functionality and integrates with many third-party services.

On Thursday, Japan’s Computer Emergency Response Team (CERT) issued a warning through its vulnerability notes portal (JVN) about a critical security issue in Forminator, known as CVE-2024-28890 (CVSS v3: 9.8). This flaw could let remote attackers upload malware to WordPress sites using the plugin.

According to the JVN, a remote attacker could gain sensitive information by accessing server files, moderating a site using the plugin, or causing a denial-of-service (DoS) incident.

JPCERT’s security bulletin lists three specific vulnerabilities in Forminator:

  • CVE-2024-28890 – Insufficient file validation during uploads allows remote attackers to upload and run malicious files on the server. This affects Forminator 1.29.0 and earlier.
  • CVE-2024-31077 – An SQL injection flaw enabling remote attackers with admin privileges to execute arbitrary SQL queries in the site’s database. This impacts Forminator 1.29.3 and earlier.
  • CVE-2024-31857 – A cross-site scripting (XSS) flaw allowing attackers to inject HTML and script code into a user’s browser by tricking them into clicking on a crafted link. This affects Forminator 1.15.4 and older.

Site administrators using the Forminator plugin are advised to update to version 1.29.3 or later to mitigate all three vulnerabilities.

According to WordPress.org, since the security update was released on April 8, 2024, about 180,000 site admins have downloaded the plugin, implying that about 320,000 sites could still be vulnerable.

At the time of writing, there have been no public reports of active exploitation of CVE-2024-28890. However, the flaw’s high severity and low difficulty pose a significant risk for those who delay updating the plugin.

To reduce the risk of attacks on WordPress sites, administrators should minimize the use of plugins, ensure they’re always updated, and deactivate those not actively in use.

Source: https://blog.wpsec.com/over-300000-wordpress-websites-affected-by-critical-forminator-plugin-vulnerability
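JPCERT's entry for CVE-2024-28890 describes the flaw only as insufficient file validation during uploads. As an added example, not Forminator's code, the handler below shows the validation a public form-upload endpoint needs so that this class of flaw cannot turn into code execution: a client name that is never trusted, an extension and MIME allowlist, a content check, a guard against double extensions, and a final move through core's own upload routine. The prefix `myform_`, the size limit and the allowlist contents are hypothetical; `sanitize_file_name`, `wp_check_filetype_and_ext` and `wp_handle_upload` are real WordPress core functions.

```php
<?php
// Added example, not Forminator's code. Hypothetical plugin prefix: myform_.

// Allowlist of what this form accepts. Anything not listed is rejected, so
// .php, .phtml or .phar content never reaches the uploads directory.
const MYFORM_ALLOWED_MIMES = array(
    'jpg|jpeg' => 'image/jpeg',
    'png'      => 'image/png',
    'pdf'      => 'application/pdf',
);
const MYFORM_MAX_BYTES = 5 * 1024 * 1024; // 5 MiB, a hypothetical limit

/**
 * Validate one $_FILES entry. Returns array( 'ok' => bool, 'reason' => string,
 * 'name' => string ). Nothing is moved here, so this can run on its own.
 */
function myform_validate_upload( array $file ) {
    if ( ! isset( $file['error'], $file['tmp_name'], $file['name'] )
         || UPLOAD_ERR_OK !== (int) $file['error'] ) {
        return array( 'ok' => false, 'reason' => 'upload error', 'name' => '' );
    }
    if ( ! isset( $file['size'] ) || (int) $file['size'] > MYFORM_MAX_BYTES ) {
        return array( 'ok' => false, 'reason' => 'too large', 'name' => '' );
    }

    // Never trust the client-supplied name: this strips path separators,
    // control characters and other unsafe bytes.
    $name = sanitize_file_name( $file['name'] );
    if ( '' === $name ) {
        return array( 'ok' => false, 'reason' => 'empty name', 'name' => '' );
    }

    // Double extensions ("photo.php.jpg"): a server configured with an
    // AddHandler-style rule can execute such a file regardless of its last
    // extension, so refuse an executable extension anywhere in the name.
    if ( preg_match( '/\.(php\d?|phtml|phar)(\.|$)/i', $name ) ) {
        return array( 'ok' => false, 'reason' => 'executable extension', 'name' => '' );
    }

    // Core checks the extension against the allowlist and, for the types it can
    // sniff, compares the file content with the claimed type; both 'ext' and
    // 'type' come back false when either check fails.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $name, MYFORM_ALLOWED_MIMES );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return array( 'ok' => false, 'reason' => 'type not allowed', 'name' => '' );
    }
    // Core may rename a file whose content disagrees with its extension.
    if ( ! empty( $check['proper_filename'] ) ) {
        $name = $check['proper_filename'];
    }
    return array( 'ok' => true, 'reason' => '', 'name' => $name );
}

/**
 * Store a validated upload under wp-content/uploads via core, which applies
 * the same MIME allowlist a second time. 'test_form' is false because this is
 * not the core media form.
 */
function myform_store_upload( array $file ) {
    $verdict = myform_validate_upload( $file );
    if ( ! $verdict['ok'] ) {
        return $verdict;
    }
    // wp_handle_upload() lives in an admin include that is not loaded on the
    // front end, where public form submissions arrive.
    require_once ABSPATH . 'wp-admin/includes/file.php';

    $file['name'] = $verdict['name'];
    $moved = wp_handle_upload( $file, array(
        'test_form' => false,
        'mimes'     => MYFORM_ALLOWED_MIMES,
    ) );
    if ( isset( $moved['error'] ) ) {
        return array( 'ok' => false, 'reason' => $moved['error'], 'name' => '' );
    }
    return array( 'ok' => true, 'reason' => '', 'name' => basename( $moved['file'] ), 'path' => $moved['file'] );
}
```

Validation in the plugin is the first layer; the second, which the advice to minimize and update plugins does not replace, is to serve the uploads directory with script execution disabled (for Apache a `php_flag engine off` or `RemoveHandler` rule in that directory, for nginx a `location` block that denies `.php` under `/wp-content/uploads/`), so that a future bypass of any plugin's validation still cannot execute what it stores.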

Privilege Escalation Vulnerability Patched in User Registration WordPress Plugin

On March 9th, 2024, during the second Wordfence Bug Bounty Extravaganza, a submission was received for a Privilege Escalation vulnerability in User Registration, a WordPress plugin with more than 60,000 active installations. This vulnerability makes it possible for an authenticated attacker to grant themselves administrative privileges by updating the default user role.

Props to Stiofan who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $2,063.00 for this discovery during our Bug Bounty Program Extravaganza.

All Wordfence users are protected against any exploits targeting this vulnerability by the Wordfence firewall’s protection.

Wordfence tried to contact WPEverest on March 13, 2024 through their contact form; however, we did not receive a response. On April 9, 2024, they reached out directly to an email address we had from a previous disclosure and received a response the same day. The full disclosure details were then sent on April 10, 2024. After providing full disclosure details, the developer released a patch on April 15, 2024. We would like to commend WPEverest for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of User Registration, which is version 3.2.0, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2024/04/2063-bounty-awarded-for-privilege-escalation-vulnerability-patched-in-user-registration-wordpress-plugin

SQL Injection Vulnerability Patched in WP Activity Log Premium WordPress Plugin

On February 24th, 2024, during the second Wordfence Bug Bounty Extravaganza, a submission was received for an authenticated SQL Injection vulnerability in WP Activity Log Premium, a WordPress plugin with more than 20,000 estimated active installations. This vulnerability can be leveraged to extract sensitive data from the database, such as password hashes.

Props to 1337_Wannabe who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $400.00 for this discovery during our Bug Bounty Program Extravaganza.

All Wordfence users are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in SQL Injection protection.

Wordfence reached out to Melapress on February 29, 2024 via their contact form. Since we did not receive a reply, we tried another contact method on March 27, 2024, and received a response on March 27, 2024. After providing full disclosure details, the developer released a patch on April 9, 2024. We would like to commend Melapress for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of WP Activity Log Premium, which is version 4.6.4.1, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2024/04/400-bounty-awarded-for-sql-injection-vulnerability-patched-in-wp-activity-log-premium-wordpress-plugin

Unauthenticated SQL Injection Vulnerability Patched in Email Subscribers by Icegram Express WordPress Plugin

On March 25th, 2024, during the second Wordfence Bug Bounty Extravaganza, a submission was received for an unauthenticated SQL Injection vulnerability in Email Subscribers by Icegram Express, a WordPress plugin with more than 90,000 active installations. This vulnerability can be leveraged to extract sensitive data from the database, such as password hashes.

Props to Arkadiusz Hydzik who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $1,250.00 for this discovery during our Bug Bounty Program Extravaganza.

All Wordfence users are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in SQL Injection protection.

Wordfence contacted the Icegram Team regarding a separate vulnerability on March 21, 2024, and received a response on the same day. After providing full disclosure details about this vulnerability on March 25, 2024, the developer released a patch on March 27, 2024. We would like to commend the Icegram Team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of Email Subscribers by Icegram Express, which is version 5.7.15, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2024/04/1250-bounty-awarded-for-unauthenticated-sql-injection-vulnerability-patched-in-email-subscribers-by-icegram-express-wordpress-plugin

WordPress 6.5.2 released: Unauthenticated Stored Cross-Site Scripting Vulnerability Patched in WordPress Core

WordPress 6.5.2 was released on April 9, 2024. It included a single security patch, along with a handful of bug fixes. The security patch was for a Stored Cross-Site Scripting vulnerability that could be exploited by both unauthenticated users, when a comment block is present on a page, and by authenticated users who have access to the block editor such as contributors.

All Wordfence users are already protected against exploits targeting this vulnerability through unauthenticated methods. Users of paid versions of Wordfence received a firewall rule to protect against any exploits targeting this vulnerability through authenticated methods on April 10, 2024. Sites using the free version of Wordfence will receive the same protection 30 days later on May 10, 2024.

The patch has been backported to version 6.1 and later of WordPress. We urge all WordPress users to verify that their sites are updated to 6.5.2, or another backported security release, immediately as this issue could allow full site takeover when the right conditions are met. Most sites should have auto-updated, however, it’s a good idea to verify the auto-update was successful.

Source and more info: https://www.wordfence.com/blog/2024/04/unauthenticated-stored-cross-site-scripting-vulnerability-patched-in-wordpress-core

See also: https://wpscan.com/blog/unauthenticated-stored-xss-fixed-in-wordpress-core/

Privilege Escalation and Local File Inclusion Vulnerabilities Patched in MasterStudy LMS WordPress Plugin

On February 25th, 2024, during the second Wordfence Bug Bounty Extravaganza, a submission was received for a Privilege Escalation vulnerability in MasterStudy LMS, a WordPress plugin with more than 10,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by updating user metadata during registration. The next day on February 26th, 2024, and later on March 31st, we also received submissions for a Local File Inclusion vulnerability in the MasterStudy LMS WordPress plugin. This vulnerability makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files.

Props to Hiroho Shimada who discovered and responsibly reported these vulnerabilities through the Wordfence Bug Bounty Program. This researcher earned a bounty of $625.00 for the Privilege Escalation and $312.00 for the Local File Inclusion during our Bug Bounty Program Extravaganza.

All Wordfence users are protected against any exploits targeting these vulnerabilities by the Wordfence firewall’s protection.

Wordfence contacted StylemixThemes on March 13, 2024, and received a response on the same day. After providing full disclosure details, the developer released the first patch on March 20, 2024, the second patch on March 27, 2024, and the third patch on April 4, 2024. We would like to commend StylemixThemes for their prompt response and timely patches.

We urge users to update their sites with the latest patched version of MasterStudy LMS, which is version 3.3.4, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2024/04/937-bounty-awarded-for-privilege-escalation-and-local-file-inclusion-vulnerabilities-patched-in-masterstudy-lms-wordpress-plugin

Arbitrary File Upload Patched in WEmanage App Worker WordPress Plugin

On February 1st, 2024, during the Wordfence Bug Bounty Extravaganza, a submission was received for an Arbitrary File Upload vulnerability in Management App for WooCommerce, a WordPress plugin with 1,000+ active installations. This vulnerability makes it possible for authenticated users such as subscribers and customers to upload arbitrary files to a vulnerable site and achieve remote code execution.

Props to Lucio Sá who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $657.00 for this discovery during our Bug Bounty Program Extravaganza.

Paid Wordfence users received a firewall rule to protect against any exploits targeting this vulnerability on February 2, 2024. Sites using the free version of Wordfence received the same protection on March 3, 2024.

Wordfence contacted the WEmanage Team on February 2, 2024. After not receiving a reply we escalated the issue to the WordPress.org Security Team on March 8, 2024. After that, the developer released a patch on March 24, 2024.

We urge users to update their sites with the latest patched version of Management App for WooCommerce, version 1.2.3 at the time of this writing, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2024/04/657-bounty-awarded-for-arbitrary-file-upload-patched-in-wemanage-app-worker-wordpress-plugin/

Unauthenticated SQL Injection Vulnerability Patched in LayerSlider WordPress Plugin

On March 25th, 2024, during the second Wordfence Bug Bounty Extravaganza, a submission was received for an unauthenticated SQL Injection vulnerability in LayerSlider, a WordPress plugin with more than 1,000,000 estimated active installations. This vulnerability can be leveraged to extract sensitive data from the database, such as password hashes.

Props to 1337_wannabe who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $5,500.00 for this discovery during our Bug Bounty Program Extravaganza, their highest bounty yet! 

All Wordfence users are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in SQL Injection protection.

Wordfence contacted the Kreatura Team on March 25, 2024, and received a response on the next day. After providing full disclosure details, the developer released a patch on March 27, 2024. We would like to commend the Kreatura Team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of LayerSlider, which is version 7.10.1, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2024/04/5500-bounty-awarded-for-unauthenticated-sql-injection-vulnerability-patched-in-layerslider-wordpress-plugin/

and Critical Security Flaw Found in Popular LayerSlider WordPress Plugin