Tuesday, 26 January 2016

WordPress Security: Core XSS and 4 Plugin vulnerabilities

This has certainly been an eventful month in WordPress security. January 6th saw a WordPress core security update. Upgrade immediately to version 4.4.1 of WordPress core if you haven’t already.
The vulnerability that WordPress 4.4.1 fixes is a cross site scripting or XSS vulnerability.
The Automattic team did not release details of the vulnerability in the announcement, but the patch was reverse engineered by several security teams and they used the code change to come up with a proof of concept exploit. The exploit has also been posted on twitter. The result is that the exploit for this security issue is now in the wild so it’s very important that you update asap.
The following plugins also had vulnerabilities reported and in most cases, fixed, this month:
  • Commentator plugin version 2.5.2 and older is affected by a reflected XSS vulnerability. Fixed in version 2.5.3.
  • WordPress Download Manager 2.8.7 and older suffer from multiple vulnerabilities including privilege escalation, directory listing and unauthorized file download. Fixed in version 2.8.8.
  • Simple Download Monitor 3.2.8 has multiple vulnerabilities that allows users to list all uploaded files, delete file thumbnails and download password protected files without a password. 3.2.9 fixes this issue.
  • Simple Ads Manager 2.9.4.116 contains a SQL injection vulnerability (details here) that allows a remote attacker to access the administrator’s hashed password and other sensitive database data. Version 2.9.4.118 fixes the issue.
If you have not updated the plugins above, do so immediately.