• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login
Labs Note

Vulnerable Plugins: June 2020 Update

June 19, 2020John Castro

0
SHARES
FacebookTwitterSubscribe

This is a mid-month update to our regular Monthly Vulnerability Digest, which reveals a number of new patches for disclosed vulnerabilities.

Plugin Vulnerability Patched Version Installs
Elementor Page Builder Authenticated Stored XSS 2.9.10 5000000
AdRotate Authenticated SQL Injection 5.8.4 40000
Brizy – Page Builder Improper Access Controls 1.0.126 60000
Careerfy Unauthenticated XSS 3.9.0 5000
SportsPress Authenticated Stored XSS 2.7.2 20000
JobSearch Unauthenticated XSS 1.5.1 5000
Newspaper Unauthenticated XSS 10.3.4 6000
Multi Scheduler Record Deletion CSRF — 20

Highlights

  • Cross-site scripting is the most common vulnerability in WordPress plugins
  • None of these plugins have been identified in massive attacks

Relevant Plugins

SportsPress

Sportspress fixed an authenticated stored cross-site scripting vulnerability in version 2.7.2. This vulnerability allows authenticated attackers to arbitrarily update the “sportspress_event_teams_delimiter” plugin option, allowing for the potential execution of malicious scripts every time the site is loaded.

Since this bug is really easy for attackers to exploit in malware campaigns, we’ve been following it closely but haven’t detected any massive abuses as an attack vector. We believe this is primarily due to the fact that the vulnerability exploit requires access to a compromised user within the vulnerable site.

Patch:

Index: sportspress/tags/2.7.2/includes/admin/settings/class-sp-settings-events.php
===================================================================
--- a/sportspress/tags/2.7.2/includes/admin/settings/class-sp-settings-events.php
+++ b/sportspress/tags/2.7.2/includes/admin/settings/class-sp-settings-events.php         
         if ( isset( $_POST['sportspress_event_teams_delimiter'] ) )
-            update_option( 'sportspress_event_teams_delimiter', $_POST['sportspress_event_teams_delimiter'] );
+            update_option( 'sportspress_event_teams_delimiter', sanitize_text_field( $_POST['sportspress_event_teams_delimiter'] ) );
 }

AdRotate

Adrotate fixed an authenticated SQL Injection in version 5.8.4. We haven’t detected any massive automated attacks targeting this plugin.

Patch:

    if(isset($_GET['status'])) $status = esc_attr($_GET['status']);
     if(isset($_GET['view'])) $view = esc_attr($_GET['view']);
     if(isset($_GET['id'])) $id = esc_attr($_GET['id']);
     if(isset($_GET['file'])) $file = esc_attr($_GET['file']);
+
+    if(!is_numeric($status)) $status = 0;
+    if(!is_numeric($id)) $id = 0;

The majority of the public vulnerabilities in this mid-month update require the possession of a user account within the vulnerable site, which reduces the odds of any massive infections.

That being said, to mitigate risk from these recently patched vulnerabilities we strongly encourage all affected users to update their plugins as soon as possible.

0
SHARES
FacebookTwitterSubscribe

Categories: Security Advisory, Vulnerability DisclosureTags: Black Hat Tactics, Hacked Websites, Malware, Obfuscation, Redirects, Vulnerability, WordPress Plugins and Themes

About John Castro

John Castro is Sucuri's Vulnerability Researcher who joined the company in 2015. His main responsibilities include threat intelligence and vulnerability analysis. John's professional experience covers more than a decade of pentesting, vulnerability research and malware analysis. When John isn't working with WordPres plugin vulnerabilities, you might find him hiking or hunting for new restaurants. Connect with him on LinkedIn

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

How to Clean a Hacked Website Guide

How to know you can trust a plugin

Join Over 20,000 Subscribers!

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2022 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.