3 Vulnerabilities Discovered in Several WordPress Plugins

Three different plugins used by the WordPress content management system were discovered to have vulnerabilities, according to researchers from DXW Security, the British firm that found and disclosed these issues Monday. 

wordpress vulnerabilitiesThese vulnerabilities, having mostly to do with cross-site scripting (XSS) could grant administrative privileges to users.

According to DXW developer Tom Adams, version 3.0 of the iframe plugin WordPress uses contains two of the XSS vulnerabilities; one reflected and one stored. These stored vulnerabilities could grant excessive privileges to users and allow them to insert HTML into pages.

The third, reflected XSS vulnerability could leave pages that use “get_params_from_url” open to attack. Adams refutes WordPress’ claim that version 4.0 resolved the vulnerabilities and advises users to disable the plugin until a new version addresses the bug.

DXW discovered another XSS vulnerability in Yoast’s Google Analytics. With some users having the ability to edit the capabilities of other users, it leaves users open to attack by other, more privileged users that add arbitrary JavaScript to pages.

Adams explains:

“A user with the manage_options capability but not the unfiltered_html capability is able to add arbitrary JavaScript to a page visible to admins.”

Glen Wintle of DXW discovered a blind SQL injection in WordPress’ social network plugin, Symposium. This could enable a hacker to extract password hashes and secure information from a site’s database. Symposium’s creator Simon Goodchild told Wintle the issue was fixed approximately four weeks after DXW’s report of the bug, in version 15.8 of the plugin.

WordPress developers fixed a half-dozen security issues last week when version 4.2.4 of WordPress was released.  A more serious XSS vulnerability, discovered in May, was finally fixed last week. This came just three weeks after another XSS vulnerability was found and fixed in the CMS. Developers were warned these vulnerabilities could be used to fully hack a site and encouraged to update to the latest version, 4.2.3.

Images from Shutterstock.

Ali is a freelance journalist, having 5 years of experience in web journalism and marketing. He contributes to various online publications. With a master degree, now he combines his passions for writing about internet security and technology. When he is not working, he loves traveling and playing games.