WordPress Security Plugin Vulnerabilities for Oct 30th
This is a WordPress security report for Oct 30th 2014. We are publishing a list of current critical vulnerabilities that we want to draw your attention to. Please scan the list below and if you are using any of the products listed, or if you are aware of anyone using the products listed, please take the appropriate action which we include in each bullet point below.
- Creative Contact Form has a shell upload vulnerability in all versions prior to 1.0.0. Upgrade immediately. Reported by ExploitDB.
- The current version of CP Multi View Event Calendar 1.01 has an SQL injection vulnerability. Uninstall the plugin immediately until a fix is released. Published on PacketStorm by Claudio Viviani.
- (Chinese) The Alipay plugin for WordPress has an XSS vulnerability in versions 3.6.0 and lower. It may have been fixed in the newest version although that version does not have an entry in the plugin changelog. Disclosed by Prajal Kulkarni on CodeVigilant.
- The current version of Rich Counter 1.1.5 (possibly abandoned) contains an XSS vulnerability. Uninstall the plugin until a fix is released. Disclosed by XroGuE on Packetstorm.
- The InfusionSoft Gravity Forms AddOn contains a file upload vulnerability in 1.5.10 and older. Upgrade immediately to 1.5.11. Disclosed by g0blin; a Metasploit module was published by us3r777.
- The popular WP Google Maps plugin contains an XSS vulnerability in version 6.0.26 and possibly earlier versions. Upgrade to 6.0.28 immediately. Disclosed by HTBridge. Edit: Nick from WP Google Maps has posted a comment below regarding this issue. Looks like they are doing a great job of staying on top of this and future issues.
If you are using any of these plugins, please take the action suggested in the bullet points above. Help spread the word to improve WordPress security for the WordPress community.
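If you administer more than a couple of sites, checking each one by hand against a list like this gets tedious. The script below is an added example written for this post, not code from Wordfence or from any of the plugin authors: it walks a `wp-content/plugins` directory, reads each plugin's standard header (`Plugin Name:` / `Version:`), and flags installs that fall inside the affected ranges listed above. Two things are assumptions rather than facts from the post: the on-disk layout (one subdirectory per plugin with the header in a top-level `.php` file), and matching on the header's display name rather than a plugin slug, because the post gives names, not slugs. Entries the post says to uninstall have no fixed release, so every installed version of those is flagged.

```python
"""Added example (not from the Wordfence post): a read-only inventory check that
flags installed WordPress plugins matching the advisories listed above.

Assumptions (labelled, not from the post):
  - plugins live under wp-content/plugins/<slug>/ and the main file carries the
    standard WordPress header with "Plugin Name:" and "Version:" lines;
  - matching is done on the header's Plugin Name, case-insensitively, because the
    post gives display names rather than plugin slugs. A short name like "Alipay"
    will also match any other plugin whose name contains that word; review hits.
"""
import os
import re
from dataclasses import dataclass
from typing import Callable, List, Optional, Tuple

Version = Tuple[int, ...]


def parse_version(text: str) -> Version:
    """'6.0.26' -> (6, 0, 26). Trailing non-numeric parts ('1.0.0-beta') are dropped."""
    parts = []
    for piece in re.split(r"[.\-_ ]", text.strip()):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def version_lt(a: Version, b: Version) -> bool:
    """Compare as zero-padded tuples so (1, 0) == (1, 0, 0); note '1.01' parses as (1, 1)."""
    n = max(len(a), len(b))
    return a + (0,) * (n - len(a)) < b + (0,) * (n - len(b))


def version_le(a: Version, b: Version) -> bool:
    return not version_lt(b, a)


@dataclass
class Advisory:
    plugin_name: str                     # display name as given in the post
    issue: str
    affected: Callable[[Version], bool]  # predicate over the parsed installed version
    action: str


# The advisories from the post, as data. "Uninstall" entries have no fixed
# release yet, so the predicate is True for every version.
ADVISORIES = [
    Advisory("Creative Contact Form", "shell upload",
             lambda v: version_lt(v, (1, 0, 0)), "upgrade immediately"),
    Advisory("CP Multi View Event Calendar", "SQL injection",
             lambda v: True, "uninstall until a fix is released"),
    Advisory("Alipay", "XSS",
             lambda v: version_le(v, (3, 6, 0)), "update and verify the newest version"),
    Advisory("Rich Counter", "XSS",
             lambda v: True, "uninstall until a fix is released (possibly abandoned)"),
    Advisory("InfusionSoft Gravity Forms AddOn", "file upload",
             lambda v: version_le(v, (1, 5, 10)), "upgrade to 1.5.11"),
    Advisory("WP Google Maps", "XSS",
             lambda v: version_lt(v, (6, 0, 28)), "upgrade to 6.0.28"),
]

# Matches "Plugin Name: Foo" or " * Version: 1.2.3" lines inside the header comment.
HEADER_RE = re.compile(
    r"^\s*\*?\s*(Plugin Name|Version)\s*:\s*(.+?)\s*$", re.MULTILINE | re.IGNORECASE
)


def read_plugin_header(php_source: str) -> dict:
    """Pull Plugin Name / Version out of the header comment at the top of a plugin file."""
    head = php_source[:8192]  # WordPress itself only inspects the start of the file
    return {key.lower(): value for key, value in HEADER_RE.findall(head)}


def check_plugin(name: str, version: str) -> Optional[str]:
    """Return 'issue: action' if (name, version) matches an advisory, else None."""
    v = parse_version(version)
    for adv in ADVISORIES:
        if adv.plugin_name.lower() in name.lower() and adv.affected(v):
            return f"{adv.issue}: {adv.action}"
    return None


def scan_plugins(plugins_dir: str) -> List[Tuple[str, str, str]]:
    """Walk a plugins directory and return (name, version, action) for every hit."""
    findings = []
    for slug in sorted(os.listdir(plugins_dir)):
        plugin_dir = os.path.join(plugins_dir, slug)
        if not os.path.isdir(plugin_dir):
            continue
        for filename in sorted(os.listdir(plugin_dir)):
            if not filename.endswith(".php"):
                continue
            with open(os.path.join(plugin_dir, filename), encoding="utf-8", errors="replace") as f:
                header = read_plugin_header(f.read())
            if "plugin name" in header:  # first file with a header is the main plugin file
                version = header.get("version", "0")
                action = check_plugin(header["plugin name"], version)
                if action:
                    findings.append((header["plugin name"], version, action))
                break
    return findings


if __name__ == "__main__":
    # Constructed sample header (not a real plugin file) to show a hit without touching disk.
    SAMPLE = "<?php\n/*\nPlugin Name: WP Google Maps\nVersion: 6.0.26\n*/\n"
    hdr = read_plugin_header(SAMPLE)
    print(hdr["plugin name"], hdr["version"], "->", check_plugin(hdr["plugin name"], hdr["version"]))
```

Run it against a real install with `scan_plugins("/path/to/wp-content/plugins")`; it only reads files, so it is safe to run on a production host, and an empty result for a plugin that is installed under a different display name is a reason to check that plugin manually rather than a clean bill of health.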
Comments
3:56 pm
Thank you for the information! Are these plugins all still being worked on or are some of them abandoned like Rich Counter?
3:59 pm
Hi Max. Looks like Rich Counter is the only one that may have been abandoned. All the others have been updated within the last month and many were updated today.
4:28 pm
Hi all.
Please note that if you update to WP Google Maps 6.0.28 or higher, you will not be affected. Most users have already updated.
Thank you to Htbridge who helped find the vulnerability. We fixed this issue in a matter of days and we are ensuring to the best of our ability that this doesn't happen again in future versions.
Kind regards
Nick
4:35 pm
Thanks very much for weighing in Nick. Please contact me at mark at wordfence dot com in future if you have any questions/comments, want to discuss disclosure or just want to say hi!!
Regards,
Mark - Wordfence Founder & CEO.
4:34 pm
I have to say that this is great stuff that you guys are doing in alerting people to vulnerabilities. From past experience, I know that this takes a lot of work, and can be very time consuming. The key to the vulnerabilities is getting them recognized and fixed quickly. You are providing a very valuable service to the web public by putting out the announcements. The key to everything being 'timely'. I once remember getting a call, around 4:00 am, from a certain office, located in a big white bldg. in Washington, DC, which is surrounded by fences and guard shacks. They wanted to know if I knew anything about the worldwide virus alert that CNN was just broadcasting on tv. Nope, I was sleeping, having a nice dream until the phone rang!
1:08 am
I am now locked out of my own site and cannot get back in. I filled out my e-mail address to get sent an unlock key and it hasn't arrived. I use your product on several blogs but will disable it unless this is resolved quickly. Thank you!
8:49 am
What about Google Maps Widget plugin - that cool?