WordPress admin? Thinking of spending time with the family? Think again

P0wnage party pops plugins, providing plenty of party-pooping projects

The Dutch hacking community's Summer of Pwnage (SoP) has disclosed three vulnerabilities in WordPress plugins, including an XSS in the popular Ninja Forms.

Since Ninja Forms claims more than 600,000 users, we'll start there: the now-fixed reflected XSS bug allows attackers to inject malicious JavaScript into the victim's application.

That's because the plugin “insufficiently performs CSRF validation (ajaxreferer and nonce) and fails to perform output encoding according to context at any point where user-supplied input is copied into application responses”, SoP says. The fix is here.

Second, there are multiple SQL injection vulnerabilities in a WordPress video player plugin. These are serious because SoP says they would let an attacker get an admin password.

The vulnerabilities only need “logged in contributor” status to exploit; a slip in how the author of the plugin implemented esc_sql() means the attacker can inject arbitrary SQL into the plugin.

The patched version is in this Zipfile.

Third, the Icegram lead-capture plugin has a cross-site request forgery vulnerability: any WordPress option can be overwritten with the value TRUE, so an attacker can change the victim's configuration.

That bug is fixed in Icegram 1.9.19. ®


Biting the hand that feeds IT © 1998–2017