Blog: Vulnerable WordPress Plugins Report for the Week of June 30, 2017

Vulnerable Plugins

Eight plugins with disclosed vulnerabilities this week, five of which remain unpatched. The most serious is FormCraft, which contains two unfixed SQL injection vulnerabilities. The Packet Storm post says the vulnerability is in "FormCraft Basic" and that the plugin directory to use when Google dorking is "formcraft". The version in the public repository definitely contains the vulnerability, but its directory is named "formcraft-form-builder". FormCraft also offers a premium paid version, and as best I can tell its directory is named "formcraft3". It is possible there is yet another "Basic" version, but I have not been able to locate it so far. In any case, the vulnerability is definitely present in the public version. Given that the plugin's last update was seven months ago, you might consider looking into alternative form builders as a replacement.
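Because the three directory names above do not agree, the first thing to check on your own install is which FormCraft slug, if any, is actually present and at what version. The script below is an added example (my own code, not from the Packet Storm post or the FormCraft project): it walks a wp-content/plugins directory, picks out any plugin whose directory name is on a watch list, and reads the name and version from the standard WordPress plugin header comment. The sample plugin tree it builds is constructed for the demo, and the version numbers in it are made up.

```python
import os
import re
import tempfile

# Directory slugs named in the post for the FormCraft builds. Which one holds
# the "Basic" build is unresolved, so all three are watched.
FORMCRAFT_SLUGS = ("formcraft", "formcraft-form-builder", "formcraft3")

# Standard WordPress plugin header keys we care about.
HEADER_FIELDS = ("Plugin Name", "Version")


def read_plugin_header(php_path):
    """Return {field: value} for the header keys found in a plugin's PHP file.

    Mirrors how WordPress parses headers: only the first 8 KiB of the file is
    scanned, each key is matched at the start of a line after optional comment
    punctuation, and a trailing '*/' or '?>' is stripped from the value.
    """
    with open(php_path, "r", encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)
    found = {}
    for field in HEADER_FIELDS:
        pattern = r"^[ \t/*#@]*" + re.escape(field) + r":\s*(.+?)\s*$"
        m = re.search(pattern, head, re.MULTILINE | re.IGNORECASE)
        if m:
            found[field] = re.sub(r"\s*(?:\*/|\?>).*", "", m.group(1)).strip()
    return found


def find_watched_plugins(plugins_root, watch_slugs=FORMCRAFT_SLUGS):
    """List installed plugins whose directory slug is on the watch list.

    Each hit is {"slug", "name", "version"}; "?" marks a header that was not
    found. Single-file plugins dropped directly into the plugins root (for
    example hello.php) have no slug directory and are skipped.
    """
    hits = []
    for slug in sorted(os.listdir(plugins_root)):
        plugin_dir = os.path.join(plugins_root, slug)
        if not os.path.isdir(plugin_dir) or slug not in watch_slugs:
            continue
        header = {}
        # The main file is whichever .php file in the directory carries the header.
        for name in sorted(os.listdir(plugin_dir)):
            if name.endswith(".php"):
                header = read_plugin_header(os.path.join(plugin_dir, name))
                if "Plugin Name" in header:
                    break
        hits.append({
            "slug": slug,
            "name": header.get("Plugin Name", "?"),
            "version": header.get("Version", "?"),
        })
    return hits


def build_sample_plugins_dir():
    """Construct a throwaway plugins tree for the demo (sample data, not a real site)."""
    root = tempfile.mkdtemp(prefix="wp-plugins-")
    sample_files = {
        # Constructed header; the version number is made up for the example.
        "formcraft-form-builder/formcraft-main.php":
            "<?php\n/*\nPlugin Name: FormCraft\nVersion: 1.2.3\n*/\n",
        # Unrelated plugin using the docblock-style header WordPress also accepts.
        "contact-widget/contact-widget.php":
            "<?php\n/**\n * Plugin Name: Contact Widget\n * Version: 0.9\n */\n",
        # Single-file plugin at the root, like the stock hello.php.
        "hello.php":
            "<?php\n/*\nPlugin Name: Hello Dolly\nVersion: 1.6\n*/\n",
    }
    for rel_path, body in sample_files.items():
        full = os.path.join(root, rel_path)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "w", encoding="utf-8") as fh:
            fh.write(body)
    return root


if __name__ == "__main__":
    demo_root = build_sample_plugins_dir()
    for hit in find_watched_plugins(demo_root):
        print("{slug}: {name} {version}".format(**hit))
```

Against a live site, point it at the real path, e.g. find_watched_plugins("/var/www/html/wp-content/plugins"), and extend the watch list with the other slugs from this week's list. If WP-CLI is installed, "wp plugin list" gives the same slug and version information without any scripting.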

The other plugin I want to bring attention to is WP Statistics, which also contained a SQL injection vulnerability (disclosed by Sucuri earlier today). The developer has released an update that corrects the issue, so update as soon as possible.

View this week’s vulnerable plugins list

Other Security News

A report from the Digital Citizens Alliance was released back in March titled Cyber Criminals, College Credentials, and the Dark Web: A Security Challenge Facing U.S. University Communities. It has been on my "to-read" list for a while and I finally had an opportunity to dig into it. The researchers tracked how many *.edu accounts from the top 300 higher education institutions were available for sale on the dark web.

Note: before you read the report, take some of the information with a grain of salt. The numbers it presents were gathered over a period of eight years, and none of the credentials have been verified as authentic. Since we are talking about credentials sold on the dark web, we are dealing with criminals, and it would not be outside the realm of possibility for them to throw in fake credentials to pad what they are selling.

As I have mentioned before, the .edu domain is extremely valuable to attackers because eligibility to use it is tightly limited. *.edu credentials are particularly valuable because many companies offer student discounts and verify student status through a *.edu email address. Even more important, a *.edu credential opens the door into a university's network. From there an attacker can target the university's internal infrastructure as well as classified and proprietary research data.

We (University of Missouri) came in at #76 with 34K credentials, a ratio of 75% of available credentials to current student, staff and faculty headcount.

As I mentioned above, these credentials have not been verified, so that number may well be greatly inflated. However, even if only 10% are legitimate, that is 3,400 credentials, which is still a lot of entry points into our systems. I would certainly encourage you to read the report, see where you rank, and then use it to begin conversations with the various groups on your campus.

Dorkbot

The other item I want to mention is the Dorkbot program out of the University of Texas at Austin. We have been working with them for a couple of weeks and I have been extremely impressed with the results. After you sign up, and with your permission, the service crawls your publicly available web presence for vulnerabilities and then sends a notice to your campus or institution's Information Security Officer. They have helped us identify numerous vulnerable applications that we were unaware of and have since been able to remediate. If your institution is not already a participant, I highly recommend you talk to your security office about joining the program.

Paul Gilzow

Programmer Analyst, University of Missouri | @gilzow | http://missouri.edu/

Web application security and accessibility evangelist. Software instructor. Conference lecturer and presenter.
