Blog: Vulnerable WordPress Plugins Report for the Week of October 27, 2017

Vulnerable Plugins

Nine disclosures this week, with five issues unfixed.

View this week’s vulnerable plugins list.

The largest disclosure this week was most likely the SQL Injection combined with Object Injection vulnerability in the Contact Form for WordPress – Ultimate Form Builder Lite plugin disclosed by Wordfence. At the time of discovery, the vulnerability was being actively exploited in the wild. The author has released version 1.3.7, so please make sure you have updated.

For this week’s unfixed vulnerabilities, the Full Path Disclosure issue with Inline Image Upload for BBPress (and its Pro version) isn’t a vulnerability by itself, but it can be used in combination with other attacks that require knowing the server path. Hopefully the vendor will release a fix soon, but if not, you can mitigate this issue by ensuring the PHP `display_errors` setting is disabled for your site, so that PHP warnings and notices are logged rather than printed into the page. The specifics of how you disable it will depend on your hosting set up. If you’re not sure, contact your hosting provider or system administrator.
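As an added illustration (not code from the original post or from the plugin), here are the weak and hardened settings side by side, plus a small check you can run to confirm what your host actually has in effect. The log path is a placeholder you would replace with a directory outside the web root.

```php
<?php
// Added example: confirm and harden PHP error display so that warnings and
// notices do not print the absolute server path into the page (Full Path Disclosure).
//
// Weak configuration (common on misconfigured hosts):
//   php.ini:       display_errors = On
//   wp-config.php: define('WP_DEBUG', true); define('WP_DEBUG_DISPLAY', true);
//
// Hardened configuration:
//   php.ini, .user.ini (CGI/FastCGI) or the php-fpm pool file:
//     display_errors = Off
//     log_errors     = On
//     error_log      = /PLACEHOLDER/outside-webroot/php-error.log
//   wp-config.php (placed above the line that requires wp-settings.php):
//     define('WP_DEBUG', false);
//     define('WP_DEBUG_DISPLAY', false);
//     define('WP_DEBUG_LOG', true);   // errors go to wp-content/debug.log, not the browser
//   .htaccess on mod_php hosts that allow it:
//     php_flag display_errors Off
//
// Caveat: WP_DEBUG = false does not turn display_errors off by itself; WordPress
// leaves the php.ini value in effect, so the php.ini (or .user.ini) change is the
// one that actually closes the hole.

/** True if the running PHP process would print errors into the response body. */
function display_errors_is_enabled(): bool {
    $value = strtolower((string) ini_get('display_errors'));
    // PHP accepts 1/On/True as well as the "stdout" and "stderr" modes.
    return in_array($value, ['1', 'on', 'true', 'yes', 'stdout', 'stderr'], true);
}

/**
 * Last-resort runtime hardening, e.g. from a must-use plugin, for hosts where
 * php.ini cannot be edited. It cannot override a value the host has locked down
 * with php_admin_flag, so verify with display_errors_is_enabled() afterwards.
 */
function harden_error_display(): void {
    ini_set('display_errors', '0');
    ini_set('log_errors', '1');
    error_reporting(E_ALL);   // keep logging everything, just not to the browser
}

if (PHP_SAPI === 'cli') {
    printf("display_errors before: %s\n", display_errors_is_enabled() ? 'ON (leaks paths)' : 'off');
    harden_error_display();
    printf("display_errors after:  %s\n", display_errors_is_enabled() ? 'still ON' : 'off');
}
```

Run the script with the same PHP binary and configuration your web server uses (`php -c /path/to/php.ini check.php`), because the CLI often loads a different php.ini than the web SAPI.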

Other WordPress News

WordPress version 4.9 is currently in Beta 4 with a Release Candidate scheduled for this Monday, with a final target release date of Tuesday, November 14th. It’s always a good idea to test out Release Candidates in your development environments, if possible. If not, start preparing to update your sites mid-November.

Paul Gilzow

Programmer Analyst, University of Missouri. @gilzow, http://missouri.edu/

Web application security and accessibility evangelist. Software instructor. Conference lecturer and presenter.
