Fourteen disclosures this week, with six issues unfixed, with three of those critical.
The big news this last week, at least in terms of coverage, was the disclosure by Wordfence of three plugins vulnerable to Object Injection vulnerabilities. Luckily, all three plugins have been fixed with updates issued. Unfortunately, there are several critical vulnerabilities in plugins that remain unfixed. The first is an authenticated arbitrary file upload vulnerability in the WordPress Book List plugin, disclosed by pluginvulnerabilities.com. As for versions affected, they don't list how far back the vulnerability goes. In looking back through the versions, it goes back to at least v5.0. There was a major code restructuring between 4.4 and 5.0, and it appears that the vulnerability was introduced at that point.
Next are authenticated Object Injection and Cross-Site Request Forgery vulnerabilities in the plugin Event List (which has been removed from the public plugin repository, also disclosed by pluginvulnerabilities.com. In looking through the code, it appears the vulnerability was introduced at version 0.7.3. You are encouraged to remove the plugin.
Last is both authenticated and unauthenticated Blind SQL Injection vulnerabilities in the plugin Content Timeline. According to the disclosure, the author of the plugin never responded. In looking at the readme file from the demo site, the last update was sometime in 2017, but doesn't mention any changes related to SQL Injection. Therefore, the assumption is that the current version is still vulnerable. As this is a paid plugin, I would recommend contacting the vendor directly and ask if the vulnerabilities have been addressed. If you do not receive a quick response, then I would recommend removing the plugin and finding an alternative solution.
Other Security News
Earlier this week, Curl, the popular command line tool for transfer data to or from a server, released an update to address a vulnerability where a malicious server could send a malformed response to a PWD command, causing curl to crash. Affected versions are 7.7 up to and including 7.55.1. There are no known exploits targeting this vulnerability.
Subsequent to Yahoo’s acquisition by Verizon, and during integration, the company recently obtained new intelligence and now believes, following an investigation with the assistance of outside forensic experts, that all Yahoo user accounts were affected by the August 2013 theft.
Essentially, if you had a Yahoo account prior to August 2013, your account was affected by the breach. If you haven't already done so, you really need to go change your password.
HighEdWeb, the best conference for those of who work on the web and in higher education starts on Sunday! WPCampus will be there, as will many of our WPCampus community members (myself included). I'll be teaching a hands-on workshop on Sunday covering the OWASP Top 10 and how to mitigate your risks. Last I checked there are still some seats available, so if you aren't already committed on Sunday afternoon come join me. Also, our very own Rachel Cherry and Curtiss Grymala will be teaching a workshop on WordPress in Higher Ed. If you don't come to my workshop, then I'd highly suggest attending theirs. Either way, if you'll be attending, definitely stop in the DPA (aka tech) track and say hello. I'd love to chat about security or WordPress!