WordPress Security: WooCommerce Vulnerability

WordPress Plugins

A serious vulnerability has been discovered in the extremely popular e-commerce plugin for WordPress, “WooCommerce”.

If left unpatched, a WordPress installation utilizing version 2.3.5 or earlier could be vulnerable to a SQL injection attack that requires Shop Manager or Admin access to be exploited. Similar to the WordPress SEO issue we wrote about yesterday, this type of attack is most commonly carried out by tricking a user with escalated permissions into visiting a malformed URL.

A patched version of the “WooCommerce” plugin, ver. 2.3.6, has been released to fix this vulnerability and can be downloaded from WordPress.org or directly from WooThemes. [Read more…]

WordPress Security: WordPress SEO by Yoast Vulnerability

WordPress Plugins

A serious vulnerability has been discovered in the WordPress plugin “WordPress SEO by Yoast”.

If left unpatched, a WordPress installation utilizing version 1.7.3 or earlier (see all patched versions below) could be vulnerable to a SQL injection attack that needs author, editor, or admin access to be exploited. According to Yoast, this type of attack is most commonly carried out by tricking a user with escalated permissions into visiting a malformed URL.

A patched version of the “WordPress SEO by Yoast” plugin, ver. 1.7.4, has been released to fix this vulnerability and can be downloaded from WordPress.org. [Read more…]

WordPress Security: MainWP Child Vulnerability

WordPress Plugins

A privilege escalation vulnerability has been discovered in the WordPress plugin “MainWP Child”.

MainWP Child is a plugin that works in conjunction with the WordPress management plugin, MainWP, to allow remote administration of WordPress-based websites.

If left unpatched, the flaw in MainWP Child may allow an attacker to log into a site without requiring a password as long as they know an account’s username. [Read more…]

WordPress Security: Zero-Day Vulnerability in “FancyBox for WordPress”

WordPress Plugins

A zero-day vulnerability has been discovered in the WordPress plugin “Fancy Box for WordPress”.

If left unpatched, a WordPress installation utilizing version 3.0.3 or earlier could allow an attacker to install malware or other malicious content on the vulnerable site.

A patched version of the “FancyBox for WordPress” plugin, ver. 3.0.4, has been released that’s reported to fix the vulnerability.

Any site utilizing “FancyBox for WordPress” should either uninstall the plugin entirely or update to the patched version of the plugin immediately.

The patched version of “FancyBox for WordPress” is 3.0.4 and can be downloaded from WordPress.org.

Note: Indications are this does not affect the jQuery fancybox.js, Easy FancyBox, NextGen Gallery, or other WordPress plugins with completely different code bases. This alert is specifically for “FancyBox for WordPress” ver. 3.0.3 or earlier.

For more details on the vulnerability, please visit:

Vulnerability in FancyBox Plugin for WordPress – Update immediately (WordFence Blog)

Zero-day in the Fancybox-for-WordPress Plugin (Sucuri Blog)

NO ESC! Technologies Group clients who subscribe to one of our WordPress Maintenance plans have been affected by this vulnerability.

Tech!Alert: Zero-Day Vulnerability Discovered in Adobe Flash Player

Adobe has released a critical update for Flash Player versions 16.0.0.296 and earlier that patches a zero-day vulnerability which could allow an attacker to take control of an affected system.

Adobe released a patch for the flaw on February 4th; it will be pushed to all desktop installs of Flash Player that have auto-update enabled, and Adobe expects to release a manually installable update no later than February 5th.

The patched version is 16.0.0.305. [Read more…]

WordPress 4.1 “Dinah” Released!

Named for jazz singer Dinah Washington, WordPress 4.1 was released today and brings with it a number of features focused specifically on the writing experience.

All ESC! Technologies Group clients who subscribe to one of our WordPress Maintenance plans will be updated to the latest release as soon as testing is complete — there is nothing you need to do at this point.

So what’s new in WordPress 4.1? [Read more…]

WordPress Security: Slider Revolution *update*

WordPress Plugins

Another round of warnings has been issued by blogs and hosting companies alike about the Slider Revolution plugin by ThemePunch.

Mostly, these new warnings are simply a reminder to those who didn’t heed the alerts issued in September that they’d better update (or stop using) old, outdated installations of this WordPress plugin or risk having their site compromised.

Since our last update, over 100,000 sites have been compromised, which is believed to be due to outdated versions of Slider Revolution.

The vulnerable versions of this plugin include any release prior to 4.2.

The current version of Slider Revolution is 4.6.5. If you’ve not done so, please update your site immediately!

For more information, please see our previous post on this vulnerability.

NO ESC! Technologies Group clients who subscribe to one of our WordPress Maintenance plans have been affected by this vulnerability.

WordPress Security: WP e-Commerce Critical Update

WordPress Plugins

A serious vulnerability has been discovered in the popular e-commerce plugin for WordPress called WP e-Commerce.

If left unpatched, a WordPress installation utilizing version 3.8.14.3 of WP e-Commerce or earlier could allow an attacker to gain access to all user names, addresses, and other information of any customer who ever made a purchase from the affected site.

Additionally, an attacker could perform administrative tasks on an affected site or modify orders placed by customers without actually authenticating as an administrator. According to Sucuri, the discoverer of the flaw: “The plugin developers assumed that WordPress’s admin_init hook was only called when the administrator was logged in and visited a page inside /wp-admin/. However, any call to /wp-admin/admin-post.php (or admin-ajax) also executes this hook without requiring the user to be authenticated.”
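As an added illustration (not WP e-Commerce’s or Sucuri’s code), the following hypothetical plugin handler contrasts the unsafe assumption described above with a hardened version. The `esc_demo_*` names are invented; `admin_init`, `current_user_can`, `check_admin_referer`, `absint`, `sanitize_key`, `update_option` and `wp_die` are real WordPress core functions.

```php
<?php
// Added example, not the plugin's own code. Hypothetical handler names (esc_demo_*).

// UNSAFE PATTERN (shown for contrast, deliberately NOT hooked):
// admin_init fires on every request to /wp-admin/admin-post.php and
// admin-ajax.php, including unauthenticated ones, so a handler that only
// checks which "action" was requested trusts whoever sent the request.
function esc_demo_unsafe_handler() {
    if ( isset( $_POST['esc_demo_action'] ) && 'update_order' === $_POST['esc_demo_action'] ) {
        // No capability check, no nonce: anonymous POST reaches a privileged operation.
        esc_demo_update_order( (int) $_POST['order_id'], (string) $_POST['status'] );
    }
}

// HARDENED PATTERN: the hook is still admin_init, but the handler fails closed
// unless the caller is a logged-in user with the right capability AND the
// request carries a valid nonce tied to this specific action.
add_action( 'admin_init', 'esc_demo_hardened_handler' );
function esc_demo_hardened_handler() {
    if ( ! isset( $_POST['esc_demo_action'] ) || 'update_order' !== $_POST['esc_demo_action'] ) {
        return; // not our action; do nothing
    }

    // 1. Authentication + authorization: an unauthenticated caller of
    //    admin-post.php has no capabilities, so this rejects it with HTTP 403.
    if ( ! is_user_logged_in() || ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
    }

    // 2. Nonce: blocks the "trick an admin into visiting a malformed URL"
    //    (CSRF) path. The form must include wp_nonce_field( 'esc_demo_update_order', 'esc_demo_nonce' ).
    check_admin_referer( 'esc_demo_update_order', 'esc_demo_nonce' );

    // 3. Input validation before the privileged operation.
    $order_id = absint( $_POST['order_id'] );
    $status   = sanitize_key( $_POST['status'] );
    if ( 0 === $order_id || ! in_array( $status, array( 'pending', 'paid', 'shipped' ), true ) ) {
        wp_die( 'Bad request', 'Bad request', array( 'response' => 400 ) );
    }

    esc_demo_update_order( $order_id, $status );
}

// Hypothetical privileged operation standing in for an order update.
function esc_demo_update_order( $order_id, $status ) {
    update_option( 'esc_demo_order_' . $order_id, $status );
}
```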

Any site utilizing WP e-Commerce should update to the patched version of the plugin immediately.

The current version of WP e-Commerce is 3.8.14.4 and can be downloaded from WordPress.org.

For more details on the vulnerability, please visit Sucuri’s Blog:

Advisory for: WordPress WP e-Commerce Plugin

NO ESC! Technologies Group clients who subscribe to one of our WordPress Maintenance plans have been affected by this vulnerability.

WordPress Security: End of Month Vulnerability List

WordPress Plugins

Below is a list of WordPress plugin vulnerabilities to be aware of for the end of October 2014. If your site is running any of the affected plugins, please upgrade immediately – or find an alternative if no patch is available.

Thanks to the security team at Wordfence for the heads up!

  • Creative Contact Form has a shell upload vulnerability in all versions prior to 1.0.0. Upgrade immediately. Reported by ExploitDB.
  • The current version of CP Multi View Event Calendar 1.01 has an SQL injection vulnerability. Uninstall the plugin immediately until a fix is released. Published on PacketStorm by Claudio Viviani.
  • The Alipay plugin for WordPress has an XSS vulnerability in versions 3.6.0 and lower. It may have been fixed in the newest version although that version does not have an entry in the plugin changelog. Disclosed by Prajal Kulkarni on CodeVigilant.
  • The current version of Rich Counter 1.1.5 (possibly abandoned) contains an XSS vulnerability. Uninstall the plugin until a fix is released. Disclosed by XroGuE on Packetstorm.
  • The InfusionSoft Gravity Forms AddOn contains a file upload vulnerability in 1.5.10 and older. Upgrade immediately to 1.5.11. Disclosed by g0blin, with a Metasploit module by us3r777.
  • The popular WP Google Maps plugin contains an XSS vulnerability in version 6.0.26 and possibly earlier versions. Upgrade to 6.0.28 immediately. Disclosed by HTBridge.

For more details and links, please visit the Wordfence Security Blog.

Note: NO ESC! Technologies Group clients who subscribe to one of our WordPress Maintenance plans have been affected by these vulnerabilities.

Tech Alert: HP Power Adapter Safety Warning

Hewlett-Packard has recalled 5,577,000 notebook computer AC power cords in the US because the cord can overheat, posing a potential fire and burn hazard.

Per the US Consumer Product Safety Commission (CPSC):

This recall involves Hewlett-Packard’s LS-15 AC power cord. The power cords were distributed with HP and Compaq notebook and mini notebook computers and with AC adapter-powered accessories such as docking stations. The power cords are black in color and have an “LS-15” molded mark on the AC adapter end of the power cord.

Customers should immediately stop using and unplug the recalled power cords and contact Hewlett-Packard to order a free replacement. Consumers can continue to use the computer on battery power. [Read more…]