Plugin name: Data privacy extended (data protection law) - GDPR Module Vulnerability name: CSRF (Cross-Site Request Forgery) in the "Delete Account" Affected Prestashop versions: v1.6.0.4 - v1.7.6.0 Vulnerable Version: <3.7.8 Patched version: 3.7.8 Vulnerability Reported: 20th June 2019 Vulnerability Patched: 25th June 2019 While performing a security audit on one of our Prestashop clients at Astra, I found a critical…
MyBB, earlier known as MyBulletinBoard is a free and open source forum software based on PHP & My SQL. Recently it has been found vulnerable to a critical stored XSS (Cross-Site Scripting) and RCE (Remote-code Execution) in version 1.8.20 and before. Due to this any malefactor holding only a user account on the forum can hijack any board by sending a malicious private message to the administrator or by creating a malicious post.
WP live chat support plugin, with more than 50,000+ installs is, again found vulnerable to grave vulnerability identified as CVE-2019-12498, which lets any unauthorized user to steal chat history or hijack current chat sessions. Versions 8.0.32 and prior are vulnerable.
The website analytics plugin for WordPress Slimstat, has been found vulnerable to stored XSS (cross-site scripting) vulnerability in versions <=4.8. At moment of writing this blog, it is installed on 1,00,000+ websites. Slimstat is a known plugin for tracking website analytics in real time, it monitors and reports stats of access logs, returning customers and registered users, JavaScript events, etc.
Owing to the widespread presence of WordPress, hackers, in fact try incessantly to make past every popular WordPress plugin. As a result, vulnerability disclosures in WordPress plugins almost seem like a never ending process. This time its Fb messenger live chat by Zotabox. So, FB messenger live chat by Zotabox has recently been disclosed to have persistent XSS vulnerability.
Another plugin has entered the ever-growing list of vulnerable WordPress plugins. The WordPress free plugin FV Flowplayer Video Player which is being used for embedding FLV or MP4 videos into posts or pages is found to be vulnerable to XSS, SQL injection & CSV Export. Installed on 40,000+ websites at present, it has been updated only 4 days ago after…
Day after day, a vulnerability or an attack on the WordPress CMS comes to light. Clearly, this is not the end of it. Adding to the precedented vulnerabilities, another quite severe cross-site scripting vulnerability is exposed on the WordPress plugin wp-live-chat-support.
