The Dutch hacking community's Summer of Pwnage (SoP) has disclosed three vulnerabilities in WordPress plugins, including a cross-site scripting (XSS) bug in the popular Ninja Forms.
The XSS exists because the plugin "insufficiently performs CSRF validation (ajaxreferer and nonce) and fails to perform output encoding according to context at any point where user-supplied input is copied into application responses", SoP says. The fix is here.
Second, there are multiple SQL injection vulnerabilities in a WordPress video player plugin. These are serious because SoP says they would let an attacker get an admin password.
The vulnerabilities only need "logged in contributor" status to exploit; a slip in how the plugin's author applied esc_sql() means the attacker can inject arbitrary SQL through the plugin.
The patched version is in this zip file.
Third, the Icegram lead-capture plugin has a cross-site request forgery vulnerability: any WordPress option can be overwritten with the value TRUE, so an attacker can change the victim’s configuration.
That bug is fixed in Icegram 1.9.19.
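The three weaknesses described above (missing nonce and referer checks, missing context-aware output encoding, and SQL built from user input that esc_sql() alone cannot protect) each map onto a specific WordPress API call. The following is an added illustration written for this article; it is not code from Ninja Forms, the video player plugin or Icegram, and the `sop_demo_*` function names, the table and the option are hypothetical and constructed for the example:

```php
<?php
// Constructed example: a minimal admin-ajax handler that avoids the three
// weaknesses discussed above. All sop_demo_* names are hypothetical.

// Weak pattern: esc_sql() only escapes quote characters. When the value is
// interpolated into the query without surrounding quotes (a numeric id is
// the usual case), the escaping changes nothing and the query remains
// attacker-controlled.
function sop_demo_lookup_weak( $id ) {
    global $wpdb;
    $id = esc_sql( $id );
    return $wpdb->get_row( "SELECT * FROM {$wpdb->prefix}sop_demo_videos WHERE id = $id" );
}

// Hardened pattern: $wpdb->prepare() binds the value through a typed
// placeholder, so whatever was submitted can only reach MySQL as an integer.
function sop_demo_lookup( $id ) {
    global $wpdb;
    return $wpdb->get_row(
        $wpdb->prepare( "SELECT * FROM {$wpdb->prefix}sop_demo_videos WHERE id = %d", $id )
    );
}

// AJAX endpoint: verifies the nonce and referer, checks capability, restricts
// which option may be changed and what it may be set to, and encodes output
// for the HTML context it will land in.
function sop_demo_ajax_handler() {
    // 1. CSRF: the nonce must have been issued for this action; the call
    //    terminates the request with a 403-style "-1" response on failure.
    check_ajax_referer( 'sop_demo_action', 'security' );

    // 2. Authorisation: a logged-in contributor is not an administrator.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Only a whitelisted option may be written, and only with a validated
    //    value, so a forged request cannot flip arbitrary options to TRUE.
    $allowed = array( 'sop_demo_enabled' );
    $option  = isset( $_POST['option'] ) ? sanitize_key( $_POST['option'] ) : '';
    if ( ! in_array( $option, $allowed, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }
    update_option( $option, empty( $_POST['value'] ) ? '0' : '1' );

    // 4. Database access goes through the prepared query, never the weak one.
    $row = sop_demo_lookup( isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0 );

    // 5. Output encoding chosen for the destination context (here HTML text).
    //    A value destined for an attribute would use esc_attr(), a URL esc_url().
    $title = $row ? esc_html( $row->title ) : '';
    wp_send_json_success( array( 'title_html' => $title ) );
}
add_action( 'wp_ajax_sop_demo', 'sop_demo_ajax_handler' );
```

The client side obtains the nonce from wp_create_nonce( 'sop_demo_action' ) (for instance via wp_localize_script on the plugin's own script handle) and submits it in the `security` field; any request that lacks it, including one forged from a third-party page, is rejected before the handler touches the database or the options table. When reviewing a plugin for the classes of bug reported here, the questions to ask are exactly the ones the comments mark: is every state-changing or data-returning admin-ajax action behind check_ajax_referer() and a capability check, is every query built with $wpdb->prepare() rather than string concatenation, and is every reflected value passed through the esc_*() function that matches where it is written.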