3 WordPress Plugin Vulnerabilities Disclosed Yesterday
Wordfence found three WordPress plugin vulnerabilities yesterday that I’d like to bring to your attention; all three are rated CVSS severity level medium.
Two of these vulnerabilities were found in the WP Fastest Cache plugin and the third in the Caldera Forms plugin.
Local File Inclusion Vulnerability Severity 4.2 (Medium) and Unauthorized Options Update Vulnerability Severity 4.4 (Medium) in WP Fastest Cache
Wordfence Security Researcher Panagiotis Vagenas discovered both of these vulnerabilities in the WP Fastest Cache plugin and reported them to the author yesterday. The Local File Inclusion vulnerability allows an attacker to execute code on the target web server or in a site visitor’s browser. This enables the attacker to steal or manipulate data, perform a denial of service attack, or enable additional attack types such as Cross Site Scripting. Websites running the Wordfence Firewall were already protected against this type of attack before the vulnerability was discovered.
The Options Update vulnerability allows an attacker to access and change the CDN (Content Delivery Network) options for the website. With this control an attacker can redirect all requests for CSS files, images, videos, etc. to their own site, allowing them to serve malicious content to visitors of the vulnerable site.
What to do?
The author released a fix within an hour of Wordfence notifying him of the vulnerabilities. If you are using the WP Fastest Cache plugin on your website, update it as soon as possible.
Sensitive Data Exposure Vulnerability Severity 4.3 (Medium) in Caldera Forms
Wordfence Security Researcher Panagiotis Vagenas also discovered this vulnerability and reported it to the Caldera Forms author yesterday as well. This vulnerability allows an attacker to gain access to potentially sensitive data that has been captured by a Caldera Form.
What to do?
The author released a fix within hours of discovery and published a blog post about it. If you are using the Caldera Forms plugin on your website, update it as soon as possible.