20170302 Vulnerable Plugins/Themes Report

This week’s report is pretty large, due in large part to the disclosure of the remaining discoveries from last year’s sumofpwn that were never fixed, despite repeated attempts to contact/work with the developers.

There are a couple of items in the report I want to address directly. They are listed in the notes section, but I want to highlight them here. Looking at the SVN repository for Adminer, the issue was fixed in v1.4.5, but the plugin has since been removed from the public repository. In general, exposing a world-accessible direct connection to your database is a bad idea. I would suggest going ahead and removing the plugin if you have it installed. You can read more about the initial disclosure.

The disclosure for FormBuilder was for version 1.0.5, with the latest version being 1.0.8. Though the initial disclosure doesn’t mention it, the plugin also outputs user-supplied data in other areas (and continues to do so in the most recent version). In addition, the plugin’s description mentions that the plugin is reaching end of life:

Be advised, FormBuilder is nearing end-of-life and may not be actively maintained in the future. It is advisable to switch your WordPress site to some other Form handling plugin at this time.

Given that it continues to have potential issues and is reaching end-of-life, I would strongly suggest removing it.

Regarding the Trust Form plugin, there is a version in the SVN repository (2.0.1) in which the author appears to have tried to address some of the disclosed vulnerabilities. However, other areas are still vulnerable to cross-site scripting, which is most likely why the plugin has been removed from the public repository. I would strongly suggest removing the plugin.

This week’s report.