1-26-2018 Updates and New Look

Lots of changes to the blog network today!

Plugin Updates

  • Caldera Forms v1.5.9.1
  • Wordfence v7.0.1
  • XCloner v4.0.7

New theme: SiteOrigin North

The blog network was looking a little dated, so I installed a new theme by SiteOrigin called North. SiteOrigin also makes a plugin called PageBuilder that gives you a lot of control over page layout. Their theme is responsive, clean and very easy to manipulate. I think the blog network now has a very clean and professional look.

Wordfence also had a major update to v7.0.1 with many changes to the framework they use for display and the way they scan for issues.  More info here.

Vulnerabilities in Formidable Forms, Duplicator and Yoast SEO Plugins

Wordfence is a security plugin used on the Lane Blog Network.  The company that produces the plugin is heavily involved in WordPress security and shares what they find with the WordPress community.

The Blog Network does not have any of the plugins listed in this post installed, but it is a good reminder that security needs attention at all times.

From Wordfence.com

This entry was posted in Vulnerabilities, WordPress Security on November 16, 2017 by Mark Maunder

Vulnerabilities have been reported in the Formidable Forms, Duplicator and Yoast SEO WordPress plugins. The Premium version of Wordfence protects against all of these vulnerabilities, even if you have not updated your plugins yet. We do recommend that you update immediately, whether or not you are using the Premium version of Wordfence.

The details of the vulnerabilities are as follows:

Formidable Forms 2.05.02 and older has multiple severe vulnerabilities

Jouko Pynnönen disclosed multiple vulnerabilities in Formidable Forms version 2.05.02 and older. The report included multiple serious problems:

  • A preview function allowed unauthenticated users to execute an arbitrary shortcode. Normally, the use of shortcodes is restricted to site authors or administrators, as many of them could be used to exploit a site.
  • One of the plugin’s shortcodes included a SQL injection vulnerability.
  • Another shortcode allowed an unauthenticated user to view form responses.
  • Form previews were vulnerable to reflected cross site scripting.
  • Form input was not sufficiently sanitized to prevent stored cross site scripting, which could have been used to target administrators when they viewed form responses.

Formidable Forms is used by over 200,000 active sites according to WordPress.org. The Formidable Forms team has released multiple updates addressing these issues, starting at 2.05.02. We released a firewall rule today, protecting Wordfence Premium customers from attempts to exploit this vulnerability. Free users should upgrade to version 2.05.05 immediately.

Duplicator 1.2.28 and older vulnerable to stored XSS

WPVulnDB also reports that Duplicator, running on over 1 million active sites, fixed a stored cross site scripting vulnerability affecting versions 1.2.28 and older. This report also included the code changes.

Duplicator version 1.2.29 fixed this issue, but their changelog does not mention a vulnerability (there is currently no entry at all for version 1.2.29). Wordfence includes built-in protection against attacks of this nature, so both Premium and free users should be safe.

Yoast SEO 5.7.1 and older vulnerable to unauthenticated XSS

Ryan Dewhurst’s WPVulnDB is reporting that Yoast SEO fixed an unauthenticated cross site scripting vulnerability that affected versions 5.7.1 and older. The code change showing the fix is linked to from the WPVulnDB report.
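The Formidable Forms items in the quoted advisory (an unauthenticated preview that runs arbitrary shortcodes, SQL injection inside a shortcode, and stored XSS in form responses viewed by administrators) map onto a few well-known WordPress patterns. The following is an added illustration, not code from Formidable Forms, Wordfence or any other plugin named above: a hypothetical forms plugin's AJAX preview handler in the weak shape the advisory describes, followed by a hardened version with a capability check, a nonce and a server-built shortcode, plus escaped rendering of stored responses and a prepared query for the shortcode-driven lookup. All `myforms_*` names, the `myforms` shortcode and the `myforms_responses` table are assumptions.

```php
<?php
// Added illustration, not code from any plugin named in the post; all myforms_* names are hypothetical.

// Weak pattern the advisory describes: a preview endpoint open to anonymous
// visitors that expands whatever shortcode text the caller supplies.
add_action( 'wp_ajax_nopriv_myforms_preview_weak', function () {
    echo do_shortcode( wp_unslash( $_POST['content'] ?? '' ) );
    wp_die();
} );

// Hardened preview: requires a capability and a nonce, and only ever expands
// this plugin's own shortcode, built server-side from a numeric form id.
add_action( 'wp_ajax_myforms_preview', 'myforms_preview' );
function myforms_preview() {
    if ( ! current_user_can( 'edit_posts' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'myforms_preview', 'nonce' );
    $form_id = absint( $_POST['form_id'] ?? 0 );
    $html    = do_shortcode( sprintf( '[myforms id="%d"]', $form_id ) );
    echo wp_kses_post( $html ); // strip anything outside the post-safe tag set
    wp_die();
}

// Stored responses are untrusted; escape them at output time whenever an
// administrator views them, which closes the stored-XSS path described above.
function myforms_render_responses( array $responses ) {
    $out = '<table>';
    foreach ( $responses as $row ) {
        $out .= '<tr><td>' . esc_html( $row['field'] ) . '</td><td>'
              . esc_html( $row['value'] ) . '</td></tr>';
    }
    return $out . '</table>';
}

// A shortcode attribute that reaches SQL goes through $wpdb->prepare(),
// never string concatenation, which is the SQL-injection item above.
function myforms_get_responses( int $form_id ) {
    global $wpdb;
    $sql = $wpdb->prepare(
        "SELECT field, value FROM {$wpdb->prefix}myforms_responses WHERE form_id = %d",
        $form_id
    );
    return $wpdb->get_results( $sql, ARRAY_A );
}
```

The `wp_ajax_nopriv_` hook is the part to audit in any plugin: anything registered there is reachable without logging in, so its handler must never evaluate caller-supplied shortcode text or build SQL by concatenation.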
