Roundup of February 2017 WordPress Vulnerabilities in WordPress Core, Plugins & Themes

This is the second instalment of the monthly WordPress Vulnerability Roundup for 2017. The roundup collects the vulnerabilities and security issues published by WordPress security blogs and websites that report WordPress security news and updates. It is made possible by Wpwhitesecurity. Subscribe to AdeMike to keep up to date with the latest happenings in the world of WordPress.

Very few WordPress vulnerabilities were reported for WordPress core, plugins and themes in the month of February. This month's count is lower than January's, and we hope it is a sign of better things to come for the WordPress community.

Overview of WordPress Vulnerability in February 2017

In February 2017, 15 WordPress plugins were found to have vulnerabilities, and only one premium WordPress theme had a vulnerability. We had hoped this would be a good sign, as stated above, but the response of the theme developer when he was informed of the security issue made us think otherwise. You definitely need to check it out.

Below is the complete list of all the WordPress vulnerabilities in plugins and themes reported in February 2017:

WordPress Vulnerabilities in Plugins

  • Blind SQL Injection in Kama Click Counter
  • SQL Injection Vulnerability in NextGEN Gallery for WordPress
  • Multiple SQL Injection vulnerabilities in Mail Masta
  • Persistent Cross-Site Scripting (XSS) Vulnerability in Easy Table
  • Reflected Cross-Site Scripting (XSS) Vulnerability in Time Sheets
  • Open Redirect Vulnerability in GTranslate
  • CSRF and Cross-Site Scripting (XSS) Vulnerabilities in Democracy Poll
  • Local File Inclusion (LFI) Vulnerability in Posts in Page
  • Arbitrary File Upload Vulnerability in Web Tripwire
  • Persistent Cross-Site Scripting (XSS) Vulnerability in XO Security
  • Arbitrary File Upload Vulnerability in SpamTask
  • Arbitrary File Upload Vulnerability in WP Simple Cart

WordPress Vulnerabilities in Themes

  • Unauthenticated Directory Traversal in Javo Spot Premium Theme

WordPress Vulnerabilities: Core, Plugins & Themes Vulnerabilities Roundup for January 2017


In January, 33 WordPress plugin vulnerabilities were reported, and 12 in WordPress core. Since we began keeping a record of reported vulnerabilities, this has been the busiest month for WordPress core vulnerabilities. All of these vulnerabilities are nonetheless a good sign that WordPress is simply becoming more secure software, as explained in Crunching the numbers: how secure is WordPress?

Below is the complete list of all the WordPress plugins and themes vulnerabilities reported in December 2016:

WordPress Vulnerabilities in Plugins

  • CSRF and XSS vulnerabilities in ABASE plugin
  • Arbitrary file upload vulnerability in Seo Spy plugin
  • Arbitrary file upload vulnerability in PHP Analytics plugin
  • Arbitrary file upload vulnerability in Social plugin
  • Remote Code Execution (RCE) in Google Maps by Daniel Martyn plugin
  • Arbitrary file upload vulnerability in ChikunCounter plugin
  • Arbitrary File Upload Vulnerability in Developer Tools plugin
  • Unauthenticated PHP Object injection in CMS Commander Client plugin
  • Unauthenticated PHP Object injection in Google Forms plugin
  • Arbitrary File Upload vulnerability in DOP Slider plugin
  • CSRF and XSS vulnerabilities in Hupso Share Buttons for Twitter, Facebook & Google+ plugin
  • Open redirect vulnerability in moreAds SE
  • Reflected Cross-Site Scripting (XSS) Vulnerability in moreAds SE plugin
  • Information Disclosure Vulnerability in W3 Total Cache plugin
  • CSRF and XSS in Arigato Autoresponder and Newsletter plugin
  • Reflected Cross-Site Scripting (XSS) vulnerability in Event Notifier plugin
  • Remote Local File Inclusion in Direct Download for WooCommerce
  • Reflected Cross-Site Scripting (XSS) Vulnerability in WangGuard plugin
  • SQL Injection in 404 Redirection Manager
  • Reflected Cross-Site Scripting (XSS) Vulnerability in Super Socializer
  • Cross-Site Scripting (XSS) & CSRF in Responsive Poll plugin
  • Privilege Escalation in WP Support Plus Responsive Ticket System plugin
  • PHP Object Injection Vulnerability in Post Grid plugin
  • Username enumeration bypasses in Stop User Enumeration plugin
  • Cross-Site Scripting (XSS) in Chained Quiz plugin
  • Cross-site Scripting vulnerability in WooCommerce plugin
  • Authenticated Arbitrary File Deletion in Slider plugin
  • Authenticated Path Traversal in XCloner – Backup and Restore plugin
  • Authenticated Arbitrary File Deletion Vulnerability in BuddyPress
  • Information disclosure in Pike Firewall WordPress plugin

WordPress Vulnerabilities in Core

  • Unauthenticated privilege escalation in a REST API endpoint
  • Cross-Site Scripting (XSS) in posts list table
  • SQL Injection in WP_Query
  • Press This available to unauthorised users
  • Cross-site request forgery (CSRF) in WordPress prior to 4.7.1
  • Information Disclosure in WordPress prior to 4.7.1
  • Cross-site request forgery (CSRF) in the accessibility mode of widget editing
  • Cross-site scripting (XSS) vulnerability via theme name fallback
  • Cross-site request forgery (CSRF) bypass via uploading a Flash file.
  • Cross-site scripting in update-core.php
  • User information disclosure in WordPress Rest API
  • Remote code execution vulnerability in PHPMailer (shipped with WordPress)

You can read the release notes of WordPress 4.7.1 for more information on the above-mentioned WordPress vulnerabilities in core that are not linked.

Source: WPWhiteSecurity

Overview of WordPress Vulnerabilities in December 2016

In this December 2016 monthly roundup of reported WordPress core, plugin and theme vulnerabilities, very few WordPress plugin vulnerabilities were reported.

Overview of WordPress Plugins Vulnerabilities in December 2016

27 WordPress plugin vulnerabilities were discovered in December. Also in the month of December, the trend of plugins being removed from the WordPress repository continued; we noticed that the number of plugins being taken offline from the WordPress repository is increasing. Plugins are taken offline when developers do not fix vulnerabilities, or when the developers cannot be reached and the vulnerabilities therefore remain unfixed. This is a good initiative since it ensures that the majority of WordPress plugins on the repository are being maintained and, above all, are secure.

Below is the complete list of all the WordPress plugin vulnerabilities reported in December 2016:

WordPress Plugin Vulnerabilities

  • CSRF security issue in Copy-Me plugin
  • SSRF vulnerability in Nelio AB Testing plugin
  • SQL Injection in Xtreme Locator Dealer Locator plugin
  • Blind Injection in ZM Gallery plugin
  • SQL Injection in WP Private Messages plugin
  • CSRF / Database Update vulnerability in ZX_CSV Upload plugin
  • SQL Injection in Single Personal Message plugin
  • SQL Injection in WP Support Plus Responsive Ticket System plugin
  • Authenticated Information Disclosure in Backup & Restore Dropbox plugin
  • Stored XSS and CSRF in Quiz and Survey Master plugin
  • Multiple SQL Injection and XSS vulnerabilities in Podlove Podcast Publisher
  • Reflected XSS vulnerability in MailChimp for WordPress plugin
  • Arbitrary File Upload vulnerability in Delete All Comments plugin
  • Reflected Cross-site Scripting in Social Pug – Easy Social Share Buttons plugin
  • CSRF vulnerability in Multisite Post Duplicator plugin
  • PHP Object Injection in BP Profile Search
  • CSRF & XSS vulnerabilities in Twitter Cards Meta plugin
  • Information Disclosure vulnerability in WooCommerce Email Test plugin
  • Arbitrary file deletion vulnerability in Image Slider plugin
  • Unauthenticated change of password critical security issue in Ultimate Member plugin
  • SQL Injection in WA Form Builder
  • SQL Injection vulnerability in Product Catalog plugin
  • Unauthenticated SQL Injection in BBS e-Franchise plugin
  • Local File Inclusion in WP Vault plugin

This roundup of vulnerabilities and security issues is made possible through WP Security Bloggers.

November WordPress Vulnerabilities RoundUp

This is the monthly roundup of WordPress vulnerabilities for the month of November. It covers all the vulnerabilities in WordPress plugins and themes reported during November 2016. The roundup is made possible through Wp Security Bloggers, an aggregate of popular WordPress security blogs and websites that publish WordPress security news and updates. During November no WordPress vulnerabilities were reported in the WordPress core.

Overview of WordPress Vulnerabilities in November 2016

39 WordPress plugin vulnerabilities were reported in November. That is the highest number of vulnerabilities recorded since July this year, when WP White Security started recording these statistics.

There has also been an increasing trend in the number of plugins being taken offline from the WordPress repository. Plugins are taken offline when developers do not fix vulnerabilities, or when the developers cannot be reached and the vulnerabilities therefore remain unfixed. This is a good initiative since it ensures that the majority of WordPress plugins on the repository are being maintained and, above all, are secure.

Below is the complete list of all the WordPress Vulnerabilities found in plugins and themes reported in November 2016:

WordPress Vulnerabilities in Plugins

WordPress Vulnerabilities in Themes

Source

How to Delete Uncategorized Category From WordPress

Delete Uncategorized Category In WordPress

Sometimes you might have difficulty deleting the Uncategorized category in WordPress. By default, WordPress blog posts are filed under the ‘Uncategorized’ category. This can be annoying, as any blog post not manually categorized will be listed under this category.

And if you go to the Categories screen in WordPress, there is no option to delete the Uncategorized category from the list. This can be annoying. I’m sure some of you know exactly what I’m talking about.

[Screenshot: no option to delete Uncategorized]

Well, you don’t have to worry about this anymore. Today, I’m going to pass along the steps you can use to delete the Uncategorized category so you won’t have to deal with this little annoyance anymore. Even if you have some posts in the ‘Uncategorized’ category, don’t worry: they won’t be deleted and you won’t lose them. They will simply be moved to whatever the new default category is.

STEP 1: CREATE A NEW CATEGORY

You can skip this step if you have created different categories for your blog but if you have not, continue.

  • Go to Posts > Categories. The existing categories are listed on the right side; on the left side is the form to add a new category.
  • Enter the name of the new category and its slug (the URL-friendly version of the category name, usually in lower case).
  • Click Add New Category and the category will be created.

[Screenshot: adding a category]

[Screenshot: new category added]

STEP 2: CHANGE THE DEFAULT POST CATEGORY

Under Settings > Writing, there is an option called Default Post Category. This is the category that all of your posts will be filed under automatically. The WordPress default is ‘Uncategorized’. You cannot delete whichever category is selected here, which is why you are unable to delete the Uncategorized category.

  • Go to Settings > Writing
  • Click the drop-down arrow beside Default Post Category
  • Switch it to another category, and
  • Click Save Changes

[Screenshot: changing the Writing setting]

STEP 3: DELETE ‘UNCATEGORIZED’

Now that you have changed the default post category from ‘Uncategorized’ to another of your choice, you will be able to delete the unwanted ‘Uncategorized’ category. To delete it:

  • Go to Posts > Categories
  • Hover your mouse over ‘Uncategorized’
  • You will notice that the option to delete Uncategorized is now visible.
  • Click ‘Delete’ and it’s gone!
  • It is that simple! Say goodbye to uncategorized posts.

[Screenshot: deleting Uncategorized]

[Screenshot: Uncategorized deleted]

Note: Deleting a category does not delete the posts in that category. Instead, posts that were only assigned to the deleted category are set to the new default category you selected in Step Two. So don’t worry!
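The same three steps as a single WordPress API routine, added here as an example and not code from the original post. It assumes a loaded WordPress environment (for instance run with `wp eval-file`); the function name and the ‘Blogging’ category are made-up sample values.

```php
<?php
/**
 * Added example (not from the original post): the three manual steps above as
 * WordPress API calls. Assumes WordPress is loaded; run it with
 * `wp eval-file this-file.php`. Function name and category are made up.
 */
function ademike_replace_default_category( $new_name, $new_slug ) {
    $taxonomy = 'category';

    // Step 1: create the replacement category (or reuse it if it already exists).
    $existing = get_term_by( 'slug', $new_slug, $taxonomy );
    if ( $existing instanceof WP_Term ) {
        $new_id = (int) $existing->term_id;
    } else {
        $created = wp_insert_term( $new_name, $taxonomy, array( 'slug' => $new_slug ) );
        if ( is_wp_error( $created ) ) {
            return $created; // Invalid name etc.; nothing has been changed yet.
        }
        $new_id = (int) $created['term_id'];
    }

    // Step 2: point Settings > Writing > Default Post Category at the new term.
    // WordPress refuses to delete whatever term this option names, so this
    // must happen before step 3.
    $old_id = (int) get_option( 'default_category' );
    if ( $old_id === $new_id ) {
        return new WP_Error( 'same_term', 'The new category is already the default.' );
    }
    update_option( 'default_category', $new_id );

    // Step 3: delete the old default ('Uncategorized' on a stock install).
    // Posts that were only in the old term are reassigned to the new default.
    // wp_delete_term() returns 0 if the term is still the default category,
    // false if it does not exist, and true on success.
    $result = wp_delete_term( $old_id, $taxonomy );
    if ( true !== $result ) {
        return new WP_Error( 'delete_failed', 'Could not delete the old default category.' );
    }
    return $new_id;
}

$outcome = ademike_replace_default_category( 'Blogging', 'blogging' );
if ( is_wp_error( $outcome ) ) {
    echo 'Failed: ' . $outcome->get_error_message() . PHP_EOL;
} else {
    echo 'Default category is now term ID ' . $outcome . PHP_EOL;
}
```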

Please remember that categories are your primary navigation and gateway to content on your site. Use them wisely. Use names that tell the visitor in an instant that they are in the right place. Use names that guide the user to the help and information they want.

Things You Need to Know About Categories

Here are a few things you need to know about categories in WordPress.

  • A category will not appear in your category navigation unless there is a published post in it.
  • Category names should be keyword-specific, not made-up or fun names. They are important navigation links, so call them what they represent.
  • You can have one post in multiple categories.
  • Categories can have subcategories.
  • By default, the WordPress permalink structure for categories includes the word “category” in the permalink, such as http://example.com/category/blogging/.
  • By default, the WordPress permalink structure for subcategories is http://example.com/category/blogging/blogging-tips/, featuring the parent category slug name first, followed by the subcategory slug.
  • Categories have their own feeds. The link to the feed is in the structure of http://example.com/category/blogging/feed/ by default.
  • Pages do not have categories, only posts.