The latest vulnerabilities in WordPress plugins
Three vulnerabilities in WordPress plugins: a security bypass in Access Areas, cross-site scripting in Download Manager, and a security bypass in DukaPress.
1. Security Bypass in WordPress Access Areas Plugin
Severity: Low
Fix available: Yes
Number of vulnerabilities: 1
CVSSv2 rating: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C (Base: 7.5 / Temporal: 5.5)
Attack vector: Remote
Impact: Security Bypass
Affected products: WordPress Access Areas Plugin 1.x
Affected versions: WordPress Access Areas versions prior to 1.3.1
Description:
The vulnerability allows malicious people to bypass certain security restrictions.
The vulnerability is caused by improper enforcement of access restrictions on posts: a remote user can change the access settings that are supposed to protect them.
Solution: Install the latest version, 1.3.1, from the vendor.
Link: https://wordpress.org/plugins/wp-access-areas/changelog/
2. Cross-Site Scripting in WordPress Download Manager Plugin
Severity: Low
Fix available: Yes
Number of vulnerabilities: 1
CVSSv2 rating: AV:N/AC:L/Au:N/C:N/I:P/A:N/E:U/RL:OF/RC:C (Base: 5.0 / Temporal: 3.7)
Attack vector: Remote
Impact: Cross-site scripting (XSS)
Affected products: WordPress Download Manager Plugin 2.x
Affected versions: WordPress Download Manager versions prior to 2.6.93
Description:
The vulnerability can be exploited by malicious people to conduct cross-site scripting (XSS) attacks.
The vulnerability is caused by insufficient sanitisation of input passed to the wpdm_delete_file() and wpdm_save_file() functions in download-manager.php. A remote attacker can use a specially crafted request to execute arbitrary script code in a user's browser session in the context of an affected site.
Solution: Install the latest version, 2.6.93, from the vendor.
Link: https://wordpress.org/plugins/download-manager/changelog/
3. Security Bypass in WordPress DukaPress Plugin
Severity: Medium
Fix available: Yes
Number of vulnerabilities: 1
CVSSv2 rating: AV:N/AC:L/Au:N/C:P/I:P/A:P/E:U/RL:OF/RC:C (Base: 7.5 / Temporal: 5.5)
Attack vector: Remote
Impact: Security Bypass
Affected products: WordPress DukaPress Plugin 2.x
Affected versions: WordPress DukaPress versions prior to 2.4
Description:
The vulnerability allows malicious people to bypass certain security restrictions.
The vulnerability is caused by an unspecified error; details were not disclosed by the vendor.
Solution: Install the latest version, 2.4, from the vendor.
Link: https://wordpress.org/plugins/dukapress/changelog/
Vendor URLs:
WordPress Access Areas Plugin
WordPress Download Manager Plugin
WordPress DukaPress Plugin