IgniteUp users are being urged to update to version 3.4.1
Developers behind a popular WordPress plugin that’s used to display ‘coming soon’ and maintenance mode pages have addressed a range of security vulnerabilities.
Previous versions of the IgniteUp plugin, which has more than 30,000 active installations, were found to be vulnerable to numerous issues, including cross-site scripting (XSS), information disclosure, and arbitrary file deletion.
Among the clutch of vulnerabilities identified by security researcher Jerome Bruandet was a security bug that could allow an unauthenticated user to delete any file or folder on the target website.
Bruandet, whose findings were published on the NinTechNet blog, also discovered that the AJAX API in the plugin’s contact form did not validate or sanitize user input, resulting in an HTML injection and potential cross-site request forgery (CSRF) vulnerability.
In addition, a stored XSS vulnerability could provide a bridgehead for the injection of malicious JavaScript in the WordPress admin backend, said the researcher.
Moreover, a lack of admin checks and omission of a security nonce could allow an unauthenticated attacker to download all email addresses held by a WordPress site running the plugin.
Bruandet also noted that two functions – removeSubscribers and activateTemplate – could be used to delete subscribers or switch the plugin’s template.
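To illustrate the pattern behind the missing admin check and nonce the article describes, the block below is an added example, not IgniteUp's own code; the hook names, the `myplugin_subscribers` option and the nonce action are hypothetical. It places a WordPress AJAX handler that hands out a subscriber list without any checks beside a hardened version that requires a valid nonce, an administrator capability and sanitized input.

```php
<?php
// Added example, not IgniteUp code. Hook names, the 'myplugin_subscribers'
// option and the nonce action 'myplugin_export_nonce' are hypothetical.

// Weak pattern: registered for both logged-in and anonymous (nopriv) callers,
// with no capability check and no nonce, so any visitor can pull the list
// and a CSRF page can trigger it on a logged-in admin's behalf.
add_action( 'wp_ajax_myplugin_export', 'myplugin_export_weak' );
add_action( 'wp_ajax_nopriv_myplugin_export', 'myplugin_export_weak' );
function myplugin_export_weak() {
    wp_send_json_success( get_option( 'myplugin_subscribers', array() ) );
}

// Hardened pattern: no nopriv registration (anonymous requests never reach
// it), the caller must be an administrator, and the request must carry a
// nonce bound to this specific action.
add_action( 'wp_ajax_myplugin_export_secure', 'myplugin_export_secure' );
function myplugin_export_secure() {
    // Rejects a missing or stale nonce with HTTP 403 (dies by default).
    check_ajax_referer( 'myplugin_export_nonce', 'nonce' );

    // Being logged in is not enough; require an admin-level capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }

    // Sanitize everything read from the request before it touches options.
    $remove = isset( $_POST['remove'] ) ? sanitize_email( wp_unslash( $_POST['remove'] ) ) : '';
    $subscribers = get_option( 'myplugin_subscribers', array() );
    if ( $remove !== '' && is_email( $remove ) ) {
        $subscribers = array_values( array_diff( $subscribers, array( $remove ) ) );
        update_option( 'myplugin_subscribers', $subscribers );
    }

    // Escape values on output so a stored address cannot inject markup.
    wp_send_json_success( array_map( 'esc_html', $subscribers ) );
}

// The admin page that calls the secure endpoint must be handed a matching
// nonce; the script handle 'myplugin-admin' is hypothetical.
add_action( 'admin_enqueue_scripts', function () {
    wp_localize_script( 'myplugin-admin', 'myplugin', array(
        'ajax_url' => admin_url( 'admin-ajax.php' ),
        'nonce'    => wp_create_nonce( 'myplugin_export_nonce' ),
    ) );
} );
```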
Responding to a request for further information, NinTechNet told The Daily Swig: “We usually find [those] kind of vulnerabilities in plugins and themes installed on infected WordPress websites, when trying to find the entry point of the hack.
“After auditing them, we always report the issues to their authors in order to have them fixed asap.”
The vulnerabilities were reported to the WordPress security team on September 20.
The new version (3.4.1), which was released November 8, includes fixes for all of the bugs, said Bruandet.
Designed by Sri Lanka-based Ceylon Systems, the IgniteUp plugin displays customised ‘coming soon’ or ‘website under maintenance’ messages, with the option of a countdown timer.
The Daily Swig has also contacted Ceylon Systems for further comment.