April 15

Unpatched High-Severity Vulnerability within Widget Settings Importer/Exporter Plugin

WordPress Security, WordPress Vulnerabilities


This post was originally published on this site

On March 12, 2020, our Threat Intelligence team discovered a stored Cross-Site Scripting (XSS) vulnerability in Widget Settings Importer/Exporter, a WordPress plugin with more than 40,000 installations. This flaw allowed an authenticated attacker with low, subscriber-level permissions to import and activate custom widgets containing arbitrary JavaScript into a site with the plugin installed.

We reached out to the plugin vendor the same day, March 12, 2020, but have not yet received a reply. On March 20, 2020, we reached out to the WordPress plugins team and sent them the full disclosure of the vulnerability, and after following up with them on April 13, 2020, the plugin has been removed from the WordPress repository. As there is no patch available, we recommend deactivating and removing this plugin.

Wordfence Premium customers received a new firewall rule on March 12, 2020 to protect against exploits targeting this vulnerability. Free Wordfence users received this rule on April 11, 2020.

Description: Authenticated Stored Cross-Site Scripting (XSS)
Affected Plugin: Widget Settings Importer/Exporter
Plugin Slug: widget-settings-importexport
Affected Versions
CVE ID: Pending
CVSS Score: 7.4 (High)
Fully Patched Version: N/A

Widget Settings Importer/Exporter is a WordPress plugin that provides the ability to import and export WordPress Widgets, a WordPress feature that adds functionality to a site's header, sidebars and footer. The plugin registers an AJAX action that is used to perform widget imports:

add_action( 'wp_ajax_import_widget_data', array( __CLASS__, 'ajax_import_widget_data' ) );

As is the case with many similar vulnerabilities, the function called by the AJAX action does not use capability checks or nonce checks. This means that any authenticated user, regardless of their permissions, can use it to import widgets into the site, including widgets containing malicious JavaScript, which would then be executed in the browser of any visitor to the site.

Specifically, the ajax_import_widget_data function obtains the widget data to be imported by calling file_get_contents on the supplied import_file parameter. Many sites are configured with a setting, allow_url_fopen, which allows this function to retrieve the contents of a remotely hosted file. This allows an attacker to import a malicious widget to the site by sending a $_POST request to wp-admin/admin-ajax.php with the action parameter set to import_widget_data, the import_file parameter set to the URL of a crafted, remotely hosted JSON file, and the widgets parameter set to describe the widget to be imported.

If the clear_current parameter is set, any currently active widgets on the site would also be removed. If the imported widget contains malicious JavaScript, it could be used to redirect visitors to malvertising sites, or to steal an administrator's session, potentially resulting in site takeover.

The vulnerable function:

   public static function ajax_import_widget_data()
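The two missing checks described above (a nonce check and a capability check), plus the removal of the remote-fetch path, are what a patched handler would need. The following is an added example written for this post, not the plugin's own code or a vendor patch: it keeps the same `wp_ajax_import_widget_data` hook but gates the import on a nonce, on the `edit_theme_options` capability, and on an uploaded file rather than a URL passed to file_get_contents. The nonce action name `wsie_import_nonce`, the `security` request field, and the `sanitize_widgets` helper are assumptions made for illustration.

```php
<?php
// Added example, not the plugin's code. Hardened AJAX widget-import handler.
// Assumed names: nonce action 'wsie_import_nonce', request field 'security'.

class Hardened_Widget_Import {

    public static function register() {
        // Same hook the vulnerable plugin used. No 'wp_ajax_nopriv_' variant is
        // registered, so unauthenticated requests are never routed here.
        add_action( 'wp_ajax_import_widget_data', array( __CLASS__, 'ajax_import_widget_data' ) );
    }

    // The settings page that renders the import form must emit the matching
    // nonce, e.g. wp_nonce_field( 'wsie_import_nonce', 'security' ).
    public static function ajax_import_widget_data() {
        // 1. Nonce check: dies with a 403 unless the 'security' field carries a
        //    valid nonce for 'wsie_import_nonce', blocking scripted/cross-site POSTs.
        check_ajax_referer( 'wsie_import_nonce', 'security' );

        // 2. Capability check: widgets control site appearance, so only users who
        //    may edit theme options (administrators by default) can import them.
        if ( ! current_user_can( 'edit_theme_options' ) ) {
            wp_send_json_error( 'Insufficient permissions', 403 );
        }

        // 3. No remote fetch: accept only a file uploaded with this request, so
        //    allow_url_fopen can never turn 'import_file' into a URL to pull.
        if ( empty( $_FILES['import_file']['tmp_name'] )
            || ! is_uploaded_file( $_FILES['import_file']['tmp_name'] ) ) {
            wp_send_json_error( 'No uploaded import file', 400 );
        }
        $raw  = file_get_contents( $_FILES['import_file']['tmp_name'] );
        $data = json_decode( $raw, true );
        if ( ! is_array( $data ) ) {
            wp_send_json_error( 'Import file is not valid JSON', 400 );
        }

        // 4. Destructive option only after the checks above, and only when
        //    explicitly requested.
        $clear_current = ! empty( $_POST['clear_current'] );

        // 5. Even an administrator's import should not carry script into every
        //    visitor's browser: string fields are reduced to the post-content
        //    allow-list before anything is stored.
        $clean = self::sanitize_widgets( $data );

        // Persisting $clean into the sidebar/widget options is the plugin's own
        // import logic and is unchanged by this hardening; it receives only
        // sanitized data from a nonce-verified, privileged, uploaded request.
        wp_send_json_success( array(
            'sidebars'      => count( $clean ),
            'clear_current' => $clear_current,
        ) );
    }

    // Walks a sidebar => [widget instance, ...] structure, keeps only keys that
    // survive sanitize_key() and runs wp_kses_post() over every string value.
    private static function sanitize_widgets( array $widgets ) {
        $out = array();
        foreach ( $widgets as $sidebar => $instances ) {
            $sidebar = sanitize_key( $sidebar );
            if ( '' === $sidebar || ! is_array( $instances ) ) {
                continue;
            }
            foreach ( $instances as $instance ) {
                if ( ! is_array( $instance ) ) {
                    continue;
                }
                $clean_instance = array();
                foreach ( $instance as $field => $value ) {
                    $field = sanitize_key( $field );
                    if ( '' === $field ) {
                        continue;
                    }
                    $clean_instance[ $field ] = is_string( $value ) ? wp_kses_post( $value ) : $value;
                }
                $out[ $sidebar ][] = $clean_instance;
            }
        }
        return $out;
    }
}

Hardened_Widget_Import::register();
```

Order matters: check_ajax_referer() runs first because it terminates the request on failure, so the later checks never see a forged request; the capability check then narrows who may import at all; and taking the import from $_FILES rather than a URL removes the remote-fetch primitive entirely, which is the only change that does not depend on PHP's allow_url_fopen setting.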

What Should I Do?

It is likely that this plugin will never be patched, so we strongly recommend deactivating and removing it from your site. Plugins with similar functionality, such as Widget Importer & Exporter, are available and should be reasonably secure, though it should be considered best practice to deactivate and remove any plugins that aren't actively used.

Disclosure Timeline

March 12, 2020 – Vulnerability initially discovered and analyzed. Firewall rule released for Wordfence Premium users. Initial outreach to plugin vendor.
March 20, 2020 – We contact the WordPress plugins team and provide them with full disclosure.
April 11, 2020 – Wordfence free users receive firewall rule.
April 13, 2020 – We follow up with the WordPress plugins team and the plugin is removed from the WordPress repository.
April 15, 2020 – Vulnerability disclosed after more than 30 days with no response from plugin vendor.


In today's post, we detailed a stored Cross-Site Scripting (XSS) vulnerability in the Widget Settings Importer/Exporter WordPress plugin. This flaw has not yet been patched, so we recommend that users deactivate and delete this plugin immediately until a patch is made available. Sites running Wordfence Premium have been protected from attacks against this vulnerability since March 12, 2020. Sites running the free version of Wordfence received a firewall rule update on April 11, 2020.

The post Unpatched High-Severity Vulnerability in Widget Settings Importer/Exporter Plugin appeared first on Wordfence.

About the author 

WP Maintain Support Protect
