We reached out to the plugin vendor that same day, March 12, 2020, but have not yet received a reply. On March 20, 2020, we reached out to the WordPress plugins team and sent them the full disclosure of the vulnerability, and after following up with them on April 13, 2020, the plugin has been removed from the WordPress repository. As there is no patch available, we recommend deactivating and removing this plugin.
Wordfence Premium customers received a new firewall rule on March 12, 2020 to protect against exploits targeting these vulnerabilities. Free Wordfence users received this rule on April 11, 2020.
Affected Plugin: Widget Settings Importer/Exporter
Plugin Slug: widget-settings-importexport
CVE ID: Pending
CVSS Score: 7.4 (high)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Fully Patched Version: N/A
Widget Settings Importer/Exporter is a WordPress plugin that provides the ability to import and export WordPress Widgets – a WordPress feature that adds functionality to a website's header, sidebars and footer. The plugin registers an AJAX action that is used to perform the widget import:
add_action( 'wp_ajax_import_widget_data', array( __CLASS__, 'ajax_import_widget_data' ) );
The ajax_import_widget_data function obtains the widget data to be imported by calling file_get_contents on the supplied import_file parameter. Many sites are configured with a setting, allow_url_fopen, which allows this function to retrieve the contents of a remotely hosted file. This allows an attacker to import a malicious widget to the site by sending a $_POST request to wp-admin/admin-ajax.php with the action parameter set to import_widget_data, the import_file parameter set to the URL of a crafted, remotely hosted JSON file, and the widgets parameter set to describe the widget to be imported.
The vulnerable function:
public static function ajax_import_widget_data()
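For contrast, the following is an added example of how a handler for the same AJAX action can be hardened; it is not the plugin's code or a Wordfence patch. The class name, the nonce action name and the destination option are assumptions, and the sanitized data is written to a placeholder option rather than wired into WordPress's widget storage.

```php
<?php
// Added example (not the plugin's code): a hardened import handler for the
// wp_ajax_import_widget_data action. Class name, nonce action and the
// destination option are assumptions chosen for illustration.
class Hardened_Widget_Import {
    public static function register() {
        // Same hook name as the vulnerable plugin; the handler below is ours.
        add_action( 'wp_ajax_import_widget_data', array( __CLASS__, 'ajax_import_widget_data' ) );
    }

    public static function ajax_import_widget_data() {
        // 1. Only users who may manage widgets can import them; this closes the
        //    low-privilege (PR:L) access reflected in the CVSS vector.
        if ( ! current_user_can( 'edit_theme_options' ) ) {
            wp_send_json_error( 'insufficient permissions', 403 );
        }
        // 2. CSRF protection for the AJAX request (nonce action is an assumption).
        check_ajax_referer( 'widget_import_nonce', 'nonce' );

        // 3. Never pass a caller-supplied import_file to file_get_contents:
        //    accept only a file uploaded with this request, so allow_url_fopen
        //    can no longer turn the import into a remote fetch.
        if ( empty( $_FILES['import_file']['tmp_name'] ) || ! is_uploaded_file( $_FILES['import_file']['tmp_name'] ) ) {
            wp_send_json_error( 'no uploaded file', 400 );
        }
        $data = json_decode( file_get_contents( $_FILES['import_file']['tmp_name'] ), true );
        if ( ! is_array( $data ) ) {
            wp_send_json_error( 'invalid JSON', 400 );
        }

        // 4. Sanitize every setting before it is stored, so a crafted file
        //    cannot plant script in a sidebar (the stored XSS described above).
        $clean = array();
        foreach ( $data as $widget_id => $settings ) {
            $clean[ sanitize_key( $widget_id ) ] = self::sanitize_setting( (array) $settings );
        }
        update_option( 'hardened_widget_import', $clean ); // placeholder destination
        wp_send_json_success( array( 'imported' => count( $clean ) ) );
    }

    // Recursively strip disallowed HTML from string values; leave other types alone.
    public static function sanitize_setting( $value ) {
        if ( is_array( $value ) ) {
            return array_map( array( __CLASS__, 'sanitize_setting' ), $value );
        }
        return is_string( $value ) ? wp_kses_post( $value ) : $value;
    }
}
Hardened_Widget_Import::register();
```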
What Should I Do?
It is likely that this plugin will never be patched, so we strongly recommend deactivating and removing this plugin from your site. Plugins with similar functionality, such as Widget Importer & Exporter, are available and should be reasonably secure, though it should be considered best practice to deactivate and remove any plugins that aren't actively used.
March 12, 2020 – Vulnerability initially discovered and analyzed. Firewall rule released for Wordfence Premium users. Initial outreach to plugin vendor.
March 20, 2020 – We contact the WordPress plugins team and provide them with full disclosure.
April 11, 2020 – Wordfence free users receive firewall rule.
April 13, 2020 – We follow up with the WordPress plugins team and the plugin is removed from the WordPress repository.
April 15, 2020 – Vulnerability disclosed after more than 30 days with no response from the plugin vendor.
In today's post, we detailed a stored Cross-Site Scripting (XSS) vulnerability in the Widget Settings Importer/Exporter WordPress plugin. These flaws have not yet been patched, so we recommend that users deactivate and delete this plugin immediately until a patch is made available. Sites running Wordfence Premium have been protected against attacks targeting this vulnerability since March 12, 2020. Sites running the free version of Wordfence received a firewall rule update on April 11, 2020.
The post Unpatched High-Severity Vulnerability in Widget Settings Importer/Exporter Plugin appeared first on Wordfence.