This is a monthly roundup of all the WordPress core, WordPress plugins and WordPress themes vulnerabilities reported during the month of October 2016. This roundup is made possible through WP Security Bloggers, an aggregate of popular WordPress security blogs and websites that publish WordPress security news and updates.
Recap of WordPress Vulnerabilities in October 2016
October 2016 was a slow month in terms of reported vulnerabilities, though not a boring one, mainly because of a sensitive information disclosure vulnerability in the WordPress REST API plugin. With a single HTTP request, an attacker could obtain the username, email address, first name, last name, date of registration, and detailed privilege information for every registered user on the target WordPress site. Such WordPress REST API security issues were the worry of many WordPress users when WordPress was planning to include the REST API in the core.
Well, the vulnerability was fixed, so we have a better WordPress REST API now. Also, it was never included in the WordPress core, so there is not much to worry about. Below is the complete list of all the reported vulnerabilities during October 2016.
WordPress Plugins Vulnerabilities
- Local File Inclusion in Simple Ads Manager plugin
- CSRF in WP Database Backup plugin
- CSRF in GoDaddy Email Marketing plugin
- CSRF / XSS vulnerabilities in Site Analytics plugin
- Sensitive information disclosure in WordPress REST API
- Arbitrary File Upload in WP Marketplace plugin
- Signature Wrapping in OneLogin SAML SSO plugin
- Blind XSS in Gravity Forms plugin
- CSRF / XSS in WordPress Newsletter plugin
- Arbitrary file viewing in Simply Static plugin
- Reflective XSS in Portfolio plugin
- Multiple XSS vulnerabilities in WP Editor plugin
- XSS in iThemes Security plugin