The Dutch hacking community's Summer of Pwnage (SoP) has disclosed three vulnerabilities in WordPress plugins, including an XSS in the popular Ninja Forms.
That's because the plugin “insufficiently performs CSRF validation (ajaxreferer and nonce) and fails to perform output encoding according to context at any point where user-supplied input is copied into application responses”, SoP says. The fix is here.
Second, there are multiple SQL injection vulnerabilities in a WordPress video player plugin. These are serious because SoP says they would let an attacker get an admin password.
The vulnerabilities only need “logged in contributor” status to exploit; a slip in how the author of the plugin implemented
esc_sql() means the attacker can inject arbitrary SQL into the plugin.
The patched version is in this Zipfile.
Third, the Icegram lead-capture plugin has a cross-site request forgery vulnerability: any WordPress option can be overwritten with the value TRUE, so an attacker can change the victim's configuration.
That bug is fixed in Icegram 1.9.19. ®