Nine disclosures this week, with five issues unfixed.
View this week’s vulnerable plugins list.
The largest disclosure this week was most likely the SQL Injection combined with Object Injection vulnerability in the Contact Form for WordPress – Ultimate Form Builder Lite plugin disclosed by Wordfence. At the time of discovery, the vulnerability was being actively exploited in the wild. The author has released version 1.3.7, so please make sure you have updated.
For this week’s unfixed vulnerabilities, the Full Path Disclosure issue with the Inline Image Upload for BBPress (and it’s Pro version) isn’t a vulnerability by itself, but can be used in combination with other attacks that require knowing the server path. Hopefully the vendor will release a fix soon, but if not, you can mitigate this issue by ensuring display_errors is disabled for php for your site. The specifics of how you disable it will depend on your hosting set up. If you’re not sure, contact your hosting provider or system administrator.
Other WordPress News
WordPress version 4.9 is currently in Beta 4 with a Release Candidate scheduled for this Monday, with a final target release date of Tuesday, November 14th. It’s always a good idea to test out Release Candidates in your development environments, if possible. If not, start preparing to update your sites mid-November.