Gravityscan Blog

New This Week: January 4, 2018

This entry was posted in Drupal, Joomla, vBulletin, Weekly Scanner Updates, Wordpress on Jan 4, 2018 by Colette 0 Replies

Gravityscan adds detection for newly disclosed CMS vulnerabilities every week. Whether you run WordPress, Joomla, Drupal, vBulletin or another content management system, Gravityscan detects these new issues as they apply to your website and alerts you, so that you can focus on running your business.

In addition to the 7,000+ vulnerabilities we already detect, we have added detection for the following new vulnerabilities for the week of January 5, 2018. One of them, the unauthenticated remote code execution flaw in vBulletin 5, is highly critical.

WordPress Plugins:

  • Duplicate Page and Post 2.1.0-2.1.1 – Backdoored
  • No Follow All External Links 2.1.0-2.3.0 – Backdoored
  • WP No External Links 4.2.1-4.2.2 – Backdoored
  • Top 10 <= 2.4.3 – Authenticated SQL Injection
  • Captcha 4.3.6-4.4.4 – Backdoored
  • RegistrationMagic – Custom Registration Forms <= 3.8.0.4 – Authenticated SQL Injection
  • RegistrationMagic – Custom Registration Forms <= 3.8.0.4 – Authenticated Reflected XSS
  • CVE-2017-16949 AccessPress Anonymous Post Pro < 3.2.0 – Unauthenticated Arbitrary File Upload
  • CVE-2017-17719 WordPress Concours <= 1.1 – Authenticated Cross-Site Scripting (XSS)
  • CVE-2017-17744 Custom Map <= 1.1 – Authenticated Cross-Site Scripting (XSS)
  • CVE-2017-17753 Csv Import-Export <= 1.1 – Authenticated Cross-Site Scripting (XSS)

  • Multiple Mediaburst/Clockwork Plugins – Cross-Site Scripting (XSS)
      • WP e-Commerce – Clockwork SMS < 2.4.2
      • Booking Calendar – Clockwork SMS < 1.1.0
      • Contact Form 7 – Clockwork SMS < 2.4.0
      • Gravity Forms – Clockwork SMS < 2.4.0
      • Fast Secure Contact Form – Clockwork SMS < 2.4.0
      • Formidable – Clockwork SMS < 1.1.0
      • Two-Factor Authentication – Clockwork SMS < 1.1.0
      • Clockwork SMS Notifications < 3.0.0
      • Email to SMS < 3.0.0

Drupal Modules:

vBulletin Core:

  • CVE-2017-17672 vBulletin 5 – ‘cacheTemplates’ Unauthenticated Remote Arbitrary File Deletion
  • vBulletin 5 – ‘routestring’ Unauthenticated Remote Code Execution
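Every WordPress entry above is a plugin name plus an affected version range, so the check a site owner can run by hand is a version comparison against the plugin headers in wp-content/plugins. The script below is an added example, not Gravityscan's scanner code: it reads the standard "Plugin Name:" and "Version:" header fields from plugin files, compares them against the ranges transcribed from the list above, and reports matches. It assumes the header name matches the name used in this post (the real header may differ for some plugins), covers only the single-plugin WordPress entries, and runs on constructed sample headers rather than a live install.

```python
# Added example (not Gravityscan's code): check WordPress plugin headers
# against the affected version ranges listed in this post.
import re
from typing import Dict, List, Optional, Tuple

# Affected ranges transcribed from the list above.
# Entry: (lowest affected version or None, highest affected version,
#         whether that highest version is itself affected, issue)
ADVISORIES: Dict[str, Tuple[Optional[str], str, bool, str]] = {
    "Duplicate Page and Post": ("2.1.0", "2.1.1", True, "Backdoored"),
    "No Follow All External Links": ("2.1.0", "2.3.0", True, "Backdoored"),
    "WP No External Links": ("4.2.1", "4.2.2", True, "Backdoored"),
    "Top 10": (None, "2.4.3", True, "Authenticated SQL Injection"),
    "Captcha": ("4.3.6", "4.4.4", True, "Backdoored"),
    "AccessPress Anonymous Post Pro": (None, "3.2.0", False,
        "Unauthenticated Arbitrary File Upload (CVE-2017-16949)"),
}


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.8.0.4' into (3, 8, 0, 4); non-numeric parts such as 'beta' count as 0."""
    parts = [p for p in re.split(r"[.\-]", v.strip()) if p]
    return tuple(int(p) if p.isdigit() else 0 for p in parts)


def compare(a: str, b: str) -> int:
    """Return -1, 0 or 1 as a <, ==, > b; shorter versions are zero-padded so 4.4 == 4.4.0."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta += (0,) * (n - len(ta))
    tb += (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def is_affected(plugin: str, version: str) -> Optional[str]:
    """Return the issue text if this plugin version falls inside an affected range, else None."""
    adv = ADVISORIES.get(plugin)
    if adv is None:
        return None
    low, high, high_inclusive, issue = adv
    if low is not None and compare(version, low) < 0:
        return None          # older than the first affected release
    c = compare(version, high)
    if c > 0 or (c == 0 and not high_inclusive):
        return None          # newer than the last affected release (or the fixed release itself)
    return issue


# WordPress plugin header lines, optionally prefixed by the comment's " * ".
HEADER_RE = re.compile(r"^[ \t*]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.M)


def read_header(php_source: str) -> Optional[Tuple[str, str]]:
    """Extract (plugin name, version) from a plugin's main PHP file header."""
    fields = dict(HEADER_RE.findall(php_source))
    if "Plugin Name" in fields and "Version" in fields:
        return fields["Plugin Name"], fields["Version"]
    return None


def audit(plugin_files: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Given path -> file contents, return (path, name, version, issue) for each affected plugin."""
    findings = []
    for path, source in plugin_files.items():
        hdr = read_header(source)
        if hdr is None:
            continue
        name, version = hdr
        issue = is_affected(name, version)
        if issue:
            findings.append((path, name, version, issue))
    return findings


# Constructed sample headers standing in for wp-content/plugins/*/<main>.php files.
SAMPLE_PLUGINS = {
    "captcha/captcha.php": "<?php\n/*\nPlugin Name: Captcha\nVersion: 4.4.3\n*/\n",
    "top-10/top-10.php": "<?php\n/**\n * Plugin Name: Top 10\n * Version: 2.4.4\n */\n",
    "accesspress-anonymous-post-pro/accesspress-anonymous-post-pro.php":
        "<?php\n/*\nPlugin Name: AccessPress Anonymous Post Pro\nVersion: 3.1.5\n*/\n",
    "akismet/akismet.php": "<?php\n/*\nPlugin Name: Akismet Anti-Spam\nVersion: 4.0.2\n*/\n",
}

if __name__ == "__main__":
    for path, name, version, issue in audit(SAMPLE_PLUGINS):
        print(f"{path}: {name} {version} - {issue}")
```

On the sample set only Captcha 4.4.3 (inside 4.3.6-4.4.4) and AccessPress Anonymous Post Pro 3.1.5 (below the 3.2.0 fix) are reported; Top 10 2.4.4 is one release past the last affected version and Akismet is not in the table. Note the "<" versus "<=" distinction in the list is what the `high_inclusive` flag encodes: for AccessPress the 3.2.0 release is the fix, while for Top 10 the 2.4.3 release is still affected.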

If you are an existing Gravityscan user, your site is already being scanned for these vulnerabilities. You can try out our Pro service with a free 14-day trial. This includes the full vulnerability details for each Pro site whose ownership has been verified, the ability to speed up your scans, SMS alerts and our premium support.

Try out Gravityscan Pro free for two weeks, on us!
