Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label Plugin. Show all posts
WordPress
Cyber Attacks gravity forms Plugin Supply Chain Attack WordPress

WordPress Plugin Breach: Hackers Gain Control Through Manual Downloads

 



A serious cyberattack recently targeted Gravity Forms, a widely used plugin for WordPress websites. This incident, believed to be part of a supply chain compromise, resulted in infected versions of the plugin being distributed through manual installation methods.

What is Gravity Forms and Who Uses It?

Gravity Forms is a paid plugin that helps website owners create online forms for tasks like registrations, contact submissions, and payments. According to the developer, it powers around a million websites, including those of well-known global companies and organizations.

What Went Wrong?

Cybersecurity researchers from a security firm reported suspicious activity tied to the plugin’s installation files downloaded from the developer’s website. Upon inspection, they discovered that the file named common.php had been tampered with. Instead of functioning as expected, the file secretly sent a request to an unfamiliar domain, gravityapi.org/sites.

Further investigation showed that the altered plugin version quietly collected sensitive data from the infected websites. This included website URLs, admin login paths, installed plugins, themes, and details about the PHP and WordPress versions in use. All this information was then sent to the attackers’ server.

The attack didn’t stop there. The malicious file also downloaded more harmful code disguised as a legitimate WordPress file, storing it in a folder used by the platform’s core features. This hidden code allowed hackers to run commands on the server without needing to log in, essentially giving them full access to the website.

How Did This Affect Site Owners?

The threat mainly impacted those who manually downloaded Gravity Forms versions 2.9.11.1 and 2.9.12 between July 10 and July 11. Developers confirmed that websites which installed the plugin using automated updates from within WordPress were not affected.

In the infected versions, the malware not only blocked future update attempts but also communicated with a remote server to bring in more malicious code. In some cases, the attack even created a secret admin account giving the hackers complete control over the website.

What Should Website Admins Do Now?

The plugin's developer has released a statement acknowledging the issue and has provided instructions to help website owners detect and remove any signs of infection. Users who downloaded the plugin manually during the affected timeframe are strongly advised to reinstall a clean version and scan their websites thoroughly.

Cybersecurity experts also recommend checking for suspicious files and unknown administrator accounts. The domains used in this attack were registered on July 8, suggesting that this breach was carefully planned.

This incident highlights the growing risk of supply chain attacks in the digital world. It serves as a reminder for website administrators to rely on trusted update channels and monitor their sites regularly for any unusual activity.
Read more »
WordPress
Cyber Security Patchstack Plugin Software Updates WordPress

Hackers Target WordPress Plugin Just Hours After Security Weakness Revealed

 



A newly found security issue in a widely used WordPress tool called OttoKit (previously called SureTriggers) has opened the door for cybercriminals to take over websites. Within just a few hours of the problem being shared publicly, hackers began trying to take advantage of it.

OttoKit is a plugin that helps website owners link their WordPress sites with other services such as Google Sheets, Mailchimp, or online stores like WooCommerce. This tool makes it easy to create automated actions—like sending emails or updating customer lists—without needing to write any code. Over one lakh websites currently rely on this plugin.

The major issue, which affects all versions up to 1.0.78, allows outsiders to get into a website without logging in. This means attackers can skip the usual login checks and gain access to important parts of the site.

The root of the problem comes from how the plugin handles security keys. If the plugin was set up without an API key, the internal “secret code” remains blank. Hackers can then send a fake request without any real login details, and the system mistakenly lets them in.

This bug lets bad actors create new admin-level users, giving them the ability to fully control the site— change settings, install software, or even lock the real owner out.

A cybersecurity researcher who goes by the name 'mikemyers' discovered this error and reported it responsibly. On April 3, the plugin creators fixed the issue and released an updated version, 1.0.79, which closes the security hole.

Unfortunately, attackers were fast to act. Experts from Patchstack, a company that tracks WordPress security, said they noticed the first hacking attempts just four hours after the bug was made public. Hackers used automated tools to create random admin accounts, hoping to break into websites that hadn’t yet been updated.

This case highlights how important it is to quickly install software updates, especially when they fix security flaws.

If your site uses OttoKit or SureTriggers, it is strongly advised to upgrade to version 1.0.79 immediately. Also, check your user accounts for anything unusual—like new admins you didn’t create as well as any strange activity involving plugins, themes, or database access.

Read more »
SQL
2FA CVE CVE vulnerability CVEs Cyber Security E-Commerce Websites Patchstack PII Plugin Plugin Flaws SQL

Critical Vulnerability in TI WooCommerce Wishlist Plugin Exposes 100K+ Sites to SQL Attacks

 

A critical vulnerability in the widely-used TI WooCommerce Wishlist plugin has been discovered, affecting over 100,000 WordPress sites. The flaw, labeled CVE-2024-43917, allows unauthenticated users to execute arbitrary SQL queries, potentially taking over the entire website. With a severity score of 9.3, the vulnerability stems from a SQL injection flaw in the plugin’s code, which lets attackers manipulate the website’s database. This could result in data breaches, defacement, or a full takeover of the site. As of now, the plugin remains unpatched in its latest version, 2.8.2, leaving site administrators vulnerable. 

Cybersecurity experts, including Ananda Dhakal from Patchstack, have highlighted the urgency of addressing this flaw. Dhakal has released technical details of the vulnerability to warn administrators of the potential risk and has recommended immediate actions for website owners. To mitigate the risk of an attack, website owners using the TI WooCommerce Wishlist plugin are urged to deactivate and delete the plugin as soon as possible. Until the plugin is patched, leaving it active can expose websites to unauthorized access and malicious data manipulation. If a website is compromised through this flaw, attackers could gain access to sensitive information, including customer details, order histories, and payment data. 

This could lead to unauthorized financial transactions, stolen identities, and significant reputational damage to the business. Preventing such attacks requires several steps beyond removing the vulnerable plugin. Website administrators should maintain an updated security system, including regular patching of plugins, themes, and the WordPress core itself. Using a Web Application Firewall (WAF) can help detect and block SQL injection attempts before they reach the website. It’s also advisable to back up databases regularly and ensure that backups are stored in secure, off-site locations. Other methods of safeguarding include limiting access to sensitive data and implementing proper data encryption, particularly for personally identifiable information (PII). 

Website administrators should also audit user roles and permissions to ensure that unauthorized users do not have access to critical parts of the site. Implementing two-factor authentication (2FA) for site logins can add an extra layer of protection against unauthorized access. The repercussions of failing to address this vulnerability could be severe. Aside from the immediate risk of site takeovers or data breaches, businesses could face financial loss, including costly recovery processes and potential fines for not adequately protecting user data. Furthermore, compromised sites could suffer from prolonged downtime, leading to lost revenue and a decrease in user trust. Rebuilding a website and restoring customer confidence after a breach can be both time-consuming and costly, impacting long-term growth and sustainability.  

In conclusion, to safeguard against the CVE-2024-43917 vulnerability, it is critical for website owners to deactivate the TI WooCommerce Wishlist plugin until a patch is released. Administrators should remain vigilant by implementing strong security practices and regularly auditing their sites for vulnerabilities. The consequences of neglecting these steps could lead to serious financial and reputational damage, as well as the potential for legal consequences in cases of compromised customer data. Proactive protection is essential to maintaining business continuity in the face of ever-evolving cybersecurity threats.
Read more »
WordPress
Cyberattacks Cybersecurity Cyberthreats LayerSlider Plugin Vulnerabilities and Exploits WordPress

LayerSlider Plugin Imperils 1 Million WordPress Sites, Urgent Fixes Mandated!

 


The LayerSlider WordPress slider plugin has been installed by more than one million people and offers a full package of features for editing web content, creating digital visual effects, and designing graphic content in a single application. 

Considering that WordPress is the most popular website builder in the world, as well as used by roughly half of all websites on the planet, it makes it an ideal target for cybercriminals all over the world. Despite that, hackers have turned their attention and focus to third-party themes and plugins, which are seldom as secure as the platform itself, because most people consider this platform to be relatively secure. 

In addition, Defiant’s Wordfence team stated that unauthenticated attackers can append SQL queries to existing queries to extract information such as password hashes due to the lack of sufficient escape of the parameter supplied by the user, as well as the lack of sufficient preparation of the existing SQL query. 

There is a vulnerability of over 1 million WordPress sites attributed to a premium plugin referred to as LayerSlider, requiring administrators to prioritize applying security updates to that plugin. In addition to being a visual web content editor, LayerSlider also offers graphic design software, as well as digital visual effects that enable users to create animations and rich content for their websites. It is noted by its website that there are millions of people using it globally. 

During the week of March 25, 2024, a researcher named AmrAwad found a critical vulnerability (CVSS score: 9.8) affecting WordPress security firm Wordfence through their bug bounty program. He received $5,500 for his responsible reporting. AmrAwad was recognized for his responsible reporting. 

If an attacker has access to sensitive data from the site's database, such as password hashes, from versions 7.9.11 through 7.10.0 of the plugin, the website could be put at risk of a complete takeover or data breach in the future. In LayerSlider, SQL injection is possible as well as the function that queries slider pop-up markups is done by the “ls_get_popup_markup” function. 

If the “id” parameter of this function is not a number, it is not sanitized before it is passed to “find”. Moreover, even though the plugin escapes $args values with the “esc_sql” function, the “where” key is not included in this function, so attacker-controlled inputs within “where” can be used to query the victim's database by the attacker-controlled inputs. 

 By manipulating “id” and “where”, an attacker can craft a request in such a way that sensitive data from the database, such as password hashes, can be extracted by manipulating those variables. As the structure of possible queries limits the attack to a time-based blind SQL injection, attackers must observe the database's response times to determine the data from the database. There are several ways in which threat actors can enter WordPress sites through vulnerable WordPress plugins to steal data or compromise a website. 

It has been shown that, in January, more than 6,700 WordPress sites were exploited by Balada Injector malware triggered by a cross-site scripting flaw in the Popup Builder plugin logged under CVE-2023-6000. In addition to the thousands of sites that were exposed to the TagDiv Composer plugin flaw tracked as CVE-2023-3169 in October, Balada Injector was installed on over 9,000 sites. In the past six years, over a million WordPress sites have been compromised by the Balada Injector campaign. 

According to Sucuri, the Balada Injector has been responsible for more than a million WordPress sites that have been compromised in this campaign. It is important to note that CVE-2024-2879 still allows malicious actors to access sensitive user information and password hashes from a compromised website's database, despite this limitation. Malicious actors can do this without having any authentication on the website. 

There is a further complication because the queries are not prepared using WordPress' '$wpdb->prepare()' function, which ensures that usernames and passwords are sanitized before a query is sent to the database. This prevents SQL injection because the input is therefore sanitized before it is submitted to the database. It was quickly acknowledged by the Kreatura Team of the plugin's creators that the plugin had been prone to the flaw and it was immediately addressed. 

It has been less than 48 hours since the developers contacted me about the release of a security update. There are critical vulnerabilities in LayerSlider, which are addressed in version 7.10.1, but it is strongly recommended that all users upgrade to version 7.10.1. A WordPress site admin should in general make sure that all their plugins are up-to-date, remove any plugins that are not required, use strong passwords for their accounts, and deactivate any dormant accounts that could be hacked. 

In the world of WordPress, there are thousands of themes and plugins available, each of which builds upon the WordPress experience for the user and makes it better. Some of these are free programs, but the commercial ones tend to have a dedicated team who work on improving them as well as maintaining the security of the program. This happens mainly because hackers choose to target free-to-use themes and plugins.

Many of these are used by millions of people today, but their developers have abandoned them and they are prone to vulnerabilities that have never been addressed (or rarely) by the developers. A safe and secure installation process involves administrators installing themes and plugins that they intend to use, and ensuring that they are always updated to the most recent version of those themes and plugins.
Read more »
Plugin
Artifical Intelligence Chat Bot ChatGPT Cyber Security Data Privacy OpenAI Plugin

Challenge Arising From the ChatGPT Plugin

OpenAI's ChatGPT has achieved important advancements in AI language models and provides users with a flexible and effective tool for producing human-like writing. But recent events have highlighted a crucial problem: the appearance of third-party plugins. While these plugins promise improved functionality, they can cause grave privacy and security problems.

The use of plugins with ChatGPT may have hazards, according to a Wired article. When improperly vetted and regulated, third-party plugins may jeopardize the security of the system and leave it open to attack. The paper's author emphasizes how the very thing that makes ChatGPT flexible and adjustable also leaves room for security flaws.

The article from Data Driven Investor dives deeper into the subject, highlighting how the installation of unapproved plugins might expose consumers' sensitive data. Without adequate inspection, these plugins might not follow the same exacting security guidelines as the main ChatGPT system. Private information, intellectual property, and delicate personal data may thus be vulnerable to theft or unlawful access.

These issues have been addressed in the platform documentation by OpenAI, the company that created ChatGPT. The business is aware of the potential security concerns posed by plugins and urges users to use caution when choosing and deploying them. In order to reduce potential risks, OpenAI underlines how important it is to only use plugins that have been validated and confirmed by reliable sources.

OpenAI is still taking aggressive steps to guarantee the security and dependability of ChatGPT as the problem develops. Users are encouraged to report any suspicious or malicious plugins they come across when interacting with the system by the company. Through investigation and appropriate action, OpenAI is able to protect users and uphold the integrity of its AI-powered platform.

It is worth noting that not all plugins pose risks. Many plugins, when developed by trusted and security-conscious developers, can bring valuable functionalities to ChatGPT, enhancing its usefulness and adaptability in various contexts. However, the challenge lies in striking the right balance between openness to innovation and safeguarding users from potential threats.

OpenAI's commitment to addressing the plugin problem signifies its dedication to maintaining a secure and reliable platform. As users, it is essential to be aware of the risks and exercise diligence when choosing and employing plugins in conjunction with ChatGPT.

Read more »
WordPress
attacks Plugin Site Vulnerabilities and Exploits WordPress

Alert WordPress Admins! Uninstall the Modern WPBakery Plugin Immediately

 

WordPress administrators have been cautioned to uninstall a problematic plugin or risk a total site takeover. This threat is associated with a plugin that is no longer in use: Modern WPBakery page builder extensions. CVE-2021-24284 is a vulnerability in the plugin that allows "unauthenticated arbitrary file upload through the 'uploadFontIcon' AJAX action." 

As a result, attackers might upload malicious PHP scripts to the WordPress site, resulting in remote code execution and site takeover. There has been a significant surge in attacks due to this defunct WordPress relic. 

Researchers detected "many vulnerable endpoints" in Modern WPBakery in 2021, which might lead to the injection of malicious JavaScript or even the deletion of arbitrary data. The goal of the game this time is to upload rogue PHP files and then inject malicious JavaScript into the site. 

Approximately 1.6 million sites have been examined for the presence of the plugin by malicious actors, and current estimates imply that 4,000 to 8,000 websites are still hosting the plugin. Check and delete immediately. 

The current recommendation is to search for the plugin and then uninstall it as quickly as possible. It has been entirely abandoned, and no security updates will be sent. If anyone has it installed, it's only a matter of time until the exploiters find their way to your Modern WPBakery hosting website and begin collecting information. It's advised to as soon as possible, remove this out-of-date invitation to site-wide compromise.
Read more »
Subscribe to: Posts (Atom)