
Hackers Exploit Vulnerability in Popup Builder Plugin for WordPress


In a concerning development for website owners and administrators, hackers have been exploiting a vulnerability in the popular Popup Builder plugin for WordPress, resulting in the infection of over 3,300 websites worldwide. This security flaw, officially tracked as CVE-2023-6000, allows malicious actors to execute cross-site scripting (XSS) attacks on websites that are using outdated versions of the Popup Builder plugin, specifically versions 4.2.3 and older. 

The vulnerability was initially disclosed in November 2023, raising alarm bells in the cybersecurity community. Despite this disclosure, many site administrators failed to promptly update their systems, leaving them vulnerable to exploitation by hackers. Now, the consequences of this oversight are becoming apparent, with Sucuri, a prominent cybersecurity firm, reporting a recent surge in attacks targeting WordPress sites through this vulnerability. 

At the core of the exploit is the injection of malicious code into the Custom JavaScript or Custom CSS sections of the WordPress admin interface. This injected code is then stored within the 'wp_postmeta' database table, allowing hackers to manipulate the behavior of the Popup Builder plugin. By leveraging event handlers within the plugin, such as popup open or close events, hackers can execute various malicious actions, including redirecting unsuspecting visitors to phishing pages or malware-dropping sites. Sucuri's analysis has revealed that the attacks originate from domains such as "ttincoming.traveltraffic[.]cc" and "host.cloudsonicwave[.]com." 

As a proactive measure, site owners are advised to block access to these domains to mitigate the risk of infection. However, blocking domains alone may not be sufficient to fully protect websites from exploitation. To effectively safeguard against this threat, website owners must update to the latest version of the Popup Builder plugin, currently version 4.2.7. 

This updated version addresses CVE-2023-6000 and other security vulnerabilities, providing enhanced protection against malicious attacks. Despite the availability of patches, WordPress statistics indicate that a significant number of active sites continue to use outdated versions of the plugin, leaving them vulnerable to exploitation. 

In the unfortunate event of a website being infected, swift action is necessary to mitigate further damage. Site administrators should immediately remove any malicious entries injected into the Popup Builder's custom sections and conduct thorough scans to detect and eliminate any hidden backdoors that could facilitate reinfection. The prevalence of this vulnerability underscores the importance of maintaining robust cybersecurity practices for WordPress sites. 

By staying vigilant, promptly applying software updates, and implementing proactive security measures, website owners can better protect their sites and mitigate the risk of falling victim to malicious attacks. As the threat landscape continues to evolve, proactive security measures are essential to safeguarding the integrity and security of WordPress websites.

Avada Theme and Plugin Witnesses Critical Vulnerabilities


Several vulnerabilities have been discovered in the popular Avada theme and its companion Avada Builder plugin by security researcher Rafie Muhammad from Patchstack, who revealed that many WordPress websites are vulnerable to these flaws. 

Avada Theme and Plugin

Avada theme – the most popular theme in WordPress – is the top-selling theme in ThemeForest, selling over 900,000 copies. The theme is paired with an Avada Builder plugin, developed by ThemeFusion.

This theme calls itself "The Complete WordPress Website Building Toolkit," and is geared for premium website builders. Without ever writing a single line of code, it can create everything from one-page business websites to an online marketplace.

Security Flaws

Among the many vulnerabilities found in the Avada Builder plugin, the first is an Authenticated SQL Injection (CVE-2023-39309). An attacker who can authenticate to the site could exploit this flaw to access sensitive data and potentially execute code remotely. 

The second vulnerability, a Reflected Cross-Site Scripting (XSS) flaw identified as CVE-2023-39306, enables unauthenticated attackers to steal sensitive data and potentially elevate their privileges on affected WordPress sites.

Additionally, Patchstack found a number of flaws in the Avada theme itself. The first is a Contributor+ Arbitrary File Upload vulnerability (CVE-2023-39307): users with the Contributor role or above can upload any file they choose, including potentially harmful PHP scripts, allowing remote code execution and jeopardizing the integrity of the site.

The discovery of a similar Author+ bug (CVE-2023-39312) is also significant. Here, users with the Author role or above can upload malicious zip files, potentially exposing the site to further vulnerabilities and remote code execution.

This series of vulnerabilities also includes a Contributor+ Server-Side Request Forgery (SSRF) vulnerability (CVE-2023-39313). This flaw allows Contributors to make the server send requests to internal WordPress services, which could lead to unauthorized actions or data access within the internal environment.

The vulnerabilities were first discovered and reported to the Avada vendor on July 6, 2023, following which patched versions were made available on July 11. The security alert was made public on August 10, 2023, and Patchstack added the flaws to their database of vulnerabilities.

In order to address the flaws, users are advised to update their Avada Builder plugin to version 3.11.2 and the Avada theme to version 7.11.2, ensuring website security.

Critical WordPress Plugin Vulnerabilities


WordPress, the popular content management system (CMS), is no stranger to security vulnerabilities. In recent news, critical vulnerabilities have been discovered in certain WordPress plugins, putting thousands of websites at risk. These vulnerabilities have the potential to allow unauthorized access and compromise the security of affected websites.

One such plugin affected by a critical vulnerability is Bookit, developed by StylemixThemes. An authentication bypass vulnerability was identified, which could allow unauthorized users to gain access to sensitive information or carry out malicious activities on the compromised websites. The Bookit plugin is widely used for managing bookings and appointments on WordPress sites, making the vulnerability particularly concerning for businesses relying on this functionality.

The vulnerability in Bookit was promptly addressed by StylemixThemes, with an updated version released to patch the security flaw. It is crucial for all users of the Bookit plugin to ensure they have installed the latest version to mitigate the risk of exploitation.

Another noteworthy vulnerability was found in the Abandoned Cart Lite for WooCommerce plugin developed by Tyche Softwares. This vulnerability also involved an authentication bypass, potentially enabling unauthorized access to affected websites. Abandoned Cart Lite for WooCommerce is a widely used plugin for recovering abandoned shopping carts and increasing sales for online stores.

Tyche Softwares acted swiftly to address the vulnerability and released an updated version of the plugin to eliminate the security risk. Website owners who utilize the Abandoned Cart Lite for WooCommerce plugin should prioritize updating to the latest version to safeguard their sites from potential exploitation.

The discovery of these critical vulnerabilities underscores the ongoing challenges faced by the WordPress community in ensuring the security of their websites. As WordPress continues to be the most popular content management system globally, it also becomes an attractive target for cybercriminals seeking to exploit vulnerabilities in plugins and themes.

To mitigate the risk of falling victim to such attacks, WordPress users are advised to implement the following security practices:
  1. Regularly update all installed plugins and themes to the latest versions, as developers often release patches to address security vulnerabilities.
  2. Use reputable plugins and themes from trusted sources, and be cautious when installing plugins with a limited or no update history.
  3. Monitor security news and announcements from WordPress security providers, such as Wordfence, to stay informed about the latest vulnerabilities and recommended actions.
  4. Employ a reliable security plugin that can help detect and prevent potential attacks, such as brute-force login attempts or suspicious activities.
By following these guidelines, WordPress users can enhance the security posture of their websites and reduce the risk of falling victim to plugin vulnerabilities and other security threats.

Critical WordPress Plugin Vulnerability Enables Hackers To Exploit Over 1M Sites


Threat actors are apparently exploiting two security flaws in the Elementor Pro and Ultimate Addons for Elementor WordPress plugins, in an effort to remotely execute arbitrary code and completely compromise unpatched targets.

As reported by the Threat Intelligence team at Wordfence, reports of threat actors attempting to exploit the two issues in ongoing attacks had appeared as of May 6.

Elementor Pro 

Elementor Pro is a paid plugin with an estimated number of over 1 million active installs, enabling users to quickly and easily develop WordPress websites from scratch, with the aid of a built-in theme builder, a visual form widget designer, and custom CSS support.

The Elementor Pro vulnerability is an RCE (Remote Code Execution) bug rated as Critical. It enables attackers with registered user access to upload arbitrary files to the affected websites and remotely execute code.

To preserve access to compromised sites, attackers who successfully exploit this security issue can install backdoors or web shells, obtain full admin access to completely compromise the site, or even delete the site entirely.

If they are unable to register as users, they can exploit the second vulnerability, in the Ultimate Addons for Elementor WordPress plugin (installed on over 110,000 sites), which lets them sign up as subscriber-level users on any site using the plugin even if user registration is disabled.

"Then they proceed to use the newly registered accounts to exploit the Elementor Pro [..] vulnerability and achieve remote code execution," as Wordfence discovered.

Mitigation Measures 

To protect against the ongoing attacks, users are advised to update Elementor Pro to version 2.9.4, which patches the remote code execution vulnerability.

Users of the Ultimate Addons for Elementor will have to upgrade to version 1.24.2 or later. To be sure that your website has not already been compromised, Wordfence advises taking the following actions:

  • Check for any unknown subscriber-level users on your site. These may indicate that your site has been compromised as part of this active campaign; if so, remove those accounts.
  • Check for files named "wp-xmlrpc.php". These may indicate a compromise, so it is advised to check your site for evidence of this file.
  • Delete any unknown files or folders found in the /wp-content/uploads/elementor/custom-icons/ directory. The presence of files here following the creation of a rogue subscriber-level account is a clear indication of compromise.
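The three checks above can be scripted against a local copy of the install. The following is an added example, not Wordfence's code: it walks a throwaway install tree with planted indicators (constructed here so the script runs offline) and compares a user export, which in practice would come from `wp user list --format=json`, against an operator-maintained allowlist of known subscriber logins.

```python
import os
import tempfile

# Indicator locations taken from the Wordfence checklist above
BACKDOOR_NAME = "wp-xmlrpc.php"
CUSTOM_ICONS_DIR = os.path.join("wp-content", "uploads", "elementor", "custom-icons")


def find_named_files(root, name=BACKDOOR_NAME):
    """Return every file called `name` anywhere under the install root."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        if name in files:
            hits.append(os.path.relpath(os.path.join(dirpath, name), root))
    return sorted(hits)


def list_custom_icons(root):
    """Return the contents of the Elementor custom-icons upload directory.

    The directory is legitimately used for icon uploads, so entries here are
    for a human to review; an empty list means nothing to review.
    """
    path = os.path.join(root, CUSTOM_ICONS_DIR)
    if not os.path.isdir(path):
        return []
    return sorted(os.listdir(path))


def unknown_subscribers(users, known_logins):
    """Subscriber-role accounts whose login is not on the operator's allowlist.

    `users` is a list of dicts shaped like `wp user list --format=json` output
    (user_login, roles, user_registered); the allowlist is kept out of band.
    """
    return sorted(
        (u["user_login"], u["user_registered"])
        for u in users
        if "subscriber" in u["roles"] and u["user_login"] not in known_logins
    )


def audit(root, users, known_logins):
    """Run all three checks and return the findings as one dict."""
    return {
        "backdoor_files": find_named_files(root),
        "custom_icons": list_custom_icons(root),
        "unknown_subscribers": unknown_subscribers(users, known_logins),
    }


def build_sample_site():
    """Create a throwaway install tree with planted indicators (constructed data)."""
    root = tempfile.mkdtemp(prefix="wp-audit-")
    plugin_dir = os.path.join("wp-content", "plugins", "elementor-pro")
    for rel in ("wp-admin", "wp-includes", plugin_dir, CUSTOM_ICONS_DIR):
        os.makedirs(os.path.join(root, rel), exist_ok=True)
    # A planted file carrying the suspicious name; its content is a harmless stub
    with open(os.path.join(root, plugin_dir, BACKDOOR_NAME), "w") as fh:
        fh.write("<?php // planted stub for the audit example\n")
    # An unexpected upload sitting in the custom-icons directory
    with open(os.path.join(root, CUSTOM_ICONS_DIR, "unknown-icon-set.zip"), "wb") as fh:
        fh.write(b"PK\x03\x04")
    return root


# Constructed user export; in practice take this from `wp user list --format=json`
SAMPLE_USERS = [
    {"user_login": "siteadmin", "roles": "administrator", "user_registered": "2018-01-15 09:30:00"},
    {"user_login": "newsletter_bob", "roles": "subscriber", "user_registered": "2019-11-02 12:00:00"},
    {"user_login": "jane", "roles": "editor", "user_registered": "2019-06-01 08:00:00"},
    {"user_login": "qz8m1k", "roles": "subscriber", "user_registered": "2020-05-07 03:12:44"},
]
KNOWN_SUBSCRIBERS = {"newsletter_bob"}

if __name__ == "__main__":
    site = build_sample_site()
    for check, findings in audit(site, SAMPLE_USERS, KNOWN_SUBSCRIBERS).items():
        print(f"{check}: {findings or 'nothing found'}")
```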

WordPress Security: 1 Million WordPress Sites Hacked via Zero-Day Plug-in Bugs


A campaign that exploits numerous WordPress plug-in and theme vulnerabilities, including a sizable number of zero-days, to inject malicious code into websites has infected at least 1 million WordPress-powered websites. 

According to a study conducted by Sucuri, the campaign, which it named "Balada Injector," is prolific and Methuselah-like in its endurance, infecting victim sites with malware at least since 2017. After being injected into the page, the malicious code leads users to a variety of scam websites, such as those offering fake tech support, bogus lottery wins, and push notifications requesting Captcha solutions. 

However, behind the scenes, injected scripts look for numerous files, including access logs, error logs, debug information files, database management tools, administrator credentials, and more, that might include any sensitive or potentially helpful information. In addition, backdoors are loaded into the websites for enduring access and, occasionally, site takeover. 

While the 1 million statistic represents the total number of sites that have been infected over the past five years, researchers only recently linked all the activities into a single operation. The campaign is still going strong and does not appear to be slowing down. 

A Focus on WordPress Plug-in & Theme Vulnerabilities 

Sucuri researchers were able to link all of the observed activity to the Balada Injector campaign since it has a few easily distinguishable attributes. These include using a rotating roster of domain names where malicious scripts are placed on haphazard subdomains, uploading and leaving numerous backdoors all across the hacked environment, and spammy redirects. 

Moreover, the developers of Balada Injector also exploit security flaws in WordPress plug-ins and themes, which is likely most noteworthy. These modular WordPress add-ons enable site administrators to integrate a variety of features, such as polling support, message board assistance, or click-to-call integration for e-commerce businesses. 

"All sorts of vulnerabilities in WordPress themes and plugins can allow an attacker to inject code or gain unauthorized access to the website — which can eventually be escalated to the level where code injections are possible[…]This entire time, Balada Injector has been quickly adding newly disclosed vulnerabilities (and sometimes disclosed zero-days), occasionally starting massive waves of infections within a few hours after vulnerability disclosures," Sucuri analysis explains. 

Sucuri has been tracking new waves of activity happening every couple of weeks, with lulls in between that are "probably utilised for gathering and testing newly reported and zero-day vulnerabilities." 

Moreover, older vulnerabilities are also included in the mix, with some still in use by the campaign for months or years after being patched. 

Targeting the WordPress Ecosystem 

Because the WordPress ecosystem is so bug-prone, it has become a popular target for cybercriminals of all stripes. 

"Depending on how you measure it, in 2023, WordPress still powers 60% of the websites available on the Internet today[…]The sheer volume of code that goes into this, the degree of customization often present on WordPress sites, and in general the WordPress plug-in ecosystem's complexity, popularity, and the lack of consistent security measures and practices, contribute to its attractiveness to cybercriminals as a rich hunting ground for exploitable bugs," says Casey Ellis, founder and CTO at the Bugcrowd bug bounty platform. 

Protecting Against WordPress Plug-in Insecurity 

To safeguard against Balada Injector and other WordPress threats, companies must first ensure that all of their website software is up to date, delete unused plug-ins and themes, and deploy a Web application firewall. 

According to Mike Parkin, senior technical engineer at Vulcan Cyber, the ease with which plug-ins can be added to WordPress from authorized download stores (much like the ecosystem for mobile apps) adds to the security issue. As a result, education for the Web team regarding the risks of installing unapproved modules is also necessary. 

"The myriad available plug-ins, multiple places to get them, and the ease of deployment — you have a recipe for easy malicious plug-in distribution," he says. 

Even large organizations are not immune to WordPress security problems. "There are cases, even in large enterprises, where a website is developed and maintained by an individual or small team[…]Often, those folks aren’t especially security conscious and are more interested in keeping their site up and fresh than they are in doing it securely. Patches get missed. Security alerts get missed. New and interesting plug-ins get installed without making sure they are safe or, sometimes, even work," he adds.  

All In One SEO Plugin Affects Millions of WordPress Websites


All in One SEO, a popular WordPress SEO-optimization plugin, contains a combination of security flaws that, when coupled into an exploit chain, might expose website owners to website takeover. 

According to Sucuri researchers, an attacker with an account on the site – such as a subscriber, shopping account holder, or member – can exploit the weaknesses, which consist of a privilege-escalation bug and a SQL-injection flaw. 

“WordPress websites by default allow any user on the web to create an account,” researchers said in a posting on Wednesday. “By default, new accounts are ranked as a subscriber and do not have any privileges other than writing comments. However, certain vulnerabilities, such as the ones just discovered, allow these subscriber users to have vastly more privileges than they were intended to have.” 

Furthermore, the pair is straightforward to exploit, so users must upgrade to the patched version, v. 4.1.5.3. The issues in the plugin, which is used by more than 3 million websites, were discovered by Marc Montpas, an Automattic security researcher. 

The more serious of the two issues is the privilege-escalation problem, which affects All in One SEO versions 4.0.0 through 4.1.5.2. It carries a severity rating of 9.9 out of 10 on the CVSS scale, owing to its simplicity of exploitation and the possibility of installing a backdoor on the web server. 

Sucuri researchers indicated that the vulnerability "can be exploited by simply changing a single character of a request to upper-case." 

Fundamentally, the plugin exposes a number of REST API endpoints and performs a permissions check on requests to them to ensure that no one does anything they are not authorized to do. According to the post, the REST API route comparison in this check is case-sensitive, so an attacker only needs to change the case of one character to circumvent it. 
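A simplified model of the permission-check mismatch, added here and not the plugin's own code. It relies on one fact from WordPress core that the page does not state: WP_REST_Server compiles route patterns with the case-insensitive /i flag, so the dispatcher accepts a requested route whose case differs from the registered one, while a case-sensitive comparison inside the permission check does not recognise it. The route and role tables are constructed for the example; only /aioseo/v1/objects is taken from this page.

```python
import re

# Routes registered by the modelled plugin: '/aioseo/v1/objects' is the endpoint
# named on this page, '/aioseo/v1/status' is a constructed public placeholder.
REGISTERED_ROUTES = ["/aioseo/v1/objects", "/aioseo/v1/status"]
PRIVILEGED_ROUTES = {"/aioseo/v1/objects"}   # intended to be admin-only

# Minimal capability table (constructed); WordPress grants subscribers only 'read'
ROLE_CAPS = {
    "administrator": {"read", "manage_options"},
    "subscriber": {"read"},
}


class User:
    def __init__(self, login, role):
        self.login = login
        self.role = role

    def can(self, capability):
        return capability in ROLE_CAPS[self.role]


def wp_route_matches(pattern, requested):
    """WP_REST_Server matches route regexes with the /i flag, so the dispatcher
    treats '/aioseo/v1/Objects' and '/aioseo/v1/objects' as the same route."""
    return re.fullmatch(pattern, requested, flags=re.IGNORECASE) is not None


def vulnerable_permission_check(requested_route, user):
    """Flawed check: the raw requested route is compared case-sensitively against
    the privileged list, so a one-character case change falls through to the
    lenient branch that any logged-in user satisfies."""
    if requested_route in PRIVILEGED_ROUTES:
        return user.can("manage_options")
    return user.can("read")


def hardened_permission_check(requested_route, user):
    """Fixed check: normalise the route the same way the dispatcher does before
    deciding which capability to require. (A stricter fix is a dedicated
    permission_callback per registered route instead of a shared list.)"""
    normalised = requested_route.lower().rstrip("/")
    if normalised in PRIVILEGED_ROUTES:
        return user.can("manage_options")
    return user.can("read")


def dispatch(requested_route, user, permission_check):
    """Model the request flow: match the route as WordPress does, then run the
    permission check on the raw requested path. Returns True if the handler
    would run, False if the check rejected it, None if no route matched (404)."""
    for pattern in REGISTERED_ROUTES:
        if wp_route_matches(pattern, requested_route):
            return permission_check(requested_route, user)
    return None


if __name__ == "__main__":
    subscriber = User("newsletter_bob", "subscriber")
    for route in ("/aioseo/v1/objects", "/aioseo/v1/Objects"):
        print(route, "vulnerable:", dispatch(route, subscriber, vulnerable_permission_check),
              "hardened:", dispatch(route, subscriber, hardened_permission_check))
```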

“When exploited, this vulnerability can overwrite certain files within the WordPress file structure, effectively giving backdoor access to any attacker,” Sucuri researchers said. “This would allow a takeover of the website, and could elevate the privileges of subscriber accounts into admins.” 

The second bug has a CVSS severity of 7.7 and affects All in One SEO versions 4.1.3.1 through 4.1.5.2. The problem lies in an API endpoint called "/wp-json/aioseo/v1/objects." According to Sucuri, if attackers abused the prior vulnerability to gain admin capabilities, they could reach this endpoint and send malicious SQL to the back-end database to collect user passwords, admin information, and other sensitive data. 

In order to safeguard themselves, All in One SEO customers should update to the patched version, researchers advised.

Threat Actors Stealing Credit Card Details Via e-Commerce WordPress Sites


As the holiday shopping season approaches, threat actors are intensifying their efforts to compromise websites, so administrators should remain vigilant, Sucuri researchers warned. The attackers are now injecting credit card swipers into random plugins on e-commerce WordPress sites to steal customer payment details.

The researchers identified a new technique where threat actors are injecting card skimmers into WordPress plugin files as it avoids the heavily guarded ‘wp-admin’ and ‘wp-includes’ core directories, where most injections are short-lived. 

“The attackers know that most security plugins for WordPress contain some way to monitor the file integrity of core files (that is, the files in wp-admin and wp-includes directories). This makes any malware injected into these files very easy to spot even by less experienced website administrators. The next logical step for them would be to target plugin and theme files.” reads the analysis published by Sucuri.

According to a new Sucuri investigation, threat actors first get into WordPress sites and inject a backdoor into the website for persistence. This means that the attacker can retain access to the site, even if the administrator installs the latest security updates for WordPress and installed plugins. 

The backdoor grabs a list of administrators and abuses their authorization cookie and current user login to access the website. The attackers then add their malicious code to random plugins; Sucuri researchers pointed out that many of the scripts did not use any typical encoding or obfuscation techniques to avoid detection.

Examination of the code revealed references to WooCommerce and several undefined variables. The researchers discovered that one of these undefined variables references a domain (array-slice[.]page) hosted on an Alibaba server in Germany, which is odd considering that the infected e-store was operated by a business in North America. 

“If you operate an eCommerce website, be sure to be extra cautious during the holiday season. This is when we see attacks and compromises on e-commerce websites at their highest volume as attackers are poised to make handsome profits from stolen credit card details. Make sure to follow best security practices, harden your administrator dashboard and ideally place your website behind a firewall service,” the researchers concluded.

WordPress Sites Hacked in Fake Ransomware Attacks


A new wave of cyberattacks began late last week, hacking over 300 WordPress sites and displaying fraudulent encryption notifications in an attempt to mislead site owners into paying 0.1 bitcoin for recovery. 

These ransom requests include a countdown timer to create a sense of urgency and perhaps frighten a web administrator into paying. While the 0.1 bitcoin ($6,069.23) demand is small compared with what is seen in high-profile ransomware operations, it may still be a significant sum for many website owners. 

Sucuri, a cybersecurity firm hired by one of the victims to conduct incident response, identified these attacks. The researchers revealed that the websites had not been encrypted, but rather that the threat actors had altered an installed WordPress plugin to show a ransom message and countdown when the page was accessed. 

In addition to presenting a ransom note, the plugin changed the 'post status' of all WordPress blog entries to 'null,' causing them to become unpublished. In this way the attackers created a simple but convincing illusion that the site had been encrypted. 

The site was restored to its usual state after deleting the plugin and running a command to republish the posts and pages. Sucuri discovered that the first place where the actor's IP address showed in the network traffic records was the wp-admin panel. This suggests that the infiltrators gained access to the site as administrators, either by brute-forcing the password or by obtaining stolen credentials from dark web markets. 

This was not an isolated attack but part of a larger campaign, which lends weight to the second scenario. Sucuri found that the plugin involved was Directorist, a tool for creating online business directory listings on websites. 

Sucuri has identified around 291 websites hit by this attack, with a Google search revealing a mix of cleaned-up and still-displaying ransom letters. All of the sites BleepingComputer found in search results utilise the same Bitcoin address, 3BkiGYFh6QtjtNCPNNjGwszoqqCka2SDEc, which has not received any ransom payments. 

Safeguarding against website encryptions

Sucuri recommends the following security procedures to keep WordPress sites safe from hackers: 
  • Review the site's admin users, delete any fraudulent accounts, and update/change any wp-admin passwords. 
  • Protect the wp-admin administrator page. 
  • Modify the passwords for all other access points (database, FTP, cPanel, etc.). 
  • Protect your website using a firewall. 
  • Adhere to dependable backup techniques that will make restoration simple in the event of a genuine encryption incident. 
Because WordPress is frequently targeted by threat actors, it is also critical to ensure that all of your installed plugins are up to date. 

BleepingComputer was notified about a recent fix for the Directorist plugin, which addressed an issue that enabled low-privilege users to run arbitrary code. While Sucuri's analysis does not identify the plugin as the point of intrusion, the presence of this vulnerability fits the pattern of this particular attack. 

This also implies that removing the malicious code and restoring the site would not prevent the attackers from striking again as long as the Directorist plugin remains at an older, vulnerable version.

This WordPress Plugin Flaw Impacts 1M Sites & Allows Malicious Redirects


A high-severity flaw in the OptinMonster plugin allows unauthorised API access and sensitive information disclosure on around a million WordPress sites. 

The flaw, identified as CVE-2021-39341, was found by researcher Chloe Chamberland on September 28, 2021, and a fix was made available on October 7, 2021. All OptinMonster plugin users are recommended to upgrade to version 2.6.5 or later, as all previous versions are impacted. 

OptinMonster is a popular WordPress plugin for creating stunning opt-in forms that assist site owners in converting visitors to subscribers/customers. It is primarily a lead generation and monetization tool, and it is used on roughly a million websites because of its ease of use and variety of features.

According to Chamberland's vulnerability disclosure report, OptinMonster's power rests on API endpoints that provide easy integration and a streamlined design process. However, the implementation of these endpoints isn't always secure, with the '/wp-json/omapp/v1/support' endpoint being the most critical example. 

This endpoint can disclose information such as the site's full path on the server, API keys used for site requests, and more. An attacker with access to the API key could make modifications to OptinMonster accounts or even inject malicious JavaScript snippets into the site. Without anyone's knowledge, the site would run this code every time a visitor triggered an OptinMonster element.

To make matters worse, the intruder would not even need to authenticate to the targeted site in order to use the API endpoint, since an HTTP request would bypass the security checks under certain simple conditions. While the '/wp-json/omapp/v1/support' endpoint is the worst case, it is not the only insecure REST API endpoint that may be exploited. 

When the researcher's findings reached the OptinMonster team, the popular WordPress plugin's developers understood that the entire API needed to be revisited. As a result, all OptinMonster upgrades that appear on the WordPress dashboard in the next weeks must be installed, as they will most likely resolve further API issues. 

Meanwhile, any API keys that may have been stolen were instantly invalidated, forcing site owners to produce new keys. This case demonstrates how widely deployed and popular WordPress plugins can harbour several undetected flaws over extended periods.

WordPress WP Fastest Cache Plugin Discovered With Multiple Vulnerabilities


WP Fastest Cache is among a handful of WordPress plugins meant to improve the performance of a website. It seeks to reduce the frequency of database queries necessary to render the website and related server load by producing and maintaining a static replica of the articles and webpages. 

Jetpack security researchers uncovered several vulnerabilities in the popular WordPress plugin WP Fastest Cache that could allow an attacker to gain administrator-level access. The findings affect over a million WordPress installations. 

There are several flaws that have been discovered by the researchers, two of the many are: 

  • Authenticated MySQL Injection 

Through an authenticated MySQL injection, a logged-in user can gain access to administrator-level data in the system. A MySQL injection vulnerability is an attack on the database server that stores website components such as usernames and credentials. A successful MySQL injection attack might result in a total website takeover. 

“If exploited, MySQL injection bugs can give attackers access to privileged information from the affected site’s database (such as username and hash password). This can only be exploited if the Classic Editor plugin is also installed and activated on the site,” stated the Jetpack Security Bulletin. 

  • Stored XSS via Cross-Site Request Forgery 

XSS (cross-site scripting) flaws are widespread and stem from inadequate sanitization of website input. If a user submits data to the website, for example through a contact form, and that data is not sanitized, other users of the site may be attacked via XSS. 

Sanitization entails limiting what may be submitted to the single intended kind of input, such as text, rather than a script or command. A faulty input check lets an attacker insert malicious scripts, which can subsequently be used against administrators who visit the site, loading malicious content into their browsers or capturing their credentials. 

Whenever an intruder tricks a user, such as a logged-in administrator, into accessing the site and performing actions on the attacker's behalf, it is referred to as a cross-site request forgery (CSRF). 

Such vulnerabilities are difficult to exploit since they rely on the Classic Editor plugin being installed and the attacker having some form of authenticated user access. However, these flaws are still significant, and Jetpack advises that customers update their WP Fastest Cache plugin to at least version 0.95, which was released on October 14, 2021. 

According to Jetpack: “If exploited, MySQL injection bugs can give attackers access to privileged information from the affected site’s database (such as username and hash password). Successful exploitation of the CSRF and Stored XSS vulnerabilities can allow bad actors to log in as administrator on the targeted site.”

Brizy WordPress Plugin Exploit Chains Permit Full Site Takeovers


According to researchers, flaws in the Brizy Page Builder plugin for WordPress sites may be linked together to allow attackers to totally take over a website. 

Brizy (or Brizy - Page Builder) is used on over 90,000 websites. It's advertised as an easy-to-use website builder for individuals with no technical knowledge. It has over 500 pre-designed blocks, maps and video integration, and drag-and-drop creation capability. 

Before version 2.3.17, it also had a stored cross-site scripting (XSS) vulnerability and an arbitrary file-upload vulnerability, according to researchers. 

“During a routine review of our firewall rules, we found traffic indicating that a vulnerability might be present in the Brizy – Page Builder plugin, though it did not appear to be under active attack,” researchers at Wordfence explained in a Wednesday posting. 

“This led us to discover two new vulnerabilities as well as a previously patched access-control vulnerability in the plugin that had been reintroduced.” 

According to the researchers, the two new flaws may be chained with the reintroduced access control weakness to enable total site takeover. Combined with the stored XSS flaw, any logged-in user would be able to edit any published post and inject malicious JavaScript into it. Combined with the other flaw, any logged-in user could upload potentially executable files and achieve remote code execution. 

A Reintroduced Access Control Bug Serves as the Attack's Foundation

The previous access-control problem (now listed as CVE-2021-38345) was fixed in June 2020 but reappeared this year in version 1.0.127. According to Wordfence, it's a high-severity problem caused by a lack of adequate authorisation checks, allowing attackers to edit posts. The plugin used a pair of administrator functions for a wide range of authorization checks, and any user that passed one of these tests was considered to be an administrator.

"Being logged in and visiting any endpoint in the wp-admin directory was sufficient to pass this check," as per the researchers. 

As a result, all logged-in users, such as newsletter subscribers, were able to alter any post or page made or updated with the Brizy editor, even if it had already been published. 

According to Wordfence’s analysis, “While this vulnerability might only be a nuisance on its own, allowing attackers to replace the original contents of pages, it enabled two additional vulnerabilities that could each be used to take over a site.” 
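The access-control mistake described above, shown as an added illustration (not Brizy's code) next to the check a plugin should perform. Names prefixed `example_` are hypothetical; `is_admin()`, `is_user_logged_in()`, `current_user_can()`, `check_ajax_referer()` and `wp_send_json_*()` are WordPress core functions.

```php
<?php
// Weak pattern: is_admin() only reports whether an admin-area (wp-admin) request is
// being handled. Any logged-in user, a subscriber included, who calls an admin-ajax.php
// or wp-admin endpoint passes it. It says nothing about the user's role or the post.
function example_weak_can_edit_post(int $post_id): bool {
    return is_admin() && is_user_logged_in();
}

// Correct pattern: ask WordPress whether *this user* may edit *this post*.
// 'edit_post' is a meta capability that WordPress maps to edit_posts,
// edit_others_posts or edit_published_posts based on authorship and post status.
function example_strict_can_edit_post(int $post_id): bool {
    return is_user_logged_in() && current_user_can('edit_post', $post_id);
}

// Hypothetical AJAX handler showing where both guards belong: a nonce (so a
// logged-in admin cannot be driven through CSRF) and a per-post capability check
// (so a subscriber cannot edit content they do not own).
function example_update_post_handler(): void {
    $post_id = isset($_POST['post_id']) ? (int) $_POST['post_id'] : 0;

    if (!check_ajax_referer('example_editor_nonce', 'nonce', false)) {
        wp_send_json_error('bad nonce', 403);
    }
    if ($post_id <= 0 || !example_strict_can_edit_post($post_id)) {
        wp_send_json_error('insufficient capability', 403);
    }
    // Persist the content only after filtering it with wp_kses_post(), which strips
    // script tags and event-handler attributes and so blunts the stored XSS path.
    $content = wp_kses_post((string) ($_POST['content'] ?? ''));
    wp_update_post(['ID' => $post_id, 'post_content' => $content]);
    wp_send_json_success(['post_id' => $post_id]);
}
add_action('wp_ajax_example_update_post', 'example_update_post_handler');
```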
The first follow-on bug (CVE-2021-38344) is a medium-severity stored XSS flaw that allows intruders to insert malicious scripts into web pages. Because it is a stored XSS issue rather than a reflected one, victims are only required to visit the affected page to be attacked. 

The flaw allows a less-privileged user (such as a contributor or subscriber) to attach JavaScript to an update request, which is subsequently executed if the post is read or previewed by another user, such as an administrator. It becomes hazardous, however, when paired with the authorisation bypass, according to the researchers. 

The second new vulnerability is a high-severity arbitrary file-upload flaw (CVE-2021-38346), which allows authenticated users to upload files to a website. According to Wordfence researchers, the authorization-check flaw lets subscriber-level users elevate their privileges and then upload executable files to a location of their choice via the brizy_create_block_screenshot AJAX action. Other attack variants are also possible, according to the analysis.

“While the plugin appended .JPG to all uploaded filenames, a double extension attack was also possible,” researchers explained. 

“For instance, a file named shell.php would be saved as shell.php.jpg, and would be executable on a number of common configurations, including Apache/modPHP with an AddHandler or unanchored SetHandler directive. An attacker could also prepend their filename with ../ to perform a directory traversal attack and place their file in an arbitrary location, which could potentially be used to circumvent execution restrictions added via .htaccess.” 

Thus, “by supplying a file with a .PHP extension in the id parameter, and base64-encoded PHP code in the ibsf parameter, an attacker could effectively upload an executable PHP file and obtain full remote code execution on a site, allowing site takeover,” they added. 
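A defensive filename normaliser for an upload endpoint, added here as an example (not Brizy's code), that closes the three problems quoted above: a server-appended extension with the client's extension kept (double extension), `../` traversal in the supplied name, and an attacker-chosen destination directory. The directory path, the allowed-extension list and the `example_` function are assumptions.

```php
<?php
// Hypothetical fixed destination; files never leave this directory.
const EXAMPLE_UPLOAD_DIR  = '/var/www/html/wp-content/uploads/example-screenshots';
const EXAMPLE_ALLOWED_EXT = ['png', 'jpg', 'jpeg', 'gif', 'webp'];

/**
 * Returns a safe absolute destination path, or null if the upload must be rejected.
 * The client-supplied name is used only as an extension hint, never as a path.
 */
function example_safe_upload_path(string $supplied_name): ?string {
    // 1. Strip any directory component: "../../wp-content/x.png" becomes "x.png".
    $name = basename(str_replace('\\', '/', $supplied_name));

    // 2. Allow exactly one dot. "shell.php" and "shell.php.jpg" both fail here, so a
    //    later ".jpg" append can never yield a double extension such as .php.jpg.
    if (substr_count($name, '.') !== 1) {
        return null;
    }
    [$stem, $ext] = explode('.', $name, 2);
    $ext = strtolower($ext);
    if ($stem === '' || !in_array($ext, EXAMPLE_ALLOWED_EXT, true)) {
        return null;
    }

    // 3. Discard the client-chosen stem entirely; a random name removes any remaining
    //    odd characters and stops an attacker from predicting the stored location.
    $final = bin2hex(random_bytes(16)) . '.' . $ext;
    $path  = EXAMPLE_UPLOAD_DIR . '/' . $final;

    // 4. Confirm the resolved parent directory is the intended one, so an .htaccess
    //    deny-rule placed in that directory always governs the stored file.
    $dir = realpath(EXAMPLE_UPLOAD_DIR);
    if ($dir === false || realpath(dirname($path)) !== $dir) {
        return null;
    }
    return $path;
}
```

The file content itself still needs validation (see the ProfilePress image-check example below); this function only governs the name and location.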

Users can protect themselves by switching to the most recent version of the plugin, 2.3.17.

Several Critical Flaws Identified in WordPress Plugin


Wordfence researchers warned of multiple flaws in a popular WordPress plugin that allow an attacker to upload arbitrary files to a vulnerable site and achieve remote code execution (RCE). On May 27, researchers discovered four security vulnerabilities, each assigned a CVSS score of 9.8 (critical). 

The first issue discovered was a privilege escalation flaw CVE-2021-34621. “During user registration, users could supply arbitrary user metadata that would get updated during the registration process. This included the wp_capabilities user meta that controls a user’s capabilities and role. This made it possible for a user to supply wp_capabilities as an array parameter while registering, which would grant them the supplied capabilities, allowing them to set their role to any role they wanted, including the administrator,” researchers explained.

In addition, there was no check to validate that user registration was enabled on the site, meaning users could register as an administrator even on sites where user registration was disabled. This meant that attackers could completely take charge of a susceptible WordPress site. 

CVE-2021-34622, the second flaw in the user profile update functionality, uses the same technique as above but requires an attacker to have an account on a vulnerable site for the exploit to work. 

“However, since the registration function did not validate if user registration was enabled, a user could easily sign up and exploit this vulnerability, if they were not able to exploit the privilege escalation vulnerability during registration,” according to Wordfence researchers. 
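A registration handler that avoids both defects described for CVE-2021-34621 and CVE-2021-34622, added here as an example (not ProfilePress code): it honours the site's registration setting and copies only whitelisted keys into user meta, so `wp_capabilities` can never arrive from the request. The `example_` names and the allowed-key list are assumptions; the other functions are WordPress core.

```php
<?php
// Vulnerable shape, paraphrased from the description above (do not use):
//   foreach ($_POST as $key => $value) { update_user_meta($user_id, $key, $value); }
// That loop lets a client set wp_capabilities (and wp_user_level) to anything.

// Only these keys may be set from the registration or profile form.
const EXAMPLE_ALLOWED_META = ['first_name', 'last_name', 'description'];

function example_register_user(array $request): array {
    // Defect 1: check the site setting; if registration is off, stop here.
    if (!get_option('users_can_register')) {
        return ['ok' => false, 'error' => 'registration disabled'];
    }

    $login = sanitize_user((string) ($request['user_login'] ?? ''), true);
    $email = sanitize_email((string) ($request['user_email'] ?? ''));
    $pass  = (string) ($request['user_pass'] ?? '');
    if ($login === '' || !is_email($email) || strlen($pass) < 12) {
        return ['ok' => false, 'error' => 'invalid input'];
    }

    // The role is fixed server-side to the site default and never read from the request.
    $user_id = wp_insert_user([
        'user_login' => $login,
        'user_email' => $email,
        'user_pass'  => $pass,
        'role'       => get_option('default_role', 'subscriber'),
    ]);
    if (is_wp_error($user_id)) {
        return ['ok' => false, 'error' => $user_id->get_error_message()];
    }

    // Defect 2: iterate over the whitelist, not over the request. Array values are
    // refused so a client cannot smuggle structured data into a text field.
    foreach (EXAMPLE_ALLOWED_META as $key) {
        if (isset($request[$key]) && is_string($request[$key])) {
            update_user_meta($user_id, $key, sanitize_text_field($request[$key]));
        }
    }
    return ['ok' => true, 'user_id' => $user_id];
}
```

The same whitelist loop applies to a profile-update handler, which is the code path CVE-2021-34622 abused.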

Arbitrary file upload is the third flaw present in the image uploader component (CVE-2021-34623). The image uploader in ProfilePress was insecurely implemented using the exif_imagetype function to determine whether a file was safe or not. An attacker could disguise a malicious file by uploading a spoofed file which would bypass the exif_imagetype check.

The fourth and last flaw, CVE-2021-34624, affects the plugin’s ‘custom fields’ functionality; its file check could likewise be bypassed to achieve RCE.
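Why `exif_imagetype()` on its own is a weak gate, and what a stricter image-upload check looks like, as an added example (not ProfilePress code). `exif_imagetype()` reads only the leading signature bytes, so any file that begins with a valid image header passes it regardless of what follows. The `example_` names are hypothetical; `exif_imagetype`, `getimagesize`, `pathinfo` and the GD functions are standard PHP.

```php
<?php
const EXAMPLE_IMAGE_TYPES = [IMAGETYPE_JPEG => 'jpg', IMAGETYPE_PNG => 'png', IMAGETYPE_GIF => 'gif'];

/**
 * Returns the extension the file should be stored with, or null to reject it.
 * Three independent signals must agree: the header sniff, a full-structure parse,
 * and the client-supplied extension. Re-encoding (below) then rewrites the pixels,
 * so data appended after the real image does not survive into the stored file.
 */
function example_validate_image(string $tmp_path, string $client_name): ?string {
    $type = @exif_imagetype($tmp_path);                  // header sniff: the weak check alone
    if ($type === false || !isset(EXAMPLE_IMAGE_TYPES[$type])) {
        return null;
    }
    $ext = EXAMPLE_IMAGE_TYPES[$type];

    // Client extension must match what the bytes say: "x.php" with a GIF header fails.
    $client_ext = strtolower(pathinfo($client_name, PATHINFO_EXTENSION));
    if ($client_ext === 'jpeg') {
        $client_ext = 'jpg';
    }
    if ($client_ext !== $ext) {
        return null;
    }

    // getimagesize() parses further than exif_imagetype(); the detected types must agree.
    $info = @getimagesize($tmp_path);
    if ($info === false || $info[2] !== $type) {
        return null;
    }
    return $ext;
}

/** Re-encode through GD and overwrite in place; trailing non-image bytes are discarded. */
function example_reencode_image(string $path, string $ext): bool {
    $img = @imagecreatefromstring((string) file_get_contents($path));
    if ($img === false) {
        return false;
    }
    switch ($ext) {
        case 'jpg': $ok = imagejpeg($img, $path, 90); break;
        case 'png': $ok = imagepng($img, $path);      break;
        default:    $ok = imagegif($img, $path);
    }
    imagedestroy($img);
    return $ok;
}
```

Pair this content check with a filename and location policy such as the one in the Brizy example above, and store uploads under a directory where the web server will not execute scripts.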

ProfilePress, formerly known as WP User Avatar, handles the upload of WordPress user profile images and is installed on over 400,000 sites. Its sole original function was uploading photos; a recent change, however, added new features including user login and registration, and those new features introduced several security flaws. 

Chloe Chamberland, threat analyst at Wordfence, discovered the bugs by using a tool called WPDirectory to search the WordPress plugin repository for specific lines of code. “I did a routine search for wp_ajax hooks and found that this plugin had introduced some new AJAX actions that I hadn’t previously noticed before, which led to me further investigating them,” the researcher said.