Search This Blog
Powered by Blogger.

Blog Archive

Labels

About Me

Load More
Trendy Right Now

Popular Posts

Showing posts with label WordPress. Show all posts
WordPress
Cyber Attacks gravity forms Plugin Supply Chain Attack WordPress

WordPress Plugin Breach: Hackers Gain Control Through Manual Downloads

 



A serious cyberattack recently targeted Gravity Forms, a widely used plugin for WordPress websites. This incident, believed to be part of a supply chain compromise, resulted in infected versions of the plugin being distributed through manual installation methods.

What is Gravity Forms and Who Uses It?

Gravity Forms is a paid plugin that helps website owners create online forms for tasks like registrations, contact submissions, and payments. According to the developer, it powers around a million websites, including those of well-known global companies and organizations.

What Went Wrong?

Cybersecurity researchers from a security firm reported suspicious activity tied to the plugin’s installation files downloaded from the developer’s website. Upon inspection, they discovered that the file named common.php had been tampered with. Instead of functioning as expected, the file secretly sent a request to an unfamiliar domain, gravityapi.org/sites.

Further investigation showed that the altered plugin version quietly collected sensitive data from the infected websites. This included website URLs, admin login paths, installed plugins, themes, and details about the PHP and WordPress versions in use. All this information was then sent to the attackers’ server.

The attack didn’t stop there. The malicious file also downloaded more harmful code disguised as a legitimate WordPress file, storing it in a folder used by the platform’s core features. This hidden code allowed hackers to run commands on the server without needing to log in, essentially giving them full access to the website.

How Did This Affect Site Owners?

The threat mainly impacted those who manually downloaded Gravity Forms versions 2.9.11.1 and 2.9.12 between July 10 and July 11. Developers confirmed that websites which installed the plugin using automated updates from within WordPress were not affected.

In the infected versions, the malware not only blocked future update attempts but also communicated with a remote server to bring in more malicious code. In some cases, the attack even created a secret admin account giving the hackers complete control over the website.

What Should Website Admins Do Now?

The plugin's developer has released a statement acknowledging the issue and has provided instructions to help website owners detect and remove any signs of infection. Users who downloaded the plugin manually during the affected timeframe are strongly advised to reinstall a clean version and scan their websites thoroughly.

Cybersecurity experts also recommend checking for suspicious files and unknown administrator accounts. The domains used in this attack were registered on July 8, suggesting that this breach was carefully planned.

This incident highlights the growing risk of supply chain attacks in the digital world. It serves as a reminder for website administrators to rely on trusted update channels and monitor their sites regularly for any unusual activity.
Read more »
WordPress
Big Fix Technology TI WooCommerce Website WordPress

Critical Bug in E-commerce Website, Over 10000 Customers Impacted


WordPress plugin exploit

Cybersecurity experts have found a critical unpatched security vulnerability impacting the TI WooCommerce Wishlist plugin for WordPress that unauthorized threat actors could abuse to upload arbitrary files.

TI WooCommerce Wishlist has more than 100,000 active installations. It allows e-commerce website users to save their favorite products for later and share the lists on social media platforms. According to Patchstack researcher John Castro, “The plugin is vulnerable to an arbitrary file upload vulnerability which allows attackers to upload malicious files to the server without authentication.”

About the vulnerability 

Labeled as CVE-2025-47577, the vulnerability has a CVSS score of 10.0 (critical), it impacts all variants of the plugin below 2.92 released on November 29, 2024. Currently, there is no patch available. 

According to the security company, the issue lies in a function called "tinvwl_upload_file_wc_fields_factory," which uses another native WordPress function "wp_handle_upload" to validate but sets the override parameters “test_form” and “test_type” to “false.” 

The "test_type" override checks whether the Multipurpose Internal Mail Extension (MIME) file type is as expected, while the “test_form” verifies whether the $_POST['action'] parameter is correct. 

When setting "test_type," it permits the file type validation to escape effectively, permitting any file type to be uploaded. 

Reading the calendar

The TIWooCommerce Wishlist plugin is an extension for WooCommerce stores that lets users create and manage wishlists, sharing and saving their wishlist products. 

Apart from social sharing options, the plugin has AJAX-based functionality and multiple-wishlist support in the premium variant, email alerts, etc. 

Impact of attack

The scale of the potential attack surface is massive. A major concern is that these are ecommerce sites, where customers spend money, this can compound the risk. 

Currently, the latest variant of the plugin is 2.9.2, last updated 6 months ago. As the patch has not yet been released, concerned users are advised to deactivate and remove the plugin until a fix is issued.

The good thing here is that effective compromise is only possible on sites that also contain the WC Fields Factory plugin deployed and active, and the integration is active on the TI WooCommerce Wishlist plugin. This can make things difficult for threat actors. 

Read more »
WordPress
Cyber Security Patchstack Plugin Software Updates WordPress

Hackers Target WordPress Plugin Just Hours After Security Weakness Revealed

 



A newly found security issue in a widely used WordPress tool called OttoKit (previously called SureTriggers) has opened the door for cybercriminals to take over websites. Within just a few hours of the problem being shared publicly, hackers began trying to take advantage of it.

OttoKit is a plugin that helps website owners link their WordPress sites with other services such as Google Sheets, Mailchimp, or online stores like WooCommerce. This tool makes it easy to create automated actions—like sending emails or updating customer lists—without needing to write any code. Over one lakh websites currently rely on this plugin.

The major issue, which affects all versions up to 1.0.78, allows outsiders to get into a website without logging in. This means attackers can skip the usual login checks and gain access to important parts of the site.

The root of the problem comes from how the plugin handles security keys. If the plugin was set up without an API key, the internal “secret code” remains blank. Hackers can then send a fake request without any real login details, and the system mistakenly lets them in.

This bug lets bad actors create new admin-level users, giving them the ability to fully control the site— change settings, install software, or even lock the real owner out.

A cybersecurity researcher who goes by the name 'mikemyers' discovered this error and reported it responsibly. On April 3, the plugin creators fixed the issue and released an updated version, 1.0.79, which closes the security hole.

Unfortunately, attackers were fast to act. Experts from Patchstack, a company that tracks WordPress security, said they noticed the first hacking attempts just four hours after the bug was made public. Hackers used automated tools to create random admin accounts, hoping to break into websites that hadn’t yet been updated.

This case highlights how important it is to quickly install software updates, especially when they fix security flaws.

If your site uses OttoKit or SureTriggers, it is strongly advised to upgrade to version 1.0.79 immediately. Also, check your user accounts for anything unusual—like new admins you didn’t create as well as any strange activity involving plugins, themes, or database access.

Read more »
WordPress
CMS Internet Malicious Codes malware WordPress

Hackers Exploit WordPress Logins, Secretly Run Codes

Hackers Exploit WordPress Logins, Secretly Run Codes

Threat actors are exploiting the Wordpress mu-plugins ("Must-Use Plugins") directory to secretly execute malicious code on each page while avoiding detection. 

The technique was first observed by security researchers at Sucuri in February 2025, but adoption rates are on the rise, with threat actors now utilizing the folder to run three distinct types of malicious code.

Talking about the increase in mu-plugins infections, Sucuri's security analyst Puja Srivastava said, “attackers are actively targeting this directory as a persistent foothold.”

About "Must-have" malware

Must-Use Plugins are a kind of WordPress plugin that automatically runs on every page load without the need to be activated in the admin dashboard.  Mu-plugins are files stored in the 'wp-content/mu-plugins/' and are not listed in the regular “Plugins” admin page, except when the “Must-Use” filter is checked. 

They have genuine use cases like implementing site-wide functionality for custom security rules, dynamically changing variables/codes, and performance tweaks. But as these plugins run every page load and aren’t shown in the standard plugin list, hackers can exploit them to secretly run a variety of malicious activities like injecting malicious code, changing HTML output, or stealing credentials. 

Sucuri found three payloads that hackers are deploying in the mu-plugins directory, suspected to be a part of a larger money aimed campaign.

According to Sucuri, these include:

Fake Update Redirect Malware: Detected in the file wp-content/mu-plugins/redirect.php, this malware redirected site visitors to an external malicious website.

Webshell: Found in ./wp-content/mu-plugins/index.php, it allows attackers to execute arbitrary code, granting them near-complete control over the site.

A spam injector: a spam injection script located in wp-content/mu-plugins/custom-js-loader.php. This script was being used to inject unwanted spam content onto the infected website, possibly to boost SEO rankings for malicious actors or promote scams.

How do you spot it?

A few obvious signs can help to spot this malware. One unusual behavior on the site is unauthorized user redirections to external malicious websites. Secondly, malicious files with weird names appear inside the mu-plugins directory, spoofing real plugins. Third, site admins may observe “elevated server resource usage with no clear explanation, along with unexpected file modifications or the inclusion of unauthorized code in critical directories,” according to Sucuri.

Read more »
WordPress
Hacking Internet Plugins Technology Website WordPress

Hackers Exploit WordPress Sites to Attack Mac and Windows Users


According to security experts, threat actors are abusing out-of-date versions of WordPress and plug-ins to modify thousands of sites to trap visitors into downloading and installing malware.

In a conversation with cybersecurity news portal TechCrunch, Simon Wijckmans, founder and CEO of the web security company c/side, said the hacking campaign is still “very much live”.

Spray and pray campaign

The hackers aim to distribute malware to loot passwords and sensitive data from Mac and Windows users. According to c/side, a few hacked websites rank among the most popular ones on the internet. Reporting on the company’s findings, Himanshu Anand believes it is a “widespread and very commercialized attack” and told TechCrunch the campaign is a “spray and pray” cyber attack targeting website visitors instead of a specific group or a person.

After the hacked WordPress sites load in a user’s browser, the content immediately turns to show a false Chrome browser update page, asking the website visitor (user) to download and install an update to access the website, researchers believe. 

Users tricked via fake sites

When a visitor agrees to the update, the compromised website will ask the user to download a harmful malware file disguised as the update, depending on whether the visitor is a Mac or Windows user. Researchers have informed Automattic (the company) that makes and distributes Wordpress.com about the attack campaign and sent a list of harmful domains. 

According to TechCrunch, Megan Fox, spokesperson for Automattic, did not comment at the time of press. Later, Automattic clarified that the security of third-party plugins is the responsibility of WordPress developers.

“There are specific guidelines that plugin authors must consult and adhere to ensure the overall quality of their plugins and the safety of their users,” Ms Fox told TechCrunch. “Authors have access to a Plugin Handbook which covers numerous security topics, including best practices and managing plugin security,” she added. 

C/side has traced over 10,000 sites that may have been a target of this hacking campaign. The company found malicious scripts on various domains by crawling the internet, using a reverse DNS lookup to find domains and sites linked with few IP addresses which exposed a wider number of domains hosting malicious scripts. TechCrunch has not confirmed claims of C/side’s data, but it did find a WordPress site showing malicious content earlier this week.

Read more »
WordPress
CMS Cyber incidents Cyber Security Cyberattacks CyberCrime CyberThreat database Magento WordPress

Sophisticated Credit Card Skimmer Malware Targets WordPress Checkout Pages

 


Recent cybersecurity reports have highlighted a new, highly sophisticated credit card skimmer malware targeting WordPress checkout pages. This stealthy malware embeds malicious JavaScript into database records, leveraging database injection techniques to effectively steal sensitive payment information. Its advanced design poses significant risks to e-commerce platforms and their users. 
  
Widespread Impact on E-Commerce Platforms 
 
Multiple content management systems (CMS), including WordPress, Magento, and OpenCart, have been targeted by the Caesar Cipher Skimmer. This web skimmer enables the theft of payment data, threatening the financial security of businesses and consumers alike. 

Web skimmers are malicious scripts injected into e-commerce websites to collect financial and payment transaction details. According to cybersecurity firm Sucuri, a recent attack involved modifying the "form-checkout.php" file in the WooCommerce plugin to steal credit card information.
  • Consequences: Financial losses, reputational damage, and legal expenses.
  • Detection Difficulty: Often remains unnoticed until after the damage has occurred.

Signs of a compromised WooCommerce site include customer reports of stolen credit card details. This typically suggests malware capable of skimming customer credentials, warranting immediate investigation and remediation. 

On May 11, 2024, Sucuri identified a campaign misusing the "Dessky Snippets" WordPress plugin, which allows users to add custom PHP code. With over 200 active installations, the plugin was exploited by threat actors to inject malicious PHP code for credit card theft.
  • Attack Vectors: Exploiting plugin vulnerabilities and weak admin credentials.
  • Further Exploitation: Installing additional plugins to escalate malicious activities.
Database-Level Malware Infiltration 

Using the Dessky Snippets plugin, attackers deployed server-side PHP malware that embedded obfuscated JavaScript in the WordPress database.
  • Location: Stored in the wp_options table under widget_block.
  • Activation Trigger: Executes on pages containing "checkout" in the URL, avoiding pages with "cart."
Stealth and Strategic Execution The malware activates only during the final transaction stage, intercepting sensitive financial data without disrupting the user experience.
  • Integration: Utilizes existing payment fields to avoid detection.
  • Stealth Tactics: Remains hidden from standard file-scanning tools.

To conceal its activities, the malware encrypts stolen data using Base64 encoding and AES-CBC encryption. The encrypted data is discreetly sent to attacker-controlled servers via the navigator.sendBeacon function, ensuring stealthy exfiltration without alerting users or administrators. Severe Security Implications This malware poses a critical threat by covertly harvesting sensitive payment information, including credit card numbers and CVV codes.
  • Potential Risks: Fraudulent transactions, identity theft, and illegal data sales.
  • Impact on Businesses: Financial losses, legal liabilities, reputational damage, and erosion of customer trust.
Mitigation and Security Best Practices 
 
To counter such threats, e-commerce platforms must implement robust cybersecurity measures:
  • Regular monitoring of website activity for unusual behavior.
  • Timely updates of all plugins and platform software.
  • Proactive vulnerability management and penetration testing.
  • Strong admin credentials and limited plugin installations.
Staying vigilant and proactive in cybersecurity practices is essential to safeguarding sensitive customer data and maintaining the integrity of e-commerce operations.
Read more »
WordPress
fake websites Financial Fraud phishing PhishWP WordPress

Hackers Use PhishWP to Steal Payment Info on WordPress Sites

 



Cybersecurity researchers have uncovered a malicious WordPress plugin called PhishWP that transforms legitimate websites into tools for phishing scams. This plugin allows attackers to set up fake payment pages mimicking trusted services like Stripe, tricking users into divulging sensitive details, including credit card numbers, expiration dates, billing information, and even one-time passwords (OTPs) used for secure transactions. 


How PhishWP Works

PhishWP works by setting up fake WordPress sites or hacking into legitimate ones. It then generates phishing checkout pages that closely mimic real payment interfaces. Victims receive this interface with false site addresses, where they enter sensitive financial information, including security codes and OTPs.

The stolen data is sent to attackers in real time because the plugin integrates with Telegram. Therefore, attackers can use or sell the information almost immediately. The browser details captured by PhishWP include IP addresses and screen resolutions, which attackers can use for future fraudulent activities.


Key Features 

What has made the phishing plugin more advanced is that it ensures operations are seamless and almost undetectable. 

Realistic Payment Interfaces: The plugin mimics the appearance of trusted services like Stripe.  

3D Secure Code Theft: It fetches the OTP sent to everyone in the verification processes to successfully process fraudulent transactions.

Real-time Data Transfer: Telegram is used to send stolen information to attackers in real time.  

Customizable and Worldwide: Multi-language support and obfuscation features enable phishing attacks across the globe.  

Fake Confirmations: Victims receive fake emails that confirm purchases, which delays the suspicion.  


Step-by-Step Analysis  

1. Setup: Attackers either hack a legitimate WordPress site or create a fake one.

2. Deceptive Checkout: PhishWP personalizes payment pages to resemble actual processors. 

3. Data Theft: Victims unknowingly provide sensitive information, including OTPs. 

4. Exploitation: The stolen data is immediately sent to attackers, who use it for unauthorized transactions or sell it on dark web markets.


How to Protect Yourself

To avoid falling victim to threats like PhishWP:  

1. Verify website authenticity before entering payment details.  

2.  Look for secure connections (HTTPS) and valid security certificates.  

3. Use advanced tools like SlashNext’s Browser Phishing Protection, which blocks malicious URLs and identifies phishing attempts in real time.

Protecting your personal and financial data begins with understanding how cyberattacks work, don’t let hackers take the upper hand.



Read more »
WordPress
ClearFake infostealers Plugins Vulnerabilities and Exploits WordPress

Infostealer-Injecting Plugins infect Thousands of WordPress Sites

 

Hackers are using WordPress sites to install malicious plugins that propagate malware that steals information by displaying fake updates and errors.

Infostealing malware has become a global nuisance for security defenders in recent years, as compromised credentials are used to infiltrate networks and steal data. 

Since 2023, a malicious campaign known as ClearFake has been used to display bogus web browser update banners on compromised sites that spread data-stealing malware. 

A new campaign named ClickFix was launched in 2024; it is quite similar to ClearFake, but it poses as software error warnings with fixes included. These "fixes" are actually PowerShell scripts that, when executed, will download and install malware that steals data. 

This year has seen a rise in ClickFix attacks, in which threat actors hack websites to show banners displaying fake issues for Facebook, Google Meet conferences, Google Chrome, and even captcha pages. 

Malicious WordPress plugins

Last week, GoDaddy disclosed that the ClearFake/ClickFix threat actors had infiltrated over 6,000 WordPress sites, installing malicious plugins that displayed the fake alerts associated with these operations. 

"The GoDaddy Security team is tracking a new variant of ClickFix (also known as ClearFake) fake browser update malware that is distributed via bogus WordPress plugins," notes GoDaddy security researcher Denis Sinegubko. "These seemingly legitimate plugins are designed to appear harmless to website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end-users.” 

Sucuri, a website security firm, has also identified a fraudulent plugin called "Universal Popup Plugin" as part of this operation. When installed, the malicious plugin will hook into various WordPress activities, depending on the type, and inject a malicious JavaScript script into the site's HTML.

Sinegubko's analysis of web server access logs indicates that the threat actors are using stolen admin credentials to enter into the WordPress site and install the plugin in an automated manner. Threat actors log in with a single POST HTTP request rather than first accessing the site's login page. This shows that the process is automated after the credentials have been received. 

Although it's unknown how the threat actors are getting the credentials, the researcher points out that it might be through information-stealing malware, phishing, and brute force attempts in the past.
Read more »
WordPress
DarkCracks malware Obfuscation Technique phishing WordPress

DarkCracks Malware Exploits Vulnerabilities in GLPI and WordPress Systems


 

A malware framework named DarkCracks has been identified by cybersecurity experts from QiAnXin. This newly discovered threat takes advantage of weaknesses in GLPI, an IT asset management system, and WordPress websites. DarkCracks has raised alarm due to its ability to remain hidden and undetected by most antivirus programs, posing a risk to users and businesses relying on these platforms.

DarkCracks operates as a highly advanced malware framework, designed to exploit vulnerable systems over a prolonged period. Instead of merely infecting devices, it uses them as Launchers to deploy additional malicious components. Attackers gain entry by targeting compromised public websites, such as school networks or transportation systems, turning them into platforms to spread malware to other unsuspecting users.

Once attackers infiltrate a server, they initiate a multi-phase attack by uploading files that execute further malicious tasks. These components are responsible for gathering sensitive data, maintaining long-term access, and keeping control over the infected systems under the radar of most cybersecurity defences. The malware is designed for long-term exploitation, adapting to changes and remaining operational even when parts of it are detected and removed by security measures.

What makes DarkCracks particularly dangerous is its ability to evade detection for extended periods. Some of its elements have managed to stay hidden for over a year, avoiding detection by even the most sophisticated cybersecurity tools. Despite QiAnXin’s analysis, some core elements, including the Launcher, remain unidentified, making it extremely challenging for IT teams to fully neutralise the threat.

Adding to the complexity, DarkCracks employs a backup system that uses a three-layer URL verification technique. This ensures the malware can continue operating even if its primary servers are taken down, providing resilience and making it harder for cybersecurity teams to disrupt its activities.

Possible Phishing Attacks on Korean Users

In a unique finding, researchers uncovered a file titled “Kim Young-mi’s Resume” in Korean, suggesting that the attackers may be using spear-phishing techniques to target users in Korea. This file, discovered on one of the compromised servers, indicates that attackers could be tailoring their phishing efforts to specific regions, a method that could increase their chances of success in gaining unauthorised access.

The DarkCracks campaign came to light in June 2024 when an unusual amount of network traffic was observed from an IP linked to a compromised GLPI server. The investigation revealed that cybercriminals had already uploaded malicious files onto compromised servers, using techniques like encryption and obfuscation to mask their activities.

How to Defend Against DarkCracks

To protect against this emerging threat, cybersecurity experts are urging organisations, particularly those using GLPI or WordPress, to take immediate precautions. Key recommendations include regularly updating all software and systems to ensure that known vulnerabilities are patched. This can help prevent the malware from exploiting security holes.

In addition, IT teams are advised to monitor network traffic for unusual activity, including unexpected connections to external servers. Frequent security audits can also help identify unauthorised file uploads or suspicious activities within the system. Advanced detection tools capable of recognizing the layered obfuscation techniques used by DarkCracks are also essential in preventing and identifying these stealthy attacks.

By implementing these defensive strategies, businesses can reduce their risk of falling victim to the DarkCracks malware and protect their systems from long-term exploitation.


Read more »
WordPress
Critical security flaw Cyber Attacks Data Theft WordPress

Critical Security Flaw Discovered in LiteSpeed Cache Plugin for WordPress

 

A major security vulnerability has been uncovered in the LiteSpeed Cache plugin, used on over 5 million WordPress websites worldwide. The flaw, identified as CVE-2024-44000, was discovered by Rafie Muhammad, a security researcher at Patchstack. Rated with a CVSS score of 9.8, the vulnerability poses a severe threat to WordPress users by allowing unauthorized individuals to take control of logged-in accounts, including those with administrative access. 

LiteSpeed Cache is primarily known for its role in improving website performance by caching and optimizing site content. However, this recent flaw creates an alarming situation where attackers can hijack user sessions and potentially gain full control over a website, including administrative privileges. Once attackers obtain admin-level access, they can upload malicious plugins, alter site functionality, or even take down the website entirely, causing long-term damage.

The vulnerability is linked to the plugin’s debug log feature, which inadvertently leaks sensitive HTTP response headers, including "Set-Cookie" headers. If this feature is enabled or was previously active, attackers can exploit the flaw by accessing the /wp-content/debug.log file, hijacking user sessions. 

The issue arises when HTTP response headers, including session cookies, are written into the debug log file. If this file is not deleted after the debug feature is disabled, it remains vulnerable to exploitation. Attackers can access the file and use the data to gain control of user sessions. 

For the exploit to succeed, two conditions must be met: the debug log feature must be active or previously enabled, and attackers must be able to access the debug log file. In response, LiteSpeed has issued a patch in version 6.5.0.1. They also recommend users implement stricter .htaccess rules to block access to log files and delete any old debug logs that could contain sensitive information.
Read more »
WordPress
Cache Plugin Cyber Attacks CyberCrime Cyberhackers Cybersecurity CyberThreat LitesSpeed Patchstack Vulnerabilities WordPress

Critical LiteSpeed Cache Plugin Flaw CVE-2024-28000 Sparks a Surge in Cyberattacks

 


According to cyber security researchers, there is a critical security flaw in the LiteSpeed Cache plugin for WordPress that users can exploit without authentication to gain administrative privileges on the site. It is an all-in-one site acceleration plugin that features an exclusive server-level cache along with a suite of optimization features designed to make the websites more efficient with LiteSpeed Cache for WordPress. As a WordPress Multisite plugin, LowSide supports a wide range of plugins, including WooCommerce, bbPress, and Yoast SEO, for the best possible experience. 

There is no compatibility issue with ClassicPress when using LiteSpeed Cache for WordPress. In LiteSpeed Cache, which comes bundled with WordPress, there is a critical vulnerability that can allow attackers to take full control of millions of sites once a rogue admin account is created. This is an open-source and almost universally popular WordPress site acceleration plugin with over 5 million active installations, and it also supports WooCommerce, bbPress, ClassicPress, and Yoast SEO. It is available as a free download. 

In LiteSpeed Cache versions 6.3.0.1 and earlier, the plugin's user simulation feature has an unauthenticated privilege escalation vulnerability (CVE-2024-28000). As a result of this vulnerability, the highest bounty has been awarded in the history of bug bounty hunting for WordPress. This researcher has been rewarded USD 14,400 in cash through the Patchstack Zero Day program as part of this award. It would be great if anyone else interested in joining the community as well would be able to benefit from the program. 

This vulnerability has been automatically protected for all Patchstack users who have enabled protection, so they are no longer at risk. For only $5 per site per month, Patchstack offers a free Community account, where users can scan for vulnerabilities and apply protection for only $5 / site per month by creating a PatchStack account. It is the plugin's user simulation feature that is vulnerable to the vulnerability, as it uses a weak security hash as part of its security process. 

It must be said that the hash value is generated by using an insecure random number generator and the value is stored without being salted or related to a particular request made by the user.  The Patchstack security research tool warns that the hash is relatively easy to guess due to the limited number of possible values, which allows attackers to iterate through all possible hashes to discover the appropriate one and to simulate a user who is an administrator. 

This vulnerability affects all versions of the LiteSpeed Cache plugin for WordPress, from version 6.3.0.1 onwards. In addition, the plugin is susceptible to privilege escalation attacks. Certainly! Here is the rewritten information in a formal, expanded, and third-person tone: --- The security vulnerability identified as CVE-2024-28000 in the LiteSpeed Cache plugin has been linked to a critical issue concerning the improper restriction of role simulation functionality. This flaw allows a user with access to a valid hash—discoverable through debug logs or susceptible to brute-force attacks—to alter their current user ID to that of an administrator. 

This, in turn, enables unauthenticated attackers to impersonate an administrator and utilize the `/wp-json/wp/v2/users` REST API endpoint to create a new user account with administrative privileges. The vulnerability is present in all versions of the LiteSpeed Cache plugin up to and including version 6.3.0.1. The vulnerability was addressed in LiteSpeed Cache version 6.4, released on August 13, 2024. Website administrators utilizing the plugin are strongly advised to update to this latest version to prevent exploitation. 

The urgency of this update is underscored by a report from Wordfence, a leading WordPress security provider, which disclosed that over 30,000 attacks targeting CVE-2024-28000 were blocked within a single day. This surge in attacks illustrates the swift adoption of this exploit by cybercriminals, who are leveraging the vulnerability to compromise WordPress installations. Currently, the attacks are predominantly directed at non-Windows-based WordPress sites. This is because the vulnerability exploits a PHP method called `sys_getloadavg()`, which is not available on Windows systems. 

Consequently, while Windows-based WordPress installations are not vulnerable to this specific exploit, other systems remain at significant risk. The flaw was reported to Patchstack's bug bounty program by security researcher John Blackbourn on August 1, 2024. The LiteSpeed development team promptly created and released a patch with LiteSpeed Cache version 6.4 on August 13. Successful exploitation of this vulnerability can grant unauthenticated visitors administrator-level access, potentially allowing them to fully control compromised websites. 

This control includes installing malicious plugins, altering critical settings, redirecting traffic to harmful sites, distributing malware to visitors, or stealing user data. Additionally, in June 2024, the Wordfence Threat Intelligence team reported that a threat actor had compromised at least five plugins on WordPress.org, adding malicious PHP scripts to enable the creation of administrator accounts on affected websites. 

To protect against this vulnerability, Wordfence Premium, Wordfence Care, and Wordfence Response users were provided with a firewall rule effective from August 20, 2024. Users of the free version of Wordfence will receive similar protection starting on September 19, 2024.
Read more »
Wordpress Security
data security email spam Plugins Vulnerabilities and Exploits Website Hacking WordPad Vulnerability WordPress Wordpress Security

WordPress Vulnerabilities, Exploiting LiteSpeed Cache and Email Subscribers Plugins

 

In recent cybersecurity developments, hackers have been leveraging a critical vulnerability within the LiteSpeed Cache plugin for WordPress to exploit websites running outdated versions. LiteSpeed Cache, a popular caching plugin utilized by over five million WordPress sites, is designed to enhance page load times, improve user experience, and boost search engine rankings. 

However, security experts at Automattic's security team, WPScan, have observed a significant increase in malicious activities targeting WordPress sites with versions of the LiteSpeed Cache plugin older than 5.7.0.1. The vulnerability in question, tracked as CVE-2023-40000, is a high-severity unauthenticated cross-site scripting flaw. 

Attackers are taking advantage of this vulnerability to inject malicious JavaScript code into critical WordPress files or the database of vulnerable websites. By doing so, they are able to create administrator-level user accounts with specific names like 'wpsupp-user' or 'wp-configuser.' Additionally, the presence of certain strings, such as "eval(atob(Strings.fromCharCode," within the database, serves as an indicator of an ongoing compromise. 

Despite efforts by many LiteSpeed Cache users to update to newer, non-vulnerable versions, an alarming number of sites—up to 1,835,000—still operate on outdated releases, leaving them susceptible to exploitation. In a separate incident, hackers have turned their attention to another WordPress plugin called "Email Subscribers," exploiting a critical SQL injection vulnerability, CVE-2024-2876. 

This vulnerability, affecting plugin versions 5.7.14 and older, allows attackers to execute unauthorized queries on databases, thereby creating new administrator accounts on vulnerable WordPress sites. Although "Email Subscribers" boasts a significantly lower number of active installations compared to LiteSpeed Cache, with approximately 90,000, the observed attacks highlight the opportunistic nature of cybercriminals. 

To address these threats effectively, WordPress site administrators are urged to promptly update plugins to the latest versions, remove unnecessary components, and remain vigilant for signs of suspicious activity, such as the sudden creation of new admin accounts. In the event of a confirmed breach, comprehensive cleanup measures are essential, including the deletion of rogue accounts, password resets for all existing accounts, and the restoration of clean backups for both the database and site files. By staying proactive and implementing robust security practices, website owners can minimize the risk of falling victim to such malicious activities and safeguard their online assets effectively.
Read more »
WordPress
Cyberattacks Cybersecurity Cyberthreats LayerSlider Plugin Vulnerabilities and Exploits WordPress

LayerSlider Plugin Imperils 1 Million WordPress Sites, Urgent Fixes Mandated!

 


The LayerSlider WordPress slider plugin has been installed by more than one million people and offers a full package of features for editing web content, creating digital visual effects, and designing graphic content in a single application. 

Considering that WordPress is the most popular website builder in the world, as well as used by roughly half of all websites on the planet, it makes it an ideal target for cybercriminals all over the world. Despite that, hackers have turned their attention and focus to third-party themes and plugins, which are seldom as secure as the platform itself, because most people consider this platform to be relatively secure. 

In addition, Defiant’s Wordfence team stated that unauthenticated attackers can append SQL queries to existing queries to extract information such as password hashes due to the lack of sufficient escape of the parameter supplied by the user, as well as the lack of sufficient preparation of the existing SQL query. 

There is a vulnerability of over 1 million WordPress sites attributed to a premium plugin referred to as LayerSlider, requiring administrators to prioritize applying security updates to that plugin. In addition to being a visual web content editor, LayerSlider also offers graphic design software, as well as digital visual effects that enable users to create animations and rich content for their websites. It is noted by its website that there are millions of people using it globally. 

During the week of March 25, 2024, a researcher named AmrAwad found a critical vulnerability (CVSS score: 9.8) affecting WordPress security firm Wordfence through their bug bounty program. He received $5,500 for his responsible reporting. AmrAwad was recognized for his responsible reporting. 

If an attacker has access to sensitive data from the site's database, such as password hashes, from versions 7.9.11 through 7.10.0 of the plugin, the website could be put at risk of a complete takeover or data breach in the future. In LayerSlider, SQL injection is possible as well as the function that queries slider pop-up markups is done by the “ls_get_popup_markup” function. 

If the “id” parameter of this function is not a number, it is not sanitized before it is passed to “find”. Moreover, even though the plugin escapes $args values with the “esc_sql” function, the “where” key is not included in this function, so attacker-controlled inputs within “where” can be used to query the victim's database by the attacker-controlled inputs. 

 By manipulating “id” and “where”, an attacker can craft a request in such a way that sensitive data from the database, such as password hashes, can be extracted by manipulating those variables. As the structure of possible queries limits the attack to a time-based blind SQL injection, attackers must observe the database's response times to determine the data from the database. There are several ways in which threat actors can enter WordPress sites through vulnerable WordPress plugins to steal data or compromise a website. 

It has been shown that, in January, more than 6,700 WordPress sites were exploited by Balada Injector malware triggered by a cross-site scripting flaw in the Popup Builder plugin logged under CVE-2023-6000. In addition to the thousands of sites that were exposed to the TagDiv Composer plugin flaw tracked as CVE-2023-3169 in October, Balada Injector was installed on over 9,000 sites. In the past six years, over a million WordPress sites have been compromised by the Balada Injector campaign. 

According to Sucuri, the Balada Injector has been responsible for more than a million WordPress sites that have been compromised in this campaign. It is important to note that CVE-2024-2879 still allows malicious actors to access sensitive user information and password hashes from a compromised website's database, despite this limitation. Malicious actors can do this without having any authentication on the website. 

There is a further complication because the queries are not prepared using WordPress' '$wpdb->prepare()' function, which ensures that usernames and passwords are sanitized before a query is sent to the database. This prevents SQL injection because the input is therefore sanitized before it is submitted to the database. It was quickly acknowledged by the Kreatura Team of the plugin's creators that the plugin had been prone to the flaw and it was immediately addressed. 

It has been less than 48 hours since the developers contacted me about the release of a security update. There are critical vulnerabilities in LayerSlider, which are addressed in version 7.10.1, but it is strongly recommended that all users upgrade to version 7.10.1. A WordPress site admin should in general make sure that all their plugins are up-to-date, remove any plugins that are not required, use strong passwords for their accounts, and deactivate any dormant accounts that could be hacked. 

In the world of WordPress, there are thousands of themes and plugins available, each of which builds upon the WordPress experience for the user and makes it better. Some of these are free programs, but the commercial ones tend to have a dedicated team who work on improving them as well as maintaining the security of the program. This happens mainly because hackers choose to target free-to-use themes and plugins.

Many of these are used by millions of people today, but their developers have abandoned them and they are prone to vulnerabilities that have never been addressed (or rarely) by the developers. A safe and secure installation process involves administrators installing themes and plugins that they intend to use, and ensuring that they are always updated to the most recent version of those themes and plugins.
Read more »
WordPress
Cyber Assault Cyber Attacks CyberCrime Cybersecurity JavaScript Malware attacks Sucuri WordPress

Evasive Sign1 Malware Hits 39,000 WordPress Sites in Widespread Cyber Assault

 


In the past six months, a major malware campaign known as Sign1 has compromised over 39,000 WordPress sites, using malicious JavaScript injections to direct people to scams. In a report published this week by Sucuri, it is estimated that no less than 2,500 sites have been infected by this latest malware variant over the past two months. 

As part of the attack, rogue JavaScript is injected into legitimate HTML widgets or plugins, allowing attackers to insert arbitrary JavaScript, along with other code, which provides attackers with an opportunity for their malicious code to be inserted. It was discovered that a new malicious malware campaign called FakeUpdates was targeting WordPress websites with malware shortly after Check Point Software Technologies Ltd. revealed it. 

In addition to its stealthy nature, Sign1 malware has a perilous reputation due to its stealthy tactics. It generates dynamic URLs through time-based randomization, which is extremely difficult to detect and block with security software. The malware's code is also obfuscated, so it's more difficult to detect it. Sign1 is also able to target visitors to certain websites, including popular search engines and social media platforms. This might be one of the most concerning aspects of malware. 

Sucuri’s report estimates that over 39,000 WordPress websites have been infected with Sign1 so far, suggesting a level of sophistication that could enable attackers to focus on users deemed more susceptible to scams. Sucuri’s report indicates that this level of sophistication suggests an attacker's ability to focus on users who are more likely to be targeted by scammers. Sucuri's client has been breached due to a brute force attack, so website owners should take immediate measures to protect their websites and visitors. 

However, although specific details of how the attackers compromised other sites remain unclear, it is believed that the attackers utilized brute force assaults and plugin vulnerabilities to get into WordPress sites via brute force attacks. When the attackers get inside, they usually use the WordPress plugin Simple Custom CSS and JS to inject their malicious JavaScript through the custom HTML widgets, or they may even use the legitimate Simple Custom CSS and JS plugin as well. 

With its sophisticated evasion tactics, Sign1 can bypass conventional blocking measures by dynamically altering URLs every 10 minutes by utilizing time-based randomization; this allows it to circumvent conventional blocking strategies. Since these domains were registered just before the attacks they carried out, they remain off blocklists because of their fleeting nature. 

The attackers, initially hosted by Namecheap, have since moved their operations to HETZNER for web hosting. Cloudflare provides an additional layer of anonymity through IP address obfuscation for IP addresses. A significant challenge for security tools that attempt to detect the injected code is the intricacies of the injected code, which features XOR encoding and arbitrary variable names, which make it very difficult to detect them. 

The Sucuri insights revealed that the Sign1 malware has evolved to an increasingly sophisticated and stealthy stage, as well as being more resilient to steps taken to block it. Infections have dramatically increased over the past six months, especially with new malware versions unleashed on the market each week. Sign1, which has accelerated its sophistication and adaptability in recent months, has taken on an increasingly sophisticated and adaptive appearance since the campaign was initiated in January 2024. 

As a result of such developments, website administrators must immediately take extra precautions and implement robust protected measures to ensure that their websites remain secure. A HETZNER and Cloudflare server hosts the domains, obscuring both the hosting addresses as well as the IP addresses of the domains. 

Moreover, it may not be obvious that the injection code contains XOR encoding and random names for variables, so if you were to detect it, you would still have a hard time. Approximately six months have passed since the malware campaign started, the researchers concluded, adding that it has been developing actively since then. 

The campaign is still ongoing today. There are always spikes in infections whenever new versions are released by the developers. There has been an attack on about 2,500 websites so far on this latest attack that has been happening since the beginning of January 2024.

To keep a website secure, the researchers recommend that website owners implement a strong combination of usernames and passwords so that their website cannot be breached by brute-force attacks, which could be used against them. The attackers may also gain unrestricted access to your premises the moment you uninstall every plugin and theme that is unused or unnecessary on your website.
Read more »
WordPress
IDOR Payment Gateway Firm PII Plugin Flaws Vulnerabilities and Exploits WooCommerce Strip Payment WooCommerce WordPress Plugins WordPress

WordPress: Strip Payment Plugin Flaw Exposes Customers' Order Details


A critical vulnerability has recently been discovered in the WooCommerce Gateway plugin for WordPress. Apparently, it has compromised sensitive customer information related to their orders to unauthorized data. On WordPress e-commerce sites, the plugin supported payment processing for over 900,000 active installations. It was susceptible to the CVE-2023-34000 unauthenticated insecure direct object reference (IDOR) bug.

WooCommerce Stripe Payment

WooCommerce Strip Payment is a payment gateway for WordPress e-commerce sites, with 900,000 active installs. Through Stripe's payment processing API, it enables websites to accept payment methods like Visa, MasterCard, American Express, Apple Pay, and Google Pay.

About the Vulnerability

Origin of the Flaw

The vulnerability originated from unsafe handling of order objects and an improper access control measures in the plugin’s ‘javascript_params’ and ‘payment_fields’ functions.

Due to these coding errors, it is possible to display order data for any WooCommerce store without first confirming the request's permissions or the order's ownership (user matching).

Consequences of the Flaw

The payment gateway vulnerability could eventually enable unauthorized users access to the checkout page data that includes PII (personally identifiable information), email addresses, shipping addresses and the user’s full name.

Since the data listed above is listed as ‘critical,’ it could further lead to additional cyberattacks wherein the threat actor could attempt account hijacks and credential theft through phishing emails that specifically target the victim.

How to Patch the Vulnerability?

Users of the WooCommerce Strip Gateway plugin should update to version 7.4.1 in order to reduce the risks associated with this vulnerability. On April 17, 2023, specialists immediately notified the plugin vendor of the vulnerability, CVE-2023-34000. On May 30, 2023, a patch that addressed the problem and improved security was made available.

Despite the patch's accessibility, the concerning WordPress.org data point to risk. The truth is that unsafe plugin versions are still being used by more than half of the active installations. The attack surface is greatly increased in this situation, which attracts cybercriminals looking to take advantage of the security flaw.

Adding to this, the gateway needs safety measures to be taken swiftly like updating version 7.4.1 and ensuring that all plugins are constantly updated, and keeping an eye out for any indications of malicious activities. Website supervisors can preserve sensitive user data and defend their online companies from potential cyber threats by giving security measures a first priority.

Read more »
Zero- day vulnerability
Balada Injector Sucuri Vulnerabilities and Exploits WordPress WordPress Plugin Wordpress Security WordPress Threat Zero- day vulnerability

WordPress Security: 1 Million WordPress Sites Hacked via Zero-Day Plug-in Bugs


A campaign that utilizes several WordPress plug-ins and theme vulnerabilities to inject malicious code into websites, including a sizable number of zero-days, has infected at least 1 million WordPress-sponsored websites. 

According to a study conducted by Sucuri, the campaign, which it named "Balada Injector," is prolific and Methuselah-like in its endurance, infecting victim sites with malware at least since 2017. After being injected into the page, the malicious code leads users to a variety of scam websites, such as those offering fake tech support, bogus lottery wins, and push notifications requesting Captcha solutions. 

However, behind the scenes, injected scripts look for numerous files, including access logs, error logs, debug information files, database management tools, administrator credentials, and more, that might include any sensitive or potentially helpful information. In addition, backdoors are loaded into the websites for enduring access and, occasionally, site takeover. 

While the 1 million statistic represents the total number of sites that have been infected over the past five years, researchers only recently linked all the activities into a single operation. The campaign is still going strong and does not appear to be slowing down. 

A Focus on WordPress Plug-in & Theme Vulnerabilities 

Sucuri researchers were able to link all of the observed activity to the Balada Injector campaign since it has a few easily distinguishable attributes. These include using a rotating roster of domain names where malicious scripts are placed on haphazard subdomains, uploading and leaving numerous backdoors all across the hacked environment, and spammy redirects. 

Moreover, the developers of Balada Injector also exploit security flaws in WordPress plug-ins and themes, which is likely most noteworthy. These modular WordPress add-ons enable site administrators to integrate a variety of features, such as polling support, message board assistance, or click-to-call integration for e-commerce businesses. 

"All sorts of vulnerabilities in WordPress themes and plugins can allow an attacker to inject code or gain unauthorized access to the website — which can eventually be escalated to the level where code injections are possible[…]This entire time, Balada Injector has been quickly adding newly disclosed vulnerabilities (and sometimes disclosed zero-days), occasionally starting massive waves of infections within a few hours after vulnerability disclosures," Sucuri analysis explains. 

Sucuri has been tracking new waves of activity happening every couple of weeks, with lulls in between that are "probably utilised for gathering and testing newly reported and zero-day vulnerabilities." 

Moreover, older vulnerabilities are also included in the mix, with some still in use by the campaign for months or years after being patched. 

Targeting the WordPress Ecosystem 

Given how the WordPress ecosystem is extremely buggy, it has become a popular target for cybercriminals among any other stripes. 

"Depending on how you measure it, in 2023, WordPress still powers 60% of the websites available on the Internet today[…]The sheer volume of code that goes into this, the degree of customization often present on WordPress sites, and in general the WordPress plug-in ecosystem's complexity, popularity, and the lack of consistent security measures and practices, contribute to its attractiveness to cybercriminals as a rich hunting ground for exploitable bugs," says Casey Ellis, founder, and CTO at the Bugcrowd bug bounty platform. 

Protecting Against WordPress Plug-in Insecurity 

To safeguard oneself against Balada Injector and other WordPress threats, companies must first ensure that all of their website software is updated, delete unused plug-ins and themes, and implement a Web application firewall to protect against Balada Injector and other WordPress threats. 

According to Mike Parkin, senior technical engineer at Vulcan Cyber, the ease with which plug-ins can be added to WordPress from authorized download stores (much like the ecosystem for mobile apps) adds to the security issue. As a result, education for the Web team regarding the risks of installing unapproved modules is also necessary. 

"The myriad available plug-ins, multiple places to get them, and the ease of deployment — you have a recipe for easy malicious plug-in distribution," he says. 

Even large organizations are not resistant to WordPress Security problems. "There are cases, even in large enterprises, where a website is developed and maintained by an individual or small team[…]Often, those folks aren’t especially security conscious and are more interested in keeping their site up and fresh than they are in doing it securely. Patches get missed. Security alerts get missed. New and interesting plug-ins get installed without making sure they are safe or, sometimes, even work," he adds.  

Read more »
WordPress
Command and Control(C2) Doctor Web JavaScript exploit malware Vulnerabilities and Exploits WordPress

WordPress: New Linux Malware Exploits Over Two Dozen CMS Vulnerabilities


Recently, WordPress websites are being attacked by a previously unidentified Linux malware strain that compromises vulnerable systems by taking advantage of vulnerabilities in over twenty plugins and themes. 

In the attacks, a list of 19 different plugins and themes with known security flaws are weaponized and used to launch an implant that can target a specific website in order to increase the network's reach. 

"If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted web pages are injected with malicious JavaScripts […] As a result, when users click on any area of an attacked page, they are redirected to other sites," says Russian security vendor Doctor Web, in a report published last week. 

Additionally, Doctor Web says that it has identified a new version of the backdoor, that apparently uses a new command-and-control (C2) domain, along with an updated list of vulnerabilities over 11 additional plugins, taking this total to 30. 

While it is still unclear if the second version is a remnant from the earlier version or a functionality that is yet to be enabled, both variants includes an unimplemented method for brute-forcing WordPress administrator accounts. 

"If such an option is implemented in newer versions of the backdoor, cybercriminals will even be able to successfully attack some of those websites that use current plugin versions with patched vulnerabilities," the company said. 

Moreover, WordPress users are advised to keep all the components of the platforms updated, along with third-party add-ons and themes. It is recommended to use robust and unique logins and passwords in order to protect their accounts.  

Read more »
WordPress
API Apple CMS Data Breach Hacker Password Hacking Twitter User Privacy WordPress

Data Breach Targets Fast Company News

Fast Company's Apple News website currently displays a statement from the business confirming that it was hacked on Sunday afternoon, followed by another intrusion on Tuesday night that let threat actors to send bigoted notifications to smartphones via Apple News.

In a press release issued last night, the company claimed that "the statements are repulsive and are not by the contents and culture of Fast Company.  We have suspended FastCompany.com while we look into the matter and will not reopen it until it is resolved."

As soon as individuals on Twitter noticed the offensive Apple News notifications, the company disabled the Fast Company channel on the news network.

Data breach tactics

The website's webpage started to load up with articles headlined "Hacked by Vinny  Troia. [redacted] tongue my [redacted]. Thrax was here. " on Sunday afternoon, which was the first indication that Fast Company had been compromised.

In their ongoing dispute with security analyst Vinny Troia, members of the breached hacking group and the now-defunct RaidForums regularly deface websites and carry out attacks that they attribute to the researcher. Fast Company took the website offline for a while to address the defacement, but on Tuesday at around 8 PM EST, another attack occurred.

Hackers claim that after discovering that Fast Company was using WordPress for their website, they were able to compromise the company. The HTTP basic authentication which was supposed to have protected this WordPress installation was disregarded. The threat actor goes on to claim that they were able to enter the WordPress content management system by utilizing a relatively simple default password used on dozens of users.

Fast Company, according to the post, had a 'ridiculously easy' default password that was used on numerous accounts, including an admin account. The compromised account would have then been utilized by the threat actors to gain access to, among other things, authentication tokens and Apple News API credentials.

They assert that by using these tokens, they were able to set up administrator accounts on the CMS platforms, which were then used to send notifications to Apple News.

Threat actors gained access to an undefined number of customer names, birthdates, contact numbers, email, physical addresses, and personal documents, including license and passport numbers, through this same forum, which was at the center of the previous Optus breach. The hacker in question claims to have made 10,200 records available thus far. It's uncertain whether or when Apple News would reactivate the Fast Company channel.



Read more »
WordPress
Backups Bugs data security Flaws Security Vulnerabilities and Exploits WordPress

New Zero-day Flaw in BackupBuddy Plugin Leaves WordPress Users at Risk

 

Wordfence, a WordPress security company, has disclosed that a zero-day vulnerability in the BackupBuddy plugin is being actively exploited. 

"This vulnerability makes it possible for unauthenticated users to download arbitrary files from the affected site which can include sensitive information," it stated.

Users can back up their entire WordPress installation from the dashboard, including theme files, pages, posts, widgets, users, and media files, among other things. The flaw (CVE-2022-31474, CVSS score: 7.5) affects versions 8.5.8.0 to 8.7.4.1 of the plugin, which has an estimated 140,000 active installations. It was fixed in version 8.7.5, which was released on September 2, 2022. 

The problem stems from the "Local Directory Copy" function, which is intended to keep a local copy of the backups. The vulnerability, according to Wordfence, is the consequence of an insecure implementation that allows an unauthenticated threat actor to download any arbitrary file on the server. Additional information about the vulnerability has been withheld due to active in-the-wild abuse and the ease with which it can be exploited.

The plugin's developer, iThemes, said, "This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation. This could include the WordPress wp-config.php file and, depending on your server setup, sensitive files like /etc/passwd."

Wordfence reported that the targeting of CVE-2022-31474 began on August 26, 2022, and that it has blocked nearly five million attacks since then. The majority of the intrusions attempted to read the files listed below -
  • /etc/passwd
  • /wp-config.php
  • .my.cnf
  • .accesshash
Users of the BackupBuddy plugin are encouraged to update to the most recent version. They should determine that they may have been compromised, it's recommended to reset the database password, change WordPress Salts, and rotate API keys stored in wp-config.php.
Read more »
WordPress
AWS Google Drive Vulnerabilities and Exploits WordPress

5 Million Attacks Targeting 0-Day in BackupBuddy Plugin Blocked: Wordfence Report


Vulnerability exploited in the wild 

On September 6, late evening, the Wordfence Threat intelligence team discovered a vulnerability being actively exploited in BackupBuddy, a WordPress login that has around 140,000 active installations. 

The vulnerability allows unauthorised users to download arbitrary from the compromised site which may have sensitive data. It impacts versions 8.5.8.0 to 8.7.4.1, and was fully fixed by September 2, 2022, in version 8.7.5. 

Because of the fact that it is an actively exploited vulnerability, experts recommend users make sure that their site is updated to the latest fixed version 8.7.5 which iThemes has made available to all site owners using a vulnerable version regardless of the licence status.

About the vulnerability

The BackupBuddy plugin for WordPress is made to make backup management easy for owners of WordPress sites. One of the plugin features is storing backup files in various different locations, like AWS, Google Drive, and OneDrive. 

There is also an option to store backup downloads locally through the "Local Directory Copy" option. Sadly, the process to download these locally stored files was not executed safely, which can allow unauthorised users to download any file that is stored on the server.

How is the vulnerability exploited?

Notably, the plugin registers an admin_init hook for the function aimed to download local backup files and the process itself lacks any nonce validation or capability checks. 

It means that the function can be activated via any administrative page, this includes the ones that can be called without any verification, allowing unauthorised users to call the function.

The backup location isn't validated; thus, an arbitrary file could be sneaked and downloaded. 

Because of this vulnerability being exploited in the wild, due to its ease of exploitation, Wordfence has shared some details about the vulnerability.

How to stay safe?

Wordfence suggests for looking up the 'local download 'or the 'local-destination-id' parameter when checking requests in your access logs. "Presence of these parameters along with a full path to a file or the presence of ../../ to a file indicates the site may have been targeted for exploitation by this vulnerability," it says. 

If the site is breached, it may mean that BackupBuddy was the reason for the breach.

In its report, Wordfence concludes:

"we detailed a zero-day vulnerability being actively exploited in the BackupBuddy plugin that makes it possible for unauthenticated attackers to steal sensitive files from an affected site and use the information obtained in those files to further infect a victim. This vulnerability was patched yesterday and we strongly recommend updating to the latest version of the plugin, currently version 8.7.5."





Read more »
Subscribe to: Posts (Atom)