Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Wordpress Security. Show all posts
Zero- day vulnerability
Balada Injector Sucuri Vulnerabilities and Exploits WordPress WordPress Plugin Wordpress Security WordPress Threat Zero- day vulnerability

WordPress Security: 1 Million WordPress Sites Hacked via Zero-Day Plug-in Bugs


A campaign that utilizes several WordPress plug-ins and theme vulnerabilities to inject malicious code into websites, including a sizable number of zero-days, has infected at least 1 million WordPress-sponsored websites. 

According to a study conducted by Sucuri, the campaign, which it named "Balada Injector," is prolific and Methuselah-like in its endurance, infecting victim sites with malware at least since 2017. After being injected into the page, the malicious code leads users to a variety of scam websites, such as those offering fake tech support, bogus lottery wins, and push notifications requesting Captcha solutions. 

However, behind the scenes, injected scripts look for numerous files, including access logs, error logs, debug information files, database management tools, administrator credentials, and more, that might include any sensitive or potentially helpful information. In addition, backdoors are loaded into the websites for enduring access and, occasionally, site takeover. 

While the 1 million statistic represents the total number of sites that have been infected over the past five years, researchers only recently linked all the activities into a single operation. The campaign is still going strong and does not appear to be slowing down. 

A Focus on WordPress Plug-in & Theme Vulnerabilities 

Sucuri researchers were able to link all of the observed activity to the Balada Injector campaign since it has a few easily distinguishable attributes. These include using a rotating roster of domain names where malicious scripts are placed on haphazard subdomains, uploading and leaving numerous backdoors all across the hacked environment, and spammy redirects. 

Moreover, the developers of Balada Injector also exploit security flaws in WordPress plug-ins and themes, which is likely most noteworthy. These modular WordPress add-ons enable site administrators to integrate a variety of features, such as polling support, message board assistance, or click-to-call integration for e-commerce businesses. 

"All sorts of vulnerabilities in WordPress themes and plugins can allow an attacker to inject code or gain unauthorized access to the website — which can eventually be escalated to the level where code injections are possible[…]This entire time, Balada Injector has been quickly adding newly disclosed vulnerabilities (and sometimes disclosed zero-days), occasionally starting massive waves of infections within a few hours after vulnerability disclosures," Sucuri analysis explains. 

Sucuri has been tracking new waves of activity happening every couple of weeks, with lulls in between that are "probably utilised for gathering and testing newly reported and zero-day vulnerabilities." 

Moreover, older vulnerabilities are also included in the mix, with some still in use by the campaign for months or years after being patched. 

Targeting the WordPress Ecosystem 

Given how the WordPress ecosystem is extremely buggy, it has become a popular target for cybercriminals among any other stripes. 

"Depending on how you measure it, in 2023, WordPress still powers 60% of the websites available on the Internet today[…]The sheer volume of code that goes into this, the degree of customization often present on WordPress sites, and in general the WordPress plug-in ecosystem's complexity, popularity, and the lack of consistent security measures and practices, contribute to its attractiveness to cybercriminals as a rich hunting ground for exploitable bugs," says Casey Ellis, founder, and CTO at the Bugcrowd bug bounty platform. 

Protecting Against WordPress Plug-in Insecurity 

To safeguard oneself against Balada Injector and other WordPress threats, companies must first ensure that all of their website software is updated, delete unused plug-ins and themes, and implement a Web application firewall to protect against Balada Injector and other WordPress threats. 

According to Mike Parkin, senior technical engineer at Vulcan Cyber, the ease with which plug-ins can be added to WordPress from authorized download stores (much like the ecosystem for mobile apps) adds to the security issue. As a result, education for the Web team regarding the risks of installing unapproved modules is also necessary. 

"The myriad available plug-ins, multiple places to get them, and the ease of deployment — you have a recipe for easy malicious plug-in distribution," he says. 

Even large organizations are not resistant to WordPress Security problems. "There are cases, even in large enterprises, where a website is developed and maintained by an individual or small team[…]Often, those folks aren’t especially security conscious and are more interested in keeping their site up and fresh than they are in doing it securely. Patches get missed. Security alerts get missed. New and interesting plug-ins get installed without making sure they are safe or, sometimes, even work," he adds.  

Read more »
WP Residence Theme
Cybersecurity Threats Real Estate Websites Vulnerabilities and Exploits Wordpress Security WP Residence Theme

Popular Real Estate Theme in WordPress Leaves Websites Vulnerable to Cyber Attacks


The WP Residence Theme: An Overview of a Popular Real Estate Theme

Real estate sites are one of the most famous and thriving sites on the web, and WordPress is one of the most generally used content management systems (CMS) for making and handling these sites. But recent reports have disclosed that there is a flaw in one of the most popular real estate themes for WordPress that has been abused by threat actors to get access to personal info and hack websites.

The flaw exists in the WP Residence theme, which thousands of real estate websites use across the world. The theme lets site owners to make and manage property listings, show property details, and handle user inquiries. The issue coms from a vulnerability in the theme’s code, which lets threat actors to execute arbitrary code and get administrative privileges on the site.

When the threat actors gain access to the website’s backend, they can steal sensitive information, like user credentials, personal data, and financial information. They can also deploy malicious code, which can cause more dangerous attacks, like spreading malware or ransomware, disrupting the site, or launching a distributed denial-of-service (DDoS) attack.

The Discovery of the Vulnerability: How Wordfence Identified the Issue

The flaw was first found by Wordfence, a leading cybersecurity firm that specialises in WordPress security. The firm discovered that the flaw was being actively exploited in the open, which hints that threat actors were already exploiting it to hack real estate websites. The vulnerability impacted all variants of the WP Residence theme up to version 1.60.3, which was launched in January 2021.

Wordfence immediately alerted the theme’s developers, who released a patch to fix the issue. The patch was included in version 1.60.4, which was released in February 2021. Website owners who use the WP Residence theme are urged to update to the latest version as soon as possible to protect their website from potential attacks.

The Importance of Maintaining Strong Website Security Practices

This incident highlights the importance of keeping your website up-to-date with the latest software patches and security updates. Even popular and well-maintained themes and plugins can contain vulnerabilities that can be exploited by hackers. Therefore, it’s essential to have a robust security strategy in place, which includes regular backups, malware scans, and security audits.

In conclusion, the vulnerability in the WP Residence theme is a reminder that no website is immune to cyber-attacks. Website owners need to be vigilant and proactive in securing their websites, especially if they handle sensitive information or financial transactions. By following best practices for website security and staying informed about the latest threats and vulnerabilities, website owners can protect their website and their users from harm.



Read more »
Wordpress Security
Flaws Malicious Sites Sensitive Data Leak Vulnerabilities and Exploits WordPress Plugin Wordpress Security

This WordPress Plugin Flaw Impacts 1M Sites & Allows Malicious Redirects

 

A high-severity issue in the OptinMonster plugin permits unauthorised API access and sensitive information leak on around a million WordPress sites. 

The flaw, identified as CVE-2021-39341, was found by researcher Chloe Chamberland on September 28, 2021, and a fix was made available on October 7, 2021. All OptinMonster plugin users are recommended to upgrade to version 2.6.5 or later, as all previous versions are impacted. 

OptinMonster is a popular WordPress plugin for creating stunning opt-in forms that assist site owners in converting visitors to subscribers/customers. It is primarily a lead generation and monetization tool, and it is used on roughly a million websites because of its ease of use and variety of features.

According to Chamberland's vulnerability disclosure report, OptinMonster's power is based on API endpoints that provide easy integration and a streamlined design process. However, the execution of these endpoints isn't always safe, with the '/wp-json/omapp/v1/support' endpoint being the most crucial example. 

This endpoint can provide information such as the site's entire route on the server, API keys used for site requests, and more. An attacker with access to the API key could make modifications to the OptinMonster accounts or even inject malicious JavaScript snippets into the site. Without anyone's knowledge, the site would run this code every time a visitor activated an OptinMonster element.

To make circumstances terrible, the intruder would not even need to authenticate on the targeted site in order to use the API endpoint, since an HTTP request would circumvent security checks under certain, simple conditions. While the '/wp-json/omapp/v1/support' endpoint is the worst-case scenario, it is not the only insecure REST-API endpoint that may be exploited. 

When the researcher's findings reached the OptinMonster team, the popular WordPress plugin's developers understood that the entire API needed to be revisited. As a result, all OptinMonster upgrades that appear on the WordPress dashboard in the next weeks must be installed, as they will most likely resolve further API issues. 

Meanwhile, any API keys that may have been stolen were instantly invalidated, forcing site owners to produce new keys. This case demonstrates how widely deployed and popular WordPress plugins can harbour several undetected flaws over extended periods.
Read more »
Wordpress Vulnerability
malware Plugins Wordpress Security Wordpress Vulnerability

WordPress Websites Infected with Malware Via Fake jQuery Files


Cybersecurity experts discovered fake variants of the jQuery Migrate plugin inserted in various sites that had unclear codes to launch malware. The files are tagged as jquery-migrate.min.js and jquery-migrate.js, currently located where Java files are generally found on WordPress websites but in reality are fake. Presently, around 7 Million websites use the jQuery Migrate plugin, the popularity of the plugin may have led hackers to use it as a decoy to plant their malware under the plugin name. 

Cybersecurity experts Adrian Stoian and Denis Sinegubko earlier this week discovered fake jQuery files pretending to be jQuery migrate plugins on several websites. To avoid getting caught, the infected files interchange with legitimate files having ./wp-includes/js/jquery/ directory where all the WordPress files are present. 

These counterfeit files have further muddled the codes using an anonymous analytics.js file containing malicious codes. As of now, the threat level of this attack is yet to be determined, but a search query shared by Sinegubko revealed that the malicious code infected around forty web pages.  

The filename 'analytics' however, has nothing to do with the metrics of websites. Bleeping computer enquired some infected file codes. "The code has references to "/wp-admin/user-new.php" which is the WordPress administration page for creating new users. Moreover, the code accesses the _wpnonce_create-user variable which WordPress uses to enforce Cross-Site Request Forgery (CSRF) protections," reports Bleeping Computer. 

In general, if the hackers get the CSRF tokens, it allows them to imitate fake requests from the user end. Attaching these malicious scripts on WordPress websites allows hackers to deploy various cyberattacks using that may vary from credit card skimming for Megacart scams or redirecting users to scammed websites. Here, the victims may be led to fake survey forums, tech assistance frauds, requests for subscribing to spam notifications, or installing malicious browser extensions.  

Helpnet Security reports, "everyone with half a mind for security will tell you not to click on links in emails, but few people can explain exactly why you shouldn’t do that. Clicking on that link means that an attacker can fake any user-supplied input on a site and make it indistinguishable from a user doing it themselves."
Read more »
Wordpress Security
Vulnerability Wordpress Security

Update your Wordpress, Prevent Your website from Being Hacked

WordPress has come up with its 4.2.2 version in order to increase its users security. It has also urged people to update their sites immediately.

Samuel Sidler, researcher at WordPress.org, wrote that the new version is aimed to address two security issues.

The first one is the Genericons icon font package, used in themes and plugins, which contained an HTML file vulnerable to a cross-site scripting attack. 

On May 7 all affected themes and plugins including twenty fifteen default theme have been updated by the WordPress security team after a DOM-based Cross-Site Scripting (XSS) vulnerability was discovered.

Security researchers from Sucuri warned that the vulnerability is being exploited in the wild days before disclosure.

Robert Abela of Netsparker reported that in a bid to protect other Genericons usage, WordPress 4.2.2 scans the wp-content directory for this HTML file and removes it.

Secondly, WordPress versions 4.2 and previous versions are affected by a critical cross-site scripting vulnerability, which could enable anonymous users to compromise a site. So, WordPress 4.2.2 includes a comprehensive fix for this issue according to a separate report by Rice Adu and Tong Shi.

WordPress 4.2.2 also contains fixes for 13 bugs from 4.2.

People just have to download WordPress 4.2.2 or venture over to Dashboard. Then click “Update Now” button. 

Sites that support automatic background updates have begun to update to WordPress 4.2.2.
Read more »
Wordpress Security
Vulnerability Wordpress Security

Multiple vulnerabilities in TheCartPress WordPress plugin

Multiple vulnerabilities has been discovered in TheCartPress WordPress plugin by the High-Tech Bridge Security Research Lab.

The vulnerabilities can be exploited to execute arbitrary PHP code, disclose sensitive data, improper access control, and to perform Cross-Site Scripting attacks against users.

To exploit the local PHP File Inclusion vulnerability, an attacker needs to have administrator privileges on WordPress installation. PHP does not properly verify the URL before being used in  ‘include()’ function , and can be abused to include arbitrary local files via directory traversal sequences.

HTTP POST parameters are supplied by many users during the checkout process. These parameters are not being sanitized before being stored in the local database.  Which can be easily exploited by a non-authenticated attacker, they  may inject malicious HTML and JS code that will be stored in the application database, and made available to any non-authenticated user on the following URL:
http://wordpress/wp-admin/admin-ajax.php?order_id=[order_id]&action=tcp_print_or der

Due to broken authentication mechanism any non-authenticated user may browse orders of other users. They easily predict the order ID, enables them to steal all currently-existing orders.

The vulnerability can be reproduced by opening the  following URL:
http://wordpress/shopping-cart/checkout/?tcp_checkout=ok&order_id=[order_id]

And full details of the orders can be viewed by opening the following URL
http://wordpress/wp-admin/admin-ajax.php?order_id=[order_id]&action=tcp_print_or der

Inputs  can be passed via the "search_by", "address_id", "address_name", "firstname", "lastname", "street", "city", "postcode", "email", "post_id" and "rel_type", and "post_type"  GET parameter. These are not properly verified before being returned to the user. An attacker can logged-in as  administrator to open a link, and execute arbitrary HTML and script code in browser in context of the vulnerable website.
Read more »
Wordpress Security
Backdoors hacker news Information Security Spam Report Wordpress Security

WordPress Plugins containing Backdoor distributed via phishing emails

What would you do when you receive an email offering Pro version of Wordpress plugin for free, if you are a WordPress user? Don't get tempted by such kind of emails, they also give malicious code for free!

Sucuri reported about a phishing emails asking their clients to download Pro-version of "All in one SEO Pack" WordPress plugin.  The email claims that the plugin is $79.00 worth and giving it for free.

"You have been chosen by WordPress to take part in our Customer Rewarding Program.  You are the 23rd from 100 uniques winners." The phishing email reads.

Credit : Sucuri

The download link provided in the email is not linked to WordPress plugin store, it is linked to a zip file hosted in a compromised website.

Security researchers at Sucuri analyzed the plugin and found out that it is modified with a Backdoor which gives attackers full access to the server.

The malicious code in the plugin replaces the index.php file with the malicious code retrieved from the attacker's server.  So, when user visit the site, they either redirected to SPAM sites or to Exploit kits where it will infect the visitor's system.
Read more »
Wordpress Security
Featured Information Security IT Security News Spam Report Wordpress Security

Infected Social media widget plugin puts spam link in 1000s of WordPress sites



If you are using Social Media widget plugin in your WordPress site, make sure to remove it immediately.  Sucuri has discovered that the plugin is being used to inject spam into your site.

The Social Media Widget is a simple sidebar widget that allows users to input their social media website profile URLs and other subscription options to show an icon on the sidebar to that social media site and more that open up in a separate browser window.


It is one of the popular plugin with more than 935,000 downloads, it means thousands of WordPress sites are affected.

According to Sucuri malware report, the plugin has a hidden call to a malicious url "hxxp://i.aaur.net/i.php", which is used to inject "Pay Day Loan" spam into the websites running the plugin.

The malicious code was added only in the latest version of the plugin , SMW 4.0.  Users are recommended to remove the plugin from their sites. The plugin has been removed from the WordPress Plugin repository.
Read more »
Wordpress Security
Blogger Security Breaking News Information Security News IT Security News Security News Wordpress Security

WordPress.com boosts security with Two Step authentication


WordPress.com , a blog web hosting service provided, announced that they have enabled Two-step authentication feature to keep your blogger account secure.

Two factor authentication is a security feature that prompts you to enter a temporary secret number sent to your phone whenever you log into your account.

How to enable Two step authentication in Wordpress?
To enable this feature, go to the new Security tab in your WordPress.com account settings, and go through the setup wizard.

"We know your blog is important to you, and today we’re proud to announce Two Step Authentication: an optional new feature to help you keep your WordPress.com account secure." Wordpress.com blog post reads.
Read more »
Subscribe to: Posts (Atom)