WordPress plugin flaw lets you take over entire sites

guest · May 28, 2020

200K sites with buggy WordPress plugin exposed to wipe attacks
May 28, 2020
https://www.bleepingcomputer.com/ne...ggy-wordpress-plugin-exposed-to-wipe-attacks/

Two high severity security vulnerabilities found in the PageLayer plugin can let attackers to potentially wipe the contents or take over WordPress sites using vulnerable plugin versions.

PageLayer is a WordPress plugin with over 200,000+ active installations according to numbers available on its Wordpress plugins repository entry.
Bugs can lead to takeover attacks and wiped sites
The vulnerabilities were reported to PageLayer's developer by the Wordfence Threat Intelligence team on April 30 and were patched with the release of version 1.1.2 on May 6.
According to Wordfence, the two security flaws can be exploited by attackers to wipe WordPress sites running older unpatched versions of the plugin, as well as launch takeover attacks.

More details regarding the two PageLayer vulnerabilities, their impact, and how they were patched by the development team can be found in Wordfence's report.
Click to expand...

At least 120K sites still exposed to attacks
While PageLayer 1.1.2 was released on May 6, it only had just over 85,000 new downloads until yesterday, May 27, including both new installs and updates, according to raw downloads data on the WordPress' plugin repository.
This means that at least 120,000 WordPress sites with active PageLayer installation might be exposed to takeover and wipe attacks in the eventuality that hackers decide to exploit these bugs.
Click to expand...

Wordfence: High Severity Vulnerabilities in PageLayer Plugin Affect Over 200,000 WordPress Sites

SAustn2 · May 28, 2020

I take it "new" doesn't always carry the association "and improved".

guest · Jul 9, 2020

Advertising Plugin for WordPress Threatens Full Site Takeovers
Thousands of vulnerable websites need to apply the patch to avoid RCE
July 8, 2020
https://threatpost.com/advertising-plugin-wordpress-full-site-takeovers/157283/

The Adning Advertising plugin for WordPress, a premium plugin with over 8,000 customers, contains a critical remote code-execution vulnerability with the potential to be exploited by unauthenticated attackers.
The plugin’s author, Tunafish, has rolled out a patched version (v.1.5.6), which site owners should update to as soon as possible. No CVE was issued.

The bug could allow complete site takeover, earning it a 10 out of 10 on the CVSS bug-severity scale. Also, it has already been the subject of in-the-wild attacks, according to an analysis from Wordfence issued on Wednesday. That said, the firm said the attacks so far have been limited in scope and scale.
Click to expand...

Wordfence researchers also found a second security vulnerability, which allows unauthenticated arbitrary file deletion via path traversal.
Carrying a high-severity CVSS score of 8.7, this bug is also patched in v.1.5.6.
Click to expand...

Wordfence: Critical Vulnerabilities Patched in Adning Advertising Plugin

guest · Jul 18, 2020

SEO plugin for WordPress would run arbitrary JavaScript inputs instead of scrubbing them
XSS vuln could hijack websites so update your All in One pack
July 17, 2020
https://www.theregister.com/2020/07/17/all_in_one_seo_pack_javascript_sanitisation_vuln

A popular WordPress search engine optimisation plugin with around two million installs could have been abused to hijack a target website, according to a threat intel firm.

"This flaw allowed authenticated users with contributor level access or above the ability to inject malicious scripts that would be executed if a victim accessed the wp-admin panel's 'all posts' page," said WordPress-focused infosec biz Wordfence in a blog post about the vuln in the All in One SEO Pack plugin.
The cross-site scripting (XSS) vuln could have been abused to hijack control of a targeted site from its operators.

Worse, JavaScript inserted into those fields "would also be executed when visiting the page directly if a closing tag was inserted by an attacker before adding their own script". Instead of sanitising inputs, the plugin merely executed them – so escaping the plugin's own </script> tag was trivially easy.
[...] blog admins should enable 2FA where possible to harden all account privilege levels against takeovers.
Click to expand...

Wordfence: 2 Million Users Affected by Vulnerability in All in One SEO Pack

On July 10, 2020, our Threat Intelligence team discovered a vulnerability in All In One SEO Pack, a WordPress plugin installed on over 2 million sites. This flaw allowed authenticated users with contributor level access or above the ability to inject malicious scripts that would be executed if a victim accessed the wp-admin panel’s ‘all posts’ page.
This is considered a medium severity security issue that, as with all XSS vulnerabilities, can result in complete site takeover and other severe consequences.
Click to expand...

guest · Jul 28, 2020

Critical Wordpress plugin bug lets hackers take over hosting account
July 28, 2020
https://www.bleepingcomputer.com/ne...n-bug-lets-hackers-take-over-hosting-account/

Hackers can exploit a maximum severity vulnerability in the wpDiscuz plugin installed on over 70,000 WordPress sites to execute code remotely after uploading arbitrary files on servers hosting vulnerable sites.

wpDiscuz is a WordPress plugin marketed as an alternative to Disqus and Jetpack Comments that provides an Ajax real-time comment system that will store comments within a local database.
Arbitrary file upload bug leading to site takeovers
The vulnerability was reported to wpDiscuz's developers by Wordfence's Threat Intelligence team on June 19 and was fully patched with the release of version 7.0.5 on July 23, after a failed attempt to fix the issue in version 7.0.4.
According to Wordfence threat analyst Chloe Chamberland, the security flaw is rated as critical severity with a CVSS base score of 10/10.

"If exploited, this vulnerability could allow an attacker to execute commands on your server and traverse your hosting account to further infect any sites hosted in the account with malicious code," Chamberland said.
Click to expand...

Over 45,000 still vulnerable to attacks
While wpDiscuz 7.0.5, the version containing a fix for this maximum severity RCE vulnerability, was released on July 23, the plugin only had just over 25,000 downloads during the last week, including both updates and new installs.
Click to expand...

Wordfence: Critical Arbitrary File Upload Vulnerability Patched in wpDiscuz Plugin

On June 19th, our Threat Intelligence team discovered a vulnerability present in Comments – wpDiscuz, a WordPress plugin installed on over 80,000 sites. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server.
Click to expand...

guest · Aug 3, 2020

Newsletter plugin bugs let hackers inject backdoors on 300K sites
August 3, 2020
https://www.bleepingcomputer.com/ne...s-let-hackers-inject-backdoors-on-300k-sites/

Owners of WordPress sites who use the Newsletter plugin are advised to update their installations to block attacks that could use a fixed vulnerability allowing hackers to inject backdoors, create rogue admins, and potentially take over their websites.

The vulnerability was found in the Newsletter WordPress plugin that provides the tools needed to create responsive newsletter and email mail marketing campaigns on WordPress blogs using a visual composer.
Patched within two days
In a report published today by Wordfence's Threat Intelligence team, threat analyst Ram Gall says that he discovered two additional security flaws while analyzing a previous patched published by the plugin's developers on July 13.
Click to expand...

Wordfence spotted a reflected Cross-Site Scripting (XSS) flaw and a PHP Object Injection vulnerability that were both fully patched by Newsletter's development team on July 17 with the release of version 6.8.3, two days after the initial report sent on July 15.

While the two flaws are rated as medium and high severity issues that could allow attackers to add rogue admins and inject backdoors after successfully exploiting the reflected XSS issue on sites running vulnerable versions of the Newsletter plugin.
Additionally, the PHP Object Injection flaw "could be used to inject a PHP object that might be processed by code from another plugin or theme and used to execute arbitrary code, upload files, or any number of other tactics that could lead to site takeover," according to Gall.
Click to expand...

Wordfence: Newsletter Plugin Vulnerabilities Affect Over 300,000 Sites

On July 13, 2020, our Threat Intelligence team was alerted to a recently patched vulnerability in Newsletter, a WordPress plugin with over 300,000 installations. While investigating this vulnerability, we discovered two additional, more serious vulnerabilities, including a reflected Cross-Site Scripting(XSS) vulnerability and a PHP Object Injection vulnerability.
Click to expand...

guest · Aug 15, 2020

Critical Flaws in WordPress Quiz Plugin Allow Site Takeover
August 14, 2020
https://threatpost.com/critical-flaws-wordpress-quiz-plugin-site-takeover/158379/

A plugin that is designed to add quizzes and surveys to WordPress websites has patched two critical vulnerabilities. The flaws can be exploited by remote, unauthenticated attackers to launch varying attacks – including fully taking over vulnerable websites.

The plugin, Quiz and Survey Master, is actively installed on over 30,000 websites. The two critical flaws discovered by researchers include an arbitrary file-upload vulnerability, ranking 10 out of 10 on the CVSS scale; as well as an unauthenticated arbitrary file deletion error, ranking 9.9 out of 10. A patch is available for both issues in version 7.0.1 of the plugin, said the researchers with Wordfence who discovered the flaws, in a Thursday post.
Click to expand...

Wordfence: Critical Vulnerabilities Patched in Quiz and Survey Master Plugin

Ultimately, this meant that unauthenticated users could upload arbitrary files, including PHP files, to a site and achieve remote code execution when there was a quiz enabled on the site that allowed file uploads as a response. This could lead to complete site takeover and hosting account compromise amongst many other scenarios.

Fortunately, the functionality had to be enabled and configured for a quiz in order to be exploitable, meaning that most sites were unlikely to be exploited by this particular vulnerability.
Click to expand...

guest · Aug 21, 2020

WordPress WooCommerce stores under attack, patch now
August 21, 2020
https://www.bleepingcomputer.com/news/security/wordpress-woocommerce-stores-under-attack-patch-now/

Hackers are actively targeting and trying to exploit SQL injection, authorization issues, and unauthenticated stored cross-site scripting (XSS) security vulnerabilities in the Discount Rules for WooCommerce WordPress plugin with more than 30,000 installations.

Discount Rules for WooCommerce is a plugin that makes it simple to manage product pricing and discount campaigns on WooCommerce online stores.

"We have seen an influx of attacks against this vulnerability. Primarily from the IP address 45[.]140.167.17 which attempts to inject the script poponclick[dot]info/click.js into the woocommerce_before_main_content template hook," WebARX CTO Dave Jong who found the vulnerabilities says.
Website takeover risk after successful exploitation
The security flaws found and reported by WebARX could allow the attackers to potentially remotely execute code on the vulnerable sites, execute actions with admin permissions, and potentially takeover compromised sites.
Click to expand...

At least 17K online stores exposed to ongoing attacks
The plugin's developer has addressed the vulnerabilities currently under active attack with the release of Discount Rules for WooCommerce 2.1.0 more than a week ago, on August 13.
Click to expand...

WebARX: Multiple Vulnerabilities In Discount Rules for WooCommerce Plugin

There are SQLi and unauthenticated stored XSS vulnerabilities in Discount Rules for WooCommerce WordPress plugin.
Click to expand...

guest · Sep 2, 2020

Hackers are exploiting a critical flaw affecting >350,000 WordPress sites
Flaw is in File Manager, a plugin with more than 700,000 users; 52% are affected
September 2, 2020
https://arstechnica.com/information...itical-flaw-affecting-350000-wordpress-sites/

Hackers are actively exploiting a vulnerability that allows them to execute commands and malicious scripts on Websites running File Manager, a WordPress plugin with more than 700,000 active installations, researchers said on Tuesday. Word of the attacks came a few hours after the security flaw was patched.

Attackers are using the exploit to upload files that contain webshells that are hidden in an image. From there, they have a convenient interface that allows them to run commands in plugins/wp-file-manager/lib/files/, the directory where the File Manager plugin resides. [...] hackers may be able to exact more damage by uploading scripts that can carry out actions on other parts of a vulnerable site.
Click to expand...

NinTechNet, a website security firm in Bangkok, Thailand, was among the first to report the in-the-wild attacks.
Backdooring vulnerable sites at scale
In email, NinTechNet CEO Jerome Bruandet wrote:

It's a bit too early to know the impact because when we caught the attack, hackers were just trying to backdoor websites. However, one interesting thing we noticed is that attackers were injecting some code to password-protect the access to the vulnerable file (connector.minimal.php) so that other groups of hackers could not exploit the vulnerability on the sites that were already infected.
Click to expand...

Wordfence: 700,000 WordPress Users Affected by Zero-Day Vulnerability in File Manager Plugin

This morning, on September 1, 2020, the Wordfence Threat Intelligence team was alerted to the presence of a vulnerability being actively exploited in File Manager, a WordPress plugin with over 700,000 active installations. This vulnerability allowed unauthenticated users to execute commands and upload malicious files on a target site.
Click to expand...

guest · Sep 10, 2020

mood said: ↑

Hackers are exploiting a critical flaw affecting >350,000 WordPress sites
September 2, 2020
Wordfence: 700,000 WordPress Users Affected by Zero-Day Vulnerability in File Manager Plugin
Click to expand...

Hackers are fighting a war over 300K vulnerable WordPress sites
September 10, 2020
https://www.bleepingcomputer.com/ne...g-a-war-over-300k-vulnerable-wordpress-sites/

Attackers who are actively exploiting a critical remote code execution flaw affecting over 600,000 of WordPress sites running vulnerable File Manager plugin versions have also been seen protecting the sites they compromise from other threat actors' attacks.

The critical vulnerability allows unauthenticated attackers to upload malicious PHP files and execute arbitrary code following successful exploitation [1, 2, 3]. File Manager's dev team addressed the flaw with the release of File Manager 6.9.
In an updated report published today, Defiant threat analyst Ram Gall says that the threat actors haven't stopped their siege, with the total number of WordPress sites being targeted going up to 2.6 million.
Click to expand...

Fighting over control
Both of them have been seen by Defiant while trying to block other attackers' exploit attempts by password protecting the exploitable connector.minimal.php file on sites they've infected.
In all, Defiant's researchers saw attacks trying to exploit this vulnerability originating from more than 370,000 separate IP addresses, with almost no overlap in backdoor access activity.
Click to expand...

Wordfence:
Millions of Sites Targeted in File Manager Vulnerability Attacks (September 4, 2020)
Attackers Fight for Control of Sites Targeted in File Manager Vulnerability (September 10, 2020)

guest · Sep 18, 2020

Stubborn WooCommerce Plugin Bugs Get Third Patch
Users of the Discount Rules for WooCommerce WordPress plugin are urged to apply a third and (hopefully) final patch
September 18, 2020
https://threatpost.com/woocommerce-plugin-bug-allows-site-takeover/159364/

E-commerce sites using the WordPress plugin Discount Rules for WooCommerce are being urged to patch two high-severity cross-site scripting flaws that could allow an attacker to hijack a targeted site. Two fixes for the flaws, first available on Aug. 22 and second on Sept. 2, failed to patch the problem.

A third round of patches for the bugs became available to customers on Sept. 9. On Thursday, the Wordfence Threat Intelligence researchers that were tipped-off to the vulnerabilities, publicly disclosed the flaws and offered a technical analysis.

“We strongly recommend updating to the latest version of this plugin, currently 2.2.1, as soon as possible, since the consequences of a breach on an e-Commerce site can be severe,” wrote researchers at Wordfence.
Click to expand...

Wordfence: High-Severity Vulnerabilities Patched in Discount Rules for WooCommerce

guest · Oct 19, 2020

Vulnerability in WordPress plugin TI WooCommerce Wishlist could allow full site takeover
Flaw in popular add-on allows any logged-in customer to achieve admin status
October 19, 2020
https://portswigger.net/daily-swig/...merce-wishlist-could-allow-full-site-takeover

A critical vulnerability in a WordPress plugin with more than 70,000 active installations could grant an attacker full administrative access, including the ability to modify and takeover a site’s database.

The bug in TI WooCommerce Wishlist has been patched in the latest version (1.21.12). Users are being urged to update as soon as possible, as the vulnerability is currently being exploited in the wild.
Security researchers from NinTechNet described how a lack of a capability check and other flaws could enable a malicious actor to take control of a target site running the plugin.

A blog post reads: [...] allowing an authenticated user to modify the content of the WordPress options table in the database.

“Because WooCommerce allows customer registration, any logged-in customer can exploit this vulnerability,” NinTechNet said.
Click to expand...

Data suggests that there are around 70,000 active installations. More than half of these have updated to at least version 1.21, though it isn’t clear how many users are using the most up-to-date release.
This indicates that thousands of users could be vulnerable to attack.
Click to expand...

guest · Nov 9, 2020

Critical Privilege Escalation Vulnerabilities Affect 100K Sites Using Ultimate Member Plugin
November 9, 2020
https://www.wordfence.com/blog/2020...fect-100k-sites-using-ultimate-member-plugin/

On October 23, 2020, our Threat Intelligence team responsibly disclosed several vulnerabilities in Ultimate Member, a WordPress plugin installed on over 100,000 sites. These flaws made it possible for attackers to escalate their privileges to those of an administrator and take over a WordPress site.

We initially reached out to the plugin’s developer on October 23, 2020. After establishing an appropriate communication channel, we provided the full disclosure details on October 26, 2020.
The plugin’s developer released a patched version of Ultimate Member, 2.1.12, on October 29, 2020.
Click to expand...

We discovered that the user registration form lacked some checks on submitted user data. This oversight made it possible for an attacker to supply arbitrary user meta keys during the registration process that would update those meta keys in the database. This meant that an attacker could supply an array parameter for sensitive meta data such as the wp_capabilities user meta which defines a user’s role.

Unauthenticated Privilege Escalation via User Meta
Description: Privilege Escalation
Affected Plugin: Ultimate Member
CVSS Score: 10.0 (CRITICAL)
This vulnerability is considered very critical as it makes it possible for originally unauthenticated users to easily escalate their privileges to those of an administrator. Once an attacker has administrative access to a WordPress site, they have effectively taken over the entire site and can perform any action, from taking the site offline to further infecting the site with malware.
Click to expand...

Threatpost: Ultimate Member Plugin for WordPress Allows Site Takeover

guest · Dec 12, 2020

Easy WP SMTP WordPress Plugin Vulnerability Let Hackers Takeover Admin Accounts
December 12, 2020
https://techdator.net/easy-wp-smtp-...rability-let-hackers-takeover-admin-accounts/

A popular WordPress plugin has a zero-day vulnerability, which is reportedly being exploited by hackers to take over admin accounts. Easy WP SMTP, installed in over 500,000 sites, is said to be maintaining debug files containing all the emails sent. Hackers here are accessing those files to takeover the password reset link.

Bruandet said the vulnerability is now being exploited and suggested updating the plugin to a new version released on Monday.
Easy WP SMTP’s makers have released a new version of it as v1.4.4, which moves the plugin’s debug log to a better-protected area of WordPress logs folder, thus safe. It’s currently unknown how many sites from the 500,000+ have updated this plug-in.
Click to expand...

WordPress Easy WP SMTP plugin fixed zero-day vulnerability

guest · Dec 17, 2020

WordPress plugin with 5 million installs has a critical vulnerability
December 17, 2020
https://www.bleepingcomputer.com/ne...illion-installs-has-a-critical-vulnerability/

The team behind a popular WordPress plugin has disclosed a critical file upload vulnerability and issued a patch.

The vulnerable plugin, Contact Form 7, has over 5 million active installs making this urgent upgrade a necessity for WordPress site owners out there.
Unrestricted file upload
This week, Contact Form 7 project has disclosed an unrestricted file upload vulnerability (CVE pending) in the WordPress plugin that can allow an attacker to bypass Contact Form 7's filename sanitization protections when uploading files.

An attacker can upload a crafted file with arbitrary code on the vulnerable server using the plugin.
Click to expand...

"Contact Form 7 5.3.2 has been released. This is an urgent security and maintenance release. We strongly encourage you to update to it immediately," reads the project's security advisory.

"Seeing the criticality of the vulnerability and the number of WordPress websites using this popular plugin, we quickly reported the vulnerability. The developer was even quicker in issuing a fix. Kudos to the Contact Form 7 team for leading by example," Behanan told BleepingComputer.
Click to expand...

Astra: Unrestricted File Upload Vulnerability found in Contact Form 7, update immediately (5 million+ sites affected)

Consequences of File Upload Vulnerability in Contact Form 7 (5.3.1 & older versions)

Possible to upload a web shell and inject malicious scripts

Complete takeover of the website & server if there is no containerization between websites on the same server

Defacing the website

Click to expand...

guest · Jan 14, 2021

Critical WordPress-Plugin Bug Found in ‘Orbit Fox’ Allows Site Takeover
January 13, 2021
https://threatpost.com/orbit-fox-wordpress-plugin-bugs/163020/

Two vulnerabilities (one critical) in a WordPress plugin called Orbit Fox could allow attackers to inject malicious code into vulnerable websites and/or take control of a website.

Orbit Fox is a multi-featured WordPress plugin that works with the Elementor, Beaver Builder and Gutenberg site-building utilities. It allows site administrators to add features such as registration forms and widgets. The plugin, from a developer called ThemeIsle, has been installed by 400,000+ sites.
Click to expand...

According to researchers at Wordfence, the first flaw (CVEs are pending) is an authenticated privilege-escalation flaw that carries a CVSS bug-severity score of 9.9, making it critical.

The second bug meanwhile is an authenticated stored cross-site scripting (XSS) issue that allows attackers with contributor or author level access to inject JavaScript into posts.
It’s rated 6.4 on the CVSS scale, making it medium severity.
Click to expand...

Wordfence: Multiple Vulnerabilities Patched in Orbit Fox by ThemeIsle Plugin

We initially reached out to the plugin’s developer on November 19, 2020. After establishing an appropriate communication channel, we provided the full disclosure details on November 24, 2020. After a few follow-ups, the plugin’s developer released a patched version of Orbit Fox by ThemeIsle in version 2.10.3, on December 17, 2020.
These are critical and medium severity vulnerabilities. Therefore, we highly recommend updating to the patched version, 2.10.3, immediately.
Click to expand...

guest · Jul 13, 2021

WordPress File Management Plugin Riddled with Critical Bugs
The bugs allow a range of attacks on websites, including deleting blog pages and remote code execution
July 12, 2021
https://threatpost.com/frontend-file-manager-wordpress-bugs/167687/

A critical cross-site scripting (XSS) bug impacts WordPress sites running the Frontend File Manager plugin and allows remote unauthenticated users to inject JavaScript code into vulnerable websites to create admin user accounts.

The bug is one of six critical flaws impacting the WordPress plugin Front File Manager versions 17.1 and 18.2, active on more than 2,000 websites. Each of the flaws, publicly disclosed Monday, have available patches.
Privilege Escalation
Meanwhile, a privilege escalation issue stems from the “wpfm_get_current_user” function, which is used to retrieve a user ID from the “nmedia-user-file-uploader/inc/helpers.php” script, according to a Monday posting.
Click to expand...

NinTechNet: WordPress Frontend File Manager plugin fixed multiple critical vulnerabilities

The WordPress Frontend File Manager plugin (2,000+ active installations) fixed multiple critical vulnerabilities affecting version 17.1 and, to some extend, version 18.2 (see Timeline below for more details).
Click to expand...

guest · Jul 30, 2021

mood said: ↑

WordPress File Management Plugin Riddled with Critical Bugs July 12, 2021

NinTechNet: WordPress Frontend File Manager plugin fixed multiple critical vulnerabilities
Click to expand...

Remote Code Execution Flaws Patched in WordPress Download Manager Plugin
July 30, 2021
https://www.securityweek.com/remote-code-execution-flaws-patched-wordpress-download-manager-plugin

A vulnerability patched recently in the WordPress Download Manager plugin could be abused to execute arbitrary code under specific configurations, the Wordfence team at WordPress security company Defiant warns.

Tracked as CVE-2021-34639 and having a CVSS score of 7.5, the bug is an authenticated file upload issue that could have allowed attackers to upload files with php4 extensions, as well as files that could be executed if certain conditions were met.
Click to expand...

Tracked as CVE-2021-34638 (CVSS score of 6.5), the issue is a directory traversal that could allow a low privileged user “to retrieve the contents of a site’s wp-config.php file by adding a new download and performing a directory traversal attack using the file[page_template] parameter,” Wordfence says.
By including the path of the uploaded file in the file[page_template] parameter, the user would ensure that the JavaScript could be executed whenever the page was viewed or previewed. This would lead to stored cross-site scripting, allowing the attacker to take over a site by executing code in the administrator’s browser session.
Click to expand...

Wordfence: Multiple Vulnerabilities Patched in WordPress Download Manager

In today’s article, we covered two vulnerabilities in WordPress Download Manager, including a medium-severity vulnerability that could be used to take over a site in multiple ways, as well as a high-severity vulnerability that would be much more difficult to exploit. These vulnerabilities are an excellent example of why analysts look at the mechanism of each vulnerability in order to judge potential impact, as the CVSS score rarely tells the whole story.
Click to expand...

guest · Aug 16, 2021

XSS Bug in SEOPress WordPress Plugin Allows Site Takeover
August 16, 2021
https://threatpost.com/xss-bug-seopress-wordpress-plugin/168702/

A stored cross-site scripting (XSS) vulnerability in the SEOPress WordPress plugin could allow attackers to inject arbitrary web scripts into websites, researchers said.

SEOPress is a search engine optimization (SEO) tool that lets site owners manage SEO metadata, social-media cards, Google Ad settings and more. It’s installed on more than 100,000 sites.

“One feature the plugin implements is the ability to add a SEO title and description to posts, and this can be done while saving edits to a post or via a newly introduced REST-API endpoint,” researchers at Wordfence said in a Monday blog post. “Unfortunately, this REST-API endpoint was insecurely implemented.”
The bug (CVE-2021-34641) allows any authenticated user, like a subscriber, to call the REST route with a valid nonce, and to update the SEO title and description for any post.
Click to expand...

Wordfence: XSS Vulnerability Patched in SEOPress Affects 100,000 sites

On July 29, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in SEOPress, a WordPress plugin installed on over 100,000 sites. This flaw made it possible for an attacker to inject arbitrary web scripts on a vulnerable site which would execute anytime a user accessed the “All Posts” page.

We initially reached out to the plugin developer on July 29, 2021. After receiving confirmation of an appropriate communication channel the next day on July 30, 2021, we provided the full disclosure details. The vendor quickly acknowledged the report and a patch was released on August 4, 2021 in version 5.0.4.
Click to expand...

guest · Oct 14, 2021

Brizy WordPress Plugin Exploit Chains Allow Full Site Takeovers
October 13, 2021
https://threatpost.com/brizy-wordpress-plugin-exploit-site-takeovers/175463/

Vulnerabilities in the Brizy Page Builder plugin for WordPress sites could be chained together to allow attackers to completely take over a website, according to researchers.

Brizy (or Brizy – Page Builder) has been installed on more than 90,000 sites. It’s billed as an intuitive website builder for those without technical skills. It comes with a collection of more than 500 pre-designed blocks, maps and video integration and drag-and-drop design functionality. According to researchers, it also came with a stored cross-site scripting (XSS) issue and an arbitrary file-upload vulnerability prior to version 2.3.17.
Click to expand...

These two bugs, when combined with another flaw that allows authorization bypass and privilege escalation, can become dangerous, Wordfence researchers cautioned.

“During a routine review of our firewall rules, we found traffic indicating that a vulnerability might be present in the Brizy – Page Builder plugin, though it did not appear to be under active attack,” researchers at Wordfence explained in a Wednesday posting. “This led us to discover two new vulnerabilities as well as a previously patched access-control vulnerability in the plugin that had been reintroduced.”
The two fresh bugs can both be chained with the re-introduced access control vulnerability to allow complete site takeover, researchers explained.
Click to expand...

Wordfence: Multiple Vulnerabilities in Brizy Page Builder Plugin Allow Site Takeover

On August 19, 2021, the Wordfence Threat Intelligence team initiated the Responsible Disclosure process for Brizy – Page Builder, a WordPress plugin installed on over 90,000 sites.

During a routine review of our firewall rules, we found traffic indicating that a vulnerability might be present in the Brizy – Page Builder plugin, though it did not appear to be under active attack. This led us to discover two new vulnerabilities as well as a previously patched access control vulnerability in the plugin that had been reintroduced.
Click to expand...

guest · Oct 17, 2021

Injection vulnerabilities in popular WordPress plugin could expose credentials, allow admin access
Fastest Cache is used by more than one million websites
October 15, 2021
https://portswigger.net/daily-swig/...n-could-expose-credentials-allow-admin-access

Vulnerabilities in a popular WordPress plugin Fastest Cache could allow an attacker to gain access to credentials and takeover an admin account.

The security flaws in the extension, which has more than one million active downloads, were discovered during an internal audit of the software by Jetpack Security.
The first flaw, an SQL injection vulnerability which has a CVSS score of 7.7, could grant attackers access to privileged information from an affected site’s database, for example usernames and hashed passwords.
Click to expand...

Researchers also found a cross-site scripting (XSS) bug via a cross-site request forgery (CSRF) flaw that has a CVSS score of 9.6. Exploitation of this vulnerability would allow an attacker to perform the same actions as their victim, potentially an admin user, had privileges to enact.

In a blog post, the researchers from Jetpack provided more technical detail on how they were able to demonstrate the attacks. They credited researcher Marc Montpas with the original finding.
Fastest Cache users are urged to update to the latest version 0.9.5 to protect against these various vulnerabilities.
Click to expand...

guest · Oct 26, 2021

Brutal WordPress plugin bug allows subscribers to wipe sites
October 26, 2021
https://www.bleepingcomputer.com/ne...-plugin-bug-allows-subscribers-to-wipe-sites/

A high severity security flaw found in a WordPress plugin with more than 8,000 active installs can let authenticated attackers reset and wipe vulnerable websites.

The plugin in question, known as Hashthemes Demo Importer, is designed to help admins import demos for WordPress themes with a single, without dealing with installing any dependencies.
The security bug would allow authenticated attackers to reset WordPress sites and delete almost all database content and uploaded media.
Click to expand...

Wordfence QA engineer and threat analyst Ram Gall explained that the plugin failed to properly perform nonce checks, leaking the AJAX nonce on vulnerable sites' admin dashboard for all users, "including low-privileged users such as subscribers."

"While most vulnerabilities can have destructive effects, it would be impossible to recover a site where this vulnerability was exploited unless it had been backed up," Gall added.
While Wordfence reported the vulnerability the bug to the plugin's development team on August 25, 2021, the developers did not reply to the disclosure messages for almost a month.

However, Hashthemes Demo Importer's developer did not mention the 1.1.2 release or the update on the plugin's changelog page despite releasing a security update.
Click to expand...

Wordfence: Site Deletion Vulnerability in Hashthemes Plugin

In today’s post, we discussed a vulnerability in HashThemes Demo Importer that allowed any logged-in user to completely and permanently destroy all of the content on a website.
We’ve discussed the importance of backups in the past, and this vulnerability serves as an important reminder of how critical backups are to your site’s security.
Click to expand...

guest · Nov 10, 2021

Ironic twist: WP Reset PRO bug lets hackers wipe WordPress sites
November 10, 2021
https://www.bleepingcomputer.com/ne...et-pro-bug-lets-hackers-wipe-wordpress-sites/

A high severity security flaw in the WP Reset PRO WordPress plugin can let authenticated attackers wipe vulnerable websites, as revealed by Patchstack security researchers.

It impacts only premium versions of the WP Reset plugin, up to and including the 5.98 release. This plugin is designed to help admins reset their entire site or selected parts to speed up debugging and testing, as well as restore from built-in snapshots with a single mouse click.
WP Reset's free and open-source version is listed in the WordPress plugin repository as having over 300,000 active installations. The developer claims on the official website that the number of users has surpassed 400,000.
Click to expand...

Patchstack CTO Dave Jong explained that the authenticated database reset vulnerability (tracked as CVE-2021-36909) is caused by a lack of authorization and nonce token check and can be exploited by any authenticated user, including low-privileged users such as subscribers.

"It would wipe the site and would make it obvious that something happened, which is why it may not be exploited if a hacker has the intention to hide a backdoor or inject advertisements into the site," Jong told BleepingComputer.
Click to expand...

Patchstack CEO Oliver Sild told BleepingComputer that the bug is "quite critical especially to e-commerce and other sites that have any registration open."

While, at first sight, this bug seems to be useful only for destructive purposes, Sild told BleepingComputer that it could also be exploited to gain access to other sites on the same server.
Click to expand...

guest · Nov 16, 2021

Hundreds of WordPress sites defaced in fake ransomware attacks
November 16, 2021
https://therecord.media/hundreds-of-wordpress-sites-defaced-in-fake-ransomware-attacks/

Hundreds of WordPress sites have been defaced over the weekend with a message claiming that the site’s data was encrypted in what security firm Sucuri has described as “fake ransomware.”

In a copy of the message—included above—the attackers request 0.1 bitcoins (~$6,100) to unlock the affected websites.
So far, the campaign has hit at least 300 sites, according to a Google search result for the text included in the ransom note.
Click to expand...

Examinations carried out by The Record on sites that are still showing the message also found no signs of any form of encryption or error that would prevent users from using the rest of the website. Sucuri said the ransom message had been generated by exploiting a vulnerability in a WordPress plugin named Directorist that was already installed on the affected sites.

Based on the current evidence, the attack appears to be a form of “scareware” meant to frighten non-technical website owners into paying the ransom demand, but one that has failed thus far.
Click to expand...

Sucuri: Fake Ransomware Infection Spooks Website Owners

Sure enough, the ransom warning was completely bogus. Nothing was encrypted at all! It was a simple HTML page generated by this bogus plugin and nothing more. Let’s take a look at this code and see what exactly it was doing.
Click to expand...

guest · Nov 17, 2021

Server-side vulnerabilities in Concrete CMS put thousands of websites under threat
November 16, 2021
https://portswigger.net/daily-swig/...te-cms-put-thousands-of-websites-under-threat

Multiple security vulnerabilities in a popular open source content management system (CMS) could allow a malicious attacker to gain full control of the underlying web server.

The issues were discovered in Concrete CMS by researchers from Fortbridge, who detailed how two race condition vulnerabilities combined with the insecure use of the uniqid() function could allow an attacker with low privileges to achieve remote code execution (RCE).
Click to expand...

Adrian Tiron from Fortbridge told The Daily Swig that the uniqid() function was not cryptographically secure. Instead, it returned a pseudo-random number, “allowing us to guess the name of a pseudo-random directory and then upload a web shell on the server”.

As of this year, there are more than 62,000 live website that are built with Concrete CMS, the researchers said.
Click to expand...

Patch now
Speaking to The Daily Swig, Tiron advised Concrete CMS users to upgrade to versions 8.5.7 and 9.0.1, which are already available.

He added: “The disclosure process was very smooth, and we didn’t encounter any issues, the Concrete CMS team was very friendly and cooperative.”
Click to expand...

Log in or Sign up

WordPress plugin flaw lets you take over entire sites

guest Guest

SAustn2 Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Log in or Sign up

WordPress plugin flaw lets you take over entire sites

guest Guest

SAustn2 Registered Member

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

guest Guest

Useful Searches