Category: Wordpress

WordPress Core 6.0.2 Security & Maintenance Release – What You Need to Know

On August 30, 2022, the WordPress core team released WordPress version 6.0.2, which contains patches for 3 vulnerabilities, including a High Severity SQLi vulnerability in the Links functionality as well as two Medium Severity Cross-Site Scripting vulnerabilities.

These patches have been backported to every version of WordPress since 3.7. WordPress has supported automatic core updates for security releases since WordPress 3.7, and the vast majority of WordPress sites should receive a patch for their major version of WordPress automatically over the next 24 hours. We recommend verifying that your site has been automatically updated to one of the patched versions. Patched versions are available for every major version of WordPress since 3.7, so you can update without risking compatibility issues. If your site has not been updated automatically we recommend updating manually.

Vulnerability Analysis

As with every WordPress core release containing security fixes, the Wordfence Threat Intelligence team analyzed the code changes in detail to evaluate the impact of these vulnerabilities on our customers, and to ensure our customers remain protected.

We have determined that these vulnerabilities are unlikely to be targeted for exploitation due to the special cases needed to exploit. In most circumstances these vulnerabilities require either elevated privileges, such as those of an administrator, or the presence of a separate vulnerable or malicious plugin. Nonetheless, the Wordfence firewall should protect against any exploits that do not require administrative privileges. In nearly all cases administrators already have the maximum level of access and attackers with that level of access are unlikely to use convoluted and difficult exploits when simpler paths to making configuration changes or obtaining sensitive information are readily available.

Description: SQL Injection via Links LIMIT clause
Affected Versions: WordPress Core < 6.0.2
Researcher: FVD
CVE ID: Pending
CVSS Score: 8.0 (High)
CVSS Vector:CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Fully Patched Version: 6.0.2

The WordPress Link functionality, previously known as “Bookmarks”, is no longer enabled by default on new WordPress installations. Older sites may still have the functionality enabled, which means that millions of legacy sites are potentially vulnerable, even if they are running newer versions of WordPress. Fortunately, we found that the vulnerability requires administrative privileges and is difficult to exploit in a default configuration. It is possible that 3rd party plugins or themes might allow this vulnerability to be used by editor-level users or below, and in these cases the Wordfence firewall will block any such exploit attempts.

Vulnerable versions of WordPress failed to successfully sanitize the limit argument of the link retrieval query in the get_bookmarks function, used to ensure that only a certain number of links were returned. In a default configuration, only the Links legacy widget calls the get_bookmarks function in a way that allows this argument to be set by a user. Legacy widgets involve additional safeguards, and the injection point of the query itself poses additional difficulties, making this vulnerability nontrivial to exploit.

Description: Contributor+ Stored Cross-Site Scripting via use of the_meta function
Affected Versions: WordPress Core < 6.0.2
Researcher: John Blackbourn
CVE ID: Pending
CVSS Score: 4.9 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:C/C:L/I:L/A:N
Fully Patched Version: 6.0.2

WordPress content creators, such as Contributors, Editors, Authors, and Administrators, have the ability to add custom fields to any page and post created. The purpose of this is to make it possible for site content creators to add and associate additional data to posts and pages.

WordPress has several functions available to site owners to display custom fields created and associated with posts and pages. One of these functions is the the_meta function which retrieves the supplied post’s or page’s custom field data, which is stored as post meta data, through the get_post_custom_keys and get_post_custom_values functions. Once the custom fields for a post/page are retrieved, the function outputs the post meta keys and values data as a list. Unfortunately, in versions older than 6.0.2 this data was unescaped on output making it possible for any injected scripts in post meta keys and values to be executed.

Due to the fact that any user with access to the post editor can add custom meta fields, users with access to the editor such as contributors could inject malicious JavaScript that executes on any page or post where this function is called.

WordPress core does not call the_meta anywhere in its codebase by default. As such this vulnerability does require a plugin or theme that calls the the_meta function, or for this function to have been programmatically added to a PHP file for execution, so the vast majority of site owners are not vulnerable to this issue. The the_meta function is considered deprecated as of 6.0.2 and get_post_meta is the recommended alternative.

The Wordfence Threat Intelligence Team deployed a firewall rule to help protect Wordfence PremiumCare & Response customers today. Wordfence Free users will receive the same protection in 30 days on September 29, 2022.

Description: Stored Cross-Site Scripting via Plugin Deactivation and Deletion errors
Affected Versions: WordPress Core < 6.0.2
Researcher: ​​Khalilov Moe
CVE ID: Pending
CVSS Score: 4.7 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:L/I:L/A:N
Fully Patched Version: 6.0.2

The final vulnerability involves the error messages displayed when a plugin has been deactivated due to an error, or when a plugin can not be deleted due to an error. As these error messages were not escaped, any JavaScript present in these error messages would execute in the browser session of an administrator visiting the plugins page. This vulnerability would require a separate malicious or vulnerable plugin or other code to be installed on the site, which would typically require an administrator to install it themselves. In almost all cases where this vulnerability might be exploitable an attacker would already have a firm foothold on the vulnerable site.

Our built-in XSS rule should block any attempts to generate crafted error messages based on user input to a vulnerable plugin, and the Wordfence scanner will detect any malicious plugins uploaded by an administrator.

Conclusion

In today’s article, we covered three vulnerabilities patched in the WordPress 6.0.2 Security and Maintenance Release. Most actively used WordPress sites should be patched via automatic updates within the next 24 hours, and any sites that remain vulnerable would only be exploitable under very specific circumstances.

We have released a firewall rule to Wordfence PremiumCare, and Response users to protect against any exploits targeting the the_meta function and this rule should become available to Wordfence free users after 30 days, on on September 29, 2022.

As always, we strongly recommend updating your site to a patched version of WordPress if it hasn’t been updated automatically. As long as you are running a version of WordPress greater than 3.7, an update is available to patch these vulnerabilities while keeping you on the same major version, so you will not need to worry about compatibility issues.

Props to Khalilov Moe, John Blackbourn, & FVD for discovering and responsibly disclosing these vulnerabilities. Special thanks to Wordfence Threat Intelligence Lead Chloe Chamberland for collaborating on this post.

Source :
https://www.wordfence.com/blog/2022/08/wordpress-core-6-0-2-security-maintenance-release-what-you-need-to-know/

Password Security and the Internet of Things (IoT)

The Internet of Things (IoT) is here, and we’re using it for everything from getting instant answers to random trivia questions to screening visitors at the door. According to Gartner, we were expected to use more than 25 billion internet-connected devices by the end of 2021. But as our digital lives have become more convenient, we might not yet have considered the risks involved with using IoT devices.

How can you keep yourself secure in today’s IoT world, where hackers aim to outsmart your smart home? First we’ll look at how hackers infiltrate the IoT, and then we’ll look at what you can do right now to make sure the IoT is working for you – not against you.

How hackers are infiltrating the Internet of Things

While we’ve become comfortable asking voice assistants to give us the weather forecast while we prep our dinners, hackers have been figuring out how to commandeer our IoT devices for cyber attacks. Here are just a few examples of how cyber criminals are already infiltrating the IoT.

Gaining access to and control of your camera

Have you ever seen someone with a sticker covering the camera on their laptop or smartphone? There’s a reason for that. Hackers have been known to gain access to these cameras and spy on people. This has become an even more serious problem in recent years, as people have been relying on videoconferencing to safely connect with friends and family, participate in virtual learning, and attend telehealth appointments during the pandemic. Cameras now often come with an indicator light that lets you know whether they’re being used. It’s a helpful protective measure, but not a failsafe one.

Using voice assistants to obtain sensitive information

According to Statista, 132 million Americans used a digital voice assistant once a month in 2021. Like any IoT gadget, however, they can be vulnerable to attack. According to Ars Technica, academic researchers have discovered that the Amazon Echo can be forced to take commands from itself, which opens the door to major mischief in a smart home. Once an attacker has compromised an Echo, they can use it to unlock doors, make phone calls and unauthorized purchases, and control any smart home appliances that the Echo manages.

Many bad actors prefer the quiet approach, however, slipping in undetected and stealing information. They can piggyback on a voice assistant’s privileged access to a victim’s online accounts or other IoT gadgets and make off with any sensitive information they desire. With the victim being none the wiser, the attackers can use that information to commit identity fraud or stage even more ambitious cyber crimes.

Hacking your network and launching a ransomware attack

Any device that is connected to the internet, whether it’s a smart security system or even a smart fridge, can be used in a cyber attack. Bad actors know that most people aren’t keeping their IoT gadgets’ software up to date in the same way they do their computers and smartphones, so they take advantage of that false sense of security. Once cyber criminals have gained access to an IoT device, they can go after other devices on the same network. (This is because most home networks are designed to trust devices that are already connected to them.) When these malicious actors are ready, they can launch a ransomware attack that brings your entire digital life to a halt – unless you agree to fork over a hefty sum in bitcoin, that is.

Using bots to launch a DDOS attack

Although most people never notice it, hackers can and do infect IoT devices with malware en masse, gaining control over them in the process. Having turned these zombie IoT devices into bots, the hackers then collectively use them to stage what’s called a botnet attack on their target of choice. This form of assault is especially popular for launching distributed denial of service (DDOS) attacks, in which all the bots in a botnet collectively flood a target with network requests until it buckles and goes offline.

How you can keep your Internet of Things gadgets safe from hackers

So how can you protect your IoT devices from these determined hackers? Fortunately, you can take back control by becoming just a little more cyber smart. Here are a few ways to keep your IoT gadgets safe from hackers:

  • Never use the default settings on your IoT devices. Although IoT devices are designed to be plug-and-play so you can start enjoying them right away, their default settings are often not nearly as secure as they should be. With that in mind, set up a unique username and strong password combination before you start using any new IoT technology. While you’re at it, see if there’s an option to encrypt the traffic to and from your IoT device. If there is, turn it on.
  • Keep your IoT software up to date. Chances are, you regularly install the latest software updates on your computer and phone. Hackers are counting on you to leave your IoT gadgets unpatched, running outdated software with vulnerabilities they can exploit, so be sure to keep the software on your IoT devices up to date as well.
  • Practice good password hygiene. We all slip into bad password habits from time to time – it’s only human – but they put our IoT security at risk. With this in mind, avoid re-using passwords and be sure to set unique, strong passwords on each of your IoT devices. Update those passwords from time to time, too. Don’t store your passwords in a browser, and don’t share them via email. A password manager can help you securely store and share your passwords, so hackers never have a chance to snatch them.
  • Use secure, password-protected WiFi. Cyber criminals are notorious for sneaking onto open, insecure WiFi networks. Once they’re connected, they can spy on any internet activity that happens over those networks, steal login credentials, and launch cyber attacks if they feel like it. For this reason, make sure that you and your IoT devices only use secure, password-protected WiFi.
  • Use multi-factor authentication as an extra layer of protection. Multi-factor authentication (MFA), gives you extra security on top of all the other measures we mentioned above. It asks you to provide one more credential, or factor, in addition to a password to confirm you are who you say you are. If you have MFA enabled and a hacker tries to log in as you, you’ll get a notification that a login attempt is in progress. Whenever you have the option to enable MFA on any account or technology, take advantage of it.

Protect your Internet of Things devices with smart password security

The IoT is making our lives incredibly convenient, but that convenience can be a little too seductive at times. It’s easy to forget that smart home devices, harmless-looking and helpful as they are, can be targeted in cyber attacks just like our computers and phones. Hackers are counting on you to leave your IoT gadgets unprotected so they can use them to launch damaging attacks. By following these smart IoT security tips, you can have the best of both worlds, enjoying your smart life and better peace of mind at the same time.

Learn how LastPass Premium helps you strengthen your password security.

Source :
https://blog.lastpass.com/2022/08/password-security-and-the-iot/

Staying Safe With QR Codes

QR codes link the offline to the online. What started as a way to streamline manufacturing in the automotive industry is now a widespread technology helping connect the physical world to digital content. And as the world embraced remote, no-touch solutions during the Covid pandemic, QR codes became especially popular. QR codes offer convenience and immediacy for businesses and consumers, but cybercriminals also take advantage of them. Here’s what you need to know about QR codes and how to stay safe when using them. 

Why QR codes? 

Due to their size and structure, the two-dimensional black and white barcodes we call QR codes are very versatile. And since most people carry a smartphone everywhere, they can quickly scan QR codes with their phone’s camera. Moreover, since QR codes are relatively easy to program and accessible for most smartphone users, they can be an effective communication tool. 

They also have many uses. For example, QR codes may link to a webpage, start an app or file download, share contact information, initiate a payment, and more. Covid forced businesses to be creative with touchless experiences, and QR codes provide a convenient way to transform a physical touchpoint into a digital interaction. During Covid, QR codes became a popular way to look at restaurant menus, communicate Covid policies, check in for an appointment, and view marketing promotions, among other scenarios.  

As a communication tool, QR codes can transmit a lot of information from one person to another, making it easy for someone to take action online and interact further with digital content.  

What hackers do with QR codes 

QR codes are inherently secure, and no personally identifiable information (PII) is transmitted while you’re scanning them. However, the tricky part about QR codes is that you don’t know what information they contain until you scan them. So just looking at the QR code won’t tell you if it’s entirely trustworthy or not. 

For example, cybercriminals may try to replace or sticker over a QR code in a high-traffic, public place. Doing so can trick people into scanning a malicious QR code. Or, hackers might send malicious QR codes digitally by email, text, or social media. The QR code scam might target a specific individual, or cybercriminals may design it to attract as many scans as possible from a large number of people. 

Once scanned, a malicious QR code may take you to a phishing website, lead you to install malware on your device, redirect a payment to the wrong account, or otherwise compromise the security of your private information.  

In the same way that cybercriminals try to get victims to click phishing links in email or social media, they lure people into scanning a QR code. These bad actors may be after account credentials, financial information, PII, or even company information. With that information, they can steal your identity or money or even break into your employer’s network for more valuable information (in other words, causing a data breach). 

QR code best practices for better security 

For the most part, QR code best practices mirror the typical security precautions you should take on social media and elsewhere in your digital life. However, there are also a few special precautions to keep in mind regarding QR codes. 

Pay attention to context. Where is the code available? What does the code claim to do (e.g., will it send you to a landing page)? Is there someone you can ask to confirm the purpose of the QR code? Did someone send it unprompted? Is it from a business or individual you’ve never heard of? Just like with phishing links, throw it out when in doubt. 

Look closely at the code. Some codes may have specific colors or branding to indicate the code’s purpose and destination. Many codes are generic black and white designs, but sometimes there are clues about who made the code. 

Check the link before you click. If you scan the QR code and a link appears, double-check it before clicking. Is it a website URL you were expecting? Is it a shortened link that masks the full URL? Is the webpage secure (HTTPS)? Do you see signs of a phishing attack (branding is slightly off, strange URL, misspelled words, etc.)? If it autogenerates an email or text message, who is the recipient and what information is it sending them? If it’s a payment form, who is receiving the payment? Read carefully before taking action. 

Practice password security. Passwords and account logins remain one of the top targets of cyber attacks. Stolen credentials give cybercriminals access to valuable personal and financial information. Generate every password for every account with a random password generator, ideally built into a password manager for secure storage and autofill. Following password best practices ensures one stolen password results in minimal damage. 

Layer with MFA. Adding multi-factor authentication to logins further protects against phishing attacks that steal passwords. With MFA in place, a hacker still can’t access an account after using a stolen password. By requiring additional login data, MFA can prevent cybercriminals from gaining access to personal or business accounts. 

QR codes remain a popular marketing and communication tool. They’re convenient and accessible, so you can expect to encounter them occasionally. Though cyber attacks via QR codes are less common, you should still stay vigilant for signs of phishing and social engineering via QR codes. To prevent and mitigate attacks via QR codes, start by building a solid foundation of digital security with a trusted password manager

Source :
https://blog.lastpass.com/2022/08/staying-safe-with-qr-codes/

Fake DDoS Pages On WordPress Sites Lead to Drive-By-Downloads

It’s not uncommon for users to experience “DDoS Protection” pages when casually browsing the web. These DDoS protection pages are typically associated with browser checks performed by WAF/CDN services which verify if the site visitor is, in fact, a human or is part of a Distributed Denial of Service (DDoS) attack or other unwanted bot.

Under normal circumstances, DDoS pages usually don’t affect users much — they simply perform a check or request a skill testing question in order to proceed to the desired webpage. However, a recent surge in JavaScript injections targeting WordPress sites has resulted in fake DDoS prevent prompts which lead victims to download remote access trojan malware.

Bots prompt usage of DDoS protection

The web is absolutely rife with bots and crawlers. There are varying estimates of how much total web traffic are bots but most put it at anywhere between 25-45% of all traffic!

Bots themselves are automated queries to websites done by computer programs. Some bots are good and actually essential for the functioning of the web as we know it today. These include crawlers such as GoogleBot, BingBot, and Baidu Spider which scan and index content from webpages so that they can be discovered during search.

Bad bots, on the other hand, make up an even greater portion of web traffic. These include DDoS traffic, scrapers gobbling up emails addresses to send spam, bots attempting to find vulnerable websites to compromise, content stealers, and more.

Furthermore, bots eat up bandwidth on websites, causing increased hosting costs and disruption of meaningful website visitor statistics. The gradual increase of bad bot traffic has prompted many websites to deter or otherwise block them entirely, resulting in the nearly ubiquitous usage of DDoS prevention services and CAPTCHAs on websites.

CAPTCHA for human verification
CAPTCHA for human verification

Although a nuisance, these browser verification checks are essential to deterring unwanted and malicious traffic from legitimate websites.

Sucuri Firewall Block Page

Fake DDoS protection prompts used to serve RATs

Unfortunately, attackers have begun leveraging these familiar security assets in their own malware campaigns. We recently discovered a malicious JavaScript injection affecting WordPress websites which results in a fake CloudFlare DDoS protection popup.

Fake DDoS protection prompt
Fake DDoS protection prompt

Since these types of browser checks are so common on the web many users wouldn’t think twice before clicking this prompt to access the website they’re trying to visit. However, the prompt actually downloads a malicious .iso file onto the victim’s computer.

Malicious .iso downloaded from fake DDoS prompt
Malicious .iso downloaded from fake DDoS prompt

This is followed by a new message coaxing the user into opening the file in order to obtain a verification code to access the website:

Verification code request
Verification code request
The .iso file does in fact contain a verification code so as to not disrupt the ruse
The .iso file does in fact contain a verification code so as to not disrupt the ruse

What most users do not realise is that this file is in fact a remote access trojan, currently flagged by 13 security vendors at the time of writing this article.

The VirusTotal report for this malicious file
The VirusTotal report for this malicious file

We reached out to our good friend Jerome Segura at MalwareBytes to see what happens to unfortunate victims’ Windows computers when they install this malware onto their endpoint devices:

“This is NetSupport RAT. It has been linked to FakeUpdates/SocGholish and typically used to check victims before ransomware rollout. The ISO file contains a shortcut disguised as an executable that runs powershell from another text file.

It also installs RaccoonStealer and drops the following payloads:

https://www.virustotal.com/gui/file/4d24b359176389301c14a92607b5c26b8490c41e7e3a2abbc87510d1376f4a87/detection

https://www.virustotal.com/gui/file/299472f1d7e227f31ef573758452e9a57da2e3f30f3160c340b09451b032f8f3?nocache=1

After that, just about anything can happen depending on the victim.”

– Jerome Segura

Screenshot courtesy of Jerome Segura
Screenshot courtesy of Jerome Segura

The infected computer could be used to pilfer social media or banking credentials, detonate ransomware, or even entrap the victim into a nefarious “slave” network, extort the computer owner, and violate their privacy — all depending on what the attackers decide to do with the compromised device.

A look at the malware itself

When malicious actors aim to infect endpoint devices they need a distribution network. Quite often this takes form in malicious or phishing emails sent to potential victim’s inboxes. In this case, however, the remote access trojans are distributed through hacked WordPress websites.

So, how does this WordPress malware actually work and what does it look like?

Most prominently we see three short lines of malicious code affecting the following file: ./wp-includes/js/jquery/jquery.min.js

Malware found in jquery.min.js
Malicious code found in jquery.min.js

We have also seen instances of this very same malware injected into the active theme file of the victim’s WordPress website. In any event, the files it is appended onto will load once the site is opened up in the browser, prompting the download of the malicious remote access trojan.

Located at adogeevent[.]com is a heavily obfuscated JavaScript sample containing the payload:

Payload in heavily obfuscated JavaScript


This JavaScript then communicates with a second malicious domain which loads more JavaScript that initiates the download prompt for the malicious .iso file: hxxps://confirmation-process[.]at/fortest/parsez[.]php?base=www.REDACTED.com&full=https://www.REDACTED.com/?v11

Malicious .iso file


We can see the reference to the security_install.iso file here (hosted at a free Austrian file sharing service free[.]files[.]cnow[.]at), as well as a second malicious .msi file which also contains malware — although, in this case, it is commented out:

Second malicious .msi file

How to protect your site from infection

This case is a great example of both the importance of website security — and the importance of remaining vigilant when browsing the web. It’s not just SEO rankings or website reputations that are on the line, but the very security and privacy of everyone who visits your website. Malicious actors will take whatever avenues are available to them to compromise computers and push their malware onto unsuspecting victims.

Remote Access Trojans (RATs) are regarded as one of the worst types of infections that can affect a computer as it gives the attackers full control over the device. At that point, the victim is at their mercy. Website owners and visitors alike must take any and all precautions to protect themselves.

Here are a number of key steps you can take to mitigate risk from this infection.

Website owners:

  • Keep all software on your website up to date
  • Use strong passwords
  • Use 2FA on your administrative panel
  • Place your website behind a firewall service
  • Employ file integrity monitoring

Regular website visitors:

  • Make sure your computer is running a robust antivirus program
  • Place 2FA on all important logins (such as your bank, social media)
  • Practice good browsing habits; don’t open strange files!
  • Keep your browser and all software on your computer updated/patched
  • Use a script blocker in your browser (advanced)

If you think that your website has been infected by this malware or you want to protect your website against infection, we’re always happy to help.

Source :
https://blog.sucuri.net/2022/08/fake-ddos-pages-on-wordpress-lead-to-drive-by-downloads.html

High Severity Vulnerability Patched in Download Manager Plugin

On July 8, 2022 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Download Manager,” a WordPress plugin that is installed on over 100,000 sites. This flaw makes it possible for an authenticated attacker to delete arbitrary files hosted on the server, provided they have access to create downloads. If an attacker deletes the wp-config.php file they can gain administrative privileges, including the ability to execute code, by re-running the WordPress install process.

Wordfence PremiumWordfence Care, and Wordfence Response received a firewall rule on July 8, 2022 to provide protection against any attackers that try to exploit this vulnerability. Wordfence Free users will receive this same protection 30 days later on August 7, 2022.

We attempted to reach out to the developer on July 8, 2022, the same day we discovered the vulnerability. We never received a response so we sent the full details to the WordPress.org plugins team on July 26, 2022. The plugin was fully patched the next day on July 27, 2022.

We strongly recommend ensuring that your site has been updated to the latest patched version of “Download Manager”, which is version 3.2.53 at the time of this publication.

Description: Authenticated (Contributor+) Arbitrary File Deletion
Affected Plugin: Download Manager
Plugin Slug: download-manager
Plugin Developer: W3 Eden, Inc.
Affected Versions: <= 3.2.50
CVE ID: CVE-2022-2431
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: 3.2.51

Download Manager is a popular WordPress plugin designed to allow site content creators to share downloadable files that are stored as posts. These downloads can be displayed on the front-end of the WordPress site for users to download. Unfortunately, vulnerable versions of the plugin contain a bypass in how the downloadable file is stored and subsequently deleted upon post deletion that make it possible for attackers to delete arbitrary files on the server.

More specifically, vulnerable versions of the plugin register the deleteFiles() function that is called via the before_delete_post hook. This hook is triggered right before a post has been deleted and its intended functionality in this case is to delete any files that may have been uploaded and associated with a “download” post.

At first glance this looks like a relatively safe functionality assuming the originally supplied file path is validated. Unfortunately, however, that is not the case as the path to the file saved with the “download” post is not validated to ensure it was a safe file type or in a location associated with a “download” post. This means that a path to an arbitrary file with any extension can be supplied via the file[files][] parameter when saving a post and that would be the file associated with the “download” post. On many configurations an attacker could supply a path such as /var/www/html/wp-config.php that would associate the site’s WordPress configuration file with the download post.

32add_action('before_delete_post', array($this, 'deleteFiles'), 10, 2);
979899100101102103104functiondeleteFiles($post_id, $post){    $files= WPDM()->package->getFiles($post_id, false);    foreach($filesas$file) {        $file= WPDM()->fileSystem->locateFile($file);        @unlink($file);    }}

When the user goes to permanently delete the “download” post the deleteFiles() function will be triggered by the before_delete_post hook and the supplied file will be deleted, if it exists.

This can be used by attackers to delete critical files hosted on the server. The wp-config.php file in particular is a popular target for attackers as deletion of this file would disconnect the existing database from the compromised site and allow the attacker to re-complete the initial installation process and connect their own database to the site. Once a database is connected, they would have access to the server and could upload arbitrary files to further infect the system.

Demonstrating site reset upon download post deletion.

This vulnerability requires contributor-level access and above to exploit, so it serves as an important reminder to make sure you don’t provide contributor-level and above access to untrusted users. It’s also important to validate that all users have strong passwords to ensure your site won’t subsequently be compromised as a result of a vulnerability like this due to an unauthorized actor gaining access via a weak or compromised password.

Timeline

  • July 8, 2022 – Discovery of the Arbitrary File Deletion Vulnerability in the “Download Manager” plugin. A firewall rule is released to Wordfence PremiumWordfence Care, and Wordfence Response users. We attempt to initiate contact with the developer.
  • July 26, 2022 – After no response from the developer, we send the full disclosure details to the WordPress plugins team. They acknowledge the report and make contact with the developer.
  • July 27, 2022. – A fully patched version of the plugin is released as version 3.2.51.
  • August 7, 2022 – Wordfence free users receive the firewall rule.

Conclusion

In today’s post, we detailed a flaw in the “Download Manager” plugin that makes it possible for authenticated attackers to delete arbitrary files hosted on an affected server, which could lead to remote code execution and ultimately complete site compromise. This flaw has been fully patched in version 3.2.51.

We recommend that WordPress site owners immediately verify that their site has been updated to the latest patched version available, which is version 3.2.53 at the time of this publication.

Wordfence PremiumWordfence Care, and Wordfence Response received a firewall rule on July 8, 2022 to provide protection against any attackers trying to exploit this vulnerability. Wordfence Free users will receive this same protection 30 days later on August 7, 2022.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

Source :
https://www.wordfence.com/blog/2022/08/high-severity-vulnerability-patched-in-download-manager-plugin/

PayPal phishing kit added to hacked WordPress sites for full ID theft

A newly discovered phishing kit targeting PayPal users is trying to steal a large set of personal information from victims that includes government identification documents and photos.

Over 400 million individuals and companies are using PayPal as an online payment solution.

The kit is hosted on legitimate WordPress websites that have been hacked, which allows it to evade detection to a certain degree.

Breaching websites with weak login

Researchers at internet technology company Akamai found the phishing kit after the threat actor planted it on their WordPress honeypot.

The threat actor targets poorly secured websites and brute-forces their log in using a list of common credential pairs found online. They use this access to install a file management plugin that allows uploading the phishing kit to the breached site.

Installing the malicious plugin
Installing the file management plugin (Akamai)

Akamai discovered that one method the phishing kit uses to avoid detection is to cross-reference IP addresses to domains belonging to a specific set of companies, including some orgs in the cybersecurity industry.

Performing a site check
Performing a site check (Akamai)

Legit-looking page

The researchers noticed that the author of the phishing kit made an effort to make the fraudulent page look professional and mimic the original PayPal site as much as possible.

One aspect they observed was that the author uses htaccess to rewrite the URL so that it does not end with the extension of the PHP file. This adds to a cleaner, more polished appearance that lends legitimacy.

Rewriting URL to remove php ending
Rewriting URL to remove php ending (Akamai)

Also, all graphical interface elements in the forms are styled after PayPal’s theme, so the phishing pages have a seemingly authentic appearance.

Data stealing process

Stealing a victim’s personal data starts with presenting them a CAPTCHA challenge, a step that creates a false sense of legitimacy.

Bogus CAPTCHA step on the phishing site
Bogus CAPTCHA step on the phishing site (Akamai)

After this stage, the victim is asked to log into their PayPal account using their email address and password, which are automatically delivered to the threat actor.

This is not all, though. Under the pretense of “unusual activity” associated with the victim’s account, the threat actor asks for more verification information.

Warning about unusual account activity
Warning about unusual account activity (Akamai)

In a subsequent page, the victim is asked to provide a host of personal and financial details that include payment card data along with the card verification code, physical address, social security number, mother’s maiden name.

It appears that the phishing kit was built to squeeze all the personal information from the victim. Apart from the card data typically collected in phishing scams, this one also demands the social security number, mother’s maiden name, and even the card’s PIN number for transactions at ATM machines.

More info collected
More info collected (Akamai)

Collecting this much information is not typical to phishing kits. However, this one goes even further and asks victims to link their email account to PayPal. This would give the attacker a token that could be used to access the contents of the provided email address.  

Phishing email accounts
Phishing email accounts (Akamai)

Despite having collected a massive amount of personal information, the threat actor is not finished. In the next step, they ask the victim to upload their official identification documents to confirm their identity.

The accepted documents are passport, national ID, or a driver’s license and the upload procedure comes with specific instructions, just as PayPal or a legitimate service would ask from their users.

Instructions on how to upload documents
Instructions on how to upload documents (Akamai)

Cybercriminals could use all this information for a variety of illegal activities ranging from anything related to identity theft to launder money (e.g. creating cryptocurrency trading accounts, registering companies) and maintaining anonymity when purchasing services to taking over banking accounts or cloning payment cards.

Uploading government documents and taking a selfie to verify them is a bigger ballgame for a victim than just losing credit card information — it could be used to create cryptocurrency trading accounts under the victim’s name. These could then be used to launder money, evade taxes, or provide anonymity for other cybercrimes. – Akamai

Although the phishing kit appears sophisticated, the researchers discovered that its file upload feature comes with a vulnerability that could be exploited to upload a web shell and take control of the compromised website.

Provided the huge amount of information requested, the scam may appear obvious to some users. However, Akamai researchers believe that this specific social engineering element is what makes the kit successful.

They explain that identity verification is normal these days and this can be done in multiple ways. “People judge brands and companies on their security measures these days,” the researchers say.

The use of the captcha challenge signals from the beginning that additional verification may be expected. By using the same methods as legitimate services, the threat actor solidifies the victim’s trust.

Users are advised to check the domain name of a page asking for sensitive information. They can also go to the official page of the service, by typing it manually in the browser, to check if identity verification is in order.

Source :
https://www.bleepingcomputer.com/news/security/paypal-phishing-kit-added-to-hacked-wordpress-sites-for-full-id-theft/

PSA: Sudden Increase In Attacks On Modern WPBakery Page Builder Addons Vulnerability

The Wordfence Threat Intelligence team has been monitoring a sudden increase in attack attempts targeting Kaswara Modern WPBakery Page Builder Addons. This ongoing campaign is attempting to take advantage of an arbitrary file upload vulnerability, tracked as CVE-2021-24284, which has been previously disclosed and has not been patched on the now closed plugin. As the plugin was closed without a patch, all versions of the plugin are impacted by this vulnerability. The vulnerability can be used to upload malicious PHP files to an affected website, leading to code execution and complete site takeover. Once they’ve established a foothold, attackers can also inject malicious JavaScript into files on the site, among other malicious actions.

All Wordfence customers have been protected from this attack campaign by the Wordfence Firewall since May 21, 2021, with Wordfence Premium, Care, and Response customers having received the firewall rule 30 days earlier on April 21, 2021. Even though Wordfence provides protection against this vulnerability, we strongly recommend completely removing Kaswara Modern WPBakery Page Builder Addons as soon as possible and finding an alternative as it is unlikely the plugin will ever receive a patch for this critical vulnerability. We are currently protecting over 1,000 websites that still have the plugin installed, and we estimate that between 4,000 and 8,000 websites in total still have the plugin installed.

We have blocked an average of 443,868 attack attempts per day against the network of sites that we protect during the course of this campaign. Please be aware that while 1,599,852 unique sites were targeted, a majority of those sites were not running the vulnerable plugin.

total volume of attacks

Description: Arbitrary File Upload/Deletion and Other
Affected Plugin: Kaswara Modern WPBakery Page Builder Addons
Plugin Slug: kaswara
Affected Versions: <= 3.0.1
CVE ID:CVE-2021-24284
CVSS Score: 10.0 (Critical)
CVSS Vector:CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Fully Patched Version: NO AVAILABLE PATCH.

Indicators of Attack

The majority of the attacks we have seen are sending a POST request to /wp-admin/admin-ajax.php using the uploadFontIcon AJAX action found in the plugin to upload a file to the impacted website. Your logs may show the following query string on these events:

/wp-admin/admin-ajax.php?action=uploadFontIcon HTTP/1.1

We have observed 10,215 attacking IP addresses, with the vast majority of exploit attempts coming from these top ten IPs:

  • 217.160.48.108 with 1,591,765 exploit attempts blocked
  • 5.9.9.29 with 898,248 exploit attempts blocked
  • 2.58.149.35 with 390,815 exploit attempts blocked
  • 20.94.76.10 with 276,006 exploit attempts blocked
  • 20.206.76.37 with 212,766 exploit attempts blocked
  • 20.219.35.125 with 187,470 exploit attempts blocked
  • 20.223.152.221 with 102,658 exploit attempts blocked
  • 5.39.15.163 with 62,376 exploit attempts blocked
  • 194.87.84.195 with 32,890 exploit attempts blocked
  • 194.87.84.193 with 31,329 exploit attempts blocked
total exploit attempts

Indicators of Compromise

Based on our analysis of the attack data, a majority of attackers are attempting to upload a zip file named a57bze8931.zip. When attackers are successful at uploading the zip file, a single file named a57bze8931.php will be extracted into the /wp-content/uploads/kaswara/icons/ directory. The malicious file has an MD5 hash of d03c3095e33c7fe75acb8cddca230650. This file is an uploader under the control of the attacker. With this file, a malicious actor has the ability to continue uploading files to the compromised website.

The indicators observed in these attacks also include signs of the NDSW trojan, which injects code into otherwise legitimate JavaScript files and redirects site visitors to malicious websites. The presence of  this string in your JavaScript files is a strong indication that your site has been infected with NDSW:

;if(ndsw==

Some additional filenames that attackers are attempting to upload includes:

  • [xxx]_young.zip where [xxx] varies and typically consists of 3 characters like ‘svv_young’
  • inject.zip
  • king_zip.zip
  • null.zip
  • plugin.zip

What Should I Do If I Use This Plugin?

All Wordfence users, including FreePremiumCare, and Response, are protected from exploits targeting this vulnerability. However, at this time the plugin has been closed, and the developer has not been responsive regarding a patch. The best option is to fully remove the Kaswara Modern WPBakery Page Builder Addons plugin from your WordPress website.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected, as this is a serious vulnerability that can lead to complete site takeover.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance.

Source :
https://www.wordfence.com/blog/2022/07/attacks-on-modern-wpbakery-page-builder-addons-vulnerability/

Yoast SEO 19.3: Schema improvements, new word complexity assessment

Something has to be readable for machines and humans to understand it, right? Easy-to-read content has a greater chance of success as more people tend to understand it quickly. The same goes for machines — search engines rely on structured data to help them understand the meaning of your pages. In Yoast SEO 19.3, we’re bringing readability improvements to both humans and machines.

Schema structured data in Yoast SEO 19.3

You probably know the importance of structured data — search engines use it to grasp your content. They use those insights to determine if your content is valid for a rich result, visually highlighting it in the search results. But schema does other things as well.

A better way to handle images in the schema

In Yoast SEO 19.3, we’re improving how we handle images in our schema. If you want the proper pictures to show on your different output channels, you must be sure that search engines can find the right ones. We’ve changed the way we handled this.

At first, we relied on the OpenGraph image and Twitter image. The thing is, these often contain text to help them stand out on social media. On Google Discover, text on an image is not helpful and might hinder the performance of your post. Now, we output the textless featured image as the initial image for search engines to use. The main benefit is that services like Google Discover can use the right image — making your content shine! It increases the chance that your content will do well on Google Discover.

More robust handling of the webpage’s schema id

Yoast SEO comes with a thorough structured data implementation. From the start, we’ve been advocating using the id to tie all the different parts of a site together in one schema graph. In Yoast SEO 19.3, we’re improving how we handle the @id of the main schema WebPage node to be just the permalink for the current page. Doing this makes it easier for other plugins to build on our work.

Read our schema developer documentation to learn about our schema philosophy and best practices.

Yoast SEO Premium: New word complexity assessment to grade content

The readability analysis in Yoast SEO helps you to write content that is easy to read and quick to understand. We see excellent readability as a fundamental human right online. Sometimes, people accuse us of dumbing down content, but we like to turn that around — by making your content easier to read, you open it up for a lot more people.

For years, we used the Flesch Reading Easy score to give you a sense of how difficult a text would be to understand for users of different levels. This reading score works well, but it’s hard to make it more actionable. We’re introducing a new word complexity analysis that scans your content to see if you use too many complex words in your text.

Go Premium and get access to all our features!

Premium comes with lots of features and free access to our SEO courses!

Get Yoast SEO Premium »Only €99 EUR / year (ex VAT)

Word complexity is in beta and English only for now

One of the advantages of the complex word assessment is that it’s actionable. We can mark words that are complex according to our definition. The words we recognize as complex are, for the most part, complicated words that you might want to reconsider. By marking them in the text, you can easily change these to a more common alternative.

Of course, some words aren’t that difficult, but we still highlight them. Also, you might be in a situation where your keyphrase is considered a complex word. In rare cases, you might get a bit of duality in the feedback. That is one of the reasons we’re releasing the word complexity feature in Yoast SEO Premium beta and for English only.

The word complexity feature can highlight difficult words in your text

Flesch Reading Ease score moved to Insights tab

In Yoast SEO 19.3, you’ll notice that the Flesch Reading Ease score is no longer available in the readability section as it’s been replaced by the word complexity feedback. We haven’t removed it, but we’ve moved it to the Insights tab. Here, you’ll find the score and some other excellent insights into your content, like the word count, reading time, and the prominent words feature.

In the Yoast SEO Insights tab, you can find more information about your article

Enhancement to the crawl settings

The past two releases of Yoast SEO Premium saw the introduction and expansion of our new crawl settings. With these crawl settings, you can get better control over what search engines crawl and don’t crawl on your site. This is designed to help you decrease the baggage that WordPress comes with out of the box.

We’re not done with the crawl settings because we have many ideas to improve and expand these. In Yoast SEO Premium 18.9, we’re improving the handling of RSS feeds. We now add canonical HTTP headers from RSS feeds to their parent URLs (for instance, your homepage or specific categories or tags), so the feeds are less likely to appear in search results.

Update now to Yoast SEO 19.3

This is just a sampling of the changes and fixes to Yoast SEO 19.3. We have structured data updates, a new word complexity assessment in Yoast SEO Premium 18.9, improvements to the crawl settings, and more. Go download it now!

Source :
https://yoast.com/yoast-seo-july-12-2022/

Spectre and Meltdown Attacks Against OpenSSL

The OpenSSL Technical Committee (OTC) was recently made aware of several potential attacks against the OpenSSL libraries which might permit information leakage via the Spectre attack.1 Although there are currently no known exploits for the Spectre attacks identified, it is plausible that some of them might be exploitable.

Local side channel attacks, such as these, are outside the scope of our security policy, however the project generally does introduce mitigations when they are discovered. In this case, the OTC has decided that these attacks will not be mitigated by changes to the OpenSSL code base. The full reasoning behind this is given below.

The Spectre attack vector, while applicable everywhere, is most important for code running in enclaves because it bypasses the protections offered. Example enclaves include, but are not limited to:

The reasoning behind the OTC’s decision to not introduce mitigations for these attacks is multifold:

  • Such issues do not fall under the scope of our defined security policy. Even though we often apply mitigations for such issues we do not mandate that they are addressed.
  • Maintaining code with mitigations in place would be significantly more difficult. Most potentially vulnerable code is extremely non-obvious, even to experienced security programmers. It would thus be quite easy to introduce new attack vectors or fix existing ones unknowingly. The mitigations themselves obscure the code which increases the maintenance burden.
  • Automated verification and testing of the attacks is necessary but not sufficient. We do not have automated detection for this family of vulnerabilities and if we did, it is likely that variations would escape detection. This does not mean we won’t add automated checking for issues like this at some stage.
  • These problems are fundamentally a bug in the hardware. The software running on the hardware cannot be expected to mitigate all such attacks. Some of the in-CPU caches are completely opaque to software and cannot be easily flushed, making software mitigation quixotic. However, the OTC recognises that fixing hardware is difficult and in some cases impossible.
  • Some kernels and compilers can provide partial mitigation. Specifically, several common compilers have introduced code generation options addressing some of these classes of vulnerability:
    • GCC has the -mindirect-branch-mfunction-return and -mindirect-branch-register options
    • LLVM has the -mretpoline option
    • MSVC has the /Qspectre option
  1. Nicholas Mosier, Hanna Lachnitt, Hamed Nemati, and Caroline Trippel, “Axiomatic Hardware-Software Contracts for Security,” in Proceedings of the 49th ACM/IEEE International Symposium on Computer Architecture (ISCA), 2022.

Posted by OpenSSL Technical Committee May 13th, 2022 12:00 am

Source :
https://www.openssl.org/blog/blog/2022/05/13/spectre-meltdown/

Your Guide to WordPress Favicons

Recognition is crucial for your website to succeed. From creating a great logo to developing key messaging and delivering great content, the easier it is for visitors to recognize your brand, the better the chances they’ll remember your site and make the move from content curiosity to sales conversion.

But reliable recognition isn’t just about the big things — done well, even the smallest details of your WordPress website can help it stand out from the crowd and attract customer notice. This is the role of the favorite icon or “favicon” that’s used in web browser tabs, bookmarks, and on mobile devices as the app image for your site.

Not sure how favicons work or how to get them up and running on your site? We’ve got you covered with our functional guide to favicons — what they are, why they matter, and how to enable them in WordPress.

Grow Your Business With HubSpot’s Tools for WordPress Websites

If you would rather follow along with a video, here’s a walkthrough created by Elegant Themes:

https://youtube.com/watch?v=B4pmaGumOWY%3Ffeature%3Doembed

What is a WordPress Favicon?

The official WordPress support page defines a favicon as “an icon associated with a particular website or web page.” This description doesn’t do the term justice — in fact, favicons are everywhere and are intrinsically associated with your brand.

Let’s take a closer look at how favicons look and why they matter below. 

WordPress Favicon Size

The typical size of a WordPress favicon is 512 x 512 pixels. These icons are stored as .ico files in the root directory of your WordPress server.

But what does a favicon look like in real life? For a quick example, take a look at the browser tab of this webpage if you’re on a desktop or the area just under the address bar on your mobile device. Notice anything? That orange symbol with lines and circles is HubSpot’s favicon — and it shows up anytime you’re on our site.

In most cases, favicons are the same as brand logos scaled down to fit web and mobile browsers. Where this isn’t possible — such as cases where your logo is too complex or detailed — site owners typically opt for similar color schemes and thematic elements to ensure brand consistency.

Once you start seeing favicons you can’t unsee them; from webpages to tabs to bookmarks and mobile applications, the icon you choose for your favicon is inextricably linked to your site and your brand — so make sure you choose wisely.

Why Favicons Matter

Favicons are the visual currency of your brand. They’re everywhere — from browsers to bookmarks to mobile apps — and become an integral part of your site’s overall branding strategy.

As result, effective favicon design and deployment offers three broad benefits:

Improved Brand Recognition

Think of your favicon like your calling card — the icon needs to be simple, recognizable and consistent. The more places your favicon appears, the better, since this makes it easy for users to connect your WordPress site with your icon image.

Consistency is also key as users open multiple browser tabs and the available space for text descriptions naturally shrinks. Open enough tabs and all that’s left is — you guessed it — room for the favicon.

Increased Consumer Confidence

While visitors may not be able to define what a favicon is or how it works, these icons are inherently familiar. So familiar, in fact, that sites without favicons often stand out from the crowd for all the wrong reasons.

Much like relevant social media content and secure site connections, favicons are critical to boosting consumer confidence in the products or services you offer on your site.

Integrated Mobile Consistency

The impact of mobile devices can’t be ignored, with smartphones and tablets now outpacing desktops as the primary means of consumer online interaction. Favicons make it possible to ensure your brand easily translates to mobile — when users create website bookmarks on mobile home screens, your favicon stands in for the link.

Favicon Creation Guidelines

Not sure how to get started creating your site’s favicon? Let’s break down some best-practice guidelines.

1. Get the size right.

As noted above, favicons are typically 512 x 512 pixels in size. While it’s possible to use a larger WordPress favicon size, the platform will often ask you to crop the image down.

2. Keep it simple.

While it’s possible to add background colors and other customization to your favicon, keeping it simple is often the best choice. Here, simplicity includes opting for transparency over background colors and keeping the number of foreground colors in your favicon to one or two at most.

Ideally, your favicon will look almost identical to your brand’s logo — if that’s not possible, try to pull elements from your logo such as shapes or color schemes that help tie in your new favicon.

3. Choose wisely.

Site owners can update their favicon at any time, but it’s a good idea to keep the number of changes to a minimum. Here’s why: If users see a different favicon every time they log on to your website, they won’t have an opportunity to associate a specific image with your brand.

Bottom line? Better to go without a favicon until you find one that works for your site and that you don’t plan on changing.

How to Enable WordPress Favicons

To get your favicon up and running on your WordPress site, you’ve got three options:

  1. Use the Site Icon feature
  2. Install a favicon plugin
  3. Upload the new favicon yourself

Let’s break down each method in more detail.

1. Use the site icon feature.

As of WordPress version 4.3, the content management system (CMS) includes a Site Icon function that enables favicons. Simply prepare your image file — which can be a .jpeg, .ico, .gif or .png file — and head to the Administration page of your WordPress Site.

Next, click on “Appearance” and then “Customize”, then click “Site Identity.” Now, click “Select Image” under the Site Icon subheading and upload the file you’ve prepared. You should see a screen like this:

Using site icon feature in WordPress dashboard to create favicon

If you like the favicon you’ve created, no further action is required. If not, you can easily remove the file or upload a new image.

2. Install a favicon plugin.

You can also use a plugin — such as Favicon by RealFaviconGenerator — to create and deploy your favicon. This must-have WordPress plugin not only lets you customize your favicon but also ensures that multiple versions are created to satisfy the requirements of different operating systems and device versions.

As long as the image you upload to the plugin is at least 70 x 70 pixels, the RealFaviconGenerator will take care of the rest.

3. Upload the new favicon yourself.

If you’d rather do the legwork yourself, you can create and upload your own favicon to your WordPress site.

First, create an image that’s at least 16 x 16 pixels and is saved as a .ico file. Then, use an FTP client to upload this file to the main folder of your current WordPress theme — typically the same place as your wp-admin and wp-content folders.

While this should display your favicon in most web browsers, some older browser versions will require you to edit WordPress header HTML code. The result? DIY favicons aren’t recommended unless you’re familiar with more technical WordPress functions.

Final Favicon Thoughts

Whie favicons form only a small part of your WordPress website build, they’re critical for website recognition. Consistent and clear favicons make it easy for visitors to remember your site and carry this mental connection across desktop, tablet, and mobile devices.

Source :
https://blog.hubspot.com/website/wordpress-favicon#:~:text=WordPress%20Favicon%20Size&text=These%20icons%20are%20stored%20as,directory%20of%20your%20WordPress%20server.

Exit mobile version