Nulled WordPress Plugins – Dangers and Downsides

In our 2020 Threat Report, the Wordfence Threat Intelligence Team identified malware distributed via nulled, pirated, or counterfeit plugins and themes as one of the largest threats facing the WordPress ecosystem.

Many site owners are unaware of the risks associated with using nulled plugins, and in many cases, they may not even be aware that a nulled plugin is installed on their site.

During our recent investigation into the prevalence of nulled plugins, we found that over 23,000 sites are running nulled versions of the Wordfence plugin. Site owners with these installations may not be aware that their Wordfence installation is a nulled plugin, so we will be alerting these site owners to the risks and asking them to take action to protect their sites.

Wordfence is not alone. Our investigation shows that numerous popular plugins, both paid and freemium, are often nulled and redistributed, often with malware included. In order to elevate awareness of this troubling trend, we have compiled a list of frequently asked questions about nulled plugins and themes.

What is a nulled plugin?

A nulled plugin is a copy of a paid premium plugin that has been modified to provide some degree of premium functionality without paying for a license. In most cases, nulled plugins and themes fail to provide full premium functionality and often contain backdoors and other malware.

Nulled plugins usually retain the same brand name and logo as the original, creating the impression that the customer is receiving a paid version of the original plugin. However, when the customer opens a support request with the original vendor, they discover the vendor has no idea who they are.

How do I know if I’m using a nulled version of Wordfence?

If you have purchased a “lifetime license” or a copy of Wordfence Premium at a discounted price or for free from a third party and not directly through the Wordfence website, you are using a nulled version. Although the plugin dashboard may indicate that you have Wordfence Premium activated, these installations do not include a valid license key needed to activate premium features and are not fully functional.

Sites running a nulled copy of Wordfence are still only receiving freely available signatures and firewall rules, which are delayed by 30 days, and these sites do not receive the real-time data that Wordfence Premium receives. Additionally, sites using nulled Wordfence plugins do not have access to the Real-Time IP Blocklist.

What are some of the risks of using nulled plugins and themes?

Nulled plugins and themes frequently contain backdoors and other malware that is used to distribute SEO spam, perform attacks on other websites, steal sensitive information, and redirect site visitors to malvertising websites, all of which can put your site visitors at risk and ruin your website reputation.

Many nulled plugins and themes also inject hidden administrator users into your site’s database, effectively allowing malicious actors to take over control of your WordPress site. In reviewing the terms of service for nulled plugin distribution sites, several include provisions stating that, by downloading and installing one of their nulled plugins, you agree to let them modify your site whenever they want.

Although nulled versions of the Wordfence plugin might not include malware, we’ve found that sites running a nulled version of Wordfence are more than twice as likely to have unrelated infections compared to the average site running the free version of Wordfence.

Do all nulled plugins contain malware?

No. In fact, we’ve seen a recent shift away from malware distribution and towards subscriptions and paid downloads as a primary business model on websites that offer nulled WordPress plugins and themes.

Despite this fact, malware is still extremely prevalent in nulled plugins and themes distributed for free via forums and social media groups, and infections from nulled plugins and themes are still incredibly common.

Bear in mind that, by installing a nulled plugin, you are effectively giving that plugin complete control over your website. While this is true of any software, plugins and themes distributed via the WordPress directory are vetted for malicious code, while those distributed by nulled sites, on forums, and in social media groups are not.

Regardless of whether they contain malware, the vast majority of nulled plugins and themes fail to deliver the premium features they appear to provide, and may actually offer reduced functionality compared to legitimate versions freely available on the WordPress plugin directory.

What about discounted plugins?

We’re seeing an increasing number of nulled plugins being distributed via “discount” sites that charge a monthly subscription fee, or that offer “premium” versions of plugins for a reduced price. While these plugins and themes are less likely to contain malware than nulled software offered for “free”, they still do not offer full premium features, and in many cases are simply repackaged or slightly modified versions of code that is freely available on the WordPress directory.

Many premium plugins, including Wordfence Premium, include SaaS (Software as a Service) functionality. This means that the most critical Wordfence Premium features, including the Real-Time IP Blocklist, immediate firewall rule updates, and up-to-date malware signatures, cannot be made available to a nulled plugin since they rely on having a valid Wordfence license that authorizes Wordfence to send the latest data to your site.

It is trivial to modify the code of most plugins so that they appear to be fully licensed, but these modifications rarely unlock the full functionality of a plugin and can have real negative impacts while providing a false sense of security.

What about free versions of GPL-Licensed premium plugins?

The GPL (General Public License) allows other developers to fork a plugin, modify the code and redistribute it to others under the same terms. Trouble arises when a plugin is forked and the new developer doesn’t change the name or logo. Customers think they’re getting the same plugin from the same source, but that is not the case, and it violates the original developer’s trademark on their name and logo.

Another issue arises when the redistributable code is licensed under GPL, but the plugin contains Software as a Service (SaaS) technology that is proprietary. Wordfence is an example of this, where the Wordfence plugin receives proprietary data from our servers and those servers also contain proprietary code that performs additional computation. Accessing this data and capability requires a paid license. It is not possible to redistribute a plugin that contains this functionality without purchasing a Wordfence license from us. Buying a nulled Wordfence plugin results in a customer paying for the plugin and getting the free version of Wordfence.

The GPL is truly amazing because it helps foster innovation by making code available to others for reuse. It also allows the examination of source code by others, like security researchers, which helps us identify vulnerabilities and make the web safer. But abusing it to pretend that you are someone you are not while omitting functionality that a customer expects to get, is not what the GPL was intended for.

Can I get support for nulled plugins and themes?

Plugin and theme publishers that offer support to their paid customers will not provide support to customers who did not pay them and paid another vendor instead. This can leave customers confused when they open a support ticket and the vendor has no idea who the customer is.

Additionally, the unpredictable and frequently malicious modifications made to nulled plugins make them impossible to support even for publishers that offer support to their free users.

What should I do if I have a nulled plugin or theme installed?

If you find that you have a nulled plugin or theme installed, we recommend deleting it immediately. Then, we recommend scanning your site with Wordfence, either the free version available on the WordPress plugin directory, or Wordfence Premium, which provides additional functionality that is unlocked by entering a license key into the free version, rather than via a separate download.

We also recommend checking your database for unauthorized administrator users, since these are frequently added by nulled plugins and themes and can be hidden from other administrators. If you are not comfortable cleaning your own site, or if it continues to show symptoms of infection even after you have removed any nulled plugins or themes, the Wordfence Site Cleaning team will be happy to help.

Conclusion

In today’s article, we covered some frequently asked questions about nulled WordPress plugins and themes, including some of the risks involved, common misunderstandings, and what to do if you have a nulled plugin or theme installed on your site.

Using nulled plugins always has a cost, whether it’s the trust of your users when your site is hacked, or simply the monetary cost of a discounted copy that fails to deliver on its promises.

At Wordfence, we work hard to make sure that even the free version of Wordfence provides best-in-class protection for WordPress sites. We’d like to thank all of our Premium users for making this possible and for helping to protect the WordPress community as a whole with their support.

The post Nulled WordPress Plugins – Dangers and Downsides appeared first on Wordfence.

Episode 125: Critical SQL Injection Vulnerability Patched in WooCommerce

A critical SQL injection vulnerability was discovered in WooCommerce, the most popular e-Commerce plugin used by over 5 million WordPress sites. The WordPress.org team pushed a forced security update ensuring that over 90 versions of WooCommerce were patched. The REvil ransomware gang targeted a zero-day vulnerability in Kaseya, used by many in the banking industry, before going dark. A new SolarWinds zero-day was found in their Serv-U FTP platform. WordPress 5.8 will be released next week with many new features, as well as removing support for Internet Explorer 11. Microsoft released a number of patches, including those patching 3 zero-day vulnerabilities.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:14 Critical SQL Injection Vulnerability Patched in WooCommerce, WooCommerce announcement
5:50 Kaseya Patches Zero-Days Used in REvil Attacks
9:14 SolarWinds patches critical Serv-U vulnerability exploited in the wild
10:33 WordPress 5.8 release next week
12:22 Microsoft Crushed 116 Bugs
15:00 Defiant is hiring



Episode 125 Transcript

Ram:
Welcome to Think Like A Hacker, the podcast about WordPress, security, and innovation. I’m Ram Gall, Threat Analyst at Wordfence. And with me is Director of Marketing, Kathy Zant. How are you, Kathy?

Kathy:
I am doing very well, Ram. We’ve had a busy couple of days, hey?

Ram:
Why, yes we have. So the first thing on our list is a critical unauthenticated SQL injection vulnerability in WooCommerce, which you actually tipped me off to, because you apparently monitor the secret, dark hacking web of scum and villainy known as Twitter.

Kathy:
That’s it. Exactly. Hey hackers, black-hat hackers, any hackers, I’m watching you. If you have the intel on all of the vulnerabilities in WordPress, and you’re talking about it, I’m on it. And I’m alerting Ram and Chloe, and we are right behind you.

Ram:
The guy who actually found it was not a black-hat hacker in this case. He responsibly disclosed it to Automattic, but Kathy caught wind of it a few hours ahead of time. So I started looking through our logs and through the WooCommerce code base. WooCommerce is kind of enormous, but-

Kathy:
It is enormous. Well, it’s doing a lot, right?

Ram:
Yeah. Well, I didn’t find it until the patch dropped, but hey, all that time poring over WooCommerce made it a lot faster for me to actually figure out a proof of concept once the patch dropped. So…

Kathy:
Excellent. Great. So tell me about what vulnerability was actually found. This was unauthenticated SQL injection vulnerability, which means unauthenticated means anyone could exploit this on a vulnerable site and SQL injection has to do with the database. So what exactly did you find once we identified this vulnerability?

Ram:
Well, I found a time-based blind and a Boolean based blind SQL injection. At least that’s what I was able to make proofs of concept for. The bad news is that you can use this to extract anything you want from a site’s database, even if you’re not logged in, even if you’re just a visitor.

Kathy:
Okay. Okay. Okay. So in the database includes any user password, correct? So it’s obviously salted, but you can get usernames, you could get personally identifiable information about the customers that are buying things off of that WooCommerce storefront. You could get user passwords, all sorts of fun things, couldn’t you?

Ram:
Oh yes. Yes. There’s a lot of sensitive information and personally identifiable information in a website database, especially if it’s an e-commerce storefront. So yeah, this could have been really bad, but we did manage to get a firewall rule deployed to our customers within a few hours. We also figured out that there is more than one way to do this. So we actually had to make a new firewall rule the next day, which is today, the day we’re recording. Push that out as well.

Ram:
And it looks like WooCommerce also took some drastic action. We’ve discussed how, in the past, WordPress can force auto updates. In this case, I think it was completely warranted. I think it was the right decision. WooCommerce is installed on more than 5 million sites, and they basically back-ported this one patch that wouldn’t really break anything to all the minor versions so that you auto update just to the next minor version up. So if you were on 5.3, you’d get updated to 5.3.1. If you were on like 4.3, you get updated to 4.3.1. The reason for that is that way that you could get patched without breaking compatibility, which is really cool.

Kathy:
Right. That was great that they did that. It looked like from their announcement that there were 90 vulnerable versions of WooCommerce that they patched. And it was great to see. I’m always a little concerned with auto updating and pushing out auto updates, but with a vulnerability of this level, and given the types of transactions that are taking place on WooCommerce sites, completely and totally warranted to push out a fix in order to ensure everybody is protected as soon as possible. But of course, our Wordfence Premium customers get some additional protection with the firewall rules that we put together. You said that we’re already starting to see some malicious actors poking around, looking for vulnerable sites?

Ram:
Yes. It’s not a lot of actors yet. Just a few IPs so far, but we are actually seeing functional attacks, attacks that would, at the very least, count as a valid proof of concept from these attackers. So someone’s at least figured out the basics of how to do this.

Kathy:
Okay. Okay. And we’ll probably start seeing a lot of copycat attacks in the days to come?

Ram:
Yes. Yes. I would expect that. I don’t expect it to be exploited on a large scale for a while just because it’s not a super complicated vulnerability, but it’s a little bit tricky to take it from patch to proof of concept. And again, it’s also a little tricky to take it from proof of concept to automated attack.

Kathy:
Okay. Understood. All right. So no matter when you’re listening, you might be listening to this and it’s a couple of days after we’ve recorded. This means you have some time to make sure that your site is updated. We’ll have a link to WooCommerce’s security advisory that they put out. And on that list, they actually detail out every single version of WooCommerce that was updated. It would make sense, if you haven’t logged into your WooCommerce site recently, it’s time to log in and make sure that you’re updated. It’s just something to double check. If you do think that your site has been compromised, say you’re listening to this a few months in the future, we do have some indications of compromise on that blog post that we pulled together that might be helpful for you to look for in your log files. So definitely take a look at both WooCommerce’s security advisory, as well as the post our threat intel team led by Ram on this particular case, that they put together in order to basically get the word out about what could possibly happen going forward. What do we have up next?

Ram:
He actually missed this last week because we didn’t run a podcast for the holiday, so we didn’t end up covering the massive REvil attack on Kaseya.

Kathy:
Right. That was crazy. It hit right before the 4th of July holiday weekend. REvil, who we’ve talked about a number of times on this podcast, a Russian based ransomware gang… Should we call them a gang?

Ram:
They are a gang. If this is not the first time they’ve pulled off something like this, hitting a big target right before a holiday. Yeah.

Kathy:
One of their favorite timeframes, I guess. And so now what exactly is Kaseya and how prevalent is it used by enterprises?

Ram:
So Kaseya is a managed service provider and they offer a virtual system or a virtual server administrator platform, actually a lot like SolarWinds. They use it to monitor network traffic, configure and lockdown systems. So there’s a little bit more emphasis on the configuration and locking down, though it does also do network monitoring and it’s used by a lot of banks and credit unions. So this has a lot of supply chain attack potential. There’s a lot of potential downstream consequences for this.

Kathy:
I see. Interesting. Now, since this attack started, some odd things have happened with REvil?

Ram:
Their site went down, not only their public website, but their onion site on the dark web also went down, where they actually collect ransoms and do business with other malicious operators. This might or might not be related to the Biden administration’s rewards of up to $10 million for information leading to the identification of malicious cyber activity. So they might’ve just done a rebrand or they might’ve been hacked back. Either is basically a speculation at this point.

Kathy:
Sure, sure. That’s understood. But yeah, it looks like the Biden administration is getting serious about ransomware and some of these large scale attacks, I think just because of the dollar values that are being bandied about. Millions and millions of dollars are being requested by these ransomware gangs. And it’s having definite effects on life as we know it in the United States, gas stations being closed because there’s no gasoline to put into the pumps, tons of effects here. So it should be interesting. Obviously, we’re in a state where we have malicious actors who are making money at ransomware. And so law enforcement and government officials are stepping up their defenses. So this will definitely be interesting to continue watching. Do you have any bets on what REvil might rebrand to?

Ram:
Not really, but I really hope that it’s less confusing to pronounce. I’m still not sure if it’s REvil or R-evil, but if two months down the line some new ransomware gang called Weevil comes out, I’ll be like, “I know who you are.”

Kathy:
Exactly. Exactly. Okay. Well, we’ll keep you posted if we figure out what the rebrand is. Maybe we’ll do like a brand evaluation, see how well they’re doing on to stay on brand.

Ram:
Yeah. Exactly. We don’t want brand dilution. There’ll be like a bunch of REvil knockoffs. There’ll be Weevil and BEvil and…

Kathy:
Exactly. Well, hackers are definitely creative, even if they are on the malicious side of things. So it looks like SolarWinds has a zero-day that has just been patched, right?

Ram:
A new zero-day in a SolarWinds product. This time, the Serv-U FTP, which is basically just an FTP server that’s specialized for securely transferring larger files, since FTP can totally do that. But it’s not necessarily set up for that. It looks like a single threat actor was exploiting this. And according to Microsoft, who’s been researching this, it was a Chinese APT or advanced persistent threat.

Kathy:
Oh, interesting.

Ram:
Don’t have that much more info about it, but it looks like this was only vulnerable if the SSH service was enabled on the Serv-U FTP server. So…

Kathy:
Got you. Okay.

Ram:
Yeah.

Kathy:
Well still, I mean, these are kind of scary vulnerabilities to have an FTP service that is vulnerable because once somebody has access to FTP, you can put any file on a server. You can put malware, you can put backdoors, all sorts of things. You basically get control of that server, at least for that particular user on that server, correct?

Ram:
Yeah. And it looks like they were able to actually execute code on the server so that would have likely allowed them to completely take it over. Actually it does look like that was the case. So, yeah.

Kathy:
Interesting. Okay, cool. Well, in better news, it looks like next week, we’re going to get a new version of WordPress. What’s happening?

Ram:
Well, I’m actually kind of excited about this. For one thing, there are media library changes, template editor changes. Gutenberg is continuing to get better, or less bad. Actually. I think at this point it actually counts as getting better. I think we reached the less bad point a little while back and now it’s actually pretty cool. I like it. But there’s something that I’m actually pretty excited about and that’s no more support for Internet Explorer 11.

Kathy:
Oh my gosh. The angels sing.

Ram:
And there’s going to be a bunch of quality of life tweaks. Oh, there’s also going to be some things that will improve core web vitals.

Kathy:
Oh, excellent.

Ram:
It looks like it’s automatically doing source set for images, so that should improve your cumulative layout shifts.

Kathy:
Nice.

Ram:
And you can also sepia tone or do some other kind of duotone for your cat photos, which I will potentially be demonstrating in a future Wordfence Live episode.

Kathy:
Exciting. Does it only work for cat photos or could I do it for my dog?

Ram:
You could do it for your dog. You’re not allowed to use sepia tone though.

Kathy:
Oh. Oh, well sad. Well, he’s a golden retriever. He’s already kind of in that realm anyway.

Ram:
Exactly. If you use sepia tone on him, he’d basically just disappear into the background.

Kathy:
Yes, exactly. Awesome. Well, it looks like this is going to be a great update for WordPress 5.8. It’s definitely leading us further along that path of full-site editing, which core team has dedicated this year to making happen. And I’m very excited about that. I think this is going to really solidify WordPress as the platform of choice for websites, and that’s a good thing. I’m excited about it. It looks like Microsoft is crushing bugs left and right. What do we see with this?

Ram:
Microsoft smash! So I guess there were three zero-days in Windows that they just patched on Patch Tuesday, including it looks like an extra patch for that PrintNightmare vulnerability, which I guess took a few patches to really completely tank. So yeah, it’s not your imagination. There have been a lot of zero-days this year or a lot of impactful zero-days this year. Google’s Project Zero, which tracks… Well, they’re not really tracking WordPress zero-days, but they’re tracking impactful zero-days in browsers and Android and Windows and OSX. They found that there’s been 33 zero-days exploited in the wild just so far this year. And there were only 22 exploited in the wild for all of 2020. So yeah. It’s not your imagination that whole thing we were joking about how there’s a Chrome zero-day every other week, yeah, it’s kind of-

Kathy:
There really is. Yeah. Yeah. So I think there’s a lot of security research that’s happening. There’s a lot of, obviously, malicious attacks that are happening. But I think the great thing is that more and more people, not just in the WordPress community, but the world as a whole, is becoming much more aware of what is happening with security online. And people are taking it to heart. I’m having more and more people ask me the question. Obviously this is very anecdotal and I didn’t really research this, but more and more people are asking me questions about what do I need to do about my own personal security? Because they’re seeing the ransomware, they’re seeing all of these attacks that are happening. They’re hearing about Chrome zero-days. So security education is becoming forefront for a lot of people. And I’m actually excited about what’s happening in the security landscape. What about you?

Ram:
I mean, I definitely am. I feel like awareness is definitely at an all time high. My mom texts me security articles now, and I don’t think she quite gets what’s going on for a lot of them, but yeah, it’s pretty cool. There’s more people interested and more people aware than there ever have been.

Kathy:
You’re actually becoming a hero instead of the security nerd, right? But we’re still security nerds.

Ram:
We are always going to be security nerds.

Kathy:
Always, always, always going to have a little bit of tinfoil hat going on, especially after some of the things we’ve seen. But we’re heartened to have more and more people who are elevating their security knowledge. It’s really great to see.

Kathy:
I’d like to talk a little bit about some of the open positions that we have here at Defiant. We’re hiring for a number of positions, including Senior Researcher for Website Performance related to our FastOrSlow website performance profiler, QA Engineer. We have a Senior Operations and Security Engineer position open, and we’re looking for a number of Senior PHP developers. And that particular role has some additional benefits to it in terms of a signing bonus. We’ll have a link to our employment page in our show notes. On that employment page, our CEO, Mark Maunder, actually wrote up a little piece that I’d recommend that you read as well. He kind of wrote up a document that basically talks about what makes Defiant different. What makes Defiant work, what makes Defiant a great place to work. And he goes over all of the things that make this remote-first organization really do what we do and do what we do best.

Kathy:
And I really recommend reading it because it’s not just about “you get to work from home.” It’s about sort of this corporate culture that we have, where everyone in this organization is working together, actualizing their own potential towards a greater good and towards a greater mission of helping secure WordPress and serving our customers. So, anyway, I’m not going to put words into Mark’s mouth. He’s got enough words on that page that you can read, and it’s really a good read. So definitely take a look at that. And if any of these positions look interesting to you, we would love to talk to you. And send us your resume.

Ram:
Yeah. I will say that you get to work with some really amazing people here. So that’s one of the things that is best about working here is the people I get to work with every day.

Kathy:
Yeah. The people here are one of a kind and it is a great place to work. So definitely take a look at that. We’d love to invite you into the fold, into the team. Anyway, that’s all I’ve got this week. Ram?

Ram:
That’s all I’ve got. Thanks for listening.

Kathy:
Thanks for listening. And we’d love to hear from you. Hey, go follow Ram on Twitter and say thanks to him for his hard work on this WooCommerce post because-

Ram:
And send me cat pictures.

Kathy:
Cat pictures.

Ram:
And then I will sepia tone them on WordPress.

Kathy:
Excellent. Perfect. We’ll leave it there. Thanks for listening.

Ram:
Bye.

Kathy:
Bye.



Critical SQL Injection Vulnerability Patched in WooCommerce

Update: The article originally credited Tommy DeVoss (dawgyg) for the discovery. We’ve since been contacted by Tommy, who let us know that the credit should go to another researcher, Josh from DOS (Development Operations Security).

On July 14, 2021, WooCommerce released an emergency patch for a SQL Injection vulnerability reported by a security researcher, Josh from DOS (Development Operations Security), based in Richmond, Virginia. This vulnerability allowed unauthenticated attackers to access arbitrary data in an online store’s database.

WooCommerce is the leading e-Commerce platform for WordPress and is installed on over 5 million websites. Additionally, the WooCommerce Blocks feature plugin, installed on over 200,000 sites, was affected by the vulnerability and was patched at the same time.

The Wordfence Threat Intelligence team was able to develop proofs of concept for time-based and boolean-based blind injections and released an initial firewall rule to our Premium customers within hours of the patch. We released an additional firewall rule to cover a separate variant of the same attack the next day, on July 15, 2021.

Sites still running the free version of Wordfence will receive the same protection after 30 days, on August 13 and August 14, 2021.

We strongly recommend updating to a patched version of WooCommerce immediately if you have not been updated automatically, as this will provide the best possible protection.

The vulnerability affects versions 3.3 to 5.5 of the WooCommerce plugin and versions 2.5 to 5.5 of the WooCommerce Blocks plugin.

WooCommerce Responded Immediately

In the announcement by WooCommerce, Beau Lebens, the Head of Engineering for WooCommerce stated, “Upon learning about the issue, our team immediately conducted a thorough investigation, audited all related codebases, and created a patch fix for every impacted version (90+ releases) which was deployed automatically to vulnerable stores.”

Due to the critical nature of the vulnerability, the WordPress.org team is pushing forced automatic updates to vulnerable WordPress installations using these plugins. Store owners using older versions can update to the latest version in their branch. For example, if your storefront is using WooCommerce version 5.3, you can update to version 5.3.1 to minimize the risk of compatibility issues. Within the security announcement from WooCommerce, there is a table detailing the 90 patched versions of WooCommerce. Additionally, WooCommerce has a helpful guide for WooCommerce updates.

Has This Been Exploited in the Wild?

While the original researcher has indicated that this vulnerability has been exploited in the wild, Wordfence Threat Intelligence has found extremely limited evidence of these attempts and it is likely that such attempts were highly targeted.

If you think you have been exploited due to this vulnerability, the WooCommerce team is recommending administrative password resets after updating to provide additional protection. If you do believe that your site may have been affected, a review of your log files may show indications.

Look for any requests to /wp-json/wc/store/products/collection-data or ?rest_route=/wc/store/products/collection-data in your log files that appear to contain SQL statements. Query strings which include %2525 are also an indicator that this vulnerability may have been exploited on your site.
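The log review above can be scripted. The following is an added example, not Wordfence tooling: it parses access-log lines in the common Apache/nginx "combined" format (an assumption about your server), keeps only requests to either form of the collection-data route, and flags those whose query string carries SQL keywords or the double-encoded percent sign %2525 (which decodes to %25 and then to a bare %). The log lines embedded at the bottom are constructed for the demonstration and the flagged one is not a working payload.

```python
import re
from urllib.parse import unquote
from typing import Dict, List

# Either path form of the WooCommerce Store API route named in the post.
COLLECTION_DATA = re.compile(
    r"/wp-json/wc/store/products/collection-data"
    r"|[?&]rest_route=/wc/store/products/collection-data",
    re.IGNORECASE,
)

# Combined log format: ip - - [time] "METHOD target HTTP/x" status size "ref" "ua"
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Conservative set of SQL tokens that have no business in this route's
# query string; tune for your own false-positive tolerance.
SQL_TOKENS = re.compile(
    r"\b(union|select|sleep|benchmark|extractvalue|updatexml)\b"
    r"|\b(and|or)\b\s+[\w'\"]+\s*=",
    re.IGNORECASE,
)


def classify_request(target: str) -> List[str]:
    """Return the indicators found in one request target (empty if none).
    Only requests to the collection-data route are considered at all."""
    if not COLLECTION_DATA.search(target):
        return []
    reasons = []
    if "%2525" in target:
        reasons.append("double-encoded percent (%2525)")
    # Decode twice so tokens hidden behind double URL-encoding are visible.
    decoded = unquote(unquote(target))
    if SQL_TOKENS.search(decoded):
        reasons.append("SQL keywords in query string")
    return reasons


def find_suspicious_requests(lines) -> List[Dict[str, object]]:
    """Scan log lines; return one record per request that carries an indicator."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        reasons = classify_request(m.group("target"))
        if reasons:
            hits.append({
                "ip": m.group("ip"),
                "time": m.group("time"),
                "target": m.group("target"),
                "reasons": reasons,
            })
    return hits


# Constructed sample log lines (documentation-range IPs); not real traffic.
SAMPLE_LOG = [
    '203.0.113.10 - - [15/Jul/2021:10:02:11 +0000] "GET /wp-json/wc/store/products/collection-data?calculate_price_range=true HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [15/Jul/2021:10:05:42 +0000] "GET /wp-json/wc/store/products/collection-data?example=1%2525%2527%2520OR%2520SLEEP%25285%2529 HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '198.51.100.7 - - [15/Jul/2021:10:05:43 +0000] "GET /index.php?rest_route=/wc/store/products/collection-data&example=%2525 HTTP/1.1" 200 512 "-" "curl/7.68.0"',
    '203.0.113.10 - - [15/Jul/2021:10:06:00 +0000] "GET /wp-json/wp/v2/posts?search=select HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_suspicious_requests(SAMPLE_LOG):
        print(hit["time"], hit["ip"], hit["reasons"], hit["target"])
```

Run it over a real log with `find_suspicious_requests(open("access.log"))`; a hit is a reason to look closer at that client and time window, not proof of compromise on its own.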

Update: We’re starting to see attack data trickle in. So far, all of the attacks are coming from just a few IP addresses:

107.173.148.66
84.17.37.76
122.161.49.71

Additionally, it appears that UNION-based SQL injection may be possible with this vulnerability, meaning that an attacker could retrieve information from the database much more quickly than is possible with blind injection.

Improving Security of the WordPress Ecosystem

Sites with e-Commerce functionality are a high-value target for many attackers, so it is critical that vulnerabilities in e-Commerce platforms are addressed promptly to minimize the potential damage. With the growth of both WordPress and WooCommerce, more security researchers have turned their attention to WordPress-related products. The rapid and thorough response by the WooCommerce team in protecting WooCommerce users is a great sign for the ongoing security of e-Commerce in the open source WordPress ecosystem.

The post Critical SQL Injection Vulnerability Patched in WooCommerce appeared first on Wordfence.

Common WordPress Vulnerabilities and Prevention Through Secure Coding Best Practices

WordPress has experienced exponential growth in the past several years and now holds over 42% of the CMS market share for all major sites. There are over 50,000 plugins available to download in the WordPress repository. That does not include the thousands of premium or open source plugins available outside of the repository, along with the thousands of themes that site owners can use to customize their WordPress site.

With the vast assortment of plugins and themes, thousands of developers with unique backgrounds, coding styles, and preferences contribute to the WordPress ecosystem. The vast differences in developers’ styles contribute to what makes WordPress the dominant CMS, as this creativity in code is what gives WordPress a diverse and uniquely customizable platform. However, with such diverse contributions to what WordPress can do, it is important to make sure that developers are aware of what type of code can introduce vulnerabilities, and how they can ensure they don’t create a product that has the potential to adversely affect thousands of WordPress users whose livelihoods may depend on WordPress.

This paper has been created as a resource for developers creating WordPress products to provide guidance as to what coding flaws can introduce some of the most common and significant WordPress vulnerabilities, in addition to providing recommendations on how to prevent the introduction of these vulnerabilities.

Further, we hope that this white paper serves as a tool for security researchers looking for vulnerabilities in WordPress core, themes, and plugins. This guide details what to look for when evaluating WordPress-related code and recommendations that should be supplied to a developer or vendor in the event that a vulnerability is discovered.

In this paper, you will find the most common vulnerabilities the Wordfence Threat Intelligence team discovers, along with what to look for when auditing themes or plugins for these vulnerabilities, and what measures can be taken to remediate or avoid them.

You can download the paper here, and be sure to share with colleagues who can benefit from a deeper dive into common vulnerabilities seen in the WordPress space.

Special thanks to Kathy Zant, Director of Marketing, and Ram Gall, Threat Analyst, for all of their contributions to this paper. 

The post Common WordPress Vulnerabilities and Prevention Through Secure Coding Best Practices appeared first on Wordfence.

Episode 124: PrintNightmare 0Day Exploit Accidentally Leaked Online

Security researchers accidentally leaked zero-day exploit code for a new Windows bug, now called PrintNightmare, while easily exploitable vulnerabilities in the ProfilePress plugin, previously called WP User Avatar, were patched quickly. An unprotected cloud database containing over 814 million DreamHost user records was found online. Google Chrome is getting an HTTPS-only feature in an upcoming version, and two bugs, one of which is a zero-day, are leading to attackers fighting over control of internet-connected Western Digital My Book Live devices.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:15 Researchers accidentally release exploit code for PrintNightmare, CISA Advisory
4:42 Easily Exploitable Critical Vulnerabilities Patched in ProfilePress Plugin
7:48 Cloud Database Exposes 800M+ WordPress Users’ Records
9:45 Google Chrome will get an HTTPS-Only Mode for secure browsing
12:18 Hackers exploited 0-day, not 2018 bug, to mass-wipe My Book Live devices

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 124 Transcript

Ram:
Welcome to Think Like A Hacker, the podcast about WordPress, security, and innovation. I am Ram Gall, threat analyst at Wordfence. And with me is Director of Marketing, Kathy Zant. So it seems like this week we’ve got one of those endless scream situations again.

Kathy:
We do. What’s going on?

Ram:
So there’s this PrintNightmare, zero-day exploit, that allows domain takeover of any Windows Server running the Print Spooler service, which is a lot of them. It’s unpatched so far. It’s a zero day.

Kathy:
Oh my gosh. So, is this what network engineers are going to be doing over a holiday weekend, is turning off Print Spooler on all of their Windows Servers?

Ram:
Yeah. There’s no patch available for it yet. The only thing you can do is turn off the Print Spooler service, and it allows both remote code execution and local privilege escalation, which again between them mean that you can basically take over the domain controller. And once you have that, you basically have the entire Windows network.

Kathy:
So not just the server, you can take over the entire Windows network? Now, there was an interesting story of how this vulnerability became public. What happened here?

Ram:
So, this is interesting. It looks like two different security companies in China were both researching Print Spooler vulnerabilities. And one of them basically found a vulnerability in the Print Spooler, let Microsoft know responsibly, which is the right thing to do. And Microsoft patched it a few days back. And meanwhile, the other security company saw it and went, “oh, Hey, we’ve been working on that too. Here’s our proof of concept for that exploit.” And it turns out-

Kathy:
And they posted that on GitHub, right?

Ram:
Yeah. Only it wasn’t that exploit. It was a different exploit in the same thing and it wasn’t patched. And they deleted it as soon as they figured out what had happened. But by then the internet never forgets.

Kathy:
It doesn’t. It got, what? Cloned, forked and cached all over the internet.

Ram:
Yep.

Kathy:
And what are they calling this? PrintNightmare?

Ram:
It is PrintNightmare. And you know how we’ve talked some pretty big numbers. We’ve had like the Exchange Server thing, which was-

Kathy:
Yeah that was huge.

Ram:
This is bigger.

Kathy:
Bigger, yeah. Well, there’s more Windows Servers than there are Exchange Servers. So this is pretty much everywhere. Is this on Windows like desktop machines as well?

Ram:
The Print Spooler runs on Windows desktop machines. I don’t want to speculate and say outright that it’s invulnerable, but you know it’s the same service. It’s just that Windows desktop machines are probably not exposed to the internet at large and probably don’t have the same degree of permissions. They’re not as useful to take over as an actual Windows Server. The good news is that Windows Servers, you don’t usually need to print things off of a server unless it’s a print server. Usually you can just print off of the desktop. In some cases it might be disabled already on Windows Server. And the good news is that it’s a pretty simple group policy change. You can just push this to everything real quick, if you’re a domain administrator. So it’s not hard to turn this off. It’s just that, I really hope that everyone who needs to know this knows this and is fixing it right now.

Kathy:
Right. Right. Yeah. So Rapid7 was one of the researchers that had confirmed that these public exploits work against fully patched Windows Server 2019 builds. And that this vulnerable service is enabled by default on Windows Server. So you need to be aware if you’re running any kind of Windows Server on your network at home, anywhere Windows server is default running, you’re going to need to go turn off Print Spooler because the proof of concept is out there. This will be under attack. And so this is important that you pay attention. Alarm bells are indeed ringing. So yeah, important.

Ram:
Yeah. The vast majority of enterprise controllers, all domain controllers, even those that are fully patched are vulnerable to remote code execution by an authenticated attacker. So that does mean that they need like an “in” into the network. Given the number of ransomware attacks these days, one can basically assume… you don’t necessarily have to assume breach, but assume that an attacker has a foothold.

Kathy:
Sure. Definitely. And CISA, it looks like, has an alert out warning anyone to disable Windows Print Spooler as well. And we’ll have a link to that in the show notes. So even if you are not managing a Windows Server, this might be one of those times that you call your friends that you used to work with that are running Windows Servers and let them know, because this is like an all hands on deck, get the alarm bells ringing out there type of problem that could have wide ranging effects.

Ram:
Yep. Meanwhile, this is the second time we’ve mentioned this plugin in, I want to say, a couple of months.

Kathy:
Yeah. ProfilePress?

Ram:
Yeah. That was the one that used to be WP User Avatar, right? And there was kind of an uproar, right?

Kathy:
There was a little bit of an uproar. Recently WP User Avatar had 400,000 installations and they changed their name to ProfilePress and basically changed it into a fully functional membership type of plugin. Rather than just a user avatar plugin. So they introduced a ton of new features. People who were using WP User Avatar were like, wait a minute, this is not the functionality I had in mind, when they updated and found that they had somewhat of a different plugin installed. So when you’re introducing new functionality into a plugin, there’s a propensity for introducing bugs. Some of those may be security bugs. What did we find when we took a look, Ram?

Ram:
Well, I am really glad that Chloe decided to look at it pretty much as soon as she heard about all the new functionality, because, woo boy, she found some stuff.

Kathy:
She did.

Ram:
So this is kind of sad and at the same time hilarious, but literally every membership plugin in the repo has, at some point in its history, had this exact bug. Basically where anything that basically allows users to have custom roles or something, you can tell it that you want to become an administrator. And it’ll just make you an administrator if you pass it the right keys and values. And for some vulnerabilities, it’s just been at registration. For others it’s been from the profile update page. With this it was both. The good news is that it was introduced when it became ProfilePress so it’s only versions 3.0 to 3.1.3 that are vulnerable.

Kathy:
Okay. And Chloe contacted them and they responded, she said, within minutes. They responded quickly and got a patch back to Chloe so that she could double check it and make sure that it dealt with some of these vulnerabilities very, very quickly. So everything is patched. Because of the severity of the vulnerabilities we determined that it would probably be best to ensure that firewall rules went out to everyone, including those using the free version of Wordfence. So those all went out by June 26, and we published shortly thereafter. So you can take a look on our blog and find out more details about these vulnerabilities patched in ProfilePress if you’re one of the 400,000 people using this.

Ram:
There were some file uploads, too.

Kathy:
File uploads. Oh those are always fun because that basically is just like ownership. Because any file upload vulnerability is going to be an upload of a shell that basically gives you access to anything on that server or that particular installation of that website, correct?

Ram:
Yep. Two privilege escalations and two arbitrary file uploads. And that’s just a lot.

Kathy:
That is a lot. Okay. Speaking of a lot, it looks like DreamHost had a lot of user records that were exposed. What happened with this cloud database?

Ram:
Well, security researcher Jeremiah Fowler found an unprotected trove online with no password protection containing 814 million DreamHost records dating back to 2018. It was 86 gigabytes of stuff containing their users’ WordPress configurations, including login URLs, first and last names, email addresses, usernames, roles, host IPs, which actually doesn’t sound like that big of a deal, but if you’re using a cloud-based WAF and you have the host IP, then you can bypass that cloud-based WAF a lot of the time. Which is why having multiple layers is so important.

Kathy:
Yes, definitely. So you can have a cloud-based WAF if you want, but it’s always good to have an endpoint WAF. Layer that security like a seven-layer cake. Protect your website. Now this only seems to have affected DreamHost’s DreamPress users, not all of their users. So if you were using DreamPress, their specific managed WordPress installation, those are the customers that were affected here.

Ram:
Indeed. And they say it appears to date back to 2018, but they don’t actually know how long it’s been exposed. Just the data in there is from 2018.

Kathy:
Right. And they have no way of knowing how many people may have accessed it, or for how long. Maybe it was known for a long time that this was a publicly available database in hacker circles or whatever. So no way of knowing. You just have to assume that if it was public, that someone malicious may have found it.

Ram:
Yeah. And I mean, realistically, we always say that assume that your username is public knowledge.

Kathy:
Right. Right. Exactly. Because it very well may be. So Google Chrome, no Chrome zero days today?

Ram:
No Chrome zero days. We’ve got a two week streak.

Kathy:
Oh wow. Wow. Keep that streak going. But it looks like Google Chrome has a security update that looks to be rolling out by the end of August. What is this going to entail?

Ram:
So it looks like Google is going to add an HTTPS-only mode to protect your web traffic from eavesdropping. And that basically means that… there’s already plugins or extensions you can use to do this. But it will at least attempt to upgrade all connections to HTTPS. Now that is going to be dependent on the site you’re visiting having a certificate and being able to support that connection. Otherwise, it hasn’t been confirmed, but I don’t see any way this wouldn’t throw up a roadblock page if you’re trying to connect to a site that doesn’t have a certificate, if this is enabled.

Kathy:
Right. Right. So this doesn’t get you off the hook of having a secure certificate. Obviously Google has inspired all of us to add an SSL certificate to our website because it improves your search engine performance. So if you want to be found, it’s important to have that. But now with this new HTTPS-only mode… and Google, also Chrome has been showing “insecure” as a little alert up in the address bar of sites that did not have a certificate installed. So I imagine that the warning is going to be even more dire should someone be visiting a site that doesn’t have an SSL certificate.

Ram:
I very much suspect that this will effectively make having a TLS certificate mandatory if you want people to view your site with Chrome. At least if this is enabled. Though, I don’t know if it will be enabled by default for a while, but it does seem like that’s the direction it’s heading: have a TLS certificate, or non-technical users at least will not be able to visit your site at all.

Kathy:
Right. Okay. Interesting. So we’ll have a link to the article on Bleeping Computer in the show notes and there they have some specific instructions that can show you how you can test this now, so you can prepare for this to roll out end of August with Chrome 93. So you’ll want to test your site, make sure everything looks okay when this does roll.

Ram:
Indeed. In August, right?

Kathy:
Yeah. It says August 31st is when Chrome 93 is expected to be reaching stable status. So we’ll probably see it somewhere around then.

Ram:
Cool. For this next one, I actually have one of these, or at least this line of product. So I had to double-check: it’s the Western Digital My Book devices, or My Book Live devices.

Kathy:
Okay. It’s just a hard drive?

Ram:
Yeah. It’s basically a little network-attached hard drive. You plug it into your router with an ethernet cable and it gives you like a few terabytes of storage that you can access from anywhere on your network. It’s actually pretty cool. It turns out that I have the slightly later model that wasn’t impacted, which is why all my stuff is not gone.

Kathy:
Oh, nice. It looks like there was a bug, a security bug in 2018 that was patched. But a lot of people weren’t patching their My Book Lives?

Ram:
Yeah. I mean, this is a device that’s been around for a while. I think I got mine in like 2013 or something, and mine’s the newer revision. But it looks like there were two vulnerabilities in question, kind of like with that Print Spooler PrintNightmare thing. So there was one from 2018 and then there’s a zero day that attackers are also using to reset these devices. What we’re actually seeing is attackers password protecting the endpoints in question. It looks like more than one group of attackers that might be fighting over these devices and trying to use them for their botnets.

Kathy:
Oh, interesting. Wow. So if you are using one of these devices, what should someone do?

Ram:
Disconnect it from your network for the time being.

Kathy:
Gotcha. Okay. Because this is a zero day, this doesn’t have a patch?

Ram:
For the time being. Yeah.

Kathy:
Wow. Okay. Interesting. So, yeah, definitely if you are using one of these Western Digital My Book devices, it should not get to play on the internet or your home network. It just needs to go to sleep for a while, I guess. Keep it safe. Okay.

Ram:
Keep it secret.

Kathy:
Keep it secret. Keep it safe. Obscurity.

Ram:
Security through obscurity.

Kathy:
Yes, indeed. Okay. So, well that’s it for our July 2nd edition of Think Like A Hacker. We are going to take next week off because it is a holiday week here in the United States. So we will be celebrating all of the things, bombs going off. Not bombs.

Ram:
Fireworks!

Kathy:
Fireworks going off.

Ram:
Mostly illegal fireworks starting forest fires.

Kathy:
Yeah, yeah. It’s a little crazy here, but we will be celebrating and also just spending time with family and friends. So we hope that if you are celebrating that you have a safe 4th of July. And if you’re not, wherever you are in the world, we hope that it is a nice, peaceful first week of July. And we will talk to you again week after next. Thanks for listening.

Ram:
Bye.

Kathy:
Bye.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.

The post Episode 124: PrintNightmare 0Day Exploit Accidentally Leaked Online appeared first on Wordfence.

Easily Exploitable Critical Vulnerabilities Patched in ProfilePress Plugin

On May 27, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for several vulnerabilities that were discovered in ProfilePress, formerly WP User Avatar, a WordPress plugin installed on over 400,000 sites. These flaws made it possible for an attacker to upload arbitrary files to a vulnerable site and register as an administrator on sites even if user registration was disabled, all without requiring any prior authentication.

We initially reached out to the plugin’s developer on May 27, 2021. After receiving confirmation of an appropriate communication channel, we provided the full disclosure details the same day. An updated copy of the plugin was sent to our team on May 28, 2021, which we confirmed provided sufficient protection. The patch was quickly released on May 30, 2021 as version 3.1.4.

These critical and easily exploitable security issues have been patched; we therefore highly recommend updating immediately to the latest patched version available, 3.1.8, if you are running a vulnerable version of this plugin (3.1 – 3.1.3).

Wordfence Premium users received a firewall rule to protect against any exploits targeting these vulnerabilities on May 27, 2021. Sites still using the free version of Wordfence received the same protection on June 26, 2021.

We waited 30 days before disclosing these issues to ensure both Wordfence Premium and free users were protected against any exploit attempts given the severity of the issues and size of the installation base. We have also intentionally minimized the details provided on how these vulnerabilities could be exploited to delay any efforts by malicious threat actors.


Description: Unauthenticated Privilege Escalation
Affected Plugin: User Registration, User Profiles, Login & Membership – ProfilePress (Formerly WP User Avatar)
Plugin Slug: wp-user-avatar
Affected Versions: 3.1 – 3.1.3
CVE ID: CVE-2021-34621
CVSS Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: 3.1.4

ProfilePress, formerly known as WP User Avatar, is a WordPress plugin that was originally designed to be used only to upload user profile photos. Recently, however, the plugin underwent a somewhat controversial revamp. The updated plugin introduced new features like user login and registration, while keeping the original profile photo uploading functionality, in order to create a robust user registration plugin. Unfortunately, the new features introduced several security issues.

The first issue discovered allowed users to escalate their privileges, which could lead to site takeover. During user registration, users could supply arbitrary user meta data that would get updated during the registration process. This included the wp_capabilities user meta that controls a user’s capabilities and role. This made it possible for a user to supply wp_capabilities as an array parameter while registering, which would grant them the supplied capabilities, allowing them to set their role to any role they wanted, including administrator.

    if (is_array($custom_usermeta)) {

        foreach ($custom_usermeta as $key => $value) {
            if ( ! empty($value)) {
                update_user_meta($user_id, $key, $value);
                // the 'edit_profile' parameter is used to distinguish it from same action hook in RegistrationAuth
                do_action('ppress_after_custom_field_update', $key, $value, $user_id, 'registration');
            }
        }
    }

In addition, there was no check to validate that user registration was enabled on the site, making it possible for users to register as an administrator even on sites where user registration was disabled. This meant that attackers could completely take over a vulnerable WordPress site without much effort if a vulnerable version of this plugin was in use.


Description: Authenticated Privilege Escalation
Affected Plugin: User Registration, User Profiles, Login & Membership – ProfilePress (Formerly WP User Avatar)
Plugin Slug: wp-user-avatar
Affected Versions: 3.1 – 3.1.3
CVE ID: CVE-2021-34622
CVSS Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: 3.1.4

The same flaw was present in the profile update functionality, which likewise took the key/value pairs submitted during a profile update and wrote them to the user’s metadata in the database. The wp_capabilities user meta could be supplied as an array parameter set to administrator during a profile update, allowing attackers to escalate their privileges to those of an administrator.

    if (is_array($custom_usermeta)) {

        $user_id = self::get_current_user_id();

        foreach ($custom_usermeta as $key => $value) {

            update_user_meta($user_id, $key, $value);

            // the 'edit_profile' parameter is used to distinguish it from same action hook in RegistrationAuth
            do_action('ppress_after_custom_field_update', $key, $value, $user_id, 'edit_profile');
        }
    }

Exploiting this flaw required the attacker to have an account on a vulnerable site. However, since the registration function did not check whether user registration was enabled, a user could easily sign up and exploit this vulnerability if they were unable to exploit the privilege escalation during registration.
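As an added example covering both the registration and the profile-update variant above (this is not ProfilePress’s code, and the plugin’s actual patch is not reproduced here), the following PHP shows the shape of a fail-closed fix: only administrator-registered custom field keys are written, protected keys such as wp_capabilities are refused regardless, array values are dropped, and registration is refused when the site has it disabled. Function names, the `$allowedKeys` list and the sample request are hypothetical; `$usersCanRegister` stands for the site’s users_can_register option.

```php
<?php
// Added example, not ProfilePress's code: an allowlist filter for the key/value
// pairs a registration or profile-update form submits. Function names and the
// sample request are hypothetical; the real plugin's patch is not shown here.
declare(strict_types=1);

// Meta keys that must never be writable from a user-controlled form, whatever
// custom fields an administrator registers. WordPress stores them under the
// table prefix (normally "wp_"), so the prefixed form is matched too.
const PROTECTED_META_SUFFIXES = ['capabilities', 'user_level'];

function is_protected_meta_key(string $key, string $prefix = 'wp_'): bool
{
    foreach (PROTECTED_META_SUFFIXES as $suffix) {
        if ($key === $suffix || $key === $prefix . $suffix) {
            return true;
        }
    }
    return false;
}

/**
 * Keep only pairs whose key the administrator registered as a custom field and
 * which is not protected. Everything else is dropped rather than written.
 *
 * @param array<string,mixed> $submitted   raw key/value pairs from the request
 * @param string[]            $allowedKeys custom field keys the admin configured
 * @return array<string,scalar>
 */
function filter_custom_usermeta(array $submitted, array $allowedKeys, string $prefix = 'wp_'): array
{
    $clean = [];
    foreach ($submitted as $key => $value) {
        $key = (string) $key;
        if (!in_array($key, $allowedKeys, true)) {
            continue;                 // not a registered custom field
        }
        if (is_protected_meta_key($key, $prefix)) {
            continue;                 // defence in depth: never from a form
        }
        if (!is_scalar($value)) {
            continue;                 // custom field values are scalars; an array
                                      // is exactly how wp_capabilities is abused
        }
        $clean[$key] = $value;
    }
    return $clean;
}

/**
 * Registration entry point: refuse outright when the site has registration
 * turned off (the check the vulnerable versions lacked); otherwise return the
 * filtered meta the caller may pass to update_user_meta().
 */
function registration_usermeta(array $submitted, array $allowedKeys, bool $usersCanRegister): ?array
{
    if (!$usersCanRegister) {
        return null;
    }
    return filter_custom_usermeta($submitted, $allowedKeys);
}

// Constructed request modelled on the flaw above: legitimate custom fields
// next to an attempt to set wp_capabilities and wp_user_level.
$request = [
    'favourite_colour' => 'blue',
    'wp_capabilities'  => ['administrator' => true],
    'wp_user_level'    => '10',
    'city'             => 'Berlin',
];
$adminConfiguredFields = ['favourite_colour', 'city'];

// Only favourite_colour and city survive; with registration disabled, null.
print_r(registration_usermeta($request, $adminConfiguredFields, true));
var_dump(registration_usermeta($request, $adminConfiguredFields, false));
```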


Description: Arbitrary File Upload in Image Uploader Component
Affected Plugin: User Registration, User Profiles, Login & Membership – ProfilePress (Formerly WP User Avatar)
Plugin Slug: wp-user-avatar
Affected Versions: 3.1 – 3.1.3
CVE ID: CVE-2021-34623
CVSS Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: 3.1.4

In addition to the privilege escalation vulnerabilities, we found that arbitrary files, including PHP files, could be uploaded to a vulnerable WordPress site. The ability to upload profile and cover images to a user’s profile is a core part of the plugin’s functionality. Unfortunately, this function was insecurely implemented using the exif_imagetype function to determine a file’s type.

    // verify the file is a GIF, JPEG, or PNG
    $fileType = exif_imagetype($image["tmp_name"]);

    $allowed_image_type = apply_filters('ppress_allowed_image_type', array(
        IMAGETYPE_GIF,
        IMAGETYPE_JPEG,
        IMAGETYPE_PNG
    ));

The function exif_imagetype uses the first few bytes of a file, known as magic bytes, to determine a file’s type, and as such is considered an unsafe method to validate a file’s type. Any file can trivially be disguised to appear as a valid image file by adding these magic bytes to the beginning of the file. This made it possible for an attacker to upload a spoofed PHP file that would pass the exif_imagetype check during the user registration process or during a profile update.

This could be used to upload a webshell that would make it possible for an attacker to achieve remote code execution and run commands on a server to achieve complete site takeover. Due to the fact that users could register even without user registration enabled, any attacker could exploit this vulnerability without authentication by uploading a profile picture or cover image during a registration request.


Description: Arbitrary File Upload in File Uploader Component
Affected Plugin: User Registration, User Profiles, Login & Membership – ProfilePress (Formerly WP User Avatar)
Plugin Slug: wp-user-avatar
Affected Versions: 3.1 – 3.1.3
CVE ID: CVE-2021-34624
CVSS Score: 9.8 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Version: 3.1.4

In addition to the previous arbitrary file upload vulnerability, we discovered that another endpoint was also vulnerable to arbitrary file uploads. It appears that there was functionality in the plugin to upload files to a user’s profile account during user registration or during a profile update if a site was using the plugin’s “custom fields” extension.

This function performed a file extension check only if a set of extensions was supplied by a site administrator via a custom field on the registration and profile update page. This meant that if a site administrator didn’t configure file uploads for the user registration and profile page using custom fields, then any file type would be allowed due to the extensions field being empty.

This made it possible for attackers to upload arbitrary files to a site during the user registration process or during a profile update, as long as an administrator didn’t configure the file upload settings. Again, this could be used to upload a webshell and obtain remote code execution to take over a site.
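As an added example that addresses both upload flaws above (the magic-bytes-only check in the image uploader and the empty-allowlist-means-anything behaviour of the file uploader), the following PHP validator is not ProfilePress’s code: it refuses uploads when no allowlist is configured, requires an allowlisted image extension, treats exif_imagetype only as a consistency check, requires the whole body to decode as an image, and stores the file under a freshly generated name. Function names are hypothetical; it assumes the exif and gd extensions are loaded, and the sample files are constructed.

```php
<?php
// Added example, not ProfilePress's code: validate a profile/cover image upload
// by extension allowlist, content check and filename regeneration, and fail
// closed when no allowlist was configured. Function names are hypothetical.
// Assumes the exif and gd extensions are loaded.
declare(strict_types=1);

// Extension => the IMAGETYPE_* value exif_imagetype() must report for it.
const IMAGE_TYPES = [
    'gif'  => IMAGETYPE_GIF,
    'jpg'  => IMAGETYPE_JPEG,
    'jpeg' => IMAGETYPE_JPEG,
    'png'  => IMAGETYPE_PNG,
];

/**
 * Return a safe filename to store the upload under, or null to reject it.
 *
 * @param string   $clientName  filename the browser supplied (untrusted)
 * @param string   $tmpPath     path of the uploaded temporary file
 * @param string[] $allowedExts extensions the administrator configured
 */
function validate_image_upload(string $clientName, string $tmpPath, array $allowedExts): ?string
{
    // 1. Fail closed: an empty allowlist means nothing is accepted, the
    //    opposite of the "empty means anything" behaviour described above.
    if ($allowedExts === []) {
        return null;
    }
    // 2. The extension must be an image extension AND on the allowlist; the
    //    client's name is consulted only for this and then discarded.
    $ext = strtolower(pathinfo($clientName, PATHINFO_EXTENSION));
    if (!isset(IMAGE_TYPES[$ext]) || !in_array($ext, $allowedExts, true)) {
        return null;
    }
    // 3. Magic bytes are checked only for consistency with the extension;
    //    they are trivially forged, so they never decide on their own.
    if (@exif_imagetype($tmpPath) !== IMAGE_TYPES[$ext]) {
        return null;
    }
    // 4. The whole body must decode as an image, not just its header.
    $img = @imagecreatefromstring((string) file_get_contents($tmpPath));
    if ($img === false) {
        return null;
    }
    // 5. Store under a random name with the validated extension so the
    //    client's name can never influence how the web server handles the file.
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// Constructed samples: a real 1x1 GIF, and a text file wearing GIF magic bytes.
$realGif = base64_decode('R0lGODlhAQABAIAAAAAAAP///yH5BAEAAAAALAAAAAABAAEAAAIBRAA7');
$spoofed = "GIF89a" . "just text pretending to be a picture";
$cases = [
    ['avatar.gif', $realGif, ['gif', 'png']],   // accepted
    ['avatar.php', $spoofed, ['gif', 'png']],   // rejected: extension not allowed
    ['avatar.gif', $spoofed, ['gif', 'png']],   // rejected: header only, no image
    ['avatar.gif', $realGif, []],               // rejected: no allowlist configured
];
foreach ($cases as [$name, $bytes, $allow]) {
    $tmp = tempnam(sys_get_temp_dir(), 'upl');
    file_put_contents($tmp, $bytes);
    $stored = validate_image_upload($name, $tmp, $allow);
    printf("%-12s allow=%-14s -> %s\n", $name, json_encode($allow), $stored ?? 'rejected');
    unlink($tmp);
}
```

Inside WordPress, the same policy is what wp_handle_upload() with a restricted `mimes` argument enforces; the point of the standalone version is that the extension check, the content check and the rename each close a gap the others leave open.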

Disclosure Timeline

May 27, 2021 – Conclusion of the plugin analysis that led to the discovery of several vulnerabilities in the ProfilePress plugin. We develop a firewall rule to protect Wordfence customers and release it to Wordfence Premium users.
May 27, 2021 6:27 PM UTC – We initiate contact with the plugin developer.
May 27, 2021 6:52 PM UTC – The plugin developer confirms the inbox for handling discussion.
May 27, 2021 9:23 PM UTC – We send over full disclosure details.
May 27, 2021 9:27 PM UTC – The plugin developer confirms they have received the details and will begin working on a fix.
May 28, 2021 7:16 AM UTC – The plugin developer sends us a copy of the proposed patches.
May 28, 2021 12:48 PM UTC – We inform the developer that we will review the patches and get back to them as soon as our analysis is complete.
May 28, 2021 3:44 PM UTC – We confirm the patches are sufficient and inform the developer.
May 30, 2021 – A newly updated version of the plugin containing the patches is released.
June 26, 2021 – Free Wordfence users receive firewall rules.

Conclusion

In today’s post, we detailed several critical flaws in ProfilePress that granted attackers the ability to upload malicious files to achieve remote code execution in addition to registering as an administrator. These flaws have been fully patched in version 3.1.4. We recommend that users immediately update to the latest version available, which is version 3.1.8 at the time of this publication, if they are running a vulnerable version of the plugin (3.1 – 3.1.3).

Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on May 27, 2021. Sites still using the free version of Wordfence received the same protection on June 26, 2021.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as these are critical severity vulnerabilities that can be easily exploited.

Special thanks to Collins at ProfilePress for working quickly to get a sufficient patch out to protect users.

The post Easily Exploitable Critical Vulnerabilities Patched in ProfilePress Plugin appeared first on Wordfence.
