Unauthenticated XSS Vulnerability Patched in HTML Email Template Designer Plugin

On December 23, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “WordPress Email Template Designer – WP HTML Mail”, a WordPress plugin that is installed on over 20,000 sites. This flaw made it possible for an unauthenticated attacker to inject malicious JavaScript that would execute whenever a site administrator accessed the template editor. This vulnerability would also allow them to modify the email template to contain arbitrary data that could be used to perform a phishing attack against anyone who received emails from the compromised site.

Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on December 23, 2021. Sites still using the free version of Wordfence will receive the same protection on January 22, 2022.

We sent the full disclosure details to the developer on January 10, 2022, after multiple attempts to contact the developer and eventually receiving a response. The developer quickly acknowledged the report and released a patch on January 13, 2022.

We strongly recommend ensuring that your site has been updated to the latest patched version of “WordPress Email Template Designer – WP HTML Mail”, which is version 3.1 at the time of this publication.

Description: Unprotected REST-API Endpoint to Unauthenticated Stored Cross-Site Scripting and Data Modification
Affected Plugin: WordPress Email Template Designer – WP HTML Mail
Plugin Slug: wp-html-mail
Plugin Developer: codemiq
Affected Versions: <= 3.0.9
CVE ID: CVE-2022-0218
CVSS Score: 8.3 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Chloe Chamberland
Fully Patched Version: 3.1

WP HTML Mail is a WordPress plugin developed to make designing custom emails simpler for WordPress site owners. It is compatible with various WordPress plugins like WooCommerce, Ninja Forms, BuddyPress, and more. The plugin registers two REST-API routes which are used to retrieve email template settings and update email template settings. Unfortunately, these were insecurely implemented, making it possible for unauthenticated users to access these endpoints.

More specifically, the plugin registers the /themesettings endpoint, which calls the saveThemeSettings function or the getThemeSettings function depending on the request method. The REST-API endpoint did use a permission_callback; however, it was set to __return_true, which meant that no authentication was required to execute the functions. Therefore, any user could call the REST-API endpoint to save the email’s theme settings or retrieve the email’s theme settings.

    public function rest_api_init() {
        register_rest_route( $this->api_base, '/themesettings', array(
            'methods'             => 'GET',
            'callback'            => [ $this, 'getThemeSettings' ],
            'permission_callback' => '__return_true' // no authentication or capability check
        ));

        register_rest_route( $this->api_base, '/themesettings', array(
            'methods'             => 'POST',
            'callback'            => [ $this, 'saveThemeSettings' ],
            'permission_callback' => '__return_true' // same for the route that saves settings
        ));
    }

As this functionality was designed to implement setting changes for the email template, an unauthenticated user could easily make changes to the email template that could aid in phishing attempts against users that receive emails from the targeted site. Worse yet, unauthenticated attackers could inject malicious JavaScript into the mail template that would execute anytime a site administrator accessed the HTML mail editor.
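As an added example (not the plugin’s own code), here are the same two routes registered with a permission_callback that actually checks a capability before either callback runs. The class name, the 'wp-html-mail/v1' namespace, the option name and the choice of the manage_options capability are assumptions for the example.

```php
<?php
// Added example, not the plugin's code: the two /themesettings routes from
// the post, re-registered with a permission_callback that checks a capability.
// The class name, the 'wp-html-mail/v1' namespace, the option name and the
// choice of 'manage_options' are assumptions for the example.
class WPHM_Theme_Settings_Routes {
    private $api_base    = 'wp-html-mail/v1';             // assumed namespace
    private $option_name = 'wphm_theme_settings_example'; // assumed option name

    public function rest_api_init() {
        register_rest_route( $this->api_base, '/themesettings', array(
            'methods'             => 'GET',
            'callback'            => array( $this, 'getThemeSettings' ),
            'permission_callback' => array( $this, 'can_manage_settings' ),
        ) );

        register_rest_route( $this->api_base, '/themesettings', array(
            'methods'             => 'POST',
            'callback'            => array( $this, 'saveThemeSettings' ),
            'permission_callback' => array( $this, 'can_manage_settings' ),
        ) );
    }

    // Runs before either callback. REST requests carry identity via the
    // logged-in cookie plus X-WP-Nonce, or an application password; with
    // neither, current_user_can() is false and the request is refused with
    // 401 (anonymous) or 403 (logged in but under-privileged).
    public function can_manage_settings( WP_REST_Request $request ) {
        if ( ! current_user_can( 'manage_options' ) ) {
            return new WP_Error(
                'rest_forbidden',
                __( 'You are not allowed to edit email template settings.', 'wp-html-mail' ),
                array( 'status' => rest_authorization_required_code() )
            );
        }
        return true;
    }

    public function getThemeSettings( WP_REST_Request $request ) {
        return rest_ensure_response( get_option( $this->option_name, array() ) );
    }

    public function saveThemeSettings( WP_REST_Request $request ) {
        $settings = $request->get_json_params();
        if ( ! is_array( $settings ) ) {
            return new WP_Error( 'rest_invalid_param', 'Expected a JSON object.', array( 'status' => 400 ) );
        }
        // Stored values are rendered back into the template editor, so strip
        // script-bearing markup on the way in. This is a second line of
        // defence behind the permission check, not a replacement for it.
        $clean = map_deep( $settings, function ( $value ) {
            return is_string( $value ) ? wp_kses_post( $value ) : $value;
        } );
        update_option( $this->option_name, $clean );
        return rest_ensure_response( $clean );
    }
}

add_action( 'rest_api_init', array( new WPHM_Theme_Settings_Routes(), 'rest_api_init' ) );
```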

As always, cross-site scripting vulnerabilities can be used to inject code that can add new administrative users, redirect victims to malicious sites, inject backdoors into theme and plugin files, and so much more. Combined with the fact that the vulnerability can be exploited by attackers with no privileges on a vulnerable site, this means that there is a high chance that unauthenticated attackers could gain administrative user access on sites running the vulnerable version of the plugin when successfully exploited. As such, we strongly recommend that you verify that your site is running the most up to date version of the plugin immediately.

Timeline

December 23, 2021 – Conclusion of the plugin analysis that led to the discovery of a Stored Cross-Site Scripting Vulnerability in the “WordPress Email Template Designer – WP HTML Mail” plugin. We develop and release a firewall rule to protect Wordfence users. Wordfence Premium users receive this rule immediately. We attempt to initiate contact with the developer.
January 4, 2022 – We send an additional outreach attempt to the developer.
January 10, 2022 – The developer confirms the inbox for handling the discussion. We send over the full disclosure details.
January 11, 2022 – The developer acknowledges the report and indicates that they will work on a fix.
January 13, 2022 – A fully patched version of the plugin is released as version 3.1.
January 22, 2022 – The firewall rule becomes available to free Wordfence users.

Conclusion

In today’s post, we detailed a flaw in the “WordPress Email Template Designer – WP HTML Mail” plugin that made it possible for unauthenticated attackers to inject malicious web scripts that would execute whenever a site owner accessed the plugin’s mail editor area, which could lead to complete site compromise. This flaw has been fully patched in version 3.1.

We recommend that WordPress site owners immediately verify that their site has been updated to the latest patched version available, which is version 3.1 at the time of this publication.

Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on December 23, 2021. Sites still using the free version of Wordfence will receive the same protection on January 22, 2022.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a serious vulnerability that can lead to complete site takeover.

If your site has been compromised by an attack on this or any other plugin, our Professional Site Cleaning services can help you get back in business.

The post Unauthenticated XSS Vulnerability Patched in HTML Email Template Designer Plugin appeared first on Wordfence.

84,000 WordPress Sites Affected by Three Plugins With The Same Vulnerability

On November 5, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Login/Signup Popup”, a WordPress plugin that is installed on over 20,000 sites. A few days later we discovered the same vulnerability present in two additional plugins developed by the same author: “Side Cart Woocommerce (Ajax)”, installed on over 60,000 sites, and “Waitlist Woocommerce ( Back in stock notifier )”, installed on over 4,000 sites. This flaw made it possible for an attacker to update arbitrary site options on a vulnerable site, provided they could trick a site’s administrator into performing an action, such as clicking on a link.

All Wordfence users, including Wordfence Premium customers and free Wordfence users are protected against any attackers attempting to exploit this vulnerability. Wordfence Premium users received a firewall rule to protect against any exploits targeting these vulnerabilities on November 5, 2021. Sites still using the free version of Wordfence received the same protection on December 5, 2021.

We sent the full disclosure details on November 5, 2021, after the developer confirmed the appropriate channel to handle communications. After several follow-ups a patched version of “Login/Signup Popup” was released on November 24, 2021, while patched versions of “Side Cart Woocommerce (Ajax)” and “Waitlist Woocommerce ( Back in stock notifier )” were released on December 17, 2021.

We strongly recommend ensuring that your site has been updated to the latest patched version of any of these plugins, which is version 2.3 for “Login/Signup Popup”, version 2.5.2 for “Waitlist Woocommerce ( Back in stock notifier )”, and version 2.1 for “Side Cart Woocommerce (Ajax)” at the time of this publication.

Description: Cross-Site Request Forgery to Arbitrary Options Update
Affected Plugins: Login/Signup Popup | Waitlist Woocommerce ( Back in stock notifier ) | Side Cart Woocommerce (Ajax)
Plugin Slugs: easy-login-woocommerce | waitlist-woocommerce | side-cart-woocommerce
Plugin Developer: XootiX
Affected Versions: <= 2.2 | <= 2.5.1 | <= 2.0
CVE ID: CVE-2022-0215
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Versions: 2.3 | 2.5.2 | 2.1

All three of the affected plugins by XootiX are designed to provide enhanced features to WooCommerce sites. The Login/Signup Popup plugin was designed to add login and signup pop-ups to both standard sites and WooCommerce-powered sites, while the Waitlist WooCommerce plugin was designed to add a product waitlist and notifier for out-of-stock items, and Side Cart Woocommerce was designed to make shopping carts available from anywhere on a site, all powered via AJAX.

The vulnerability is simple. All three plugins register the save_settings function, which is initiated via a wp_ajax action. This function was missing a nonce check, which meant that there was no validation that the request actually originated from the logged-in user rather than from a page controlled by someone else.

    public function save_settings(){

        // Capability check only: there is no nonce check, so a forged
        // cross-site request carrying an administrator's cookies passes.
        if( !current_user_can( $this->capability ) ) return;

        $formData = array();

        $parseFormData = parse_str( $_POST['form'], $formData );

        // Every key in the submitted form becomes an option name.
        foreach ( $formData as $option_key => $option_data ) {

            $option_data = array_map( 'sanitize_text_field', stripslashes_deep( $option_data ) );

            update_option( $option_key, $option_data );

        }

        wp_send_json(array(
            'error'  => 0,
            'notice' => 'Settings Saved',
        ));
    }

This made it possible for an attacker to craft a request that would trigger the AJAX action and execute the function. If the attacker could successfully trick a site’s administrator into performing an action like clicking on a link or browsing to a certain website, while the administrator was authenticated to the target site, then the request would be successfully sent and trigger the action which would allow the attacker to update arbitrary options on that website.

Arbitrary Options Update vulnerabilities make it possible for attackers to update any option on the WordPress website. Attackers frequently abuse these to set the user_can_register option to true and the default_role option to administrator so that they can register on the vulnerable site as an administrator and completely take it over.

Though this Cross-Site Request Forgery (CSRF) vulnerability is less likely to be exploited due to the fact that it requires administrator interaction, it can have a significant impact on a successfully exploited site and, as such, it serves as an incredibly important reminder to remain aware when clicking on links or attachments and to ensure that you are regularly keeping your plugins and themes up to date.
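As an added example (not XootiX’s code), here is a version of the same handler with a nonce check in front of the capability check, together with the admin-side enqueue that hands the nonce to the page, and a whitelist so the handler can only write the options it owns. The class name, AJAX action name, script handle and option keys are assumptions for the example.

```php
<?php
// Added example, not XootiX's code: save_settings with a nonce check ahead of
// the capability check, plus the enqueue that delivers the nonce to the admin
// page. Class name, action name, script handle and option keys are assumptions.
class Xoo_Settings_Example {
    private $capability = 'manage_options';
    // Only these keys may be written. Without a whitelist the handler is a
    // generic "update any option" primitive even for a legitimate admin.
    private $allowed_options = array( 'xoo_el_login_popup', 'xoo_el_signup_popup' ); // assumed keys

    public function __construct() {
        add_action( 'wp_ajax_xoo_save_settings', array( $this, 'save_settings' ) );
        add_action( 'admin_enqueue_scripts', array( $this, 'enqueue' ) );
    }

    public function enqueue( $hook ) {
        wp_enqueue_script( 'xoo-settings', plugins_url( 'settings.js', __FILE__ ), array( 'jquery' ), '1.0', true );
        // The nonce reaches the browser inside this page only; a page on an
        // attacker's origin cannot read it, so it cannot forge a valid request.
        // settings.js is expected to POST: action=xoo_save_settings,
        // security=xooSettings.nonce, form=<serialized settings form>.
        wp_localize_script( 'xoo-settings', 'xooSettings', array(
            'ajax_url' => admin_url( 'admin-ajax.php' ),
            'nonce'    => wp_create_nonce( 'xoo_save_settings' ),
        ) );
    }

    public function save_settings() {
        // 1. Request integrity: the nonce proves the POST came from a page this
        //    site rendered for this user. On failure this dies with -1.
        check_ajax_referer( 'xoo_save_settings', 'security' );

        // 2. Authorization of the user.
        if ( ! current_user_can( $this->capability ) ) {
            wp_send_json_error( array( 'notice' => 'Insufficient permissions' ), 403 );
        }

        $formData = array();
        parse_str( wp_unslash( isset( $_POST['form'] ) ? $_POST['form'] : '' ), $formData );

        foreach ( $formData as $option_key => $option_data ) {
            // 3. Only known option keys are written; anything else is dropped.
            if ( ! in_array( $option_key, $this->allowed_options, true ) ) {
                continue;
            }
            // map_deep handles scalar and nested values alike, unlike array_map.
            $option_data = map_deep( $option_data, 'sanitize_text_field' );
            update_option( $option_key, $option_data );
        }

        wp_send_json_success( array( 'notice' => 'Settings Saved' ) );
    }
}

new Xoo_Settings_Example();
```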

Timeline

November 5, 2021 – Conclusion of the plugin analysis that led to the discovery of a CSRF to Arbitrary Option Update vulnerability in the Login/Signup Popup plugin. We develop and release a firewall rule to protect Wordfence users. Wordfence Premium users receive this rule immediately. We initiate contact with the developer and provide full disclosure on the same day.
November 10, 2021 – We follow-up with the developer to inform them that both “Side Cart Woocommerce (Ajax)” and “Waitlist Woocommerce ( Back in stock notifier )” plugins are also affected by the same vulnerability.
November 19, 2021 – We follow-up with the developer to check on the status of the patches.
November 24, 2021 – A patched version of “Login/Signup Popup” is released as version 2.3.
November 24, 2021 – December 13, 2021 – We attempt to follow up with the developer about patches for the remaining two plugins.
December 5, 2021 – The firewall rule becomes available to free Wordfence users.
December 17, 2021 – A patched version of “Waitlist Woocommerce ( Back in stock notifier )” is released as 2.5.2, and a patched version of “Side Cart Woocommerce (Ajax)” is released as version 2.1.

Conclusion

In today’s post, we detailed a flaw present in three plugins developed by the same developer that would make it possible for attackers to gain administrative access to sites when successfully exploited. This flaw has been fully patched in all three plugins.

We recommend that WordPress users immediately verify that their site has been updated to the latest patched version available for each of these plugins, which is version 2.3 for “Login/Signup Popup”, version 2.5.2 for “Waitlist Woocommerce ( Back in stock notifier )”, and version 2.1 for “Side Cart Woocommerce (Ajax)” at the time of this publication.

All Wordfence users, including Wordfence Premium customers and free Wordfence users are protected against this vulnerability. Wordfence Premium users received a firewall rule to protect against any exploits targeting these vulnerabilities on November 5, 2021. Sites still using the free version of Wordfence received the same protection on December 5, 2021.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a serious vulnerability that can lead to complete site takeover.

If your site has been compromised by an attack on this or any other plugin, our Professional Site Cleaning services can help you get back in business.


WordPress 5.8.3 Security Release

On January 6, 2022, the WordPress core team released WordPress version 5.8.3, which contains security patches for 4 high-severity vulnerabilities. These patches were backported to every version of WordPress since 3.7.

WordPress has supported automatic core updates for security releases since WordPress 3.7, and the vast majority of WordPress sites will have received these patches automatically and are no longer vulnerable.

Let me repeat that. Most WordPress sites are not in danger from these vulnerabilities, thanks to the WordPress core team deploying patches to all sites that allow automatic core updates for security patches, which is the default behavior.

Sites on read-only filesystems as well as sites that have explicitly disabled automatic core updates via setting define( 'WP_AUTO_UPDATE_CORE', false ); in wp-config.php may not yet have updated, and we urge owners of these sites to do so as soon as possible.

Vulnerability Analysis

As with every WordPress core release containing security fixes, the Wordfence Threat Intelligence team analyzed the code changes in detail to evaluate the impact of these vulnerabilities on our customers, and to ensure our customers remain secure. Wordfence protects against all vulnerabilities addressed in this release of WordPress core, and as an additional precaution we have released a new firewall rule to protect against the cross-site scripting vulnerability that was fixed in this release. This rule has been deployed to Wordfence Premium users.

Even if you are running Wordfence Premium, we encourage you to update WordPress core on all your sites at your earliest convenience, if you have not already been automatically updated.


Description: SQL Injection via WP_Query
Affected Versions: WordPress Core < 5.8.3
CVE ID: CVE-2022-21661
CVSS Score: 8.0 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Fully Patched Version: 5.8.3
Researcher/s: ngocnb and khuyenn from GiaoHangTietKiem JSC

This vulnerability is not exploitable directly via WordPress core, but some plugins and themes may use WP_Query in a way that allows SQL injection. The Wordfence firewall’s built-in SQL injection protection blocks attempts to exploit this vulnerability.


Description: Author+ Stored XSS via Post Slugs
Affected Versions: WordPress Core < 5.8.3
CVE ID: CVE-2022-21662
CVSS Score: 8.0 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:L/UI:R/S:C/C:H/I:H/A:H
Fully Patched Version: 5.8.3
Researcher/s: Karim El Ouerghemmi and Simon Scannell of SonarSource

As with most XSS vulnerabilities, this vulnerability could be used to completely take over a site, or to add a malicious backdoor. However, it can only be exploited by users with the ability to publish posts.

This vulnerability allows Authors and WooCommerce Shop Owners to add scripts to a site, but both roles are relatively trusted.

Contributors or most other custom roles are not able to exploit the vulnerability, and it does not meaningfully increase the attack surface on a site with only Administrator or Editor users, as both already have the unfiltered_html capability and can add JavaScript to posts.

Nonetheless, the Wordfence Threat Intelligence team has released a firewall rule protecting against this exploit to our Premium users. This firewall rule will become available to free Wordfence users after 30 days, on February 7, 2022.


Description: Blind SQL Injection via WP_Meta_Query
Affected Versions: WordPress Core 4.1 – 5.8.2
CVE ID: CVE-2022-21664
CVSS Score: 7.4 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:L
Fully Patched Version: 5.8.3
Researcher/s: Ben Bidner from the WordPress security team

As with the SQL Injection via WP_Query, the Wordfence firewall’s built-in SQL injection protection blocks attempts to exploit this vulnerability.


Description: Super Admin Object Injection in Multisites
Affected Versions: WordPress Core < 5.8.3
CVE ID: CVE-2022-21663
CVSS Score: 6.6 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:U/C:H/I:H/A:H
Fully Patched Version: 5.8.3
Researcher/s: Simon Scannell of SonarSource

This issue requires Super Administrator privileges to exploit, and only Multisite WordPress sites are vulnerable. Because this is only exploitable by the website super admin, which is the root user of a Multisite installation, we don’t currently consider this a vulnerability for practical purposes. This issue would only impact sites that are extremely locked down, where even Super Administrators are not allowed to execute arbitrary code, which is extremely rare. As with all Object Injection vulnerabilities, it would also require the presence of a separate POP chain in order to exploit. While the impact of an Object Injection vulnerability can be critical, this issue, in our view, impacts very few sites because the configuration that makes it exploitable is extremely rare.

Conclusion

In today’s article, we covered four vulnerabilities patched in the WordPress 5.8.3 security release. The vast majority of actively used WordPress sites have already been patched via automatic updates, and any sites that remain vulnerable would only be exploitable under very specific circumstances. The Wordfence firewall provides protection against these vulnerabilities.

Despite this, we strongly recommend updating your site to a patched version of WordPress if it hasn’t been updated automatically. As long as you are running a version of WordPress greater than 3.7, an update is available to patch these vulnerabilities while keeping you on the same major version, so you should not have to worry about compatibility issues.


1.6 Million WordPress Sites Hit With 13.7 Million Attacks In 36 Hours From 16,000 IPs

Today, on December 9, 2021, our Threat Intelligence team noticed a drastic uptick in attacks targeting vulnerabilities that make it possible for attackers to update arbitrary options on vulnerable sites. This led us into an investigation which uncovered an active attack targeting over a million WordPress sites. Over the past 36 hours, the Wordfence network has blocked over 13.7 million attacks targeting four different plugins and several Epsilon Framework themes across over 1.6 million sites and originating from over 16,000 different IP addresses.

Wordfence Premium Users are protected against any exploit attempts targeting all of these vulnerabilities. Wordfence free users are protected against attacks targeting all of the vulnerabilities except for the recently disclosed vulnerability in PublishPress Capabilities. Wordfence Premium users received a firewall rule for the Unauthenticated Arbitrary Options Update vulnerability in PublishPress Capabilities on December 6th, 2021, and sites still running the free version of Wordfence will receive the firewall rule on January 6, 2021.

A Closer Look at the Attack Data

Attackers are targeting 4 individual plugins with Unauthenticated Arbitrary Options Update Vulnerabilities. The four plugins consist of Kiwi Social Share, which has been patched since November 12, 2018, WordPress Automatic and Pinterest Automatic which have been patched since August 23, 2021, and PublishPress Capabilities which was recently patched on December 6, 2021. In addition, they are targeting a Function Injection vulnerability in various Epsilon Framework themes in an attempt to update arbitrary options.

In most cases, the attackers are updating the users_can_register option to enabled and setting the default_role option to `administrator`. This makes it possible for attackers to register on any site as an administrator, effectively taking over the site.

Our attack data indicates that there was very little activity from attackers targeting any of these vulnerabilities until December 8, 2021. This leads us to believe that the recently patched vulnerability in PublishPress Capabilities may have sparked attackers to target various Arbitrary Options Update vulnerabilities as part of a massive campaign.

The top 10 offending IPs over the past 36 hours include:


How Can I Keep My Site Protected?

Due to the severity of these vulnerabilities and the massive campaign targeting them, it is incredibly important to ensure your site is protected from compromise. If your site is running Wordfence Premium then it is already protected against any exploit attempts targeting any of these vulnerabilities. If your site is running the free version of Wordfence then it is protected against any exploits targeting any of the vulnerabilities, with the exception of the recently patched vulnerability in PublishPress Capabilities. Sites running Wordfence Free will receive the firewall rule for PublishPress Capabilities on January 6, 2021, which is 30 days after Wordfence Premium users.

Regardless of the protection that Wordfence provides, we strongly recommend ensuring that any sites running one of these plugins or themes have been updated to the patched version. We have the affected versions of each product outlined below. Please ensure that your sites are running a version higher than any of the ones listed. Simply updating the plugins and themes will ensure that your site stays safe from compromise against any exploits targeting these vulnerabilities.

The following are the affected plugins and their versions:

The following are the affected Epsilon Framework theme versions:

How Do I Know If My Site Has Been Infected and What Should I do?

As previously stated, the attackers are updating the users_can_register option to enabled and setting the default_role option to `administrator` in most cases.

To determine if a site has been compromised by these vulnerabilities, we recommend reviewing the user accounts on the site to determine if there are any unauthorized user accounts. If the site is running a vulnerable version of any of the four plugins or various themes, and there is a rogue user account present, then the site was likely compromised via one of these plugins. Please remove any detected user accounts immediately.

It is also important to review the settings of the site and ensure that they have been set back to their original state. You can find these settings by going to the http://examplesite[.]com/wp-admin/options-general.php page. Please make sure the `Membership` setting is correctly set to enabled or disabled, depending on your site, and validate that the `New User Default Role` is appropriately set. We strongly recommend not using `Administrator` for the new user default role as this can lead to inevitable site compromise.
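The checks above, as an added example that is not part of the original post: a read-only audit script that reports the two option values the campaign changes and any privileged accounts registered recently. It bootstraps WordPress through wp-load.php, so run it from the site root with `php audit-options.php`. The 7-day window, the expected `subscriber` default role and the roles treated as privileged are assumptions.

```php
<?php
// Added example, not part of the post: a read-only audit for the indicators
// the post describes (users_can_register, default_role, rogue privileged
// accounts). Run from the site root with `php audit-options.php`; it
// bootstraps WordPress through wp-load.php. The 7-day window, the expected
// 'subscriber' default role and the roles treated as privileged are assumptions.
require __DIR__ . '/wp-load.php';

// Returns human-readable findings for the two options the campaign rewrites.
function audit_registration_options() {
    $findings = array();
    if ( get_option( 'users_can_register' ) ) {
        $findings[] = "users_can_register is enabled (Settings > General > 'Membership')";
    }
    $role = get_option( 'default_role' );
    if ( 'subscriber' !== $role ) {
        $findings[] = "default_role is '{$role}' ('New User Default Role'; "
                    . "'administrator' here is the pattern the post describes)";
    }
    return $findings;
}

// Lists administrator/editor accounts registered within the last $days days.
// user_registered is stored in UTC, hence gmdate().
function audit_recent_privileged_users( $days = 7 ) {
    $since = gmdate( 'Y-m-d H:i:s', time() - $days * DAY_IN_SECONDS );
    $users = get_users( array(
        'role__in'   => array( 'administrator', 'editor' ),
        'date_query' => array( array( 'after' => $since ) ),
        'orderby'    => 'registered',
        'order'      => 'DESC',
    ) );
    $rows = array();
    foreach ( $users as $u ) {
        $rows[] = sprintf( '%s <%s> registered %s roles=%s',
            $u->user_login, $u->user_email, $u->user_registered, implode( ',', $u->roles ) );
    }
    return $rows;
}

$option_findings = audit_registration_options();
$new_privileged  = audit_recent_privileged_users( 7 );

echo $option_findings
    ? "Option findings:\n  " . implode( "\n  ", $option_findings ) . "\n"
    : "Registration options look normal.\n";
echo $new_privileged
    ? "Privileged accounts created in the last 7 days (verify each against your own records):\n  "
      . implode( "\n  ", $new_privileged ) . "\n"
    : "No privileged accounts created in the last 7 days.\n";
// Any hit is a lead, not proof of compromise: confirm against your own change
// history, then follow the cleaning guide the post links for a full scan.
```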

Please review this guide to cleaning a hacked site with Wordfence to complete the clean of the site once the intrusion vector has been determined and the immediate issues have been resolved. If the entire site is not scanned and cleaned to ensure there are no additional backdoors, it may be possible for an attacker to regain access to the site.

If you would like assistance in cleaning a site compromised by one of these plugins, we recommend using our Professional Site Cleaning services to help get your site back online.

Conclusion

In today’s post, we detailed an active attack campaign targeting various plugins and themes that make it possible for attackers to effectively take over the vulnerable sites through the use of arbitrary option updating. We strongly recommend ensuring that all of your sites have been updated to the patched versions of the plugins and themes.

We also recommend that you share this post within the WordPress community to create awareness among site owners about this attack campaign and how to defend against it.

We may update this post as we receive new information.


Authentication Bypass Vulnerability Patched in User Registration Plugin

Note: To receive disclosures like this in your inbox the moment they’re published, you can subscribe to our WordPress Security Mailing List.

On September 16, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “RegistrationMagic – Custom Registration Forms, User Registration and User Login”, a WordPress plugin that is installed on over 10,000 sites. This flaw made it possible for unauthenticated attackers to log in as any user, including administrative users, on an affected site as long as a valid username or email address was known to the attacker and a login form created with the plugin existed on the site.

On September 15, 2021, we released a firewall rule to protect Wordfence Premium customers from any attacks trying to exploit this vulnerability. This rule became available to free Wordfence users 30 days later, on October 15, 2021.

We sent the full disclosure details on September 16, 2021, after the developer confirmed the appropriate channel to handle communications. On September 25, 2021, their team replied indicating that the issue was resolved, which unfortunately was not the case. We continued to work with them to get the issue fixed. The release of plugin version 5.0.1.6 on November 1, 2021 addressed the problem but did not result in a full fix. After informing the WordPress plugins team of this vulnerability, we continued to follow up with both teams to make sure a patched version would be released. The vulnerability has been fully fixed as of version 5.0.1.8 released on November 25, 2021.

We strongly recommend ensuring that your site has been updated to the latest patched version of “RegistrationMagic – Custom Registration Forms, User Registration and User Login Plugin,” which is version 5.0.1.8 at the time of this publication.

Description: Authentication Bypass
Affected Plugin: RegistrationMagic – Custom Registration Forms, User Registration and User Login Plugin
Plugin Slug: custom-registration-form-builder-with-submission-manager
Affected Versions: <= 5.0.1.7
CVE ID: CVE-2021-4073
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Marco Wotschka and Chloe Chamberland
Fully Patched Version: 5.0.1.8

RegistrationMagic – Custom Registration Forms, User Registration and User Login Plugin is a WordPress plugin designed to allow for the creation of login and registration forms, facilitate user management including roles, and provide bulk emailing and integration with third parties for login. The plugin registers various AJAX actions to assist with these functionalities.

Unfortunately, one of these actions, intended to facilitate user logins via third party social providers such as Facebook, was insecurely implemented, making it possible for unauthenticated attackers to gain administrative access to an affected site on the condition that a login form created with the plugin was actively published on the site and an administrator’s email or username was known to the attacker.

Vulnerability Details

In order to exploit this vulnerability, a valid nonce was required, which could easily be obtained by accessing a login/registration page with a form generated by RegistrationMagic. On pages that had the login or signup shortcodes added, the nonce needed to exploit this vulnerability could be found in the generated source code of the page. It can reasonably be assumed that most site owners have a registration or login form enabled given the functionality of the plugin so this condition would almost always be met on sites using the plugin.

Taking a closer look, the AJAX action wp_ajax_nopriv_rm_login_social_user used for social logins is mapped to the function social_login_using_email with the following code:

public function social_login_using_email($user_email = null, $user_fname = null, $type = null) {
    $ajax_check = check_ajax_referer('rm-social-login-security', 'security'); // Check referer validity
    if ($ajax_check == false) {
        $resp = array('code' => 'denied', 'msg' => __('Request denied', 'custom-registration-form-builder-with-submission-manager'));
        echo json_encode($resp);
        die;
    }
    // Identity is taken straight from the POST body; nothing verifies it.
    if (isset($_POST['email']))
        $user_email = $_POST['email'];
    if (isset($_POST['first_name']))
        $user_fname = $_POST['first_name'];
    else
        $user_fname = null;
    $type = isset($_POST['type']) ? $_POST['type'] : '';
    $user_model = new RM_User;
    $gopts = new RM_Options;
    $resp = array('code' => 'allowed', 'msg' => '');
    $login_service = new RM_Login_Service();
    // error_log($user_email); error_log($user_fname);
    $user = $user_email;
    if ($user_email != null) {
        if (email_exists($user_email)) { // user is a member
            $user = get_user_by('email', $user_email);
            $user_id = (int) $user->data->ID;
            $is_disabled = (int) get_user_meta($user_id, 'rm_user_status', true);

            if (!$is_disabled) {
                //$login_service->insert_login_log(array('email'=>$user->user_email,'ip'=> $_SERVER['REMOTE_ADDR'],'time'=> current_time('timestamp'),'status'=>1,'type'=>'social:'.$type,'result'=>'success'));
                $login_service->insert_login_log(array('email' => $user->user_email, 'username_used' => $user_email, 'ip' => $_SERVER['REMOTE_ADDR'], 'time' => current_time('timestamp'), 'status' => 1, 'type' => 'social', 'result' => 'success', 'social_type' => $type));
                // Logs in as whichever account matches the supplied email.
                wp_set_auth_cookie($user_id, true);
            }
            // ... remainder of the function omitted from the excerpt
        }
    }
}

This function accepted an email address or username as input along with a type, which was used later in the function for logging purposes. A quick nonce check was performed as a security measure, and if the nonce was present in the POST request and valid, the check would pass. The lines that follow stored the email, username and type in variables for later use in the function.

If the $user_email variable was not empty, the function checked with email_exists() that the address belonged to a user on the site. If it did, it loaded that user, read the user’s ID and checked the rm_user_status user meta to ensure the account had not been disabled. If the account was not disabled, wp_set_auth_cookie($user_id, true) set a persistent authentication cookie for that user, effectively logging the requester in as the account identified by the supplied email address.

Unfortunately, nothing verified that the requester actually controlled the supplied identity: the function accepted no token or assertion from a social provider at all, only an email address. This made it possible for unauthenticated visitors to supply arbitrary email addresses and assume the identity of any user account present on the affected site, including administrative accounts, which would allow attackers to completely take over affected WordPress instances.

An attacker could therefore send a POST request to a vulnerable site, for example to https://example.com/wp-admin/admin-ajax.php, with the “action” parameter set to “rm_login_social_user”, the “email” parameter set to “admin@example.com” and the “security” parameter containing the nonce taken from the login page, and would receive authentication cookies for the user identified by the email address admin@example.com, provided such a user account existed and was not disabled.
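The root cause is that the identity to log in as is read from $_POST and believed. The handler below is an added example written for this article, not the plugin’s code and not its actual patch: it shows how the same AJAX entry point can be written so that the server only issues a session for an identity that the identity provider has vouched for. It assumes a Google sign-in flow in which the browser posts Google’s ID token, and validates that token against Google’s documented tokeninfo endpoint before matching the verified email to a WordPress user. The action name rm_example_social_login, the nonce action rm-example-social-login and the constant RM_EXAMPLE_GOOGLE_CLIENT_ID are placeholders.

```php
<?php
// Added example (not the plugin's code or patch): a social login AJAX handler
// that authenticates the asserted identity before issuing a WordPress session.
// Assumes a Google sign-in flow; RM_EXAMPLE_GOOGLE_CLIENT_ID is a placeholder.

define( 'RM_EXAMPLE_GOOGLE_CLIENT_ID', '1234567890-example.apps.googleusercontent.com' );

add_action( 'wp_ajax_nopriv_rm_example_social_login', 'rm_example_social_login' );
add_action( 'wp_ajax_rm_example_social_login', 'rm_example_social_login' );

/**
 * Validate a Google ID token via Google's tokeninfo endpoint and return the
 * verified email address, or a WP_Error. The token, never an email address,
 * is the only identity input accepted from the client.
 */
function rm_example_verified_google_email( $id_token ) {
    if ( ! is_string( $id_token ) || '' === $id_token || strlen( $id_token ) > 4096 ) {
        return new WP_Error( 'bad_token', 'Missing ID token.' );
    }

    $response = wp_remote_get(
        'https://oauth2.googleapis.com/tokeninfo?id_token=' . rawurlencode( $id_token ),
        array( 'timeout' => 10 )
    );
    if ( is_wp_error( $response ) || 200 !== wp_remote_retrieve_response_code( $response ) ) {
        return new WP_Error( 'invalid_token', 'Token rejected by the identity provider.' );
    }

    $claims = json_decode( wp_remote_retrieve_body( $response ), true );
    if ( ! is_array( $claims ) ) {
        return new WP_Error( 'invalid_token', 'Unparseable token response.' );
    }

    // tokeninfo has already checked the signature. These checks bind the token
    // to THIS site: right issuer, minted for our client ID, not expired, and
    // carrying an address Google itself marks as verified.
    $issuer_ok   = in_array( $claims['iss'] ?? '', array( 'accounts.google.com', 'https://accounts.google.com' ), true );
    $audience_ok = ( $claims['aud'] ?? '' ) === RM_EXAMPLE_GOOGLE_CLIENT_ID;
    $not_expired = (int) ( $claims['exp'] ?? 0 ) > time();
    $verified    = $claims['email_verified'] ?? '';
    $email_ok    = ( 'true' === $verified || true === $verified ) && is_email( $claims['email'] ?? '' );

    if ( ! $issuer_ok || ! $audience_ok || ! $not_expired || ! $email_ok ) {
        return new WP_Error( 'invalid_token', 'Token is not valid for this site.' );
    }
    return $claims['email'];
}

function rm_example_social_login() {
    // The nonce is CSRF protection only. It is public on the login page and
    // proves nothing about who the requester is.
    check_ajax_referer( 'rm-example-social-login', 'security' );

    $token = isset( $_POST['id_token'] ) ? wp_unslash( $_POST['id_token'] ) : '';
    $email = rm_example_verified_google_email( $token );
    if ( is_wp_error( $email ) ) {
        wp_send_json_error( array( 'code' => 'denied', 'msg' => $email->get_error_message() ), 403 );
    }

    $user = get_user_by( 'email', $email );
    if ( ! $user ) {
        wp_send_json_error( array( 'code' => 'denied', 'msg' => 'No account for this identity.' ), 403 );
    }
    if ( (int) get_user_meta( $user->ID, 'rm_user_status', true ) ) { // account disabled, as in the original
        wp_send_json_error( array( 'code' => 'denied', 'msg' => 'Account disabled.' ), 403 );
    }

    // Session cookie rather than "remember me" for an externally asserted login.
    wp_set_auth_cookie( $user->ID, false );
    wp_send_json_success( array( 'code' => 'allowed', 'redirect' => admin_url() ) );
}
```

Matching on email still trusts the provider’s statement that the address is verified; a stricter design stores the provider’s stable subject identifier (the sub claim) against the WordPress account when the social login is first linked and matches on that instead, so a change of email at the provider cannot be used to reach a different local account.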

Exploitation requires the email address of a target account, and a known username is often a strong hint at it. In WordPress it can be relatively easy to enumerate usernames if protections have not been put in place, such as the Wordfence option to “Prevent discovery of usernames through ‘/?author=N’ scans, the oEmbed API, the WordPress REST API, and WordPress XML Sitemaps”. If a vulnerable site was running with a default or easily guessed administrative username like ‘admin’ or ‘administrator’, successfully exploiting this flaw to gain administrative access would be trivial.

This serves as an important reminder not to use default usernames for administrative accounts and to have username enumeration protection in place, so that vulnerabilities like this become harder for attackers to exploit.
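As an added example (not code from Wordfence or from the plugin), the following must-use plugin closes the four enumeration channels the quoted option names, using only core WordPress hooks, and goes one step further by neutralising the login form’s username-specific error message. The file header and comments are illustrative; it is meant to be dropped into wp-content/mu-plugins/ on a site that has no other enumeration protection.

```php
<?php
/**
 * Plugin Name: Example - Block Username Enumeration
 * Description: Added example (not Wordfence or plugin code). Closes the
 * /?author=N, oEmbed, REST API and XML sitemap disclosure channels.
 */

// 1. /?author=N is normally redirected by redirect_canonical() (priority 10 on
//    template_redirect) to /author/<login>/, revealing the login name. Run first
//    and send anonymous author queries to the home page instead.
add_action( 'template_redirect', function () {
    if ( ! is_user_logged_in() && ( isset( $_GET['author'] ) || is_author() ) ) {
        wp_safe_redirect( home_url( '/' ), 301 );
        exit;
    }
}, 9 );

// 2. The oEmbed response for any post carries author_name and author_url.
add_filter( 'oembed_response_data', function ( $data ) {
    unset( $data['author_name'], $data['author_url'] );
    return $data;
} );

// 3. /wp-json/wp/v2/users lists every user who has published content. Remove
//    the users routes for anonymous requests only, so the admin UI keeps working.
add_filter( 'rest_endpoints', function ( $endpoints ) {
    if ( is_user_logged_in() ) {
        return $endpoints;
    }
    foreach ( array_keys( $endpoints ) as $route ) {
        if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
            unset( $endpoints[ $route ] );
        }
    }
    return $endpoints;
} );

// 4. WordPress 5.5+ publishes wp-sitemap-users-1.xml with one entry per author.
//    Returning false for the 'users' provider drops that sitemap entirely.
add_filter( 'wp_sitemaps_add_provider', function ( $provider, $name ) {
    return 'users' === $name ? false : $provider;
}, 10, 2 );

// 5. Beyond the four channels above: wp-login.php tells an attacker whether a
//    username exists ("Unknown username" vs "The password you entered...").
//    One generic message removes that oracle for every login error.
add_filter( 'login_errors', function () {
    return __( 'Invalid username or password.' );
} );
```

After installing it, confirm the effect from an unauthenticated shell: /?author=1 should land on the home page rather than /author/<login>/, /wp-json/wp/v2/users should return a rest_no_route error, and /wp-sitemap.xml should no longer list a users sitemap.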

Timeline

September 15, 2021 – Conclusion of the plugin analysis that led to the discovery of the authentication bypass vulnerability. A firewall rule is deployed to protect premium users.
September 16, 2021 – We initiate the responsible disclosure process. The vendor confirms the inbox for handling the discussions and the details are fully disclosed to the developer.
September 25, 2021 – The developer indicates the issue has been resolved, but after our analysis of the patch we determine the underlying security issues were not addressed properly.
September 26 – November 1, 2021 – We continue working with the developer to ensure a fix is released.
October 15, 2021 – The firewall rule becomes available to free Wordfence users.
November 1, 2021 – Version 5.0.1.6 is released, which provides a partial fix.
November 9 – November 25, 2021 – We continue to ask for updates to ensure that the developer continues to work on a patch. We involve the WordPress plugin team in our efforts.
November 25, 2021 – Version 5.0.1.8 is released and addresses the security issue.

Conclusion

In today’s post, we detailed a flaw in the “RegistrationMagic – Custom Registration Forms, User Registration and User Login Plugin” plugin that made it possible for attackers to bypass authentication and gain administrative user access. This flaw has been fully patched in version 5.0.1.8.

We recommend that WordPress site owners immediately verify that their site has been updated to the latest patched version available, which is version 5.0.1.8 at the time of this publication.

Wordfence Premium customers received a firewall rule for protection against any attacks targeting this exploit on September 15, 2021. This rule became available to free Wordfence users 30 days later, on October 15, 2021.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a serious vulnerability that can lead to complete site takeover.

If your site has been compromised by an attack on this or any other plugin, our Professional Site Cleaning services can help you get back in business.

The post Authentication Bypass Vulnerability Patched in User Registration Plugin appeared first on Wordfence.

XSS Vulnerability Patched in Plugin Designed to Enhance WooCommerce

Note: To receive disclosures like this in your inbox the moment they’re published, you can subscribe to our WordPress Security Mailing List.

On November 11, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Variation Swatches for WooCommerce”, a WordPress plugin that is installed on over 80,000 sites and acts as an extension for WooCommerce. This flaw made it possible for an attacker with low-level permissions, such as a subscriber or a customer, to inject malicious JavaScript that would execute when a site administrator accessed the settings area of the plugin.

All Wordfence users, including Wordfence Premium customers as well as those still using the free version of Wordfence, are protected against this vulnerability by our firewall’s built-in cross-site scripting protection. For added protection, we released an additional firewall rule to protect Wordfence Premium customers on November 11, 2021, and this rule will become available to free Wordfence users 30 days later, on December 11, 2021.

We sent the full disclosure details on November 12, 2021, after the developer confirmed the appropriate channel to handle communications. The developer quickly acknowledged the report and released a patch on November 23, 2021.

We strongly recommend ensuring that your site has been updated to the latest patched version of “Variation Swatches for WooCommerce”, which is version 2.1.2 at the time of this publication.

Description: Stored Cross-Site Scripting
Affected Plugin: Variation Swatches for WooCommerce
Plugin Slug: variation-swatches-for-woocommerce
Plugin Developer: Woosuite
Affected Versions: <= 2.1.1
CVE ID: CVE-2021-42367
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Chloe Chamberland
Fully Patched Version: 2.1.2

Variation Swatches for WooCommerce is a WordPress plugin designed to add variation swatches to products created with WooCommerce. This allows shop owners to easily sell and display multiple variations of a single product. The plugin registered various AJAX actions used to manage its settings. Unfortunately, these were insecurely implemented, making it possible for attackers with low-level permissions to arbitrarily update the plugin’s settings and inject malicious web scripts.

More specifically, the plugin registered the tawcvs_save_settings, update_attribute_type_setting, and update_product_attr_type functions, which were all hooked to various AJAX actions. All three functions were missing capability checks, which enforce authorization, as well as nonce checks, which provide Cross-Site Request Forgery protection.

This meant that any authenticated user, including those with minimal permissions such as customers and subscribers, could execute the AJAX actions associated with these functions. These AJAX actions were used to control the various settings of the plugin, and the tawcvs_save_settings function in particular could be used to update the plugin’s settings to add malicious web scripts, which makes the issue much more severe.
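The following added example (not code from Variation Swatches, whose handlers are not reproduced here) shows the pattern described above, a settings AJAX handler with neither check, beside a hardened version with nonce verification, a capability check and per-field sanitization. The option key example_swatch_settings, the action names and the field names are illustrative.

```php
<?php
// Added example (not Variation Swatches code): an AJAX settings handler
// with no checks, next to a hardened version. Names are illustrative.

// --- Vulnerable pattern. The wp_ajax_ hook (no nopriv twin) only requires a
// logged-in session, so a subscriber or customer can store raw HTML in a
// setting that an administrator's settings page later prints.
add_action( 'wp_ajax_example_save_settings_vulnerable', function () {
    update_option( 'example_swatch_settings', wp_unslash( $_POST['settings'] ) );
    wp_send_json_success();
} );

// --- Hardened pattern.
add_action( 'wp_ajax_example_save_settings', 'example_save_settings' );

function example_save_settings() {
    // 1. CSRF: the settings page mints wp_create_nonce( 'example_save_settings' )
    //    and the request must echo it back in the 'security' parameter.
    check_ajax_referer( 'example_save_settings', 'security' );

    // 2. Authorization: being logged in is not the same as being allowed.
    //    Changing plugin settings is an administrator's capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'msg' => 'Insufficient permissions.' ), 403 );
    }

    // 3. Validation: only known keys, each sanitized for its type, so nothing
    //    script-bearing is ever stored.
    $raw   = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] ) : array();
    $clean = example_sanitize_settings( $raw );

    update_option( 'example_swatch_settings', $clean );
    wp_send_json_success( $clean );
}

/**
 * Whitelist-based sanitizer: unknown keys are dropped, known keys are coerced
 * to the type the settings page expects.
 */
function example_sanitize_settings( array $raw ) {
    $clean = array(
        'swatch_size' => 32,
        'tooltip'     => false,
        'label'       => '',
        'custom_css'  => '',
    );
    if ( isset( $raw['swatch_size'] ) ) {
        $clean['swatch_size'] = max( 8, min( 128, absint( $raw['swatch_size'] ) ) );
    }
    if ( isset( $raw['tooltip'] ) ) {
        $clean['tooltip'] = filter_var( $raw['tooltip'], FILTER_VALIDATE_BOOLEAN );
    }
    if ( isset( $raw['label'] ) ) {
        $clean['label'] = sanitize_text_field( $raw['label'] ); // strips tags, <script> included
    }
    if ( isset( $raw['custom_css'] ) ) {
        // CSS is a legitimate free-text field, but it must never be able to
        // close the <style> element it is printed into.
        $clean['custom_css'] = wp_strip_all_tags( $raw['custom_css'] );
    }
    return $clean;
}
```

Sanitizing on input is only half of the defence: the settings page must still escape each value when rendering it (esc_attr() for attributes, esc_html() for text), because stored data may have been written by an older, unchecked version of the handler. Note also that a nonce on its own would not have fixed this flaw; without the capability check a subscriber can obtain a valid nonce from any page that prints it and still change the settings.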

As always, malicious web scripts can be crafted to inject new administrative user accounts or even modify a plugin or theme file to include a backdoor which in turn would grant the attacker the ability to completely take over a site.

Timeline

November 11, 2021 – Conclusion of the plugin analysis that led to the discovery of a Stored Cross-Site Scripting Vulnerability in the “Variation Swatches for WooCommerce” plugin. We validate that the Wordfence Firewall provides protection and deploy an additional firewall rule for enhanced protection. We initiate contact with the developer.
November 12, 2021 – The developer confirms the inbox for handling the discussion. We send over the full disclosure details.
November 20 & 21, 2021 – The developer provides us with a copy of the updated plugin to test. We validate that the vulnerability has been patched.
November 23, 2021 – A fully patched version of the plugin is released as version 2.1.2.
December 11, 2021 – The firewall rule becomes available to free Wordfence users.

Conclusion

In today’s post, we detailed a flaw in the “Variation Swatches for WooCommerce” plugin that made it possible for attackers to inject malicious web scripts that would execute whenever a site owner accessed the settings area of the plugin. This flaw has been fully patched in version 2.1.2.

We recommend that WordPress users immediately verify that their site has been updated to the latest patched version available, which is version 2.1.2 at the time of this publication.

All Wordfence users, including Wordfence Premium customers and free Wordfence users are protected against XSS exploits targeting this vulnerability by the Wordfence firewall’s built-in XSS protection. In addition, we released a firewall rule for added protection against unauthorized settings changes to Wordfence Premium customers on November 11, 2021, and this rule will become available to free Wordfence users 30 days later, on December 11, 2021.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a serious vulnerability that can lead to complete site takeover.

If your site has been compromised by an attack on this or any other plugin, our Professional Site Cleaning services can help you get back in business.

The post XSS Vulnerability Patched in Plugin Designed to Enhance WooCommerce appeared first on Wordfence.
