PSA: Critical Vulnerability Patched in Ninja Forms WordPress Plugin

On June 16, 2022, the Wordfence Threat Intelligence team noticed a back-ported security update in Ninja Forms, a WordPress plugin with over one million active installations. As with all security updates in WordPress plugins and themes, our team analyzed the plugin to determine the exploitability and severity of the vulnerability that had been patched.

We uncovered a code injection vulnerability that made it possible for unauthenticated attackers to call a limited number of methods in various Ninja Forms classes, including a method that unserialized user-supplied content, resulting in Object Injection. This could allow attackers to execute arbitrary code or delete arbitrary files on sites where a separate POP chain was present.

There is evidence to suggest that this vulnerability is being actively exploited in the wild, and as such we are alerting our users immediately to the presence of this vulnerability.

This flaw has been fully patched in versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11. WordPress appears to have performed a forced automatic update for this plugin, so your site may already be using one of the patched versions. Nonetheless, we strongly recommend ensuring that your site has been updated to one of the patched versions as soon as possible since automatic updates are not always successful.

Wordfence Premium, Wordfence Care, and Wordfence Response customers received a rule on June 16, 2022 to protect against active exploitation of this vulnerability. Wordfence users still using the free version will receive the same protection on July 16, 2022. Regardless of your protection status with Wordfence, you can update the plugin on your site to one of the patched versions to avoid exploitation.


Description: Code Injection
Affected Plugin: Ninja Forms Contact Form – The Drag and Drop Form Builder for WordPress
Plugin Slug: ninja-forms
Plugin Developer: Saturday Drive
Affected Versions: 3.6-3.6.10, 3.5-3.5.8.3, 3.4-3.4.34.1, 3.3-3.3.21.3, 3.2-3.2.27, 3.1-3.1.9, 3.0-3.0.34.1
CVE ID: Pending
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Fully Patched Version: 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, 3.6.11

Ninja Forms is a popular WordPress plugin designed to enhance WordPress sites with easily customizable forms. One feature of Ninja Forms is the ability to add “Merge Tags” to forms that will auto-populate values from other areas of WordPress, like Post IDs and logged-in users’ names. Unfortunately, this functionality had a flaw that made it possible to call various Ninja Forms classes that could be used for a wide range of exploits targeting vulnerable WordPress sites.

Without providing too many details on the vulnerability, the Merge Tag functionality does an is_callable() check on supplied Merge Tags. When a callable class and method is supplied as a Merge Tag, the function is called and the code executed. These Merge Tags can be supplied by unauthenticated users due to the way the NF_MergeTags_Other class handles Merge Tags.

We determined that this could lead to a variety of exploit chains due to the various classes and functions that the Ninja Forms plugin contains. One potentially critical exploit chain in particular involves the use of the NF_Admin_Processes_ImportForm class to achieve remote code execution via deserialization, though there would need to be another plugin or theme installed on the site with a usable gadget.
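The general weakness described above, as an added example that is not Ninja Forms code and not from the original post: is_callable() only confirms that a name can be invoked, not that the requester may invoke it. The class, function and tag names are hypothetical, and the hardened resolver uses a fixed allowlist as one way to close the gap.

```php
<?php
declare(strict_types=1);

// Hypothetical internal helper: a static method that was never meant to be
// reachable from request data.
final class ReportHelper
{
    public static function purgeCache(): string
    {
        return 'cache purged';
    }
}

/**
 * Weak pattern: the tag string itself is treated as a callable.
 * is_callable() answers "can PHP invoke this name?", which is true for any
 * loaded function or public static method. It is not an authorization check.
 */
function resolve_tag_unsafe(string $tag): ?string
{
    if (is_callable($tag)) {
        return (string) call_user_func($tag);
    }
    return null;
}

/**
 * Hardened pattern: the tag is only a key into a fixed map of handlers.
 * Request data selects among behaviours the developer registered and can
 * never name a function or method directly.
 */
function resolve_tag_safe(string $tag, array $context): ?string
{
    static $handlers = null;
    if ($handlers === null) {
        $handlers = [
            'post_id'   => static fn(array $c): string => (string) (int) ($c['post_id'] ?? 0),
            'user_name' => static fn(array $c): string => (string) ($c['user_name'] ?? ''),
        ];
    }
    if (!array_key_exists($tag, $handlers)) {
        return null; // unknown tag: ignore it, never fall back to dynamic dispatch
    }
    return $handlers[$tag]($context);
}

// Constructed sample data for the demonstration.
$context = ['post_id' => 42, 'user_name' => 'alice'];
$tags    = ['post_id', 'user_name', 'ReportHelper::purgeCache'];

foreach ($tags as $tag) {
    printf(
        "%-26s unsafe=%-16s safe=%s\n",
        $tag,
        var_export(resolve_tag_unsafe($tag), true),
        var_export(resolve_tag_safe($tag, $context), true)
    );
}
```

Run with the PHP CLI: the unsafe resolver invokes the internal static method when given its name, while the allowlisted resolver returns NULL for anything it was not explicitly taught.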

As we learn more about the exploit chains attackers are using to exploit this vulnerability, we will update this post.

Conclusion

In today’s post, we detailed a critical vulnerability in Ninja Forms Contact Form which allows unauthenticated attackers to call static methods on a vulnerable site. This can be used to completely take over a WordPress site. There is evidence to suggest that this vulnerability is being actively exploited.

This flaw has been fully patched in versions 3.0.34.2, 3.1.10, 3.2.28, 3.3.21.4, 3.4.34.2, 3.5.8.4, and 3.6.11. It appears as though WordPress may have performed a forced update so your site may already be on one of the patched versions. Nonetheless, we strongly recommend ensuring that your site has been updated to one of the patched versions as soon as possible.

Wordfence Premium, Wordfence Care, and Wordfence Response customers received a rule on June 16, 2022 to protect against active exploitation of this vulnerability. Wordfence users still using the free version will receive the same protection on July 16, 2022. Regardless of your protection status with Wordfence, you can update the plugin on your site to one of the patched versions to avoid exploitation.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected, as this is a serious vulnerability that can lead to complete site takeover.

Special thanks to Ramuel Gall, a Wordfence Threat Analyst, for his work reverse engineering the vulnerability’s patches to develop a working Proof of Concept and for his contributions to this post. 

The post PSA: Critical Vulnerability Patched in Ninja Forms WordPress Plugin appeared first on Wordfence.

Top Five Attacking IPs This Month: Their Locations May Not Be Where You Think

At Wordfence, we see large amounts of threat actor data, and often that data tells unexpected stories. Taking a look at just the top five attacking IP addresses over a 30 day period, you might be surprised to find out where these attacks are originating, and what they are doing. When most people hear about threat actors, they think about countries like Russia, China, and North Korea. In reality, attacks originate from all over the world, with the top five attackers we have tracked over the past 30 days coming from Australia, Germany, the United States, Ukraine, and Finland.

The purpose of these attacks is nearly as varied as their locations. Each of the top five malicious IP addresses was found to be attempting unauthorized access to websites or file systems. In sixth place was an IP address that was attempting brute force attacks, but the remaining malicious IP addresses in the top ten were all found to be attempting malicious access by other means. Several of the addresses were seen scanning for vulnerabilities, downloading or uploading files, accessing web shells, and even viewing or writing custom wp-config.php files. While one of the malicious indicators was consistent across all of the top five IP addresses, there are also some actions that were unique to a specific attack source.

IP Threat #1 Originating From Australia

The IP address found in Australia, 20.213.156.164, which is owned by Microsoft, may seem like the most surprising one to make this list, let alone first on the list. In a 30 day period, we tracked 107,569,810 requests from this single IP address out of Sydney. The threat actor using this IP was primarily attempting to open potential web shells on victims’ websites, which could indicate that the attacker was looking for left-over web shells from other attackers’ successful exploits.

This is a common technique for threat actors, as it can be automated and does not require actively uploading their own shells and backdoors to a potential victim’s website. This could help the attacker save time and money instead of launching their own attack campaign to compromise servers.

The following is an example of a request the offending IP tried to make to access a known shell. It was blocked by the Wordfence firewall.

IP Threat #2 Originating From Germany

The German IP address, 217.160.145.62, may have a tracked attack quantity that is around 35% lower than the Sydney IP address, with only 70,752,527 tracked events, but its actions are much more varied. In fact, this IP address triggered four different web application firewall (WAF) rules, including attempts to upload zip files to the attacked websites. This is a common action performed as a first step to get malicious files onto the server. There were also attempts to exploit a remote code execution (RCE) vulnerability in the Tatsu Builder plugin, and to access the wp-config.php file from a web-visible location.

Sample of an exploit targeting the Tatsu Builder plugin vulnerability from this IP Address.

IP Threat #3 Originating From The United States

The attacks originating from the IP address 20.29.48.70 in the United States were slightly lower in quantity than those from Germany, with 54,020,587 detected events. The logged events are similar to those found coming from Australia. Searching for previously installed shells and backdoors appears to be the main purpose of these attacks as well. It’s important to note that this does not indicate that a backdoor is actually present on the site. This is just a method attackers use in hopes of landing on a webshell that had been installed previously by another attacker to save time and resources. One filename we saw the IP address attempting to access is commonly used to serve spam or redirect to potentially malicious e-commerce websites.

Example of a pharma website that was the end result of a redirect chain.

IP Threat #4 Originating from Ukraine

The attacks starting in Ukraine are from the IP address 194.38.20.161, and the purpose of these attacks is different from what we see from the IP addresses in the other entries in the top five. The majority of the 51,293,613 requests appear to be checking for jQuery upload capabilities on the affected websites. This is done with a web request that uses a JPEG image file in an attempted upload. Once they know an upload is possible, the attacker can upload malicious files that range from spam to backdoors, and everything in between.

IP Threat #5 Originating From Finland

Rounding out our top five with only 44,954,492 registered events is the IP address 65.108.195.44 from Helsinki, Finland. This one also attempts to access web shells and backdoors. The majority of requests from this IP address seem to be accessing previously uploaded malicious files, rather than trying to exploit vulnerabilities or activate code that was added to otherwise legitimate files, such as the example below.

The s_e.php file sample in its raw form: a file this IP was trying to access.

One Thing in Common: All IPs Made it on to the Wordfence IP Blocklist

While the threat actors behind these IP addresses may have tried a variety of methods to gain control of these WordPress sites, one thing all these IP addresses have in common is that their attempts were blocked by the Wordfence Network and made their way onto the Wordfence IP Blocklist, a Premium feature of Wordfence.

This means that, due to the volume of attacks these IP addresses were initiating, they ended up on the Wordfence Real-Time IP blocklist, which prevents these IP addresses from accessing your site in the first place.

Conclusion

While the top five locations may not be commonly thought of as locations that web attacks may originate from, these are areas where computers and the internet are common. Wherever you have both of these, you will have attack origins. What is not as surprising is that despite widely varied locations for attackers, the methods they use are typically common and often predictable. Hosting accounts that threat actors use to launch attacks can live anywhere in the world while a threat actor themselves may be in an entirely different location.

By knowing how an attacker thinks, and the methods they use, we can defend against their attacks. These top five offenders averaged more than 10 million access attempts per day in the reviewed period, but having a proper web application firewall with Wordfence in place meant the attackers had no chance of accomplishing their goals.

All Wordfence users with the Wordfence Web Application Firewall active, including Wordfence free customers, are protected against the types of attacks seen from these IP addresses, and the vulnerabilities they may be attempting to exploit.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

The post Top Five Attacking IPs This Month: Their Locations May Not Be Where You Think appeared first on Wordfence.

Cross-Site Scripting Vulnerability In Download Manager Plugin

On May 30, 2022, Security Researcher Rafie Muhammad reported a reflected Cross-Site Scripting (XSS) vulnerability to us that they discovered in Download Manager, a WordPress plugin installed on over 100,000 sites. On request, we assigned a vulnerability identifier of CVE-2022-1985.

All Wordfence users, including Free, Premium, Care, and Response, are protected from exploits targeting this vulnerability thanks to the Wordfence Firewall’s built-in Cross-Site Scripting protection.

Even though Wordfence provides protection against this vulnerability, we strongly recommend ensuring that your site has been updated to the latest patched version of Download Manager, which is version 3.2.43 at the time of this publication.


Description: Reflected Cross-Site Scripting
Affected Plugin: Download Manager
Plugin Slug: download-manager
Plugin Developer: codename065
Affected Versions: <= 3.2.42
CVE ID: CVE-2022-1985
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Rafie Muhammad (Yeraisci)
Fully Patched Version: 3.2.43

Download Manager is a file and document management plugin to help manage and control file downloads with various file download controls to restrict unauthorized file access. The plugin also provides a complete solution to sell digital products from WordPress sites, including checkout functionality to complete an order. One feature of the plugin is the ability to use a shortcode to embed files and other assets in a page or post. This function was found to be vulnerable to reflected Cross-Site Scripting.

Secure coding practices would include checks to sanitize the input received by the page, and escaping that code on the output to ensure that only approved inputs and outputs are presented. Unfortunately, insufficient input sanitization and output escaping on the $_REQUEST['frameid'] parameter found in the ~/src/Package/views/shortcode-iframe.php file of the Download Manager plugin made it possible for an attacker to run arbitrary code in a victim’s browser by getting them to click on a specially crafted URL. This is because the 'frameid' parameter was echoed to the page without sufficient user input validation.
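The sanitize-on-input, escape-on-output practice described above, as an added example that is not the Download Manager source: a request value echoed verbatim next to a version that validates it and escapes it for the context it lands in. The function names, markup and default id are hypothetical; the plugin's actual template is not reproduced here.

```php
<?php
declare(strict_types=1);

/** Weak pattern: the request value is written into the markup unchanged. */
function render_frame_unsafe(array $request): string
{
    $frameId = $request['frameid'] ?? '';
    return '<div id="' . $frameId . '" class="embed"></div>';
}

/**
 * Input side: accept only what an element id should look like.
 * Anything else (markup, quotes, arrays from ?frameid[]=x) is replaced
 * by a fixed default instead of being "cleaned up".
 */
function frame_id_or_default($raw): string
{
    if (is_string($raw) && preg_match('/\A[A-Za-z][A-Za-z0-9_-]{0,63}\z/', $raw) === 1) {
        return $raw;
    }
    return 'frame-default'; // hypothetical default id
}

/** Output side, HTML attribute context. In WordPress, esc_attr() fills this role. */
function render_frame_attr_safe(array $request): string
{
    $frameId = frame_id_or_default($request['frameid'] ?? null);
    $escaped = htmlspecialchars($frameId, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<div id="' . $escaped . '" class="embed"></div>';
}

/**
 * Output side, inline script context. HTML escaping is the wrong tool here;
 * the value is emitted as a JSON string literal with <, >, &, ' and " hex-encoded
 * so it cannot close the string or the script element.
 */
function render_frame_script_safe(array $request): string
{
    $frameId = frame_id_or_default($request['frameid'] ?? null);
    $literal = json_encode(
        $frameId,
        JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR
    );
    return '<script>var frameId = ' . $literal . ';</script>';
}

// Constructed request values: one legitimate id and one classic markup break-out test string.
$samples = ['frame_12', '"><script>alert(1)</script>'];

foreach ($samples as $value) {
    $request = ['frameid' => $value];
    echo "input : ", $value, "\n";
    echo "unsafe: ", render_frame_unsafe($request), "\n";
    echo "attr  : ", render_frame_attr_safe($request), "\n";
    echo "script: ", render_frame_script_safe($request), "\n\n";
}

// An array-valued parameter is rejected by the validator as well.
echo "array : ", render_frame_attr_safe(['frameid' => ['x']]), "\n";
```

Run with the PHP CLI: for the second sample the unsafe output contains a live script element, while both hardened renderers fall back to the default id.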

Without proper sanitization and escaping in place on user-supplied inputs, JavaScript can be used to manipulate the page. Even an unsophisticated attacker could hijack the form and use it to trick a site administrator into unknowingly disclosing sensitive information, or to collect cookie values. 

More specialized attackers would use this capability to gain administrator access or add a backdoor and take over the site. If the attacker gains this access, they would have access to the same information the administrator would be able to access, including user details and customer information.

In the case of Download Manager, customer information and access to digital products would both be at risk. If an attacker were able to trick an administrator into clicking a link that has been designed to send session cookies to the attacker, add a malicious administrator account, or implement a backdoor on the website, the attacker would also have free rein in the administrator panel, giving them the ability to modify checkout settings and even add fake products to the website.

Conclusion

In today’s post, we discussed a reflected Cross-Site Scripting (XSS) vulnerability in Download Manager. While this would require tricking an administrator into clicking a link or performing some other action, it still offers the potential for site takeover. As such we urge you to update to the latest version of this plugin, 3.2.43 as of this writing, as soon as possible.

All Wordfence users, including Free, Premium, Care, and Response, are protected from exploits targeting this vulnerability.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected, as this is a serious vulnerability that can lead to complete site takeover.

Congratulations to Rafie Muhammad for discovering and responsibly disclosing this vulnerability to the plugin’s developers. As a reminder, Wordfence is a CVE Numbering Authority (CNA) and we can assign CVE IDs to your vulnerability discoveries in WordPress Plugins, Themes, and Core. If you need a CVE for one of your WordPress finds, please fill out our form here. Your vulnerability discovery may be featured on our blog with your permission!

The post Cross-Site Scripting Vulnerability In Download Manager Plugin appeared first on Wordfence.

The Cybersecurity CIA Triad: What You Need to Know as a WordPress Site Owner

One of the core concepts of cybersecurity is known as the CIA Triad. There are three pillars to the triad, with each pillar being designed to address an aspect of securing data. These three pillars are Confidentiality, Integrity, and Availability.

The Confidentiality pillar is intended to prevent unauthorized access to data, while the Integrity pillar ensures that data is only modified when and how it should be modified. Finally, the Availability pillar assures access to data when it is needed. When employed in unison, these three pillars work together to build an environment where data is properly protected from any type of attack, compromise, or mishap.

While managing a website may not always feel like a cybersecurity role, a crucial purpose of any website is to maintain data, which calls for the use of the CIA Triad. Managing a WordPress site is no exception to the need for the CIA Triad, even if you are not actively writing any code for the website.

As you build or update a website, it is important to keep the CIA Triad in mind when determining which plugins and functionality to include on the website. While user experience is often the main consideration, it is important to research any plugins or themes you may be considering for your website to ensure you are only installing ones that are well-maintained, and do not have a track record of being an attack vector in website data breaches. Ignoring any of the three pillars of the CIA Triad can lead to a weakness in your website which could impact your site’s users or your business. This makes it important to understand how the Triad applies to management of a WordPress site.

Maintaining the Confidentiality of Privileged Data

The Confidentiality pillar of the CIA Triad is frequently in the public eye, especially when it fails. The basic concept is that any data that should be kept private is restricted to prevent unauthorized access. Privileged data on a WordPress site can vary, but includes administrator and user credentials as well as personally identifiable information (PII) like addresses and phone numbers. Depending on the purpose of the site, additional customer information may also be included, especially in scenarios where you might be running an e-commerce or membership website. Aside from personal data, you may also have business data that should be kept confidential as well, which means that the concept of Confidentiality needs to be employed properly in order to protect this data from unauthorized access.

One thing to keep in mind is that unauthorized access can easily be accidental. Each page on a WordPress website can be set to require specific permissions for access. If you are publishing restricted information, you will need to ensure that the page is not published publicly. Even when updating a page, a good best practice is to always check the post visibility prior to publishing any changes in order to ensure that restricted data cannot be accessed without a proper access level. This check is quick, and only takes a moment to correct if the visibility is set incorrectly.

[Image: how to set post visibility in WordPress]

Malicious access is also something that needs to be accounted for when managing a website. One of the most common types of attacks on web applications is cross-site scripting (XSS). A danger of XSS attacks is that they are often simple for an attacker to implement, simply by generating a specially crafted URL. If an XSS vulnerability is present on the website and an attacker can convince your users, or administrators, to click on a link they have generated, they can easily steal user cookies or perform actions using the victim’s session. If the vulnerability is stored XSS, a site administrator accessing the vulnerable page may be all that is needed in order for the attacker to obtain admin access to the site. If the attacker is able to obtain authentication cookies, then they will have the same access to information on the website as the user or administrator that they stole the cookie from. Further, when it comes to WordPress sites, XSS vulnerabilities can easily be exploited to inject new administrative users or add back-doors via specially crafted JavaScript that makes it incredibly easy for attackers to gain unauthorized access to sensitive information on your WordPress site.

[Image: an example XSS alert]

Unauthorized access to confidential information can have lasting negative effects on a business or website owner, but taking steps to secure this data goes a long way in mitigating these risks. Whether you’re running a personal blog that collects subscriber email addresses, or an online retail site, there will be data that should be protected from accidental and malicious access. Keeping the concept of Confidentiality in mind while building and updating your WordPress website is a critical part of protecting this data. Even if it feels like a hassle to do the initial research and choose plugins that are known for their security, you will end up saving time and money by avoiding a potential data breach in the future.

When researching themes and plugins, one aspect you will want to consider is the developer’s transparency with any vulnerabilities. A few disclosed and patched vulnerabilities likely means the developer actively fixes any problems. A theme or plugin that does not list any patched vulnerabilities in the changelog may be just as much of a problem as one that has had too many vulnerabilities, especially when the theme or plugin has been around for a significant amount of time. This signifies the importance of not just relying on whether a plugin or theme has had any previously disclosed vulnerability, but rather focusing on the transparency and communication about security management from WordPress software developers.

Ensuring the Integrity of Site Data

Integrity is the pillar that defines how data is maintained and modified. The idea here is that data should only be modified by defined individuals, and any modification should be accurate and necessary as defined by the purpose of the data. Incorrect or unnecessary changes to data can cause confusion at a minimum, and can even have legal and financial consequences in some cases. While the Confidentiality pillar plays a role here, Integrity must be addressed independently to ensure that data being accessed has not been maliciously or accidentally compromised.

Capability checks are one way that WordPress not only protects Confidentiality, but also Integrity. Any plugins should be using capability checks to ensure that the user making a change to the site information, configuration, or contained data actually has the correct permissions to make those changes. From a site owner or maintainer perspective, this means researching any plugins and testing any that are being considered for the website to ensure that data can only be changed by its owner, or by an appropriate level of editor or administrator. If data is available on the website in any form, it will need to be checked because a vulnerable plugin could allow an attacker to change or delete data if they know how to exploit the vulnerability. Site settings and code are also data, and if their Integrity is impacted, it can result in a complete compromise of the Confidentiality and Availability of any other data on the site.

[Image: code showing a capability check]

Due to the fact that not every plugin will properly use capability checks, it is the site maintainer’s responsibility to ensure the Integrity of data. In addition to testing plugins for access errors, all users should be properly maintained with appropriate access levels. In a business setting, this will also mean that user audits will need to be performed, and any employee who leaves the company should be immediately removed or disabled on the site. In many cases, having a policy of separating contributors and editors is a good practice as well. This will provide an environment where more than one set of eyes sees the changes to help catch any errors in the changes made to the data. Integrity is all about proper maintenance of data, but both malicious intent and unintentional errors must be taken into account to protect the Integrity of the data.

Guaranteeing the Availability of All Data

The final pillar in the Triad is Availability. In this sense, Availability means that data is available when requested. With a WordPress website, this means that the website is online, the database is accessible, and any data that should be available to a given user is available as long as they are logged in with the correct level of access. What Availability does not mean is that data will be available to everyone at any time. The first two pillars in the triad must be taken into account when determining Availability of data. Availability is the pillar that relies more heavily on infrastructure than on what most will consider to be security.

Availability may be the most obvious pillar to the end user, as it is clear to them when a website is not available, or the data they try to access on the website won’t load. The end user may not always be able to tell when confidential information is accessed without authorization or when data is incorrectly modified, but a lack of Availability is always going to be obvious. WordPress websites have a lot of working parts, and in order for data in a WordPress site to be available upon demand, all of those parts must work together flawlessly. This means that the website must be hosted somewhere reliable, fees associated with the domain name, hosting or other aspects of the infrastructure must be paid for in a timely manner, TLS certificates need to be renewed on time, and the website software must be updated regularly.

Countless articles have been written on the importance of updating WordPress components to protect Confidentiality and Integrity, but the topic of updating for Availability is just as important. Again, limiting access and ensuring Integrity play a role here, as data can be deleted maliciously or accidentally, but proper maintenance of the components of your website is just as critical. As technologies change on web servers, or new features are added to the website, older components may become incompatible and cease to function. Keeping a proper maintenance schedule and testing functionality after each update are imperative parts of guaranteeing the Availability of your website and the data it contains.

I’m Not A Cybersecurity Expert, How Do I Use The CIA Triad?

Fortunately, you don’t need to be a cybersecurity expert in order to keep the CIA Triad concepts at the core of the work you do. Defining policies for maintenance schedules, how to address problems with plugins, and even procedures for publishing changes to data will guide your processes. Wordfence, including Wordfence Free, provides a number of tools to help you keep to these standards, including two-factor authentication (2FA) to protect user accounts, and alerts for outdated site components or suspicious activity. The Wordfence WAF blocks attacks that threaten your data’s Confidentiality and Integrity, and the Wordfence Scan detects malware and other indicators that your data’s Integrity may have been compromised. Wordfence Premium includes the most up to date WAF rules and malware signatures as well as country blocking, and our Real-Time IP Blocklist, which keeps track of which IPs are attacking our users and blocks them so they don’t even have a chance to threaten your site.

Wordfence also offers two additional services: Wordfence Care and Wordfence Response. Both services help maintain your site’s security by following the core principles of the CIA Triad. Our team of security experts reviews your site initially through a complete security audit to identify ways you can improve your WordPress site’s data Confidentiality, through things like TLS certificates & cryptographic standards. Our team also recommends best practices that can improve your WordPress site’s Integrity and Availability of data, such as performing regularly maintained back-ups and not using software with known vulnerabilities. Both Wordfence Care and Wordfence Response include monitoring of your WordPress site by our team of security professionals to ensure that your site’s Confidentiality, Integrity, and Availability are not compromised, and both services include security incident response and remediation. Wordfence Response offers the same service as Wordfence Care, but with 24/7/365 Availability and a 1-hour response time.

Conclusion

Employing the CIA Triad will help any website owner or maintainer to manage the security of the data on the site, even if they are not specifically in a cybersecurity role. No matter who the website is for, the data on it needs to be confidential, accurate, and available. The concepts covered by the CIA Triad are here to guide decisions that will ensure this need is met. Employing these concepts will help you breathe easier knowing that you have minimized the chances of your data being compromised in an attack or accident.

The post The Cybersecurity CIA Triad: What You Need to Know as a WordPress Site Owner appeared first on Wordfence.

Critical Privilege Escalation Vulnerability in Jupiter and JupiterX Premium Themes

On April 5, 2022, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a set of vulnerabilities in the Jupiter and JupiterX Premium themes and the required JupiterX Core companion plugin for WordPress, which included a critical privilege escalation vulnerability that allowed any user to become an administrator.

The plugin developers quickly replied and we sent over the full disclosure on the same day. Fully patched versions of all vulnerable components were made available on May 10, 2022.

Wordfence Premium, Wordfence Care, and Wordfence Response customers received a firewall rule protecting against these vulnerabilities on April 5, 2022. Sites still running the free version of Wordfence received the same protection 30 days later, on May 4, 2022.

We strongly recommend updating to the latest patched version for your installation as soon as possible, since this will remove the vulnerabilities. If you are using the classic Jupiter theme, you should update to at least version 6.10.2. If you are using the JupiterX theme, you should update to at least version 2.0.8 of the JupiterX Core plugin, and at least version 2.0.7 of the JupiterX Core theme, which are the latest versions available at the time of this writing.


Description: Authenticated Privilege Escalation and Post deletion
Affected Software: Jupiter Theme and JupiterX Core Plugin
Slug(s): jupiter (theme), jupiterx-core (plugin)
Developer: ArtBees
Affected Versions: Jupiter Theme <= 6.10.1 and JupiterX Core Plugin <= 2.0.7
CVE ID: CVE-2022-1654
CVSS score: 9.9 (Critical)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Researcher(s): Ramuel Gall
Fully Patched Versions: Jupiter Theme 6.10.2 and JupiterX Core Plugin 2.0.8

This vulnerability allows any authenticated attacker, including a subscriber or customer-level attacker, to gain administrative privileges and completely take over any site running either the Jupiter Theme or JupiterX Core Plugin. The JupiterX Core plugin is required for the JupiterX theme.

The classic Jupiter Theme contains a function, uninstallTemplate, which is intended to reset a site after a template is uninstalled, but has the additional effect of elevating the user calling the function to an administrator role. In JupiterX, this functionality has been migrated to the JupiterX Core plugin. Vulnerable versions register AJAX actions but do not perform any capability checks or nonce checks.

On a site with a vulnerable version of the Jupiter Theme installed, any logged-in user can elevate their privileges to those of an administrator by sending an AJAX request with the action parameter set to abb_uninstall_template. This calls the uninstallTemplate function, which calls the resetWordpressDatabase function, where the site is effectively reinstalled with the currently logged-in user as the new site owner.

On a site where a vulnerable version of the JupiterX Core plugin is installed, the same functionality can also be accessed by sending an AJAX request with the action parameter set to jupiterx_core_cp_uninstall_template.
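The missing capability and nonce checks described above can be looked for statically. The following is an added example, not code from the original post or from the Jupiter theme: a heuristic audit that lists `wp_ajax_` registrations whose callback never calls `current_user_can` or a nonce verification function. The PHP sample and its handler names are constructed for illustration, and the audit assumes plain function-name callbacks.

```python
import re

# Constructed PHP sample with hypothetical names (not the Jupiter theme's code).
SAMPLE_PHP = r"""
add_action( 'wp_ajax_demo_reset_site', 'demo_reset_site' );
add_action( 'wp_ajax_demo_save_option', 'demo_save_option' );
function demo_reset_site() {
    demo_do_reset();            // no capability check, no nonce check
    wp_send_json_success();
}
function demo_save_option() {
    check_ajax_referer( 'demo_save', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    update_option( 'demo_opt', sanitize_text_field( $_POST['value'] ) );
    wp_send_json_success();
}
"""

# add_action( 'wp_ajax_<action>', '<callback>' ) with a plain function callback.
HOOK_RE = re.compile(
    r"add_action\(\s*['\"]wp_ajax_([\w-]+)['\"]\s*,\s*['\"](\w+)['\"]")
CAP_RE = re.compile(r"\bcurrent_user_can\s*\(")
NONCE_RE = re.compile(r"\b(?:check_ajax_referer|wp_verify_nonce)\s*\(")


def function_body(source, name):
    """Return the body of PHP function `name` by brace counting, or ''.

    Heuristic: braces inside strings or comments are not handled.
    """
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", source)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(source) and depth:
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        i += 1
    return source[m.end():i - 1]


def audit_ajax_handlers(source):
    """Map each wp_ajax_ action to the checks its callback never calls."""
    findings = {}
    for action, callback in HOOK_RE.findall(source):
        body = function_body(source, callback)  # '' if unresolved: flag both
        missing = [label for label, rx in (("capability", CAP_RE), ("nonce", NONCE_RE))
                   if not rx.search(body)]
        if missing:
            findings[action] = missing
    return findings
```

A hit means the handler needs manual review, since a check may live in a helper the callback calls; a clean result is not proof that the checks are correct.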

Description: Insufficient Access Control leading to Authenticated Arbitrary Plugin Deactivation and Settings Modification
Affected Software: JupiterX Theme and JupiterX Core Plugin
Slug(s): jupiterx (theme), jupiterx-core (plugin)
Developer: ArtBees
Affected Versions: JupiterX Theme <= 2.0.6 and JupiterX Core <= 2.0.6
CVE ID: CVE-2022-1656
CVSS score: 6.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Researcher(s): Ramuel Gall
Fully Patched Versions: JupiterX Theme 2.0.7 and JupiterX Core Plugin 2.0.7

This vulnerability allows an attacker to reduce site security or damage functionality.

Vulnerable versions of the JupiterX Theme allow any logged-in user, including subscriber-level users, to access any of the functions registered in lib/api/api/ajax.php, which also grant access to the jupiterx_api_ajax_ actions registered by the JupiterX Core Plugin. This includes the ability to deactivate arbitrary plugins as well as update the theme’s API key.

Description: Authenticated Path Traversal and Local File Inclusion
Affected Software: JupiterX Theme and Jupiter Theme
Slug(s): jupiterx (theme), jupiter (theme)
Developer: ArtBees
Affected Versions: JupiterX Theme <= 2.0.6 and Jupiter Theme <= 6.10.1
CVE ID: CVE-2022-1657
CVSS score: 8.1 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Researcher(s): Ramuel Gall
Fully Patched Versions: JupiterX Theme 2.0.7 and Jupiter Theme 6.10.2

This vulnerability could allow an attacker to obtain privileged information, such as nonce values, or perform restricted actions, by including and executing files from any location on the site.

Vulnerable versions of the Jupiter and JupiterX Themes allow logged-in users, including subscriber-level users, to perform Path Traversal and Local File Inclusion. In the JupiterX theme, the jupiterx_cp_load_pane_action AJAX action present in the lib/admin/control-panel/control-panel.php file calls the load_control_panel_pane function. It is possible to use this action to include any local PHP file via the slug parameter. The Jupiter theme has a nearly identical vulnerability which can be exploited via the mka_cp_load_pane_action AJAX action present in the framework/admin/control-panel/logic/functions.php file, which calls the mka_cp_load_pane_action function.

Description: Insufficient Access Control leading to Authenticated Arbitrary Plugin Deletion
Affected Software: Jupiter Theme
Slug(s): jupiter (theme)
Developer: ArtBees
Affected Versions: Jupiter Theme <= 6.10.1
CVE ID: CVE-2022-1658
CVSS score: 6.5 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Researcher(s): Ramuel Gall
Fully Patched Versions: Jupiter Theme 6.10.2

This vulnerability allows an attacker to reduce site security or damage functionality.

Vulnerable versions of the Jupiter Theme allow arbitrary plugin deletion by any authenticated user, including users with the subscriber role, via the abb_remove_plugin AJAX action registered in the framework/admin/control-panel/logic/plugin-management.php file. Using this functionality, any logged-in user can delete any installed plugin on the site.

Description: Information Disclosure, Modification, and Denial of Service
Affected Software: JupiterX Core Plugin
Slug(s): jupiterx-core (plugin)
Developer: ArtBees
Affected Versions: JupiterX Core Plugin <= 2.0.6
CVE ID: CVE-2022-1659
CVSS score: 6.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Researcher(s): Ramuel Gall
Fully Patched Versions: JupiterX Core Plugin 2.0.7

This vulnerability allows an attacker to view site configuration and logged-in users, modify post conditions, or perform a denial of service attack.

Vulnerable versions of the JupiterX Core plugin register an AJAX action jupiterx_conditional_manager which can be used to call any function in the includes/condition/class-condition-manager.php file by sending the desired function to call in the sub_action parameter.

Timeline

April 5, 2022 – The Wordfence Threat Intelligence team finishes our investigation of the Jupiter and JupiterX Themes. We release a firewall rule to protect Wordfence Premium, Wordfence Care, and Wordfence Response customers. We contact the theme developer and send over the full disclosure.
April 28, 2022 – A partially patched version of the JupiterX theme and JupiterX Core plugin is released.
May 3, 2022 – We follow up with the theme developer about additional patches and notify them of an additional vulnerability we found in the Jupiter Theme.
May 4, 2022 – Firewall rule becomes available to Wordfence free users.
May 10, 2022 – Fully Patched versions of the Jupiter Theme and JupiterX Core plugin are released. We verify that all vulnerabilities are addressed.

Conclusion

In today’s article, we covered a number of vulnerabilities present in the Jupiter and JupiterX themes and the JupiterX Core companion plugin. The most severe vulnerability allows any logged-in user to easily gain administrator privileges.

Wordfence Premium, Wordfence Care, and Wordfence Response customers have been protected from these vulnerabilities since April 5, 2022, and free Wordfence users received the same protection on May 4, 2022.

We strongly recommend updating immediately to the latest available versions of the impacted themes and plugins.

Since several versions across several slugs are impacted, we’ll reiterate what you should update:

If you are running the Jupiter Theme version 6.10.1 or below, you should immediately update to version 6.10.2 or higher.

If you are running the JupiterX Theme version 2.0.6 or below, you should immediately update to version 2.0.7 or higher.

If you are running the JupiterX Core Plugin version 2.0.7 or below, you should immediately update it to version 2.0.8 or higher.

If you know anyone using the Jupiter theme or the JupiterX theme, we urge you to forward this advisory to them as the most severe vulnerability allows complete site takeover.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

The post Critical Privilege Escalation Vulnerability in Jupiter and JupiterX Premium Themes appeared first on Wordfence.

Millions of Attacks Target Tatsu Builder Plugin


The Wordfence Threat Intelligence team has been tracking a large-scale attack against a Remote Code Execution vulnerability in Tatsu Builder, which is tracked by CVE-2021-25094 and was publicly disclosed on March 24, 2022 by an independent security researcher. The issue is present in vulnerable versions of both the free and premium Tatsu Builder plugin. Tatsu Builder is a proprietary plugin that is not listed on the WordPress.org repository, so reliable installation counts are not available, but we estimate that the plugin has between 20,000 and 50,000 installations. Tatsu sent an urgent email notification to all of their customers on April 7th advising them to update, but we estimate that at least a quarter of remaining installations are still vulnerable.

All Wordfence users with the Wordfence Web Application Firewall active, including Wordfence free customers, are protected against attackers trying to exploit this vulnerability.

We began seeing attacks on May 10, 2022. The attacks are ongoing with the volume ramping up to a peak of 5.9 million attacks against 1.4 million sites on May 14, 2022. The attack volume has declined but the attacks are still ongoing at the time of publication.

The following is a graph showing the total volume of attacks targeting the vulnerability in Tatsu Builder.

[Figure: graph showing attack volume against CVE-2021-25094]

The following graph shows the total number of sites being targeted by attackers trying to exploit the vulnerability in Tatsu Builder.


Description: Unauthenticated Remote Code Execution
Affected Plugin: Tatsu Builder
Plugin Slug: tatsu
Plugin Developer: BrandExponents
Affected Versions: < 3.3.13
CVE ID: CVE-2021-25094
CVSS Score: 8.1 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
Researcher/s: Vincent Michel (darkpills)
Fully Patched Version: 3.3.13

Indicators of Attack

Most of the attacks we have seen are probing attacks to determine the presence of a vulnerable plugin. These may appear in your logs with the following query string:

/wp-admin/admin-ajax.php?action=add_custom_font

The vast majority of attacks are the work of just a few IP addresses.
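To check your own access logs for the probe signature above and see which sources account for it, the following added example (not part of the original post) parses combined-format log lines and counts matching requests per source IP. The log lines are constructed and use documentation-range addresses; the combined log format is an assumption about your server.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Constructed access-log lines (combined log format); IPs are from
# documentation ranges, not attacker addresses from the article.
SAMPLE_LOG = """\
203.0.113.7 - - [14/May/2022:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=add_custom_font HTTP/1.1" 200 58 "-" "curl/7.68.0"
203.0.113.7 - - [14/May/2022:10:01:05 +0000] "POST /wp-admin/admin-ajax.php?action=add_custom_font HTTP/1.1" 403 0 "-" "curl/7.68.0"
198.51.100.23 - - [14/May/2022:10:02:11 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 12 "-" "Mozilla/5.0"
198.51.100.23 - - [14/May/2022:10:02:40 +0000] "GET /wp-admin/admin-ajax.php?foo=1&action=add%5Fcustom%5Ffont HTTP/1.1" 200 58 "-" "Mozilla/5.0"
192.0.2.10 - - [14/May/2022:10:03:00 +0000] "GET /blog/?s=add_custom_font HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# client IP, request method, request target, response status
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')


def tatsu_probes(log_text):
    """Yield (ip, method, status) for requests matching the probe signature."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ip, method, target, status = m.groups()
        url = urlsplit(target)
        # parse_qs percent-decodes, so encoded variants of the action match too.
        actions = parse_qs(url.query).get("action", [])
        if url.path.endswith("/wp-admin/admin-ajax.php") and "add_custom_font" in actions:
            yield ip, method, int(status)


def probes_by_ip(log_text):
    """Count matching requests per source IP, most active first."""
    return Counter(ip for ip, _, _ in tatsu_probes(log_text)).most_common()
```

Only requests that carry the action in the query string are visible this way, because access logs do not record POST bodies.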

The top 3 attacking IPs have each attacked over 1 million sites:

148.251.183.254
176.9.117.218
217.160.145.62

An additional 15 IPs have each attacked over 100,000 sites.

Indicators of Compromise

The most common payload we’ve seen is a dropper, used to place additional malware, that is located in a randomly-named subfolder of wp-content/uploads/typehub/custom/ such as wp-content/uploads/typehub/custom/vjxfvzcd.

The dropper is typically named .sp3ctra_XO.php and has an MD5 hash of 3708363c5b7bf582f8477b1c82c8cbf8.

Note the dot at the beginning, which indicates a hidden file. This is necessary to exploit the vulnerability, as the exploit takes advantage of a race condition.

This file is detected by the Wordfence scanner.
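The indicators above can also be checked directly on disk. This added example (not from the original post) walks wp-content/uploads/typehub/custom/ under a site root and reports files matching the dropper's MD5 hash or file name, plus any other hidden PHP file. Flagging every dot-prefixed PHP file is an assumption that widens the published indicators, and the demo tree contains only constructed placeholder files.

```python
import hashlib
import os
import tempfile

# Indicator values quoted in the article.
DROPPER_MD5 = "3708363c5b7bf582f8477b1c82c8cbf8"
DROPPER_NAME = ".sp3ctra_XO.php"
UPLOAD_SUBDIR = os.path.join("wp-content", "uploads", "typehub", "custom")


def md5_of(path):
    """MD5 of a file, read in chunks so large uploads are not loaded whole."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_typehub(site_root):
    """Return sorted (relative_path, reason) findings under typehub/custom/."""
    findings = []
    # os.walk yields dot-files too and does not follow symlinked directories.
    for folder, _, names in os.walk(os.path.join(site_root, UPLOAD_SUBDIR)):
        for name in names:
            path = os.path.join(folder, name)
            if os.path.islink(path):
                continue
            rel = os.path.relpath(path, site_root).replace(os.sep, "/")
            if md5_of(path) == DROPPER_MD5:
                findings.append((rel, "md5 matches known dropper"))
            elif name == DROPPER_NAME:
                findings.append((rel, "dropper file name, different hash"))
            elif name.startswith(".") and name.lower().endswith(".php"):
                findings.append((rel, "hidden PHP file in uploads"))
    return sorted(findings)


def demo_findings():
    """Scan a constructed throwaway tree; file contents are harmless stand-ins."""
    with tempfile.TemporaryDirectory() as root:
        sub = os.path.join(root, UPLOAD_SUBDIR, "vjxfvzcd")
        os.makedirs(sub)
        for name in (DROPPER_NAME, ".cache.php", "font.woff"):
            with open(os.path.join(sub, name), "w") as fh:
                fh.write("constructed placeholder\n")
        return scan_typehub(root)
```

On a real site, call `scan_typehub` with the WordPress root directory; an empty list only means these specific indicators were not found.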

What Should I Do?

All Wordfence users with the Wordfence Web Application Firewall active, including Wordfence free customers, are protected against this vulnerability. Nonetheless, if you use the Tatsu Builder plugin, we strongly recommend updating to the latest version available, which is 3.3.13 at the time of this writing. Please note that version 3.3.12 contained a partial patch but did not fully address all issues.

If you know anyone using the Tatsu Builder plugin on their site, we urge you to forward this article to them as this is a large-scale attack and any vulnerable sites that are not updated and not using some form of a Web Application Firewall are at risk of complete site takeover.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

The post Millions of Attacks Target Tatsu Builder Plugin appeared first on Wordfence.
