PHP 8: What WordPress Users Need to Know

PHP 8.0 is set to be released on November 26, 2020. As the programming language powering WordPress sites, PHP’s latest version offers new features that developers will find useful and improvements that promise to greatly enhance security and performance in the long run. It also fully removes a number of previously deprecated functions. PHP 8 is a massive change from previous versions.

In this article, we hope to provide insights detailing what this means for WordPress site owners, including recommended adoption strategies.

Should I upgrade right away?

No. The upcoming major version of WordPress, 5.6, is intended to be “beta compatible with PHP 8” according to the November 18 WordPress dev chat. This means that most core WordPress functionality will work, but unexpected bugs may still occur for some time, even without the presence of additional plugins or themes. WordPress has called for additional testing with PHP 8 in order to find and fix as many remaining bugs as possible.

At Wordfence, our Quality Assurance team is working to ensure that our plugin is compatible with PHP 8 in a variety of environments. Upcoming Wordfence versions will offer a similar level of partial support, though we have additional testing planned to reach full compatibility.

A vast number of WordPress plugins and themes will not be immediately compatible with PHP 8. Those that do not run into fatal errors during normal usage may still show unexpected behavior for some time.

What breaking changes does this include?

Some developers have long argued that PHP is insecure by default. While this is up for debate, it’s true that versions of PHP prior to PHP 8 are more fault tolerant and try very hard to ensure that code will run even if minor errors are present.

PHP 8 uses much stricter typing than previous versions. Many built-in functions are now pickier about the input they accept, and PHP 8 itself is more stringent about how input is passed to functions. Issues that previously resulted in notices now result in warnings, and issues that previously resulted in warnings now result in errors.

In other words, PHP 8 is not as lenient as previous versions. It will not try quite as hard to make code work no matter what.

Some functions and features that were deprecated in PHP 7.x have been completely removed. These include:

  • The $php_errormsg variable
  • The create_function() function
  • The mbstring.func_overload ini directive
  • The real type
  • The allow_url_include ini directive
  • The restore_include_path() function
  • The each() function

While most of these are no longer widely used, we have identified that create_function is still used in over 5,500 WordPress plugins, including extremely popular plugins with millions of installations. In some cases use of these deprecated functions may be intended for backwards compatibility with older versions of PHP. Many plugins, however, will need extensive refactoring as PHP 8 becomes more utilized.
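As an added illustration (this code is not from the Wordfence article or from any plugin it mentions), here are PHP 8-compatible replacements for three of the removed features listed above; the hook, option and file names are constructed for the example.

```php
<?php
// Added example: PHP 8-compatible replacements for three of the removed
// features listed in the article. Hook, option and file names are
// constructed for illustration and belong to no real plugin.

// 1. create_function() -> closure.
//    create_function() compiled its body from a string, so any value
//    interpolated into that string became code (a stray quote in $prefix
//    would change the generated function). A closure captures $prefix as
//    data, and the same code runs on PHP 5.3 through PHP 8.
//
//    Before (fatal "Call to undefined function" on PHP 8):
//      add_filter('the_title', create_function('$title',
//          'return "' . $prefix . '" . $title;'));
function title_prefix_filter(string $prefix): Closure
{
    return function (string $title) use ($prefix): string {
        return $prefix . $title;
    };
}
// After: add_filter('the_title', title_prefix_filter(get_option('my_prefix')));

// 2. each() -> foreach.
//    Before:
//      while (list($key, $value) = each($settings)) { ... }
function sanitize_settings(array $settings): array
{
    $clean = [];
    foreach ($settings as $key => $value) {
        $clean[$key] = is_string($value) ? trim($value) : $value;
    }
    return $clean;
}

// 3. $php_errormsg -> error_get_last().
//    Before (also needed the removed track_errors ini setting):
//      @file_get_contents($path); $msg = $php_errormsg;
//    error_get_last() still records the error even when @ suppresses it.
function read_file_or_error(string $path): array
{
    $contents = @file_get_contents($path);
    if ($contents === false) {
        $err = error_get_last();
        return ['ok' => false, 'error' => $err['message'] ?? 'unknown error'];
    }
    return ['ok' => true, 'contents' => $contents];
}

// Stand-alone run without WordPress loaded.
$filter = title_prefix_filter('[Draft] ');
echo $filter('Hello world'), PHP_EOL;                 // [Draft] Hello world
print_r(sanitize_settings(['name' => '  site  ', 'n' => 3]));
print_r(read_file_or_error('/nonexistent/file.txt')); // ok => false, error => ...
```

A quick `grep -rn "create_function(" wp-content/plugins wp-content/themes` will surface the first pattern in an installation before it is tested on PHP 8.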

Quite a few plugins and themes also depend heavily on third party libraries. WordPress developers may need to wait until these are updated for compatibility. If these libraries are not maintained or updated for compatibility with PHP 8, it may be necessary to fork these libraries, find alternatives, or even rewrite plugins and themes from the ground up.

For more in-depth information about what’s changed, our friends at Yoast have produced an excellent compatibility report intended for developers looking to ensure their software is compatible.

What security concerns are there?

PHP allows something called “Type Juggling.” This means that it can treat strings containing numbers the same way it treats integers or floats, and can perform math and do comparisons between these different types as long as the loose comparison operator == is used instead of the strict comparison operator ===. For developers, Type Juggling can be very useful and save time when writing code, but it can sometimes lead to unusual behavior.

A classic example of how Type Juggling can cause issues is that comparing 0 == "blah" will return true. PHP 8 fixes this type of behavior so that these and similar comparisons (e.g., 0 == "0blah") will return false.

By and large, this will actually improve security. There are a number of exploits that can take advantage of PHP’s Type Juggling behavior to bypass nonstandard cookie, nonce, or password checks. Nonetheless, a large number of plugins use these loose comparisons, sometimes for critical functions. In most cases these will continue to work correctly when using PHP 8, but a few of them might actually rely on incorrect behavior in order to function properly. In a few rare circumstances, this might open up new security holes.
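To make the comparison change concrete, here is an added example (not code from the Wordfence article); the token-check functions and the sample token values are constructed for illustration, and the commented results follow PHP's documented comparison rules for 7.4 and 8.0.

```php
<?php
// Added example: how PHP 8's string-to-number comparison change affects
// loose (==) checks, and why a check guarding anything sensitive should
// not depend on == on any PHP version. Token values are constructed.
declare(strict_types=1);

/**
 * Evaluate the comparisons discussed in the article under the running PHP.
 * A non-numeric string compared with an int is now compared as strings
 * (0 becomes "0"), instead of the string being cast to 0 as in PHP 7.
 */
function comparison_results(): array
{
    return [
        '0 == "blah"'    => 0 == "blah",    // PHP 7: true,  PHP 8: false
        '0 == "0blah"'   => 0 == "0blah",   // PHP 7: true,  PHP 8: false
        '0 == ""'        => 0 == "",        // PHP 7: true,  PHP 8: false
        '"1" == "01"'    => "1" == "01",    // both: true (two numeric strings)
        '"10" == "1e1"'  => "10" == "1e1",  // both: true (two numeric strings)
        '"0e1" == "0e2"' => "0e1" == "0e2", // both: true (0*10^1 == 0*10^2), still a trap
        '0 === "blah"'   => 0 === "blah",   // both: false (strict comparison)
    ];
}

/**
 * A nonstandard token check of the kind the article warns about.
 * PHP 8 closes the int-vs-non-numeric-string case, but two numeric-looking
 * strings are still compared numerically, so == remains the wrong tool.
 */
function weak_token_check(string $submitted, string $stored): bool
{
    return $submitted == $stored;   // loose comparison: version-dependent
}

/**
 * Hardened form: same type, constant time, no juggling on any PHP version.
 */
function safe_token_check(string $submitted, string $stored): bool
{
    return hash_equals($stored, $submitted);
}

foreach (comparison_results() as $expr => $result) {
    printf("%-16s => %s\n", $expr, var_export($result, true));
}

// Constructed sample values: a stored token that happens to look numeric.
$stored = "0e1234";
printf("weak check with '0e9999': %s\n", var_export(weak_token_check("0e9999", $stored), true)); // true on PHP 7 and 8
printf("safe check with '0e9999': %s\n", var_export(safe_token_check("0e9999", $stored), true)); // false
printf("safe check with '0e1234': %s\n", var_export(safe_token_check("0e1234", $stored), true)); // true
```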

The onus of updating code for compatibility with PHP 8 could prove to be too much for some developers, and many plugins and themes may end up abandoned, though this is less likely to happen for plugins and themes with a large install base. Any security issues in these abandoned plugins and themes would go unpatched, which could prove disastrous.

Likewise, many websites may remain on an insecure version of PHP in order to keep their legacy plugins running.

Finally, certain strains of malware rely on deprecated functions as well as PHP’s fault tolerance in order to obfuscate their intentions. These strains will cease to function or become more noticeable in a PHP 8 environment, but malware authors will adapt in time.

What performance changes are coming?

One potentially exciting feature coming to PHP 8 is JIT, or “Just In Time” compilation. PHP is an interpreted language: its source is compiled to opcodes that PHP’s engine executes as the script runs. JIT keeps track of code that’s frequently executed and compiles it to native machine code that can be reused on later runs instead of being interpreted again. This can result in a massive performance improvement for specific functionality.

The addition of JIT to other languages, such as JavaScript, has historically led to an explosion of new applications. For example, virtual machines running in JavaScript would have been unimaginable in the early days of the web. Certain tasks that would have required a module to be installed on the server in the past will become practical using pure PHP libraries.

For the time being, however, the actual performance improvement for web applications such as WordPress is minimal, and it will take a long time before the average WordPress user or developer reaps the benefits of this new feature.

While there are many other new features to make developers’ lives easier, it is unlikely that these will be used in WordPress plugins and themes for the foreseeable future, as most would break backwards compatibility with earlier versions of PHP still in use by many WordPress sites.

How long do developers have to update?

Each version of PHP has a life cycle of 2 years during which bugs are fixed, and an additional year during which security issues are patched. PHP 7.4 came out in November 2019. As the final version of PHP 7, this means that bugs in PHP 7.4 will be fixed until November of 2021, and security issues will be patched until November of 2022, at which point it will reach its “End of Life”. This means that November 2022 can be considered a hard cutoff date: all PHP code should be compatible with PHP 8.0 at minimum by this time, or risk being stuck on a potentially vulnerable version of PHP.

Conclusion

The transition to PHP 8 is one of the broadest and most impactful changes the language has ever seen. While it will be worth it in the long run, WordPress site owners and developers may be in for a rough ride in the short term. If you’re a website owner, start keeping a watchful eye on which of your plugins and themes are being updated or tested for compatibility and make a plan to replace the ones that aren’t. If you’re a developer, start testing your code and any dependencies on PHP 8, if you’re not already, and start making a plan to fork or replace any libraries that aren’t being updated. The WordPress ecosystem has been through difficult transitions in the past, and our open-source community has always grown and adapted.

Special thanks to QA Lead Matt Rusnak and Lead Developer Matt Barry for their assistance with this article.

The post PHP 8: What WordPress Users Need to Know appeared first on Wordfence.

Episode 96: Hosting Provider Failures and Incident Response Preparedness

Two hosting providers experienced outages this week. GoDaddy had a brief outage affecting numerous systems on Tuesday, November 17. Managed.com had an extensive outage due to ransomware that affected all systems. We discuss what types of incident response preparations site owners should consider when events beyond their control occur.

We also discuss a large-scale attack targeting themes using the Epsilon Framework, the new head of security at Twitter, and an Android chat app exposing private messages.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:26 Large-Scale Attacks Target Epsilon Framework Themes
3:04 Ransomware attack forces web hosting provider Managed.com to take servers offline
6:51 GoDaddy had an outage
11:21 Twitter Hires Mudge as head of security
14:45 Android chat app exposes private messages

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.


Episode 96 Transcript

Ram Gall:
Hello and welcome to episode 96 of Think Like a Hacker, the Wordfence podcast where we tell you about security, hacking, and other stuff related to security and hacking. I’m QA Engineer and Threat Analyst Ramuel Gall, and my co-host here is Kathy Zant.

Kathy Zant:
It is Kathy Zant, the Director of Marketing here at Wordfence. We’re really happy to be here. We have a number of stories about security and WordPress this week. Ram, you noticed this first story about this large scale attack targeting Epsilon Framework Themes. Tell us more.

Ram:
Maybe a couple of months ago, it was disclosed that I want to say maybe 15 themes all using the Epsilon Framework were vulnerable to what we call a function injection vulnerability.

Kathy:
What’s a function injection vulnerability?

Ram:
We’ve talked about object injection vulnerabilities in the past. Function injection vulnerabilities are kind of like a more powerful version of that. Basically with this an attacker could execute any public static function in a loaded class and provide parameters to it. So it’s a little bit more limited than a full remote code execution (RCE) since they can’t execute completely arbitrary code, but it wouldn’t rely on magic methods.

Ram:
For instance, if they were aware of a static function already loaded in most WordPress installations that could provide full RCE, they could take advantage of that and gain full RCE.

Kathy:
Okay. Were these attackers actually getting RCE on any of these sites?

Ram:
So there were about 1.6 million sites attacked on Tuesday, that was the 17th, in a single day. We had about 7.8 million attacks overall. But for the time being, it looks like they were just probing attacks. They were basically sending out requests against the vulnerable AJAX actions to see if a vulnerable theme was installed. Because if a vulnerable theme was installed, it would reply with a specific response saying that, hey, you need to provide the function you want to execute, rather than just a 400 bad request.

Ram:
We actually tracked it, and we’ve had attacks against 2.3 million sites at this point. That’s a majority of our user base. And I mean, clearly these attackers are not only attacking sites with Wordfence installed. The actual number of sites attacked is probably significantly larger than that because not everyone has Wordfence yet.

Kathy:
Okay. So if they’re just doing probing attacks, they’re basically collecting data maybe for another attack in the future?

Ram:
Yeah, that does sound like the case. And here’s the good news, Wordfence, even the free version of Wordfence, does protect you against these attacks. However, we still strongly recommend heading over to the article, checking to see if you have any of the themes mentioned there installed on your site, and updating it as soon as possible.

Kathy:
Good plan. And we will have a link to that blog post with the list of all of those themes in our show notes. So head to wordfence.com/podcast and find episode 96, which is this episode, and we’ll have links right there for you. Next, we saw a hosting provider, Managed.com, that has basically been down it looks like all week, hasn’t it?

Ram:
Yeah, I think so. Let’s check if it’s still down. Kind of looks like they’re still down.

Kathy:
What’s going on with this?

Ram:
Well, apparently it was ransomware by the REvil, REvil. Is that REvil or REvil operation?

Kathy:
I’d say REvil.

Ram:
REvil! In case you don’t know, ransomware is where an attacker gets into your system and encrypts all your data so that you can’t use it or access it and then demands a ransom in some kind of cryptocurrency, usually Bitcoin or Monero. REvil is a ransomware as a service. I guess they got their start back in April of 2019, and they’re currently one of the largest ransomware operations. They claim to have earned over a hundred million dollars a year in extortion payments, which means that some people are definitely paying their ransom. It looks like about a quarter of victims do.

Kathy:
Yeah. I saw an article on ZDNet when I was researching ransomware why it’s still so successful and how a hundred million dollars a year in extortion payments could have been collected by this one ransomware service. It looks like about a quarter of victims opt to pay the ransom in order to get their data unencrypted. Now, people are using Managed.com not only for website hosting, but they’re using it for DNS service. They’re using it for their email. And this attack started on it looks like Monday, November 16th.

Kathy:
So people have basically been down all week and don’t know what’s going to happen or how this ransomware got in there, but it’s definitely something that we’re watching.

Ram:
Yeah. It does look like the attackers are actually asking for under the market rates. They’re only asking for $500,000 when I guess the average payout is a million dollars.

Kathy:
Wow. What a bargain.

Ram:
Ah. Yeah. So how do you defend against ransomware? We keep on bringing up backups and specifically offsite backups.

Kathy:
Yes. You don’t want to back up to the same system that could be encrypted by ransomware. Definitely you want to have backups somewhere else. But I mean, these attackers are getting in with ransomware somehow. This means that they’re either exploiting vulnerabilities, socially engineering someone to exploit the human element of security. Either way, what would be your recommendation to protect against ransomware like this, Ram?

Ram:
Realistically, it could also be breached credentials, by the way. Those are extremely common. But on a just basic small host, small business level, it’s not likely to happen to your WordPress site. I mean, it can. I’ve seen it happen to WordPress sites, but it’s not that likely. But on an enterprise level, make sure that you have your users trained against social engineering. Make sure you require two-factor authentication for any accounts that have any real level of access.

Ram:
Make sure you have someone in charge of security at your company who understands these things and knows how to set policies to help prevent them. And make sure that person also believes in backups.

Kathy:
Backups, backups, backups.

Ram:
Yes.

Kathy:
So just basic security. You cannot operate any business in the world right now without having some basic security protections in place. And that goes for your systems and making sure everything’s updated, as well as your people and making sure that their systems in their heads are updated so that they’re thinking with a security mindset.

Ram:
Also, one of the things about ransomware is that it typically doesn’t happen all at once. Typically, it takes some time for them to get through enough of the network to make a difference. Which is why it’s a good idea to have a good incident response plan. And speaking of which, I hear GoDaddy had an outage and that was-

Kathy:
Ah, they did.

Ram:
…on the 17th. So yeah, that was-

Kathy:
Tuesday.

Ram:
Yeah, Tuesday.

Kathy:
It looked like it happened in the evening, about 7:00 PM Pacific Time. Even their homepage was down. So it looks like it affected a number of different systems. It affected hosting customers, as well as GoDaddy’s forward-facing systems. What do you know about this, Ram?

Ram:
So disclosure, I used to actually work at GoDaddy. They have a really good incident response team. I mean, that’s not to say that things weren’t pretty much always on fire, but that’s why they have a really good incident response team.

Kathy:
They’re the largest hosting provider I think in the world right now, aren’t they? In terms of number of sites that they host. I mean, they…

Ram:
It’s got to be either of them or AWS, but I think they’re probably the largest shared hosting provider in the world.

Kathy:
Yeah, definitely. They are a behemoth. So there are a lot of websites, WordPress and otherwise, that are hosted on GoDaddy systems. So with GoDaddy being down, a lot of customers were affected. Now, I’ve lived through a lot of internet companies who have gone through growing pains. I’ve had sites down for days at a time, and it’s incredibly frustrating for an end user. I mean, what would we recommend to our customers who are like hosted somewhere, that you have a site that’s receiving a lot of traffic and your customers are wondering what’s going on?

Kathy:
And this is beyond your control because your hosting provider is down and there’s not much you can do. What can someone do in that kind of situation?

Ram:
Having some degree of redundancy is a good idea. We’ll talk about things like having a hot site or a warm site backup. And although these usually refer to being able to move offices, you can sort of use that as an analogy. If you have backups in place, if you’ve got those backups collected somewhere safe and you think the outage is going to last awhile, and you still have access to your domain’s DNS, you can temporarily basically restore everything to a separate host.

Ram:
If your site is critical enough, if your site is mission critical, having that kind of redundancy in place is a really good idea.

Kathy:
Sure. Also, just having a place where you can communicate with your customers that isn’t dependent upon that site, isn’t depending upon that hosting provider, that you have social media in a number of places, that you have maybe a status dot your domain.com subdomain, as long as your DNS is not down, right?

Ram:
There’s sort of an in-joke in security and I think operations circles as well, and that’s that anything that goes wrong, it’s always DNS.

Kathy:
It’s always DNS. Yeah.

Ram:
It is always DNS.

Kathy:
Right.

Ram:
I mean, I’m kind of surprised that Managed.com wasn’t DNS. That time was actually attackers. That time was actually ransomware and not DNS.

Kathy:
Yeah. Yeah. But I mean, if somebody has an incident response plan in place for their business for an incident like this, something goes down that you have no control over, an intrusion occurs, you think through these types of events ahead of time so that you have written down somewhere, “this is what you do” so that you don’t have to like have clear thinking when everybody’s running around with their hair on fire, right?

Ram:
You follow the plan. You know who is supposed to be in charge of executing the plan. You know who to contact. You have phone numbers where people can be reached who are responsible for doing different parts of the plan. You have a way to set up a bridge call so that everyone can communicate and talk over what they’re doing to make the incident response plan happen.

Kathy:
Right. And also have a piece of that incident response plan be “how do you communicate to customers?” How do you communicate to the media if it’s a high profile type of attack.

Ram:
When do you communicate to customers.

Kathy:
Yes.

Ram:
How long does the outage have to go on before you’re like, we should tell people.

Kathy:
Exactly. Exactly. There’s a bunch of guides I found online that talk about incident response and best practices in developing incident response. So maybe we’ll throw some of that in the show notes as well.

Ram:
Yes. Are you going to be able to wake up your developers at 2:00 in the morning to fix stuff. And I mean, do you have an on-call rotation? That kind of thing.

Kathy:
Yes. All important things to consider. Hey, I bet Twitter’s got something like that now. What do you think?

Ram:
I’m sure Twitter has had something like that for a while, but it looks like their security is about to get a lot better. Famed hacker Mudge, Peiter Zatko… Here’s the thing, the names always sounded kind of familiar, but I actually had to look him up because he doesn’t really have a cult of personality going around and he’s just, by all accounts, just a super standup guy. I keep on looking at what he’s done. It’s like, oh, hey, I totally read his like buffer overflow exploit intro thing back in the day. And oh, he’s the guy who wrote L0phtcrack.

Ram:
And it’s just like, wow, this guy has been behind a lot of the like really interesting security innovations of the last few decades.

Kathy:
And security education. Twitter has hired Mudge as head of security, which I think is incredibly newsworthy for the security world. And I don’t think a lot of people… I mean, I was the same way as like, L0phtcrack? I remember using that way back in the day. It’s been around forever. I mean, he is a legend in the security world. But this is going to have a huge impact not just on the security at Twitter, which I think needs a little help. They’ve had a high profile intrusion that seems to have been from social engineering earlier this year.

Kathy:
I think it was this summer, July maybe. And now that he’s going to be head of security there, what are some of the things that you think that we can look forward to with Twitter and security there?

Ram:
Improving policy is honestly one of the biggest ways that you can make a difference. Improving user education. But he did propose confusing bad actors by manipulating the data they receive from Twitter about how people interact with their posts. If you’ve got a bunch of bots, maybe you might, for some reason, not want to suspend their accounts. But at the very least, if you can identify them, you can prevent them from getting decent analytics on how their posts are doing.

Kathy:
He’s definitely going to make security at Twitter… And that’s going to have sort of a trickle down like anything on Twitter. I mean, it’s sort of the behemoth of social media at this point of anything that is happening in the world. I always call it like earthquake Twitter. When I lived in California and there was an earthquake, it was like, okay, hit Twitter. Where was this? That was the first place we would look. It is such a touchpoint of what’s happening in the world, whether it be politics or an earthquake or anything else.

Kathy:
So having Mudge be the head of security there is definitely going to have an effect in how conversations are happening. In this article on Reuters, he definitely praised a recent change at Twitter where people are now being encouraged to add to the conversation rather than just re-tweeting something without providing some kind of commentary themselves. Those types of things, I think it’s going to be a good thing for Twitter. What do you think?

Ram:
I think it’s definitely going to be an improvement. Twitter is a large company that grew extremely quickly, so I’m sure that there are still things that are held together with duct tape and bubble gum in a few critical places. But having someone who’s used to working with that and finding those things is definitely going to go a ways towards getting them improved.

Kathy:
Definitely something to watch. Hey, I bet you that GO SMS has some bubble gum and toothpicks somewhere.

Ram:
Oh, okay. There’s an Android app called GO SMS Pro, and I guess it’s installed on a hundred million phones.

Kathy:
Yeah.

Ram:
I wanted to say sites for a second, because we’re always talking about this being installed on 5 million websites or a hundred thousand websites. This is not sites. This is phones.

Kathy:
And what’s going on?

Ram:
Android phones. This is actually really bad. If a user sent a media message to someone else that wasn’t using the app, it would generate a shortened URL linking to that media on their CDN. You just click the shortened link to view the image or the voice recording or the whatever. And this is something known as an IDOR, an insecure direct object reference, where you can just sort of go through a bunch of like ID equals one, ID equals two, ID equals three to see what’s related to each ID being referenced.

Ram:
In this case, the content was sequentially stored in hexadecimal format on their CDN. And basically it was possible to just go through all the links on the CDN to scoop up some pretty scary stuff. Things like photos of users’ cars, screenshots of other messages and Facebook posts, explicit photos, videos, audio recordings, and photos of sensitive documents. So like basically all this stuff you don’t really want to be public, period.

Kathy:
So it looks like this vulnerability was discovered by Trustwave and they disclosed the vulnerability on August 18th and did not receive a reply. After 90 days of their initial responsible disclosure to the GO SMS Pro developers, they did not receive anything back. So now it is a public… I wonder if anybody else other than the security researchers at Trustwave has discovered this and found anything sensitive.

Ram:
Here’s the thing, the longer you wait… Responsible disclosure is important, because you absolutely do want to give developers time to fix something. But the longer you wait, the bigger the chance of someone independently discovering this and exploiting this in the wild. And for something like this where it’s a pretty simple hack. You can just… I’m not going to tell you how to do it, but I’m fairly sure that pretty much everyone we work with could look at that article and go, “I know how to do this.”

Kathy:
Yeah, exactly.

Ram:
So something like that, it’s almost definitely being exploited in the wild already. And we still haven’t heard from them. No one has heard anything from them in 90 days. Uninstall that app, please, as soon as possible if you have it installed on your Android phone. Is it Android? Yeah. It’s Android.

Kathy:
Yeah, it’s just Android. A hundred million people are using this. If you are using GO SMS Pro, it’s time to stop. I don’t have this app. I don’t have Android, so I don’t know if there’s any way to delete your previous messages. But if there is, you might want to.

Ram:
Yeah. I mean, I use Signal. Telegram is supposed to be really good. But honestly, this is less secure than standard SMS or MMS. This is less secure than just plain old over the phone messages.

Kathy:
Right, and there are problems with SMS messages as it is. Signal. Signal is my favorite. Except every time I have a contact, like someone I haven’t even talked to in 10 years, but they’re still on my contacts list, it’s like, hey, this person that you probably don’t want to talk to, they’re now on Signal. Just thought we’d let you know.

Ram:
I’ve gotten so many of those. Oh man. It’s like now I know which of my friends are paranoid. But in the interest of paranoia, one of the downsides to just about any SMS application is that the built-in keyboard on your phone can read what you’re typing into it even if it’s end-to-end encrypted. If your phone does get infected with any kind of malware or anything like that, information leakage, then an end-to-end encrypted messaging app is not going to really help that much.

Kathy:
Right. Right. It’s just another reminder. Be careful with the apps you’re using, but also keep your phones updated. And if something is highly sensitive, just maybe don’t send things over the wires or the air.

Ram:
I mean, don’t necessarily shame people, but yeah, security breaches happen.

Kathy:
All the time.

Ram:
Way too often.

Kathy:
Just expect them and make your behavior or adjust your behavior accordingly, I suppose. So that’s all the news we have this week. We are hiring. Head over to Wordfence.com. Scroll to the bottom. See careers. If you are not on our mailing list, you might want to get on our mailing list. There is a link down there as well. Because whenever we find a vulnerability in WordPress, we make sure that our users are the first to know about that. There’s no cost to being on that mailing list to sign up.

Kathy:
We don’t send a lot of marketing emails at all, and we might have some stuff in the footer, but perhaps that would be good for you to know if you have a WordPress site. And of course, subscribe to the podcast as well while you’re over there if you want to get notified when we post a new podcast. That’s all we’ve got this week. Anything else, Ram?

Ram:
It’s been a pleasure as always.

Kathy:
It’s always a pleasure, isn’t it?

Ram:
It is.

Kathy:
And next week, I think we’re going to take next week off because it is Thanksgiving. So we will be back the week after that. Have a good one and thanks for listening.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.

The post Episode 96: Hosting Provider Failures and Incident Response Preparedness appeared first on Wordfence.

Wordfence Site Cleaning Guarantee Extended to 1 Year

Today, we’re pleased to announce that all customers of Wordfence site cleaning services receive a 1-year clean site guarantee. If your site is compromised again after our team has cleaned and secured your WordPress site, we’ll clean it again for free. Additionally, we’re expanding our Security Services Team coverage to 24/7 effective immediately.

The Wordfence Security Services Team is a group of highly experienced and deeply technical individuals from around the world who help Wordfence customers recover and secure their sites after their WordPress sites are hacked. They’ve helped thousands of customers thwart hackers, protect their WordPress sites, and deepen their security understanding after a compromise.

We’re so confident in our processes, the protection afforded by Wordfence, and the support provided to our customers, we’re willing to put our guarantee on your site’s protection for a full year, as long as you follow our recommendations.

That means that if your site goes through our site cleaning process and you follow the recommendations detailed in the final report, we’ll clean your site again for free if the unthinkable happens and your site gets hacked again within a year.

With this change to our guarantee, our Security Services Team is expanding coverage and readiness for handling site cleaning requests. We now have team members in the USA, Europe and Australia providing around the clock coverage.

If you have requested a VIP Priority site cleaning, our team will be in contact in less than 4 hours, no matter the time of day or night, 24/7/365. This coverage includes weekends and holidays.

As WordPress matures and more sites require mission critical protection, Wordfence has your back. With these enhancements you can rest assured that a site cleaning gives you one year of coverage from our team, and if your site does get reinfected after following our recommendations, we are available any time, day or night, to help you and your team.

The post Wordfence Site Cleaning Guarantee Extended to 1 Year appeared first on Wordfence.

Large-Scale Attacks Target Epsilon Framework Themes

On November 17, 2020, our Threat Intelligence team noticed a large-scale wave of attacks against recently reported Function Injection vulnerabilities in themes using the Epsilon Framework, which we estimate are installed on over 150,000 sites. So far today we have seen a surge of more than 7.5 million attacks against more than 1.5 million sites, coming from over 18,000 IP addresses. While we occasionally see attack waves against a large number of sites, most of them target older vulnerabilities.

This wave of attacks is targeting vulnerabilities that have only been patched in the last few months. All Wordfence users are protected against these attacks, including Wordfence Premium customers and sites still running the free version of Wordfence.

Vulnerable Themes

The following themes are vulnerable in the versions listed:

Shapely <=1.2.7
NewsMag <=2.4.1
Activello <=1.4.0
Illdy <=2.1.4
Allegiant <=1.2.2
Newspaper X <=1.3.1
Pixova Lite <=2.0.5
Brilliance <=1.2.7
MedZone Lite <=1.2.4
Regina Lite <=2.0.4
Transcend <=1.1.8
Affluent <1.1.0
Bonkers <=1.0.4
Antreas <=1.0.2
NatureMag Lite <=1.0.5

Probing attacks – For now

For the time being, the vast majority of these attacks appear to be probing attacks, designed to determine whether a site has a vulnerable theme installed rather than to run a full exploit chain, though these vulnerabilities can be used for full Remote Code Execution (RCE) leading to site takeover. Even though all Wordfence users are protected, we strongly recommend updating as soon as possible. We are not providing additional detail on the attacks at this time, as the exploit does not yet appear to be in a mature state and a large number of IP addresses are in use. The attacks are POST requests to admin-ajax.php, and because web server access logs record the request line but not the POST body, they look like the ordinary admin-ajax.php traffic every WordPress site generates; they are, however, visible in Wordfence Live Traffic.

What should I do?

If your website is running one of these themes, it is critical to update to a patched version if one is available. If no patched version is available, temporarily switch to another theme or use a firewall such as Wordfence, Premium or free, that blocks these attacks. If you have customized one of these themes directly rather than through a child theme, download a backup copy of the current version before updating, since the update will overwrite your changes. If anyone you know is running any of these themes, please share this article so they can update as well.
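The quickest way to answer "is my site running one of these versions?" is to read the header of each installed theme's style.css, which is where WordPress itself reads the theme name and version. The script below is an added example, not code from the Wordfence post or from the theme vendors; it transcribes the version list above into a table and compares each installed theme against it with PHP's version_compare, honouring the one "<" entry (Affluent) versus the "<=" entries. It assumes the display names in the list match the "Theme Name:" header of each theme (matched case-insensitively), and it only tells you whether a vulnerable version is installed, not whether the site has already been attacked.

```php
<?php
// Added example, not code from the Wordfence post or from the theme vendors.
// Scans a wp-content/themes directory and flags themes whose style.css header
// reports a version inside the vulnerable range listed in the post.
// Usage: php check-epsilon-themes.php /var/www/html/wp-content/themes
// With no argument it runs against constructed sample headers.

// Lower-cased theme name => [ boundary version, whether the boundary itself is vulnerable ].
// Transcribed from the post: Affluent is "< 1.1.0", every other entry is "<=".
const VULNERABLE_THEMES = [
    'shapely'        => [ '1.2.7', true ],
    'newsmag'        => [ '2.4.1', true ],
    'activello'      => [ '1.4.0', true ],
    'illdy'          => [ '2.1.4', true ],
    'allegiant'      => [ '1.2.2', true ],
    'newspaper x'    => [ '1.3.1', true ],
    'pixova lite'    => [ '2.0.5', true ],
    'brilliance'     => [ '1.2.7', true ],
    'medzone lite'   => [ '1.2.4', true ],
    'regina lite'    => [ '2.0.4', true ],
    'transcend'      => [ '1.1.8', true ],
    'affluent'       => [ '1.1.0', false ],
    'bonkers'        => [ '1.0.4', true ],
    'antreas'        => [ '1.0.2', true ],
    'naturemag lite' => [ '1.0.5', true ],
];

// Extract "Key: Value" header fields the way WordPress's get_file_data() does:
// the field name at the start of a comment line, followed by a colon, with any
// trailing comment terminator stripped from the value.
function parse_theme_header( string $css ): array {
    $fields = [];
    foreach ( [ 'Theme Name', 'Version', 'Template' ] as $field ) {
        if ( preg_match( '/^[ \t\/*#@]*' . preg_quote( $field, '/' ) . ':(.*)$/mi', $css, $m ) ) {
            $fields[ $field ] = trim( preg_replace( '/\s*(?:\*\/|\?>).*/', '', $m[1] ) );
        }
    }
    return $fields;
}

// True when the installed version falls inside the vulnerable range for that theme.
function is_vulnerable_theme( string $name, string $version ): bool {
    $key = strtolower( trim( $name ) );
    if ( ! isset( VULNERABLE_THEMES[ $key ] ) ) {
        return false;
    }
    [ $boundary, $inclusive ] = VULNERABLE_THEMES[ $key ];
    return version_compare( $version, $boundary, $inclusive ? '<=' : '<' );
}

// Scan every <themes>/<slug>/style.css. A child theme's Template field names its
// parent; the parent's own style.css is scanned as well, so the parent is what
// gets flagged if it is the vulnerable one.
function scan_themes_dir( string $dir ): array {
    $results = [];
    foreach ( glob( rtrim( $dir, '/' ) . '/*/style.css' ) ?: [] as $file ) {
        $header = parse_theme_header( (string) file_get_contents( $file ) );
        if ( empty( $header['Theme Name'] ) || empty( $header['Version'] ) ) {
            continue;
        }
        $results[ basename( dirname( $file ) ) ] = [
            'name'       => $header['Theme Name'],
            'version'    => $header['Version'],
            'parent'     => $header['Template'] ?? null,
            'vulnerable' => is_vulnerable_theme( $header['Theme Name'], $header['Version'] ),
        ];
    }
    return $results;
}

if ( PHP_SAPI === 'cli' && isset( $argv[1] ) ) {
    foreach ( scan_themes_dir( $argv[1] ) as $slug => $r ) {
        printf( "%-20s %-16s %-8s %s\n", $slug, $r['name'], $r['version'],
            $r['vulnerable'] ? 'VULNERABLE: update or switch theme' : 'ok' );
    }
} else {
    // Constructed style.css headers for a dry run without a WordPress install.
    $samples = [
        "/*\nTheme Name: Shapely\nVersion: 1.2.7\n*/",  // last version in the vulnerable range
        "/*\nTheme Name: Shapely\nVersion: 1.2.8\n*/",  // above the boundary, reported ok
        "/*\nTheme Name: Affluent\nVersion: 1.1.0\n*/", // boundary is "<", so not vulnerable
    ];
    foreach ( $samples as $css ) {
        $h = parse_theme_header( $css );
        printf( "%-10s %-6s %s\n", $h['Theme Name'], $h['Version'],
            is_vulnerable_theme( $h['Theme Name'], $h['Version'] ) ? 'vulnerable' : 'ok' );
    }
}
```

Run it against the themes directory of each site you manage; anything reported as VULNERABLE should be updated or swapped out, and if the theme directory is present but inactive, remove it rather than leaving the vulnerable code on disk.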


Episode 95: Critical Privilege Escalation Vulnerabilities Affect Over 100K WordPress Sites

Three critical privilege escalation vulnerabilities in the Ultimate Member plugin put over 100,000 sites at risk. We also talk about the Page Experience metric to be added as a ranking signal for Google search in May 2021 and what this means for WordPress sites using page builders or Gutenberg.

Microsoft warns against using telephone/SMS-based multi-factor authentication, and two zero-day vulnerabilities were patched in Google Chrome. Microsoft patches more than 110 vulnerabilities as part of November’s Patch Tuesday.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:44 Critical Privilege Escalation Vulnerabilities in the Ultimate Member Plugin
4:42 Are WordPress Websites Ready for Page Experience as a Ranking Signal?
10:40 Google Patches 2 More Chrome Zero Days
12:39 Intel SGX defeated yet again—this time thanks to on-chip power meter
16:09 Microsoft urges users to stop using phone-based multi-factor authentication
20:37 Microsoft November 2020 Patch Tuesday Arrives with Fix for Windows Zero Day

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 95 Transcript

Kathy Zant:
Welcome to Think Like a Hacker, the podcast about WordPress, security, and innovation. I’m Kathy Zant, Director of Marketing here at Wordfence. And with me, my cohost-

Ram Gall:
Ramuel Gall. I am a QA Engineer and Threat Analyst at Wordfence, and yes, we are hiring. Would you like to work with us? Because we’re awesome.

Kathy:
We are awesome. And we have a number of positions available. If you go to wordfence.com, scroll to the footer and click on careers, you can see them. I think our most desired position right now that we are hiring for is a security operations, senior engineer type of person. So if you like operations and playing with servers and all of that fun stuff, and you think security is awesome, we would love to talk to you. We have some interesting stories. What’s our first one, Ram?

Ram:
Well, this one was one of Chloe Chamberland’s finds. It was a critical, or actually three critical privilege escalation vulnerabilities, in the Ultimate Member plugin, which is installed on 100,000 sites.

Kathy:
It is. It looks like she discovered this on October 23rd, and that’s when Wordfence Premium customers received their firewall rules. Tell me a little bit about some of these vulnerabilities. It looks like a user registration form lacked some checks.

Ram:
Yeah. So effectively for two of them, the main problem was that by default, Ultimate Member creates a registration page where people can sign up to your website. Unfortunately, it also used a function that just grabbed whatever you submitted for the role selected, or the capabilities selected, or the user level you selected, and just added that into the new user’s information. So if you sent it a request, if you basically capture the request when you registered on the form, and just added, “Hey, I want to be an administrator,” to that request, then it would make you an administrator.

Kathy:
Oh. So just anyone running Ultimate Member, you could just sign up for a new account and say, “Hey, I’d like to be an administrator.” That sounds fun.

Ram:
Yeah, I want to be in charge of this site now.

Kathy:
Scary. It also looks like attackers could enumerate current custom Ultimate Members’ roles. So they have some custom roles available with this membership plugin, and they could figure out what those were.

Ram:
They could. Now I mean, bear in mind that a lot of the roles would have to be created by the site administrator first.

Kathy:
Sure.

Ram:
So if the site administrator created the custom role, then the user could register as that role. But in a lot of cases, even without that, even if the site owner didn’t actually create these custom roles, an attacker could still change their capabilities to whatever they wanted. So I feel like that’s something that would be a lot more widely exploited.

Kathy:
Yeah. Yeah, definitely.

Ram:
The other one is that if you’re updating your profile, you could also change your role there, which I think was kind of a bigger deal as once you created a user, even if you didn’t sign up as an administrator, from there, you could then change yourself to an administrator. So.

Kathy:
Yikes. That sounds pretty scary. So it looks like they patched this on October 29th, which fixed all of these vulnerabilities, right?

Ram:
Correct. If you are running this plugin, please update. Free users won’t get this rule until November 22nd. If you’re updated, you’re safe. If you’re not updated, please update. I mean, even if you’re using Wordfence Premium, still update. But especially if you’re not, update that plugin.

Kathy:
Especially, yeah. It’s always important. One of the greatest benefits of using Wordfence is the fact that it helps you stay on top of all of these updates, because if you’re running any kind of software, whether it is your computer at home, Google Chrome, which we have a story about that coming up, or Windows, whatever you’re using, you have to make sure that your software is continuously updated because there’s always going to be vulnerabilities, bug fixes, patches. Update, update, update.

Ram:
I know it feels like a lot to handle, but if your business is literally relying on your website, then it’s definitely worth the investment of time and effort because you can’t afford not to.

Kathy:
Right. Unless you’re trying to do the whole passive income, right?

Ram:
Well, there’s no such thing as passive income. It’s like a garden.

Kathy:
It is. It is. I mean, there’s a lot of people out there on the internet who are pushing these ideas of passive income. “Just set up a WordPress website and all the money will just come in.” But still, you still have an asset of a WordPress website that you have to maintain like same way you’d maintain your car or your house or-

Ram:
Yeah, spend an hour a week on it, maybe even less depending. But if you get an alert that you have an update ready, like Wordfence Central will tell you if you’ve got some plugins that needed to be updated on one of your sites, then maybe you should go in and update it sooner.

Kathy:
Yes, indeed. So we have another story from WPTavern, and this is about Google adding a new metric as a ranking signal for search. What’s this all about?

Ram:
So the new metric is called Page Experience and it’s a composite metric of three things that they’ve figured matter to users. And each of these three things are actually composite metrics, which means they’re made up of smaller metrics themselves. So these are three different metrics. One of them is Largest Contentful Paint, which is basically a proxy for how fast your site loads, like just data-wise. And basically that measures when the largest chunk of stuff on your site gets rendered, and it should happen within two and a half seconds of the page first loading. Second one is First Input Delay, which is something that measures interactivity like whether or not you can click on a site and mess around in it or do things on that site fairly quickly after it loads. And that should be less than 100 milliseconds after it’s really starting to appear loaded.

Ram:
The last is Cumulative Layout Shift, which measures visual stability, and this is honestly the one that I care about the most. If you ever had that thing where you were on a mobile phone and you go to a website and it’s loading and it’s not finished loading, but you’ve already read part of it and you start to scroll and oops, you clicked on an ad because it just shifted around and made it so the ad was right where your finger was going to be. That’s Cumulative Layout Shift. If the shift is too big, then you run into that kind of problem. So, I mean, that’s the one I care about the most.

Kathy:
I care about that, too. Yeah, that sounds like a bad page experience. So this is very interesting. So this is another boosting… If your site is handling these types of things well and creating a good user experience, Google is going to give you more preference in the search engine result pages, you’ll have a higher ranking, partially. This will feed into that. Then someone who is doing those types of things and making Ram inadvertently click on ads, please don’t do that.

Ram:
And I mean, we do have our site performance tool, Fast Or Slow, and we do plan on incorporating these metrics in the near future. So, look forward to that.

Kathy:
Yeah. And Fast Or Slow is completely free, so great tool to start using to monitor what’s happening with your site, and make sure that your site is performing well across what is it? 18 different locations now?

Ram:
I think so. I’ll have to double-check. Don’t quote me on that.

Kathy:
I can quote you on that. I did look it up. It’s usually 18, unless a location is unavailable for some reason. But always we’re aiming for 18. So on WPTavern comments, I like to read comments. I’m one of those weirdos who reads comments on blog posts, because there’s some interesting discussion happening here. So people are asking whether or not page builders that are incredibly popular on WordPress sites like Divi or Elementor are affecting the page experience metric. What’s your take on this, Ram?

Ram:
In my experience, a lot of page builders, I don’t know if you remember the FrontPage or Dreamweaver days, but a lot of what you see is what you get page builders introduce extra complexity and they do slow things down. In this case, a lot of it’s because JavaScript needs to render the pages, so that’ll largely contribute to things like First Input Delay, where the JavaScript has to finish rendering before you can really interact with the site. I know they probably have some mitigations in place to make that a little bit less bad, but it is a concern. And Cumulative Layout Shift, you run into that as well. Whenever part of the page is rendered immediately, another part of the page is positioned programmatically after it’s started loading.

Kathy:
Interesting, yeah. I’ve used page builders a few times on a number of sites. And so I try to analyze, because I started back in the day of… The first thing I was ever given to build a site was FrontPage, and then immediately after learning HTML and learning CSS and learning all of JavaScript realized that that was awful. But these page builders that WordPress users are using like Elementor or Divi, they use a lot of different CSS classes in order to handle what is being laid out on the site. And some of it gets so complex that I can’t read it. And I can read HTML and I can read CSS and I can read JavaScript. I understand what it’s doing, but it’s so complex. And so I can only imagine that browsers have a difficult time making determinations of where everything is going to go, because there’s just so much code there, right?

Ram:
Yeah. I mean, this is sort of an ongoing debate. Just the idea that if you need to load say two to three megabytes of resources, just in order to determine the page layout and styling, then that’s not necessarily going to be a very mobile-friendly experience. But it’s an ongoing debate and I feel like Google incorporating this into their page experience metrics is a step towards sort of clamping down on that.

Kathy:
Excellent. Okay. Well, this will be definitely interesting, something to watch for. And it looks like they are going to be implementing this Page Experience as a ranking factor in May of 2021. So I guess our takeaway is that the more simple you can make your page layout, the more simple your code can be, the better it’s going to be for not only your users, but your search engine rank as well.

Ram:
Yeah. And by the way, Gutenberg apparently appears to score fairly well on this metric despite being intended as a sort of compromise between what you see is what you get and the traditional blog post editor style.

Kathy:
Excellent. Good to know.

Ram:
Yeah, apparently they’re doing okay.

Kathy:
Excellent. So a lightweight theme and Gutenberg, probably the best way to go going forward.

Ram:
Most likely yeah.

Kathy:
All right. So what’s this story now about Google patching a couple more Chrome zero-days. We’ve had a few of these recently, huh?

Ram:
Yeah. Apparently this is five zero-days in like three weeks. And the first three were discovered internally by Google security researchers. The newest two were externally reported by anonymous sources. They don’t have a lot of details, just described as inappropriate implementation in V8, which is the Chrome component that renders JavaScript. And then there’s a Use After Free memory corruption bug in the site isolation, which is the Chrome component that isolates each site’s data from one another. Which definitely since there’s zero-days, that means that people are already trying to exploit these, which means that someone’s found a way to make them work, which is kind of interesting.

Ram:
I know we mentioned Use After Free vulnerabilities in a previous podcast, and I didn’t really want to go into them, but they keep on coming up so I guess I’m going to have to. Basically, when you have, say, a program that has a function that says, “Hey, I’m going to set this variable to blah.” That actually allocates memory and says, “The memory here contains ‘blah’.” Then the program, it goes, “I don’t need that anymore. Forget it.” That frees up that memory. But if it says, “Nevermind, I want whatever was there again.” Blah’s not there anymore, and instead it’s something different. And if you can predict or change, whatever’s going to be there, you can end up with things like code execution, or retrieving sensitive data.

Ram:
Now, the good news is that modern operating systems do have some pretty decent protections against this, something called ASLR, Address Space Layout Randomization, where they kind of don’t stick everything into predictable areas in a computer’s memory. It’ll just be like, “I’m going to put this here, I’m going to put that over there, and attackers then have to do a lot more work to figure out where the thing they want to target is.” However, that brings us to our next story, which is… Basically it’s Intel SGX, which is their software guard extension, which they use to store and handle secret data like encryption keys.

Ram:
Researchers have come up with an attack named Platypus, which is not as cute as it sounds. But yeah, they basically found out that Intel chips and apparently AMD chips too, though they didn’t actually go in depth on those, have built in power meters. And at least on Linux systems, users with minimal privileges can check out how much power a chip is using for doing different things. And that’s what we call a side channel, which means that you can steal cryptographic keys by studying how much power it takes for a chip to do different encryption and decryption functions. And more interestingly, it can also basically get around that Address Space Layout Randomization we just mentioned earlier. It can basically de-randomize that. Which I feel like that’s impactful because it can be done remotely, which means that it would work really well in combination with Use After Free memory corruption bugs.

Kathy:
Got you. Okay. So what’s the deal with the story. So researchers have found this vulnerability with Intel chips. Now I remember the Meltdown and Spectre vulnerabilities, how does this compare to that?

Ram:
This hasn’t really gotten a ton of attention, but I feel like because this is remote and it doesn’t require a lot of privileges, it’s pretty comparable, I’d say, or possibly worse. The only mitigating factor is that by default, only Linux boxes have the components built in that let lower-privileged users do this. You have to intentionally install the drivers on Windows to actually use this functionality. It’s not something that you should be worried about as an individual user. But if you’re a hosting provider and you’ve got a data center, this is something you want to get patched as soon as possible.

Kathy:
Right. And you have a data center full of Linux servers hosting everybody’s WordPress site.

Ram:
Pretty much.

Kathy:
Yeah. So as a WordPress site owner, this is relevant to you. This is something that you might want to keep an eye on, make sure that your hosting provider is applying the patches or whatever is going to be needed in order to make sure these types of vulnerabilities cannot be exploited. So that cryptographic keys on all these servers are nice and safe, right?

Ram:
Yeah. And so the buffer overflow exploits and Use-After-Free vulnerabilities don’t work quite as well or as easily.

Kathy:
Yeah. I mean, we’ve got to keep Ram on his toes here on this podcast somehow, but-

Ram:
I’m not going to lie. I had to do a bunch of research on all of these things because there’s always more to keep up with, but

Kathy:
Sure. Sure. Well, I mean, security’s important. It’s not just researchers like yourself who have to stay up on this kind of stuff. I mean, I am not going deeply into all of these vulnerabilities much in the same way that you are, but I need to be aware of them as a WordPress owner, as someone who’s interested in WordPress security, it’s just good to be aware of it. It doesn’t mean you have to like go deep diving.

Ram:
Yeah. I don’t necessarily have to know how to personally decrypt your encrypted data, but what I do need to know is the implications of different vulnerabilities as they relate to other vulnerabilities, which we’ll get to at the end of the podcast actually.

Kathy:
Right. Right. Now, here’s another story. This one I think is very relatable, because we’ve talked about this a lot on the podcast, we’ve talked about it on Wordfence Live. It is a favorite topic of mine at WordCamps. This is about encouraging people to stop using phone-based multi-factor authentication. So no more SMS 2FA. Microsoft is now urging users to stop using phone-based multi-factor authentication for many of the same reasons that we encourage that. We’ve been saying this forever. Now this warning came from the Director of Identity Security at Microsoft, Alex Weinert, and he’s been advocating on Microsoft’s behalf urging users to embrace MFA, and he’s taking it a step further and saying, “No more SMS.” What happens with SMS that makes it so concerning for us, Ram?

Ram:
First of all, I do want to bear in mind that when they say no phone-based, they mean no telephone-system-based, no SMS, no voice calls, and an app on your phone is still going to be a secure way to do this, assuming that there’s no vulnerabilities on your phone.

Kathy:
Yeah. Some people still use their phones for telephone calls and also SMS.

Ram:
I mean, I don’t use them for telephone calls ever since robocalls became a thing, but that’s another can of worms. Anyways, one of the main problems with especially SMS based two-factor authentication is that it’s entirely possible to phish someone using that. You go onto a phishing site, you enter in a username and password and their software can actually forward on that request and then send the SMS and get you to input the second factor code. It’s also possible to conduct a SIM-swapping attack where they socially engineer your mobile network company who are pretty easy to socially engineer, even now, from what I’ve been seeing at various DEFCONs. And just call them up, get them to say, “Hey, I want this phone number ported to this new SIM card I got.” And a lot of the time they’ll just do it.

Kathy:
Right. Yeah. And just the underlying network that our telephone system, not your mobile device, but the telephone systems, SMS based systems, the underlying networks were not developed with the type of security required for what we’re doing with our phones these days. I mean, talking to grandma’s one thing, but logging into your bank account or your cryptocurrency account, something completely and totally different, right?

Ram:
If the police can deploy a stingray to intercept voice and SMS calls, then attackers can, too.

Kathy:
Exactly. So use your Google Authenticator. LastPass has a great authentica- I was using Google Authenticator for the longest time, and then of course I get a new phone and bye-bye two-factor codes, they’re all gone.

Ram:
So Google Authenticator did have a problem and that’s that it didn’t prevent screenshots-

Kathy:
Oh, really?

Ram:
… of the Authenticator interface. So if you had malware running on your phone, it could steal that second factor code.

Kathy:
Interesting. Does LastPass’ app have that same problem?

Ram:
I think it blocks screenshots on the page itself.

Kathy:
Okay. Yeah. I know when you copy a code, it doesn’t hold it in memory for more than I think 30 seconds or something too, so that it can’t be, I don’t know, Tik-Toked into China. So definitely start using your Google authenticator. What other ones do we have? There’s OFI, LastPass-

Ram:
Yeah, I think there’s some open source ones that are pretty decent as well.

Kathy:
Okay, excellent.

Ram:
And you have your choice.

Kathy:
Yes. There are many different ways to do your two-factor authentication, and Wordfence, we encourage you to use those app-based authenticator codes as well. One cool thing that I like about what 1Password does is that you can have those two-factor codes integrated with your one… So you have your password and it also has that time-based code within the app or within the application on your computer. So that’s also very handy. So there’s no more excuses, right?

Ram:
No more excuses, though I do recommend if you’re going to set up two-factor authentication using more than one device, say 1Password and a phone, that you do them both at the time of setup, otherwise you’re going to have to undo it and then redo it to add them both later.

Kathy:
Yeah. Important. Cool. Well, it looks like we have some patches for Windows Patch Tuesday. What does this look like, Ram?

Ram:
This is what I was mentioning earlier. It includes a fix for a Windows zero-day vulnerability that was exploited in the wild, and it’s a privilege escalation vulnerability. And the reason this was kind of a big deal is that they found it used in conjunction with the Chrome zero-day we mentioned a couple of podcasts ago, the one with the FreeType library, which was yes, a Use-After-Free vulnerability, I believe. Or was it some other kind of memory corruption?

Kathy:
I think it was Use-After-Free. I think that was the one that we were talking about [crosstalk 00:21:09].

Ram:
It was the heap buffer overflow.

Kathy:
Was it? Okay.

Ram:
Yeah. Okay. So it was a buffer overflow. So something else that ASLR would make harder to pull off.

Kathy:
Got you.

Ram:
But yeah, I guess they found it being attacked in conjunction with that one, and basically it would be an exploit chain where they’d attack the FreeType vulnerability to gain some degree of local access and then attack the kernel zero-day to gain privilege escalation, which once you have remote privilege escalation, that’s kind of a big deal. Google Project Zero, which finds pretty much all of these, it sounds like, disclosed it on October 30th.

Kathy:
Again, the big takeaway is, well, there were 111 other vulnerabilities patched within this as well. I mean, that’s the most interesting one, obviously, the fact that it was being exploited in the wild. But still over a hundred vulnerabilities that are patched in Patch Tuesday, so it’s like, maybe that should be just like a national holiday, every Patch Tuesday. Everybody just-

Ram:
Every Patch, I mean-

Kathy:
Take a national holiday, everybody in every country, patch your computers, please.

Ram:
Or just turn on the automatic updates. They don’t seem to interrupt important things nearly as often anymore. Usually they’ll just pop up and say, “Hey, we’re going to update you after 7:00 PM.” Which is, unless you work night shift, in which case you may want to change that timing.

Kathy:
Yeah. Well that’s all we have this week on Think Like a Hacker. If you’d like a notification, when we have a new episode, you can subscribe on wordfence.com/podcast. There’s a form there. So you can get alerted when we have a new episode. If you have a story that you’d like us to cover, you can write to us at press@wordfence.com. I get all of those, and we can cover any story that you’d like us to look at. Make sure you follow Ram at… Was it @RamuelGall on Twitter?

Ram:
I’m very boring on Twitter, but yes.

Kathy:
I’m boring on Twitter these days, too. There’s so many other people who are doing exciting things that I’m just like, “Oh my gosh.” I even don’t want to talk about all these crazy things. But yeah, we’re on Twitter, and we share security news there as well. Make sure you’re following the Wordfence account, and make sure that you come visit us on Tuesdays at noon Eastern, 9:00 on the West Coast, we have Wordfence Live that’s on YouTube. You can find those links on our website somewhere. We’ll put it in the show notes too, because we have lots of interesting topics to discuss there, where we’re really looking at the best ways that you can handle your WordPress site. Well, this past week we talked about best practices in updating and maintenance, right?

Ram:
Yep. We just did discuss how to handle updates that go wrong to some extent, how to avoid updates going wrong in the first place, how you should handle updates depending on the size of your site, whether or not automatic updates are a good idea.

Kathy:
Yeah. And I’m sure we’ll be talking about automatic updates for some time. We’ve got some interesting news coming up. We’ll probably talk next week about automatic updates in WordPress 5.6, so there’s a little teaser for you.

Ram:
Yep.

Kathy:
Awesome. Well, thanks for joining me here again, Ram. This is a lot of fun, and we’ll be back again next week to talk about more security, WordPress and innovation news.

Ram:
Thanks for having me. And I guess I have to do more studying before next week, too.

Kathy:
We all do. It’s always… Studying.

Ram:
Yeah, never stops.

Kathy:
Never stops, does it? That’s what makes it fun.

Ram:
It does.

Kathy:
All right. See you next week. Bye.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.


Critical Privilege Escalation Vulnerabilities Affect 100K Sites Using Ultimate Member Plugin

On October 23, 2020, our Threat Intelligence team responsibly disclosed several vulnerabilities in Ultimate Member, a WordPress plugin installed on over 100,000 sites. These flaws made it possible for attackers to escalate their privileges to those of an administrator and take over a WordPress site.

We initially reached out to the plugin’s developer on October 23, 2020. After establishing an appropriate communication channel, we provided the full disclosure details on October 26, 2020, and the developer sent us a copy of the first intended patch the same day for testing. We confirmed that it fixed one of the vulnerabilities; however, two remained. On October 29, 2020, the developer provided an updated copy that fully addressed all of the vulnerabilities and released it as Ultimate Member 2.1.12 that day.

These are critical and severe vulnerabilities that are easy to exploit. Therefore, we highly recommend updating to the patched version, 2.1.12, immediately.

Wordfence Premium users received a firewall rule to protect against any exploits targeting these vulnerabilities on October 23, 2020. Sites still using the free version of Wordfence will receive the same protection on November 22, 2020.


Unauthenticated Privilege Escalation via User Meta

Description: Privilege Escalation
Affected Plugin: Ultimate Member
Plugin Slug: ultimate-member
Affected Versions: <= 2.1.11
CVE ID: Pending
CVSS Score: 10.0 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Fully Patched Version: 2.1.12

Ultimate Member is a popular plugin designed to enhance user registration and account control on WordPress sites. It allows site owners to create custom roles and manage the privileges of site members. As part of its functionality, the plugin automatically creates three forms: user registration, user login, and user profile management.

We discovered that the user registration form lacked checks on the user data it accepted. This made it possible for an attacker to supply arbitrary user meta keys during registration and have them written to the database. In particular, an attacker could supply an array parameter for sensitive metadata such as the wp_capabilities user meta (the key carries the database table prefix, wp_ by default), which is where WordPress stores a user’s role. During registration the submitted details were passed to the update_profile function, and every piece of metadata in the submission, whatever it was, was written for the newly registered user.

// In the registration handler: the raw submitted form data is handed straight to update_profile()
do_action( 'um_before_save_registration_details', $this->id, $submitted );

update_user_meta( $this->id, 'submitted', $submitted );

$this->update_profile( $submitted );

// In update_profile(): every submitted key that is not a core user field is written as user meta,
// with no allow-list of meta keys and no check for protected keys such as wp_capabilities
function update_profile( $changes ) {

	$args['ID'] = $this->id;
	$changes = apply_filters( 'um_before_update_profile', $changes, $args['ID'] );

	foreach ( $changes as $key => $value ) {
		if ( ! in_array( $key, $this->update_user_keys ) ) {
			if ( $value === 0 ) {
				update_user_meta( $this->id, $key, '0' );
			} else {
				update_user_meta( $this->id, $key, $value );
			}
		} else {
			$args[ $key ] = esc_attr( $changes[ $key ] );
		}
	}

	// ... the function continues with the role handling shown in the next snippet

This meant that an attacker simply needed to supply wp_capabilities[administrator] as part of a registration request, and that attacker would effectively update the wp_capabilities field with the administrator role. This simple request would grant administrator access upon registration.

This vulnerability is considered very critical as it makes it possible for originally unauthenticated users to easily escalate their privileges to those of an administrator. Once an attacker has administrative access to a WordPress site, they have effectively taken over the entire site and can perform any action, from taking the site offline to further infecting the site with malware.


Unauthenticated Privilege Escalation via User Roles

Description: Privilege Escalation
Affected Plugin: Ultimate Member
Plugin Slug: ultimate-member
Affected Versions: <= 2.1.11
CVE ID: Pending
CVSS Score: 10.0 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Fully Patched Version: 2.1.12

This vulnerability is related to the previously detailed vulnerability. Due to the lack of filtering on the role parameter that could be supplied during the registration process, an attacker could supply the role parameter with a WordPress capability or any custom Ultimate Member role and effectively be granted those privileges. After updating the user meta, the plugin checked if the role parameter was supplied. If so, a few checks were processed to verify the role being supplied.

	// Remainder of update_profile(): the role parameter is validated only against the default WordPress roles
	// update user
	if ( count( $args ) > 1 ) {
		//if isset roles argument validate role to properly for security reasons
		if ( isset( $args['role'] ) ) {
			global $wp_roles;
			$um_roles = get_option( 'um_roles' );

			if ( ! empty( $um_roles ) ) {
				$role_keys = array_map( function( $item ) {
					return 'um_' . $item;
				}, get_option( 'um_roles' ) );
			} else {
				$role_keys = array();
			}

			// Only default WordPress roles (other than subscriber) are excluded; custom um_* roles and capabilities pass through
			$exclude_roles = array_diff( array_keys( $wp_roles->roles ), array_merge( $role_keys, array( 'subscriber' ) ) );

			if ( in_array( $args['role'], $exclude_roles ) ) {
				unset( $args['role'] );
			}
		}

		wp_update_user( $args );
	}

}

Fortunately, the plugin blocked default WordPress roles from being supplied in the role parameter, making it more difficult for attackers to exploit this vulnerability to gain escalated privileges. In addition, if the role selector was enabled for the registration form, then only the roles specified by the site administrator could be selected and supplied during registration.

However, it did not stop custom Ultimate Member roles or individual WordPress capabilities from being supplied before the user role was updated. Therefore, despite the initial protections, an attacker could still easily gain elevated privileges.

Attackers could enumerate the current custom Ultimate Member roles and supply a higher-privileged one in the role parameter while registering. Alternatively, an attacker could supply a specific capability and then use it to switch to another user account with elevated privileges. In either case, if wp-admin access was enabled for that user or role, this vulnerability could be used in conjunction with the final vulnerability detailed below.

Again, this vulnerability is considered critical as it allows originally unauthenticated users to escalate their privileges under some conditions. Once an attacker has elevated access to a WordPress site, they can potentially take over the entire site and further infect it with malware.
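For contrast with the two registration flaws above, here is an added example of how a registration handler can avoid both problems: it only stores submitted keys that the site owner declared as form fields, drops protected meta keys outright, and accepts a role only from an explicit allow-list. This is illustrative code written for this article, not Ultimate Member's own patch; the um_example_* function names are hypothetical and $form_fields / $allowed_roles stand in for whatever the site owner configured on the form.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress is loaded.

// Meta keys that a registrant must never be able to set directly. WordPress stores the
// role in {prefix}capabilities and the level in {prefix}user_level; the default-prefix
// names are listed too in case the site uses a non-default prefix and a literal is sent.
function um_example_is_protected_meta_key( $key ) {
	global $wpdb;
	$protected = array(
		$wpdb->get_blog_prefix() . 'capabilities',
		$wpdb->get_blog_prefix() . 'user_level',
		'wp_capabilities',
		'wp_user_level',
		'role',
		'submitted',
	);
	return in_array( $key, $protected, true );
}

// $form_fields: meta keys the site owner declared on the registration form (constructed list).
// $allowed_roles: roles the site owner enabled on the form's role selector (constructed list).
function um_example_save_registration( $user_id, array $submitted, array $form_fields, array $allowed_roles ) {
	$args = array( 'ID' => $user_id );

	foreach ( $submitted as $key => $value ) {
		// Unknown or protected key: ignore it rather than trust the client.
		if ( um_example_is_protected_meta_key( $key ) || ! in_array( $key, $form_fields, true ) ) {
			continue;
		}
		// Arrays (e.g. wp_capabilities[administrator]) are never a valid form value here.
		if ( ! is_scalar( $value ) ) {
			continue;
		}
		update_user_meta( $user_id, sanitize_key( $key ), sanitize_text_field( $value ) );
	}

	// The role is applied only if it is both on the form's allow-list and a real WordPress role.
	if ( isset( $submitted['role'] ) && is_string( $submitted['role'] ) ) {
		$role = sanitize_key( $submitted['role'] );
		if ( in_array( $role, $allowed_roles, true ) && wp_roles()->is_role( $role ) ) {
			$args['role'] = $role;
		}
	}

	if ( count( $args ) > 1 ) {
		wp_update_user( $args );
	}
}
```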


Authenticated Privilege Escalation via Profile Update

Description: Privilege Escalation
Affected Plugin: Ultimate Member
Plugin Slug: ultimate-member
Affected Versions: <= 2.1.11
CVE ID: Pending
CVSS Score: 9.9 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Fully Patched Version: 2.1.12

This final vulnerability was introduced by a lack of capability checks on a profile update. Because Ultimate Member allows the creation of new roles, the plugin also made it possible for site administrators to grant secondary Ultimate Member roles to any user. This was intended to let a user keep the default privileges of a built-in role, such as editor, while also holding additional secondary privileges that extend the capabilities of a membership site using Ultimate Member. The plugin uses a function, profile_update, which runs whenever a user’s profile is updated and sets the Ultimate Member role for that user. This function relied on is_admin() alone, without a capability check, making it possible for any user to supply the um-role post field and set their role to one of their choosing.

// Runs on every profile update; is_admin() only tells us the request is in wp-admin, not who made it
function profile_update( $user_id, $old_data ) {
	// Bail if no user ID was passed
	if ( empty( $user_id ) ) {
		return;
	}

	$old_roles = $old_data->roles;
	$userdata  = get_userdata( $user_id );
	$new_roles = $userdata->roles;

	if ( is_admin() ) {
		if ( ! empty( $_POST['um-role'] ) ) {
			$new_roles = array_merge( $new_roles, array( $_POST['um-role'] ) );
			// No capability check: any user who can reach profile.php can set an arbitrary role
			if ( ! user_can( $user_id, $_POST['um-role'] ) ) {
				UM()->roles()->set_role( $user_id, $_POST['um-role'] );
			}
		}
	}
}

This meant that any user with wp-admin access to the profile.php page, whether explicitly allowed or via another vulnerability used to gain that access, could supply the parameter um-role with a value set to any role including `administrator` during a profile update and effectively escalate their privileges to those of that role.

As with the previous vulnerabilities outlined above, this vulnerability is considered critical as it makes it possible for authenticated users to escalate their privileges with very little difficulty. Once an attacker has administrator privileges on a WordPress site, they have effectively taken over the entire site.
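The missing authorization step, shown as an added example rather than Ultimate Member's own fix: the handler below requires the promote_users capability, verifies the nonce that WordPress places on the user-edit form (action update-user_{ID}), and only accepts a role the acting user is allowed to assign. The um_example_ prefix is hypothetical; UM()->roles()->set_role() is the plugin call from the snippet above.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress and the plugin are loaded.

function um_example_profile_update( $user_id, $old_data ) {
	if ( empty( $user_id ) || empty( $_POST['um-role'] ) ) {
		return;
	}

	// Authorization: is_admin() is a context check, not a permission check.
	// Only users who may change roles get past this point.
	if ( ! current_user_can( 'promote_users' ) ) {
		return;
	}

	// CSRF: the user-edit and profile forms carry a nonce for action 'update-user_{ID}'.
	$nonce = isset( $_POST['_wpnonce'] ) ? $_POST['_wpnonce'] : '';
	if ( ! wp_verify_nonce( $nonce, 'update-user_' . $user_id ) ) {
		return;
	}

	// Input validation: the role must be a string naming a role that exists and that the
	// acting user is permitted to assign (get_editable_roles() applies the editable_roles filter).
	if ( ! is_string( $_POST['um-role'] ) ) {
		return;
	}
	$role = sanitize_key( $_POST['um-role'] );
	if ( ! wp_roles()->is_role( $role ) || ! array_key_exists( $role, get_editable_roles() ) ) {
		return;
	}

	if ( ! user_can( $user_id, $role ) ) {
		UM()->roles()->set_role( $user_id, $role );
	}
}

// Same hook the plugin's handler reacts to: fired after a user's profile is saved.
add_action( 'profile_update', 'um_example_profile_update', 10, 2 );
```

Note that get_editable_roles() lives in wp-admin/includes/user.php, so this check only works in the admin context the profile_update hook is fired from here.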


Disclosure Timeline

  • October 19-23, 2020 – Initial discovery of one vulnerability and further investigation of the plugin, which led to the discovery of two more vulnerabilities.
  • October 23, 2020 – We develop a firewall rule to protect Wordfence customers and release it to Wordfence Premium users. We initiate contact with the plugin’s developer.
  • October 26, 2020 – The plugin’s developer confirms the inbox for handling discussion. We send full disclosure.
  • October 26, 2020 – The plugin’s developer confirms the vulnerability and provides us with a patched copy to verify the fixes. We inform them that some flaws still exist.
  • October 29, 2020 – The plugin’s developer provides us with a second patched copy to verify the additional fixes. We verify that all has been patched.
  • October 29, 2020 – The patch is released in version 2.1.12.
  • November 22, 2020 – Free Wordfence users receive firewall rule.

Conclusion

In today’s post, we detailed several critical privilege escalation flaws in Ultimate Member that granted attackers the ability to escalate their privileges in several ways. These flaws have been fully patched in version 2.1.12. We recommend that users immediately update to the latest version available, which is version 2.1.12 at the time of this publication.

Wordfence Premium users received firewall rules protecting against these vulnerabilities on October 23, 2020, while those still using the free version of Wordfence will receive the same protection on November 22, 2020.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as these are high severity vulnerabilities that are trivial to exploit.

The post Critical Privilege Escalation Vulnerabilities Affect 100K Sites Using Ultimate Member Plugin appeared first on Wordfence.
