XSS Vulnerability in NextScripts: Social Networks Auto-Poster Plugin Impacts 100,000 Sites

Note: To receive disclosures like this in your inbox the moment they’re published, you can subscribe to our WordPress Security Mailing List.

On August 19, 2021, the Wordfence Threat Intelligence team began the disclosure process for a reflected Cross-Site Scripting (XSS) vulnerability we found in NextScripts: Social Networks Auto-Poster, a WordPress plugin with over 100,000 installations.

The plugin’s developer responded, so we confidentially provided the full disclosure the next day, on August 20, 2021. After several weeks without updates, we followed up with the developer on September 27, 2021, and a patched version of the plugin, 4.3.21, was released on October 4, 2021.

All Wordfence users, including Wordfence Premium customers as well as those still using the free version of Wordfence, are protected against this vulnerability by our firewall’s built-in cross-site scripting protection.


Description: Reflected Cross-Site Scripting (XSS)
Affected Plugin: NextScripts: Social Networks Auto-Poster
Plugin Slug: social-networks-auto-poster-facebook-twitter-g
Affected Versions: <= 4.3.20
CVE ID: CVE-2021-38356
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Ramuel Gall
Fully Patched Version: 4.3.21

The nxs_ReposterListTable::column_title function in inc/nxs_class_snap.php echoed out the value of $_REQUEST['page'] when an administrator was visiting the plugin administration page at wp-admin/admin.php?page=nxssnap-post.

    function column_post_title($item){
        // Build row actions. $_REQUEST['page'] is placed into the href unescaped:
        // this is the reflected XSS sink, and because $_REQUEST is populated from
        // $_POST as well as $_GET, the value is not necessarily the page slug
        // WordPress actually routed on.
        $actions = array(
            'edit'      => sprintf('<a href="?page=%s&action=%s&item=%s">Edit</a>',$_REQUEST['page'],'edit',$item->ID),
            'delete'    => sprintf('<a href="?page=%s&action=%s&item=%s">Delete</a>',$_REQUEST['page'],'delete',$item->ID),
        );
        // Return the title contents
        return sprintf('%1$s <span style="color:silver">(id:%2$s)</span>%3$s',
            /* %1$s */ $item->post_title,
            /* %2$s */ $item->ID,
            /* %3$s */ $this->row_actions($actions)
        );
    }

WordPress uses the value of the $_GET['page'] parameter in order to determine which administrative page to serve content for. It is also common practice for developers to use $_REQUEST for values stored in either $_GET or $_POST, as the $_REQUEST superglobal contains everything set in both $_GET and $_POST. As such, $_REQUEST['page'] might be expected to be set to the same value as $_GET['page'].

However, thanks to a quirk of how PHP orders parameters that are present in multiple superglobal variables, it was possible to perform a reflected cross-site scripting attack.

In most PHP configurations, depending on the request_order (or the variables_order if request_order is not set), $_POST takes precedence over $_GET when populating $_REQUEST. In other words, if both $_GET['page'] and $_POST['page'] are set, $_REQUEST['page'] will be set to the contents of $_POST['page'], rather than $_GET['page'].

This meant that it was possible to execute JavaScript in the browser of a logged-in administrator by tricking them into visiting a self-submitting form that sent a POST request to their site, for example hxxps://victimsite.site/wp-admin/admin.php?page=nxssnap-post, with the $_POST['page'] parameter set to malicious JavaScript.

The $_GET['page'] parameter could be set to nxssnap-post, so that WordPress would route the victim to the correct page, and then the malicious JavaScript in $_POST['page'] would be echoed out on that page.
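The precedence rule and the fix, as an added example that is not code from the plugin or the advisory. build_request() is a hypothetical stand-in for PHP's own population of $_REQUEST, following the request_order semantics described above; the hardened link builder uses htmlspecialchars() in place of WordPress's esc_attr() so the script runs outside WordPress.

```php
<?php
// Added example: how $_REQUEST is assembled from $_GET and $_POST, and why the
// sink above should read the routing slug from $_GET and escape it.

/**
 * Simulates $_REQUEST for a request_order string such as "GP": sources are
 * applied left to right and later ones overwrite earlier ones, which is the
 * documented behaviour of the request_order / variables_order directives.
 */
function build_request(array $get, array $post, array $cookie, string $order): array
{
    $sources = ['G' => $get, 'P' => $post, 'C' => $cookie];
    $request = [];
    foreach (str_split(strtoupper($order)) as $letter) {
        if (isset($sources[$letter])) {
            $request = array_merge($request, $sources[$letter]);
        }
    }
    return $request;
}

/** The vulnerable pattern: a request-controlled value lands in an href unescaped. */
function edit_link_vulnerable(array $request, int $id): string
{
    return sprintf('<a href="?page=%s&action=edit&item=%d">Edit</a>', $request['page'] ?? '', $id);
}

/**
 * Hardened form: take the slug from $_GET (the source WordPress routes on),
 * accept only the slug this list table belongs to, and escape on output.
 */
function edit_link_hardened(array $get, int $id, string $expected_slug = 'nxssnap-post'): string
{
    if (($get['page'] ?? '') !== $expected_slug) {
        return '';   // not our page: emit no action link rather than an attacker-chosen one
    }
    $safe = htmlspecialchars($expected_slug, ENT_QUOTES, 'UTF-8');
    return sprintf('<a href="?page=%s&action=edit&item=%d">Edit</a>', $safe, $id);
}

// Constructed request: the real slug in the query string and a different value
// under the same name in the POST body (a quote and a harmless tag, enough to
// show the attribute breaking).
$get  = ['page' => 'nxssnap-post'];
$post = ['page' => 'x"><i>injected</i>'];

foreach (['GP' => 'POST overrides GET (common default)', 'PG' => 'GET overrides POST'] as $order => $label) {
    $request = build_request($get, $post, [], $order);
    printf("request_order=%s (%s): \$_REQUEST['page'] = %s\n", $order, $label, $request['page']);
}

$request = build_request($get, $post, [], 'GP');
echo "vulnerable: " . edit_link_vulnerable($request, 7) . "\n";
echo "hardened:   " . edit_link_hardened($get, 7) . "\n";
```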

As with all XSS attacks, malicious JavaScript running in an administrator’s session could be used to add malicious administrative users or insert backdoors into a site, and thus be used for site takeover.

Timeline

August 19, 2021 – We finish our investigation and begin the disclosure process for NextScripts: Social Networks Auto-Poster.
August 20, 2021 – We send over full disclosure to the plugin developer.
September 27, 2021 – We follow up with the plugin developer as the plugin has not yet been patched.
October 4, 2021 – A patched version of the plugin, 4.3.21, becomes available.

Conclusion

In today’s post, we covered a reflected Cross-Site Scripting (XSS) vulnerability that relied on a relatively obscure quirk of how PHP handles superglobal variables.

All Wordfence users, including Wordfence Premium customers and free Wordfence users are protected by our firewall’s built-in XSS protection. Nonetheless, we strongly recommend updating to the latest version of the plugin available, which is 4.3.23 at this time.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a serious vulnerability that can lead to complete site takeover.

If your site has been compromised by an attack on this or any other plugin, our Professional Site Cleaning services can help you get back in business.

The post XSS Vulnerability in NextScripts: Social Networks Auto-Poster Plugin Impacts 100,000 Sites appeared first on Wordfence.

PSA: Widespread Remote Working Scam Underway

I’ve just gotten off the phone with a victim of the scam that I’m about to describe. This is impacting a lot of folks, so please do spread the word. It’s infuriating. I’ll be around to reply to your comments below, but please do not engage in victim-blaming, because until you’ve actually been hit by one of these scams, you don’t know how convincing attackers can be.

As you already know, Defiant is a 100% remote company. We have been remote since 2015 when we first started hiring. Thanks to COVID, a lot of brick-and-mortar companies are now hiring for remote positions. There is a remote hiring scam that has rapidly gained popularity and works as follows:

The Attack

An attacker will post a job ad on a job board for a position. We have seen “Data Capturing” as one of the roles, but the roles vary. An interview is conducted. In the cases we’ve seen, it has been done via Skype direct message and there were two attackers who had a conversation with the victim. The first attacker posed as a kind of coordinator and went by “Jennifer Udin”. The second posed as a manager named “Antonio Wheeler”.

The victim gets the job. The “employer” (attacker) congratulates them and says that they will provide all required furniture and office supplies. The attacker then sends the victim a check which they are told to cash, and they’re asked to immediately buy furniture from the attacker’s preferred supplier. In the case we investigated, the amount paid was several thousand US dollars.

The victim’s bank will put a hold on cashing the check until it passes fraud checks. The victim spends the money out of pocket, on the furniture, in a non-refundable way. The victim is out of pocket thousands of dollars. And the “furniture company” is actually the attacker who now has the money.

There are several variations of this attack. The goal is to either get personally identifiable information (PII) from a victim or to get money. In all cases, the scam is based around an employment opportunity and a legitimate company is used as a vehicle for the attacker to scam the victim.

How To Avoid This Scam

We recommend you take the following steps to avoid this scam:

  • Go to the employer website and confirm that the job you’re applying for is actually an open position on their site.
  • Contact the hiring company using the published contact information on their website – either an email address or phone number – and verify that the role exists and that you are in the hiring queue.
  • As far as possible, do not apply on job boards. Instead, apply by navigating to the hiring company’s website and proceed from there. You may be directed to external HR sites like Workable.com, but you will be following links from the hiring company’s own website.
  • Never spend money out of pocket for a job application or for a new job you have just started. You may need to spend money out of pocket in the future because reimbursement has become standard practice among many companies, but this should be unacceptable for a position you have just started.
  • I have not encountered a company that only does interviews via direct message. COVID has changed the way we do business, so it is understandable that victims are assuming that direct-message interviews are part of that change.

Please share this information as widely as you can. This has had a significant financial impact on folks I have talked to, and their stories are heartbreaking. If you have been affected by this, please visit IC3.gov and report the crime.

Data We Have Gathered

The following screenshots and data were kindly provided to us by several victims of this scam. We have redacted sensitive information.

An introductory chat session (screenshot):

An authoritative-sounding Jennifer gives instructions on visiting the “hiring company’s” website, which is a real website. They add a time limit to lend legitimacy (screenshot).

Once the victim has been hired, they’re referred to a “training supervisor”.

This is the profile of one of the scammers. Probably a stock photo and plausible-sounding name.

One of the checks received by a victim (screenshot):

The following is a transcript of a Skype direct message conversation between one of the victims and an attacker. Stacy is the attacker and Mary (not her real name) is the victim. Asterisks represent redacted information.

Stacy, 2:14 PM
Good afternoon

Stacy, 2:15 PM
How are you doing?

Mary, 2:26 PM
Good Afternoon

Mary, 2:26 PM
I am fine thank you

Mary, 2:26 PM
and you?

Stacy, 2:28 PM
I’m great

Stacy, 2:28 PM
I believe you are here and ready for the job briefing/interview?

Mary, 2:51 PM
Yes I am

Stacy, 2:57 PM
I am Mrs Stacy Morgan. The Interview manager for ******. Please introduce yourself and indicate your location.

Mary, 2:58 PM
Ms. Morgan, are you there?

Stacy, 3:00 PM
Yes we can proceed.

Mary, 3:21 PM
I am Mary ***** and I am located in ********.

Stacy, 3:23 PM
Next would be the briefing about the Job and the company. I advise you read with care. Just follow the briefing and you can ask questions when I am through. Let me know when you have finished reading and understanding every line. You will be allowed to ask questions later. With each line just respond with I’m through.

Mary, 3:30 PM
I’m through

Stacy, 3:31 PM
Here’s the company website www.******.com. You are required to use (Five) minutes of your time to glance through the website and read more about the company. Let me know as soon as you are done so we can proceed with the briefing. Okay?

Mary, 3:32 PM
Okay

Mary, 3:34 PM
I’m through

Stacy, 3:35 PM
Alright

Stacy, 3:35 PM
Primary Responsibilities are to perform general clerical duties to include but not limited to: Resolve customer complaints via phone, email, mail, or social media.

Use telephones to reach out to customers and verify account information.
Assist with placement of orders, refunds, or exchanges.

Take payment information and other pertinent information such as addresses and phone numbers.

Place or cancel orders. Inform customer of deals and promotions.
Utilize computer technology to handle high call volumes.

Can you handle that with appropriate training ?

Mary, 3:36 PM
Yes I can handle that with appropriate training
I’m through

Stacy, 3:38 PM
The pay is $28 per hour, training is $18 per hour and will get payment bi-weekly via direct deposit or paycheck; the maximum hours you can work a week is 45 hours. If you are employed you are going to be working as a full employee.

You will undergo training from your training supervisor. The first phase of your training will be centered on your mini-office set up and handling of tasks/assignments which will be done intermittently.

In the second phase, trainees will imbibe a direct-stringent approach in getting themselves acquainted with their office equipment (software & hardware) and company’s payroll system. They will also be assigned special projects to work on.

I believe that will not be a problem for you ?

Mary, 3:39 PM
No this will not be a problem
I’m through

Stacy, 3:40 PM
What means of payment do you prefer? Direct deposit, Check, Wire Transfer?

What bank do you operate with, to see if it tallies with the company’s official salary payment account?
Note: I am not asking for your banking information.

Mary, 3:42 PM
Wire transfer…JMMB
I’m through

Stacy, 3:43 PM
BENEFITS: Benefits for eligible workers include: Health, Dental, Life and AD&D Insurance, Employee Wellness and 401k plans. Paid Time Off and Holidays with Generous Company Discounts. That counts after working 30 days with the Company.

Mary, 3:44 PM
I’m through

Stacy, 3:45 PM
We are now on the question and answer interview section. As soon as you are done answering any question, you are to write DONE… Understood?

Mary, 3:46 PM
Understood

Stacy, 3:47 PM
Alright good

Stacy, 3:47 PM
(1.) Are you seeking a part time or full time job and are you currently employed?

(2.) Do you have a printer, scanner and fax machine and what is your mobile carrier?

(3.) How would you describe yourself during work ?

(4.) Do you have an idea of how to use MS Excel and what is your typing speed?

(5.) At this company, we like to think of ourselves as a team that works together towards the same goals. How do you feel about working in a team environment?

Mary, 3:50 PM
1. Part-Time with the possibility of turning into Full-time. Yes, I am currently employed, but need something flexible. DONE

Mary, 3:51 PM
2. Yes I have a printer and scanner. ******* is my mobile carrier. DONE

Mary, 3:53 PM
3. I would describe myself as friendly, easy to get along with, laid back yet hard working. DONE

Mary, 3:54 PM
4. Yes I know basic MS Excel, would like to learn more and 40wpm. DONE

Mary, 3:55 PM
5. Working in a team environment is great, I would love working in a team. It allows for growth. DONE

Stacy, 3:57 PM
Very good

Stacy, 3:57 PM
(6.) What computer skills do you have and what programs are you comfortable using?

(7.) Do you prefer to work independently or on a team?

(8.) What is it like working for your supervisor?

(9.) How would you feel supervising two or three other employees?

(10.) What do you understand by privacy & code of conduct?

Mary, 4:03 PM
6. I am skilled with power point presentations, email communication, spreadsheets and research. I am comfortable with Ms power point, ms word, and I have recently started learning SQL. DONE

Mary, 4:03 PM
7. I do not have a preference. DONE

Mary, 4:04 PM
8. Working with my supervisor is great actually. He encourages growth and allows me to work independently when he sees it necessary. DONE

Mary, 4:05 PM
9. I have no problem supervising 2 or 3 employees; I would consider that supporting them rather than supervising. DONE

Mary, 4:08 PM
10. Privacy is important because this is respecting persons and company information by not divulging information,it goes hand in hand with trust. And code of conduct is how I would represent myself , my place of employment and treat my fellow team members.

Mary, 4:08 PM
DONE

Stacy, 4:12 PM
Brilliant

Stacy, 4:12 PM
I really hope the company can depend on you. You have performed quite impressively.

I need you to hold back online, while I go through your answers to my questions and discuss with the rest of the recruiting team. Okay?

I want you to keep an eye on your IM (simply be alert). I will get back to you soon with the result of the interview.

Mary, 4:15 PM
Yes I am okay with that. And I will be looking out

Stacy, 4:30 PM
I’m back

Mary, 4:31 PM
I am here

Stacy, 4:33 PM
Congratulations, your performance ensured you had a good score eligible for enrollment into our weekly routine training program. You scored 9.0 out of a possible 10, and you have just been confirmed qualified for this position.
You are now offered the job position… you are HIRED!
You are welcome to ********
You are now given a chance to show your commitment, charisma, diligence and be a productive employee.

How do you feel now ?

I believe the company can count on your devotion?

Mary, 4:34 PM
I am happy, excited and nervous!

Mary, 4:34 PM
Yes the company can count on my devotion

Mary, 4:35 PM
Thank you and thanks to the recruitment team for choosing me!!!!

Stacy, 4:35 PM
You’re welcome

Stacy, 4:36 PM
To enable you to sit for this job and position, there is working equipment and software which are required for this job and position. This is because you will be working from home, as all expenses are handled by the company, so therefore the company will be sending you a check. This check will be for the purchase of all the working equipment that you need, as you will be purchasing them from the company’s local vendor. The method of purchase and means of payment will be made known to you when the check gets to you, as you will be getting the check asap. The check will include your advance training pay and sign-on bonus. I believe you understand?

Mary, 4:36 PM
I understand

Stacy, 4:37 PM
In the meantime I need you to provide me with this information to enable the company’s secretary’s department to put you into the register: full name, state, city, address, zip code and cell #

Mary, 4:38 PM
Full Name: Mary ***** ******

Mary, 4:38 PM
Our address layout is a bit different

Mary, 4:39 PM
Street: ******** Road

Mary, 4:39 PM
City: ******

Mary, 4:39 PM
Zipcode: ******

Mary, 4:39 PM
Cell#: ******

Stacy, 4:41 PM
Got it

Mary, 4:42 PM
Great

Stacy, 4:42 PM
That will be all for today, make sure you are prompt online 8am tomorrow morning so I can connect you to your training supervisor. Have a Great Day and Stay Blessed.

Mary, 4:43 PM
Okay…no problem. And same to you

This attack is having an impact on real victims applying for roles that tend to be less senior. Please do spread the word. Let’s try to make this scam common knowledge, along with how to avoid falling for it.

Thanks to all the victims of this scam who kindly shared data with us and those who spoke with me on the phone.

Mark Maunder – Defiant Inc Founder and CEO.


1,000,000 Sites Affected by OptinMonster Vulnerabilities


On September 28, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for several vulnerabilities we discovered in OptinMonster, a WordPress plugin installed on over 1,000,000 sites. These flaws made it possible for an unauthenticated attacker, meaning any site visitor, to export sensitive information and add malicious JavaScript to WordPress sites, among many other actions.

Wordfence Premium users received a firewall rule to protect against any exploits targeting these vulnerabilities on September 28, 2021. Sites still using the free version of Wordfence will receive the same protection on October 28, 2021.

We sent the full disclosure details to OptinMonster on September 28, 2021, after confirming the appropriate channel to handle communications. The OptinMonster team quickly acknowledged the report by releasing a patch the next day. We followed up to let them know some improvements were needed on the patch, and a fully patched version was released as 2.6.5 on October 7, 2021.

We strongly recommend validating that your site has been updated to the latest patched version of OptinMonster which is 2.6.5 at the time of this publication.

Description: Unprotected REST-API to Sensitive Information Disclosure and Unauthorized app.optinmonster.com API access
Affected Plugin: OptinMonster
Plugin Slug: optinmonster
Affected Versions: <= 2.6.4
CVE ID: CVE-2021-39341
CVSS Score: 7.2 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Chloe Chamberland
Fully Patched Version: 2.6.5

OptinMonster is an incredibly intuitive and easy to use plugin designed to create sales campaigns on WordPress sites through the use of dialogs. The vast majority of the plugin’s functionality as well as the OptinMonster app site rely on the use of API endpoints to allow seamless integration and a streamlined design process.

Unfortunately, the majority of the REST-API endpoints were insecurely implemented, making it possible for unauthenticated attackers to access many of the various endpoints on sites running a vulnerable version of the plugin.

The most critical of the REST-API endpoints was the /wp-json/omapp/v1/support endpoint, which disclosed sensitive data like the site’s full path on the server, along with the API key needed to make requests on the OptinMonster site. With access to the API key, an attacker could make changes to any campaign associated with a site’s connected OptinMonster account and add malicious JavaScript that would execute anytime a campaign was displayed on the exploited site.

Worse yet, an attacker did not need to be authenticated to the site in order to reach the API endpoint, because of how the logged_in_or_has_api_key function used as the permissions_callback was written. If a request to an API endpoint had its Referer header set to https://wp.app.optinmonster.test and its HTTP method set to OPTIONS, the function returned `true` and the capability check passed. An attacker could simply meet these two requirements and set the X-HTTP-Method-Override HTTP header to the method the REST-API endpoint actually required, such as GET or POST, to successfully make the request.

	public function logged_in_or_has_api_key( $request ) {
		// Bypass: any unauthenticated request whose Referer contains the test
		// hostname and whose method is OPTIONS is treated as authorized. The
		// REST server then honours X-HTTP-Method-Override, so the handler runs
		// as GET or POST while REQUEST_METHOD still reads OPTIONS here.
		if (
			! empty( $_SERVER['HTTP_REFERER'] )
			&& false !== strpos( $_SERVER['HTTP_REFERER'], 'https://wp.app.optinmonster.test' )
			&& 'OPTIONS' === $_SERVER['REQUEST_METHOD']
		) {
			return true;
		}

		// Even the normal path only asks whether a user is logged in at all;
		// no capability is checked.
		return is_user_logged_in() || true === $this->has_valid_api_key( $request );
	}

This meant that any unauthenticated attacker could add malicious JavaScript to a site running OptinMonster. That script could redirect site visitors to external malicious domains, or, if it was written to inject new administrative user accounts or overwrite plugin code with a webshell, lead to backdoor access and a complete site takeover.

Fortunately, the OptinMonster team invalidated all API keys, forcing site owners to generate new ones in case a key had already been compromised, and added restrictions that prevent API keys associated with WordPress sites from making campaign changes through the OptinMonster app. Together, these changes prevent successful exploitation of this vulnerability chain.

Not the Only Endpoint Affected

In addition to the /wp-json/omapp/v1/support endpoint, nearly every other REST-API endpoint registered in the plugin was vulnerable to authorization bypass due to insufficient capability checking, allowing unauthenticated visitors, or in some cases authenticated users with minimal permissions, to perform unauthorized actions. Attackers could do things like change settings, view campaign data, enable/disable debug mode, and more.
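A log check for the request shape described above, as an added example that is not OptinMonster or Wordfence code. The log lines are constructed, and the log format is a custom one that appends the X-HTTP-Method-Override header value, because the standard combined format does not record that header.

```php
<?php
// Added example: flag REST requests that match the OPTIONS + Referer +
// X-HTTP-Method-Override bypass against the plugin's omapp routes.

const OMAPP_PREFIX    = '/wp-json/omapp/v1/';
const OMAPP_TEST_HOST = 'wp.app.optinmonster.test';

/**
 * Parses one line of the constructed format:
 *   <ip> - - [<time>] "<method> <path> <proto>" <status> <bytes> "<referer>" "<ua>" override="<value>"
 * Returns null for lines that do not match.
 */
function parse_line(string $line): ?array
{
    $re = '/^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "[^"]*" override="([^"]*)"$/';
    if (!preg_match($re, $line, $m)) {
        return null;
    }
    return [
        'ip'       => $m[1],
        'time'     => $m[2],
        'method'   => $m[3],
        'path'     => strtok($m[4], '?'),   // drop any query string
        'status'   => (int) $m[5],
        'referer'  => $m[6],
        'override' => $m[7],
    ];
}

/** Returns the reasons a parsed request looks like the bypass; [] when benign. */
function classify(array $r): array
{
    if (strpos($r['path'], OMAPP_PREFIX) !== 0) {
        return [];   // other REST routes are out of scope for this rule
    }
    $reasons = [];
    // A browser CORS preflight is a plain OPTIONS request with no override
    // header; OPTIONS carrying an override is the shape the bypass needs.
    if ($r['method'] === 'OPTIONS' && $r['override'] !== '') {
        $reasons[] = 'OPTIONS with X-HTTP-Method-Override=' . $r['override'];
    }
    // The Referer that satisfied the permission callback is a test hostname;
    // legitimate app traffic does not present it.
    if (strpos($r['referer'], OMAPP_TEST_HOST) !== false) {
        $reasons[] = 'Referer names ' . OMAPP_TEST_HOST;
    }
    // A 200 from the support route means the server path and API key were
    // served (plugin <= 2.6.4). Reported only alongside another indicator,
    // since an authenticated administrator legitimately gets 200 here.
    if ($reasons && $r['path'] === OMAPP_PREFIX . 'support' && $r['status'] === 200) {
        $reasons[] = 'support endpoint returned 200';
    }
    return $reasons;
}

/** Scans a list of lines and returns one finding per suspicious request. */
function scan(array $lines): array
{
    $findings = [];
    foreach ($lines as $n => $line) {
        $r = parse_line($line);
        if ($r === null) {
            continue;
        }
        $reasons = classify($r);
        if ($reasons) {
            $findings[] = ['line' => $n + 1, 'ip' => $r['ip'], 'time' => $r['time'], 'reasons' => $reasons];
        }
    }
    return $findings;
}

// Constructed sample: an unauthenticated GET that is correctly refused, the
// OPTIONS/override request that slips past the callback, and an ordinary CORS
// preflight against a core route. Only the second line should be reported.
$lines = [
    '203.0.113.10 - - [28/Sep/2021:18:07:01 +0000] "GET /wp-json/omapp/v1/support HTTP/1.1" 401 83 "-" "Mozilla/5.0" override=""',
    '203.0.113.10 - - [28/Sep/2021:18:07:02 +0000] "OPTIONS /wp-json/omapp/v1/support HTTP/1.1" 200 1840 "https://wp.app.optinmonster.test/" "Mozilla/5.0" override="GET"',
    '198.51.100.7 - - [28/Sep/2021:18:09:30 +0000] "OPTIONS /wp-json/wp/v2/posts HTTP/1.1" 200 0 "https://example.org/" "Mozilla/5.0" override=""',
];

foreach (scan($lines) as $f) {
    printf("line %d  %s  %s\n    %s\n", $f['line'], $f['ip'], $f['time'], implode("\n    ", $f['reasons']));
}
```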

Disclosure Timeline

September 28, 2021 6:07 PM UTC – Conclusion of the plugin analysis that led to the discovery of multiple vulnerabilities in the OptinMonster WordPress plugin. We develop a firewall rule to protect Wordfence customers and release it to Wordfence Premium users.
September 28, 2021 6:12 PM UTC – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
September 28, 2021 6:19 PM UTC – The vendor confirms the inbox for handling the discussion.
September 28, 2021 7:06 PM UTC – We send over the full disclosure details.
September 29, 2021 7:48 AM UTC – The first version of an update is released. We follow up to provide them with additional recommendations.
October 7, 2021 – A fully patched version of the plugin, 2.6.5, is released.
October 28, 2021 – Wordfence free users receive the firewall rule.

Conclusion

In today’s post, we detailed a flaw in the OptinMonster plugin that enabled a dangerous exploit chain which made it possible for unauthenticated attackers to retrieve a site’s sensitive data and gain unauthorized access to OptinMonster user accounts, which could be used to add malicious scripts to vulnerable sites. These flaws have been fully patched in version 2.6.5.

We recommend that WordPress users immediately verify that their site has been updated to the latest patched version available, which is version 2.6.5 at the time of this publication.

Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on September 28, 2021. Sites still using the free version of Wordfence will receive the same protection on October 28, 2021.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as these are serious vulnerabilities that can lead to complete site takeover.

If your site has been compromised by an attack on this or any other plugin, our Professional Site Cleaning services can help you get back in business.


Site Deletion Vulnerability in Hashthemes Plugin


On August 25, 2021, the Wordfence Threat Intelligence team initiated the disclosure process for a vulnerability in Hashthemes Demo Importer, a WordPress plugin with over 7,000 installations.

This vulnerability allowed any authenticated user to completely reset a site, permanently deleting nearly all database content as well as all uploaded media.

As we did not receive a response from the developer for nearly a month, we contacted the WordPress plugins team with our disclosure on September 20, 2021. The plugin was temporarily removed from the repository the same day, and a patched version, 1.1.2, was made available on September 24, 2021, though it was not mentioned in the developer changelog.

Wordfence Premium customers received a firewall rule protecting against this vulnerability on August 25, 2021. Sites running the free version of Wordfence received the same rule 30 days later, on September 24, 2021.


Description: Improper Access Control allowing content deletion
Affected Plugin: Hashthemes Demo Importer
Plugin Slug: hashthemes-demo-importer
Plugin Vendor: Hashthemes
Affected Versions: <= 1.1.1
CVE ID: CVE-2021-39333
CVSS Score: 8.1 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:H
Researcher/s: Ramuel Gall

The Hashthemes demo importer plugin failed to perform capability checks for many of its AJAX actions. While it did perform a nonce check, the AJAX nonce was visible in the admin dashboard for all users, including low-privileged users such as subscribers. The most severe consequence of this was that a subscriber-level user could reset all of the content on a given site.

Any logged-in user could trigger the hdi_install_demo AJAX function and provide a reset parameter set to true, resulting in the plugin running its database_reset function. This function wiped the database by truncating every database table on the site except for wp_options, wp_users, and wp_usermeta. Once the database was wiped, the plugin would then run its clear_uploads function, which deleted every file and folder in wp-content/uploads.

Timeline

August 25, 2021 – Wordfence Threat Intelligence finishes our investigation and attempts to initiate disclosure for a vulnerability in HashThemes Demo Importer. We release a firewall rule to Wordfence Premium customers.
September 20, 2021 – We contact the WordPress plugins team as we have not received a response from the plugin developer. The plugin is temporarily removed from the WordPress.org repository.
September 24, 2021 – A patched version of the plugin, 1.1.2, becomes available. The firewall rule becomes available to free Wordfence users.

Conclusion

In today’s post, we discussed a vulnerability in HashThemes Demo Importer that allowed any logged-in user to completely and permanently destroy all of the content on a website.

We’ve discussed the importance of backups in the past, and this vulnerability serves as an important reminder of how critical backups are to your site’s security. While most vulnerabilities can have destructive effects, it would be impossible to recover a site where this vulnerability was exploited unless it had been backed up.

Wordfence Premium users have been protected against this vulnerability since August 25, 2021, while those still running the free version of Wordfence have been protected since September 24, 2021. If you are running a vulnerable version of this plugin, we urge you to update to the latest version available, 1.1.4, as soon as possible.

If you know a friend or colleague who is using this plugin on their site, please forward this advisory to them to help keep their sites protected as these vulnerabilities can lead to complete site takeover.


Vulnerability Patched in Sassy Social Share Plugin


In 2010, Stefan Esser gave a presentation in Las Vegas that rocked the PHP world. He had discovered a new kind of vulnerability that today we call a “PHP Object Injection” vulnerability. This kind of vulnerability allows an attacker to send a PHP application some data that is turned into an object that lives in memory. If the application then assumes that the object and its data are secure, and does things with that object, it could lead to a compromised website.

In technical terms, the way an object injection vulnerability works is as follows. A developer writes code that uses the unserialize() function. This function is a way to take an object that has been stored somewhere and turn it from its stored form, which looks like text, back into an object that lives in memory. Developers do this when using object oriented programming in PHP. Objects are just data structures that logically represent things within the application. The serialize() and unserialize() functions are ways to store and retrieve objects. While serialize() turns an object into text, ready for storage, unserialize() takes the text and turns it back into an object that you can use in the application.

What Stefan discovered is that many developers were assuming that their objects, once unserialized in memory, were safe. And if he could send malicious data to the unserialize function that is later used by the application and assumed to be safe, he could gain remote code execution on a website or in any PHP application. He had discovered a whole new way to hack into many websites across the globe.

Today we are disclosing an object injection vulnerability in a popular WordPress plugin. This vulnerability allows an attacker to submit data that is unserialized by PHP, and could contain malicious data. This malicious data is used by code in the application that trusts that the data is safe, creating a vulnerability that allows an attacker to take over a WordPress website.
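What unserialize() does with a class-bearing payload, and two ways to accept imported settings without giving the caller control over object creation, as an added example that is not Sassy Social Share code. SettingsCacheWriter is a constructed class standing in for any autoloadable class with magic methods; the serialized blob is built with serialize() in the script rather than received from a request.

```php
<?php
// Added example: unserialize() instantiates whatever class the payload names,
// which is the root of PHP Object Injection; allowed_classes and JSON avoid it.

class SettingsCacheWriter
{
    public string $path = '';
    public string $contents = '';

    // Runs automatically when unserialize() rebuilds an instance. In a real
    // gadget this is where a file write or include would happen; here it only
    // reports that it ran.
    public function __wakeup(): void
    {
        echo "__wakeup() executed for path={$this->path}\n";
    }
}

// Constructed "imported settings" blob: a legitimate-looking array that
// carries an object. In the vulnerable flow it would arrive in the AJAX body.
$writer = new SettingsCacheWriter();
$writer->path = '/constructed/example.txt';
$blob = serialize(['theme' => 'round', 'cache' => $writer]);

echo "1. plain unserialize():\n";
$settings = unserialize($blob);            // __wakeup() fires: the payload chose the class
echo get_class($settings['cache']), "\n";  // SettingsCacheWriter

echo "2. unserialize() with allowed_classes => false:\n";
$settings = unserialize($blob, ['allowed_classes' => false]);
// Objects degrade to __PHP_Incomplete_Class; no constructor or magic method runs.
echo get_class($settings['cache']), "\n";  // __PHP_Incomplete_Class

echo "3. a format that cannot express objects, validated against an allow-list:\n";
/**
 * Accepts a JSON object and keeps only known keys of the expected type.
 * $schema maps key => gettype() name, e.g. ['theme' => 'string'].
 */
function import_settings_json(string $json, array $schema): array
{
    $data = json_decode($json, true, 8, JSON_THROW_ON_ERROR);
    if (!is_array($data)) {
        throw new InvalidArgumentException('settings must be a JSON object');
    }
    $clean = [];
    foreach ($schema as $key => $type) {
        if (array_key_exists($key, $data) && gettype($data[$key]) === $type) {
            $clean[$key] = $data[$key];
        }
    }
    return $clean;
}

$json = json_encode(['theme' => 'round', 'cache' => ['path' => '/constructed/example.txt'], 'extra' => 1]);
var_dump(import_settings_json($json, ['theme' => 'string', 'icon_size' => 'integer']));
// Only 'theme' survives: 'cache' and 'extra' are not in the schema, and no
// class name in the input can ever reach the autoloader.
```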

PHP Object Injection Vulnerability in Sassy Social Share

On August 31, 2021, the Wordfence Threat Intelligence team discovered a vulnerability in “Sassy Social Share”, a WordPress plugin installed on over 100,000 sites. The vulnerability provided a way for subscriber level users to gain remote code execution and take over a vulnerable site. Sites that have open registration allow anyone to create a “subscriber” level account, and are particularly exposed to this vulnerability.

Wordfence Premium users received a firewall rule to protect against exploits targeting this vulnerability on August 31, 2021. Sites still using the free version of Wordfence received the same protection on September 30, 2021.

In this case, the flaw made it possible for an attacker to import plugin settings and potentially inject PHP objects that could be used as part of a POP (property-oriented programming) chain: a sequence of existing code in the application that the attacker strings together into code execution.

On August 31, 2021, we initiated the responsible disclosure process. The vendor responded the next day, on September 1, 2021, and we sent over the full disclosure details on September 2, 2021.

After working with the developer over a couple of weeks, a patch was released on September 17, 2021 in version 3.3.24. As per our responsible disclosure policy, we are now disclosing the vulnerability details because the plugin has been fully patched for some time.

If you have not already done so, we strongly recommend updating to the latest patched version of Sassy Social Share, which is version 3.3.25 at the time of this publication, as soon as possible. This is especially urgent if you are running version 3.3.23, the vulnerable version of the plugin.

Description: Missing Authorization Controls Leading to PHP Object Injection
Affected Plugin: Sassy Social Share
Plugin Slug: sassy-social-share
Plugin Vendor: Team Heateor
Affected Versions: 3.3.23
CVE ID: CVE-2021-39321
CVSS Score: 6.3 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Researcher/s: Chloe Chamberland

Sassy Social Share is an easy to use plugin designed to enhance a site’s social media presence. One of the plugin’s recent updates introduced the ability to import and export the plugin’s settings. Unfortunately, this was insecurely implemented, making it possible for any authenticated user to import the plugin’s settings and, in doing so, to inject arbitrary PHP objects.

In order to provide this functionality the plugin registered the wp_ajax_heateor_sss_import_config AJAX action, hooked to the import_config function. Because wp_ajax_ actions are reachable through wp-admin/admin-ajax.php by any logged-in user, it is up to the handler itself to check who is calling. Unfortunately, this function had no capability check and no nonce protection, which meant that any authenticated user, down to subscriber level, could trigger the AJAX action.

In this vulnerability’s simplest form it could be used to import and override the plugin’s settings, but it didn’t stop there. The plugin passed the user-supplied contents of the config parameter through base64_decode() and then maybe_unserialize(), which wraps PHP’s unserialize(). The is_array() check that follows does not help: a serialized array can carry serialized objects as its values, so an attacker could craft a payload that instantiates other PHP classes and, if a vulnerable magic method was present in another piece of software installed on the same site, perform further actions. This is referred to as PHP Object Injection, and we have detailed this type of vulnerability more extensively in the past.

	public function import_config() {
		// No capability check and no nonce check: any logged-in user reaches this code.
		if ( isset( $_POST['config'] ) && strlen( trim( $_POST['config'] ) ) > 0 ) {
			// maybe_unserialize() hands attacker-controlled text to unserialize().
			$config = maybe_unserialize( base64_decode( trim( $_POST['config'] ) ) );
			// is_array() does not exclude objects nested inside the array.
			if ( is_array( $config ) && count( $config ) > 0 ) {
				update_option( 'heateor_sss', $config );
				header( 'Content-Type: application/json' );
				die( json_encode(
					array(
						'success' => 1
					)
				) );
			}
		}
		die;
	}
If another plugin or theme with a vulnerable magic method was installed on the same site with a vulnerable version of the Sassy Social Share plugin, then an attacker could potentially have the ability to create new files, delete existing files, execute remote commands, and more. This would make it possible for an attacker to take over a vulnerable WordPress site.
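For comparison, here is how the same handler looks with the three missing controls in place: a capability check, a nonce check, and deserialization that cannot instantiate classes. This is an added example written for this page; it is not the plugin’s code and not the vendor’s actual patch, which the post does not show. The function names sss_decode_import_config and sss_hardened_import_config, the AJAX action wp_ajax_sss_import_config, the nonce action sss_import_config and the class name SomeGadget in the test payload are all assumed; the option name heateor_sss is taken from the vulnerable code above.

```php
<?php
// Added example, not the plugin's code and not the vendor's patch (the post
// does not show the patch). Function, action, nonce and class names are
// assumed; the option name heateor_sss is the one the vulnerable code uses.
declare(strict_types=1);

/**
 * Decode a base64-encoded, serialized settings blob without letting it
 * instantiate objects. Returns the settings array, or null if the input is
 * malformed, empty, or contains an object anywhere in the structure.
 */
function sss_decode_import_config(string $raw): ?array
{
    $decoded = base64_decode(trim($raw), true);   // strict: reject non-base64
    if ($decoded === false || $decoded === '') {
        return null;
    }

    // allowed_classes => false turns every O:/C: record into a
    // __PHP_Incomplete_Class, so no __wakeup()/__destruct() gadget can run.
    // The @ silences the E_NOTICE unserialize() raises on malformed input.
    $config = @unserialize($decoded, ['allowed_classes' => false]);
    if (!is_array($config) || $config === []) {
        return null;
    }

    // is_array() alone is not enough: objects can sit inside the array.
    // Walk every leaf and refuse the whole import if any object is present.
    $hasObject = false;
    array_walk_recursive($config, static function ($value) use (&$hasObject): void {
        if (is_object($value)) {
            $hasObject = true;
        }
    });

    return $hasObject ? null : $config;
}

/**
 * Hardened AJAX handler. Needs WordPress, so it is only registered when
 * add_action() exists; the helper above runs anywhere.
 */
function sss_hardened_import_config(): void
{
    // 1. Authorization: importing settings is an administrator action.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    // 2. CSRF: the request must carry the nonce printed on the settings page
    //    (wp_nonce_field('sss_import_config', 'nonce') in the form).
    check_ajax_referer('sss_import_config', 'nonce');

    // 3. Deserialize without instantiating classes.
    $raw = isset($_POST['config']) && is_string($_POST['config'])
        ? wp_unslash($_POST['config'])
        : '';
    $config = sss_decode_import_config($raw);
    if ($config === null) {
        wp_send_json_error('invalid config', 400);
    }

    update_option('heateor_sss', $config);
    wp_send_json_success();
}

if (function_exists('add_action')) {
    add_action('wp_ajax_sss_import_config', 'sss_hardened_import_config');
}

// Stand-alone check (php this-file.php): a legitimate export is accepted,
// a constructed hostile one carrying a serialized object is rejected.
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    $legit = base64_encode(serialize(['theme' => 'round', 'networks' => ['twitter', 'facebook']]));
    if (sss_decode_import_config($legit) === null) {
        throw new RuntimeException('legitimate settings were rejected');
    }

    // Same array shape, but one value is an object record; with a plain
    // unserialize() this would instantiate SomeGadget with an attacker path.
    $hostile = base64_encode(
        'a:1:{s:5:"theme";O:10:"SomeGadget":1:{s:4:"path";s:11:"/etc/passwd";}}'
    );
    if (sss_decode_import_config($hostile) !== null) {
        throw new RuntimeException('object-carrying import was accepted');
    }
    echo "import helper: legitimate array accepted, object payload rejected\n";
}
```

The order matters: the authorization and nonce checks run before the request body is touched at all, so an unprivileged user never reaches unserialize(). If the export format can be changed, a JSON export with json_decode($raw, true) removes the unserialize() call entirely and is the simpler long-term fix.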

Disclosure Timeline

August 31, 2021 – Conclusion of the plugin analysis that led to the discovery of a vulnerability in the Sassy Social Share WordPress plugin. We develop a firewall rule to protect Wordfence customers and release it to Wordfence Premium users.
September 1, 2021 – The vendor confirms the inbox for handling the discussion.
September 2, 2021 – We send over full disclosure details. The vendor responds confirming they will begin working on a fix.
September 2-17, 2021 – We work closely with the vendor to ensure an optimal security patch is released by verifying the implemented fixes before they are released to customers.
September 17, 2021 – The patched version is released as 3.3.24.
September 30, 2021 – Wordfence free users receive the firewall rule.

Conclusion

In today’s post, we described a flaw in the Sassy Social Share WordPress plugin that grants attackers the ability to update the plugin’s settings and inject PHP Objects. This flaw has been fully patched in version 3.3.24 of Sassy Social Share. We recommend that WordPress users immediately update to the latest version available, which is version 3.3.25 at the time of this publication.

Please do let others in the WordPress community know about this issue to help them stay safe.

Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on August 31, 2021. Sites still using the free version received the same protection on September 30, 2021.

If your site has been compromised as a result of this or any other vulnerability, we offer Professional Site Cleaning services to help undo the damage. If you know a friend or colleague who is using this plugin on their site, please forward this advisory to them to help keep their sites protected as these vulnerabilities can lead to complete site takeover.

The post Vulnerability Patched in Sassy Social Share Plugin appeared first on Wordfence.

It’s Not You. It’s Them. On Hacking and Responsible Disclosure.

A story was recently posted to Hacker News celebrating a hack of IoT devices at a school that let a student and their friends rickroll the school via a video system. On the one hand, this guy is my personal hero and I want to be them. But I’m a cybersecurity professional, I run a team that has the ability to hack into any system they take an interest in, and I’ve studied cybersecurity ethics and am familiar with the consequences of hacking in 2021. I’m also aware of the fallibility of humans. So I was obliged to reply on HN.

The short version is this: In the United States, hacking crimes are governed by the CFAA – the Computer Fraud and Abuse Act. The criminal penalties are extremely harsh, and many cybercrimes are handled in federal court. If you do access a computer system without authorization, or exceed the authorization you have been given – which are both criminal offenses under CFAA – you’ve given yourself a pretty good shot at ruining your life. Being charged with a crime and having to deal with court dates is stressful enough. Even if you’re lucky to get probation, you still have a criminal record which severely limits your job opportunities and travel options.

Responsible disclosure is challenging enough. But actually hacking systems – even if you think you’re being playful – can lead to disaster. As I said in my comment: “Overzealous prosecutors have been given a huge amount of power, and all you need is one embarrassed systems administrator, school board, or management team to trigger a disastrous outcome in stories like this.”

For the most part, my comment on HN was upvoted and supported in the replies. But I did get a certain amount of pushback. And wouldn’t you know it, in the news this morning is a fine example of the kind of idiocy out there that demonstrates why researchers and explorers need to be very careful to avoid violating the CFAA.

A journalist at the St Louis Post Dispatch discovered a data disclosure issue with a website that allowed the public to look up teacher credentials. Encoded in the HTML source code of the site were the social security numbers of teachers, counselors, and administrators. It’s worth noting that the data was encoded, not encrypted, which means it was easily readable by any attacker or software developer.

The St Louis Post Dispatch and their journalist did exactly the right thing: They confidentially disclosed the issue to the website operator. The website operator fixed the problem. And then St Louis Post Dispatch disclosed the details in an article, which is exactly how the cybersecurity industry works. That final disclosure step is so that the public has full transparency on the issue – in other words, teachers should know that their socials were exposed. And so that other researchers, vendors, and operations staff can learn from this mistake.

What should have happened at this point? Nothing. Because absolutely nothing was awry. The discovery helped secure a system. The journalist never breached any cybersecurity ethical boundaries. The school system has a more secure website. Apparently, that wasn’t enough for Missouri Governor Mike Parson who has announced that the Cole County Prosecutor and the Missouri Highway Patrol [I’m not joking] will investigate the matter.

And the governor is rolling out the red carpet. Extracts from his statement: “We are coordinating state resources to respond and utilize all legal methods available. My administration has notified the Cole County prosecutor of this matter. The Missouri State Highway Patrol’s digital forensic unit will also be conducting an investigation of all of those involved. We will not let this crime against Missouri teachers go unpunished. And we refuse to let them be a pawn in the news outlet’s political vendetta. Not only are we going to hold this individual accountable, but we will also be holding accountable all those who aided this individual and the media corporation that employs them. This incident alone may cost Missouri taxpayers as much as $50 million and divert workers and resources from other state agencies.”

All because a journalist spotted that social security numbers were easily accessible in HTML source code, responsibly disclosed the issue, and helped secure the school system, exactly the way every ethical and responsible cybersecurity organization on this planet operates.

Let’s revisit the school hacking story I started with. What you have here is exactly what I warned folks about just days ago. An embarrassed governor and embarrassed school administrators are framing this as a malicious act to try to protect their reputations. And they have the full force of the CFAA to back them up. They’re most likely going to try to frame reading HTML source code as accessing a system beyond the authorization given, which is a crime under the CFAA.

So if you are a cybersecurity researcher or simply curious and love exploring our global Internet, please be careful. Read the Wikipedia entry for the CFAA so that you understand it. The Responsible Disclosure article on Wikipedia is also a great start. Every major cybersecurity certification also contains a section on ethics, so consider gaining a Security+, CEH, CISSP, or similar. After working in ops and development for over 20 years, I became a CISSP and even with my experience and knowledge, I found that I have benefited greatly from the certification.

Understand that responsible disclosure is still very much an industry insider concept. People who operate systems and their employers are often unsophisticated and uneducated in the field of cybersecurity – and they are human and are easily embarrassed. It’s very tempting for them to shoot the messenger, even when the messenger delivers the bad news within a globally accepted framework.

And when it comes to hacking your school network or other systems that you don’t have the authorization to hack? Don’t do it. We aren’t living in the 80s or early 90s anymore, where hackers are seen as adorable Matthew Broderick characters from the movie Wargames. When Kevin Mitnick was hunted down by Janet Reno for over 2 years, under the Clinton Administration in 1995, and eventually arrested, the game changed. Hackers were rebranded as evil, malicious, dangerous, and bound for prison, and Kevin was sentenced to 5 years. In South Africa where I was “exploring”, my friends started getting raided, one was arrested, and I was fortunate enough to only get a nasty letter. Childhood’s end had arrived for cybersecurity.

If you’re a researcher, take care, even when disclosing responsibly. If you think you’re being playful by accessing systems you’re not allowed to, or exceeding the access you’ve been given, stop. Back away from the keyboard. And sign up for a cybersecurity certification that will give you opportunities to do the kind of exploring you want to do, legally, and will teach you about the ethical frameworks that our industry has. And give your adventurous friends and family the same advice.

It’s not you. It’s them.

Mark Maunder – Defiant Inc Founder & CEO. (We make Wordfence)

The post It’s Not You. It’s Them. On Hacking and Responsible Disclosure. appeared first on Wordfence.
