AccessPress Themes Hit With Targeted Supply Chain Attack

Security researchers at Automattic recently reported that the popular WordPress plugin and theme authors AccessPress were compromised and their software replaced with backdoored versions. The compromise appears to have taken place in September of last year and was only recently made public. Users who used software obtained directly from the AccessPress website unknowingly provided attackers with backdoor access, resulting in an unknown number of compromised websites. The software from the official WordPress repository so far appears to have been unaffected, although the proactive measure has been taken to remove them until a proactive code review can be conducted.

Continue reading AccessPress Themes Hit With Targeted Supply Chain Attack at Sucuri Blog.

What Should You do if Your WordPress Site was Hacked?

These days WordPress infections are very common. In 2021, internetlivestats.com counted over 81 million websites hacked. If you’re one of the millions, you need to take action to fix and protect your site. Of course, a hacked site will put any site owner into panic mode. This article will provide insight on what to do if your website is hacked and how to move forward. WordPress sites can be hacked due to a variety of reasons, which we cover in Why are WordPress sites targeted by hackers?

Continue reading What Should You do if Your WordPress Site was Hacked? at Sucuri Blog.

Unauthenticated XSS Vulnerability Patched in HTML Email Template Designer Plugin

On December 23, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “WordPress Email Template Designer – WP HTML Mail”, a WordPress plugin that is installed on over 20,000 sites. This flaw made it possible for an unauthenticated attacker to inject malicious JavaScript that would execute whenever a site administrator accessed the template editor. This vulnerability would also allow them to modify the email template to contain arbitrary data that could be used to perform a phishing attack against anyone who received emails from the compromised site.

Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on December 23, 2021. Sites still using the free version of Wordfence will receive the same protection on January 22, 2022.

We sent the full disclosure details to the developer on January 10, 2022, after multiple attempts to contact the developer and eventually receiving a response. The developer quickly acknowledged the report and released a patch on January 13, 2022.

We strongly recommend ensuring that your site has been updated to the latest patched version of “WordPress Email Template Designer – WP HTML Mail”, which is version 3.1 at the time of this publication.

Description: Unprotected REST-API Endpoint to Unauthenticated Stored Cross-Site Scripting and Data Modification
Affected Plugin: WordPress Email Template Designer – WP HTML Mail
Plugin Slug: wp-html-mail
Plugin Developer: codemiq
Affected Versions: <= 3.0.9
CVE ID: CVE-2022-0218
CVSS Score: 8.3 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Chloe Chamberland
Fully Patched Version: 3.1

WP HTML Mail is a WordPress plugin developed to make designing custom emails simpler for WordPress site owners. It is compatible with various WordPress plugins like WooCommerce, Ninja Forms, BuddyPress, and more. The plugin registers two REST-API routes which are used to retrieve email template settings and update email template settings. Unfortunately, these were insecurely implemented making it possible for unauthenticated users to access these endpoints.

More specifically, the plugin registers the /themesettings endpoint, which calls the saveThemeSettings function or the getThemeSettings function depending on the request method. The REST-API endpoint did use the permission_callback function, however, it was set to __return_true which meant that no authentication was required to execute the functions. Therefore, any user had access to execute the REST-API endpoint to save the email’s theme settings or retrieve the email’s theme settings.

	public function rest_api_init() {
		register_rest_route( $this->api_base, '/themesettings', array(
            'methods' => 'GET',
			'callback' => [ $this, 'getThemeSettings' ],
			'permission_callback' => '__return_true'
		));
		
		register_rest_route( $this->api_base, '/themesettings', array(
            'methods' => 'POST',
			'callback' => [ $this, 'saveThemeSettings' ],
			'permission_callback' => '__return_true'
		));
	}

As this functionality was designed to implement setting changes for the email template, an unauthenticated user could easily make changes to the email template that could aid in phishing attempts against users that receive emails from the targeted site. Worse yet, unauthenticated attackers could inject malicious JavaScript into the mail template that would execute anytime a site administrator accessed the HTML mail editor.

As always, cross-site scripting vulnerabilities can be used to inject code that can add new administrative users, redirect victims to malicious sites, inject backdoors into theme and plugin files, and so much more. Combined with the fact that the vulnerability can be exploited by attackers with no privileges on a vulnerable site, this means that there is a high chance that unauthenticated attackers could gain administrative user access on sites running the vulnerable version of the plugin when successfully exploited. As such, we strongly recommend that you verify that your site is running the most up to date version of the plugin immediately.

Timeline

December 23, 2021 – Conclusion of the plugin analysis that led to the discovery of a Stored Cross-Site Scripting Vulnerability in the “WordPress Email Template Designer – WP HTML Mail” plugin. We develop and release a firewall rule to protect Wordfence users. Wordfence Premium users receive this rule immediately. We attempt to initiate contact with the developer.
January 4, 2022 – We send an additional outreach attempt to the developer.
January 10, 2022 – The developer confirms the inbox for handling the discussion. We send over the full disclosure details.
January 11, 2022 – The developer acknowledges the report and indicates that they will work on a fix.
January 13, 2022 – A fully patched version of the plugin is released as version 3.1.
January 22, 2022 – The firewall rule becomes available to free Wordfence users.

Conclusion

In today’s post, we detailed a flaw in the “WordPress Email Template Designer – WP HTML Mail” plugin that made it possible for unauthenticated attackers to inject malicious web scripts that would execute whenever a site owner accessed the mail editor area plugin, which could lead to complete site compromise. This flaw has been fully patched in version 3.1.

We recommend that WordPress site owners immediately verify that their site has been updated to the latest patched version available, which is version 3.1 at the time of this publication.

Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on December 23, 2021. Sites still using the free version of Wordfence will receive the same protection on January 22, 2022.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a serious vulnerability that can lead to complete site takeover.

If your site has been compromised by an attack on this or any other plugin, our Professional Site Cleaning services can help you get back in business.

The post Unauthenticated XSS Vulnerability Patched in HTML Email Template Designer Plugin appeared first on Wordfence.

Understanding Website SQL Injections

SQL injection is one of the most common types of web hacking techniques used today. As data breaches continue to happen to some of the most high-profile corporations and brands, it’s become more important for web users to adapt to these increased breaches with changes in behavior like system generated passwords and 2FA. 

In this post, we’ll be discussing SQL Injections in further detail, and why, as a website owner, you should care about this kind of attack.

Continue reading Understanding Website SQL Injections at Sucuri Blog.

How to Stop & Prevent DDoS Attacks

With DDoS attacks being an ever growing threat to servers across the globe, it’s become a fundamental part of website security. This impacts businesses both in terms of site presence, availability and profits. Over the last 8 or so years the web has had to evolve to respond to the increase in these attacks. For example, ​​back in 2014 a couple of teenagers were able to take the entire xbox live network offline during Christmas.

Continue reading How to Stop & Prevent DDoS Attacks at Sucuri Blog.

84,000 WordPress Sites Affected by Three Plugins With The Same Vulnerability

On November 5, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in “Login/Signup Popup”, a WordPress plugin that is installed on over 20,000 sites. A few days later we discovered the same vulnerability present in two additional plugins developed by the same author: “Side Cart Woocommerce (Ajax)”, installed on over 60,000 sites, and “Waitlist Woocommerce ( Back in stock notifier )”, installed on over 4,000 sites. This flaw made it possible for an attacker to update arbitrary site options on a vulnerable site, provided they could trick a site’s administrator into performing an action, such as clicking on a link.

All Wordfence users, including Wordfence Premium customers and free Wordfence users are protected against any attackers attempting to exploit this vulnerability. Wordfence Premium users received a firewall rule to protect against any exploits targeting these vulnerabilities on November 5, 2021. Sites still using the free version of Wordfence received the same protection on December 5, 2021.

We sent the full disclosure details on November 5, 2021, after the developer confirmed the appropriate channel to handle communications. After several follow-ups a patched version of “Login/Signup Popup” was released on November 24, 2021, while patched versions of “Side Cart Woocommerce (Ajax)” and “Waitlist Woocommerce ( Back in stock notifier )” were released on December 17, 2021.

We strongly recommend ensuring that your site has been updated to the latest patched version of any of these plugins, which is version 2.3 for “Login/Signup Popup”, version 2.5.2 for “Waitlist Woocommerce ( Back in stock notifier )”, and version 2.1 for “Side Cart Woocommerce (Ajax)” at the time of this publication.

Description: Cross-Site Request Forgery to Arbitrary Options Update
Affected Plugins: Login/Signup Popup | Waitlist Woocommerce ( Back in stock notifier ) | Side Cart Woocommerce (Ajax)
Plugin Slugs: easy-login-woocommerce | waitlist-woocommerce | side-cart-woocommerce
Plugin Developer: XootiX
Affected Versions: <= 2.2 | <= 2.5.1 | <= 2.0
CVE ID: CVE-2022-0215
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Researcher/s: Chloe Chamberland
Fully Patched Versions: 2.3 | 2.5.2 | 2.1

All three of the affected plugins by XootiX are designed to provide enhanced features to WooCommerce sites. The Login/Signup Popup plugin was designed to add login and signup pop-ups to both standard sites and WooCommerce powered sites, while the Waitlist WooCommerce plugin was designed to add a product waitlist and notifier for out of stock items and Side Cart Woocommerce was designed to make shopping carts available from anywhere on a site all powered via AJAX.

The vulnerability is simple. All three plugins register the save_settings function which is initiated via a wp_ajax action. This function was missing a nonce check which meant that there was no validation on the integrity of who was conducting the request.

	public function save_settings(){

		if( !current_user_can( $this->capability ) ) return;

		$formData = array();

		$parseFormData = parse_str( $_POST['form'], $formData );

		foreach ( $formData as $option_key => $option_data ) {

			$option_data = array_map( 'sanitize_text_field', stripslashes_deep( $option_data ) );

			update_option( $option_key, $option_data );
			
		}

		wp_send_json(array(
			'error' 	=> 0,
			'notice' 	=> 'Settings Saved',
		));
	}

This made it possible for an attacker to craft a request that would trigger the AJAX action and execute the function. If the attacker could successfully trick a site’s administrator into performing an action like clicking on a link or browsing to a certain website, while the administrator was authenticated to the target site, then the request would be successfully sent and trigger the action which would allow the attacker to update arbitrary options on that website.

Arbitrary Options Update vulnerabilities make it possible for attackers to update any option on the WordPress website. Attackers frequently abuse these to set the user_can_register option to true and the default_role option to administrator so that they can register on the vulnerable site as an administrator and completely take it over.

Though this Cross-Site Request Forgery (CSRF) vulnerability is less likely to be exploited due to the fact that it requires administrator interaction, it can have a significant impact to a successfully exploited site and, as such, it serves as an incredibly important reminder to remain aware when clicking on links or attachments and to ensure that you are regularly keeping your plugins and themes up to date.

Timeline

November 5, 2021 – Conclusion of the plugin analysis that led to the discovery of a CSRF to Arbitrary Option Update vulnerability in the Login/Signup Popup plugin. We develop and release a firewall rule to protect Wordfence users. Wordfence Premium users receive this rule immediately. We initiate contact with the developer and provide full disclosure on the same day.
November 10, 2021 – We follow-up with the developer to inform them that both “Side Cart Woocommerce (Ajax)” and “Waitlist Woocommerce ( Back in stock notifier )” plugins are also affected by the same vulnerability.
November 19, 2021 – We follow-up with the developer to check on the status of the patches.
November 24, 2021 – A patched version of “Login/Signup Popup” is released as version 2.3.
November 24, 2021 – December 13, 2021 – We attempt to follow up with the developer about patches for the remaining two plugins.
December 5, 2021 – The firewall rule becomes available to free Wordfence users.
December 17, 2021 – A patched version of “Waitlist Woocommerce ( Back in stock notifier )” is released as 2.5.2, and a patched version of “Side Cart Woocommerce (Ajax)” is released as version 2.1.

Conclusion

In today’s post, we detailed a flaw present in three plugins developed by the same developer that would make it possible for attackers to gain administrative access to sites when successfully exploited. This flaw has been fully patched in all three plugins.

We recommend that WordPress users immediately verify that their site has been updated to the latest patched version available for each of these plugins, which is version 2.3 for “Login/Signup Popup”, version 2.5.2 for “Waitlist Woocommerce ( Back in stock notifier )”, and version 2.1 for “Side Cart Woocommerce (Ajax)” at the time of this publication.

All Wordfence users, including Wordfence Premium customers and free Wordfence users are protected against this vulnerability. Wordfence Premium users received a firewall rule to protect against any exploits targeting these vulnerabilities on November 5, 2021. Sites still using the free version of Wordfence received the same protection on December 5, 2021.

If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a serious vulnerability that can lead to complete site takeover.

If your site has been compromised by an attack on this or any other plugin, our Professional Site Cleaning services can help you get back in business.

The post 84,000 WordPress Sites Affected by Three Plugins With The Same Vulnerability appeared first on Wordfence.

Pin It on Pinterest