Episode 77: WordPress 5.4.2 Released, Fake Ransomware Bitcoin Scams

This week, we look at the WP 5.4.2 release and a ransomware bitcoin scam targeting site owners with a “You’ve Been Hacked” email. We also look at an FBI warning about online banking app malware, the Verizon data breach report and what is says about WordPress, and how some white hat hackers are becoming millionaires responsibly disclosing vulnerabilities via HackerOne.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:20 WordPress 5.4.2 security release fixes multiple XSS vulnerabilities
1:47 High Severity Vulnerabilities in PageLayer Plugin Affect Over 200,000 WordPress Sites
3:05 Ransomware Bitcoin scam claiming sites are hacked
5:40 FBI warns of increased hacking risk if using mobile banking apps
8:08 $100 million in bounties paid by HackerOne to ethical hackers
10:00 Verizon data breach report: Web application attacks rise to account for almost half of all data breaches
11:17 Owners of DDoS for hire service get community service

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 77 Transcript

Welcome to Think Like a Hacker, the podcast about WordPress, security, and innovation. It’s been a few weeks, a lot going on here at Wordfence, including a couple of very well attended live events on YouTube. More on that later. First let’s get into the news.

Our top story, WordPress 5.4.2 was released on Wednesday, June 10th. WordPress’ latest release contains 23 fixes and enhancements, including patches for six moderate-risk cross site scripting and other security bugs.

Wordfence Threat Analyst and Senior QA Engineer Ram Gall took a deeper look at the release. He found that most of the security patches were fixing vulnerabilities only exploitable in rather specialized cases. One of the cross-site scripting issues addressed by the update meant authenticated users with low privileges were able to add JavaScript to posts in the block editor. A separate issue gave authenticated users with upload permissions, the ability to add JavaScript to media files. And the release also had another bug, not cross site scripting, that resolved an open redirect issue in the wp_validate_redirect function. An issue where comments from password protected posts and pages could be displayed under certain conditions was also resolved. Special shout out and a thank you to the security researchers that found these vulnerabilities and responsibly disclosed them to the core team, and a shout out, of course, to the core team who got this release out.

Our next story is about high severity vulnerabilities that were patched in the Page Layer plugin. This affected over 200,000 WordPress sites. Chloe Chamberland posted this on the Wordfence official blog a few weeks ago. At the time of this writing, these vulnerabilities have already been patched. If you’re using Wordfence, the firewall is protecting against exploits. Both free and premium users are protected against this being exploited. One of the flaws allowed any authenticated user with subscriber level and above permissions, the ability to update and modify posts with malicious content amongst other things.

The second flaw allowed attackers to forge requests on behalf of a site administrator to modify the settings of the plugin, which could allow for a malicious JavaScript injection. Chloe demonstrated this both on the video that is included on the blog post, as well as during Wordfence Office Hours on June 9th. These are available on the Wordfence YouTube channel. I suggest checking those out. There are links in the show notes. Chloe really makes understanding these exploits easy and makes it easy for all of us to understand how to protect our sites better.

Our next story is about fake ransomware Bitcoin scams. Now I’m sure we’ve all received one of these at one point or another. We have been seeing these in email inboxes for quite a while. Last year, they were claiming to have video of people accessing rather questionable and embarrassing content, and were basically trying to get people to pay Bitcoin so that those videos would not be exposed. Of course, it was all a scam. Now they’re taking aim at site owners, claiming that your site is hacked, and the only way to save the personally identifiable information from your site’s database is to pay a ransom. So the scammer sends an email to the site owner with the subject “your site has been hacked” and the body of the email claims hackers have exploited vulnerabilities to gain access to the site’s database, and that they have “moved to the information to an offshore server.”

The email then threatens to ruin the site owners reputation by selling the site database or notifying customers that their information was compromised, and they are also threatening to de-index the site from the search engines by using black hat techniques. Now, this is all stuff that could happen, but much like the previous scams that we have seen in inboxes, it’s a scam and it’s not true, and you may be receiving these emails without your site actually hacked.

There is actually a Bitcoin abuse database on what you can look up what’s happening with an individual Bitcoin address. So you can enter in that Bitcoin address and it will report what the owner of that address has been up to. So if you put in the Bitcoin address of any of these email scams that people are getting, you’ll see that other people are receiving similar types of email scams trying to target sites, even some sites that don’t even have a database. So far, it appears that these campaigns have not been very successful. Yay. People are deleting them and they are not convincing site owners to pay the ransom. I’m sure these scammers will move on to another scam. We just need to be aware that anything that shows in your inbox may or may not be true, and if anyone ever threatens you online requesting Bitcoin or any other cryptocurrency, or even money, to really look deeper at those types of ransom types of requests, because they are most likely a scam.

Our next story comes from Bleeping Computer. They are reporting that the FBI is warning of increased hacking risks if you are using mobile banking apps on your smartphone. So the FBI is reporting that financial technology providers are estimating more than 75% of Americans are using mobile banking in some form, and the studies of U.S. financial data are indicating a 50% surge in mobile banking since the beginning of 2020, most likely due to all of the lockdowns and COVID-19. So the FBI is anticipating that these malicious actors will try to exploit new mobile banking customers who are unaware of how these banking apps work, and they may be using things such as fake banking apps and app based banking trojans. One thing that is important to remember is if you download an app, it is going to ask you to give it permissions that it will require an order to steal your information, to steal your usernames and passwords.

This malware does not go snooping around in Android or iOS, but it will actually stay dormant and only surface when you open a legitimate banking app and then it will ask for information. So then these Trojans will create a false version of the bank’s login page and overlays it on top of a legitimate app. Once you enter your credentials into that Trojan app, obviously you are exposing your credentials to an attacker.

So what can we do? Obviously be very careful when you’re on your smartphone. In the cryptocurrency space, security has been an issue for a very long time. And I’ve known people who are big into trading cryptocurrency, and they actually have a separate laptop, a separate machine, that they do all of their banking on, and that’s the only thing they do with that specific laptop. Maybe it’s time for us to start applying some of these more stringent controls for our other financial institutions and only have one browser, for an example, that you use for banking or transferring of funds or cryptocurrency trading, or stock trading, whatever you’re doing with your money. And just functionally isolate what you’re doing with your financial institutions in order to mitigate these types of risks.

Our next story is from PortSwigger, portswigger.net, and they are reporting on the Verizon 2020 data breach investigation report, and they are stating that web application attacks rise to account for almost half of all data breaches. So the actual number is 43% of breaches trace back to attacks against web applications. Of course, your WordPress website is a web application. This is double the results from last year, and the vast majority of those data breaches were motivated, of course, by the prospect of illicit financial gain. This is up from 71% in 2019.

Now, how does this affect WordPress? Attacks on content management systems that include WordPress, Joomla, Drupal, NoneCMS accounted for about 20% of all cyber attacks. And more than 28% of attacks targeted technology platforms supporting websites, such as ColdFusion and Apache Struts. Now, what can we take from this data? I mean, I don’t find this to be entirely too surprising.

Your website is the easiest thing for an attacker to attack. It is your front door on the internet for your business. It’s much easier for them to target your website than say your email systems or your accounting systems, though if they had that kind of information, they’d probably target that as well. Obviously with any front door, it’s good to have a lock and key and maybe a security camera or security system preventing these types of attacks on the front door, which is why Wordfence exists. Good to have a firewall on that front door and make sure those malicious attacks cannot occur, and a malware scanner to tell you if indeed it happened.

Our next story is also from Bleeping Computer and this was published on May 27th. They reported that a hundred million dollars in bounties had been paid via HackerOne to ethical hackers. This is a feel good story, hacking being profitable, white hat hacking being profitable. Always good to put some attention on that. They’re reporting that over 700,000 ethical hackers are using the bug bounty platform to get paid for security bugs in the products of over 1900 HackerOne customers. Of course, it’s impossible for us to know how many cyber breaches have been averted by responsible disclosure of security vulnerabilities, but with the average cost of breaches around $8 million, the savings to businesses who are running websites and other applications are probably in the tens of billions.

So HackerOne announced that eight of the hackers using their platform had become millionaires with 19-year-old Santiago Lopez being the first white hat hacker to earn over a million dollars by reporting security vulnerabilities responsibly to HackerOne. Kind of exciting.

Our final story from June 7th, from Krebs on Security is about a DDoS for hire service that got six months of community service. This company was called vDOS and the co-owners operated this for four years, basically taking money from customers and launching over 2 million DDoS or distributed denial of service attacks, knocking many internet users and websites offline. They’ve been sentenced to six months of community service by an Israeli court. Now it looks like vDOS was responsible for a majority of the DDoS attacks that had clogged up the internet between 2012 and 2016. Their subscription packages were sold on how many seconds the DDoS attack would last, and in four months between April and July 2016, vDOS was responsible for launching over 277 million seconds of attack time. It was kind of hard to get all of this data because after they would perform these attacks, they would wipe their servers. Pretty scary stuff.

Now, obviously, operating this type of service is illegal in numerous municipalities; purchasing these types of services is also illegal in numerous jurisdictions. A commenter on Krebs article stated that one of the defendants had actually turned his life around and is working for a legitimate company now. Let’s hope that both of them do and let’s hope more of the malicious attackers that exist out on the web find ways to maybe become ethical hackers, go look for vulnerabilities on applications and submit their bugs to places like HackerOne for bug bounties. There are ways that some of this cyber crime can get turned around.

The news for today. I would like to invite you to join us for Office Hours on YouTube. You can find us on the Wordfence channel every Tuesday at noon Eastern time on the East coast of the United States, and 9:00 AM Pacific time. Next week, we will be fixing a hack. So we’ve been doing some live hacking over the past couple of weeks with Chloe Chamberland, and now we’re going to take one of those hacked sites and show you how to use Wordfence to clean it up. So join us over there.

As always, thank you for listening to Think Like a Hacker. Might have a couple of weeks where I am off doing some interesting things in my life that I’ll talk about later, but we will come back with all of the news in WordPress security and innovation, just as soon as we can. Stay safe and we will talk to you soon.

Go ahead and give us a like or give us a review on Apple podcasts. Definitely join us over on YouTube. Follow me on Twitter and I’ll let you know what the whole Wordfence team is up to. Of course, if you’re not following Wordfence on your favorite social media, we are Wordfence everywhere, whether it is Instagram or Facebook or Twitter.

The post Episode 77: WordPress 5.4.2 Released, Fake Ransomware Bitcoin Scams appeared first on Wordfence.

WordPress 5.4.2 Patches Multiple XSS Vulnerabilities

WordPress Core version 5.4.2 has just been released. Since this release is marked as a combined security and bug fix update, we recommend updating as soon as possible. With that said, most of the security fixes themselves are for vulnerabilities that would require specific circumstances to exploit. All in all this release contains 6 security fixes, 3 of which are for XSS (Cross-Site Scripting) vulnerabilities. Both the free and Premium versions of Wordence have robust built-in XSS protection which will protect against potential exploitation of these vulnerabilities.

A Breakdown of each security issue

An XSS issue where authenticated users with low privileges are able to add JavaScript to posts in the block editor

This flaw would have made it possible for an attacker to inject JavaScript into a post by manipulating the attributes of Embedded iFrames. This would be exploitable by users with the edit_posts capability, meaning users with the Contributor role or higher in most configurations.

The changeset in question is:

This issue was discovered and reported by Sam Thomas (jazzy2fives)

An XSS issue where authenticated users with upload permissions are able to add JavaScript to media files

This flaw would have made it possible for an attacker to inject JavaScript into the “Description” field of an uploaded media file. This would be exploitable by users with the upload_files capability, meaning users with the Author role or higher in most configurations.

The changeset in question is:

This issue was discovered and reported by Luigi – (gubello.me)

An open redirect issue in wp_validate_redirect()

For this flaw, the wp_validate_redirect function failed to sufficiently sanitize URLs supplied to it. As such it would have been possible under certain circumstances for an attacker to craft a link to an impacted site that would redirect visitors to a malicious external site. This would not require specific capabilities, but it would typically require either social engineering or a separate vulnerability in a plugin or theme to exploit.

The changeset in question is:

This issue was discovered and reported by Ben Bidner of the WordPress Security Team.

An authenticated XSS issue via theme uploads

This flaw would have made it possible for an attacker to inject JavaScript into the stylesheet name of a broken theme, which would then be executed if another user visited the Appearance->Themes page on the site. This would be exploitable by users with the install_themes or edit_themes capabilities, which are only available to administrators in most configurations.

The changeset in question is:

This issue was discovered and reported by Nrimo Ing Pandum

An issue where set-screen-option can be misused by plugins leading to privilege escalation

For this flaw, a plugin incorrectly using the set-screen-option filter to save arbitrary or sensitive options could potentially be used by an attacker to gain administrative access. We are not currently aware of any plugins that are vulnerable to this issue.

The changeset in question is:

This issue was discovered and reported by Simon Scannell of RIPS Technologies

An issue where comments from password-protected posts and pages could be displayed under certain conditions

For this flaw, comment excerpts on password-protected posts could have been visible on sites displaying the “Recent Comments” widget or using a plugin or theme with similar functionality.

The changeset in question is:

This issue was discovered and reported by Carolina Nymark

Note: This is unrelated to an issue where unmoderated spam comments were briefly visible and indexable by search engines.

What should I do?

Most of these vulnerabilities appear to be exploitable only under limited circumstances or by trusted users, but we recommend updating as soon as possible. Attackers may find ways to exploit them more easily, or the researchers who discovered these vulnerabilities may publish Proof of Concept code that allows simpler exploitation. This is a minor WordPress release, so most sites will automatically update to the new version.


We’d like to thank the WordPress core team and the researchers who discovered and responsibly reported these vulnerabilities for making WordPress safer for everyone.

You can find the official announcement of the WP 5.4.2 release on this page. If you have any questions or comments, please don’t hesitate to post them below and we’ll do our best to answer them in a timely manner. If you are one of the researchers whose work is included above and would like to provide additional detail or corrections, we welcome your comments.

Special thanks to QA Lead Matt Rusnak for helping to identify the changesets associated with these fixes.

The post WordPress 5.4.2 Patches Multiple XSS Vulnerabilities appeared first on Wordfence.

What is the Gibberish Hack?

Discovering some random folder with numbers and letters you don’t remember on your website would make any website owner put on their detective cap. At first, you may think, “Did I leave my FTP client open and my cat ran across the keyboard?”

But when you open the folder, you find a series of HTML files, each named with some kind of nonsensical phrases like “cheap-cool-hairstyles-photos.html.” If you open one of these files on the browser, you’ll likely be redirected to something you’re not expecting, such as a suspicious ecommerce site or an error page.

Continue reading What is the Gibberish Hack? at Sucuri Blog.

Experience + Technology: How We Clean Infected Websites at Sucuri

Our malware removal service is particularly effective because it combines automated and human elements. The process gets off to a quick start thanks to cleanup scripts developed by our threat researchers.

Real people also get their hands dirty handling tough work that shouldn’t be automated.

The automated scripts identify and remove a lot of website malware using the same threat definitions that power our Web Application Firewall (WAF) and SiteCheck website scanner.

Continue reading Experience + Technology: How We Clean Infected Websites at Sucuri at Sucuri Blog.

Evasion Tactics in Hybrid Credit Card Skimmers

The most common type of Magento credit card stealing malware is client-side JavaScript that grabs data entered in a checkout form and sends it to a third-party server controlled by the attackers.

Though popular with bad actors, one of the drawbacks of this approach is that it’s possible to track requests to suspicious servers if you monitor the traffic generated by checkout pages — or any other infected pages.

A lesser-known, but still very popular, type of skimmer can instead be found harvesting information server-side.

Continue reading Evasion Tactics in Hybrid Credit Card Skimmers at Sucuri Blog.

Large Scale Attack Campaign Targets Database Credentials

Large Scale Attack Campaign Targets Database Credentials

Between May 29 and May 31, 2020, the Wordfence Firewall blocked over 130 million attacks intended to harvest database credentials from 1.3 million sites by downloading their configuration files.

The peak of this attack campaign occurred on May 30, 2020. At this point, attacks from this campaign accounted for 75% of all attempted exploits of plugin and theme vulnerabilities across the WordPress ecosystem.

We were able to link these attacks to the same threat actor previously targeting XSS vulnerabilities at a similar scale. All Wordfence users, including Wordfence Premium and those still using the free version of Wordfence, are protected by our firewall’s built-in directory traversal protection.

Different vulnerabilities, same IPs

The previously reported XSS campaigns sent attacks from over 20,000 different IP addresses. The new campaign is using the same IP addresses, which accounted for the majority of the attacks and sites targeted. This campaign is also attacking nearly a million new sites that weren’t included in the previous XSS campaigns.

As with the XSS campaigns, almost all of the attacks are targeted at older vulnerabilities in outdated plugins or themes that allow files to be downloaded or exported. In this case the attackers are attempting to download wp-config.php, a file critical to all WordPress installations which contains database credentials and connection information, in addition to authentication unique keys and salts. An attacker with access to this file could gain access to the site’s database, where site content and users are stored.

Indicators of Compromise

Attacks by this campaign should be visible in your server logs. Look for any log entries containing wp-config.php in the query string that returned a 200 response code.

The top 10 attacking IP addresses in this campaign are listed below.

What should I do?

Sites running Wordfence are protected against this campaign. If your site is not running Wordfence, and you believe you have been compromised, change your database password and authentication unique keys and salts immediately.

If your server is configured to allow remote database access, an attacker with your database credentials could easily add an administrative user, exfiltrate sensitive data, or delete your site altogether. Even if your site does not allow remote database access, an attacker who knows your site’s authentication keys and salts may be able to use them to more easily bypass other security mechanisms.

If you’re not comfortable making the changes above, please contact your host, since changing your database password without updating the wp-config.php file can temporarily take down your site.


In today’s post, we covered another large-scale attack campaign against WordPress sites by a threat actor we have been tracking since February. All Wordfence users, including sites running the free version of Wordfence, and Wordfence Premium, are protected against these attacks. Nonetheless, we urge you to make sure that all plugins and themes are kept up to date, and to share this information with any other site owners or administrators you know. Attacks by this threat actor are evolving and we will continue to share additional information as it becomes available.

The post Large Scale Attack Campaign Targets Database Credentials appeared first on Wordfence.

Pin It on Pinterest