Multiple Reflected Cross-Site Scripting Vulnerabilities in Three WordPress Plugins Patched

Mar 23, 2023 | WordFence Security, WordPress Security

The Wordfence Threat Intelligence Team recently disclosed several Reflected Cross-Site Scripting vulnerabilities that we discovered in three different plugins – Watu Quiz (installed on 5,000 sites), GN-Publisher (installed on 40,000 sites), and Japanized For WooCommerce (installed on 10,000 sites). As with all Reflected Cross-Site Scripting vulnerabilities, these could be leveraged for a complete site takeover as long as an unauthenticated attacker could successfully trick a site administrator into performing an action, such as clicking on a link or visiting a website under the attacker’s control.

All Wordfence customers, including Wordfence Premium, Wordfence Care, and Wordfence Response customers as well as those still using the free version of our plugin, are protected against any exploits targeting these vulnerabilities by the Wordfence firewall’s built-in Cross-Site Scripting protection.

Vulnerability Summaries

Description: Reflected Cross-Site Scripting
Affected Plugin: Watu Quiz
Plugin Slug: watu
Affected Versions: <= 3.3.9
CVE ID: CVE-2023-0968
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Marco Wotschka
Fully Patched Version: 3.3.9.1
Description: Reflected Cross-Site Scripting
Affected Plugin: GN Publisher: Google News Compatible RSS Feeds
Plugin Slug: gn-publisher
Affected Versions: <= 1.5.5
CVE ID: CVE-2023-1080
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Marco Wotschka
Fully Patched Version: 1.5.6
Description: Reflected Cross-Site Scripting
Affected Plugin: Japanized For WooCommerce
Plugin Slug: woocommerce-for-japan
Affected Versions: <= 2.5.4
CVE ID: CVE-2023-0942
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N
Researcher/s: Marco Wotschka
Fully Patched Version: 2.5.5

Vulnerability Details

Watu Quiz is a plugin that offers site owners the ability to create exams, quizzes and surveys. It allows administrators to review quiz submissions and filter search results by username, email, date taken and quiz score. Unfortunately, the search terms – provided as URL parameters – were not properly sanitized before being echoed on the search form.

Visiting a URL containing a malicious payload sufficed to trigger the execution of malicious JavaScript code in the context of the visiting user’s session. Since the exploitable page was an administrative page, this code could be used to create new administrator users or to perform other similarly severe actions potentially resulting in site takeover.

A vulnerable line of code in the plugin used the user-provided parameter and output it directly:

<input name="dn" type="text" value="<?php echo @$_GET['dn']?>" />

The dn parameter can be used to close out the value attribute, add an onmouseover event (or an onfocus event combined with the autofocus attribute) and execute JavaScript in the context of the victim’s browser.

/wp-admin/admin.php?page=watu_takings&exam_id=1&dn="%2Fonmouseover%3Dalert(123)%2F%2F

Versions up to 3.3.9 of this plugin are vulnerable. The issue is fixed in version 3.3.9.1 as of March 3, 2023.

GN Publisher is a plugin that makes RSS feeds which comply with Google News RSS feed technical requirements – necessary for inclusion in the Google News Publisher Center. The plugin addresses some common RSS compatibility issues publishers typically experience.

On its main configuration page It offers a tabbed form where administrators can change plugin-specific settings. However, the plugin does not properly escape the tab name before outputting it.

The software features a button in the top right corner that offers an upgrade to the PRO version. The code for the button in the vulnerable version is shown below (slightly reformatted for legibility):

As can be seen, the button element contains a php echo statement that outputs the tab parameter as a button class attribute. An unauthenticated attacker can take advantage of this and inject attribute-based JavaScript that executes on an event of the attacker’s choosing such as onmouseover, or onfocus in combination with autofocus, assuming they can also successfully trick a site administrator into performing an action.

/wp-admin/options-general.php?page=gn-publisher-settings&tab=hans%22%2F+onmouseover%3Dalert%281%29%3B%2F%2F

Versions up to, and including, 1.5.5 are vulnerable. Version 1.5.6 addressed this issue and was released on February 24, 2023.

The plugin Japanized for WooCommerce adds additional features to WooCommerce that make it more user-friendly for a Japanese audience, such as honorific titles and custom payment options geared towards the Japanese market. Similarly to the other two plugins discussed above, Japanized for WooCommerce outputs unsanitized user input provided via URL parameter.

As long as a tab parameter is provided, it will be output as part of the provided JavaScript that follows. A malicious piece of code can be used to close the script tag, open a new one, and include code to be executed on behalf of the visiting user.

/wp-admin/admin.php?page=wc4jp-options&tab=hans%27%3C%2Fscript%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E

Just like the other two vulnerabilities discussed above, this vulnerability can be exploited by unauthenticated attackers as long as an administrator of a vulnerable site can be tricked into performing an action such as clicking on a link leading them to the vulnerable form.

This issue is patched as of version 2.5.6, which was released on February 28, 2023.

As a final reminder, as is typical for Reflected Cross-Site Scripting vulnerabilities, these attacks can be carried out by unauthenticated users. However, the interaction of a site user is a requirement. Furthermore, the malicious injection does not persist as it is not stored in the database.

Conclusion

In today’s post, we detailed flaws in three plugins that made it possible for attackers to inject malicious JavaScript into a vulnerable site. While the exploitation of these vulnerabilities requires some degree of social engineering, they all could be used for site takeover.

All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites still running the free version of Wordfence, are fully protected against this vulnerability.

If you believe your site has been compromised as a result of these vulnerabilities or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

If you have any friends or colleagues who are using one of these plugins, please share this announcement with them and encourage them to update to the latest version as soon as possible.

If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard.

The post Multiple Reflected Cross-Site Scripting Vulnerabilities in Three WordPress Plugins Patched appeared first on Wordfence.

WooCommerce Credit Card Skimmer Reveals Tampered Gateway Plugin

Mar 22, 2023 | Sucuri, WordPress Security

Disclaimer: The malware infection described in this article does not affect the software plugin or payment gateway as a whole, and does not indicate any vulnerabilities or security flaws within Authorize.net itself nor WooCommerce or any associated WooCommerce plugin extensions. Overall they are both robust and secure payment platforms that are perfectly safe to use. Instead, this article highlights the importance of maintaining good security posture and keeping environments locked down to prevent tampering from threat actors.

Continue reading WooCommerce Credit Card Skimmer Reveals Tampered Gateway Plugin at Sucuri Blog.

What is a Headless CMS?

Mar 17, 2023 | Sucuri, WordPress Security

Running a website isn’t easy, but modern content management systems (CMS) like WordPress have revolutionized the way you can manage your website.

Headless CMS solutions take this a step further, decoupling the back-end source of the website content from its presentation on the front end. This makes for faster, safer, and more flexible sites that can handle rapid scaling and pivoting.

But is headless CMS better than traditional approaches? We’ll help you decide by breaking down what sets it apart and walk you through whether it’s a good fit for your project.

Continue reading What is a Headless CMS? at Sucuri Blog.

Wordfence Intelligence Weekly WordPress Vulnerability Report (Mar 6, 2023 to Mar 12, 2023)

Mar 17, 2023 | WordFence Security, WordPress Security

Last week, there were 60 vulnerabilities disclosed in 40 WordPress Plugins and 1 WordPress theme that have been added to the Wordfence Intelligence Vulnerability Database, and there were 16 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface and vulnerability API are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status Number of Vulnerabilities
Unpatched 3
Patched 57

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating Number of Vulnerabilities
Low Severity 0
Medium Severity 53
High Severity 6
Critical Severity 1

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE Number of Vulnerabilities
Cross-Site Request Forgery (CSRF) 24
Missing Authorization 17
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’) 9
Improper Limitation of a Pathname to a Restricted Directory (‘Path Traversal’) 2
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’) 1
Server-Side Request Forgery (SSRF) 1
Incorrect Privilege Assignment 1
Improper Neutralization of Special Elements in Output Used by a Downstream Component (‘Injection’) 1
Reliance on Untrusted Inputs in a Security Decision 1
Improper Authorization 1
Deserialization of Untrusted Data 1
Information Exposure 1

Researchers That Contributed to WordPress Security Last Week

Researcher Name Number of Vulnerabilities
Marco Wotschka
(Wordfence Vulnerability Researcher)		 15
Mika 5
Erwan LR 3
Rafshanzani Suhada 3
Rafie Muhammad 2
yuyudhn 2
Nguyen Xuan Chien 1
Nicholas Ferreira 1
Lana Codes 1
FearZzZz 1
Rio Darmawan 1
Omar Badran 1
thiennv 1
Daniel Ruf 1
Alex Sanford 1
Abdi Pranata 1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

Vulnerability Details

LeadSnap <= 1.23 – Unauthenticated PHP Object Injection via AJAX

CVE ID: CVE Unknown
CVSS Score: 9.8 (Critical)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/aefbebce-9433-455d-b27c-93088b0c8494

Multiple E-plugins (Various Versions) – Authenticated (Subscriber+) Privilege Escalation

CVE ID: CVE-2020-36666
CVSS Score: 8.8 (High)
Researcher/s: Omar Badran
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/629d4809-1dd2-4b67-8d8d-9c55f5240f94

WP Dark Mode <= 4.0.7 – Authenticated (Subscriber+) Local File Inclusion via ‘style’

CVE ID: CVE-2023-0467
CVSS Score: 8.8 (High)
Researcher/s: Alex Sanford
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d43234d0-5f44-4484-a8d6-16d43d1db51e

GiveWP <= 2.25.1 – Unauthenticated CSV Injection

CVE ID: CVE-2023-22719
CVSS Score: 8.3 (High)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/6368c397-0570-4304-a764-869bacc526c7

WP Statistics <= 13.2.16 – Authenticated (Admin+) SQL Injection

CVE ID: CVE-2023-0955
CVSS Score: 7.2 (High)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/0ffd60d2-ae8d-4738-a4f4-6df6e0ffa8c6

Paytium: Mollie payment forms & donations <= 4.3.7 – Missing Authorization in ‘create_mollie_account’

CVE ID: CVE Unknown
CVSS Score: 7.1 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d4491b89-2120-4edb-a396-e45ba09b3b99

Paytium: Mollie payment forms & donations <= 4.3.7 – Missing Authorization in ‘create_mollie_profile’

CVE ID: CVE Unknown
CVSS Score: 7.1 (High)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/fbbd3209-7ed6-4409-a24e-9f6225cf10f5

Complianz – GDPR/CCPA Cookie Consent <= 6.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

CVE ID: CVE-2023-1069
CVSS Score: 6.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7397898c-8d43-4399-9c2b-22f9287aa12d

Weaver Xtreme Theme Support <= 5.0.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

CVE ID: CVE Unknown
CVSS Score: 6.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7431ee0f-f485-48a4-9cdd-8fb2ac43e216

Cookie Notice & Compliance for GDPR / CCPA <= 2.4.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘cookies_revoke_shortcode’ Shortcode

CVE ID: CVE-2023-0823
CVSS Score: 6.4 (Medium)
Researcher/s: Erwan LR
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/914de8f3-e052-4256-af14-4a08eaa464b8

Daily Prayer Time <= 2023.03.08 – Authenticated (Contributor+) Stored Cross-Site Scripting

CVE ID: CVE-2023-27631
CVSS Score: 6.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/95691873-a16a-4e41-9456-41fa07efd6ce

GiveWP <= 2.25.1 – Authenticated (Author+) Stored Cross-Site Scripting

CVE ID: CVE-2022-40211
CVSS Score: 6.4 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b30261e0-1fa1-4794-98f6-851532b7615c

GiveWP <= 2.25.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via give_form_grid shortcode

CVE ID: CVE-2023-23668
CVSS Score: 6.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cc5f7a07-8117-4305-a72c-6afed80b6bcf

W4 Post List <= 2.4.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via ‘w4pl[no_items_text]’

CVE ID: CVE-2023-27413
CVSS Score: 6.4 (Medium)
Researcher/s: Abdi Pranata
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/feb9af10-7df2-4eb1-8546-debaa925df42

GiveWP <= 2.25.1 – Cross-Site Request Forgery to Cross-Site Scripting via render_dropdown

CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2a0381b1-9b63-41cb-8125-d22274b98867

Webmention <= 4.0.8 – Reflected Cross-Site Scripting via ‘replytocom’

CVE ID: CVE Unknown
CVSS Score: 6.1 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/3d12d692-231b-4e15-a119-80fd74566af4

Real Estate 7 Theme <= 3.3.4 – Unauthenticated Arbitrary Email Sending

CVE ID: CVE Unknown
CVSS Score: 5.8 (Medium)
Researcher/s: FearZzZz
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5778ba3d-6670-47ad-ae65-50b6fb8e5db0

Popup box <= 3.4.4 – Reflected Cross-Site Scripting via ‘ays_pb_tab’ Parameter

CVE ID: CVE-2023-27414
CVSS Score: 5.4 (Medium)
Researcher/s: Nguyen Xuan Chien
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/01f60df7-0602-4a00-9905-a91348811dfe

Paytium: Mollie payment forms & donations <= 4.3.7 – Missing Authorization in ‘pt_cancel_subscription’

CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/060f31ab-cfa4-4ca8-846a-de76848b28fb

Paytium: Mollie payment forms & donations <= 4.3.7 – Missing Authorization in ‘update_profile_preference’

CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2e9bee86-f491-4f68-b10b-051e0fb1a67b

HT Easy GA4 ( Google Analytics 4 ) <= 1.0.6 – Cross-Site Request Forgery via plugin_activation

CVE ID: CVE-2023-23802
CVSS Score: 5.4 (Medium)
Researcher/s: Lana Codes
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2fa2fcda-69f4-4095-b23c-6e6f1613adb0

Updraft Plus <= 1.22.24 – Cross-Site Request Forgery via updraft_ajaxrestore

CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/343cbdda-2ec5-437f-b563-96c61663314d

Daily Prayer Time <= 2023.03.08 – Cross-Site Request Forgery

CVE ID: CVE-2023-27632
CVSS Score: 5.4 (Medium)
Researcher/s: yuyudhn
Patch Status: Unpatched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/9060bb2a-b9d9-466d-bb8d-14173a51d145

Paytium: Mollie payment forms & donations <= 4.3.7 – Missing Authorization in ‘paytium_sw_save_api_keys’

CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a92beff1-3bc6-459e-aeca-5cbdf2152388

GiveWP <= 2.25.1 – Cross-Site Request Forgery via process_bulk_action

CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a9939ffe-a5d5-45cb-b673-665acf1ff09d

GiveWP <= 2.25.1 – Authenticated (Contributor+) Arbitrary Content Deletion

CVE ID: CVE-2023-23672
CVSS Score: 5.4 (Medium)
Researcher/s: Rafshanzani Suhada
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a9af1429-32c5-4907-acf4-83efc6727bb8

Mass Delete Unused Tags <= 2.0.0 – Cross-Site Request Forgery via plugin_mass_delete_unused_tags_init

CVE ID: CVE-2023-27430
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/abf4cfb9-745a-4b4f-8862-54ef561904d6

Mass Delete Taxonomies <= 3.0.0 – Cross-Site Request Forgery via mp_plugin_mass_delete_tags_init

CVE ID: CVE Unknown
CVSS Score: 5.4 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ce060989-ce70-49ac-921c-a687bc944090

Auto Prune Posts <= 1.8.0 – Cross-Site Request Forgery via admin_menu

CVE ID: CVE-2023-27423
CVSS Score: 5.4 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f15af4eb-5752-4a85-babd-cee7e89c329d

Drag and Drop Multiple File Upload PRO <= 2.10.9 – Directory Traversal

CVE ID: CVE-2023-1112
CVSS Score: 5.3 (Medium)
Researcher/s: Nicholas Ferreira
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1add47ea-6a7b-443a-b31d-3bb6c0d5d72d

Formidable Forms <= 6.0.1 – IP Spoofing via HTTP header

CVE ID: CVE-2023-0816
CVSS Score: 5.3 (Medium)
Researcher/s: Daniel Ruf
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/909b5421-210d-427a-94a0-e1ea25880cec

CMP – Coming Soon & Maintenance Plugin by NiteoThemes <= 4.1.6 – Information Exposure

CVE ID: CVE-2023-1263
CVSS Score: 5.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/e01b4259-ed8d-44a4-9771-470de45b14a8

RapidLoad Power-Up for Autoptimize <= 1.7.1 – Cross-Site Request Forgery via ‘attach_rule’

CVE ID: CVE-2023-1343
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/11f74b86-a050-4247-b310-045bf48fd4bd

RapidLoad Power-Up for Autoptimize <= 1.7.1 – Missing Authorization in ‘uucss_update_rule’

CVE ID: CVE-2023-1339
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/19f126f8-1d59-44b5-8e0e-c37f1fbedf5a

RapidLoad Power-Up for Autoptimize <= 1.7.1 – Missing Authorization in ‘attach_rule’

CVE ID: CVE-2023-1338
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/1bb55b22-a0d0-424f-8e4f-57d3f239c149

301 Redirects – Easy Redirect Manager <= 2.72 – Cross-Site Request Forgery via dismiss_notice

CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2253cb38-3688-4e4d-afd1-582c8743c89a

RapidLoad Power-Up for Autoptimize <= 1.7.1 – Cross-Site Request Forgery via ‘uucss_update_rule’

CVE ID: CVE-2023-1344
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/263153c9-61c5-4df4-803b-8d274e2a5e35

RapidLoad Power-Up for Autoptimize <= 1.7.1 – Missing Authorization in ‘clear_page_cache’

CVE ID: CVE-2023-1333
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2cba74f7-7183-4297-8f04-4818c01358ef

Clone <= 2.3.7 – Cross-Site Request Forgery via wp_ajax_tifm_save_decision

CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/314d3e0c-ba29-4795-a646-40e0acfc3405

RapidLoad Power-Up for Autoptimize <= 1.7.1 – Cross-Site Request Forgery via ‘clear_uucss_logs’

CVE ID: CVE-2023-1340
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/488e26e2-d4d7-4036-a672-53c2d4c9d39b

Popup Maker <= 1.18.0 – Cross-Site Request Forgery via init

CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/533f71d5-823d-45eb-8ecf-76afafd2a5d3

Affiliate Super Assistent <= 1.5.1 – Cross-Site Request Forgery to Settings Update and Cache Clearing

CVE ID: CVE-2023-27417
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/54dbd2f4-717c-4e01-afe4-c8cceca52650

cformsII <= 15.0.4 – Cross-Site Request Forgery leading to Settings Updates

CVE ID: CVE-2023-25449
CVSS Score: 4.3 (Medium)
Researcher/s: Rio Darmawan
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/5798de72-b589-4474-82b2-df6ef26325a3

Side Menu Lite <= 4.0 – Cross-Site Request Forgery to Item Deletion

CVE ID: CVE-2023-27418
CVSS Score: 4.3 (Medium)
Researcher/s: thiennv
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/799b1f12-05f3-4b8b-9e1f-45c676e4f2a0

Clone <= 2.3.7 – Missing Authorization via wp_ajax_tifm_save_decision

CVE ID: CVE-2023-25486
CVSS Score: 4.3 (Medium)
Researcher/s: Mika
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7b6db928-f8ff-4e78-bfc7-51f1d1ccd1fa

RapidLoad Power-Up for Autoptimize <= 1.7.1 – Cross-Site Request Forgery via ‘ucss_connect’

CVE ID: CVE-2023-1342
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/7c66894a-8d0f-4946-ae4d-bffd35f3ffb7

RapidLoad Power-Up for Autoptimize <= 1.7.1 – Missing Authorization in ‘clear_uucss_logs’

CVE ID: CVE-2023-1337
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/a52325f9-51b5-469c-865e-73a22002d46f

External Links <= 2.57 – Cross-Site Request Forgery via action_admin_action_wpel_dismiss_notice

CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/ae7d54a5-3952-4206-a5f4-be60aac27767

Paytium: Mollie payment forms & donations <= 4.3.7 – Missing Authorization in ‘check_for_verified_profiles’

CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/af55c470-b94d-49ee-8b72-44652dcccd73

RapidLoad Power-Up for Autoptimize <= 1.7.1 – Cross-Site Request Forgery via ‘clear_page_cache’

CVE ID: CVE-2023-1346
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b228f8b1-dd68-41ee-bc49-6a62e5267233

RapidLoad Power-Up for Autoptimize <= 1.7.1 – Missing Authorization in ‘ajax_deactivate’

CVE ID: CVE-2023-1336
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/b2296800-93d6-48fa-aa09-3d28fa6371d7

GiveWP <= 2.25.1 – Cross-Site Request Forgery via give_cache_flush

CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/c820003b-8f30-4557-a282-e3ad7e403062

GiveWP <= 2.25.1 – Cross-Site Request Forgery via save

CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/cb7ec7ad-797b-4a5c-9b1c-31284083faef

RapidLoad Power-Up for Autoptimize <= 1.7.1 – Cross-Site Request Forgery via ‘queue_posts’

CVE ID: CVE-2023-1345
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d16fa590-1409-4f04-b8b7-0cce17412a5f

RapidLoad Power-Up for Autoptimize <= 1.7.1 – Cross-Site Request Forgery via ‘ajax_deactivate’

CVE ID: CVE-2023-1341
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/d95b01c3-5db4-40ac-8787-0db58a9cc3a6

Paytium: Mollie payment forms & donations <= 4.3.7 – Missing Authorization in ‘paytium_notice_dismiss’

CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eb6642c0-9011-419b-bef6-5aa594993c01

RapidLoad Power-Up for Autoptimize <= 1.7.1 – Missing Authorization in ‘ucss_connect’

CVE ID: CVE-2023-1335
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/eba48c51-87d9-4e7e-b4c1-0205cd96d033

Paytium: Mollie payment forms & donations <= 4.3.7 – Missing Authorization in ‘check_mollie_account_details’

CVE ID: CVE Unknown
CVSS Score: 4.3 (Medium)
Researcher/s: Unknown
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f065648a-436a-459c-8ab1-c948c78b43c9

RapidLoad Power-Up for Autoptimize <= 1.7.1 – Missing Authorization in ‘queue_posts’

CVE ID: CVE-2023-1334
CVSS Score: 4.3 (Medium)
Researcher/s: Marco Wotschka
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/f3108ef4-f889-4ae1-b86f-cedf46dcea19

GiveWP <= 2.25.1 – Authenticated (Admin+) Server-Side Request Forgery via give_get_content_by_ajax_handler

CVE ID: CVE-2022-40312
CVSS Score: 4.1 (Medium)
Researcher/s: Rafie Muhammad
Patch Status: Patched
Vulnerability Details: https://wordfence.com/threat-intel/vulnerabilities/id/2379a029-cc0d-4fa2-9aeb-47a4abd6b51a

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (Mar 6, 2023 to Mar 12, 2023) appeared first on Wordfence.

How to Find & Fix: WordPress Pharma Hack

Mar 15, 2023 | Sucuri, WordPress Security

Finding bogus content and unexpected links for prescription drugs on your WordPress website can be a frustrating experience. But don’t blame your site: it just got caught up in a bad crowd of black hat SEO spammers and fell victim to a pharma hack.

Pharma spam occurs when bad actors inject a website with keywords for pharmaceutical products. Their end goal is to use an innocent site’s good reputation to lure traffic to a scam.

Continue reading How to Find & Fix: WordPress Pharma Hack at Sucuri Blog.

Vulnerability Patched in Cozmolabs Profile Builder Plugin – Information Disclosure Leads to Account Takeover

Mar 15, 2023 | WordFence Security, WordPress Security

Hundreds, if not thousands of WordPress plugins are conceived with the idea of making site building and maintenance easier for site owners. They add features not available in WordPress Core that would otherwise require site owners to write their own code to extend functionality. However, these well-intentioned plugins may sometimes contain seemingly innocuous bugs that can lead to catastrophic consequences.

On Tuesday, February 7th, 2023, prominent WordPress vulnerability researcher István Márton, also known as Lana Codes, reached out to the Wordfence Threat Intelligence team to responsibly disclose an information disclosure vulnerability in Cozmolabs Profile Builder, a WordPress plugin designed to enhance the user profile and registration experience with a reported 60,000+ active installations. If exploited, this vulnerability allows threat actors to gain elevated privileges by taking over arbitrary accounts.

Wordfence researchers quickly assessed the vulnerability and deployed a firewall rule to protect customers from exploitation. Premium, Care, and Response customers received that protection on February 13, 2023 as well as an additional firewall rule for extended protection on February 14, 2023. Sites still running the free version of Wordfence will receive the same protection 30 days later on March 14 and March 15, 2023, respectively.

In coordination with Márton, Cozmolabs quickly released a fix in Profile Builder version 3.9.1 on February 13, 2023, only 6 days after the vulnerability’s discovery.

Vulnerability Summary

Description: Profile Builder – User Profile & User Registration Forms <= 3.9.0 – Sensitive Information Disclosure via Shortcode
Affected Plugin: Profile Builder – User Profile & User Registration Forms
Plugin Slug: profile-builder
Affected Versions: <= 3.9.0
CVE ID: CVE-2023-0814
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Researcher/s: Lana Codes
Fully Patched Version: 3.9.1

Vulnerability Analysis

The vulnerability, assigned CVE-2023-0814, exists due to missing authorization within the wppb_toolbox_usermeta_handler() function. The affected function is defined as a callback function to the ‘user_meta’ shortcode, which is registered via the WordPress add_shortcode() function in usermeta.php.

As with all shortcode callback functions, wppb_toolbox_usermeta_handler() takes an array of attributes. In particular, the ‘user_id’ attribute is used to create a new user object. Then, the ‘key’ attribute is used in a call to ‘$user->get()’. Finally, the function returns the value of the retrieved ‘key’ for the given ‘user_id’. During this process, capability checks are not properly implemented to ensure that the user executing the function is authorized to retrieve the given ‘key’ value.

The wppb_toolbox_usermeta_handler() function creates a user object and performs a $user->get() with threat actor-supplied values.

Prerequisites

Vulnerable instances of Profile Builder need the ‘Enable Usermeta shortcode’ setting enabled within the ‘Shortcodes’ section of the ‘Advanced Settings’ tab of the plugin’s ‘Settings’ page.

‘Enable Usermeta shortcode’ setting activated

Exploitation

Information Disclosure

Any authenticated user, with subscriber-level permissions or greater, can send a specially-crafted HTTP POST request to the ‘wp-admin/admin-ajax.php’ endpoint with the ‘action’ parameter set to ‘parse-media-shortcode’ and the ‘shortcode’ parameter containing the ‘user_meta’ shortcode with the ‘user_id’ and ‘key’ attributes set.

POST to admin-ajax.php to retrieve the username of the user with a user ID of 1

As explained earlier, the value of the ‘key’ attribute is passed to a $user->get() call. Since the get() method of the WP_User class is designed to retrieve user information, any column of the ‘wp_users’ table can be passed via this attribute, including:

  • ID
  • user_login
  • user_pass
  • user_nicename
  • user_email
  • user_url
  • user_registered
  • user_activation_key
  • user_status
  • display_name

Password Reset to Privilege Escalation

The Profile Builder plugin provides the shortcode ‘[wppb-recover-password]’ to embed a password recovery form into a page on a WordPress site. The form allows users to submit their username or email address to receive an email with a password reset link containing a user activation key. When generated, this key is stored in the ‘user_activation_key’ column in the ‘wp_users’ table of the WordPress database. Using CVE-2023-0814, this key can be retrieved for any user.

First, the threat actor must generate the user activation key by entering the username or email address of the targeted user in the password recovery form and clicking the ‘Get New Password’ button.

Profile Builder password recovery form

Next, the threat actor will make a similar POST request to our previous user enumeration proof-of-concept, but this time ensuring the ‘user_id’ is set to the user ID of the username or email address entered into the password recovery form and setting the ‘key’ attribute to ‘user_activation_key’.

POST to admin-ajax.php to retrieve the user activation key for the admin account

Once the threat actor has retrieved the user activation key, they can navigate back to the password recovery form page, but this time with the ‘key’ query parameter set to the retrieved user activation key.

Password Recovery page with ‘key’ query parameter set to retrieved value

At this point, the threat actor simply needs to enter a new password and click the ‘Reset Password’ button. The threat actor will then be able to login using the targeted username and new password.

Timeline

February 7th, 2023 – Lana Codes responsibly discloses the vulnerability to the plugin vendor and our Vulnerability Disclosure program.
February 13th, 2023 – The vendor releases a patch in version 3.9.1 and Wordfence releases a firewall rule to address the vulnerability. Wordfence Premium, Care, and Response users receive this rule.
February 14th, 2023 – Wordfence releases an additional firewall rule to provide extended protection against exploitation. Wordfence Premium, Care, and Response users receive this rule.
March 14th, 2023 – Wordfence free users receive the first firewall rule.
March 15th, 2023 – Wordfence free users receive the second firewall rule.

Conclusion

In today’s post, we covered an Information Disclosure vulnerability that could lead to the takeover of an administrative account in Cozmolabs Profile Builder, a plugin used by over 60,000 WordPress installations. The Wordfence Threat Intelligence team issued a firewall rule providing protection against the vulnerability on February 13th and 14th, 2023. This rule has been protecting our Wordfence Premium, Wordfence Care, and Wordfence Response users since that date, while those still using our free version will receive this rule on March 14 and March 15, 2023.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance. If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of Profile Builder as soon as possible.

If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard.

The post Vulnerability Patched in Cozmolabs Profile Builder Plugin – Information Disclosure Leads to Account Takeover appeared first on Wordfence.

Pin It on Pinterest