Vulnerable Plugin Exploited in Spam Redirect Campaign

Some weeks ago, a critical unauthenticated privilege escalation vulnerability was discovered in old, unpatched versions of the wp-user-avatar plugin. It also allows arbitrary file uploads, which is where we have been seeing the infections start. This plugin has over 400,000 installations, so we have seen a sustained campaign to infect sites that have it installed. In this post I will review a common infection seen as a result of this vulnerability in the wp-user-avatar plugin.

Continue reading Vulnerable Plugin Exploited in Spam Redirect Campaign at Sucuri Blog.

Nulled WordPress Plugins – Dangers and Downsides

In our 2020 Threat Report, the Wordfence Threat Intelligence Team identified malware distributed via nulled, pirated, or counterfeit plugins and themes as one of the largest threats facing the WordPress ecosystem.

Many site owners are unaware of the risks associated with using nulled plugins, and in many cases, they may not even be aware that a nulled plugin is installed on their site.

During our recent investigation into the prevalence of nulled plugins, we found that over 23,000 sites are running nulled versions of the Wordfence plugin. Site owners with these installations may not be aware that their Wordfence installation is a nulled plugin, so we will be alerting these site owners to the risks and asking them to take action to protect their sites.

Wordfence is not alone. Our investigation shows that numerous popular plugins, both paid and freemium, are often nulled and redistributed, often with malware included. In order to elevate awareness of this troubling trend, we have compiled a list of frequently asked questions about nulled plugins and themes.

What is a nulled plugin?

A nulled plugin is a copy of a paid premium plugin that has been modified to provide some degree of premium functionality without paying for a license. In most cases, nulled plugins and themes fail to provide full premium functionality and often contain backdoors and other malware.

Nulled plugins usually retain the same brand name and logo as the original, creating the impression that the customer is receiving a paid version of the original plugin. However, when the customer opens a support request with the original vendor, they discover the vendor has no idea who they are.

How do I know if I’m using a nulled version of Wordfence?

If you have purchased a “lifetime license” or a copy of Wordfence Premium at a discounted price or for free from a third party and not directly through the Wordfence website, you are using a nulled version. Although the plugin dashboard may indicate that you have Wordfence Premium activated, these installations do not include a valid license key needed to activate premium features and are not fully functional.

Sites running a nulled copy of Wordfence are still only receiving freely available signatures and firewall rules, which are delayed by 30 days, and these sites do not receive the real-time data that Wordfence Premium receives. Additionally, sites using nulled Wordfence plugins do not have access to the Real-Time IP Blocklist.

What are some of the risks of using nulled plugins and themes?

Nulled plugins and themes frequently contain backdoors and other malware that are used to distribute SEO spam, perform attacks on other websites, steal sensitive information, and redirect site visitors to malvertising websites, all of which can put your site visitors at risk and ruin your website's reputation.

Many nulled plugins and themes also inject hidden administrator users into your site’s database, effectively allowing malicious actors to take over control of your WordPress site. In reviewing the terms of service for nulled plugin distribution sites, several include provisions stating that, by downloading and installing one of their nulled plugins, you agree to let them modify your site whenever they want.

Although nulled versions of the Wordfence plugin might not include malware, we’ve found that sites running a nulled version of Wordfence are more than twice as likely to have unrelated infections compared to the average site running the free version of Wordfence.

Do all nulled plugins contain malware?

No. In fact, we’ve seen a recent shift away from malware distribution and towards subscriptions and paid downloads as a primary business model on websites that offer nulled WordPress plugins and themes.

Despite this fact, malware is still extremely prevalent in nulled plugins and themes distributed for free via forums and social media groups, and infections from nulled plugins and themes are still incredibly common.

Bear in mind that, by installing a nulled plugin, you are effectively giving that plugin complete control over your website. While this is true of any software, plugins and themes distributed via the WordPress directory are vetted for malicious code, while those distributed by nulled sites, on forums, and in social media groups are not.

Regardless of whether they contain malware, the vast majority of nulled plugins and themes fail to deliver the premium features they appear to provide, and may actually offer reduced functionality compared to legitimate versions freely available on the WordPress plugin directory.

What about discounted plugins?

We’re seeing an increasing number of nulled plugins being distributed via “discount” sites that charge a monthly subscription fee, or that offer “premium” versions of plugins for a reduced price. While these plugins and themes are less likely to contain malware than nulled software offered for “free”, they still do not offer full premium features, and in many cases are simply repackaged or slightly modified versions of code that is freely available on the WordPress directory.

Many premium plugins, including Wordfence Premium, include SaaS (Software as a Service) functionality. This means that the most critical Wordfence Premium features, including the Real-Time IP Blocklist, immediate firewall rule updates, and up-to-date malware signatures, cannot be made available to a nulled plugin since they rely on having a valid Wordfence license that authorizes Wordfence to send the latest data to your site.

It is trivial to modify the code of most plugins so that they appear to be fully licensed, but these modifications rarely unlock the full functionality of a plugin and can have real negative impacts while providing a false sense of security.

What about free versions of GPL-Licensed premium plugins?

The GPL (General Public License) license allows other developers to fork a plugin, modify the code and redistribute it to others under the same terms. Trouble arises when a plugin is forked and the new developer doesn’t change the name or logo. Customers think they’re getting the same plugin from the same source, but that is not the case, and it violates the original developer’s trademark on their name and logo.

Another issue arises when the redistributable code is licensed under GPL, but the plugin contains Software as a Service (SaaS) technology that is proprietary. Wordfence is an example of this, where the Wordfence plugin receives proprietary data from our servers and those servers also contain proprietary code that performs additional computation. Accessing this data and capability requires a paid license. It is not possible to redistribute a plugin that contains this functionality without purchasing a Wordfence license from us. Buying a nulled Wordfence plugin results in a customer paying for the plugin and getting the free version of Wordfence.

The GPL is truly amazing because it helps foster innovation by making code available to others for reuse. It also allows the examination of source code by others, like security researchers, which helps us identify vulnerabilities and make the web safer. But abusing it to pretend that you are someone you are not while omitting functionality that a customer expects to get, is not what the GPL was intended for.

Can I get support for nulled plugins and themes?

Plugin and theme publishers that offer support to their paid customers will not provide support to customers who did not pay them and paid another vendor instead. This can leave customers confused when they open a support ticket and the vendor has no idea who the customer is.

Additionally, the unpredictable and frequently malicious modifications made to nulled plugins make them impossible to support even for publishers that offer support to their free users.

What should I do if I have a nulled plugin or theme installed?

If you find that you have a nulled plugin or theme installed, we recommend deleting it immediately. Then, we recommend scanning your site with Wordfence, either the free version available on the WordPress plugin directory, or Wordfence Premium, which provides additional functionality that is unlocked by entering a license key into the free version, rather than via a separate download.

We also recommend checking your database for unauthorized administrator users, since these are frequently added by nulled plugins and themes and can be hidden from other administrators. If you are not comfortable cleaning your own site, or if it continues to show symptoms of infection even after you have removed any nulled plugins or themes, the Wordfence Site Cleaning team will be happy to help.
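As an added example of the database check recommended above (this is not Wordfence's own tooling), the following Python script lists administrator accounts directly from the wp_users and wp_usermeta tables, so an account that a plugin hides from the wp-admin user list still shows up, and compares the result with the logins the site owner expects. It assumes the default wp_ table prefix and stands in an in-memory sqlite3 copy of the two tables, filled with constructed rows, for the real MySQL database.

```python
"""List administrator accounts straight from the WordPress database.

Added example. Assumptions: default "wp_" table prefix, and an in-memory
sqlite3 database with the wp_users / wp_usermeta columns the query needs,
standing in for MySQL. The SQL itself is standard and runs unchanged on
MySQL (swap the "?" placeholder for "%s" with MySQL client libraries).
"""
import re
import sqlite3

# Roles are stored per user as a PHP-serialized array under
# "<prefix>capabilities", e.g. a:1:{s:13:"administrator";b:1;}
CAP_KEY = "wp_capabilities"

ADMIN_QUERY = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered, m.meta_value
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = ? AND m.meta_value LIKE '%"administrator"%'
ORDER BY u.ID
"""

def has_admin_role(serialized_caps):
    """True only if the serialized array really grants administrator => true
    (the LIKE filter above is a coarse pre-filter; this confirms it)."""
    return re.search(r's:13:"administrator";b:1;', serialized_caps) is not None

def list_admins(conn, cap_key=CAP_KEY):
    """(ID, login, email) for every account holding the administrator role."""
    rows = conn.execute(ADMIN_QUERY, (cap_key,)).fetchall()
    return [(r[0], r[1], r[2]) for r in rows if has_admin_role(r[4])]

def unexpected_admins(conn, known_logins, cap_key=CAP_KEY):
    """Administrators whose login is not in the owner's expected set."""
    return [a for a in list_admins(conn, cap_key) if a[1] not in known_logins]

def build_sample_db():
    """Constructed sample data: one legitimate admin, one editor, and one
    injected admin with a generic-looking name (all rows are made up)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
    CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                           user_email TEXT, user_registered TEXT);
    CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                              meta_key TEXT, meta_value TEXT);
    INSERT INTO wp_users VALUES (1, 'owner', 'owner@example.com', '2019-03-01 09:00:00');
    INSERT INTO wp_users VALUES (2, 'editor', 'editor@example.com', '2020-06-12 14:20:00');
    INSERT INTO wp_users VALUES (3, 'wp_support', 'x@example.net', '2021-07-02 03:14:07');
    INSERT INTO wp_usermeta VALUES (1, 1, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    INSERT INTO wp_usermeta VALUES (2, 2, 'wp_capabilities', 'a:1:{s:6:"editor";b:1;}');
    INSERT INTO wp_usermeta VALUES (3, 3, 'wp_capabilities', 'a:1:{s:13:"administrator";b:1;}');
    """)
    return conn

if __name__ == "__main__":
    db = build_sample_db()
    for uid, login, email in unexpected_admins(db, known_logins={"owner"}):
        print(f"unexpected administrator: id={uid} login={login} email={email}")
```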

Conclusion

In today’s article, we covered some frequently asked questions about nulled WordPress plugins and themes, including some of the risks involved, common misunderstandings, and what to do if you have a nulled plugin or theme installed on your site.

Using nulled plugins always has a cost, whether it’s the trust of your users when your site is hacked, or simply the monetary cost of a discounted copy that fails to deliver on its promises.

At Wordfence, we work hard to make sure that even the free version of Wordfence provides best-in-class protection for WordPress sites. We’d like to thank all of our Premium users for making this possible and for helping to protect the WordPress community as a whole with their support.

The post Nulled WordPress Plugins – Dangers and Downsides appeared first on Wordfence.

Episode 125: Critical SQL Injection Vulnerability Patched in WooCommerce

A critical SQL injection vulnerability was discovered in WooCommerce, the most popular e-Commerce plugin used by over 5 million WordPress sites. The WordPress.org team pushed a forced security update ensuring that over 90 versions of WooCommerce were patched. The REvil ransomware gang targeted a zero-day vulnerability in Kaseya, used by many in the banking industry, before going dark. A new SolarWinds zero-day was found in their Serv-U FTP platform. WordPress 5.8 will be released next week with many new features, as well as removing support for Internet Explorer 11. Microsoft released a number of patches, including those patching 3 zero-day vulnerabilities.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:14 Critical SQL Injection Vulnerability Patched in WooCommerce, WooCommerce announcement
5:50 Kaseya Patches Zero-Days Used in REvil Attacks
9:14 SolarWinds patches critical Serv-U vulnerability exploited in the wild
10:33 WordPress 5.8 release next week
12:22 Microsoft Crushed 116 Bugs
15:00 Defiant is hiring

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.


Episode 125 Transcript

Ram:
Welcome to Think Like A Hacker, the podcast about WordPress, security, and innovation. I’m Ram Gall, Threat Analyst at Wordfence. And with me is Director of Marketing, Kathy Zant. How are you, Kathy?

Kathy:
I am doing very well, Ram. We’ve had a busy couple of days, hey?

Ram:
Why, yes we have. So the first thing on our list is a critical unauthenticated SQL injection vulnerability in WooCommerce, which you actually tipped me off to, because you apparently monitor the secret, dark hacking web of scum and villainy known as Twitter.

Kathy:
That’s it. Exactly. Hey hackers, black-hat hackers, any hackers, I’m watching you. If you have the intel on all of the vulnerabilities in WordPress, and you’re talking about it, I’m on it. And I’m alerting Ram and Chloe, and we are right behind you.

Ram:
The guy who actually found it was not a black-hat hacker in this case. He responsibly disclosed it to Automattic, but Kathy caught wind of it a few hours ahead of time. So I started looking through our logs and through the WooCommerce code base. WooCommerce is kind of enormous, but-

Kathy:
It is enormous. Well, it’s doing a lot, right?

Ram:
Yeah. Well, I didn’t find it until the patch dropped, but hey, all that time poring over WooCommerce made it a lot faster for me to actually figure out a proof of concept once the patch dropped. So…

Kathy:
Excellent. Great. So tell me about what vulnerability was actually found. This was unauthenticated SQL injection vulnerability, which means unauthenticated means anyone could exploit this on a vulnerable site and SQL injection has to do with the database. So what exactly did you find once we identified this vulnerability?

Ram:
Well, I found a time-based blind and a Boolean based blind SQL injection. At least that’s what I was able to make proofs of concept for. The bad news is that you can use this to extract anything you want from a site’s database, even if you’re not logged in, even if you’re just a visitor.

Kathy:
Okay. Okay. Okay. So the database includes any user password, correct? So it’s obviously salted, but you can get usernames, you could get personally identifiable information about the customers that are buying things off of that WooCommerce storefront. You could get user passwords, all sorts of fun things, couldn’t you?

Ram:
Oh yes. Yes. There’s a lot of sensitive information and personally identifiable information in a website database, especially if it’s an e-commerce storefront. So yeah, this could have been really bad, but we did manage to get a firewall rule deployed to our customers within a few hours. We also figured out that there is more than one way to do this. So we actually had to make a new firewall rule the next day, which is today, the day we’re recording. Push that out as well.

Ram:
And it looks like WooCommerce also took some drastic action. We’ve discussed how, in the past, WordPress can force auto updates. In this case, I think it was completely warranted. I think it was the right decision. WooCommerce is installed on more than 5 million sites, and they basically backported this one patch that wouldn’t really break anything to all the minor versions so that you auto update just to the next minor version up. So if you were on 5.3, you’d get updated to 5.3.1. If you were on like 4.3, you get updated to 4.3.1. The reason for that is that way that you could get patched without breaking compatibility, which is really cool.

Kathy:
Right. That was great that they did that. It looked like from their announcement that there were 90 vulnerable versions of WooCommerce that they patched. And it was great to see. I’m always a little concerned with auto updating and pushing out auto updates, but with a vulnerability of this level, and given the types of transactions that are taking place on WooCommerce sites, completely and totally warranted to push out a fix in order to ensure everybody is protected as soon as possible. But of course, our Wordfence Premium customers get some additional protection with the firewall rules that we put together. You said that we’re already starting to see some malicious actors poking around, looking for vulnerable sites?

Ram:
Yes. It’s not a lot of actors yet. Just a few IPs so far, but we are actually seeing functional attacks, attacks that would, at the very least, count as a valid proof of concept from these attackers. So someone’s at least figured out the basics of how to do this.

Kathy:
Okay. Okay. And we’ll probably start seeing a lot of copycat attacks in the days to come?

Ram:
Yes. Yes. I would expect that. I don’t expect it to be exploited on a large scale for a while just because it’s not a super complicated vulnerability, but it’s a little bit tricky to take it from patch to proof of concept. And again, it’s also a little tricky to take it from proof of concept to automated attack.

Kathy:
Okay. Understood. All right. So no matter when you’re listening, you might be listening to this and it’s a couple of days after we’ve recorded. This means you have some time to make sure that your site is updated. We’ll have a link to WooCommerce’s security advisory that they put out. And on that list, they actually detail out every single version of WooCommerce that was updated. It would make sense, if you haven’t logged into your WooCommerce site recently, it’s time to log in and make sure that you’re updated. It’s just something to double check. If you do think that your site has been compromised, say you’re listening to this a few months in the future, we do have some indications of compromise on that blog post that we pulled together that might be helpful for you to look for in your log files. So definitely take a look at both WooCommerce’s security advisory, as well as the post our threat intel team led by Ram on this particular case, that they put together in order to basically get the word out about what could possibly happen going forward. What do we have up next?

Ram:
We actually missed this last week because we didn’t run a podcast for the holiday, so we didn’t end up covering the massive REvil attack on Kaseya.

Kathy:
Right. That was crazy. It hit right before the 4th of July holiday weekend. REvil, who we’ve talked about a number of times on this podcast, a Russian based ransomware gang… Should we call them a gang?

Ram:
They are a gang. If this is not the first time they’ve pulled off something like this, hitting a big target right before a holiday. Yeah.

Kathy:
One of their favorite timeframes, I guess. And so now what exactly is Kaseya and how prevalent is it used by enterprises?

Ram:
So Kaseya is a managed service provider and they offer a virtual system or a virtual server administrator platform, actually a lot like SolarWinds. They use it to monitor network traffic, configure and lockdown systems. So there’s a little bit more emphasis on the configuration and locking down, though it does also do network monitoring and it’s used by a lot of banks and credit unions. So this has a lot of supply chain attack potential. There’s a lot of potential downstream consequences for this.

Kathy:
I see. Interesting. Now, since this attack started, some odd things have happened with REvil?

Ram:
Their site went down not only their public website, but their onion site on the dark web also went down where they actually collect ransoms and do business with other malicious operators. This might or might not be related to the Biden administration’s rewards of up to $10 million for information leading to the identification of malicious cyber activity. So they might’ve just done a rebrand or they might’ve been hacked back. Either is basically a speculation at this point.

Kathy:
Sure, sure. That’s understood. But yeah, it looks like the Biden administration is getting serious about ransomware and some of these large scale attacks, I think just because of the dollar values that are being bandied about. Millions and millions of dollars are being requested by these ransomware gangs. And it’s having definite effects on life as we know it in the United States, gas stations being closed because there’s no gasoline to put into the pumps, tons of effects here. So it should be interesting. Obviously, we’re in a state where we have malicious actors who are making money at ransomware. And so law enforcement and government officials are stepping up their defenses. So this will definitely be interesting to continue watching. Do you have any bets on what REvil might rebrand to?

Ram:
Not really, but I really hope that it’s less confusing to pronounce. I’m still not sure if it’s REvil or R-evil, but if two months down the line some new ransomware gang called Weevil comes out, I’ll be like, “I know who you are.”

Kathy:
Exactly. Exactly. Okay. Well, we’ll keep you posted if we figure out what the rebrand is. Maybe we’ll do like a brand evaluation, see how well they’re doing on to stay on brand.

Ram:
Yeah. Exactly. We don’t want brand dilution. There’ll be like a bunch of REvil knockoffs. There’ll be Weevil and BEvil and…

Kathy:
Exactly. Well, hackers are definitely creative, even if they are on the malicious side of things. So it looks like SolarWinds has a zero-day that has just been patched, right?

Ram:
A new zero-day in a SolarWinds product. This time, the Serv-U FTP, which is basically just an FTP server that’s specialized for securely transferring larger files, since FTP can totally do that. But it’s not necessarily set up for that. It looks like a single threat actor was exploiting this. And according to Microsoft, who’s been researching this, it was a Chinese APT or advanced persistent threat.

Kathy:
Oh, interesting.

Ram:
Don’t have that much more info about it, but it looks like this was only vulnerable if the SSH service was enabled on the Serv-U FTP server. So…

Kathy:
Got you. Okay.

Ram:
Yeah.

Kathy:
Well still, I mean, these are kind of scary vulnerabilities to have an FTP service that is vulnerable because once somebody has access to FTP, you can put any file on a server. You can put malware, you can put backdoors, all sorts of things. You basically get control of that server, at least for that particular user on that server, correct?

Ram:
Yeah. And it looks like they were able to actually execute code on the server so that would have likely allowed them to completely take it over. Actually it does look like that was the case. So, yeah.

Kathy:
Interesting. Okay, cool. Well, in better news, it looks like next week, we’re going to get a new version of WordPress. What’s happening?

Ram:
Well, I’m actually kind of excited about this. For one thing, there are media library changes, template editor changes. Gutenberg is continuing to get better, or less bad. Actually. I think at this point it actually counts as getting better. I think we reached the less bad point a little while back and now it’s actually pretty cool. I like it. But there’s something that I’m actually pretty excited about and that’s no more support for Internet Explorer 11.

Kathy:
Oh my gosh. The angels sing.

Ram:
And there’s going to be a bunch of quality of life tweaks. Oh, there’s also going to be some things that will improve core web vitals.

Kathy:
Oh, excellent.

Ram:
It looks like it’s automatically doing source set for images, so that should improve your cumulative layout shifts.

Kathy:
Nice.

Ram:
And you can also sepia tone or do some other kind of duotone for your cat photos, which I will potentially be demonstrating in a future Wordfence Live episode.

Kathy:
Exciting. Does it only work for cat photos or could I do it for my dog?

Ram:
You could do it for your dog. You’re not allowed to use sepia tone though.

Kathy:
Oh. Oh, well sad. Well, he’s a golden retriever. He’s already kind of in that realm anyway.

Ram:
Exactly. If you use sepia tone on him, he’d basically just disappear into the background.

Kathy:
Yes, exactly. Awesome. Well, it looks like this is going to be a great update for WordPress 5.8. It’s definitely leading us further along that path of full-site editing, which core team has dedicated this year to making happen. And I’m very excited about that. I think this is going to really solidify WordPress as the platform of choice for websites, and that’s a good thing. I’m excited about it. It looks like Microsoft is crushing bugs left and right. What do we see with this?

Ram:
Microsoft smash! So I guess there were three zero-days in Windows that they just patched on Patch Tuesday, including it looks like an extra patch for that PrintNightmare vulnerability, which I guess took a few patches to really completely tank. So yeah, it’s not your imagination. There have been a lot of zero-days this year or a lot of impactful zero-days this year. Google’s Project Zero, which tracks… Well, they’re not really tracking WordPress zero-days, but they’re tracking impactful zero-days in browsers and Android and Windows and OSX. They found that there’s been 33 zero-days exploited in the wild just so far this year. And there were only 22 exploited in the wild for all of 2020. So yeah. It’s not your imagination that whole thing we were joking about how there’s a Chrome zero-day every other week, yeah, it’s kind of-

Kathy:
There really is. Yeah. Yeah. So I think there’s a lot of security research that’s happening. There’s a lot of, obviously, malicious attacks that are happening. But I think the great thing is that more and more people, not just in the WordPress community, but the world as a whole, is becoming much more aware of what is happening with security online. And people are taking it to heart. I’m having more and more people ask me the question. Obviously this is very anecdotal and I didn’t really research this, but more and more people are asking me questions about what do I need to do about my own personal security? Because they’re seeing the ransomware, they’re seeing all of these attacks that are happening. They’re hearing about Chrome zero-days. So security education is becoming forefront for a lot of people. And I’m actually excited about what’s happening in the security landscape. What about you?

Ram:
I mean, I definitely am. I feel like awareness is definitely at an all-time high. My mom texts me security articles now, and I don’t think she quite gets what’s going on for a lot of them, but yeah, it’s pretty cool. There’s more people interested and more people aware than there ever have been.

Kathy:
You’re actually becoming a hero instead of the security nerd, right? But we’re still security nerds.

Ram:
We are always going to be security nerds.

Kathy:
Always, always, always going to have a little bit of tinfoil hat going on, especially after some of the things we’ve seen. But we’re heartened to have more and more people who are elevating their security knowledge. It’s really great to see.

Kathy:
I’d like to talk a little bit about some of the open positions that we have here at Defiant. We’re hiring for a number of positions, including Senior Researcher for Website Performance related to our FastOrSlow website performance profiler, QA Engineer. We have a Senior Operations and Security Engineer position open, and we’re looking for a number of Senior PHP developers. And that particular role has some additional benefits to it in terms of a signing bonus. We’ll have a link to our employment page in our show notes. On that employment page, our CEO, Mark Maunder, actually wrote up a little piece that I’d recommend that you read as well. He kind of wrote up a document that basically talks about what makes Defiant different. What makes Defiant work, what makes Defiant a great place to work. And he goes over all of the things that make this remote-first organization really do what we do and do what we do best.

Kathy:
And I really recommend reading it because it’s not just about “you get to work from home.” It’s about sort of this corporate culture that we have, where everyone in this organization is working together, actualizing their own potential towards a greater good and towards a greater mission of helping secure WordPress and serving our customers. So, anyway, I’m not going to put words into Mark’s mouth. He’s got enough words on that page that you can read, and it’s really a good read. So definitely take a look at that. And if any of these positions look interesting to you, we would love to talk to you. And send us your resume.

Ram:
Yeah. I will say that you get to work with some really amazing people here. So that’s one of the things that is best about working here is the people I get to work with every day.

Kathy:
Yeah. The people here are one of a kind and it is a great place to work. So definitely take a look at that. We’d love to invite you into the fold, into the team. Anyway, that’s all I’ve got this week. Ram?

Ram:
That’s all I’ve got. Thanks for listening.

Kathy:
Thanks for listening. And we’d love to hear from you. Hey, go follow Ram on Twitter and say thanks to him for his hard work on this WooCommerce post because-

Ram:
And send me cat pictures.

Kathy:
Cat pictures.

Ram:
And then I will sepia tone them on WordPress.

Kathy:
Excellent. Perfect. We’ll leave it there. Thanks for listening.

Ram:
Bye.

Kathy:
Bye.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.

The post Episode 125: Critical SQL Injection Vulnerability Patched in WooCommerce appeared first on Wordfence.

Critical SQL Injection Vulnerability Patched in WooCommerce

Update: The article originally credited Tommy DeVoss (dawgyg) for the discovery. We’ve since been contacted by Tommy, who let us know that the credit should go to another researcher, Josh from DOS (Development Operations Security).

On July 14, 2021, WooCommerce released an emergency patch for a SQL injection vulnerability reported by a security researcher, Josh from DOS (Development Operations Security), based in Richmond, Virginia. This vulnerability allowed unauthenticated attackers to access arbitrary data in an online store’s database.

WooCommerce is the leading e-Commerce platform for WordPress and is installed on over 5 million websites. Additionally, the WooCommerce Blocks feature plugin, installed on over 200,000 sites, was affected by the vulnerability and was patched at the same time.

The Wordfence Threat Intelligence team was able to develop proofs of concept for time-based and boolean-based blind injections and released an initial firewall rule to our Premium customers within hours of the patch. We released an additional firewall rule to cover a separate variant of the same attack the next day, on July 15, 2021.

Sites still running the free version of Wordfence will receive the same protection after 30 days, on August 13 and August 14, 2021.

We strongly recommend updating to a patched version of WooCommerce immediately if you have not been updated automatically, as this will provide the best possible protection.

The vulnerability affects versions 3.3 to 5.5 of the WooCommerce plugin and versions 2.5 to 5.5 of the WooCommerce Blocks plugin.

WooCommerce Responded Immediately

In the announcement by WooCommerce, Beau Lebens, the Head of Engineering for WooCommerce stated, “Upon learning about the issue, our team immediately conducted a thorough investigation, audited all related codebases, and created a patch fix for every impacted version (90+ releases) which was deployed automatically to vulnerable stores.”

Due to the critical nature of the vulnerability, the WordPress.org team is pushing forced automatic updates to vulnerable WordPress installations using these plugins. Store owners using older versions can update to the latest version in their branch. For example, if your storefront is using WooCommerce version 5.3, you can update to version 5.3.1 to minimize the risk of compatibility issues. Within the security announcement from WooCommerce, there is a table detailing the 90 patched versions of WooCommerce. Additionally, WooCommerce has a helpful guide for WooCommerce updates.

Has This Been Exploited in the Wild?

While the original researcher has indicated that this vulnerability has been exploited in the wild, Wordfence Threat Intelligence has found extremely limited evidence of these attempts and it is likely that such attempts were highly targeted.

If you think you have been exploited due to this vulnerability, the WooCommerce team is recommending administrative password resets after updating to provide additional protection. If you do believe that your site may have been affected, a review of your log files may show indications.

Look for any requests to /wp-json/wc/store/products/collection-data or ?rest_route=/wc/store/products/collection-data in your log files that appear to contain SQL statements. Query strings which include %2525 are also an indicator that this vulnerability may have been exploited on your site.
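As an added illustration of the log review just described (not code from Wordfence or WooCommerce), the following Python script scans combined-format access log lines for the indicators named above: requests that reach the collection-data route through either URL form and carry SQL keywords, and the double-encoding marker %2525. The log format, the keyword list and the sample lines are assumptions constructed for the example.

```python
"""Scan web-server access logs for the WooCommerce collection-data
indicators described above. Added example; assumes Apache/nginx
"combined" log format (assumption) and a small SQL keyword list."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample log lines (not real traffic). Line 1 is a normal
# store request, lines 2-3 carry the indicators, line 4 hits another
# endpoint and must not be flagged even though it contains "select".
SAMPLE_LOG = """\
203.0.113.5 - - [14/Jul/2021:10:00:01 +0000] "GET /wp-json/wc/store/products/collection-data?calculate_price_range=true HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.77 - - [15/Jul/2021:02:13:44 +0000] "GET /wp-json/wc/store/products/collection-data?x=%2525SELECT%2525 HTTP/1.1" 200 61 "-" "python-requests/2.25"
198.51.100.77 - - [15/Jul/2021:02:13:49 +0000] "GET /index.php?rest_route=%2Fwc%2Fstore%2Fproducts%2Fcollection-data&x=1%20UNION%20SELECT%201 HTTP/1.1" 200 61 "-" "python-requests/2.25"
203.0.113.9 - - [15/Jul/2021:03:00:00 +0000] "GET /wp-json/wp/v2/posts?search=select HTTP/1.1" 200 900 "-" "Mozilla/5.0"
"""

# Combined log format: ip ident user [timestamp] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Vulnerable route, reachable as /wp-json<route> or as ?rest_route=<route>.
VULN_ROUTE = "/wc/store/products/collection-data"

# Deliberately narrow keyword list to keep false positives low (assumption).
SQL_TOKENS = re.compile(r"\b(select|union|sleep|benchmark|information_schema)\b", re.I)

def targets_collection_data(target):
    """True if the request target reaches the collection-data route by either URL form."""
    parts = urlsplit(target)
    if VULN_ROUTE in parts.path:
        return True
    # parse_qs percent-decodes values, so %2Fwc%2F... compares equal to /wc/...
    return any(VULN_ROUTE in route for route in parse_qs(parts.query).get("rest_route", []))

def classify(line):
    """Return a finding dict for a suspicious line, or None."""
    m = LOG_RE.match(line)
    if not m or not targets_collection_data(m.group("target")):
        return None
    target = m.group("target")
    reasons = []
    if "%2525" in target.upper():
        reasons.append("double-encoded query string (%2525)")
    # Decode twice so keywords hidden behind %25xx sequences are still seen.
    if SQL_TOKENS.search(unquote(unquote(target))):
        reasons.append("SQL keyword in request")
    if not reasons:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "target": target, "reasons": reasons}

def scan(lines):
    """All suspicious findings, in log order."""
    return [hit for hit in map(classify, lines) if hit]

def suspicious_ips(lines):
    """Distinct source IPs behind the findings, sorted (useful for blocklists)."""
    return sorted({hit["ip"] for hit in scan(lines)})

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG.splitlines()):
        print(hit["time"], hit["ip"], "; ".join(hit["reasons"]))
```

Run it against a real log with `scan(open("access.log").readlines())`; a hit only says the request resembles the pattern, so confirm it against the plugin version that was installed at the time.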

Update: We’re starting to see attack data trickle in. So far, all of the attacks are coming from just a few IP addresses:

107.173.148.66
84.17.37.76
122.161.49.71

Additionally, it appears that UNION-based SQL injection may be possible with this vulnerability, meaning that an attacker could retrieve information from the database much more quickly than is possible with blind injection.

Improving Security of the WordPress Ecosystem

Sites with e-Commerce functionality are a high-value target for many attackers, so it is critical that vulnerabilities in e-Commerce platforms are addressed promptly to minimize the potential damage that can be caused. With the growth of both WordPress and WooCommerce, more security researchers have turned their attention to WordPress-related products. The rapid and deep response that the WooCommerce team performed in protecting WooCommerce users is a great sign for the ongoing security of e-Commerce in the open source WordPress ecosystem.

The post Critical SQL Injection Vulnerability Patched in WooCommerce appeared first on Wordfence.

An Overview of Basic WordPress Hardening

We have discussed in the past how out-of-the-box security configurations tend to not be very secure. This is usually true for all software and WordPress is no exception.

While there are a plethora of different ways that site owners can lock down their website, in this post we are going to review the most basic hardening mechanisms that WordPress website owners can employ to improve their security. We will also review the pros and cons of these different tactics.

Continue reading An Overview of Basic WordPress Hardening at Sucuri Blog.
