Last week, there were 107 vulnerabilities disclosed in 89 WordPress Plugins and 5 WordPress themes that have been added to the Wordfence Intelligence Vulnerability Database, and there were 36 Vulnerability Researchers that contributed to WordPress Security last week. Review those vulnerabilities in this report now to ensure your site is not affected.

Our mission with Wordfence Intelligence is to make valuable vulnerability information easily accessible to everyone, like the WordPress community, so individuals and organizations alike can utilize that data to make the internet more secure. That is why the Wordfence Intelligence user interface, vulnerability API and webhook notifications are completely free to access and utilize both personally and commercially, and why we are running this weekly vulnerability report.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

---

New Firewall Rules Deployed Last Week

The Wordfence Threat Intelligence Team reviews each vulnerability to determine impact and severity, along with assessing the likelihood of exploitation, to verify that the Wordfence Firewall provides sufficient protection.

The team rolled out enhanced protection via firewall rules for the following vulnerabilities in real-time to our Premium, Care, and Response customers last week:

• Form Maker by 10Web <= 1.15.19 – Unauthenticated Arbitrary File Upload
• Media Library Assistant <= 3.09 – Unauthenticated Local/Remote File Inclusion & Remote Code Execution

Wordfence Premium, Care, and Response customers received this protection immediately, while users still running the free version of Wordfence will receive this enhanced protection after a 30 day delay.

---

Total Unpatched & Patched Vulnerabilities Last Week

Patch Status	Number of Vulnerabilities
Unpatched	44
Patched	63

---

Total Vulnerabilities by CVSS Severity Last Week

Severity Rating	Number of Vulnerabilities
Low Severity	2
Medium Severity	89
High Severity	11
Critical Severity	5

---

Total Vulnerabilities by CWE Type Last Week

Vulnerability Type by CWE	Number of Vulnerabilities
Improper Neutralization of Input During Web Page Generation (‘Cross-site Scripting’)	35
Cross-Site Request Forgery (CSRF)	31
Missing Authorization	24
Unrestricted Upload of File with Dangerous Type	3
Authorization Bypass Through User-Controlled Key	2
Deserialization of Untrusted Data	2
Improper Neutralization of Special Elements used in an SQL Command (‘SQL Injection’)	2
External Control of File Name or Path	1
Improper Input Validation	1
Server-Side Request Forgery (SSRF)	1
Improper Privilege Management	1
Improper Neutralization of Formula Elements in a CSV File	1
Improper Encoding or Escaping of Output	1
Information Exposure	1
Improper Authorization	1

---

Researchers That Contributed to WordPress Security Last Week

Researcher Name	Number of Vulnerabilities
Rio Darmawan	11
Mika	10
Abdi Pranata	10
Rafshanzani Suhada	7
thiennv	5
yuyudhn	4
Rafie Muhammad	4
LEE SE HYOUNG	3
Le Ngoc Anh	3
NGÔ THIÊN AN	3
Nguyen Xuan Chien	3
Marco Wotschka (Wordfence Vulnerability Researcher)	2
Revan Arifio	2
Lana Codes (Wordfence Vulnerability Researcher)	2
Skalucy	2
Elliot	2
FearZzZz	2
qilin_99	2
Pepitoh	1
Shuning Xu	1
deokhunKim	1
DoYeon Park	1
spacecroupier	1
Nguyen Anh Tien	1
Debangshu Kundu	1
Arpeet Rathi	1
Ravi Dharmawan	1
Theodoros Malachias	1
Alexander Concha	1
Pedro José Navas Pérez	1
Alex Sanford	1
emad	1
Emili Castells	1
Pavitra Tiwari	1
Alex Concha	1
László Radnai	1

 

Are you a security researcher who would like to be featured in our weekly vulnerability report? You can responsibly disclose your WordPress vulnerability discoveries to us and obtain a CVE ID through this form. Responsibly disclosing your vulnerability discoveries to us will also get your name added on the Wordfence Intelligence leaderboard along with being mentioned in our weekly vulnerability report.

---

WordPress Plugins with Reported Vulnerabilities Last Week

Software Name	Software Slug
AcyMailing – Newsletter & mailing automation for WordPress	acymailing
All in One B2B for WooCommerce	all-in-one-b2b-for-woocommerce
Analytify – Google Analytics Dashboard For WordPress (GA4 made easy)	wp-analytify
Auto Amazon Links – Amazon Associates Affiliate Plugin	amazon-auto-links
Automatic YouTube Gallery	automatic-youtube-gallery
Back To The Top Button	back-to-the-top-button
BackupBliss – Backup Migration Staging	backup-backup
BitPay Checkout for WooCommerce	bitpay-checkout-for-woocommerce
Bulk NoIndex & NoFollow Toolkit	bulk-noindex-nofollow-toolkit-by-mad-fish
CP Blocks	cp-blocks
Carousel Slider	carousel-slider
Click To Tweet	click-to-tweet
Contact Form Plugin – Fastest Contact Form Builder Plugin for WordPress by Fluent Forms	fluentform
Cookie Notice & Consent	cookie-notice-consent
Customizable WordPress Gallery Plugin – Modula Image Gallery	modula-best-grid-gallery
Directorist – WordPress Business Directory Plugin with Classified Ads Listings	directorist
Duplicate Post Page Menu & Custom Post Type	duplicate-post-page-menu-custom-post-type
EWWW Image Optimizer	ewww-image-optimizer
Easy Form by AYS	easy-form
Easy WP Cleaner	easy-wp-cleaner
Email posts to subscribers	email-posts-to-subscribers
EmbedPress – Embed PDF, YouTube, Google Docs, Vimeo, Wistia Videos, Audios, Maps & Any Documents in Gutenberg & Elementor	embedpress
Export Import Menus	export-import-menus
Form Maker by 10Web – Mobile-Friendly Drag & Drop Contact Form Builder	form-maker
Goods Catalog	goods-catalog
Hide admin notices – Admin Notification Center	wp-admin-notification-center
Insert Estimated Reading Time	insert-estimated-reading-time
Laposta Signup Basic	laposta-signup-basic
Laposta Signup Embed	laposta-signup-embed
Leadster	leadster-marketing-conversacional
Live News	live-news-lite
Locations	locations
MailMunch – Grow your Email List	mailmunch
Media Library Assistant	media-library-assistant
My Account Page Editor	my-account-page-editor
MyCryptoCheckout – Bitcoin, Ethereum, and 100+ altcoins for WooCommerce	mycryptocheckout
Notice Bar	notice-bar
Order Delivery Date for WP e-Commerce	order-delivery-date
Outbound Link Manager	outbound-link-manager
POEditor	poeditor
Paid Membership Plugin, Ecommerce, Registration Form, Login Form, User Profile & Restrict Content – ProfilePress	wp-user-avatar
PeproDev CF7 Database	pepro-cf7-database
Poll Maker – Best WordPress Poll Plugin	poll-maker
Premium Starter Templates	astra-pro-sites
RSVPMaker	rsvpmaker
Realbig For WordPress	realbig-media
Regpack	regpack
Rescue Shortcodes	rescue-shortcodes
Restrict – membership, site, content and user access restrictions for WordPress	restricted-content
SAML Single Sign On – SSO Login Standard	miniorange-saml-20-single-sign-on
SIS Handball	sis-handball
SendPress Newsletters	sendpress
Simple Download Counter	simple-download-counter
Simple Membership	simple-membership
Slider Pro	sliderpro
Social Share, Social Login and Social Comments Plugin – Super Socializer	super-socializer
Staff / Employee Business Directory for Active Directory	ldap-ad-staff-employee-directory-search
StagTools	stagtools
Starter Templates — Elementor, WordPress & Beaver Builder Templates	astra-sites
Stock Quotes List	stock-quotes-list
Sunshine Photo Cart	sunshine-photo-cart
Swifty Bar, sticky bar by WPGens	swifty-bar
TelSender – Сontact form 7, Events, Wpforms and wooccommerce to telegram bot	telsender
Tilda Publishing	tilda-publishing
Travel Map	travelmap-blog
UniConsent CMP for GDPR CPRA GPP TCF	uniconsent-cmp
Use Memcached	use-memcached
User Feedback – Create Interactive Feedback Form, User Surveys, and Polls in Seconds	userfeedback-lite
User Submitted Posts – Enable Users to Submit Posts from the Front End	user-submitted-posts
VS Contact Form	very-simple-contact-form
WP Accessibility Helper (WAH)	wp-accessibility-helper
WP Crowdfunding	wp-crowdfunding
WP Custom Post Template	wp-custom-post-template
WP Directory Kit	wpdirectorykit
WP Gallery Metabox	wp-gallery-metabox
WP Project Manager – Task, team, and project management plugin featuring kanban board and gantt charts	wedevs-project-manager
WP iCal Availability	wp-ical-availability
WP-dTree	wp-dtree-30
WRC Pricing Tables – WordPress Responsive CSS3 Pricing Tables	wrc-pricing-tables
WiserNotify Social Proof & FOMO Notification, WooCommerce Sales Popup, Review Popups, Notification Bars & Urgency Widgets	wiser-notify
WooCommerce PensoPay	woo-pensopay
Woocommerce Support System	wc-support-system
WordPress Classifieds Plugin – Ad Directory & Listings by AWP Classifieds	another-wordpress-classifieds-plugin
WordPress File Sharing Plugin	user-private-files
WordPress Social Login	wordpress-social-login
iFolders – Ultimate Folder Manager for Media, Pages, Posts & etc	ifolders
rtMedia for WordPress, BuddyPress and bbPress	buddypress-media
wordpress publish post email notification	publish-post-email-notification
wpCentral	wp-central

---

WordPress Themes with Reported Vulnerabilities Last Week

Software Name	Software Slug
Attorney	attorney
Flatsome	flatsome
Raise Mag	raise-mag
Wishful Blog	wishful-blog
Woodmart	woodmart

---

Vulnerability Details

Please note that if you run the Wordfence plugin on your WordPress site, with the scanner enabled, you should’ve already been notified if your site was affected by any of these vulnerabilities.

Media Library Assistant <= 3.09 – Unauthenticated Local/Remote File Inclusion & Remote Code Execution

---

RSVPMaker <= 10.6.6 – Unauthenticated PHP Object Injection

---

All in One B2B for WooCommerce <= 1.0.3 – Unauthenticated Privilege Escalation

---

Flatsome <= 3.17.5 – Unauthenticated PHP Object Injection

---

Form Maker by 10Web <= 1.15.19 – Unauthenticated Arbitrary File Upload

---

WP Project Manager <= 2.6.0 – Authenticated (Subscriber+) SQL Injection

---

Export Import Menus <= 1.8.0 – Authenticated (Contributor+) Arbitrary File Upload

---

My Account Page Editor <= 1.3.1 – Authenticated (Subscriber+) Arbitrary File Upload

---

ProfilePress <= 4.13.2 – Limited Privilege Escalation via ‘acceptable_defined_roles’

---

Woocommerce Support System <= 1.2.0 – Missing Authorization

---

Woocommerce Support System <= 1.2.0 – Authenticated (Administrator+) SQL Injection via ‘orderby’

---

Travel Map <= 1.0.1 – Unauthenticated Cross-Site Scripting

---

Click To Tweet <= 2.0.14 – Unauthenticated Cross-Site Scripting

---

PeproDev CF7 Database <= 1.7.0 – Unauthenticated Stored Cross-Site Scripting via form submission

---

Simple Membership <= 4.3.5 – Reflected Cross-Site Scripting

---

User Feedback <= 1.0.7 – Unauthenticated Stored Cross-Site Scripting

---

All in One B2B for WooCommerce <= 1.0.3 – Cross-Site Request Forgery

---

Auto Amazon Links <= 5.3.1 – Authenticated (Contributor+) Stored Cross-Site Scripting via style

---

Goods Catalog <= 2.4.1 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Rescue Shortcodes <= 2.5 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Starter Templates <= 3.2.4 – Authenticated (Contributor+) Server-Side Request Forgery

---

Simple Download Counter <= 1.6 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

User Submitted Posts <= 20230901 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

WordPress Social Login <= 3.0.4 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

User Submitted Posts – Enable Users to Submit Posts from the Front End <= 20230811 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode

---

Notice Bar <= 3.1.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Locations <= 4.0 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Attorney <= 3 – Reflected Cross-Site Scripting

---

Restrict <= 2.2.4 – Reflected Cross-Site Scripting

---

WooCommerce PensoPay <= 6.3.1 – Reflected Cross-Site Scripting via ‘pensopay_action’

---

WoodMart <= 7.2.4 – Reflected Cross-Site Scripting

---

AcyMailing SMTP Newsletter <= 8.6.2 – Reflected Cross-Site Scripting

---

Stagtools <= 2.3.7 – Reflected Cross-Site Scripting

---

Poll Maker <= 4.7.0 – Reflected Cross-Site Scripting

---

Wishful Blog <= 2.0.1 & Raise Mag <= 1.0.7 – Unauthenticated Cross-Site Scripting

---

Stock Quotes List <= 2.9.9 – Authenticated (Contributor+) Stored Cross-Site Scripting

---

Tilda Publishing <= 0.3.21 – Missing Authorization

---

Staff / Employee Business Directory for Active Directory <= 1.2.1 – Insufficient Escaping of Stored LDAP Values

---

Easy WP Cleaner <= 1.9 – Cross-Site Request Forgery

---

Contact Form for Plugin by Fluent Forms <= 5.0.8 – Insecure Direct Object Reference

---

Sunshine Photo Cart <= 3.0.5 – Insecure Direct Object Reference to Order Manipulation

---

TelSender <= 1.14.7 – Missing Authorization

---

WP Directory Kit <= 1.2.6 – Missing Authorization

---

Email posts to subscribers <= 6.2 – Missing Authorization to Sensitive Information Exposure

---

WRC Pricing Tables <= 2.3.7 – Missing Authorization

---

WiserNotify Social Proof <= 2.5 – Missing Authorization

---

EWWW Image Optimizer <= 7.2.0 – Sensitive Information Exposure

---

VS Contact Form <= 13.9 – Missing Authorization

---

BitPay Checkout for WooCommerce <= 4.1.0 – Missing Authorization

---

UniConsent Cookie Consent CMP for GDPR / CCPA <= 1.4.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

WordPress File Sharing Plugin <= 2.0.3 – Authenticated (Admin+) Stored Cross-Site Scripting

---

Insert Estimated Reading Time <= 1.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Cookie Notice & Consent 1.6.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

SendPress Newsletters <= 1.22.3.31 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Swifty Bar, sticky bar by WPGens <= 1.2.10 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

wordpress publish post email notification <= 1.0.2.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

iFolders <= 1.5.0 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Order Delivery Date for WP e-Commerce <= 1.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Email posts to subscribers <= 6.2 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Back To The Top Button <= 2.1.5 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Regpack <= 0.1 – Authenticated (Administrator+) Stored Cross-Site Scripting

---

Backup Migration <= 1.2.9 – Cross-Site Request Forgery

---

Automatic YouTube Gallery <= 2.3.3 – Missing Authorization via AJAX actions

---

rtMedia for WordPress, BuddyPress and bbPress <= 4.6.14 – Missing Authorization via export_settings

---

Super Socializer <= 7.13.54 – Missing Authorization

---

Laposta Signup Embed <= 1.1.0 – Missing Authorization

---

CP Blocks <= 1.0.20 – Cross-Site Request Forgery to Settings Update

---

Leadster <= 1.1.2 – Cross-Site Request Forgery

---

EmbedPress <= 3.8.3 – Cross-Site Request Forgery

---

Live News <= 1.06 – Cross-Site Request Forgery

---

WP Gallery Metabox <= 1.0.0 – Cross-Site Request Forgery

---

wpCentral <= 1.5.7 – Cross-Site Request Forgery

---

Laposta Signup Embed <= 1.1.0 – Cross-Site Request Forgery

---

POEditor <= 0.9.4 – Cross-Site Request Forgery

---

Carousel Slider <= 2.2.2 – Missing Authorization

---

SIS Handball <= 1.0.45 – Cross-Site Request Forgery

---

Bulk NoIndex & NoFollow Toolkit <= 1.5 – Missing Authorization

---

rtMedia for WordPress, BuddyPress and bbPress <= 4.6.14 – Missing Authorization to Settings Update

---

WP-dTree <= 4.4.5 – Cross-Site Request Forgery

---

Realbig <= 1.0.2 – Cross-Site Request Forgery

---

Order Delivery Date for WP e-Commerce <= 1.2 – Cross-Site Request Forgery

---

Click To Tweet <= 2.0.14 – Missing Authorization

---

Outbound Link Manager <= 1.2 – Cross-Site Request Forgery

---

Analytify Dashboard <= 5.1.0 – Missing Authorization to Opt-In

---

AWP Classifieds <= 4.3 – Cross-Site Request Forgery

---

Use Memcached <= 1.0.5 – Cross-Site Request Forgery

---

WP Custom Post Template <= 1.0 – Cross-Site Request Forgery

---

Laposta Signup Basic <= 1.4.1 – Missing Authorization

---

WP Accessibility Helper (WAH) <= 0.6.2.4 – Missing Authorization via AJAX action

---

Hide admin notices – Admin Notification Center <= 2.3.2 – Cross-Site Request Forgery

---

WP iCal Availability <= 1.0.3 – Cross-Site Request Forgery

---

Super Socializer <= 7.13.54 – Cross-Site Request Forgery

---

rtMedia for WordPress, BuddyPress and bbPress <= 4.6.14 – Missing Authorization to Sensitive Information Exposure

---

SAML SP Single Sign On <= 5.0.4 – Missing Authorization to notice dismissal

---

WP Crowdfunding <= 2.1.4 – Missing Authorization via settings_reset

---

Laposta Signup Basic <= 1.4.1 – Cross-Site Request Forgery

---

Duplicate Post Page Menu & Custom Post Type <= 2.3.1 – Missing Authorization to Post Duplication

---

ProfilePress <= 4.13.1 Cross-Site Request Forgery via ‘admin_notice’

---

WP Crowdfunding <= 2.1.5 – Cross-Site Request Forgery

---

MyCryptoCheckout <= 2.125 – Cross-Site Request Forgery

---

Starter Templates <= 3.2.5 – Incorrect Authorization

---

Easy Form by AYS <= 1.3.8 – Cross-Site Request Forgery

---

MailMunch – Grow your Email List <= 3.1.2 – Cross-Site Request Forgery

---

Slider Pro <= 4.8.6 – Missing Authorization via AJAX actions

---

SendPress Newsletters <= 1.22.3.31 – Cross-Site Request Forgery

---

Directorist <= 7.7.1 – CSV Injection

---

Modula <= 2.7.4 – Incomplete Authorization via ‘save_image’ and ‘save_images’

---

As a reminder, Wordfence has curated an industry leading vulnerability database with all known WordPress core, theme, and plugin vulnerabilities known as Wordfence Intelligence.

This database is continuously updated, maintained, and populated by Wordfence’s highly credentialed and experienced vulnerability researchers through in-house vulnerability research, vulnerability researchers submitting directly to us using our CVE Request form, and by monitoring varying sources to capture all publicly available WordPress vulnerability information and adding additional context where we can.

Click here to sign-up for our mailing list to receive weekly vulnerability reports like this and important WordPress Security reports in your inbox the moment they are published.

The post Wordfence Intelligence Weekly WordPress Vulnerability Report (September 4, 2023 to September 10, 2023) appeared first on Wordfence.

Wordfence recently launched Wordfence CLI, a high performance command line malware scanner, which makes use of our extensive set of malware detection signatures to rapidly scan file systems for infections.

In recent years, the WordPress community has seen a shift in emphasis towards prevention, rather than detection, of security incidents. This reflects the increased adoption of best practices such as Multi-Factor authentication, vulnerability management, and configuration hardening.

While we agree that prevention is always better than detection or remediation, one important concept in Cybersecurity is defense-in-depth, so it’s important to have a well thought-out incident response plan and adequate security monitoring in place. No security solution provides perfect protection against zero-day vulnerabilities, and even a fully locked-down site can be compromised if it shares resources with other sites that remain vulnerable. In today’s article, we’ll discuss our philosophy for securing websites, including several key cybersecurity challenges and concepts and how they relate to the case for malware scanners.

---

Security Should Serve Users, Not the Other Way Around

There’s an old saying that the best camera is the one you have on you, and likewise, the best security solution is the solution you’ll actually use. Users add to the complexity of securing systems, and it is easy to secure a system that nobody wants to use because it’s locked down. Security that’s easy to use and difficult to bypass is far better than security that’s difficult to use and impossible to bypass, and one guiding philosophy to cybersecurity is that nothing is truly impossible to bypass.

That’s why Wordfence prioritizes the user experience and strives to incorporate as many layers of security as possible into a package that’s easy to use for the vast majority of WordPress site owners. Traditionally this has meant plugin-based offerings. Despite the limitations of running security as a plugin, our many features, including our Web Application Firewall, Two Factor Authentication, Real-Time IP Blocklist, and Malware and Vulnerability scanner help secure over 4 million sites, detect millions of malicious files, and block billions of attacks each year.

In our 2022 Wordfence State of WordPress Security Report, we reported that our firewall blocked more than 159 Billion credential stuffing attacks, 23 Billion configuration scans, and about 12 billion attacks against vulnerabilities. You can also get a real-time view of the volume of attacks we are blocking on the Wordfence Intelligence Dashboard.

---

Assume Breach Mindset

While it might seem pessimistic, “assume breach” is a critical mindset in cybersecurity that involves planning mitigations in case a site is compromised. For many sites, even the most locked down ones, compromise is a matter of when, not if, and rapid detection is key to minimizing the damage. If your site has been compromised, it is important to find out as soon as possible to prevent the attacker from gaining ground and elevating privileges throughout the system. A well thought-out incident response plan is useless if you’re unaware that an incident is occurring.

The Solarwinds breach, for instance, remained undetected for more than a year, allowing threat actors to infect thousands of critical systems via a supply-chain attack. With adequate security monitoring and detection in place, this year-long infection could have been detected much sooner and impacted far fewer systems if detected earlier. This also highlights how even those striving to put forth the best security may still have gaps in coverage where an attacker can breach defenses.

---

Layered Security

No single solution will ever be perfect, and it is not possible to completely eliminate risk, only manage it. One of the most effective ways to manage risk is to layer defenses so that bypassing any one layer does not allow an attacker to take complete control. This is why, for instance, it is important to use both strong passwords and multifactor authentication, and why backups are important but not a replacement for intrusion detection.

Another example of this is the contrast between Cloud-based solutions versus our Web Application Firewall – a Cloud solution would be well-suited to providing DDOS protection and blocking some generic attacks, while our WAF benefits from running with the plugin because it can block attacks specifically targeted against WordPress vulnerabilities without unnecessarily blocking legitimate administrative traffic.

Our team has deployed hundreds of firewall rules that take advantage of our Web Application Firewall’s unique capabilities. Many of the privilege escalation and authentication bypass vulnerabilities we see have parameters and values that require specialized experience and techniques to adequately block. For instance, many privilege escalation vulnerabilities, such as the one we found in the JupiterX Theme, make use of administrative functionality that has been accidentally exposed to low-level users, often via an AJAX action.

With a generic ruleset from ModSecurity, attacks of this type couldn’t be blocked without entirely breaking most site functionality. Even the most advanced cloud firewalls able to scan POST parameters by terminating TLS at the edge would still prevent administrative users from performing necessary tasks. Thanks to our custom firewall rules, the Wordfence firewall is able to easily block malicious traffic without impacting site functionality, and thanks to our in-house vulnerability research we’re often the first to release firewall rules for new critical vulnerabilities.

---

Trusting Trust

An often overlooked concept in cybersecurity is the problem of “trusting trust.” On any given system, an attacker that can run code can tamper with any other code running at the same privilege level. This is often used as an argument against plugin-based malware scanners and admittedly does present a challenge since any attacker able to compromise a site to the point where they can execute code can run that code at the same level as a plugin.

Many of our users install Wordfence after they have become aware of a breach and successfully use our scanner for remediation. Most malware is still not sophisticated enough to evade detection in this way, and even malware that is designed to do so often fails to fully hide its tracks from detection. Additionally, based on research our team has done on WordPress threat actors, many are unwilling or unable to develop their own evasion payloads or pay the premium for off-the-shelf solutions.

Nonetheless, such tampering is becoming more common, and no plugin-based scanner is immune to it, but our plugin-based scanner still reliably detects an enormous amount of malware and we have the telemetry to prove it – roughly 1 million sites successfully used Wordfence to clean malware in 2022, based on the total number of sites we saw infections on compared the number of sites that remained infected at the end of the year.

Fortunately, even the most cleverly designed file-based malware can’t successfully hide from a scanner it can’t tamper with, and Wordfence CLI is an effective solution for sites that need this extra layer of detection.

---

Responsible Remediation

When it comes to remediation, a one-size-fits-all approach simply doesn’t work. Many sites have unique needs, custom code, or technical debt. Replacing core WordPress files and plugins with known clean versions can fix many issues, and our scanner offers the option to do this, but many infections will simply reoccur if the root cause is not addressed. Tools to automate remediation can be incredibly useful, but fully automated remediation can cause more problems than it solves while providing a false sense of security – there should always be a human making final remediation decisions. This is why our Wordfence Care and Wordfence Response offerings use skilled analysts to clean your website and get it back into working order, and we highly recommend these services to less experienced site owners, or site owners who simply want to trust the experts to handle remediation.

---

Continuous Improvement

Our malware signatures are designed to detect not only active infections but also artifacts generated by malware and other indicators of compromise. Our team of specialists constantly monitors new malware variants and we release dozens of new signatures every month to keep up with attackers. Since our signatures use carefully crafted regular expressions, each signature can detect thousands and oftentimes even millions of unique malicious files.

In the spirit of continuous improvement, we’ve launched an additional, user-friendly layer of security with our Wordfence CLI scanner. While it is designed for power users and administrators, it unlocks new possibilities for detection that were not available with our plugin scanner.

---

More Flexibility with Wordfence CLI

One of the most frequent requests we’ve received over the years was the ability to run scans programmatically via the command line rather than via the plugin. Not only does this mitigate tampering concerns and result in a massive performance boost, but it also allows for extended use cases – you can use it to scan backups outside of the webroot to ensure their integrity before restoring them, or to more thoroughly scan for database infections by running it against database exports, since scanning live databases tends to be extremely resource-intensive. You can use it to quickly scan just files that were recently modified by piping the results from the Linux find command to the Wordfence cli scanner, or exclude signatures from the scan in the rare cases where your custom code is detected by one of our signatures.

Wordfence CLI is open-source and can be fully customized or forked, and while our basic Free signature set may not be used for commercial purposes, it is designed to detect the most widespread indicators of compromise found on more than 90% of all infected sites. Bear in mind that most infections involve multiple malicious components, so for more comprehensive scanning and remediation, we recommend our Commercial signature set which detects more than 18 million unique malware variants in the wild.

Conclusion

In today’s article, we discussed some key components of our strategy for securing websites, including user experience, layered security, the assumption of breach, the problem of trusting trust, responsible remediation, and our drive for continuous improvement. Our goal is to provide the best security possible for your website, and that means providing security you’ll actually use.

While no single solution offers perfect protection, Wordfence offers prevention, detection, and remediation packages that will significantly improve your security posture while remaining compatible with other solutions. With the launch of Wordfence CLI, it is now possible to scan hundreds or even thousands of sites with a single, competitively priced license, all while conserving server resources.

The post Malware Scanning: An Essential Layer of Website Security appeared first on Wordfence.

On August 24, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting (XSS) and a Blind SQL Injection vulnerability in the Slimstat Analytics plugin, which is actively installed on more than 100,000 WordPress websites. The vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages or execute SQL queries by appending them to an existing SQL query using the plugin’s shortcode.

All Wordfence Premium, Wordfence Care, and Wordfence Response customers, as well as those still using the free version of our plugin, are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Cross-Site Scripting and SQL Injection protection.

We contacted VeronaLabs on August 24, 2023, and we received a response on the same day. After providing full disclosure details, the developer released a patch on August 28, 2023. We would like to commend VeronaLabs for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of Slimstat Analytics, version 5.0.10 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

The Slimstat Analytics plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘slimstat’ shortcode in versions up to, and including, 5.0.9 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Slimstat Analytics plugin for WordPress is vulnerable to SQL Injection via the plugin’s shortcode in versions up to, and including, 5.0.9 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for authenticated attackers with contributor-level and above permissions to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.

Technical Analysis

Slimstat Analytics is a WordPress website traffic analytics plugin that offers several features for analyzing and monitoring traffic. It provides a shortcode ([slimstat]) that displays various types of statistics when added to a WordPress page or post.

Unfortunately, insecure implementation of the plugin’s shortcode functionality allows for the injection of arbitrary web scripts into these pages. Examining the code reveals that the shortcode has several types based on the ‘f’ parameter. In vulnerable versions, the ‘top-all’ type does not adequately sanitize the user-supplied ‘w’ attribute, and then fails to escape the ‘class’ output derived from the ‘w’ parameter when it displays the statistics. This makes it possible to inject attribute-based Cross-Site Scripting payloads via the ‘w’ attribute.

public static function slimstat_shortcode($_attributes = '', $_content = '')
{
	shortcode_atts(array(
		'f' => '',    // recent, popular, count, widget
		'w' => '',    // column to use (for recent, popular and count) or widget to use
		's' => ' ',    // separator
		'o' => 0    // offset for counters
	), $_attributes);
line 724

$output = '<ul class="slimstat-shortcode ' . $f . implode('-', $w) . '">' . implode('', $output) . '</ul>';

The slimstat_shortcode method snippet in the wp_slimstat class

This makes it possible for threat actors with contributor-level access to a site to carry out stored XSS attacks. Once a script is injected into a page or post, it will execute each time a user accesses the affected page. While this vulnerability does require that a trusted contributor account is compromised, or that a user be able to register as a contributor, successful threat actors could steal sensitive information, manipulate site content, inject administrative users, edit files, or redirect users to malicious websites which are all severe consequences.

Further examining the code, we also found a SQL Injection vulnerability within the same shortcode. Although the ‘w’ parameter will be converted into an array, it is not properly sanitized. This parameter is used for the column in the database query, and although the prepare function is used, the column is not specified as a placeholder, which makes it possible for an attacker to perform SQL injection attacks.

$w = self::string_to_array($w);

The slimstat_shortcode method snippet in the wp_slimstat class

public static function get_top($_column = 'id', $_where = '', $_having = '', $_use_date_filters = true, $_as_column = '')
{
	// This function can be passed individual arguments, or an array of arguments
	if (is_array($_column)) {
		$_where            = !empty($_column['where']) ? $_column['where'] : '';
		$_having           = !empty($_column['having']) ? $_column['having'] : '';
		$_use_date_filters = !empty($_column['use_date_filters']) ? $_column['use_date_filters'] : true;
		$_as_column        = !empty($_column['as_column']) ? $_column['as_column'] : '';
		$_column           = $_column['columns'];
	}

	$group_by_column = $_column;

	if (!empty($_as_column)) {
		$_column = "$_column AS $_as_column";
	} else {
		$_as_column = $_column;
	}

	$_where = self::get_combined_where($_where, $_as_column, $_use_date_filters);

	// prepare the query
	$sql = $GLOBALS['wpdb']->prepare("
		SELECT $_column, COUNT(*) counthits
		FROM {$GLOBALS['wpdb']->prefix}slim_stats
		WHERE $_where
		GROUP BY $group_by_column $_having
		ORDER BY counthits DESC
		LIMIT 0, %d", self::$filters_normalized['misc']['limit_results']);
	return self::get_results($sql, ((!empty($_as_column) && $_as_column != $_column) ? $_as_column : $_column),
		'counthits DESC', ((!empty($_as_column) && $_as_column != $_column) ? $_as_column : $_column),
		'SUM(counthits) AS counthits');
}

The get_top method in the wp_slimstat_db class

Since no data from the SQL query was returned in the response, an attacker would need to use a Time-Based blind approach to extract information from the database. This means that they would need to use SQL CASE statements along with the SLEEP() command while observing the response time of each request to steal information from the database. This is an intricate, yet frequently successful method to obtain information from a database when exploiting SQL Injection vulnerabilities.

Disclosure Timeline

August 24, 2023 – Wordfence Threat Intelligence team discovers the stored XSS and SQL Injection vulnerabilities in Slimstat Analytics.
August 24, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion.
August 26, 2023 – The vendor confirms the inbox for handling the discussion.
August 26, 2023 – We send over the full disclosure details for the XSS vulnerability.
August 27, 2023 – We send over the full disclosure details for the SQL injection vulnerability.
August 27, 2023 – The vendor acknowledges the report and begins working on a fix.
August 28, 2023 – The fully patched version, 5.0.10, is released.

Conclusion

In this blog post, we have detailed stored XSS and SQL Injection vulnerabilities within the Slimstat Analytics plugin affecting versions 5.0.9 and earlier. This vulnerability allows authenticated threat actors with contributor-level permissions or higher to inject malicious web scripts into pages that execute when a user accesses an affected page, and extract sensitive information from a database. These vulnerabilities have been fully addressed in version 5.0.10 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of Slimstat Analytics.

All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites still running the free version of Wordfence, are fully protected against this vulnerability.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

For security researchers looking to disclose vulnerabilities responsibly and obtain a CVE ID, you can submit your findings to Wordfence Intelligence and potentially earn a spot on our leaderboard.

The post Over 100,000 WordPress Websites Affected by XSS and SQLi Vulnerabilities in Slimstat Analytics Plugin appeared first on Wordfence.