Definition: Credential Stuffing

A hacking technique where login credentials are obtained (often stolen) from one site and used to attempt to log into one or more other services – typically higher value sites like banks, credit cards, etc.

This is why we recommend that you never re-use passwords.

The video below gives a pretty clear explanation of the problem, and offers some ways around it (password managers, multi-factor authentication, passwordless login). We’ll be covering passwordless login soon…
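The definition above implies a recognisable pattern on the receiving site: one source trying many different usernames once each and mostly failing, unlike a brute-force attack that hammers a single account. The following detection sketch is an added example, not part of the original article; the log format, sample lines and thresholds are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample auth log (not real data): "<ip> <username> <OK|FAIL>"
SAMPLE_LOG = """\
203.0.113.7 alice FAIL
203.0.113.7 bob FAIL
203.0.113.7 carol OK
203.0.113.7 dave FAIL
203.0.113.7 erin FAIL
203.0.113.7 frank FAIL
198.51.100.9 admin FAIL
198.51.100.9 admin FAIL
198.51.100.9 admin FAIL
198.51.100.9 admin FAIL
198.51.100.9 admin FAIL
198.51.100.9 admin FAIL
192.0.2.44 grace FAIL
192.0.2.44 grace OK
"""

def parse(log):
    """Yield (ip, username, succeeded) per well-formed line; skip the rest."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 3 and parts[2] in ("OK", "FAIL"):
            yield parts[0], parts[1], parts[2] == "OK"

def classify_sources(log, min_users=5, min_fail_ratio=0.8, brute_min_fails=5):
    """Label each source IP for one window of login events (thresholds are assumptions)."""
    attempts = defaultdict(list)
    for ip, user, ok in parse(log):
        attempts[ip].append((user, ok))
    report = {}
    for ip, events in attempts.items():
        users = {u for u, _ in events}
        fails = sum(1 for _, ok in events if not ok)
        fail_ratio = fails / len(events)
        if len(users) >= min_users and fail_ratio >= min_fail_ratio:
            label = "credential_stuffing"   # many accounts, mostly failing
        elif len(users) == 1 and fails >= brute_min_fails:
            label = "brute_force"           # one account, many guesses
        else:
            label = "normal"
        # A login that succeeded from a stuffing source is a reused password that worked.
        hits = sorted({u for u, ok in events if ok}) if label == "credential_stuffing" else []
        report[ip] = {"label": label, "reset_required": hits}
    return report

if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_LOG).items():
        print(ip, verdict)
```

Accounts listed under `reset_required` are the ones where a reused password actually worked, so they are the first candidates for a forced reset and multi-factor enrolment.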

Experian API Exposed Credit Scores of Most Americans (again)

Big-three consumer credit bureau Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address, KrebsOnSecurity has learned. Experian says it has plugged the data leak, but the researcher who reported the finding says he fears the same weakness may be present at countless other lending websites that work with the credit bureau.

Security researcher Bill Demirkapi found the Experian API could be accessed directly without any sort of authentication, and that entering all zeros in the “date of birth” field let him then pull a person’s credit score. He even built a handy command-line tool to automate the lookups, which he dubbed “Bill’s Cool Credit Score Lookup Utility.”

In addition to credit scores, the Experian API returns for each consumer up to four “risk factors,” indicators that might help explain why a person’s score is not higher.

Source: https://krebsonsecurity.com/2021/04/experian-api-exposed-credit-scores-of-most-americans/

Severe Vulnerabilities Patched in Redirection for Contact Form 7 Plugin

In early February, the Wordfence Threat Intelligence team discovered and responsibly disclosed several vulnerabilities in Redirection for Contact Form 7, a WordPress plugin used by over 200,000 sites. One of these flaws made it possible for unauthenticated attackers to generate arbitrary nonces for any function. The second flaw made it possible for authenticated attackers to install arbitrary plugins and inject PHP Objects. The third flaw made it possible for authenticated attackers to delete arbitrary posts on a site running the plugin, causing a loss of availability.

These are considered severe vulnerabilities. Therefore, we highly recommend updating to the latest patched version available immediately.

Full details at https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin

Severe Unpatched Vulnerabilities Leads to Closure of Store Locator Plus Plugin

Store Locator Plus is a plugin that makes it very simple to add a store locator to a WordPress site. Unfortunately, there was functionality in the plugin that made it possible for authenticated users to update their user metadata to become an administrator on any site using the plugin. This could allow attackers to gain administrative access to a site and completely take it over.

Wordfence strongly recommends deactivating and removing this plugin immediately and finding a replacement. We do not know at this point if the plugin will be patched.

In addition to the privilege escalation vulnerability, Wordfence found several endpoints in the plugin that could allow unauthenticated attackers to inject malicious JavaScript into pages. These could be used by an attacker to inject backdoors or add new administrative user accounts, ultimately leading to complete site compromise.

We strongly recommend deactivating and removing the Store Locator Plus plugin and finding a replacement, as this plugin may not be patched in the foreseeable future. If you must keep the plugin installed on your site until you find a replacement, you should also be using Wordfence’s Web Application Firewall, which has rules in place to mitigate attacks.

Source: https://www.wordfence.com/blog/2021/04/severe-unpatched-vulnerabilities-leads-to-closure-of-store-locator-plus-plugin

Widespread Attacks Continue Targeting Vulnerabilities in The Plus Addons for Elementor Pro

From Wordfence:

Over the past 10 days, Wordfence has blocked over 14 million attacks targeting Privilege Escalation Vulnerabilities in The Plus Addons for Elementor Pro on over 75% of sites reporting attacks during this period. By April 13, 2021, this campaign was targeting more sites than all other campaigns put together.

Despite only having an estimated install count of roughly 30,000 sites, nearly 60% of which should now be running a patched version of the plugin, over 2.8 million sites protected by Wordfence have been targeted by this campaign since April 8, 2021. It is likely that these numbers are reflected by the larger WordPress ecosystem as a whole and that millions of sites that are not protected by Wordfence are also being attacked.

The original vulnerability was already being actively attacked when it was reported by hosting company Seravo, making it a 0-day at the time. This vulnerability allowed attackers to log in as an administrator or to create new administrative accounts on any site with the plugin installed. While analyzing the plugin, the Wordfence Threat Intelligence team found additional vulnerabilities and notified the plugin’s developer. A firewall rule protecting against these vulnerabilities was released to our premium users on March 8, 2021, and became available to free users on April 7, 2021.

Source: https://www.wordfence.com/blog/2021/04/widespread-attacks-continue-targeting-vulnerabilities-in-the-plus-addons-for-elementor-pro

Vulnerabilities Patched in WP Page Builder

On February 15, 2021, the Wordfence Threat Intelligence team began the responsible disclosure process for several vulnerabilities in WP Page Builder, a plugin installed on over 10,000 sites. These vulnerabilities allowed any logged-in user, including subscribers, to access the page builder’s editor and make changes to existing posts on the site by default. Additionally, any logged-in user could add malicious JavaScript to any post, potentially resulting in site takeover.

Wordfence Premium users received a firewall rule protecting against these vulnerabilities on February 15, 2021. Sites still running the free version of Wordfence received the same protection 30 days later, on March 17, 2021.

Full article: https://www.wordfence.com/blog/2021/04/vulnerabilities-patched-in-wp-page-builder