PHP_SELFish: UnderContruction, Easy Social Icons

Part 1 – Reflected XSS in underConstruction Plugin

This post examines a cross site scripting vulnerability that exploits the PHP_SELF variable. Below describes another plugin suffering from a similar vulnerability related to the use of PHP_SELF.

On August 16, 2021, the Wordfence Threat Intelligence team attempted to initiate disclosure for a reflected Cross-Site Scripting vulnerability in underConstruction, a WordPress plugin with over 80,000 installations.

A patched version, 1.19, was released on August 31, 2021.

A firewall rule protecting against this vulnerability was released to Wordfence Premium users on August 16, 2021, and became available to sites using the free version of Wordfence on September 15, 2021.

If you aren’t running Wordfence, and are a user of this plugin, we recommend you immediately upgrade to version 1.19 of underConstruction which contains the patch.

Original source and technical explanation:

Part 2 – Reflected XSS in Easy Social Icons

On August 16, 2021, the Wordfence Threat Intelligence team attempted to initiate disclosure for a reflected Cross-Site Scripting vulnerability in Easy Social Icons, a WordPress plugin with over 40,000 installations.

An initial patch, version 3.0.9, was released on August 31, 2021.

A firewall rule protecting against this vulnerability was released to Wordfence Premium users on August 16, 2021, and became available to sites using the free version of Wordfence on September 15, 2021.

Newer versions of the plugin also contain patches for additional XSS vulnerabilities, and all Wordfence users are protected against these vulnerabilities by our firewall’s built-in XSS protection. If you’re not using Wordfence, we recommend that you immediately upgrade to version 3.1.3 of the Easy Social Icons plugin.

Original source and technical explanation:

Phishing attacks: Police make 106 arrests as they break up online fraud group

Organised crime operation used phishing and business email compromise attacks.

Police have dismantled an organised crime group linked to the Italian mafia that defrauded hundreds of victims through phishing attacks and other types of online fraud.

The joint operation was led by the Spanish National Police (Policía Nacional), with support from the Italian National Police (Polizia di Stato), Europol and Eurojust and has resulted in 106 arrests across Spain and Italy. 

According to Europol, the crime operation used phishingSIM swapping and business email compromise (BEC) attacks and it’s estimated that this led to profits of around €10 million ($11.7 million) during last year alone. 

Described as “very well organised”, the group included a number of experts in computer crime tasked with creating phishing domains and carrying out cyber fraud. Other individuals involved in the criminal network included money mules and money-laundering experts, including experts in cryptocurrency. 

Working out of the Canary Islands, Spain, the criminals tricked victims – mostly from Italy – into sending large sums of money to bank accounts they controlled, before laundering the proceeds through money mules and shell companies. 

More at:

Recently Patched Vulnerabilities in Ninja Forms Plugin Affect Over 1 Million Site Owners

On August 3, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for two vulnerabilities that were discovered in Ninja Forms, a WordPress plugin installed on over 1,000,000 sites. These flaws made it possible for an attacker to export sensitive information and send arbitrary emails from a vulnerable site that could be used to phish unsuspecting users.

Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on August 2, 2021. Sites still using the free version of Wordfence received the same protection on September 1, 2021.

We sent the full disclosure details to Ninja Forms on August 3, 2021, as per the security disclosure policy listed on Ninja Forms website. Ninja Forms quickly acknowledged the report the same day and informed us that they would start working on a patch immediately. A patch was released on September 7, 2021 in version 3.5.8.

We strongly recommend updating immediately to the latest patched version of Ninja Forms to patch these security issues, which is version of Ninja Forms at the time of this publication.

Original source and technical explanation:

CSRF Vulnerability Found in Software License Manager Plugin

Versions before 4.5.1 of the Software License Manager plugin for WordPress have an exploitable Cross-Site Request Forgery (CSRF) vulnerability. Any user logged in to a site with the vulnerable extension can, by clicking a link, be tricked to delete an entry in the plugin’s registered domain database table. The link can be distributed in an email, or on a website the victim user is likely to visit.

The good news is, there’s not much else that can be done by exploiting this weakness. And the attacker needs to know the id of the domain they wish to delete from the database beforehand. 

Still, we recommend anybody running version 4.5.0 or earlier of the plugin to upgrade as soon as possible.



WordPress 5.8.1 Security and Maintenance Release

WordPress 5.8.1 was released earlier this evening.

This security and maintenance release features 60 bug fixes in addition to 3 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 5.4 have also been updated.

WordPress 5.8.1 is a short-cycle security and maintenance release. The next major release will be version 5.9.

3 security issues affect WordPress versions between 5.4 and 5.8. If you haven’t yet updated to 5.8, all WordPress versions since 5.4 have also been updated to fix the security issues.

Full details at

Apple Delays Plans to Scan Devices for Child Abuse Images After Privacy Backlash

Apple is temporarily hitting the pause button on its controversial plans to screen users’ devices for child sexual abuse material (CSAM) after receiving sustained blowback over worries that the tool could be weaponized for mass surveillance and erode the privacy of users.

“Based on feedback from customers, advocacy groups, researchers, and others, we have decided to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features,” the iPhone maker said in a statement on its website.

The announcement, however, doesn’t make it clear as to the kind of inputs it would be gathering, the nature of changes it aims to devise, or how it intends to implement the system in a way that mitigates the privacy and security concerns that could arise once it’s deployed.

The changes were originally slated to go live with iOS 15 and macOS Monterey later this year, starting with the U.S.

Full article:

Over 1 Million Sites Affected by Gutenberg Template Library & Redux Framework Vulnerabilities

Two vulnerabilities were discovered in the Gutenberg Template Library & Redux Framework plugin, which is installed on over 1 million WordPress sites. One vulnerability allowed users with lower permissions, such as contributors, to install and activate arbitrary plugins and delete any post or page via the REST API. A second vulnerability allowed unauthenticated attackers to access potentially sensitive information about a site’s configuration.

A patched version of the plugin, 4.2.13, was released on August 11, 2021.


US govt warns orgs to patch massively exploited Confluence bug

US Cyber Command (USCYBERCOM) has issued a rare alert today urging US organizations to patch a massively exploited Atlassian Confluence critical vulnerability immediately.

“Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate,” said Cyber National Mission Force (CNMF). 

The USCYBERCOM unit also stressed the importance of patching vulnerable Confluence servers as soon as possible: “Please patch immediately if you haven’t already— this cannot wait until after the weekend.”

This warning comes after Deputy National Security Advisor Anne Neuberger encouraged organizations “to be on guard for malicious cyberactivity in advance of the holiday weekend” during a Thursday White House press briefing.

It’s the second alert of this kind in the last 12 months, the previous one (from June) notifying that CISA was aware that threat actors might attempt to exploit a remote code execution vulnerability affecting all vCenter Server installs.

CISA also urged users and admins today to immediately apply the Confluence security updates recently issued by Atlassian.

Original article: