Beware: new IRS rules will lead to a wave of phishing frauds

Thanks to new legislation that went into place at the beginning of this year, I predict that a lot of unsuspecting small business owners are about to fall victim to a fresh scam.

The scam will relate to legislation around new tax reporting rules that will affect millions of freelancers and small businesses. As explained in an earlier column, beginning for the 2022 tax year, if you receive more than $600 in total payments during the course of the year from a payment service like PayPal, Venmo (which is owned by PayPal), Square, Stripe or online sales of your products made through Amazon, Etsy and other marketplaces – regardless of how many customers are paying – that payment service is required to report that amount to the IRS and to you by sending a Form 1099-K – used for reporting payments via these third parties – in early 2023.

Full story: https://www.theguardian.com/money/2022/feb/27/beware-phising-fraud-new-irs-rules-online-payment-service-receipts

Stored Cross-Site Scripting Vulnerability Patched in a WordPress Photo Gallery Plugin

A cross-site scripting (XSS) vulnerability was discovered in “Photoswipe Masonry Gallery”, a WordPress plugin that is installed on over 10,000 sites. This flaw makes it possible for an authenticated attacker to inject malicious JavaScript that executes whenever a site administrator accesses the PhotoSwipe Options page or a user accesses a page with a gallery created by the plugin.

We strongly recommend ensuring that your site has been updated to the latest patched version of “Photoswipe Masonry Gallery”, which is version 1.2.18 at the time of this publication.

Photoswipe Masonry Gallery is a plugin designed to enhance gallery creation using the default WordPress gallery builder, which can be added to WordPress pages and posts. As with many other plugins in the WordPress repository, it exposes general options that apply to every gallery a site owner creates, such as thumbnail width and height along with many other settings. Unfortunately, the plugin had a vulnerability that made it possible for attackers to modify these settings.
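The class of bug described above, as an added example that is not the plugin's own code: a settings value saved without validation is later echoed into gallery markup. Option names, form fields and the image path are hypothetical; the hardened form validates on save and escapes on output.

```php
<?php
// Added example, not the plugin's code. Models the stored-XSS class described
// above: a setting saved from the options form is later echoed into gallery
// markup. Option names, the form fields and the image path are hypothetical.

// Vulnerable pattern: the raw submitted value is stored as-is and later placed
// inside an HTML attribute unescaped, so a value containing a double quote
// breaks out of the attribute and adds its own.
function save_options_vulnerable(array $post): array {
    return ['thumb_width' => $post['thumb_width'], 'thumb_height' => $post['thumb_height']];
}
function thumb_markup_vulnerable(array $opts, string $src): string {
    return '<img src="' . $src . '" width="' . $opts['thumb_width']
         . '" height="' . $opts['thumb_height'] . '">';
}

// Hardened pattern: validate on save (a thumbnail dimension is a bounded
// integer, nothing else) and escape on output regardless. In WordPress the
// save handler would also sit behind current_user_can('manage_options')
// and check_admin_referer(), and the escaping helper would be esc_attr().
function sanitize_dimension($value, int $default = 150): int {
    $n = filter_var($value, FILTER_VALIDATE_INT,
                    ['options' => ['min_range' => 1, 'max_range' => 4000]]);
    return $n === false ? $default : $n;
}
function save_options_hardened(array $post): array {
    return [
        'thumb_width'  => sanitize_dimension($post['thumb_width']  ?? null),
        'thumb_height' => sanitize_dimension($post['thumb_height'] ?? null),
    ];
}
function thumb_markup_hardened(array $opts, string $src): string {
    $esc = fn(string $v): string => htmlspecialchars($v, ENT_QUOTES, 'UTF-8');
    return '<img src="' . $esc($src) . '" width="' . (int) $opts['thumb_width']
         . '" height="' . (int) $opts['thumb_height'] . '">';
}

// Constructed submission from an account that should not control this page.
$post = ['thumb_width' => '100" onload="alert(1)', 'thumb_height' => '100'];
echo thumb_markup_vulnerable(save_options_vulnerable($post), 'a.jpg'), "\n"; // attacker attribute lands
echo thumb_markup_hardened(save_options_hardened($post), 'a.jpg'), "\n";     // width="150" height="100"
```

The two lines of defence are independent: even if a future form field forgets validation, output escaping keeps the stored value inside its attribute.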

Source: https://www.wordfence.com/blog/2022/02/stored-cross-site-scripting-vulnerability-patched-in-a-wordpress-photo-gallery-plugin

Reflected XSS in Header Footer Code Manager

Header Footer Code Manager is a WordPress plugin designed to allow administrators to add code snippets to the header or footer of a website. One of the admin panel pages added by the plugin allows administrators to view a list of code snippets that had been added to the site, which included links to edit or delete these existing code snippets. The plugin's column_name function used the $_REQUEST['page'] parameter to construct this link.

WordPress uses the value of the $_GET['page'] parameter in order to determine which page the user is currently visiting, and will block unauthorized users if they're not allowed to access the current page set in $_GET['page']. This means that $_REQUEST['page'] might be expected to just contain the admin page used to display the list of code snippets, hfcm-list. However, due to a quirk of how PHP handles superglobal variables, $_REQUEST parameters can be overloaded.

The upshot is that this can be used to execute JavaScript in the browser of a logged-in administrator, for instance, by tricking them into visiting a self-submitting form that sends a POST request to e.g. hxxps://victimsite.site/wp-admin/admin.php?page=hfcm-list, with the $_POST['page'] parameter set to malicious JavaScript.
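The superglobal quirk described above, as an added example that is not the plugin's own code: plain PHP that rebuilds $_REQUEST the way PHP does and shows why the page gate on $_GET['page'] passes while $_REQUEST['page'] carries the POST body. Function names are hypothetical.

```php
<?php
// Added example, not the plugin's code. Reproduces the superglobal quirk
// described above in plain PHP: $_REQUEST is assembled from $_GET and then
// $_POST (request_order "GP", or variables_order "EGPCS" when unset), so a
// POST body field named "page" overwrites the query-string value in $_REQUEST
// while $_GET['page'] is untouched. Function names are hypothetical.
function build_request(array $get, array $post): array {
    return array_merge($get, $post); // later source wins, as PHP does
}

// Stand-in for WordPress's check: only $_GET['page'] decides which admin
// screen loads and whether the current user may see it.
function is_allowed_admin_page(array $get): bool {
    return isset($get['page']) && $get['page'] === 'hfcm-list';
}

// Vulnerable pattern (modelled on the description): the edit link is built
// from $_REQUEST['page'] and written into the page without escaping.
function edit_link_vulnerable(array $request, int $id): string {
    return '<a href="admin.php?page=' . $request['page']
         . '&action=edit&id=' . $id . '">Edit</a>';
}

// Hardened pattern: the slug is a constant rather than request input, and the
// attribute is escaped for its context (esc_url() / esc_attr() in WordPress).
function edit_link_hardened(int $id): string {
    $url = 'admin.php?' . http_build_query(['page' => 'hfcm-list', 'action' => 'edit', 'id' => $id]);
    return '<a href="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">Edit</a>';
}

// Constructed request: legitimate query string, attacker-controlled POST body
// delivered through the self-submitting form the article mentions.
$get  = ['page' => 'hfcm-list'];
$post = ['page' => '"><script>alert(1)</script>'];
$request = build_request($get, $post);

var_dump(is_allowed_admin_page($get));        // bool(true): the page gate passes
echo edit_link_vulnerable($request, 7), "\n"; // script element lands in the admin's browser
echo edit_link_hardened(7), "\n";             // <a href="admin.php?page=hfcm-list&amp;action=edit&amp;id=7">Edit</a>
```

On the detection side, a POST to wp-admin/admin.php whose body carries a page field that differs from the query string has no legitimate reason to exist and is cheap to flag in access logs or a WAF rule.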

Full explanation: https://www.wordfence.com/blog/2022/02/reflected-xss-in-header-footer-code-manager

UpdraftPlus WordPress plugin update forced for million sites

WordPress has forced an update of the UpdraftPlus plugin on around three million sites to address a high-severity vulnerability, tracked as CVE-2022-0633 (CVSS v3.1 score of 8.5), that can allow website subscribers to download the latest database backups, which could potentially contain sensitive data.

“The UpdraftPlus WordPress plugin Free before 1.22.3 and Premium before 2.22.3 do not properly validate a user has the required privileges to access a backup’s nonce identifier, which may allow any users with an account on the site (such as subscriber) to download the most recent site & database backup,” reads the advisory for this issue.

The flaw was discovered by Marc Montpas during an internal audit of the plugin.

“The plugin uses custom ‘nonces’ and timestamps to securely identify backups. Given the knowledge of said nonce and timestamp can give someone access to quite a few of the plugin’s features, making sure this info is only accessible to those who legitimately need it is crucial,” reported the analysis. “Unfortunately, as we’ll demonstrate, it wasn’t the case.”

The issue impacts versions 1.16.7 to 1.22.2 of the plugin; the development team addressed it with the release of 1.22.3 for the Free version and 2.22.3 for the (paid) Premium version.

Source: https://securityaffairs.co/wordpress/128170/hacking/updraftplus-forced-update.html

Elementor WordPress plugin has a gaping security hole – update now

If you run a WordPress site and you use the Elementor website creation toolkit, you could be at risk of a security hole that combines data leakage and remote code execution.

That’s if you use a plugin called Essential Addons for Elementor, which is a popular tool for adding visual features such as timelines, image galleries, ecommerce forms and price lists.

An independent threat researcher called Wai Yan Myo Thet recently discovered what’s known as a file inclusion vulnerability in the product.

This security hole made it possible for attackers to trick the plugin into accessing and including a server-side file, using a filename supplied in the incoming web request.

Simply put, a malicious visitor could trick an unpatched server into serving up a file it’s not supposed to, such as the server’s own username database, or coerce the server into running a script it shouldn’t, thus creating a remote code execution (RCE) hole.
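The file inclusion pattern described above, as an added example that is not the plugin's code: a request-supplied name reaching include, beside an allowlist-based replacement that never lets user input become part of a path. The template directory and template names are hypothetical.

```php
<?php
// Added example, not the plugin's code. Shows the file-inclusion pattern the
// article describes (a request-supplied name reaches include) next to an
// allowlist-based replacement. Directory and template names are hypothetical.

const TEMPLATE_DIR = __DIR__ . '/templates';

// Vulnerable: whatever arrives in the request is joined to a directory and
// included. A traversal string or an uploaded file escapes the directory,
// and anything PHP can read becomes readable or executable.
function render_vulnerable(string $template): void {
    include TEMPLATE_DIR . '/' . $template . '.php';
}

// Hardened: the request value is only ever a key into a fixed map, so no
// user-controlled bytes are ever concatenated into the path.
const TEMPLATES = [
    'timeline'  => 'timeline.php',
    'gallery'   => 'gallery.php',
    'pricelist' => 'pricelist.php',
];

function resolve_template(string $requested): ?string {
    if (!array_key_exists($requested, TEMPLATES)) {
        return null;                     // unknown name: refuse, do not guess
    }
    $base = realpath(TEMPLATE_DIR);
    $path = realpath(TEMPLATE_DIR . '/' . TEMPLATES[$requested]);
    // Defence in depth: even a mapped file must resolve inside TEMPLATE_DIR.
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

function render_hardened(string $requested): void {
    $path = resolve_template($requested);
    if ($path === null) {
        http_response_code(400);         // reject rather than fall back to a default path
        return;
    }
    include $path;
}

// Constructed inputs: a legitimate template name and a traversal attempt.
var_dump(resolve_template('gallery') !== null);         // true once templates/gallery.php exists
var_dump(resolve_template('../../../../etc/passwd'));  // NULL: not in the allowlist
```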

As you probably know, web server RCE bugs are typically abused to implant malware that allows the attackers to do something to your immediate, and often costly, detriment.

Clients of ProtectYourWP.com have already been updated, of course.

Source and more details: https://nakedsecurity.sophos.com/2022/02/02/elementor-wordpress-plugin-has-a-gaping-security-hole-update-now/

https://www.darkreading.com/vulnerabilities-threats/tens-of-thousands-of-websites-vulnerable-to-rce-flaw-in-wordpress-plugin