Hackers exploit WordPress plugin flaw that gives full control of millions of sites

Elementor Pro fixed the vulnerability, but not everyone has installed the patch.

Hackers are actively exploiting a critical vulnerability in a widely used WordPress plugin that gives them the ability to take complete control of millions of sites, researchers said.

The vulnerability, which carries a severity rating of 8.8 out of a possible 10, is present in Elementor Pro, a premium plugin running on more than 12 million sites powered by the WordPress content management system. Elementor Pro allows users to create high-quality websites using a wide range of tools, one of which is WooCommerce, a separate WordPress plugin. When Elementor Pro and WooCommerce are both active on a site, anyone with an account on the site—say a subscriber or customer—can create new accounts that have full administrator privileges.

The vulnerability was discovered by Jerome Bruandet, a researcher with security firm NinTechNet. Last week, Elementor, the developer of the Elementor Pro plugin, released version 3.11.7, which patched the flaw. In a post published on Tuesday, Bruandet wrote:

An authenticated attacker can leverage the vulnerability to create an administrator account by enabling registration (users_can_register) and setting the default role (default_role) to “administrator”, change the administrator email address (admin_email) or, as shown below, redirect all traffic to an external malicious website by changing siteurl among many other possibilities:

MariaDB [example]> SELECT * FROM `wp_options` WHERE `option_name`='siteurl';
+-----------+-------------+------------------+----------+
| option_id | option_name | option_value     | autoload |
+-----------+-------------+------------------+----------+
|         1 | siteurl     | https://evil.com | yes      |
+-----------+-------------+------------------+----------+
1 row in set (0.001 sec)

Now, researchers with a separate security firm, PatchStack, report that the vulnerability is under active exploitation. Attacks are coming from a variety of IP addresses, including:

  • 193.169.194.63
  • 193.169.195.64
  • 194.135.30.6

Files uploaded to compromised sites often have the following names:

  • wp-resortpack.zip
  • wp-rate.php
  • lll.zip

URLs of compromised sites are often being changed to:

  • away[dot]trackersline[dot]com
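As an added example (not code from PatchStack, NinTechNet or Elementor), the following WP-CLI script checks a site for the signs listed above: the options the vulnerable action could rewrite, the uploaded file names, and the administrator accounts present. EXPECTED_URL and EXPECTED_ADMIN_EMAIL are placeholders to fill in with your own values.

```php
<?php
// Added example: run inside a WordPress install with WP-CLI:
//   wp eval-file check-elementor-ioc.php
// WP-CLI loads WordPress first, so get_option(), get_users() and ABSPATH are available.
// The two constants below are placeholders, not values from the report.
const EXPECTED_URL         = 'https://example.com';
const EXPECTED_ADMIN_EMAIL = 'owner@example.com';

function elementor_ioc_findings() {
	$findings = [];

	// Options the unchecked update_option() call could set (see Bruandet's post).
	foreach ( [ 'siteurl', 'home' ] as $opt ) {
		if ( untrailingslashit( (string) get_option( $opt ) ) !== EXPECTED_URL ) {
			$findings[] = "$opt changed to " . get_option( $opt );
		}
	}
	if ( '1' === (string) get_option( 'users_can_register' ) ) {
		$findings[] = 'open registration is enabled (users_can_register=1)';
	}
	if ( 'administrator' === get_option( 'default_role' ) ) {
		$findings[] = 'default_role for new users is administrator';
	}
	if ( get_option( 'admin_email' ) !== EXPECTED_ADMIN_EMAIL ) {
		$findings[] = 'admin_email changed to ' . get_option( 'admin_email' );
	}

	// File names PatchStack saw on compromised sites, searched under the web root.
	$bad_names = [ 'wp-resortpack.zip', 'wp-rate.php', 'lll.zip' ];
	$files     = new RecursiveIteratorIterator(
		new RecursiveDirectoryIterator( ABSPATH, FilesystemIterator::SKIP_DOTS )
	);
	foreach ( $files as $file ) {
		if ( in_array( $file->getFilename(), $bad_names, true ) ) {
			$findings[] = 'suspicious file present: ' . $file->getPathname();
		}
	}

	// Every administrator, newest first: an unexpected one is the attacker's account.
	$admins = get_users( [ 'role' => 'administrator', 'orderby' => 'registered', 'order' => 'DESC' ] );
	foreach ( $admins as $user ) {
		$findings[] = "review administrator: {$user->user_login} (registered {$user->user_registered})";
	}

	return $findings;
}

foreach ( elementor_ioc_findings() as $line ) {
	echo $line, "\n";
}
```

A clean site prints only the "review administrator" lines for accounts you recognise; anything else is worth investigating before assuming the update alone closed the incident.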

The broken access control vulnerability stems from Elementor Pro’s use of the “elementor-pro/modules/woocommerce/module.php” component. When WooCommerce is running, this script registers the following AJAX actions:

/**
 * Register Ajax Actions.
 *
 * Registers ajax action used by the Editor js.
 *
 * @since 3.5.0
 *
 * @param Ajax $ajax
 */
public function register_ajax_actions( Ajax $ajax ) {
   // `woocommerce_update_page_option` is called in the editor save-show-modal.js.
   $ajax->register_ajax_action( 'pro_woocommerce_update_page_option', [ $this, 'update_page_option' ] );
   $ajax->register_ajax_action( 'pro_woocommerce_mock_notices', [ $this, 'woocommerce_mock_notices' ] );
}

and

/**
 * Update Page Option.
 *
 * Ajax action can be used to update any WooCommerce option.
 *
 * @since 3.5.0
 *
 * @param array $data
 */
public function update_page_option( $data ) {
   update_option( $data['option_name'], $data['editor_post_id'] );
}

The update_page_option handler (which passes its input straight to WordPress core’s update_option) “is supposed to allow the Administrator or the Shop Manager to update some specific WooCommerce options, but user input isn’t validated and the function lacks a capability check to restrict its access to a high privileged user only,” Bruandet explained. He continued:

Elementor uses its own AJAX handler to manage most of its AJAX actions, including pro_woocommerce_update_page_option, with the global elementor_ajax action. It is located in the “elementor/core/common/modules/ajax/module.php” script of the free version (which is required to run Elementor Pro):

/**
 * Handle ajax request.
 *
 * Verify ajax nonce, and run all the registered actions for this request.
 *
 * Fired by `wp_ajax_elementor_ajax` action.
 *
 * @since 2.0.0
 * @access public
 */
public function handle_ajax_request() {
   if ( ! $this->verify_request_nonce() ) {
      $this->add_response_data( false, esc_html__( 'Token Expired.', 'elementor' ) )
         ->send_error( Exceptions::UNAUTHORIZED );
   }
   ...
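The nonce check above only proves the request came from a logged-in user’s editor session, which a subscriber or customer also has. As an added example, not Elementor’s actual 3.11.7 patch, here is how update_page_option can be hardened: a capability check, an allow-list of option names, and a validated value. The class wrapper stands in for the WooCommerce module class shown above, the allow-listed option names are assumed to be the page options the action was meant to manage, and the example assumes Elementor’s AJAX manager turns thrown exceptions into error responses.

```php
<?php
// Added example (not Elementor's own code): hardened rewrite of update_page_option().
// Stand-in for the ElementorPro WooCommerce Module class; other methods omitted.
class Module {

	/** Assumed list of the page options this action may update; everything else is refused. */
	const ALLOWED_PAGE_OPTIONS = [
		'woocommerce_shop_page_id',
		'woocommerce_cart_page_id',
		'woocommerce_checkout_page_id',
		'woocommerce_myaccount_page_id',
	];

	public function update_page_option( $data ) {
		// 1. Capability check. The AJAX nonce only shows the caller is logged in,
		//    so require a capability that subscribers and customers do not have
		//    (administrators and shop managers carry manage_woocommerce).
		if ( ! current_user_can( 'manage_woocommerce' ) ) {
			throw new \Exception( 'You do not have permission to change store settings.' );
		}

		// 2. Never pass a caller-chosen option name to update_option(): this is what
		//    let siteurl, users_can_register, default_role and admin_email be rewritten.
		$option_name = isset( $data['option_name'] ) ? sanitize_key( $data['option_name'] ) : '';
		if ( ! in_array( $option_name, self::ALLOWED_PAGE_OPTIONS, true ) ) {
			throw new \Exception( 'Option is not managed by this action.' );
		}

		// 3. The value must be the ID of an existing page, not free-form text
		//    such as an external URL or a role name.
		$post_id = isset( $data['editor_post_id'] ) ? absint( $data['editor_post_id'] ) : 0;
		if ( 0 === $post_id || 'page' !== get_post_type( $post_id ) ) {
			throw new \Exception( 'Invalid page ID.' );
		}

		update_option( $option_name, $post_id );

		// Assumed response shape; Elementor's manager returns action data as JSON.
		return [ 'option_name' => $option_name, 'value' => $post_id ];
	}
}
```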

Anyone using Elementor Pro should ensure they’re running 3.11.7 or later, as all previous versions are vulnerable. It’s also a good idea for these users to check their sites for the signs of infection listed in the PatchStack post.

Source: https://arstechnica.com/information-technology/2023/03/hackers-exploit-wordpress-plugin-flaw-that-gives-full-control-of-millions-of-sites

WiFi protocol flaw allows attackers to hijack network traffic

Cybersecurity researchers have discovered a fundamental security flaw in the design of the IEEE 802.11 WiFi protocol standard, allowing attackers to trick access points into leaking network frames in plaintext form.

WiFi frames are data containers consisting of a header, data payload, and trailer, which include information such as the source and destination MAC address, control, and management data.

These frames are ordered in queues and transmitted in a controlled manner to avoid collisions and to maximize data exchange performance by monitoring the busy/idle states of the receiving points.

The researchers found that queued/buffered frames are not adequately protected from adversaries, who can manipulate data transmission, spoof clients, redirect frames, and capture them.

“Our attacks have a widespread impact as they affect various devices and operating systems (Linux, FreeBSD, iOS, and Android) and because they can be used to hijack TCP connections or intercept client and web traffic,” reads the technical paper published yesterday by Domien Schepers and Aanjhan Ranganathan of Northeastern University, and Mathy Vanhoef of imec-DistriNet, KU Leuven.

Power-saving flaw

The IEEE 802.11 standard includes power-save mechanisms that allow WiFi devices to conserve power by buffering or queuing frames destined for sleeping devices.

When a client station (receiving device) enters sleep mode, it sends a frame to the access point with a header that contains the power-saving bit, so all frames destined for it are queued.

The standard, however, does not provide explicit guidance on managing the security of these queued frames and does not set limitations like how long the frames can stay in this state.

Once the client station wakes up, the access point dequeues the buffered frames, applies encryption, and transmits them to the destination.

An attacker can spoof the MAC address of a device on the network and send power-saving frames to access points, forcing them to start queuing frames destined for the target. Then, the attacker transmits a wake-up frame to retrieve the frame stack.

The transmitted frames are usually encrypted using the group-addressed encryption key, shared among all the devices in the WiFi network, or a pairwise encryption key, which is unique to each device and used to encrypt frames exchanged between two devices.

However, the attacker can change the security context of the frames by sending authentication and association frames to the access point, thus forcing it to transmit the frames in plaintext form or encrypt them with an attacker-provided key.

[Figure: Attack diagram (papers.mathyvanhoef.com)]

This attack is possible using custom tools created by the researchers called MacStealer, which can test WiFi networks for client isolation bypasses and intercept traffic destined for other clients at the MAC layer.

The researchers report that network device models from Lancom, Aruba, Cisco, Asus, and D-Link are known to be affected by these attacks, with the complete list below.

[Figure: Devices tested by the analysts; tested devices found vulnerable (papers.mathyvanhoef.com)]

The researchers warn that these attacks could be used to inject malicious content, such as JavaScript, into TCP packets.

“An adversary can use their own Internet-connected server to inject data into this TCP connection by injecting off-path TCP packets with a spoofed sender IP address,” warn the researchers.

“This can, for instance, be abused to send malicious JavaScript code to the victim in plaintext HTTP connections with as goal to exploit vulnerabilities in the client’s browser.”

While this attack could also be used to snoop on traffic, the impact would be limited because most web traffic is encrypted using TLS.

The technical details and research are available in a USENIX Security 2023 paper, which will be presented at the upcoming BlackHat Asia conference on May 12, 2023.

Cisco acknowledges flaw

The first vendor to acknowledge the impact of the WiFi protocol flaw is Cisco, admitting that the attacks outlined in the paper may be successful against Cisco Wireless Access Point products and Cisco Meraki products with wireless capabilities.

However, Cisco says that the retrieved frames are unlikely to jeopardize the overall security of a properly secured network.

“This attack is seen as an opportunistic attack, and the information gained by the attacker would be of minimal value in a securely configured network.” – Cisco.

Still, the firm recommends applying mitigation measures like using policy enforcement mechanisms through a system like Cisco Identity Services Engine (ISE), which can restrict network access by implementing Cisco TrustSec or Software Defined Access (SDA) technologies.

“Cisco also recommends implementing transport layer security to encrypt data in transit whenever possible because it would render the acquired data unusable by the attacker,” reads the Cisco security advisory.

Currently, there are no known cases of malicious use of the flaw discovered by the researchers.

Source: https://www.bleepingcomputer.com/news/security/wifi-protocol-flaw-allows-attackers-to-hijack-network-traffic/

PSA: Update Now! Critical Authentication Bypass in WooCommerce Payments Allows Site Takeover

The Wordfence Threat Intelligence team regularly monitors plugin updates and reviews any indicating that a potential security issue may have been addressed. Today, March 23, 2023, we noticed that the “WooCommerce Payments – Fully Integrated Solution Built and Supported by Woo” plugin had been updated to version 5.6.2 with a changelog entry marked simply “Security update.”

After reviewing the update we determined that it removed vulnerable code that could allow an unauthenticated attacker to impersonate an administrator and completely take over a website without any user interaction or social engineering required.

We developed a Proof of Concept and began writing and testing a firewall rule immediately.

Regardless of the version of Wordfence you are using, we urge you to update to the latest version of the WooCommerce Payments plugin, which is 5.6.2 as of this writing, immediately. WooCommerce Payments is installed on over 500,000 sites, and this is a critical-severity vulnerability.

[ed note: All clients of ProtectYourWP.com have already been updated]

Source and more details: https://www.wordfence.com/blog/2023/03/psa-update-now-critical-authentication-bypass-in-woocommerce-payments-allows-site-takeover

See also: https://developer.woocommerce.com/2023/03/23/critical-vulnerability-detected-in-woocommerce-payments-what-you-need-to-know/

Multiple Reflected Cross-Site Scripting Vulnerabilities in Three WordPress Plugins Patched

The Wordfence Threat Intelligence Team recently disclosed several Reflected Cross-Site Scripting vulnerabilities that we discovered in three different plugins – Watu Quiz (installed on 5,000 sites), GN-Publisher (installed on 40,000 sites), and Japanized For WooCommerce (installed on 10,000 sites). As with all Reflected Cross-Site Scripting vulnerabilities, these could be leveraged for a complete site takeover as long as an unauthenticated attacker could successfully trick a site administrator into performing an action, such as clicking on a link or visiting a website under the attacker’s control.

All Wordfence customers, including those using the free version of our plugin, are protected against any exploits targeting these vulnerabilities by the Wordfence firewall’s built-in Cross-Site Scripting protection.

Source and more details: https://www.wordfence.com/blog/2023/03/multiple-reflected-cross-site-scripting-vulnerabilities-in-three-wordpress-plugins-patched

Vulnerability Patched in Cozmolabs Profile Builder Plugin – Information Disclosure Leads to Account Takeover

Hundreds, if not thousands of WordPress plugins are conceived with the idea of making site building and maintenance easier for site owners. They add features not available in WordPress Core that would otherwise require site owners to write their own code to extend functionality. However, these well-intentioned plugins may sometimes contain seemingly innocuous bugs that can lead to catastrophic consequences.

On Tuesday, February 7th, 2023, prominent WordPress vulnerability researcher István Márton, also known as Lana Codes, reached out to the Wordfence Threat Intelligence team to responsibly disclose an information disclosure vulnerability in Cozmolabs Profile Builder, a WordPress plugin designed to enhance the user profile and registration experience with a reported 60,000+ active installations. If exploited, this vulnerability allows threat actors to gain elevated privileges by taking over arbitrary accounts.

Wordfence researchers quickly assessed the vulnerability and deployed a firewall rule to protect customers from exploitation. Premium Wordfence customers received that protection on February 13, 2023, as well as an additional firewall rule for extended protection on February 14, 2023. Sites still running the free version of Wordfence will receive the same protection 30 days later, on March 14 and March 15, 2023, respectively.

In coordination with Márton, Cozmolabs quickly released a fix in Profile Builder version 3.9.1 on February 13, 2023, only 6 days after the vulnerability’s discovery.

Source and more details: https://www.wordfence.com/blog/2023/03/vulnerability-patched-in-cozmolabs-profile-builder-plugin-information-disclosure-leads-to-account-takeover

Yoast SEO <= 20.2 – Authenticated (Contributor+) DOM-Based Cross-Site Scripting

Please note: The Wordfence team is still assessing this vulnerability and will add more details as they become available. The Yoast SEO plugin for WordPress is vulnerable to DOM-based Cross-Site Scripting via individual post SEO details in versions up to, and including, 20.2 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers with contributor-level permissions and above to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

PYWP clients have already been updated to the latest (patched) version.

Source and more details: https://www.wordfence.com/threat-intel/vulnerabilities/wordpress-plugins/wordpress-seo/yoast-seo-202-authenticated-contributor-dom-based-cross-site-scripting