PSA: Wordfence Brand Being Actively Used in Phishing Campaigns

Earlier this week we became aware that malicious actors are using the Wordfence brand image to run a phishing scam against WordPress and Wordfence users: the emails pose as unknown-login notifications from the recipient's own website but link to a fake login page, clearly aiming to steal WordPress login credentials.

If you have received a suspicious email like this you may want to ensure it is legitimate by checking a couple of telltale signs:

  • Wordfence notifications from your website will be sent from an email address matching your website (usually wordfence[@]your-website-domain).
  • Messages sent through our mailing list are sent exclusively from list@wordfence.com, and will display an unsubscribe link at the end of the message.
  • Wordfence login notifications from your website are not signed by our CEO and founder, Mark Maunder.

Details

This phishing campaign appears to be running via several custom domains, usually posing as Wordfence (or the Wordfence Team); for example:

  • From: Wordfence <matteo.fish[@]germanrottweillerpuppies.net>
  • From: Wordfence Team <jamir.bahhar[@]acmesecurityconcepts.com>
  • From: Wordfence <thea.santana[@]iznacquisitions.com>

The most important thing to be aware of for WordPress site owners is that in this phishing campaign, the WordPress login link found in the email will not direct to their own site. We have seen these emails link to several legitimate, but vulnerable, websites as part of their campaign, using open redirect vulnerabilities to minimize the risk of being detected as spam/phishing messages by mail security software.
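The three telltale signs above and the off-site login link described in this paragraph can be checked mechanically. The following script is an added example, not code from the Wordfence post: it parses a raw email, applies the sender rules the post gives (site notifications come from the site's own domain, mailing-list messages only from list@wordfence.com with an unsubscribe link, no Mark Maunder signature on a login notification) and flags any link whose host is not the site itself. SITE_DOMAIN, the two sample messages and the function names are constructed for illustration.

```python
"""Apply the telltale-sign checks to a raw email.

Added example, not code from the Wordfence post. SITE_DOMAIN, the sample
messages and the function names are constructed for illustration; the sender
rules themselves are the ones the post lists.
"""
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

SITE_DOMAIN = "example-site.test"            # assumption: our own WordPress site's domain
WORDFENCE_LIST_SENDER = "list@wordfence.com"  # from the post: the only mailing-list sender
LINK_RE = re.compile(r"https?://[^\s\"'<>]+")


def is_trusted_link_host(host: str) -> bool:
    """True only for our own site or wordfence.com itself (exact or a subdomain, not 'evilwordfence.com')."""
    return host == SITE_DOMAIN or host == "wordfence.com" or host.endswith(".wordfence.com")


def triage(raw_message: str) -> list:
    """Return the reasons a message fails the checks; an empty list means it passed them all."""
    msg = message_from_string(raw_message)
    _, addr = parseaddr(msg.get("From", ""))
    addr = addr.lower()
    sender_domain = addr.rsplit("@", 1)[-1] if "@" in addr else ""
    subject = msg.get("Subject", "")
    body = msg.get_payload()              # samples are single-part text/plain
    reasons = []

    # Signs 1 and 2: who is allowed to send a Wordfence-branded message at all?
    if sender_domain == SITE_DOMAIN:
        pass                              # a genuine notification from our own site
    elif addr == WORDFENCE_LIST_SENDER:
        if "unsubscribe" not in body.lower():
            reasons.append("mailing-list sender without an unsubscribe link")
    else:
        reasons.append(f"sender {addr!r} is neither {SITE_DOMAIN} nor {WORDFENCE_LIST_SENDER}")

    # A login link in a site notification must lead back to the site itself,
    # not through some other (possibly open-redirecting) host.
    for url in LINK_RE.findall(body):
        host = (urlparse(url).hostname or "").lower()
        if not is_trusted_link_host(host):
            reasons.append(f"link leads to {host!r}, not to {SITE_DOMAIN}")

    # Sign 3: real login notifications are not signed by the CEO.
    if "login" in subject.lower() and "mark maunder" in body.lower():
        reasons.append("login notification signed by Mark Maunder")
    return reasons


# Constructed samples: a genuine-looking site notification and a phish with an
# off-site link and a CEO signature. Domains use the reserved .test/.invalid TLDs.
LEGIT_NOTIFICATION = """\
From: Wordfence <wordfence@example-site.test>
To: admin@example-site.test
Subject: Admin Login

A user with username "admin" signed in to your site from a new device.
Review: https://example-site.test/wp-admin/admin.php?page=Wordfence
"""

PHISHING_SAMPLE = """\
From: Wordfence <noreply@phish-sender.invalid>
To: admin@example-site.test
Subject: Unknown login detected on your site

Someone signed in to your WordPress site from an unknown device.
Verify now: https://redirector.invalid/out?url=https://fake-login.invalid/wp-login.php

Mark Maunder
CEO and Founder, Wordfence
"""

if __name__ == "__main__":
    for name, sample in (("legit", LEGIT_NOTIFICATION), ("phish", PHISHING_SAMPLE)):
        print(name, triage(sample) or "passes the checks")
```

The host check is deliberately exact-or-subdomain rather than a substring match, so a look-alike such as evilwordfence.com is not trusted; and because a redirect link carries the real destination only in its query string, judging the visible host is enough to flag it.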

Source and more details: https://www.wordfence.com/blog/2023/07/psa-wordfence-brand-being-actively-used-in-phishing-campaigns

“Never Assume Anything” – Unauthenticated Stored Cross-Site Scripting Vulnerability Exposed in 14 Email Logging Plugins

“Never Assume Anything” – that is the 4th Guiding Principle written in the Security section of the WordPress Common APIs Handbook for developers. When it comes to WordPress plugin security, assumptions can be dangerous. This became evident when the Wordfence Threat Intelligence team discovered an Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in 14 different email logging plugins. The common thread? An assumption that the contents of emails generated within a WordPress instance could not be influenced by external actors. This oversight potentially exposed over 600,000 users to significant security risks.

We contacted all affected vendors after initial discovery, between June 4, 2023 and June 11, 2023. Some developers were responsive while others were not; however, all plugins except one received updates to address these vulnerabilities.

All Wordfence users are protected against any exploits targeting these vulnerabilities by the Wordfence firewall’s built-in Cross-Site Scripting protection.
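To make the faulty assumption concrete, here is a minimal model of an email-logging plugin. It is an added example, not code from any of the 14 plugins or from the Wordfence post: log_email() stands in for a plugin hooking wp_mail() and storing the message, the two render functions stand in for its admin log viewer, and the comment-notification route is an assumed illustration of how unauthenticated input ends up inside an email. html.escape() plays the role that WordPress's esc_html() would in real plugin code.

```python
"""Why "email contents cannot be influenced by external actors" is a bad
assumption: a minimal model of an email-logging plugin.

Added example, not code from any affected plugin or from the Wordfence post.
Plugin behaviour is simulated; the comment-notification path is an assumed
example of external input reaching an email.
"""
import html


def log_email(log: list, to: str, subject: str, message: str) -> None:
    """Simulated logging hook: store a copy of every outgoing email, as the affected plugins do."""
    log.append({"to": to, "subject": subject, "message": message})


def notify_admin_of_comment(log: list, author_name: str, comment_text: str) -> None:
    """Assumed path for external input: an unauthenticated visitor's comment becomes an email to the admin."""
    log_email(log, "admin@example-site.test",
              f"New comment from {author_name}",
              f"{author_name} wrote:\n{comment_text}")


def render_log_vulnerable(log: list) -> str:
    """The flawed viewer: trusts logged subjects/messages and writes them straight into HTML."""
    rows = "".join(f"<tr><td>{e['subject']}</td><td>{e['message']}</td></tr>" for e in log)
    return f"<table>{rows}</table>"


def render_log_hardened(log: list) -> str:
    """The fix: escape at output time, whatever the email's origin (esc_html() in WordPress)."""
    rows = "".join(
        f"<tr><td>{html.escape(e['subject'])}</td><td>{html.escape(e['message'])}</td></tr>"
        for e in log
    )
    return f"<table>{rows}</table>"


if __name__ == "__main__":
    log = []
    # Constructed attacker input: a comment author name that is really a script tag.
    notify_admin_of_comment(log, "<script>alert(1)</script>", "Nice post!")
    print(render_log_vulnerable(log))   # the tag survives into the admin page
    print(render_log_hardened(log))     # the tag is rendered as inert text
```

The point of escaping in the viewer rather than at logging time is that the viewer cannot know which of the many code paths that call wp_mail() carried external input; treating every stored field as untrusted removes the need to know.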

Affected Plugins

Below is a table detailing the affected plugins, along with their respective slugs, CVEs, links, reported dates, disclosed dates, and fixed versions.

Plugin Name       | Plugin Slug       | CVE           | Reported Date | Disclosed Date | Fixed Version
------------------|-------------------|---------------|---------------|----------------|---------------------------------------
WP Mail Catcher   | wp-mail-catcher   | CVE-2023-3080 | June 4, 2023  | June 8, 2023   | 1.11.1
WP Mail Logging   | wp-mail-logging   | CVE-2023-3081 | June 1, 2023  | June 7, 2023   | 1.11.1
Post SMTP         | post-smtp         | CVE-2023-3082 | June 1, 2023  | July 10, 2023  | 2.5.8
WP Mail Log       | wp-mail-log       | CVE-2023-3088 | June 1, 2023  | July 4, 2023   | 1.1.2
FluentSMTP        | fluent-smtp       | CVE-2023-3087 | June 2, 2023  | July 5, 2023   | 2.2.5
SMTP Mail         | smtp-mail         | CVE-2023-3092 | June 2, 2023  | July 4, 2023   | Plugin closed. Awaiting fixed release.
YaySMTP           | yaysmtp           | CVE-2023-3093 | June 2, 2023  | June 11, 2023  | 2.4.6
GD Mail Queue     | gd-mail-queue     | CVE-2023-3122 | June 5, 2023  | June 8, 2023   | 4.0
Mailtree Log Mail | mailtree-log-mail | CVE-2023-3135 | June 5, 2023  | June 19, 2023  | 1.0.1
MailArchiver      | mailarchiver      | CVE-2023-3136 | June 5, 2023  | July 11, 2023  | 2.11.0
Mail Control      | mail-control      | CVE-2023-3158 | June 6, 2023  | July 9, 2023   | Plugin closed. No fix.
Lana Email Logger | lana-email-logger | CVE-2023-3166 | June 6, 2023  | June 7, 2023   | 1.1.0
Mail Queue        | mail-queue        | CVE-2023-3167 | June 6, 2023  | June 21, 2023  | 1.2
WP Reroute Email  | wp-reroute-email  | CVE-2023-3168 | June 7, 2023  | July 4, 2023   | 1.5.0

Source and more details: https://www.wordfence.com/blog/2023/07/never-assume-anything-unauthenticated-stored-cross-site-scripting-vulnerability-exposed-in-14-email-logging-plugins/

Massive Targeted Exploit Campaign Against WooCommerce Payments Underway

The Wordfence Threat Intelligence team has been monitoring an ongoing exploit campaign targeting a recently disclosed vulnerability in WooCommerce Payments, a plugin installed on over 600,000 sites. Large-scale attacks against the vulnerability, assigned CVE-2023-28121, began on Thursday, July 14, 2023 and continued over the weekend, peaking at 1.3 million attacks against 157,000 sites on Saturday, July 16, 2023.

The exploit allows unauthenticated attackers to obtain administrative privileges on vulnerable websites, giving it a Critical CVSS score of 9.8. This makes it an appealing target, and this attack campaign confirms the prediction of large-scale attacks made in our original coverage of the vulnerability.

All Wordfence users, including Wordfence free users, have been protected against this vulnerability since April 22, 2023 via a Firewall rule we developed to block exploit attempts. Wordfence Premium, Care, and Response sites received protection even earlier, on March 23, 2023. Versions 4.8.0 – 5.6.1 of the WooCommerce Payments plugin are vulnerable.

The Wordfence Intelligence Dashboard showing attacks against WooCommerce Payments

Readers can continue watching this and other trends on the Wordfence Intelligence dashboard, where it is currently the most heavily-attacked unique WordPress vulnerability.

Unlike many other large-scale campaigns which typically attack millions of sites indiscriminately, this one seems to be targeted against a smaller set of websites. What’s particularly interesting is that we began seeing early warning signs several days before the main wave of attacks – an increase in plugin enumeration requests searching for a readme.txt file in the wp-content/plugins/woocommerce-payments/ directory of millions of sites.
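The early-warning sign described here is visible in an individual site's access log as well. The following is an added example, not from the Wordfence post: it parses web-server log lines in Apache/nginx combined format, picks out requests for wp-content/plugins/<slug>/readme.txt, reports which plugin slugs are being looked for and flags the sources that probed more than one. The log lines are constructed (documentation IP ranges, reserved paths) and the function names and threshold are my own choices.

```python
"""Spotting plugin-enumeration probes (requests for a plugin's readme.txt)
in a site's access log.

Added example, not from the Wordfence post. The log lines below are constructed
in combined log format; function names and the flagging threshold are assumptions.
"""
import re
from collections import Counter, defaultdict

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
README_RE = re.compile(r"^/wp-content/plugins/(?P<slug>[^/]+)/readme\.txt$")

# Constructed sample: one source sweeping three plugin readmes (two of them 404,
# i.e. plugins this site does not have), one ordinary visitor, one single probe.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jul/2023:03:14:01 +0000] "GET /wp-content/plugins/woocommerce-payments/readme.txt HTTP/1.1" 200 1872
203.0.113.7 - - [10/Jul/2023:03:14:02 +0000] "GET /wp-content/plugins/ultimate-member/readme.txt HTTP/1.1" 404 512
203.0.113.7 - - [10/Jul/2023:03:14:02 +0000] "GET /wp-content/plugins/user-registration/readme.txt HTTP/1.1" 404 512
198.51.100.4 - - [10/Jul/2023:03:15:10 +0000] "GET /shop/ HTTP/1.1" 200 40211
198.51.100.4 - - [10/Jul/2023:03:15:11 +0000] "GET /wp-content/uploads/2023/07/banner.png HTTP/1.1" 200 90112
192.0.2.9 - - [10/Jul/2023:03:20:45 +0000] "GET /wp-content/plugins/woocommerce-payments/readme.txt?v=1 HTTP/1.1" 200 1872
192.0.2.9 - - [10/Jul/2023:03:20:50 +0000] "POST /wp-login.php HTTP/1.1" 200 3301
"""


def parse_probes(log_text: str) -> list:
    """Return (ip, slug, status) for every request that asks for a plugin's readme.txt."""
    probes = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                                  # skip lines not in combined format
        path = m.group("path").split("?", 1)[0]       # ignore cache-busting query strings
        r = README_RE.match(path)
        if r:
            probes.append((m.group("ip"), r.group("slug"), int(m.group("status"))))
    return probes


def probes_by_slug(log_text: str) -> Counter:
    """Which plugins are being looked for? A rise in one slug is the signal described above."""
    return Counter(slug for _, slug, _ in parse_probes(log_text))


def flag_scanners(log_text: str, min_probes: int = 2) -> list:
    """(ip, probe count) for sources that probed at least min_probes readmes, most active first."""
    per_ip = defaultdict(Counter)
    for ip, slug, _ in parse_probes(log_text):
        per_ip[ip][slug] += 1
    flagged = [(ip, sum(c.values())) for ip, c in per_ip.items() if sum(c.values()) >= min_probes]
    return sorted(flagged, key=lambda t: (-t[1], t[0]))


if __name__ == "__main__":
    print("probes per plugin slug:", dict(probes_by_slug(SAMPLE_LOG)))
    print("sources probing 2+ readmes:", flag_scanners(SAMPLE_LOG))
```

Trending probes_by_slug() per day is the single-site version of the signal the post saw across millions of sites: a plugin whose readme suddenly draws far more requests than usual is one attackers are about to target, which is a reason to check that it is patched before the main wave arrives.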

Source and more details: https://www.wordfence.com/blog/2023/07/massive-targeted-exploit-campaign-against-woocommerce-payments-underway

Interesting Arbitrary File Upload Vulnerability Patched in User Registration WordPress Plugin

On June 19, 2023, the Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Arbitrary File Upload vulnerability in WPEverest’s User Registration plugin, which is actively installed on more than 60,000 WordPress websites. This vulnerability makes it possible for an authenticated attacker with minimal permissions, such as a subscriber, to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server.

All users of Wordfence received a firewall rule to protect against any exploits targeting this vulnerability by July 20, 2023.

We contacted WPEverest on June 19, 2023, and received a response the same day. After we provided full disclosure details, the developer released the first patch, which did not fully address the vulnerability, in version 3.0.2 on June 29, 2023. A fully patched version, 3.0.2.1, was released on July 4, 2023. We would like to commend the WPEverest development team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of User Registration, which is version 3.0.2.1 at the time of this writing, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2023/07/interesting-arbitrary-file-upload-vulnerability-patched-in-user-registration-wordpress-plugin

Arbitrary User Password Change Vulnerability in LearnDash LMS WordPress Plugin

On June 5, 2023, the Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Arbitrary User Password Change vulnerability in the LearnDash LMS plugin, which is actively installed on more than 100,000 WordPress websites according to our estimates. This vulnerability makes it possible for any user with an existing account to reset arbitrary user passwords, including those of accounts with administrative-level access.

Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on June 5, 2023. Sites still using the free version of Wordfence received the same protection on July 5, 2023.

Wordfence contacted the LearnDash team on June 5, 2023, and received a response the same day. After providing full disclosure details, the developer released a patch on June 6, 2023. We would like to commend the LearnDash support and development team for their prompt response and timely patch, which was released in just one day.

We urge users to update their sites with the latest patched version of LearnDash LMS, version 4.6.0.1 at the time of this writing, as soon as possible considering this is a vulnerability with a critical impact.

Source and details: https://www.wordfence.com/blog/2023/06/arbitrary-user-password-change-vulnerability-in-learndash-lms-wordpress-plugin

PSA: Unpatched Critical Privilege Escalation Vulnerability in Ultimate Member Plugin Being Actively Exploited

On June 29, 2023, the Wordfence Threat Intelligence Team became aware of an unpatched privilege escalation vulnerability being actively exploited in Ultimate Member, a WordPress plugin installed on over 200,000 sites. We learned of it through the vulnerability changelog monitoring we perform to keep the Wordfence Intelligence Vulnerability Database up to date and accurate. Upon further investigation, we discovered that this vulnerability is being actively exploited and has not been adequately patched in the latest version available, which is 2.6.6 at the time of this writing.

Once we determined the root cause, we released a firewall rule to help protect our Wordfence Premium customers. Wordfence free users will receive the same protection in 30 days on July 29th, 2023. As the latest version of the plugin, 2.6.6, is not fully patched, we recommend uninstalling the plugin until a complete patch has been released.

Source and details: https://www.wordfence.com/blog/2023/06/psa-unpatched-critical-privilege-escalation-vulnerability-in-ultimate-member-plugin-being-actively-exploited

miniOrange Addresses Authentication Bypass Vulnerability in WordPress Social Login and Register WordPress Plugin

On May 28, 2023, the Wordfence Threat Intelligence team identified and began the responsible disclosure process for an Authentication Bypass vulnerability in miniOrange’s WordPress Social Login and Register plugin, which is actively installed on more than 30,000 WordPress websites. The vulnerability makes it possible for an unauthenticated attacker to gain access to any account on a site including accounts used to administer the site, if the attacker knows, or can find, the associated email address.

Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on June 2, 2023. Sites still using the free version of Wordfence received the same protection on July 2, 2023.

Wordfence contacted miniOrange on May 30, 2023, and received a response on June 2, 2023. After we provided full disclosure details, the developer released the first patch, which still contained a vulnerability, in version 7.6.4 on June 12, 2023. A fully patched version, 7.6.5, was released on June 14, 2023.

We urge users to ensure their sites have been updated with the latest patched version of WordPress Social Login and Register, which is version 7.6.5 at the time of this writing, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2023/06/miniorange-addresses-authentication-bypass-vulnerability-in-wordpress-social-login-and-register-wordpress-plugin