Several Critical Vulnerabilities Patched in AI ChatBot Plugin for WordPress

On September 28, 2023, the Wordfence Threat Intelligence team initiated the responsible disclosure process for multiple vulnerabilities in AI ChatBot, a WordPress plugin with over 4,000 active installations.

After making their initial contact attempt on September 28th, 2023, they received a response on September 29, 2023 and sent over their full disclosure details. Receipt of the disclosure by the vendor was acknowledged the same day and a fully patched version of the plugin was released on October 19, 2023.

Wordfence issued a firewall rule to protect paid customers. Users of the free Wordfence plugin will receive the same protection on October 29, 2023.

Please note that these vulnerabilities were originally fixed in 4.9.1 (released October 10, 2023). However, some of them were reintroduced in 4.9.2 and then subsequently patched again in 4.9.3. We recommend that all Wordfence users update to version 4.9.3 or higher immediately.

Source and full details: https://www.wordfence.com/blog/2023/10/several-critical-vulnerabilities-patched-in-ai-chatbot-plugin-for-wordpress

‘Log in with…’ Feature Allows Full Online Account Takeover for Millions

Hundreds of millions of users of Grammarly, Vidio, and the Indonesian e-commerce giant Bukalapak are at risk of financial fraud and credential theft due to OAuth misfires — and other online services likely have the same problems.

Flaws in the implementation of the Open Authorization (OAuth) standard across three prominent online services could have allowed attackers to take over hundreds of millions of user accounts on dozens of websites, exposing people to credential theft, financial fraud, and other cybercriminal activity. 

Researchers from Salt Labs discovered critical API misconfigurations on the sites of several online companies — artificial intelligence (AI)-powered writing tool Grammarly, online streaming platform Vidio, and Indonesian e-commerce site Bukalapak — that led them to believe that dozens of other sites are likely compromised in the same way, they revealed in a report published Oct. 24.

OAuth is a widely implemented standard for allowing for cross-platform authentication, familiar to most as the option to log in to an online site with another social media account, such as “Log in with Facebook” or “Log in with Google.” 

The recently discovered implementation flaws are among a series of issues in OAuth that the researchers have found in recent months, stretching across prominent online platforms and putting users at risk. Salt researchers had already discovered similar OAuth flaws in the Booking.com website and Expo — an open source framework for developing native mobile apps for iOS, Android, and other Web platforms using a single codebase — that could have allowed account takeover and full visibility into user personal or payment-card data. The Booking.com flaw also could have allowed log-in access to the website’s sister platform, Kayak.com.

The researchers refer broadly to the latest issue found in Vidio, Grammarly, and Bukalapak as a “Pass-The-Token” flaw, in which an attacker may use a token — the unique, secret site identifier used to verify the handoff — from a third-party site, typically owned by the attacker himself, to log in to another service.

“For example, if a user logged in to a site called mytimeplanner.com, which is owned by the attacker, the attacker could then use the user’s token and log in on his behalf to other sites, like Grammarly for instance,” Yaniv Balmas, vice president of research at Salt, explains to Dark Reading.

The researchers found the latest issues in Vidio, Bukalapak, and Grammarly between February and April, respectively, and notified the three companies in turn, which all responded in a timely way. The misconfigurations all have since been resolved in these particular services, but that’s not the end of the story. 

“Just these three sites are enough for us to prove our point, and we decided to not look for additional targets,” according to the report, “but we expect that thousands of other websites are vulnerable to the attack we detail in this post, putting billions of additional Internet users at risk every day.”

Various Ways to Misconfigure OAuth

The issue manifests itself differently on each of the three sites. On Vidio, an online streaming platform with 100 million monthly active users, the researchers found that when logging into the site through Facebook, the site did not verify the token — a check that the website’s developers, not OAuth itself, must perform. Because of this, an attacker could manipulate the API calls to insert an access token generated for a different application, the researchers found.

“This alternate token/AppID combination allowed the Salt Labs research team to impersonate a user on the Vidio site, which would have allowed massive account takeover on thousands of accounts,” the researchers wrote in the report.

Like Vidio, Bukalapak — which has more than 150 million monthly users — also didn’t verify the access token when users registered using a social login. In a similar way, the researchers could insert a token from another website to access a user’s credentials and completely take over that user’s account.

The OAuth issue discovered on Grammarly — which helps more than 30 million daily users improve their writing by offering grammar, punctuation, spelling checks, and other writing tips — manifested itself slightly differently.

The researchers found that by doing reconnaissance on the API calls and learning the terminology the Grammarly site uses to send the code, they could manipulate the API exchange to insert code used to verify users on a different site and, again, obtain the credentials of a user’s account and achieve full account takeover.
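As an added example (not code from the Salt Labs report or from any of the affected sites), the following Python simulates the two login paths the section describes: one that trusts whichever user the submitted token belongs to, and one that also checks the token was issued to this application before creating a session. The provider, its endpoints, and every token, app ID and user ID are constructed stand-ins.

```python
"""
Pass-the-Token check.  The flaw above: a site took an OAuth access token from
the client and logged in whichever user it belonged to, without checking that
the token had been issued to *this* application.  The identity provider is
simulated with an in-memory table so this runs offline; every token, app ID
and user ID below is a constructed sample value.
"""

OUR_APP_ID = "100000000000001"       # constructed: the relying site's own app ID
ATTACKER_APP_ID = "200000000000009"  # constructed: an app registered by the attacker
NOW = 1_700_000_000                  # fixed clock so the results are deterministic

# Constructed stand-in for the provider's token store: each token records the
# application it was issued to and the user who authorised it.
PROVIDER_TOKENS = {
    "tok-our-app":      {"app_id": OUR_APP_ID,      "user_id": "u-42", "is_valid": True,  "expires_at": NOW + 3600},
    "tok-attacker-app": {"app_id": ATTACKER_APP_ID, "user_id": "u-42", "is_valid": True,  "expires_at": NOW + 3600},
    "tok-expired":      {"app_id": OUR_APP_ID,      "user_id": "u-42", "is_valid": False, "expires_at": NOW - 10},
}

def provider_me(token):
    """Simulated profile call (a /me-style endpoint): whose token is this?"""
    rec = PROVIDER_TOKENS.get(token)
    if rec is None:
        raise LookupError("unknown token")
    return {"id": rec["user_id"]}

def provider_introspect(token):
    """Simulated introspection call (a debug_token-style endpoint): the token's
    metadata, including the application it was issued to."""
    rec = PROVIDER_TOKENS.get(token)
    if rec is None:
        raise LookupError("unknown token")
    return dict(rec)

def login_vulnerable(token):
    """The misconfiguration in the article: ask only whose token this is, then
    log that user in.  A token minted for the attacker's own application (the
    mytimeplanner.com scenario quoted above) is accepted just the same."""
    return provider_me(token)["id"]

def login_hardened(token, now=NOW):
    """Accept only a live token issued to this application whose subject
    matches the profile the token returns."""
    meta = provider_introspect(token)
    if meta["app_id"] != OUR_APP_ID:
        raise PermissionError("token was issued to a different application")
    if not meta["is_valid"] or meta["expires_at"] <= now:
        raise PermissionError("token is invalid or expired")
    profile = provider_me(token)
    if profile["id"] != meta["user_id"]:
        raise PermissionError("token subject does not match profile")
    return profile["id"]

def accepts(login_fn, token):
    """True if login_fn would establish a session for this token."""
    try:
        login_fn(token)
        return True
    except (PermissionError, LookupError):
        return False

if __name__ == "__main__":
    for tok in PROVIDER_TOKENS:
        print(f"{tok:17} vulnerable={accepts(login_vulnerable, tok)!s:5} "
              f"hardened={accepts(login_hardened, tok)}")
```

The attacker-app token is the interesting row: the vulnerable path logs in u-42 with it, while the hardened path rejects it because its app_id is not ours.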

Secure OAuth From the Start

OAuth itself is well-designed, and the major OAuth providers such as Google and Facebook have secure servers protecting them on the back end. However, those developing the services and sites that leverage the standard to perform the authentication handoff often create issues that render the exchange inherently insecure even if the site appears to function properly, Balmas says.

“It is very easy for anyone to add social-login functionality to his website … and everything will actually work quite fine,” he says. “However, without the proper knowledge and awareness, it is very easy to leave cracks that the attacker will be able to abuse and achieve very serious impact on all the website users.”

For this reason, sites and services that rely on OAuth must get the implementation itself right, which may require developers to do some homework before building the standard into the site.

“Web services who wish to implement social login or any other OAuth-related functionalities should make sure they have a solid understanding of how OAuth works and common pitfalls that may have potential for being abused,” he says.

Developers can also use third-party tools that monitor for anomalies and deviations from typical behavior and which may identify as-yet unknown attacks, providing a safety net for the site and thus all of its users, Balmas adds.

Source: ‘Log in with…’ Feature Allows Full Online Account Takeover for Millions (darkreading.com)

4 Million WordPress Sites affected by Stored Cross-Site Scripting Vulnerability in LiteSpeed Cache Plugin

On August 14, 2023, the Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting (XSS) vulnerability in LiteSpeed Cache plugin, which is actively installed on more than 4,000,000 WordPress websites, making it the most popular cache plugin. The vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages using the plugin’s shortcode.

All Wordfence customers are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Cross-Site Scripting protection.

Wordfence contacted the LiteSpeed Cache team on August 14, 2023, and received a response on the same day. After receiving full disclosure details, the developer team made a patch on August 16, 2023, and released it to the WordPress repository on October 10, 2023. Wordfence commended LiteSpeed Technologies for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of LiteSpeed Cache, version 5.7 at the time of this writing, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2023/10/4-million-wordpress-sites-affected-by-stored-cross-site-scripting-vulnerability-in-lightspeed-cache-plugin

4 Million WordPress Sites affected by Stored Cross-Site Scripting Vulnerability in LiteSpeed Cache Plugin

The popular LiteSpeed WordPress plugin patched a vulnerability that compromised over 4 million websites, allowing hackers to upload malicious scripts.

LiteSpeed was notified of the vulnerability two months ago on August 14th and released a patch in October.

Cross-Site Scripting (XSS) Vulnerability

Wordfence discovered a Cross-Site Scripting (XSS) vulnerability in the LiteSpeed plugin, the most popular WordPress caching plugin in the world.

XSS vulnerabilities generally arise from the absence of a security process called data sanitization and escaping.

Sanitization is a technique that filters what kind of files can be uploaded via a legitimate input, like on a contact form.

In the specific LiteSpeed vulnerability, the implementation of a shortcode feature allowed a malicious hacker to upload scripts they otherwise would not have been able to, had the proper sanitization and escaping of data been in place.

The WordPress developer page describes the sanitization security practice:

“Untrusted data comes from many sources (users, third party sites, even your own database!) and all of it needs to be checked before it’s used.

…Sanitizing input is the process of securing/cleaning/filtering input data.”

Another WordPress developer page describes the recommended process of escaping data like this:

“Escaping output is the process of securing output data by stripping out unwanted data, like malformed HTML or script tags.

This process helps secure your data prior to rendering it for the end user.”

This specific vulnerability requires that the hacker first obtain contributor-level permissions in order to carry out the attack, which makes it more complicated to exploit than unauthenticated threats (those requiring no permission level).

According to Wordfence:

“This makes it possible for threat actors to carry out stored XSS attacks. Once a script is injected into a page or post, it will execute each time a user accesses the affected page.

While this vulnerability does require that a trusted contributor account is compromised, or a user be able to register as a contributor, successful threat actors could steal sensitive information, manipulate site content, inject administrative users, edit files, or redirect users to malicious websites which are all severe consequences.”

Which Versions of LiteSpeed Plugin Are Vulnerable?

Versions 5.6 and earlier of the LiteSpeed Cache plugin are vulnerable to the XSS attack.

Users of LiteSpeed Cache are encouraged to update the plugin as soon as possible to the latest version, 5.7, which was released on October 10, 2023.

Source and more details: https://www.wordfence.com/blog/2023/10/4-million-wordpress-sites-affected-by-stored-cross-site-scripting-vulnerability-in-lightspeed-cache-plugin/

See also: https://www.searchenginejournal.com/wordpress-litespeed-plugin-vulnerability-affects-4-million-websites/499074/

WordPress 6.3.2 – Maintenance and Security release

This security and maintenance release features 19 bug fixes on Core, 22 bug fixes for the Block Editor, and 8 security fixes.

WordPress 6.3.2 is a short-cycle release. You can review a summary of the maintenance updates in this release by reading the Release Candidate announcement. Because this is a security release, it is recommended that you update your sites immediately. Backports are also available for other major WordPress releases, 4.1 and later.

The next major release will be version 6.4 planned for 7 November 2023.

If you have sites that support automatic background updates, the update process will begin automatically.

You can download WordPress 6.3.2 from WordPress.org, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”.

For more information on this release, please visit the HelpHub site.

Security updates included in this release

The security team would like to thank the following people for responsibly reporting vulnerabilities, and allowing them to be fixed in this release:

  • Marc Montpas of Automattic for finding a potential disclosure of user email addresses.
  • Marc Montpas of Automattic for finding an RCE POP Chains vulnerability.
  • Rafie Muhammad and Edouard L of Patchstack along with a WordPress commissioned third-party audit for each independently identifying an XSS issue in the post link navigation block.
  • Jb Audras of the WordPress Security Team and Rafie Muhammad of Patchstack for each independently discovering an issue where comments on private posts could be leaked to other users.
  • John Blackbourn (WordPress Security Team), James Golovich, J.D Grimes, Numan Turle, and WhiteCyberSec for each independently identifying a way for logged-in users to execute any shortcode.
  • mascara7784 and a third-party security audit for identifying an XSS vulnerability in the application password screen.
  • Jorge Costa of the WordPress Core Team for identifying an XSS vulnerability in the footnotes block.
  • s5s and raouf_maklouf for independently identifying a cache poisoning DoS vulnerability.

Source and more details: https://wordpress.org/news/2023/10/wordpress-6-3-2-maintenance-and-security-release/ and https://www.wordfence.com/blog/2023/10/wordpress-6-3-2-security-release-what-you-need-to-know/

Unauthenticated File Upload Vulnerability Addressed in Royal Elementor Addons and Templates 1.3.79

During an investigation of a series of websites being actively compromised, we noticed the constant presence of the Royal Elementor Addons and Templates plugin. All sites had at least one malicious file dropped into the /wpr-addons/forms/ directory.

As we reviewed the plugin, we found that the upload ajax action wasn’t properly validating the uploaded file’s extension, allowing bad actors to bypass the check and drop malicious files into the /wpr-addons/forms/ directory.

Upon identifying the vulnerability, we promptly alerted the plugin development team, who released version 1.3.79 to fix the issue. It is crucial for administrators to ensure their WordPress installations are fully updated to safeguard against this vulnerability.

Source and full details: https://wpscan.com/blog/unauthenticated-file-upload-vulnerability-addressed-in-royal-elementor-addons-and-templates-1-3-79/

and https://www.wordfence.com/blog/2023/10/psa-critical-unauthenticated-arbitrary-file-upload-vulnerability-in-royal-elementor-addons-and-templates-being-actively-exploited/

Finding A RCE Gadget Chain In WordPress Core

During a recent team gathering in Belgium, WPScan held an impromptu Capture The Flag game that included a challenge with an SQL Injection vulnerability inside an INSERT statement, meaning attackers could inject arbitrary values into the targeted table’s columns and query information from the database; the intended “flag” was the credentials of a user on the affected blog.

The vulnerable SQL query inserted new rows into the wp_termmeta table. WPScan knew this could potentially lead to Object Injection attacks, because the inserted metadata is passed through maybe_unserialize upon retrieval, but didn’t think much of it: the common view was that there was no known RCE gadget chain in WordPress Core, so the challenge was “safe” as long as it didn’t use any external plugins.

This proved to be enough to win that flag, however, the thought that there might be an alternative solution to the challenge piqued our curiosity. What if there was a working RCE gadget chain in Core waiting to be found?

It turns out there was a way, which the WordPress Security Team fixed in version 6.3.2 by preventing several classes used in the final chain from being unserialized at all, or by restricting what some of their unserialized properties may contain.

Source and more details: https://wpscan.com/blog/finding-a-rce-gadget-chain-in-wordpress-core/

Email Leak Oracle Vulnerability Addressed in WordPress 6.3.2

During a thorough analysis of WordPress’ internals, WPScan discovered a subtle bug that allowed unauthenticated attackers to discern the email addresses of users who have published public posts on an affected website.

If successfully exploited, attackers could gather email addresses, putting user privacy at risk.

Upon identifying the vulnerability, WPScan promptly alerted the WordPress team, who released version 6.3.2 to fix the issue. It is crucial for administrators to ensure their WordPress installations are fully updated to safeguard against this vulnerability.

WordPress’ official advisory can be found here.

Source and more details: https://wpscan.com/blog/email-leak-oracle-vulnerability-addressed-in-wordpress-6-3-2/

Backdoor Masquerading as Legitimate Plugin

Today, we would like to share a type of malware that serves as a sophisticated backdoor capable of performing a variety of tasks while masquerading as a real plugin. Complete with a professional-looking opening comment implying it is a caching plugin, this rogue code contains numerous functions, adds filters to prevent itself from being included in the list of activated plugins, has pinging functionality that allows a malicious actor to check whether the script is still operational, and has file modification capabilities. Additionally, it offers the ability to create an admin account and to remotely activate and deactivate plugins.

The sample was discovered during a site clean by one of the analysts at Wordfence on July 18, 2023. A signature was developed by the same analyst the following day and released to production within two weeks after undergoing testing. Customers using the free version of Wordfence received this signature after a 30-day delay on September 1, 2023.

Users of Wordfence Premium are protected against the use of this backdoor via a firewall rule as of October 9, 2023. Users of the free version of Wordfence will receive the firewall rule on November 9, 2023.

Source and more details: https://www.wordfence.com/blog/2023/10/backdoor-masquerading-as-legitimate-plugin/

Hackers modify online stores’ 404 pages to steal credit cards

A new Magecart card skimming campaign hijacks the 404 error pages of online retailers’ websites, hiding malicious code to steal customers’ credit card information.

This technique is one of the three variants observed by researchers of the Akamai Security Intelligence Group, with the other two concealing the code in the HTML image tag’s ‘onerror’ attribute and an image binary to make it appear as the Meta Pixel code snippet.

Akamai says the campaign focuses on Magento and WooCommerce sites, with some victims linked to renowned organizations in the food and retail sectors.

Manipulating 404 pages

All websites feature 404 error pages that are displayed to visitors when accessing a webpage that does not exist, has been moved, or has a dead/broken link.

The Magecart actors leverage the default ‘404 Not Found’ page to hide and load the malicious card-stealing code, a technique not seen in previous campaigns.

“This concealment technique is highly innovative and something we haven’t seen in previous Magecart campaigns,” reads Akamai’s report.

“The idea of manipulating the default 404 error page of a targeted website can offer Magecart actors various creative options for improved hiding and evasion.”

The skimmer loader either disguises itself as a Meta Pixel code snippet or hides within random inline scripts already present on the compromised checkout web page.

The loader initiates a fetch request to a relative path named ‘icons,’ but as this path does not exist on the website, the request results in a “404 Not Found” error.

Akamai’s investigators initially assumed the skimmer was no longer active or the Magecart group had made a configuration mistake. However, upon closer inspection, they found that the loader contained a regular expression match searching for a specific string in the returned HTML of the 404 page.

Upon locating the string on the page, Akamai found a concatenated base64-encoded string concealed in a comment. Decoding that string revealed the JavaScript skimmer, which hides in all 404 pages.

“We simulated additional requests to nonexistent paths, and all of them returned the same 404 error page containing the comment with the encoded malicious code,” explains Akamai.

“These checks confirm that the attacker successfully altered the default error page for the entire website and concealed the malicious code within it!”

Because the request is made to a first-party path, most security tools monitoring suspicious network requests on the checkout page would overlook it.
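As an added detection example (not code from Akamai’s report), the following Python checks the HTML of a site’s own 404 page for comments that conceal a base64 blob decoding to JavaScript-like text, which is the hiding spot described above. The two sample pages and the inert script stub are constructed for the example.

```python
"""
Detector for the 404-page concealment described above: the skimmer loader
requests a nonexistent path and the site's own 404 page carries the encoded
skimmer inside an HTML comment.  This scans an error page's HTML for comments
hiding a base64 blob that decodes to JavaScript-like text.  The sample pages
below are constructed; nothing is fetched from the network.
"""
import base64
import binascii
import re

COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)
# A base64 run long enough to be a payload rather than a short token.
B64_RUN_RE = re.compile(r"[A-Za-z0-9+/]{20,}={0,2}")
# Tokens that mark decoded text as script rather than opaque data.
JS_HINT_RE = re.compile(
    r"\b(function|document|window|fetch|XMLHttpRequest|eval|atob|addEventListener)\b|=>"
)

def decode_b64_text(blob):
    """Decode a possibly unpadded base64 blob to UTF-8 text, or return None."""
    blob = blob.rstrip("=")
    blob += "=" * (-len(blob) % 4)
    try:
        return base64.b64decode(blob, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None

def candidates(comment_body):
    """Yield the joined base64 runs first (the article notes the payload was a
    concatenated string), then each run on its own."""
    runs = B64_RUN_RE.findall(comment_body)
    if len(runs) > 1:
        yield "".join(r.rstrip("=") for r in runs)
    yield from runs

def find_hidden_scripts(html):
    """Return (comment_excerpt, decoded_script) for every HTML comment that
    conceals base64 decoding to JavaScript-like text."""
    hits = []
    for m in COMMENT_RE.finditer(html):
        body = m.group(1)
        for blob in candidates(body):
            decoded = decode_b64_text(blob)
            if decoded and JS_HINT_RE.search(decoded):
                hits.append((body.strip()[:40], decoded))
                break  # one finding per comment is enough
    return hits

# --- constructed sample pages ---------------------------------------------
BENIGN_MARKER = base64.b64encode(b"cache-key: product-page-2023").decode()
BENIGN_404 = (
    "<html><body><h1>404 Not Found</h1>\n"
    f"<!-- ConstructedShop build marker: {BENIGN_MARKER} -->\n"  # base64, but not script
    "</body></html>"
)
# Inert stand-in for a skimmer: script-like text that does nothing.
SKIMMER_STUB = 'document.addEventListener("submit", function (e) { /* constructed marker */ });'
ENCODED_STUB = base64.b64encode(SKIMMER_STUB.encode()).decode()
MALICIOUS_404 = (
    "<html><body><h1>404 Not Found</h1>\n"
    # Split across two lines, as a concatenated payload would appear.
    f"<!-- theme-cache {ENCODED_STUB[:50]}\n{ENCODED_STUB[50:]} -->\n"
    "</body></html>"
)

if __name__ == "__main__":
    for name, page in (("benign", BENIGN_404), ("malicious", MALICIOUS_404)):
        print(name, find_hidden_scripts(page))
```

Run against a real site, the input would be the HTML returned for a deliberately nonexistent path on your own store, and any hit is worth comparing against the theme and plugin files that generate the error page.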

Stealing the data

The skimmer code displays a fake form that the website visitors are expected to fill out with sensitive details, including their credit card number, expiration date, and security code.

Once this data is entered on the bogus form, the victim gets a fake “session timeout” error.

In the background, all information is base64-encoded and sent to the attacker via an image request URL carrying the string as a query parameter.

This approach helps evade detection by network traffic monitoring tools, as the request looks like a benign image fetch event. However, decoding the base64 string reveals personal and credit card information.

The case of manipulating 404 pages highlights the evolving tactics and versatility of Magecart actors, who continually make it harder for webmasters to locate their malicious code on compromised websites and clean them up.

Source and more details: https://www.bleepingcomputer.com/news/security/hackers-modify-online-stores-404-pages-to-steal-credit-cards/