High Severity Arbitrary File Upload Vulnerability Patched in File Manager Pro WordPress Plugin

On December 14th, 2023, shortly after the launch of the Wordfence Holiday Bug Extravaganza, Wordfence received a submission for an Arbitrary File Upload vulnerability in File Manager Pro, a WordPress plugin with an estimated 10,000+ active installations. The vulnerability made it possible for authenticated attackers to create a PHP file with arbitrary contents on the server, which could then be used for complete site takeover.

Props to Tobias Weißhaar, who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. The report earned a bounty of $657.00 during the Bug Bounty Program Extravaganza. Although the installation count would normally place the plugin out of scope for the program, the severity and ease of exploitation, combined with the much larger installation count of the free version of the plugin, warranted some flexibility.

Paid Wordfence users received a firewall rule to protect against any exploits targeting this vulnerability on January 8, 2024. Sites still using the free version of Wordfence received the same protection on February 7, 2024.

Wordfence contacted the File Manager developer team on December 14th, 2023, and received a response on December 15th, 2023. After Wordfence provided the full disclosure details, the developer released a patch on January 8th, 2024.

We urge users to update their sites with the latest patched version of File Manager Pro, version 8.3.5 at the time of this writing, as soon as possible.
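Updating closes the hole, but it does not tell you whether anything was dropped while the site was exposed. The check a practitioner wants after an arbitrary file upload bug is a sweep of the uploads tree for anything PHP can execute. The following is an added example and is not Wordfence's or the plugin's code: a small Python scanner that flags files by executable PHP extension (including double extensions such as image.php.jpg), by a PHP open tag inside a file of any extension, by calls commonly found in web shells, and by an .htaccess that re-enables a PHP handler under uploads. The extension list, the "dangerous call" list and the .htaccess rule are assumptions about typical Apache or PHP-FPM deployments, and the directory tree it builds is constructed demo data, not taken from any real site.

```python
"""Hunt for PHP dropped into a WordPress uploads tree.

Added example, not Wordfence's or the plugin's code.  Assumptions (typical
Apache or PHP-FPM deployments): the extensions below are executable, a file
whose *any* dotted suffix is a PHP extension may still be executed, and an
.htaccess that adds a PHP handler re-enables execution under uploads.
"""
import os
import re
import tempfile

PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".php7", ".php8", ".phtml", ".phar", ".phps"}
# A PHP open tag anywhere in the first 64 KiB marks PHP code, whatever the extension.
PHP_TAG_RE = re.compile(rb"<\?(?:php\b|=)", re.IGNORECASE)
# Calls commonly seen in web shells; a hit is a lead to inspect, not proof.
DANGEROUS_CALL_RE = re.compile(
    rb"\b(?:eval|assert|system|passthru|shell_exec|exec|popen|proc_open|base64_decode)\s*\(",
    re.IGNORECASE,
)
# An .htaccess inside uploads that maps some extension to the PHP handler.
HTACCESS_HANDLER_RE = re.compile(rb"(?:Add|Set)Handler[^\n]*php", re.IGNORECASE)


def classify_file(path):
    """Return the reasons a file is suspicious (empty list means nothing found)."""
    reasons = []
    name = os.path.basename(path).lower()
    suffixes = ["." + part for part in name.split(".")[1:]]  # "a.php.jpg" -> [".php", ".jpg"]
    if any(s in PHP_EXTENSIONS for s in suffixes):
        reasons.append("php-extension")
    with open(path, "rb") as fh:
        head = fh.read(64 * 1024)
    if name == ".htaccess" and HTACCESS_HANDLER_RE.search(head):
        reasons.append("htaccess-php-handler")
    if PHP_TAG_RE.search(head):
        reasons.append("php-open-tag")
        if DANGEROUS_CALL_RE.search(head):
            reasons.append("dangerous-call")
    return reasons


def scan_uploads(root):
    """Walk root and return {path relative to root: reasons} for every flagged file."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            full = os.path.join(dirpath, fn)
            reasons = classify_file(full)
            if reasons:
                findings[os.path.relpath(full, root)] = reasons
    return findings


def build_sample_tree():
    """Create a constructed uploads tree in a temp dir (demo data, not from any real site)."""
    root = tempfile.mkdtemp(prefix="wp-uploads-")
    samples = {
        "2024/01/photo.jpg": b"\xff\xd8\xff\xe0JFIF image bytes",
        "2024/01/notes.txt": b"plain text, nothing to see",
        "2024/01/shell.php": b"<?php eval(base64_decode($_POST['c'])); ?>",
        "2024/01/image.php.jpg": b"GIF89a<?php system($_GET['cmd']); ?>",
        "2024/01/template.phtml": b"<html><body>no php here</body></html>",
        "2024/01/.htaccess": b"AddHandler application/x-httpd-php .jpg\n",
    }
    for rel, data in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for rel, reasons in sorted(scan_uploads(sample_root).items()):
        print(f"{rel}: {', '.join(reasons)}")
```

Point scan_uploads() at wp-content/uploads on a real site and treat every hit as something to open and read, not as a verdict; a .phtml template shipped by a theme will trip the extension rule. Independently of the scan, confirm that the web server does not execute PHP under uploads at all, which is what makes this class of bug survivable.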

Source and more details: https://www.wordfence.com/blog/2024/01/high-severity-arbitrary-file-upload-vulnerability-patched-in-file-manager-pro-wordpress-plugin

EFF adds Street Surveillance Hub so Americans can check who’s checking on them

‘The federal government has almost entirely abdicated its responsibility’

For a country that prides itself on being free, America does seem to have an awful lot of spying going on, as the new Street Surveillance Hub from the Electronic Frontier Foundation shows.

The Hub contains detailed breakdowns of the type of surveillance systems used, from bodycams to biometrics, predictive policing software to gunshot detection microphones and drone-equipped law enforcement. It also has a full news feed so that concerned citizens can keep up with the latest US surveillance news; they can also contribute to the Atlas of Surveillance on the site.

The Atlas, started in 2019, allows anyone to check what law enforcement technology is in use in their local area, be it license plate readers, drones, or gunshot detection microphones. It can also show whether local law enforcement is partnering with third parties such as home security vendor Ring to obtain extra information.

EFF policy analyst Matthew Guariglia told The Register that once people look into what’s being deployed using their tax dollars, a lot of red flags are raised.

Over the last few years America's thin blue line has not only been harvesting huge amounts of data itself, but also buying it in from commercial operators. The result is a perfect storm for privacy, with police, homeowners, and our personal technology proving to be a goldmine of intrusive information that is often misused.

The Register: The updated guide has a bunch of new information; how big is the problem?

Guariglia: We have to start to pay attention to the fact that many cities across the United States are paying millions of dollars for all these high tech devices and software that they claimed were going to be the silver bullet to ending crime.

Just after a few months or a few years, they are canceling those contracts, because they’re actually not very useful, or the technology gets things wrong. Police used to want to put up as many cameras as possible, but now we see them pivoting more toward things like automated license plate readers.

The Register: Is this solely a police problem or is surveillance becoming more ubiquitous?

Guariglia: The disturbing thing about our current landscape is that just because police don't own cameras doesn't mean they don't have access to footage. So if communities or homeowners associations are putting up license plate readers, police often can very easily get access to that data as well. Increasingly, police use private technology companies, and the data they collect, as an extension of their own evidence.

The Register: Does that extend all the way down to supposedly personal technology devices?

Guariglia: As police extend their own network of surveillance, and as it becomes more omnipresent, there is a whole other landscape of surveillance below the surface, which is our personal devices. These collect data which police can also access, sometimes without a warrant.

Source & more details: https://www.theregister.com/2024/01/22/eff_privacy_atlas/

Website Takeover Campaign Takes Advantage of Unauthenticated Stored Cross-Site Scripting Vulnerability in Popup Builder Plugin

On December 11, 2023, Wordfence added an Unauthenticated Stored XSS vulnerability in the Popup Builder WordPress plugin to the Wordfence Intelligence Vulnerability Database. The vulnerability, originally reported by WPScan, allows an unauthenticated attacker to inject arbitrary JavaScript that is executed whenever a user visits an injected page.

On January 10th, 2024, Wordfence received an interesting malware submission demonstrating how a Cross-Site Scripting (XSS) vulnerability in a single plugin can allow an unauthenticated attacker to inject an arbitrary administrative account and use it to take over a website. This type of vulnerability is usually exploited to add spam content or malicious redirects to a compromised site. This time, however, Wordfence found a successful attempt to directly inject a WordPress administrator account, one of the few cases they have been able to definitively attribute to this technique with the evidence still preserved.

Paid Wordfence users received a malware signature to detect this malicious file on January 11th, 2024; free users received the same signature after 30 days, on February 11th, 2024. In addition, all Wordfence users are protected against exploits targeting this vulnerability.
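The chain described above works because the injected JavaScript runs in the browser of whoever views the page, and when that viewer is a logged-in administrator the script inherits the session and can create a new user. Hunting for such a payload means inspecting the HTML the plugin has stored in the database, not the rendered page. The following is an added example and is not Wordfence's malware signature or the plugin's code: a Python scanner built on the standard library's HTMLParser that flags the usual execution vectors in stored HTML fragments, namely script, iframe, object and embed elements, on* event handler attributes, and javascript: URLs, including entity-encoded or whitespace-padded ones, which the parser normalizes much as a browser would. The sample records are constructed for the demo; how you pull real records out of your database (a SQL query or wp-cli against the plugin's tables or options) is an assumption left to you.

```python
"""Flag script-execution vectors in HTML stored by a CMS plugin.

Added example: a stored-XSS payload hunter.  Not Wordfence's malware
signature and not the Popup Builder plugin's own code.
"""
import re
from html.parser import HTMLParser

# Elements that load or run code directly.
ACTIVE_ELEMENTS = {"script", "iframe", "object", "embed"}
# Attributes whose value a browser treats as a URL.
URL_ATTRS = {"href", "src", "action", "formaction", "xlink:href"}
# Browsers ignore whitespace and control characters inside the scheme,
# so "java\tscript:" still executes; strip them before comparing.
SCHEME_NOISE = re.compile(r"[\s\x00-\x1f]")


class ScriptVectorFinder(HTMLParser):
    """Collect human-readable findings while parsing one HTML fragment."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lowercases tag and attribute names and decodes character
        # references in attribute values, so "&#106;avascript:" arrives as
        # "javascript:" here, exactly as the browser would see it.
        if tag in ACTIVE_ELEMENTS:
            self.hits.append(f"<{tag}> element")
        for name, value in attrs:
            if name.startswith("on"):
                self.hits.append(f"{name} handler on <{tag}>")
            elif name in URL_ATTRS and value:
                normalized = SCHEME_NOISE.sub("", value).lower()
                if normalized.startswith("javascript:"):
                    self.hits.append(f"javascript: URL in {name} on <{tag}>")


def find_script_vectors(fragment):
    """Return the list of vectors found in one stored HTML fragment."""
    parser = ScriptVectorFinder()
    parser.feed(fragment)
    parser.close()
    return parser.hits


def audit_records(records):
    """records: iterable of (record_id, html).  Returns {record_id: hits} for flagged rows only."""
    flagged = {}
    for record_id, html in records:
        hits = find_script_vectors(html)
        if hits:
            flagged[record_id] = hits
    return flagged


# Constructed sample rows standing in for stored popup content (demo data).
SAMPLE_RECORDS = [
    (101, '<div class="popup"><h2>Sale!</h2><p>Use code <b>SAVE10</b></p></div>'),
    (102, '<div><SCRIPT src="https://example.invalid/t.js"></SCRIPT></div>'),
    (103, '<img src=x onerror="alert(1)">'),
    (104, '<a href="&#106;ava\tscript:void(0)">Click</a>'),
    (105, '<p>Visit <a href="https://example.invalid/">our site</a></p>'),
]


if __name__ == "__main__":
    for record_id, hits in sorted(audit_records(SAMPLE_RECORDS).items()):
        print(f"record {record_id}: {'; '.join(hits)}")
```

Legitimate popups sometimes carry a tracking snippet, so a hit is a lead to review against what the site owner actually configured. Pair the content sweep with a look at the users table: an administrator account created around the time the payload appeared is the outcome the page describes, and removing the stored script without removing that account leaves the attacker in.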

Source and more details: https://www.wordfence.com/blog/2024/01/website-takeover-campaign-takes-advantage-of-unauthenticated-cross-site-scripting-vulnerability-in-popup-builder-plugin