Tumblr and WordPress to Sell Users’ Data to Train AI Tools

Tumblr and WordPress.com (Ed. Note: they’re talking about wp.COM. If you’re hosting somewhere other than WordPress.com you don’t have to worry. Yet.) are preparing to sell user data to Midjourney and OpenAI, according to a source with internal knowledge about the deals and internal documentation referring to the deals. 

The exact types of data from each platform going to each company are not spelled out in documentation we’ve reviewed, but internal communications reviewed by 404 Media make clear that deals between Automattic, the platforms’ parent company, and OpenAI and Midjourney are imminent.

The internal documentation details a messy and controversial process within Tumblr itself. One internal post made by Cyle Gage, a product manager at Tumblr, states that a query made to prepare data for OpenAI and Midjourney compiled a huge number of user posts that it wasn’t supposed to. It is not clear from Gage’s post whether this data has already been sent to OpenAI and Midjourney, or whether Gage was detailing a process for scrubbing the data before it was to be sent. 

Source and more details: https://www.404media.co/tumblr-and-wordpress-to-sell-users-data-to-train-ai-tools/

WordPress LiteSpeed Plugin Vulnerability Puts 5 Million Sites at Risk

A security vulnerability has been disclosed in the LiteSpeed Cache plugin for WordPress that could enable unauthenticated users to escalate their privileges.

Tracked as CVE-2023-40000, the vulnerability was addressed in October 2023 in version 5.7.0.1.

“This plugin suffers from unauthenticated site-wide stored [cross-site scripting] vulnerability and could allow any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request,” Patchstack researcher Rafie Muhammad said.

LiteSpeed Cache, which is used to improve site performance, has more than five million installations. The latest version of the plugin is 6.1, which was released on February 5, 2024.

The WordPress security company said CVE-2023-40000 is the result of a lack of user input sanitization and escaping output. The vulnerability is rooted in a function named update_cdn_status() and can be reproduced in a default installation.

“Since the XSS payload is placed as an admin notice and the admin notice could be displayed on any wp-admin endpoint, this vulnerability also could be easily triggered by any user that has access to the wp-admin area,” Muhammad said.

The disclosure arrives four months after Wordfence revealed another XSS flaw in the same plugin (CVE-2023-4372, CVSS score: 6.4) due to insufficient input sanitization and output escaping on user supplied attributes. It was addressed in version 5.7.

“This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page,” István Márton said.

Source and more details: https://thehackernews.com/2024/02/wordpress-litespeed-plugin.html

See also: https://wpscan.com/vulnerability/dd9054cc-1259-427d-a4ad-1875b7b2b3b4/

$1,313 Bounty Awarded for Privilege Escalation Vulnerability Patched in Academy LMS WordPress Plugin

On February 14th, 2024, during the second Wordfence Bug Bounty Extravaganza, they received a submission for a Privilege Escalation vulnerability in Academy LMS, a WordPress plugin with more than 1,000+ active installations. This vulnerability makes it possible for an authenticated attacker to grant themselves administrative privileges by updating user metadata.

Props to Lucio Sá who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $1,313.00 for this discovery during our Bug Bounty Program Extravaganza.

All users of the Wordfence plugin are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Privilege Escalation via User Meta Updates protection.

Wordfence contacted the Academy LMS Team on February 14, 2024, and received a response on February 15, 2024. After providing full disclosure details, the developer released a patch on February 19, 2024. We would like to commend the Academy LMS Team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of Academy LMS, which is version 1.9.20, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2024/02/1313-bounty-awarded-for-privilege-escalation-vulnerability-patched-in-academy-lms-wordpress-plugin

SQL Injection Vulnerability Patched in RSS Aggregator by Feedzy WordPress Plugin

On February 1st, 2024, during the second Wordfence Bug Bounty Extravaganza, they received a submission for a SQL Injection vulnerability in RSS Aggregator by Feedzy, a WordPress plugin with more than 50,000+ active installations. The vulnerability enables threat actors with contributor-level permissions or higher to extract sensitive data from the database, such as password hashes.

Props to Lucio Sá who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $329.00 for this discovery during our Bug Bounty Program Extravaganza.

All Wordfence users are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in SQL Injection protection.

Wordfence contacted Themeisle on February 8, 2024, and received a response on the same day. After providing full disclosure details, the developer released a patch on February 9, 2024. We would like to commend Themeisle for their prompt response and timely patch, which was released in just one day.

We urge users to update their sites with the latest patched version of RSS Aggregator by Feedzy, which is version 4.4.3, as soon as possible.

Source: https://www.wordfence.com/blog/2024/02/sql-injection-vulnerability-patched-in-rss-aggregator-by-feedzy-wordpress-plugin

Spam attempts increase 4x

Here at ProtectYourWP.com we’ve noticed a substantial increase in incoming spam on our clients’ sites – on average there have been four times as many spam comments over the past few weeks as usual levels.

It appears that either someone has figured out how to get around the comment filtering mechanisms built in to WordPress, or else the spammers are just sending many more than before.

The good news is that the vast majority of them are caught before they get to you, our clients. (Did you know that we delete most of the obviously spammy comments on a daily basis, so that you never have to deal with them?)

If you’d like even better protection, we’ve had excellent results using Anti-Spam by Clean Talk. It’s a service that costs just $6.00/year and is well worth it! We have no relation to CleanTalk other than being a satisfied customer!

Let us or your site developer know if you’d like us to install it on your site.

Local File Inclusion Vulnerability Patched in Shield Security WordPress Plugin

Wordfence received a submission for a Local File Inclusion vulnerability in Shield Security, a WordPress plugin with more than 50,000+ active installations, as part of their bug bounty program. It’s important to note that this vulnerability is limited to just the inclusion of PHP files, however, it could be leveraged by an attacker who has the ability to upload PHP files but can not directly access those files to execute.

Props to hir0ot who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $938.00 for this discovery during our Bug Bounty Program Extravaganza.

All Wordfence customers are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Directory Traversal and Local File Inclusion protection.

Wordfence contacted the Shield Security Team on December 21, 2023, and received a response on December 23, 2023. After providing full disclosure details, the developer released a patch on December 23, 2023. We would like to commend the Shield Security Team for their prompt response and timely patch, which was released on the same day.

The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the render_action_template parameter. This makes it possible for an unauthenticated attacker to include and execute PHP files on the server, allowing the execution of any PHP code in those files.

We urge users to update their sites with the latest patched version of Shield Security, which is version 18.5.10, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2024/02/local-file-inclusion-vulnerability-patched-in-shield-security-wordpress-plugin

Type Juggling Leads to Two Vulnerabilities in POST SMTP Mailer WordPress Plugin

On December 14th, 2023, during the Wordfence Bug Bounty Program Holiday Bug Extravaganza, we received a submission for an Authorization Bypass vulnerability in POST SMTP Mailer, a WordPress plugin with over 300,000+ active installations. This vulnerability makes it possible for unauthenticated threat actors to reset the API key used to authenticate to the mailer and view logs, including password reset emails on WordPress sites that use this plugin. We also received another submission shortly after for an Unauthenticated Stored Cross-Site Scripting vulnerability in POST SMTP Mailer plugin from another researcher. This vulnerability enables threat actors to inject malicious web scripts into pages.

Special props to Ulyses Saicha and Sean Murphy, who discovered and responsibly reported these vulnerabilities through the Wordfence Bug Bounty Program. These researchers respectively earned bounties of $4,125 and $825 for their discoveries during our Bug Bounty Program Extravaganza.

All sites using the any version of Wordfence received the full protection on February 2, 2024.

Wordfence contacted WPExperts.io on December 8, 2023 for a separate vulnerability, and received a response on December 10, 2023. After providing full disclosure details, the developer released a patch on January 1, 2024. We would like to commend the WPExperts.io team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of POST SMTP Mailer, version 2.8.8 at the time of this writing, as soon as possible.

Source: https://www.wordfence.com/blog/2024/01/type-juggling-leads-to-two-vulnerabilities-in-post-smtp-mailer-wordpress-plugin

Cloudflare Breach: Nation-State Hackers Access Source Code and Internal Docs

Cloudflare has revealed that it was the target of a likely nation-state attack in which the threat actor leveraged stolen credentials to gain unauthorized access to its Atlassian server and ultimately access some documentation and a limited amount of source code.

The intrusion, which took place between November 14 and 24, 2023, and detected on November 23, was carried out “with the goal of obtaining persistent and widespread access to Cloudflare’s global network,” the web infrastructure company said, describing the actor as “sophisticated” and one who “operated in a thoughtful and methodical manner.”

As a precautionary measure, the company further said it rotated more than 5,000 production credentials, physically segmented test and staging systems, carried out forensic triages on 4,893 systems, reimaged and rebooted every machine across its global network.

The incident involved a four-day reconnaissance period to access Atlassian Confluence and Jira portals, following which the adversary created a rogue Atlassian user account and established persistent access to its Atlassian server to ultimately obtain access to the Bitbucket source code management system by means of the Sliver adversary simulation framework.

As many as 120 code repositories were viewed, out of which 76 are estimated to have been exfiltrated by the attacker.

“The 76 source code repositories were almost all related to how backups work, how the global network is configured and managed, how identity works at Cloudflare, remote access, and our use of Terraform and Kubernetes,” Cloudflare said.

“A small number of the repositories contained encrypted secrets which were rotated immediately even though they were strongly encrypted themselves.”

The threat actor is then said to have unsuccessfully attempted to “access a console server that had access to the data center that Cloudflare had not yet put into production in São Paulo, Brazil.”

The attack was made possible by using one access token and three service account credentials associated with Amazon Web Services (AWS), Atlassian Bitbucket, Moveworks, and Smartsheet that were stolen following the October 2023 hack of Okta’s support case management system.

Cloudflare acknowledged that it had failed to rotate these credentials, mistakenly assuming they were unused.

The company also said it took steps to terminate all malicious connections originating from the threat actor on November 24, 2023. It also involved cybersecurity firm CrowdStrike to perform an independent assessment of the incident.

“The only production systems the threat actor could access using the stolen credentials was our Atlassian environment. Analyzing the wiki pages they accessed, bug database issues, and source code repositories, it appears they were looking for information about the architecture, security, and management of our global network,” Cloudflare said.

Source: https://thehackernews.com/2024/02/cloudflare-breach-nation-state-hackers.html

The WordPress 6.4.3 Security Update – What You Need to Know

Today, January 30, 2024, WordPress released version 6.4.3, which contains two security patches for longstanding, albeit minor, security concerns in WordPress Core.

The first patch addresses an issue that allows users with Administrator (or Super Administrator on Multisite) privileges to upload PHP files directly to a site via the Plugin and Theme file upload mechanism. This is only a concern in heavily locked-down configurations that disallow Administrators and Super Administrators from installing plugins and themes via a separate mechanism. Wordfence has tracked this as a low-priority informational security alert since August 2023, though it has been public since August 2018.

The second patch addresses the way that options are stored – it first sanitizes them before checking the data type of the option – arrays and objects are serialized, as well as already serialized data, which is serialized again. While this already happens when options are updated, it was not performed during site installation, initialization, or upgrade. According to the 6.4.3 release post, this is intended to address a potential PHP Object Injection issue.

Both issues appear to require a highly privileged user or an attacker stumbling upon a site with an incomplete installation to exploit, and are likely to impact few WordPress sites in the real world.

Both patches have been backported to version 4.1 and later of WordPress.

Conclusion

The WordPress 6.4.3 security patches addressed two minor issues in WordPress core and can primarily be considered increased hardening, as the circumstances in which they are likely to have a security impact are incredibly rare. Nonetheless, we recommend updating in a reasonable time frame, especially if your site relies on a hardened configuration due to regulatory requirements.

Source and more details: https://www.wordfence.com/blog/2024/01/the-wordpress-6-4-3-security-update-what-you-need-to-know