Interesting Cross-Site Request Forgery to Local JS File Inclusion Vulnerability Patched in File Manager WordPress Plugin

On February 15th, 2024, during the second Wordfence Bug Bounty Extravaganza, a submission was received for a Cross-Site Request Forgery to Local JS File Inclusion vulnerability in File Manager, a WordPress plugin with more than 1,000,000 active installations. This vulnerability can be leveraged to achieve Remote Code Execution (RCE) via a forged request, provided an attacker can trick a site administrator into performing an action such as clicking on a link.

Please note that while this vulnerability is unlikely to be targeted and exploited due to the prerequisites required to exploit it, we wanted to highlight the discovery of this researcher as this was a cleverly crafted exploit.

Props to 0xBishop who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $601.00 for this discovery during our Bug Bounty Program Extravaganza.

All Wordfence users are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Local File Inclusion protection.

Wordfence contacted WebDesi9 on February 16, 2024, and received a response on February 16, 2024. After providing full disclosure details, the developer released the first patch on February 28, 2024. A fully patched version, 7.2.5, was released on March 15, 2024. We would like to commend WebDesi9 for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of File Manager, which is version 7.2.5, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2024/03/601-bounty-awarded-for-interesting-cross-site-request-forgery-to-local-js-file-inclusion-vulnerability-patched-in-file-manager-wordpress-plugin/

SQL Injection Vulnerability Patched in Tutor LMS WordPress Plugin

On February 15th, 2024, during the second Wordfence Bug Bounty Extravaganza, a submission was received for an authenticated SQL Injection vulnerability in Tutor LMS, a WordPress plugin with more than 80,000 active installations. This vulnerability can be leveraged to extract sensitive data from the database, such as password hashes.

Props to Muhammad Hassham Nagori who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $625.00 for this discovery during our Bug Bounty Program Extravaganza.

All Wordfence users are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in SQL Injection protection.

Wordfence contacted Themeum on February 22, 2024, and received a response on February 23, 2024. After providing full disclosure details, the developer released a patch on March 11, 2024. We would like to commend Themeum for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of Tutor LMS, which is version 2.6.2, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2024/03/sql-injection-vulnerability-patched-in-tutor-lms-wordpress-plugin/

Too Much Escaping Backfires, Allows Shortcode-Based XSS Vulnerability in Contact Form Entries WordPress Plugin

On February 24th, 2024, during the second Wordfence Bug Bounty Extravaganza, a submission was received for a stored Cross-Site Scripting (XSS) vulnerability in Contact Form Entries, a WordPress plugin with more than 60,000 active installations. The vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages using the plugin’s shortcode.

Props to Krzysztof Zając who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $132.00 for this discovery during our Bug Bounty Program Extravaganza.

Users of paid versions of Wordfence as well as those using the free version of the plugin are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Cross-Site Scripting protection.

Wordfence contacted the CRM Perks Team on February 29, 2024, and received a response on March 1, 2024. After providing full disclosure details, the developer released a patch on March 6, 2024. We would like to commend the CRM Perks Team for their prompt response and timely patch, which was released the next day.

We urge users to update their sites with the latest patched version of Contact Form Entries, which is version 1.3.4 as of the date of this post, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2024/03/too-much-escaping-backfires-allows-shortcode-based-xss-vulnerability-in-contact-form-entries-wordpress-plugin/

Privilege Escalation Vulnerability Patched in RegistrationMagic WordPress Plugin

On February 26th, 2024, during the second Wordfence Bug Bounty Extravaganza, a submission was received for a Privilege Escalation vulnerability in RegistrationMagic, a WordPress plugin with more than 10,000 active installations. This vulnerability makes it possible for an authenticated attacker to grant themselves administrative privileges by updating the user role.

Props to Krzysztof Zając who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $1,313.00 for this discovery during our Bug Bounty Program Extravaganza.

Users of paid versions of Wordfence received a firewall rule to protect against any exploits targeting this vulnerability on February 28, 2024. Sites using the free version of Wordfence received the same protection on March 29, 2024.

Wordfence contacted Metagauss on February 29, 2024, and received a response on March 4, 2024. After providing full disclosure details, the developer released a patch on March 11, 2024. We would like to commend Metagauss for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of RegistrationMagic, which is version 5.3.1.0 as of the date of this post, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2024/03/1313-bounty-awarded-for-privilege-escalation-vulnerability-patched-in-registrationmagic-wordpress-plugin

Critical Vulnerability Remains Unpatched in Two Permanently Closed MiniOrange WordPress Plugins (updated, with patch)

On March 1st, 2024, during the second Wordfence Bug Bounty Extravaganza, Wordfence received a submission for a Privilege Escalation vulnerability in miniOrange’s Malware Scanner, a WordPress plugin with more than 10,000 active installations, and the Wordfence Threat Intelligence team identified the same vulnerability in miniOrange’s Web Application Firewall, a WordPress plugin with more than 300 active installations. This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by updating the user password.

Update as of 3/26/2024: Both plugins have been patched and re-opened in the WordPress repository. We recommend updating to the respective patched versions immediately.

Props to Stiofan who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $1,250.00 for this discovery during the Bug Bounty Program Extravaganza. While plugins with fewer than 50,000 active installations are out of scope for standard researchers in the Bug Bounty Program, Wordfence made an exception due to the potential impact of this vulnerability. The mission of Wordfence is to Secure the Web, so the team is proud to continue investing in vulnerability research like this and collaborating with researchers of this caliber through the Bug Bounty Program.

Users of paid versions of Wordfence received a firewall rule to protect against any exploits targeting this vulnerability on March 4, 2024. Sites using the free version of Wordfence received the same protection on April 3, 2024.

MiniOrange was contacted on March 5, 2024, and Wordfence received a response on March 6, 2024. After full disclosure details were provided the same day, the developer closed the plugins. After the patches were released on 3/26, the plugins were re-opened in the WordPress plugin repository.

Source and more details: https://www.wordfence.com/blog/2024/03/critical-vulnerability-remains-unpatched-in-two-permanently-closed-miniorange-wordpress-plugins-1250-bounty-awarded/

Unauthenticated Stored XSS Vulnerability Patched in Ultimate Member WordPress Plugin

On February 28th, 2024, during the second Wordfence Bug Bounty Extravaganza, Wordfence received a submission for an unauthenticated stored Cross-Site Scripting (XSS) vulnerability in Ultimate Member, a WordPress plugin with more than 200,000 active installations. This vulnerability can be leveraged to inject malicious web scripts.

Props to stealthcopter who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $563.00 for this discovery during our Bug Bounty Program Extravaganza. Our mission is to Secure the Web, so we are proud to continue investing in vulnerability research like this and collaborating with researchers of this caliber through our Bug Bounty Program. This demonstrates that we are not only committed to investing in making the WordPress ecosystem more secure, but also the entire web.

All sites using the Wordfence plugin are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Cross-Site Scripting protection.

Wordfence provided full disclosure details to the Ultimate Member Team on March 2, 2024, and received a response on March 4, 2024. The developer released a patch on March 6, 2024. We would like to commend the Ultimate Member Team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of Ultimate Member, which is version 2.8.4, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2024/03/unauthenticated-stored-xss-vulnerability-patched-in-ultimate-member-wordpress-plugin/