Reflected XSS in Spam protection, AntiSpam, FireWall by CleanTalk

CleanTalk is a WordPress plugin designed to protect websites from spam comments and registrations. One of the features it includes is the ability to check comments for spam and present the spammy comments for deletion.

Thanks to a quirk of how WordPress processes the page parameter and the default PHP request order, it is possible to use this parameter to perform a reflected cross-site scripting attack, which is almost identical to a vulnerability recently covered by the folks at WordFence.

The vulnerability can be used to execute JavaScript in the browser of a logged-in administrator, for instance, by tricking them into visiting a self-submitting form that sends a POST request to the site at wp-admin/edit-comments.php?page=ct_check_spam, with the $_POST[‘page’] parameter set to malicious JavaScript.

As with any Cross-Site Scripting vulnerability, executing JavaScript in an administrator’s session can be used to take over a site by adding a new malicious administrator or injecting a backdoor, among other potential methods.

A patched version was released on March 25th and installed on all our clients’ websites the same day.

Increase In Malware Sightings on GoDaddy Managed Hosting

On March 15, 2022, The Wordfence Incident Response team alerted the WordFence Threat Intelligence team to an increase in infected websites hosted on GoDaddy’s Managed WordPress service, which includes MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe Managed WordPress sites. These affected sites have a nearly identical backdoor prepended to the wp-config.php file. Of the 298 sites that have been newly infected by this backdoor starting 5 days ago on March 11, at least 281 are hosted with GoDaddy.

The backdoor in question has been in use since at least 2015. It generates spammy Google search results and includes resources customized to the infected site. The main backdoor is added to the very beginning of wp-config.php and looks like this:

The encoded file that is downloaded contains a template based on the infected site source code, but with links to pharmaceutical spam added. This spam link template is set to display whenever the site is accessed.

If your site is hosted on GoDaddy’s Managed WordPress platform (which includes MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe Managed WordPress sites), we strongly recommend that you manually check your site’s wp-config.php file, or run a scan with a malware detection solution such as the free Wordfence scanner to ensure that your site is not infected.

If your site is infected you will need to have it cleaned and may also need to remove spam search engine results. 

Source: https://www.wordfence.com/blog/2022/03/increase-in-malware-sightings-on-godaddy-managed-hosting

Beware: new IRS rules will lead to a wave of phishing frauds

Thanks to new legislation that went into place at the beginning of this year, I predict that a lot of unsuspecting small business owners are about to fall victim to a fresh scam.

The scam will relate to legislation around new tax reporting rules that will affect millions of freelancers and small businesses. As explained in an earlier column, beginning for the 2022 tax year, if you receive more than $600 in total payments during the course of the year from a payment service like PayPal, Venmo (which is owned by PayPal), Square, Stripe or online sales of your products made through Amazon, Etsy and other marketplaces – regardless of how many customers are paying – that payment service is required to report that amount to the IRS and to you by sending a Form 1099-K – used for reporting payments via these third parties – in early 2023.

Full story: https://www.theguardian.com/money/2022/feb/27/beware-phising-fraud-new-irs-rules-online-payment-service-receipts

Elementor WordPress plugin has a gaping security hole – update now

If you run a WordPress site and you use the Elementor website creation toolkit, you could be at risk of a security hole that combines data leakage and remote code execution.

That’s if you use a plugin called Essential Addons for Elementor, which is a popular tool for adding visual features such as timelines, image galleries, ecommerce forms and price lists.

An independent threat researcher called Wai Yan Myo Thet recently discovered what’s known as a file inclusion vulnerability in the product.

This security hole made it possible for attackers to trick the plugin into accessing and including a server-side file…

…using a filename supplied in the incoming web request.

Simply put, a malicious visitor could trick an unpatched server into serving up a file it’s not supposed to, such as the server’s own username database, or coerce the server into running a script it shouldn’t, thus creating a remote code execution (RCE) hole.

As you probably know, web server RCE bugs are typically abused to implant malware that allows the attackers to do something to your immediate, and often costly, detriment.

Clients of ProtectYourWP.com have already been updated, of course.

Source and more details: https://nakedsecurity.sophos.com/2022/02/02/elementor-wordpress-plugin-has-a-gaping-security-hole-update-now/

https://www.darkreading.com/vulnerabilities-threats/tens-of-thousands-of-websites-vulnerable-to-rce-flaw-in-wordpress-plugin

Massive attack against 1.6 million WordPress sites underway

Wordfence analysts report having detected a massive wave of attacks in the last couple of days, originating from 16,000 IPs and targeting over 1.6 million WordPress sites.

The threat actors target four WordPress plugins and fifteen Epsilon Framework themes, one of which has no available patch.

Some of the targeted plugins were patched all the way back in 2018, while others had their vulnerabilities addressed as recently as this week.

The affected plugins and their versions are:

  • PublishPress Capabilities
  • Kiwi Social Plugin
  • Pinterest Automatic
  • WordPress Automatic

The targeted Epsilon Framework themes are:

  • Shapely
  • NewsMag
  • Activello
  • Illdy
  • Allegiant
  • Newspaper X
  • Pixova Lite
  • Brilliance
  • MedZone Lite
  • Regina Lite
  • Transcend
  • Affluent
  • Bonkers
  • Antreas
  • NatureMag Lite – No patch available

“In most cases, the attackers are updating the users_can_register option to enabled and setting the default_role option to administrator,” Wordfence explains.

“This makes it possible for attackers to register on any site as an administrator effectively taking over the site.”

Source: https://www.bleepingcomputer.com/news/security/massive-attack-against-16-million-wordpress-sites-underway/

WordPress Cache Plugin Exploit Affects +1 Million Websites

WP Fastest Cache WordPress plugin vulnerabilities can lead to full site takeover and password leaks

Popular WordPress plugin WP Fastest Cache plugin was discovered by Jetpack security researchers to have multiple vulnerabilities that could allow an attacker to assume full administrator privileges. The exploits affect over a million WordPress installations.

The Authenticated SQL Injection allows a logged-in users to access administrator level information through the database.

A SQL Injection vulnerability is an attack that’s directed at the database, which is where the website elements, including passwords, are stored.

A successful SQL Injection attack could lead to a full website takeover.

More at original article: https://www.searchenginejournal.com/wp-fastest-cache-vulnerability/424278/amp/

Millions of IoT devices, baby monitors open to audio, video snooping

The vulnerability would allow threat actors to remotely compromise a targeted ThroughTek IoT device and watch the real-time video feed, listen to audio, and compromise device credentials for additional attacks.

The cybersecurity researchers at FireEye have shared details of a critical IoT supply chain vulnerability that might be exposing millions of ThroughTek internet-connected cameras to espionage. Reportedly, the flaw affects IoT cameras worldwide and lets attackers hijack video streams.

It is worth noting that at the time of publishing this article; ThroughTek claims to have more than 83 million active IoT devices and over 1.1 billion monthly connections on their platform.

Flaw Identified in ThroughTek’s P2P SDK

The flaw was discovered in ThroughTek’s software core component of the Kalay cloud platform used by OEMs to manufacture IP cameras, baby/pet monitoring cameras, battery devices, and robotic devices.

The vulnerability (CVE-2021-28372) is present in the company’s P2P SDK, which is a function that allows a client on a desktop or mobile app to access the camera’s audio or video streams via the internet.

It is reported that the protocol used to transmit these data streams don’t possess a secure key exchange. Instead, it relies on a fixed key-based obfuscation scheme. Hence, attackers can access it and construct the audio/video stream to spy on users remotely.

Moreover, it can allow attackers to carry out device spoofing, eavesdropping on-camera audio/video, and hijack device certificates.

CISA Releases Security Alert

Yesterday, CISA released a separate advisory for ThroughTek P2P SDK and gave it a CVSS score of 9.1, stating that:

“ThroughTek supplies multiple original equipment manufacturers of IP cameras with P2P connections as part of its cloud platform. Successful exploitation of this vulnerability could permit unauthorized access to sensitive information, such as camera audio/video feeds.”

CISA noted that the vulnerability impacts SDK version 3.1.5 and older, versions with nossl tag, and device firmware lacking AuthKey for IOTC connection and using the RDT module, P2PTunnel, or AVAPI module without enabling DTLS.

The advisory revealed that the impacted P2P products don’t adequately protect the data transmitted between the company’s servers and the local device, letting the attackers access sensitive data such as camera feeds.

CVE-2021-28372 poses a huge risk to an end user’s security and privacy and should be mitigated appropriately. Unprotected devices, such as IoT cameras, can be compromised remotely with access to a UID and further attacks are possible depending on the functionality exposed by a device, FireEye researchers warned in a blog post.

ThroughTek’s Response

The company conveniently blamed developers who incorrectly implemented its SDK or didn’t update to the latest version. ThroughTek claims that it introduced version 3.3 in mid-2020 to fix this issue and update its devices’ SDK version, and those who didn’t upgrade the software are vulnerable to this threat.

Original article: https://cybersecdn.com/index.php/2021/08/17/millions-of-iot-devices-baby-monitors-open-to-audio-video-snooping/

Experian API Exposed Credit Scores of Most Americans (again)

Big-three consumer credit bureau Experian just fixed a weakness with a partner website that let anyone look up the credit score of tens of millions of Americans just by supplying their name and mailing address, KrebsOnSecurity has learned. Experian says it has plugged the data leak, but the researcher who reported the finding says he fears the same weakness may be present at countless other lending websites that work with the credit bureau.

Security Researcher Bill Demirkapi found the Experian API could be accessed directly without any sort of authentication, and that entering all zeros in the “date of birth” field let him then pull a person’s credit score. He even built a handy command-line tool to automate the lookups, which he dubbed “Bill’s Cool Credit Score Lookup Utility.”

In addition to credit scores, the Experian API returns for each consumer up to four “risk factors,” indicators that might help explain why a person’s score is not higher.

Source: https://krebsonsecurity.com/2021/04/experian-api-exposed-credit-scores-of-most-americans/

Severe Vulnerabilities Patched in Redirection for Contact Form 7 Plugin

The WordFence Threat Intelligence team discovered and responsibly disclosed several vulnerabilities in Redirection for Contact Form 7, a WordPress plugin used by over 200,000 sites in early February. One of these flaws made it possible for unauthenticated attackers to generate arbitrary nonces for any function. The second flaw made it possible for authenticated attackers to install arbitrary plugins and inject PHP Objects. The third flaw made it possible for authenticated attackers to delete arbitrary posts on a site running the plugin causing a loss of availability.

These are considered severe vulnerabilities. Therefore, we highly recommend updating to the latest patched version available immediately.

Full details at https://www.wordfence.com/blog/2021/04/severe-vulnerabilities-patched-in-redirection-for-contact-form-7-plugin