Unauthenticated Privilege Escalation in Profile-Builder plugin

During a routine audit of various WordPress plugins, we identified some issues in Profile Builder and Profile Builder Pro (50k+ active installs). Researchers discovered an Unauthenticated Privilege Escalation Vulnerability which could allow attackers to gain administrative access without having any kind of account on the targeted site and perform unauthorized actions.

This vulnerability was fixed on July 11th, with version 3.11.9. All ProtectYourWP.com clients who use this plugin have been updated.

Source and more details: https://wpscan.com/blog/unauthenticated-privilege-escalation-in-profile-builder-plugin/

WordPress 6.5.5 Security Release – What You Need to Know

WordPress Core 6.5.5 was released on June 24, 2024. Contained within this release are three security fixes addressing two Cross-Site Scripting (XSS) vulnerabilities and one Windows-specific Directory Traversal vulnerability. Despite these vulnerabilities being medium-severity, the worst of them (specifically, the XSS vulnerabilities) can allow for site takeover by an authenticated, contributor-level user if successfully exploited.

The Directory Traversal vulnerability has been backported to every version of WordPress since 4.1, with the XSS vulnerabilities being backported to the major version in which the functionality was released. WordPress has supported automatic core updates for security releases since WordPress 3.7, and the vast majority of WordPress sites should receive a patch for their major version of WordPress automatically over the next 24 hours. We recommend verifying that your site has been automatically updated to one of the patched versions. Patched versions are available for every major version of WordPress since 4.1, so you can update without risking compatibility issues.

The Wordfence Threat Intelligence Team released a new firewall rule the same day to protect paid customers against one of the XSS vulnerabilities that didn’t have adequate protection. This rule will be available to free Wordfence users in 30 days, on July 24th, 2024. All Wordfence users have protection for the remaining two vulnerabilities.

Source and more details: https://www.wordfence.com/blog/2024/06/wordpress-6-5-5-security-release-what-you-need-to-know and https://wordpress.org/news/2024/06/wordpress-6-5-5/

Events Manager FALSE POSITIVE – Avast Anti-Virus Security Threats

[June 3rd 19:40 UTC]

Earlier today (June 3rd), we were alerted to the fact that Avast AVG, a popular Anti-Virus software (specifically the Windows version) was incorrectly alerting its users of a potential Trojan virus in our included JavaScript file, events-manager.min.js. This is a minified version of the events-manager.js file that controls all front-end UI aspects of Events Manager.

We (like other plugins, themes and WordPress itself) minify JS files to reduce their size, which makes load times faster while reducing your bandwidth costs.

Due to the popularity of Avast, and the fact that this affects anyone using it and visiting an EM-powered site, this caused a lot of confusion and panic. We received a lot of emails and forum posts about the issue.

#1 – Steps You MUST Take

Let’s skip to the important part… what you need to do so that you’re not affected!

This issue affects anyone using Events Manager on their site. We’re uncertain which versions of that JS file Avast falsely identifies as a virus; we have had reports that version 4.6.8 is affected, and likely a few versions back too.

The easy solution is to just update the plugin to version 4.6.10. This now ships with the unminified JS file being included on your website, with newly-added options to include minified files from our settings page under General > Performance Optimization. We advise leaving this setting for now, until we confirm this false-positive has been acknowledged and updated by Avast themselves.

If you cannot or do not want to update to the latest version, there is another easy way to achieve the above, and that is to include the following line in your wp-config.php file:

define('EM_DEBUG', true);

In both cases, make sure you update your caches to ensure that the .min.js file is not being served anymore.

Now… onto a breakdown of what happened.

Our First Steps Taken

Security is our top priority, and therefore the first step we took was to take this threat seriously and check the validity of this claim.

Our first thought was that (an unfortunate coincidence in timing) maybe one of our accounts was compromised as per this recent WordPress post, and some malicious code had somehow made it into our recent update. We usually review every line of code being committed, but regardless…

We checked the SVN repository and compared the latest commit to one made three months ago. The affected lines in our main JavaScript file were correct. We then proceeded to re-minify the latest JS file locally, and compare the minified JS file we had with the one on the wordpress.org repo folder. They were the same. At this point we were fairly certain this was a false-positive, and informed our users of the current progress on both free and Pro forums.

Our focus was on the trunk folder in the SVN repo, because we don’t upload to the tags folder (the versioned folders, which are what WP uses to serve the latest stable updates). The SVN history did not indicate further changes to the tags folder either. We upload to the trunk folder and directly copy from there to a new tag folder. For the curious, this is what we do:

svn cp "https://plugins.svn.wordpress.org/events-manager/trunk/" "https://plugins.svn.wordpress.org/events-manager/tags/x.x.x" -m "tagging x.x.x"

We then proceeded to compare these files with some of the reportedly infected JS files on live user websites. They too were the same, so we concluded with confidence at this point it was a false positive.

Check for yourself!

We made a little script that checks files or URLs against each other to ensure they are identical in content, by comparing MD5 checksums. We have made it public for now, so anyone in doubt can check their own JS files against the same version in the tags folder. However, we highly doubt that your JS file is infected; this was a false-positive.
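As an added example (not the Events Manager team's published script), a checker in the same spirit: it hashes a local file or a URL and compares it with the same file in the plugin's wordpress.org tags folder, using the tag URL layout from the `svn cp` command above. The file's path inside the plugin is a placeholder you supply; the MD5 default matches the post, and sha256 is available as well.

```python
"""Compare a served/downloaded plugin file with the copy in the
wordpress.org SVN tags folder for the same plugin version.

Added example, not the Events Manager team's script. Assumes the tag layout
https://plugins.svn.wordpress.org/<plugin>/tags/<version>/<path-in-plugin>
"""
import hashlib
import sys
import urllib.request

SVN_BASE = "https://plugins.svn.wordpress.org"


def reference_url(plugin: str, version: str, rel_path: str) -> str:
    """URL of the reference copy in the plugin's versioned tag folder."""
    return f"{SVN_BASE}/{plugin}/tags/{version}/{rel_path.lstrip('/')}"


def digest(data: bytes, algo: str = "md5") -> str:
    """Hex checksum of the content (md5 as in the post, or e.g. sha256)."""
    return hashlib.new(algo, data).hexdigest()


def read_source(path_or_url: str, timeout: int = 20) -> bytes:
    """Read raw bytes from a local path or an http(s) URL."""
    if path_or_url.startswith(("http://", "https://")):
        with urllib.request.urlopen(path_or_url, timeout=timeout) as resp:
            return resp.read()
    with open(path_or_url, "rb") as fh:
        return fh.read()


def same_content(a: bytes, b: bytes, algo: str = "md5") -> bool:
    """True when both inputs hash to the same checksum."""
    return digest(a, algo) == digest(b, algo)


def check_against_tag(local: str, plugin: str, version: str, rel_path: str) -> bool:
    """Compare the file at `local` (path or URL) with its wordpress.org tag copy."""
    reference = read_source(reference_url(plugin, version, rel_path))
    return same_content(read_source(local), reference)


if __name__ == "__main__":
    # usage: python check_plugin_file.py <file-or-url> events-manager 4.6.8 <path/to/events-manager.min.js>
    local, plugin, version, rel_path = sys.argv[1:5]
    ok = check_against_tag(local, plugin, version, rel_path)
    print("identical" if ok else "DIFFERENT: inspect the file before trusting it")
    sys.exit(0 if ok else 1)
```

A mismatch is not proof of tampering on its own: a caching or optimization layer that rewrites scripts produces a different file, so compare the raw plugin file on disk (and the exact installed version) before drawing conclusions.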

‘Fixing’ the problem

Once we concluded that there was no virus or any foul play of any kind, we then started working on getting rid of these false notifications, since we understand that this would obviously scare any site visitors receiving this notice, true or not. Even though it was not our fault (or in our hands to fix the false-positive warning), it had to get resolved ASAP to prevent further unwanted consequences.

After reproducing this ourselves in a Windows environment with Avast installed, we confirmed that the non-minified version of events-manager.js loaded just fine without any warnings. We immediately decided that the best course of action was to release an update which reverts to including the regular .js file instead of the .min.js version.

Additionally, we reported the false positive to Avast, and hope they proceed to update their databases so this doesn’t keep happening and users can resume serving the minified JS files.

Conclusion

Hopefully, everyone updates or switches to serving unminified files, Avast fixes their side of things and we can all continue along! For now, the tradeoff is likely negligible for most – the difference in size between .js and .min.js is about 100Kb, which is less significant in these high-speed internet days, and bear in mind that this file is usually loaded once per visitor since browsers cache these sorts of files. Moreover, if you use CDNs then you are even less affected performance-wise.

Even with hindsight there’s not much (if anything) we could have done here to have prevented the problem. We did our utmost to react as quickly as possible. That said, we still send our sympathies to anyone affected by this incident.

Posterity

During the course of this day, we quickly created these blog posts and forum comments with some initial announcements to keep users informed. Here they are for posterity:

Main forum conversation on wordpress.org

Initial Announcements:

[June 3rd 15:16 UTC]

We have been made aware over the past 24 hours that Windows users with Avast AVG installed are getting erroneous virus warnings when visiting a website with Events Manager installed.

We have already confirmed that this is definitely a false-positive. We are working on a solution and will update you shortly here.

[June 3rd 16:13 UTC]

We have released version 6.9.10 which now loads the unminified JS file by default. We will follow up shortly.

Source: https://wp-events-plugin.com/blog/2024/07/03/false-positive-avast-anti-virus-security-threats/

Arbitrary Options Update Vulnerability Patched in WP Datepicker WordPress Plugin

On April 14th, 2024, during the Wordfence Bug Bounty Extravaganza a submission was received for an Arbitrary Options Update vulnerability in WP Datepicker, a WordPress plugin with more than 10,000 active installations. This vulnerability could be used by authenticated attackers, with subscriber-level access and above, to update arbitrary options which can easily be leveraged for privilege escalation.

Props to Lucio Sá who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $493.00 for this discovery during our Bug Bounty Program Extravaganza.

Paid Wordfence users received a firewall rule to protect against any exploits targeting this vulnerability on April 16, 2024. Sites using the free version of Wordfence will receive the same protection 30 days later on May 16, 2024.

Wordfence contacted the developer Fahad Mahmood on April 16, 2024, and received a response on the same day. After providing full disclosure details the next day, the developer released the first patch on the same day. A fully patched version, 2.1.1, was released on April 19, 2024. We would like to commend Fahad Mahmood for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of WP Datepicker, which is version 2.1.1, as soon as possible.

Stored XSS Fixed In Popup Builder 4.2.3

During an analysis of the Popup Builder plugin, WPScan discovered a pretty serious Stored XSS vulnerability that can be exploited by any attacker, regardless of whether they have an account on the site.

When successfully exploited, this vulnerability may let attackers perform any action the logged-in administrator they targeted is allowed to do on the targeted site, including installing arbitrary plugins, and creating new rogue Administrator users.

Upon identifying the vulnerability, we promptly alerted the authors of that plugin, who released version 4.2.3 to fix the issue. It is crucial for administrators of sites using this plugin to ensure it is fully updated to safeguard against this vulnerability.

Original report: https://a8cteam5105.wordpress.com/vulnerability/941a9aa7-f4b2-474a-84d9-9a74c99079e2/

Fix announcement and more details: https://a8cteam5105.wordpress.com/blog/stored-xss-fixed-in-popup-builder-4-2-3

Critical Unauthenticated Remote Code Execution Found in Backup Migration Plugin

On December 5th, 2023 Wordfence received a submission for a PHP Code Injection vulnerability in Backup Migration, a WordPress plugin with more than 90,000 active installations. This vulnerability makes it possible for unauthenticated threat actors to inject and execute arbitrary PHP code on WordPress sites that use this plugin.

Wordfence quickly released a firewall rule to paid Wordfence customers on December 6, 2023. Sites still running the free version of Wordfence will receive the same protection 30 days later, on January 5, 2024.

They contacted the BackupBliss team, makers of the Backup Migration plugin, on the same day they released the firewall rule. After providing full disclosure details, the team released a patch just hours later. Kudos to the BackupBliss team for an incredibly swift response and patch.

We urge users to update their sites with the latest patched version of Backup Migration, which is version 1.3.8 at the time of this writing, immediately.

Source and more details: https://www.wordfence.com/blog/2023/12/critical-unauthenticated-remote-code-execution-found-in-backup-migration-plugin/

See also: https://www.bleepingcomputer.com/news/security/50k-wordpress-sites-exposed-to-rce-attacks-by-critical-bug-in-backup-plugin/

Several Critical Vulnerabilities Patched in UserPro WordPress Plugin

On May 1, 2023, the Wordfence Threat Intelligence team began the responsible disclosure process for multiple high and critical severity vulnerabilities they discovered in Kirotech’s UserPro plugin, which is actively installed on more than 20,000 WordPress websites.

Firewall rules were released by Wordfence in May and July. Wordfence states that they have no evidence to suggest that these vulnerabilities were known or targeted during this period, nor have they seen any evidence that they are currently being targeted.

We made an initial attempt to contact Kirotech, the vendor of UserPro, on May 1, 2023, but we did not receive a response until May 10, 2023, after many additional attempts. After providing full disclosure details, the developer released the first patch on July 27, 2023, and the final patch on October 31, 2023.

We urge users to update their sites to the latest patched version of UserPro, which is version 5.1.5 at the time of this writing, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2023/11/several-critical-vulnerabilities-including-privilege-escalation-authentication-bypass-and-more-patched-in-userpro-wordpress-plugin

4 Million WordPress Sites affected by Stored Cross-Site Scripting Vulnerability in LiteSpeed Cache Plugin

The popular LiteSpeed WordPress plugin patched a vulnerability that affected over 4 million websites, allowing hackers to upload malicious scripts.

LiteSpeed was notified of the vulnerability two months ago on August 14th and released a patch in October.

Cross-Site Scripting (XSS) Vulnerability

Wordfence discovered a Cross-Site Scripting (XSS) vulnerability in the LiteSpeed plugin, the most popular WordPress caching plugin in the world.

XSS vulnerabilities generally take advantage of a missing security process: sanitizing input data and escaping output data.

Sanitization is a technique that filters what kind of files can be uploaded via a legitimate input, like on a contact form.

In the specific LiteSpeed vulnerability, the implementation of a shortcode functionality allowed a malicious hacker to upload scripts that they would not otherwise have been able to, had the proper security protocols of sanitizing and escaping data been in place.

The WordPress developer page describes the sanitization security practice:

“Untrusted data comes from many sources (users, third party sites, even your own database!) and all of it needs to be checked before it’s used.

…Sanitizing input is the process of securing/cleaning/filtering input data.”

Another WordPress developer page describes the recommended process of escaping data like this:

“Escaping output is the process of securing output data by stripping out unwanted data, like malformed HTML or script tags.

This process helps secure your data prior to rendering it for the end user.”

This specific vulnerability requires that the hacker first obtain contributor level permissions in order to carry out the attack, which makes carrying out the attack more complicated than other kinds of threats that are unauthenticated (require no permission level).

According to Wordfence:

“This makes it possible for threat actors to carry out stored XSS attacks. Once a script is injected into a page or post, it will execute each time a user accesses the affected page.

While this vulnerability does require that a trusted contributor account is compromised, or a user be able to register as a contributor, successful threat actors could steal sensitive information, manipulate site content, inject administrative users, edit files, or redirect users to malicious websites which are all severe consequences.”

Which Versions of LiteSpeed Plugin Are Vulnerable?

Versions 5.6 and earlier of the LiteSpeed Cache plugin are vulnerable to the XSS attack.

Users of the LiteSpeed Cache plugin are encouraged to update as soon as possible to the latest version, 5.7, which was released on October 10, 2023.

Source and more details: https://www.wordfence.com/blog/2023/10/4-million-wordpress-sites-affected-by-stored-cross-site-scripting-vulnerability-in-lightspeed-cache-plugin/

See also: https://www.searchenginejournal.com/wordpress-litespeed-plugin-vulnerability-affects-4-million-websites/499074/#close