Wordfence Firewall Blocks Bizarre Large-Scale XSS Campaign

The Wordfence Threat Intelligence team has been monitoring an increase in attacks targeting a Cross-Site Scripting vulnerability in Beautiful Cookie Consent Banner, a WordPress plugin installed on over 40,000 sites. The vulnerability, which was fully patched in January in version 2.10.2, offers unauthenticated attackers the ability to add malicious JavaScript to a website, potentially allowing redirects to malvertising sites as well as the creation of malicious admin users, both of which are appealing use cases for attackers.

All Wordfence sites are protected against this vulnerability by the Wordfence Firewall’s built-in Cross-Site Scripting protection. Note that since this vulnerability did not require a separate firewall rule, statistics for it are not currently publicly available on Wordfence Intelligence, as they are aggregated under the general Cross-Site Scripting chart, where it currently accounts for roughly over two-thirds of all attacks blocked by the rule.

According to Wordfence records, the vulnerability has been actively attacked since February 5, 2023, but this is the largest attack against it that they have seen. Wordfence has blocked nearly 3 million attacks against more than 1.5 million sites, from nearly 14,000 IP addresses since May 23, 2023, and attacks are ongoing.

It is believed that this is the work of a single actor, as every single attack contained a partial payload of onmouseenter=" and no further functioning JavaScript. It is likely that this set of attacks is being performed using a misconfigured exploit that expects a customized payload, and that the attacker has simply failed to provide one.

Even so, if your website is running a vulnerable version of the plugin and you are not currently using Wordfence or another Web Application Firewall, these attacks do have the potential to corrupt the configuration of the plugin, which can break its intended functionality. We still recommend updating to the latest version, which is 2.13.0 at the time of this writing, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2023/05/wordfence-firewall-blocks-bizarre-large-scale-xss-campaign

WordPress 6.2.2 Security Release

The 6.2.2 minor release addresses 1 bug and 1 security issue. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 5.9 have also been updated.

WordPress 6.2.2 is a rapid response release to address a regression in 6.2.1 and further patch a vulnerability addressed in 6.2.1. The next major release will be version 6.3 planned for August 2023.

The update process will begin automatically if you have sites that support automatic background updates.

You can download WordPress 6.2.2 from WordPress.org or visit your WordPress Dashboard, click “Updates,” and click “Update Now.”

Full info: https://wordpress.org/news/2023/05/wordpress-6-2-2-security-release/

WordPress Core 6.2.1 Security & Maintenance Release – What You Need to Know

On May 16, 2023, the WordPress core team released WordPress 6.2.1, which contains patches for 5 vulnerabilities, including a Medium-Severity Directory Traversal vulnerability, a Medium-Severity Cross-Site Scripting vulnerability, and several lower-severity vulnerabilities.

These patches have been backported to every version of WordPress since 4.1. WordPress has supported automatic core updates for security releases since WordPress 3.7, and the vast majority of WordPress sites should receive a patch for their major version of WordPress automatically over the next 24 hours. We recommend verifying that your site has been automatically updated to one of the patched versions. Patched versions are available for every major version of WordPress since 4.1, so you can update without risking compatibility issues.

If your site has not been updated automatically we strongly recommend updating manually as soon as possible, as one of the vulnerabilities patched in this release can be used by an attacker with a low-privileged contributor-level account to take over a site.


Vulnerability Analysis

As with every WordPress core release containing security fixes, the Wordfence Threat Intelligence team analyzed the code changes in detail to evaluate the impact of these vulnerabilities on our customers, and to ensure our customers remain protected.

WordPress Core is vulnerable to Directory Traversal in versions up to, and including, 6.2, via the ‘wp_lang’ parameter. This allows unauthenticated attackers to access and load arbitrary translation files. In cases where an attacker is able to upload a crafted translation file onto the site, such as via an upload form, this could also be used to perform a Cross-Site Scripting attack. This vulnerability would not be easy to exploit in an impactful manner on most configurations.

WordPress Core is vulnerable to Cross-Site Request Forgery due to missing nonce validation on the ‘wp_ajax_set_attachment_thumbnail’ AJAX function in versions up to, and including, 6.2. This allows unauthenticated users to update the thumbnail image associated with existing attachments, granted they can trick an authenticated user with appropriate permissions into performing an action, such as clicking a link. The impact of this vulnerability is incredibly minimal and we do not expect to see any exploitation of this weakness.

WordPress Core is vulnerable to stored Cross-Site Scripting in versions up to, and including, 6.2, due to insufficient validation of the protocol in the response when processing oEmbed discovery. This makes it possible for authenticated attackers with contributor-level and above permissions to use a crafted oEmbed payload at a remote URL to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

WordPress Core fails to sufficiently sanitize block attributes in versions up to, and including, 6.2. This makes it possible for authenticated attackers with contributor-level and above permissions to embed arbitrary content in HTML comments on the page, though Cross-Site Scripting may be possible when combined with an additional vulnerability. Please note that this would only affect sites utilizing a block editor compatible theme.

WordPress Core processes shortcodes in user-generated content on block themes in versions up to, and including, 6.2. This could allow unauthenticated attackers to execute shortcodes via submitting comments or other content, allowing them to exploit vulnerabilities that typically require Subscriber or Contributor-level permissions. While this is likely to have minimal impact on its own, it can significantly increase the severity and exploitability of other vulnerabilities.

Conclusion

In today’s article, we covered five vulnerabilities patched in the WordPress 6.2.1 Security and Maintenance Release. Most actively used WordPress sites should be patched via automatic updates within the next 24 hours.

The Wordfence firewall’s built-in directory traversal protection should block attempts to exploit the directory traversal vulnerability, and it would typically only be impactful when exploited by a skilled attacker in certain configurations. Most of the other issues fixed today are similar in that they require specific configurations or circumstances, such as other vulnerable plugins, to impactfully exploit.

However, we urge all site owners to verify that WordPress is updated as soon as possible since it is not practical to deploy a firewall rule that protects against the oEmbed issue and as such any site with untrusted contributor-level users may be at risk.

As always, we strongly recommend updating your site to a patched version of WordPress if it hasn’t been updated automatically. As long as you are running a version of WordPress greater than 4.1, an update is available to patch these vulnerabilities while keeping you on the same major version, so you will not need to worry about compatibility issues.

Source and more details: https://www.wordfence.com/blog/2023/05/wordpress-core-6-2-1-security-maintenance-release-what-you-need-to-know

Norton LifeLock says thousands of customer accounts breached

Thousands of Norton LifeLock customers had their accounts compromised in recent weeks, potentially allowing criminal hackers access to customer password managers, the company revealed in a recent data breach notice.

In a notice to customers, Gen Digital, the parent company of Norton LifeLock, said that the likely culprit was a credential stuffing attack — where previously exposed or breached credentials are used to break into accounts on different sites and services that share the same passwords — rather than a compromise of its systems. It’s why two-factor authentication, which Norton LifeLock offers, is recommended, as it blocks attackers from accessing someone’s account with just their password.

The company said it found that the intruders had compromised accounts as far back as December 1, close to two weeks before its systems detected a “large volume” of failed logins to customer accounts on December 12.

“In accessing your account with your username and password, the unauthorized third party may have viewed your first name, last name, phone number, and mailing address,” the data breach notice said. The notice was sent to customers that it believes use its password manager feature, because the company cannot rule out that the intruders also accessed customers’ saved passwords.

Gen Digital said it sent notices to about 6,450 customers whose accounts were compromised.

Norton LifeLock provides identity protection and cybersecurity services. It’s the latest incident involving the theft of customer passwords of late. Earlier this year, password manager giant LastPass confirmed a data breach in which intruders compromised its cloud storage and stole millions of customers’ encrypted password vaults. In 2021, the company behind a popular enterprise password manager called Passwordstate was hacked to push a tainted software update to its customers, allowing the cybercriminals to steal customers’ passwords.

That said, password managers are still widely recommended by security professionals for generating and storing unique passwords, so long as the appropriate precautions and protections are put in place to limit the fallout in the event of a compromise.

Source and more details: Norton LifeLock says thousands of customer accounts breached | TechCrunch

Popular password managers auto-filled credentials on untrusted websites

Security shortcomings mean that multiple password managers could be tricked into auto-filling credentials on untrusted pages, security researchers at Google warn.

The team from Google went public with their findings on Tuesday (17 January), 90 days after notifying the applications – Dashlane, Bitwarden, and the built-in password manager bundled with Apple’s Safari browser – of the vulnerabilities.

Both Dashlane and Bitwarden have updated their software although Dashlane, at least, remains unconvinced that the bug represents any kind of security threat. The status of any fix for Apple’s Safari built-in password manager remains unconfirmed at the time of writing. The Daily Swig has asked Apple to comment and we’ll update this story as and when more information comes to hand.

The security shortcomings outlined by Google mean that the vulnerable password managers auto-fill credentials into untrusted pages, without first requiring users to enter their master password.

An advisory from Google explains that the issue arises in two scenarios: where web pages have a CSP (content security policy) sandbox response header or where forms are inside a sandboxed iframe.

Auto-filling by password managers should not happen in either scenario but the affected applications all fail in this regard when encountering sandboxed content. Other password managers (including LastPass, 1Password, and Google Chrome’s password vault technology) avoid this mistake, said Google.

“Password managers should check whether content is sandboxed before auto-filling credentials. This can be done in many ways, but one way is to check self.origin of a page and refusing to fill in credentials if self.origin is ‘null’,” according to the Google advisory.
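The origin check the advisory recommends, as an added example that is not code from Google or any of the vendors named here. The `ctx` object, the `login.example.test` site and the URL-based variant are assumptions made for contrast; the page does not say how the affected products matched pages.

```javascript
'use strict';

// ctx is a hypothetical snapshot a content script takes of its own frame:
//   ctx.url    = location.href
//   ctx.origin = self.origin

// Weak variant (constructed for contrast): decides from the frame's URL alone.
// A sandboxed document keeps its URL, so the saved site still appears to match.
function shouldFillByUrl(ctx, savedOrigin) {
  return new URL(ctx.url).origin === savedOrigin;
}

// Hardened variant: sandboxed content runs with an opaque origin, which
// self.origin serializes as the string "null". Refuse before any matching.
function shouldFillByOrigin(ctx, savedOrigin) {
  if (ctx.origin === 'null') {
    return { fill: false, reason: 'sandboxed content (opaque origin)' };
  }
  if (ctx.origin !== savedOrigin) {
    return { fill: false, reason: 'no credential saved for this origin' };
  }
  return { fill: true, reason: 'origin matches saved entry' };
}

// Constructed frames; login.example.test is a placeholder site.
const SAVED_ORIGIN = 'https://login.example.test';
const FRAMES = {
  topLevelLogin: { url: 'https://login.example.test/signin', origin: 'https://login.example.test' },
  cspSandboxedPage: { url: 'https://login.example.test/user-content/1', origin: 'null' },
  sandboxedIframe: { url: 'https://login.example.test/widget', origin: 'null' },
  unrelatedSite: { url: 'https://other.example.test/', origin: 'https://other.example.test' },
};

// Runs both checks over every constructed frame for side-by-side comparison.
function compareDecisions() {
  return Object.entries(FRAMES).map(([name, ctx]) => ({
    frame: name,
    byUrl: shouldFillByUrl(ctx, SAVED_ORIGIN),
    byOrigin: shouldFillByOrigin(ctx, SAVED_ORIGIN).fill,
  }));
}

console.table(compareDecisions());
```

The two sandboxed rows are the ones where the checks disagree: the URL still names the saved site, while the origin is `null`.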

Real world impact

In response to a query from The Daily Swig, Bitwarden confirmed that the issue had been resolved through a recent pull request. Dashlane told The Daily Swig that it had also updated its technology even though it remains unconvinced there was ever a substantive problem in play.

“We never submit or propose credentials for a domain when it has not been saved by the user previously – so in that specific use case, we don’t see a concrete attack scenario that would lead to credential stealing.

“The findings published by Google’s security team have been helpful in improving the way we communicate with our customers in autofill scenarios.

“We always welcome collaborating with security researchers to identify threats and potential attacks so that we can evolve our security architecture and keep offering the highest level of protection to our users.”

Google is yet to respond to a request from The Daily Swig to comment on Dashlane’s remarks about its research findings.

Source and more details: Popular password managers auto-filled credentials on untrusted websites | The Daily Swig (portswigger.net)

Multiple Vulnerabilities Patched in Shield Security

The Wordfence Threat Intelligence team began the responsible disclosure process for two vulnerabilities in Shield Security, a security plugin with over 50,000 installations. One of these vulnerabilities allowed unauthenticated attackers to inject malicious JavaScript into an administrator dashboard in some configurations, while another allowed authenticated attackers to spoof log entries into the same dashboard, which could also be used to exploit the first vulnerability in configurations where the unauthenticated technique was not viable.

The Shield Security plugin for WordPress is vulnerable to stored Cross-Site Scripting in versions up to, and including, 17.0.17 via the ‘User-Agent’ header. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Shield Security plugin for WordPress is vulnerable to Missing Authorization on the ‘theme-plugin-file’ AJAX action in versions up to, and including, 17.0.17. This allows authenticated attackers to add arbitrary audit log entries indicating that a theme or plugin has been edited, and is also a vector for Cross-Site Scripting via CVE-2023-0992.

The Shield Security plugin includes a number of features, including an audit log that records certain types of suspicious activity, such as plugin and theme installation, modification, post deletion, and other types of activity that might impact the site. While most of these events require authentication or higher privileges in order to trigger, we found that certain events could be triggered by unauthenticated users. In particular, failed attempts to authenticate using application passwords, new user registrations, and spam activity are among the actions recorded for unauthenticated users.

The audit log records metadata about the client that performed the logged activity, including the client’s User-Agent, which can be accessed by clicking the “Meta” tag icon on an audit log entry. Unfortunately, the metadata was not escaped when it was output. While most of the metadata collected about a request has a very strict format and can only be spoofed to a limited extent, User-Agent strings are alphanumeric, and we were able to inject a script in an iframe in the User-Agent header that fired when an administrator viewed an event entry.
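A defender-side triage for the User-Agent issue described above, as an added example that is not code from Wordfence or the Shield Security plugin: it scans web server access log lines for markup in the User-Agent field and escapes each value before it is reported. It assumes the server writes Combined Log Format; the sample lines, IP addresses and requests are constructed.

```javascript
'use strict';

// Combined Log Format: ip - user [time] "request" status bytes "referer" "user-agent"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "([^"]*)" (\d{3}) \S+ "([^"]*)" "(.*)"$/;

// Markup that has no place in a real browser's User-Agent string.
const RULES = [
  { name: 'html-tag', re: /<\s*\/?\s*[a-z!]/i },
  { name: 'event-handler-attr', re: /\bon[a-z]{3,}\s*=/i },
  { name: 'javascript-uri', re: /javascript\s*:/i },
];

// Escape for HTML text and attribute context, so the triage report cannot
// itself carry a stored payload to whoever reads it.
function escapeHtml(s) {
  return s.replace(/[&<>"']/g, (c) => (
    { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]
  ));
}

// Returns one finding per log line whose User-Agent matches any rule.
function flagUserAgents(lines) {
  const findings = [];
  for (const line of lines) {
    const m = LINE_RE.exec(line);
    if (!m) continue; // not in Combined Log Format; skipped here
    const [, ip, time, request, status, , userAgent] = m;
    const hits = RULES.filter((r) => r.re.test(userAgent)).map((r) => r.name);
    if (hits.length > 0) {
      findings.push({
        ip, time, request, status: Number(status), hits,
        safeUserAgent: escapeHtml(userAgent),
      });
    }
  }
  return findings;
}

// Constructed sample lines (documentation IP ranges, made-up requests).
const SAMPLE_LOG = [
  '203.0.113.7 - - [10/Apr/2023:10:00:01 +0000] "GET / HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/111.0"',
  '198.51.100.9 - - [10/Apr/2023:10:00:05 +0000] "POST /wp-login.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0 <iframe src=about:blank>"',
  '198.51.100.23 - - [10/Apr/2023:10:00:09 +0000] "GET /wp-json/ HTTP/1.1" 401 87 "-" "agent/1.0 onmouseenter=\\x22"',
];

console.log(flagUserAgents(SAMPLE_LOG));
```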

Source and more details: https://www.wordfence.com/blog/2023/04/multiple-vulnerabilities-patched-in-shield-security

Blubrry Addresses Authenticated Stored XSS Vulnerability in PowerPress WordPress Plugin

On April 5, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting (XSS) vulnerability in Blubrry’s PowerPress plugin, which is actively installed on more than 50,000 WordPress websites. The vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages using the plugin’s shortcode.

We contacted Blubrry on April 6, 2023, and promptly received a response. After providing full disclosure details, the developer released a patch on April 10, 2023. We commend the PowerPress development team for their swift response and timely patch release.

We urge users to update their sites with the latest patched version of PowerPress, version 10.0.4 at the time of this writing, as soon as possible.

Technical Analysis

PowerPress is a plugin that allows WordPress users to publish and manage podcasts. It provides a shortcode ([powerpress]) that allows users to display the PowerPress player on a WordPress page. However, insecure implementation of the plugin’s shortcode functionality allows for the injection of arbitrary web scripts into these pages. A closer examination of the code reveals that the ‘powerpress_shortcode_handler’ function did not adequately sanitize user-supplied input and a number of functions (for various podcast player options) that utilize the shortcode attributes did not adequately escape output.

This makes it possible for threat actors to carry out stored XSS attacks. Once a script is injected, it will execute each time a user accesses the affected page. Threat actors could potentially steal sensitive information, manipulate site content, or redirect users to malicious websites.

Source and more details: https://www.wordfence.com/blog/2023/04/blubrry-addresses-authenticated-stored-xss-vulnerability-in-powerpress-wordpress-plugin

Hiding in Plain Sight: Cross-Site Scripting Vulnerabilities Patched in Weaver Products

On March 14, 2023, the Wordfence Threat Intelligence team initiated the responsible disclosure process for 2 nearly identical Cross-Site Scripting vulnerabilities in the Weaver Xtreme theme and the Weaver Show Posts plugin, which each have over 10,000 installations. The plugin developer responded the same day and we provided full disclosure.

A patched version of the Weaver Show Posts plugin, 1.7, was released on April 1, 2023, while the patched version 6.2 of the Weaver Xtreme theme became available on April 5, 2023.

The Weaver Xtreme theme for WordPress is vulnerable to stored Cross-Site Scripting due to insufficient escaping of the profile display name in versions up to, and including, 5.0.7. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

The Weaver Show Posts plugin for WordPress is vulnerable to stored Cross-Site Scripting due to insufficient escaping of the profile display name in versions up to, and including, 1.6. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Source and more details: https://www.wordfence.com/blog/2023/04/hiding-in-plain-sight-cross-site-scripting-vulnerabilities-patched-in-weaver-products

Severe Vulnerability Impacting 600,000 Sites Patched in Limit Login Attempts

The Wordfence team responsibly disclosed an unauthenticated stored Cross-Site Scripting vulnerability in Limit Login Attempts, a WordPress plugin installed on over 600,000 sites that provides site owners with the ability to block IP addresses that have made repeated failed login attempts.

The plugin is vulnerable in versions up to, and including, 1.7.1. A patch addressing this vulnerability was released on April 4, 2023 as version 1.7.2. We recommend all site owners update to version 1.7.2 as soon as possible.

All Wordfence users, including those still using the free version of the plugin, are protected by the Wordfence firewall against any exploits targeting this vulnerability.

Source and more details: https://www.wordfence.com/blog/2023/04/update-now-severe-vulnerability-impacting-600000-sites-patched-in-limit-login-attempts

Privilege Escalation Vulnerability Patched Promptly in WP Data Access WordPress Plugin

On April 5, 2023 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability we discovered in WP Data Access, a WordPress plugin that is installed on over 10,000 sites. This flaw makes it possible for an authenticated attacker to grant themselves administrative privileges via a profile update, if the targeted site has the ‘Role Management’ setting enabled.

Source and more details: https://www.wordfence.com/blog/2023/04/privilege-escalation-vulnerability-patched-promptly-in-wp-data-access-wordpress-plugin