WordPress 5.8.1 Security and Maintenance Release

WordPress 5.8.1 was released earlier this evening.

This security and maintenance release features 60 bug fixes in addition to 3 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 5.4 have also been updated.

WordPress 5.8.1 is a short-cycle security and maintenance release. The next major release will be version 5.9.

3 security issues affect WordPress versions between 5.4 and 5.8. If you haven’t yet updated to 5.8, all WordPress versions since 5.4 have also been updated to fix the security issues.

Full details at https://wordpress.org/news/2021/09/wordpress-5-8-1-security-and-maintenance-release/

Apple Delays Plans to Scan Devices for Child Abuse Images After Privacy Backlash

Apple is temporarily hitting the pause button on its controversial plans to screen users’ devices for child sexual abuse material (CSAM) after receiving sustained blowback over worries that the tool could be weaponized for mass surveillance and erode the privacy of users.

“Based on feedback from customers, advocacy groups, researchers, and others, we have decided to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features,” the iPhone maker said in a statement on its website.

The announcement, however, doesn’t make it clear as to the kind of inputs it would be gathering, the nature of changes it aims to devise, or how it intends to implement the system in a way that mitigates the privacy and security concerns that could arise once it’s deployed.

The changes were originally slated to go live with iOS 15 and macOS Monterey later this year, starting with the U.S.

Full article: https://thehackernews.com/2021/09/apple-delays-plans-to-scan-devices-for.html

WordPress Update to 5.8

WordPress 5.8 was released on July 20 and nearly all our client’s sites were updated the same day.

This release includes additional improvements to the Block editing system, drops support for Internet Explorer 11, and adds support for the reasonably new WebP image format. WebP images are around 30% smaller on average than their JPEG or PNG equivalents, resulting in sites that are faster and use less bandwidth.

Full details on the release: https://wordpress.org/news/2021/07/tatum/

Security Vulnerability Discovered in FileBird Plugin; Update Available

On June 9, 2021, a 10up Engineer conducted a routine code review of the FileBird plugin on behalf of a client. The code review followed 10up’s Engineering Best Practices and focused on areas that did not pass our initial automated scans. It uncovered that the code was vulnerable to a Blind SQL Injection attack — a clever type of exploit that involves sending “yes or no” questions to MySQL to extract information from the database when it cannot be output directly to the browser.

That same day, our team responsibly disclosed the vulnerability. We reached out to the team at WPScan, who we’ve previously collaborated with on our WP-CLI Vulnerability Scanner and WordPress Composer Scanner, to report the vulnerability and collaborate on disclosure.

The FileBird plugin authors responded quickly and responsibly, and issued a patch within 36 hours.

This is a critical vulnerability that only impacts version 4.7.3 of the FileBird plugin. It does not impact any previous versions and has been patched in version 4.7.4. All users of FileBird version 4.7.3 are advised to upgrade immediately.

Source and more details: https://10up.com/blog/2021/security-vulnerability-filebird-wordpress-plugin/

Easily Exploitable Critical Vulnerabilities Patched in ProfilePress Plugin

The Wordfence Threat Intelligence team initiated the responsible disclosure process for several vulnerabilities that were discovered in ProfilePress, formerly WP User Avatar, a WordPress plugin installed on over 400,000 sites. These flaws made it possible for an attacker to upload arbitrary files to a vulnerable site and register as an administrator on sites even if user registration was disabled, all without requiring any prior authentication.

A patch was quickly released on May 30, 2021 as version 3.1.4.

Source: https://www.wordfence.com/blog/2021/06/easily-exploitable-critical-vulnerabilities-patched-in-profilepress-plugin

Cross-Site Request Forgery Patched in WP Fluent Forms

Wordfence Threat Intelligence team responsibly disclosed a Cross-Site Request Forgery(CSRF) vulnerability in WP Fluent Forms, a WordPress plugin installed on over 80,000 sites. This vulnerability also allowed a stored Cross-Site Scripting(XSS) attack which, if successfully exploited, could be used to take over a site.

A patched version of the plugin, 3.6.67, was released on March 5, 2021

Source: https://www.wordfence.com/blog/2021/06/cross-site-request-forgery-patched-in-wp-fluent-forms

High Severity Vulnerability Patched in WooCommerce Stock Manager Plugin

The Wordfence Threat Intelligence team discovered and reported a vulnerability in WooCommerce Stock Manager, a WordPress plugin installed on over 30,000 sites. This flaw made it possible for an attacker to upload arbitrary files to a vulnerable site and achieve remote code execution, as long as they could trick a site’s administrator into performing an action like clicking on a link.

A patch was quickly released on May 28, 2021 in version 2.6.0.

Source: https://www.wordfence.com/blog/2021/06/high-severity-vulnerability-patched-in-woocommerce-stock-manager-plugin

Malicious Attack Campaign Targeting Jetpack Users Reusing Passwords

The Wordfence Threat Intelligence and Site Cleaning teams have been tracking a malware campaign that redirects all site visitors to malvertising domains, while attempting to keep site administrators unaware of the infection. Since June 1, 2021, the number of sites we are tracking that have been infected with this malware has more than doubled, and we expect this campaign to continue gaining momentum as it relies on a mechanism that is difficult to block directly.

Jetpack is one of the most popular plugins in the WordPress repository, and it has a dizzying array of features that require users to connect their sites to a WordPress.com account. One of these features allows users that are logged in to WordPress.com to perform administrative tasks, including plugin installation, on sites that are connected to WordPress.com via Jetpack.

Unfortunately this means that if the credentials for a WordPress.com account are compromised, an attacker can login to that WordPress.com account and install arbitrary plugins on the connected WordPress site no matter where it is hosted. This includes the malicious plugin used in this campaign. We’ve written about this intrusion vector in the past, and it is regaining popularity due to a number of recent data breaches from other services.

To clarify, no data breach has occurred at WordPress.com itself. However, password reuse is incredibly common, and credentials obtained from recent data breaches are likely to grant access to a number of WordPress.com user accounts. Additionally, although it is possible to configure Jetpack to allow direct login to a site via WordPress.com credentials, this setting does not need to be enabled in order for a site to be vulnerable. All that is required is that a site be connected to a WordPress.com account that has compromised credentials.

What should I do?

If you use Jetpack, you should turn on 2-Factor authentication at WordPress.com. While we strongly recommend using a mobile app or security key for this, even SMS-based 2-Factor authentication is significantly more secure than relying on passwords alone.

If you use the same password for your WordPress.com account that you’ve used for any other service, change your WordPress.com password immediately.

Source: https://www.wordfence.com/blog/2021/06/malicious-attack-campaign-targeting-jetpack-users-reusing-passwords

Critical 0-day in Fancy Product Designer Under Active Attack

A patched version of Fancy Product Designer, 4.6.9, is now available as of June 2, 2021. This article has been updated to reflect newly available information, including Indicators of Compromise.

On May 31, 2021, the Wordfence Threat Intelligence team discovered a critical file upload vulnerability being actively exploited in Fancy Product Designer, a WordPress plugin installed on over 17,000 sites.

We initiated contact with the plugin’s developer the same day and received a response within 24 hours. We sent over the full disclosure the same day we received a response, on June 1, 2021. Due to this vulnerability being actively attacked, we are publicly disclosing with minimal details until users have time to update to the patched version in order to alert the community to take precautions to keep their sites protected.

While the Wordfence Firewall’s built-in file upload protection sufficiently blocks the majority of attacks against this vulnerability, we determined that a bypass was possible in some configurations. As such, we released a new firewall rule to our premium customers on May 31, 2021. Sites still running the free version of Wordfence will receive the rule after 30 days, on June 30, 2021.

As this is a Critical 0-day under active attack and is exploitable in some configurations even if the plugin has been deactivated, we urge anyone using this plugin to update to the latest version available, 4.6.9, immediately.

Source: https://www.wordfence.com/blog/2021/06/critical-0-day-in-fancy-product-designer-under-active-attack