All in One SEO – Stored XSS to Admin Account Creation (Contributor+) Critical-High – POC (Proof of Concept)

A security flaw has been discovered in the widely used WordPress plugin All in One SEO, which has more than 3 million installations; it is tracked as CVE-2024-3368. The vulnerability is a Stored Cross-Site Scripting (XSS) issue that lets a contributor-level user inject JavaScript which later runs in the browser of whoever views the content, including administrators, and can therefore be used to create an administrator account.

Discovery of the Vulnerability

During routine testing, security researchers identified a vulnerability in the All in One SEO plugin that lets a contributor-level user store arbitrary JavaScript in the SEO fields of a WordPress post. Because that script runs in the browser of any privileged user who views the post, it can be used to perform actions with the victim's privileges, up to creating an administrator account, putting millions of websites at risk of compromise.

Understanding of Stored XSS attacks

Stored XSS occurs when user-supplied data is saved on the server and later rendered into a web page without proper validation or output encoding. In WordPress, attackers can exploit such a flaw by injecting malicious code into posts, comments, or metadata fields; the code then runs in the browser of everyone who views the affected page, which can lead to unauthorized actions or data theft.

Exploiting the Stored XSS Vulnerability

By leveraging the vulnerability in All in One SEO, an attacker with a contributor account can craft a post whose SEO section contains JavaScript. When an administrator or other privileged user views the compromised content, the script executes with that user's session, potentially resulting in the creation of admin accounts, data theft, or further exploitation.
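The mechanism described in the two sections above, as an added illustration that is not code from All in One SEO or from the CleanTalk write-up: a post-level SEO field rendered into a meta tag without encoding, next to a save-side filter and an output-side encoder. The function names, the sample input and the WordPress equivalents named in the comments are the editor's assumptions; the block runs stand-alone with the PHP CLI.

```php
<?php
// Added illustration (not All in One SEO's code): how an SEO field saved from
// a post becomes stored XSS, and the two places a plugin has to defend it.
// Runs stand-alone with `php xss_demo.php`. In WordPress, sanitize_on_save()
// corresponds to sanitize_text_field() and the output encoding to esc_attr().

// Constructed sample: what a contributor typed into a post's SEO description box.
$submitted = 'Great post"><script>alert(document.domain)</script>';

// Vulnerable: the stored value is dropped into a meta tag untouched, so the
// quote closes the attribute and the script becomes live markup.
function render_description_vulnerable(string $stored): string
{
    return '<meta name="description" content="' . $stored . '">';
}

// Hardened, save side: strip markup and control characters before storing.
// Contributors do not hold the unfiltered_html capability, so a plugin field
// saved from the post editor needs its own filtering.
function sanitize_on_save(string $raw): string
{
    $clean = strip_tags($raw);
    $clean = preg_replace('/[\x00-\x1F\x7F]/', '', $clean);
    return trim($clean);
}

// Hardened, output side: encode for the HTML attribute context whatever is
// stored. This is the control that holds even if the save-side filter is
// bypassed (for example by data written through another code path).
function render_description_hardened(string $stored): string
{
    $encoded = htmlspecialchars($stored, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return '<meta name="description" content="' . $encoded . '">';
}

// Small check a reviewer can run over rendered output.
function contains_script_element(string $html): bool
{
    return (bool) preg_match('/<script\b/i', $html);
}

$vulnerable   = render_description_vulnerable($submitted);
$hardened     = render_description_hardened(sanitize_on_save($submitted));
$escaped_only = render_description_hardened($submitted); // no save filter at all

echo $vulnerable, PHP_EOL;
echo $hardened, PHP_EOL;
var_dump(contains_script_element($vulnerable));   // bool(true)
var_dump(contains_script_element($hardened));     // bool(false)
var_dump(contains_script_element($escaped_only)); // bool(false): output encoding alone defuses it
```

The third check is the one worth remembering when reviewing a plugin: save-side filtering is useful, but it is the encoding at the point of output that decides whether stored data can become markup.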

With over 3 million active installations, the CVE-2024-3368 vulnerability in All in One SEO poses a severe risk to WordPress websites globally. Attackers could exploit this flaw to gain unauthorized access, deface websites, steal sensitive information, or distribute malware, causing significant harm to site owners and visitors.

Recommendations for Improved Security

To mitigate the risk posed by CVE-2024-3368 and similar vulnerabilities, WordPress site owners are urged to update the All in One SEO plugin to the latest patched version immediately. Additionally, regular security audits, robust access controls, and the implementation of web application firewalls (WAFs) can help safeguard against XSS attacks and other security threats.

Source and more details: https://research.cleantalk.org/cve-2024-3368/

WordPress 6.5.3 Maintenance Release

This minor release features 12 bug fixes in Core and 9 bug fixes for the block editor. You can review a summary of the maintenance updates in this release by reading the Release Candidate announcement.

WordPress 6.5.3 is a short-cycle release. The next major release will be version 6.6 planned for July 2024.

If you have sites that support automatic background updates, the update process will begin automatically.

You can download WordPress 6.5.3 from WordPress.org, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”.

For more information on this release, please visit the HelpHub site.

Source: https://wordpress.org/news/2024/05/wordpress-6-5-3-maintenance-release/

WordPress 6.5.2 released: Unauthenticated Stored Cross-Site Scripting Vulnerability Patched in WordPress Core

WordPress 6.5.2 was released on April 9, 2024. It included a single security patch, along with a handful of bug fixes. The security patch was for a Stored Cross-Site Scripting vulnerability that could be exploited both by unauthenticated users, when a comment block is present on a page, and by authenticated users who have access to the block editor, such as contributors.

All Wordfence users are already protected against exploits targeting this vulnerability through unauthenticated methods. Users of paid versions of Wordfence received a firewall rule to protect against any exploits targeting this vulnerability through authenticated methods on April 10, 2024. Sites using the free version of Wordfence will receive the same protection 30 days later on May 10, 2024.

The patch has been backported to version 6.1 and later of WordPress. We urge all WordPress users to verify that their sites are updated to 6.5.2, or another backported security release, immediately as this issue could allow full site takeover when the right conditions are met. Most sites should have auto-updated, however, it’s a good idea to verify the auto-update was successful.

Source and more info: https://www.wordfence.com/blog/2024/04/unauthenticated-stored-cross-site-scripting-vulnerability-patched-in-wordpress-core

see also: https://wpscan.com/blog/unauthenticated-stored-xss-fixed-in-wordpress-core/

Privilege Escalation and Local File Inclusion Vulnerabilities Patched in MasterStudy LMS WordPress Plugin

On February 25th, 2024, during the second Wordfence Bug Bounty Extravaganza, a submission was received for a Privilege Escalation vulnerability in MasterStudy LMS, a WordPress plugin with more than 10,000 active installations. This vulnerability makes it possible for an unauthenticated attacker to grant themselves administrative privileges by updating user metadata during registration. The next day on February 26th, 2024, and later on March 31st, we also received submissions for a Local File Inclusion vulnerability in the MasterStudy LMS WordPress plugin. This vulnerability makes it possible for unauthenticated attackers to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files.
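An added example of the registration pattern described above (illustrative code by the editor, not MasterStudy LMS's): a handler that copies every submitted field into user meta, next to one that copies only an allowlist of profile fields and sets the role server-side. The request body and field names are constructed; in WordPress the meta store would be update_user_meta(), and wp_capabilities is the meta key that decides a user's roles.

```php
<?php
// Added illustration, not MasterStudy LMS code: the registration pattern that
// lets a self-registering user escalate, and an allowlisted rewrite.
// In WordPress the store below would be update_user_meta(); the special key
// 'wp_capabilities' holds the serialized array that decides a user's roles.

// Constructed sample: a registration request body as an attacker would send it
// (wp_capabilities[administrator]=1 in form encoding arrives as an array).
$request = [
    'user_login'      => 'student42',
    'user_email'      => 'student42@example.invalid',
    'phone'           => '555-0100',
    'wp_capabilities' => ['administrator' => true],   // smuggled field
];

// Vulnerable: every submitted field becomes user meta, so the client decides
// its own capabilities.
function register_vulnerable(array $request): array
{
    $meta = [];
    foreach ($request as $key => $value) {
        if (in_array($key, ['user_login', 'user_email'], true)) {
            continue; // handled by user creation, not meta
        }
        $meta[$key] = $value; // update_user_meta($user_id, $key, $value)
    }
    return $meta;
}

// Hardened: only the profile fields the form is supposed to carry are copied,
// each through its own sanitizer, and the role is never taken from the request.
const PROFILE_FIELDS = [
    'phone'   => 'sanitize_phone',
    'company' => 'sanitize_plain',
];

function sanitize_plain(string $v): string
{
    return trim(strip_tags($v));
}

function sanitize_phone(string $v): string
{
    return preg_replace('/[^0-9+\- ]/', '', $v);
}

function register_hardened(array $request): array
{
    $meta = [];
    foreach (PROFILE_FIELDS as $key => $sanitizer) {
        if (isset($request[$key]) && is_string($request[$key])) {
            $meta[$key] = $sanitizer($request[$key]);
        }
    }
    // Role comes from configuration, never from the request
    // (in WordPress: wp_insert_user([..., 'role' => get_option('default_role')])).
    $meta['role'] = 'subscriber';
    return $meta;
}

$v = register_vulnerable($request);
$h = register_hardened($request);

var_dump(isset($v['wp_capabilities'])); // bool(true)  -> the new user is an administrator
var_dump(isset($h['wp_capabilities'])); // bool(false)
var_dump($h);                           // phone and role only
```

The allowlist is deliberately keyed by field name rather than by a denylist of dangerous keys: wp_capabilities is the obvious one, but wp_user_level and any plugin-specific role meta would have to be enumerated too, and a denylist is wrong the day a new key appears.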

Props to Hiroho Shimada who discovered and responsibly reported these vulnerabilities through the Wordfence Bug Bounty Program. This researcher earned a bounty of $625.00 for the Privilege Escalation and $312.00 for the Local File Inclusion during our Bug Bounty Program Extravaganza.

All Wordfence users are protected against any exploits targeting these vulnerabilities by the Wordfence firewall’s protection.

Wordfence contacted StylemixThemes on March 13, 2024, and received a response on the same day. After providing full disclosure details, the developer released the first patch on March 20, 2024, the second patch on March 27, 2024, and the third patch on April 4, 2024. We would like to commend StylemixThemes for their prompt response and timely patches.

We urge users to update their sites with the latest patched version of MasterStudy LMS, which is version 3.3.4, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2024/04/937-bounty-awarded-for-privilege-escalation-and-local-file-inclusion-vulnerabilities-patched-in-masterstudy-lms-wordpress-plugin

Spam attempts increase 4x

Here at ProtectYourWP.com we’ve noticed a substantial increase in incoming spam on our clients’ sites – on average there have been four times as many spam comments over the past few weeks as usual levels.

It appears that either someone has figured out how to get around the comment filtering mechanisms built into WordPress, or else the spammers are simply sending many more than before.

The good news is that the vast majority of them are caught before they get to you, our clients. (Did you know that we delete most of the obviously spammy comments on a daily basis, so that you never have to deal with them?)

If you’d like even better protection, we’ve had excellent results using Anti-Spam by CleanTalk. It’s a service that costs just $6.00/year and is well worth it! We have no relation to CleanTalk other than being a satisfied customer!

Let us or your site developer know if you’d like us to install it on your site.

Local File Inclusion Vulnerability Patched in Shield Security WordPress Plugin

Wordfence received a submission for a Local File Inclusion vulnerability in Shield Security, a WordPress plugin with more than 50,000 active installations, as part of their bug bounty program. It’s important to note that this vulnerability is limited to the inclusion of PHP files; however, it could still be leveraged by an attacker who is able to upload PHP files but cannot request those files directly to execute them.

Props to hir0ot who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $938.00 for this discovery during Wordfence’s Bug Bounty Program Extravaganza.

All Wordfence customers are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Directory Traversal and Local File Inclusion protection.

Wordfence contacted the Shield Security Team on December 21, 2023, and received a response on December 23, 2023. After providing full disclosure details, the developer released a patch the same day, December 23, 2023. We would like to commend the Shield Security Team for their prompt response and timely patch.

The Shield Security – Smart Bot Blocking & Intrusion Prevention Security plugin for WordPress is vulnerable to Local File Inclusion in all versions up to, and including, 18.5.9 via the render_action_template parameter. This makes it possible for an unauthenticated attacker to include and execute PHP files on the server, allowing the execution of any PHP code in those files.
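An added illustration for the Shield Security item (editor's code, not the plugin's): a template include that takes its file name from the request and appends a fixed .php suffix, which is why only PHP files can be reached, next to a resolver that pins the include to one directory. The directory layout, the stand-in files and the function names are constructed; only the parameter name in the comment comes from the advisory.

```php
<?php
// Added illustration, not Shield Security's code: a template include driven by
// a request parameter, and a resolver that confines it to one directory.
// Runs stand-alone with `php lfi_demo.php`; it creates its own files in the
// system temp directory.

$templates = sys_get_temp_dir() . '/lfi_demo_templates';
@mkdir($templates);
file_put_contents("$templates/dashboard.php", "<?php echo 'dashboard';");

// Vulnerable pattern: $name would be $_REQUEST['render_action_template'] in
// the advisory's case. Only .php files can be included because the suffix is
// fixed, which is exactly why a previously uploaded .php file is the target.
function include_template_vulnerable(string $base, string $name): string
{
    ob_start();
    include $base . '/' . $name . '.php';
    return ob_get_clean();
}

// Hardened: accept only a simple name, then resolve and confirm the real path
// still lives under the template directory (catches traversal and symlinks).
function resolve_template(string $base, string $name): ?string
{
    if (!preg_match('/^[a-z0-9_-]+$/', $name)) {
        return null;                        // no slashes, dots or null bytes
    }
    $root = realpath($base);
    $path = realpath($base . '/' . $name . '.php');
    if ($root === false || $path === false) {
        return null;                        // unknown template
    }
    if (strpos($path, $root . DIRECTORY_SEPARATOR) !== 0) {
        return null;                        // resolved outside the directory
    }
    return $path;
}

function include_template_hardened(string $base, string $name): string
{
    $path = resolve_template($base, $name);
    if ($path === null) {
        return '';                          // in a plugin: wp_die() or a 400
    }
    ob_start();
    include $path;
    return ob_get_clean();
}

// Constructed attacker scenario: a PHP file that was uploaded earlier but is
// not reachable by URL (a harmless stand-in is created here), and a template
// name that traverses to it.
$uploads = sys_get_temp_dir() . '/lfi_demo_uploads';
@mkdir($uploads);
file_put_contents("$uploads/shell.php", "<?php echo 'executed';");
$traversal = '../lfi_demo_uploads/shell';

echo include_template_vulnerable($templates, $traversal), PHP_EOL; // executed
echo include_template_hardened($templates, $traversal), PHP_EOL;   // (empty)
echo include_template_hardened($templates, 'dashboard'), PHP_EOL;  // dashboard
```

The character allowlist does most of the work; the realpath() containment check is the second layer that still holds if a future change relaxes the pattern or a template directory contains a symlink.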

We urge users to update their sites with the latest patched version of Shield Security, which is version 18.5.10, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2024/02/local-file-inclusion-vulnerability-patched-in-shield-security-wordpress-plugin

The WordPress 6.4.3 Security Update – What You Need to Know

On January 30, 2024, WordPress released version 6.4.3, which contains two security patches for longstanding, albeit minor, security concerns in WordPress Core.

The first patch addresses an issue that allows users with Administrator (or Super Administrator on Multisite) privileges to upload PHP files directly to a site via the Plugin and Theme file upload mechanism. This is only a concern in heavily locked-down configurations that disallow Administrators and Super Administrators from installing plugins and themes via a separate mechanism. Wordfence has tracked this as a low-priority informational security alert since August 2023, though it has been public since August 2018.

The second patch changes how option values are written to the database during site installation, initialization, and upgrade. Values are now sanitized and then passed through the same serialization step that is already used when an option is updated: arrays and objects are serialized, and a string that already looks like serialized data is serialized again, so that it is read back as a string rather than being unserialized into an object. This step was previously missing from the install, initialization, and upgrade paths. According to the 6.4.3 release post, this is intended to address a potential PHP Object Injection issue.
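An added illustration of the serialization step just described (editor's code, not WordPress core's): a write path that serializes already-serialized strings a second time, next to a read path that unserializes anything that looks serialized, showing why the double serialization keeps an attacker-supplied string from coming back as an object. The is_serialized_value() check is a simplified stand-in for WordPress's is_serialized(), and the payload is constructed.

```php
<?php
// Added illustration, not WordPress core code: why option values go through a
// maybe_serialize()-style step before storage. A string that already looks
// serialized is serialized again, so reading it back yields the string, not an
// object. is_serialized_value() is a simplified stand-in for is_serialized().

function is_serialized_value(string $data): bool
{
    return (bool) preg_match('/^(?:N;|[bidsaO]:.*[;}])$/s', $data);
}

// Write path with the fix: arrays/objects are serialized, and a string that is
// already in serialized form is serialized once more.
function maybe_serialize_value($data): string
{
    if (is_array($data) || is_object($data)) {
        return serialize($data);
    }
    if (is_string($data) && is_serialized_value($data)) {
        return serialize($data);   // the double-serialization step
    }
    return (string) $data;
}

// Read path (what get_option() effectively does): anything that looks
// serialized is unserialized.
function maybe_unserialize_value(string $stored)
{
    if (is_serialized_value($stored)) {
        return unserialize($stored);
    }
    return $stored;
}

// Constructed attacker-controlled value: a string that spells out an object.
// With a class that has a __wakeup()/__destruct() gadget on the site, this is
// the entry point of a POP chain; stdClass is used here as a harmless stand-in.
$payload = 'O:8:"stdClass":1:{s:3:"cmd";s:2:"id";}';

// Without the fix: stored verbatim, read back as a live object.
$raw_read = maybe_unserialize_value($payload);

// With the fix: serialized again on write, read back as the original string.
$safe_read = maybe_unserialize_value(maybe_serialize_value($payload));

var_dump(is_object($raw_read));     // bool(true)
var_dump($safe_read === $payload);  // bool(true)

// Ordinary option values still round-trip unchanged.
$opt = ['active' => true, 'ids' => [1, 2]];
var_dump(maybe_unserialize_value(maybe_serialize_value($opt)) === $opt); // bool(true)
```

The point for reviewers is that the protection lives on the write side: any code path that writes an option while skipping this step (which is what the install and upgrade paths did before 6.4.3) reintroduces the problem, no matter how careful the read side is.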

Both issues appear to require a highly privileged user or an attacker stumbling upon a site with an incomplete installation to exploit, and are likely to impact few WordPress sites in the real world.

Both patches have been backported to version 4.1 and later of WordPress.

Conclusion

The WordPress 6.4.3 security patches addressed two minor issues in WordPress core and can primarily be considered increased hardening, as the circumstances in which they are likely to have a security impact are incredibly rare. Nonetheless, we recommend updating in a reasonable time frame, especially if your site relies on a hardened configuration due to regulatory requirements.

Source and more details: https://www.wordfence.com/blog/2024/01/the-wordpress-6-4-3-security-update-what-you-need-to-know

Website Takeover Campaign Takes Advantage of Unauthenticated Stored Cross-Site Scripting Vulnerability in Popup Builder Plugin

On December 11, 2023, Wordfence added an Unauthenticated Stored XSS vulnerability in the Popup Builder WordPress plugin to their Wordfence Intelligence Vulnerability Database. This vulnerability, which was originally reported by WPScan, allows an unauthenticated attacker to inject arbitrary JavaScript that will be executed whenever a user accesses an injected page.

Later, on January 10, 2024, they received a malware submission demonstrating how a Cross-Site Scripting (XSS) vulnerability in a single plugin can allow an unauthenticated attacker to inject an arbitrary administrative account that can then be used to take over the website. This type of vulnerability is usually exploited to add spam content or malicious redirects to a compromised site. This time, however, they found a successful attempt to directly inject a WordPress administrator account, one of the few cases they have been able to definitively attribute to this technique with the evidence still preserved.

Paid Wordfence users received a malware signature to detect this malicious file on January 11, 2024; free users received the same signature 30 days later, on February 11, 2024. In addition, all Wordfence users are protected against exploits targeting this vulnerability.

Source and more details: https://www.wordfence.com/blog/2024/01/website-takeover-campaign-takes-advantage-of-unauthenticated-cross-site-scripting-vulnerability-in-popup-builder-plugin