SQL Injection Vulnerability Patched in CleanTalk AntiSpam Plugin

The CleanTalk WordPress plugin has a number of uses, but one of its primary purposes is to protect sites against spam comments. Part of how it does this is by maintaining a blocklist and tracking the behavior of different IP addresses, including the user-agent string that browsers send to identify themselves.

Many of our users have CleanTalk installed.

The vulnerability was patched on March 10, and the update was applied to all our client sites within 24 hours. Fortunately, we’re not aware of any clients having become victims.
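The page says CleanTalk records each visitor's IP address and User-Agent string, and that is exactly the kind of input that must never be interpolated into a query: the header is fully attacker-controlled and arrives on every request without authentication. The snippet below is an added example, not CleanTalk's code and not the patched function; the table name `visitor_log`, its columns and both function names are assumptions for illustration. It contrasts the unsafe string-building pattern with `$wpdb->prepare()`, and runs inside WordPress (for example from a mu-plugin).

```php
<?php
/**
 * Added example (not CleanTalk's code). The table `visitor_log`, its columns
 * and the function names are assumptions. Load inside WordPress so that $wpdb
 * is available.
 */

// Weak pattern: the header is interpolated straight into SQL. sanitize_text_field()
// strips tags, octets and line breaks but leaves single quotes alone, so a
// User-Agent such as  Mozilla/5.0' AND SLEEP(5)-- -  reaches MySQL intact.
function visitor_log_weak( $ip, $ua ) {
    global $wpdb;
    $table = $wpdb->prefix . 'visitor_log';
    $ua    = sanitize_text_field( $ua );
    return $wpdb->query(
        "INSERT INTO {$table} (ip, ua, hits) VALUES ('{$ip}', '{$ua}', 1)
         ON DUPLICATE KEY UPDATE hits = hits + 1"
    );
}

// Hardened pattern: every value is bound through $wpdb->prepare(), which quotes
// and escapes for the live connection. The length cap keeps an oversized header
// from being used to store arbitrary payloads in the log column.
function visitor_log_prepared( $ip, $ua ) {
    global $wpdb;
    $table = $wpdb->prefix . 'visitor_log';
    $ua    = substr( (string) $ua, 0, 255 );
    return $wpdb->query( $wpdb->prepare(
        "INSERT INTO {$table} (ip, ua, hits) VALUES (%s, %s, 1)
         ON DUPLICATE KEY UPDATE hits = hits + 1",
        $ip,
        $ua
    ) );
}

// Record the current request with the hardened version. REMOTE_ADDR and
// HTTP_USER_AGENT are read as-is; both are untrusted and neither is slashed.
add_action( 'init', function () {
    $ip = isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '127.0.0.1';
    $ua = isset( $_SERVER['HTTP_USER_AGENT'] ) ? $_SERVER['HTTP_USER_AGENT'] : '';
    visitor_log_prepared( $ip, $ua );
} );
```

A quick audit for this class of bug in any plugin is to grep for `$wpdb->query(` and `$wpdb->get_results(` and check whether the first argument is a string with `{$...}` or `. $var .` inside it rather than a `$wpdb->prepare()` call. To confirm a suspect logging path, send a request whose User-Agent contains a single quote and watch for a database error or a changed response; do this only against a site you own.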

Article source: https://www.wordfence.com/blog/2021/05/sql-injection-vulnerability-patched-in-cleantalk-antispam-plugin

Widespread Attacks Continue Targeting Vulnerabilities in The Plus Addons for Elementor Pro

From Wordfence:

Over the past 10 days, Wordfence has blocked over 14 million attacks targeting Privilege Escalation Vulnerabilities in The Plus Addons for Elementor Pro on over 75% of sites reporting attacks during this period. By April 13, 2021, this campaign was targeting more sites than all other campaigns put together.

Despite only having an estimated install count of roughly 30,000 sites, nearly 60% of which should now be running a patched version of the plugin, over 2.8 million sites protected by Wordfence have been targeted by this campaign since April 8, 2021. It is likely that these numbers are reflected by the larger WordPress ecosystem as a whole and that millions of sites that are not protected by Wordfence are also being attacked.

The original vulnerability was already being actively attacked when it was reported by hosting company Seravo, making it a 0-day at the time. This vulnerability allowed attackers to log in as an administrator or to create new administrative accounts on any site with the plugin installed. While analyzing the plugin, the Wordfence Threat Intelligence team found additional vulnerabilities and notified the plugin’s developer. A firewall rule protecting against these vulnerabilities was released to our premium users on March 8, 2021, and became available to free users on April 7, 2021.

Source: https://www.wordfence.com/blog/2021/04/widespread-attacks-continue-targeting-vulnerabilities-in-the-plus-addons-for-elementor-pro

Vulnerabilities Patched in WP Page Builder

On February 15, 2021, the Wordfence Threat Intelligence team began the responsible disclosure process for several vulnerabilities in WP Page Builder, a plugin installed on over 10,000 sites. These vulnerabilities allowed any logged-in user, including subscribers, to access the page builder’s editor and make changes to existing posts on the site by default. Additionally, any logged-in user could add malicious JavaScript to any post, potentially resulting in site takeover.

Wordfence Premium users received a firewall rule protecting against these vulnerabilities on February 15, 2021. Sites still running the free version of Wordfence received the same protection 30 days later, on March 17, 2021.

Full article: https://www.wordfence.com/blog/2021/04/vulnerabilities-patched-in-wp-page-builder

Recently Patched Vulnerability in Thrive Themes Actively Exploited in the Wild

On March 23, 2021, the Wordfence Threat Intelligence Team discovered two recently patched vulnerabilities being actively exploited in Thrive Theme’s “Legacy” Themes and Thrive Theme plugins that were chained together to allow unauthenticated attackers to upload arbitrary files on vulnerable WordPress sites. They estimate that more than 100,000 WordPress sites are using Thrive Theme products that may still be vulnerable.

Patches were released on March 12, 2021 for the vulnerable themes and plugins. Wordfence is seeing these vulnerabilities being actively exploited in the wild, and they urge users to update to the latest versions available immediately since they contain a patch for these vulnerabilities.

Full article at: https://www.wordfence.com/blog/2021/03/recently-patched-vulnerability-in-thrive-themes-actively-exploited-in-the-wild/

Update from March 26:

Active Exploitation Continues on Unpatched Thrive Themes

Update: https://www.wordfence.com/blog/2021/03/episode-110-active-exploitation-continues-on-unpatched-thrive-themes/

Two Vulnerabilities Patched in Facebook for WordPress Plugin

The Wordfence Threat Intelligence team responsibly disclosed a vulnerability in Facebook for WordPress, formerly known as Official Facebook Pixel, a WordPress plugin installed on over 500,000 sites. This flaw made it possible for unauthenticated attackers with access to a site’s secret salts and keys to achieve remote code execution through a deserialization weakness.

In addition, on January 27, 2021, Wordfence disclosed a separately identified vulnerability in Facebook for WordPress that was introduced in the rebranding of the plugin in version 3.0.0. This flaw made it possible for attackers to inject malicious JavaScript into the plugin’s settings, if an attacker could successfully trick an administrator into performing an action such as clicking a link.

Full article: https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-facebook-for-wordpress-plugin/

Cross-Site Scripting Vulnerabilities in Elementor Impact Over 7 Million Sites

These vulnerabilities allowed any user able to access the Elementor editor, including contributors, to add JavaScript to posts. This JavaScript would be executed if the post was viewed, edited, or previewed by any other site user, and could be used to take over a site if the victim was an administrator.
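The control WordPress core applies to post content, and that a page builder has to apply to every widget setting it renders as HTML, is the `unfiltered_html` capability: contributors and authors do not have it, so anything they save must pass through `wp_kses_post()` before it is stored. The snippet below is an added example, not Elementor's code; the function name and the filter hook it attaches to are assumptions, and the payload is constructed for illustration.

```php
<?php
/**
 * Added example, not Elementor's code. Function name, hook name and the
 * payload are assumptions for illustration.
 */

// Sanitize builder HTML with the capabilities of the user who is SAVING it.
// Doing this on render instead would run with the viewer's capabilities, which
// is exactly the case where an administrator previewing a contributor's post
// would execute the contributor's script.
function builder_sanitize_setting_html( $html, $user_id = 0 ) {
    $user_id = $user_id ? (int) $user_id : get_current_user_id();
    if ( user_can( $user_id, 'unfiltered_html' ) ) {
        // On a single site only administrators and editors hold this capability
        // (and none do when DISALLOW_UNFILTERED_HTML is set).
        return $html;
    }
    // wp_kses_post() keeps the tags and attributes allowed in post content and
    // removes the rest, including <script> and every on* event-handler attribute.
    return wp_kses_post( $html );
}

// Attach it at the point where the builder persists widget settings (hook name assumed).
add_filter( 'builder_example_pre_save_widget_html', 'builder_sanitize_setting_html', 10, 2 );

// Constructed payload of the kind a contributor could try to store in a heading
// or raw-HTML widget. For a contributor the function returns
//   <h2>Hi</h2>alert(document.cookie)
// the handler attribute and the script tags are stripped, the inert text between
// the script tags is left behind.
$payload = '<h2 onmouseover="fetch(\'/wp-admin/user-new.php\')">Hi</h2>'
         . '<script>alert(document.cookie)</script>';
$stored  = builder_sanitize_setting_html( $payload, 0 );
```

Two caveats when reviewing a builder for this: the check has to cover attribute values and tag-name fields as well as content (a setting that lets the user choose the HTML tag for a heading is an injection point even if the text is filtered), and it has to be applied server-side on save, since the editor's client-side validation is under the contributor's control.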

Full article at https://www.wordfence.com/blog/2021/03/cross-site-scripting-vulnerabilities-in-elementor-impact-over-7-million-sites

Critical Vulnerability Patched in WooCommerce Upload Files

Please note that this is a separate plugin from the main WooCommerce plugin and is designed as an add-on to that plugin.

All of our current clients are protected against this vulnerability.

The threat researchers at Wordfence detailed a critical 0-day vulnerability in the WooCommerce Upload Files plugin that would have allowed attackers to infect and completely take over a website. This vulnerability has been patched in version 59.4, and we recommend that all users update to the latest version of the plugin as soon as possible, which is 60.1 at the time of this writing.

Full article at: https://www.wordfence.com/blog/2021/03/critical-vulnerability-patched-in-woocommerce-upload-files

Medium Severity Vulnerability Patched in User Profile Picture Plugin

Discovered 2/15/21, update issued 2/18/21.

User Profile Picture is a plugin designed to allow site owners to upload profile pictures for individual users. By default, WordPress will set a user’s profile picture to the associated Gravatar, if present, for any given email. This plugin makes it so that user profile pictures can be customized and can override the Gravatar associated with an email address.

One feature the plugin offered was the ability to add user profiles to a post using a Gutenberg block. When adding the block to a post, the plugin made a request for user data to retrieve the user’s profile picture and username for users with access to the Gutenberg editor in order to add the information to the block. To retrieve this information, the plugin registered the REST API route /mpp/v2/get_users tied to the rest_api_get_users function.

Unfortunately, this REST API endpoint returned more information than was required for its functionality. This included password hashes, hashed user activation keys, usernames, emails, and other less sensitive information.
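The root cause described above is returning WordPress user objects directly from a REST callback: `get_users()` hands back `WP_User` objects whose `data` property carries `user_pass` (the password hash), `user_activation_key` and `user_email`, and `rest_ensure_response()` serializes all of it. The block below is an added example, not the plugin's own code; the route name is the one the page gives, while the capability checked, the result limit and the response fields are assumptions. It registers the route with a real permission callback and builds the response from an explicit allow-list of fields.

```php
<?php
/**
 * Added example, not the plugin's own code. Route name from the page; the
 * capability, the 'number' limit and the response fields are assumptions.
 */
add_action( 'rest_api_init', function () {
    register_rest_route( 'mpp/v2', '/get_users', array(
        'methods'             => WP_REST_Server::READABLE,
        'callback'            => 'rest_api_get_users_filtered',
        // Gate the route on a capability that matches its purpose (users who
        // can build posts). '__return_true' here would make it anonymous, and
        // a bare is_user_logged_in() is still too wide for a payload that
        // could ever contain hashes.
        'permission_callback' => function () {
            return current_user_can( 'edit_posts' );
        },
    ) );
} );

// Over-exposing shape: WP_User objects go straight into the JSON response,
// ->data included, so every caller receives password hashes and
// activation keys. Kept here only to show what NOT to return.
function rest_api_get_users_leaky( WP_REST_Request $request ) {
    return rest_ensure_response( get_users( array( 'number' => 100 ) ) );
}

// Hardened shape: ask WordPress for only the columns the block needs and
// build the response from an allow-list, so a column added later can never
// leak by default.
function rest_api_get_users_filtered( WP_REST_Request $request ) {
    $users = get_users( array(
        'number' => 100,
        'fields' => array( 'ID', 'display_name' ),
    ) );
    $out = array();
    foreach ( $users as $u ) {
        $out[] = array(
            'id'     => (int) $u->ID,
            'name'   => $u->display_name,
            'avatar' => get_avatar_url( (int) $u->ID ),
        );
    }
    return rest_ensure_response( $out );
}
```

To verify a fix of this kind on a site you manage, call the route as the lowest-privilege user who is meant to reach it, using an application password, and confirm no hash fields come back: `curl -s -u author:APP-PASSWORD https://example.test/wp-json/mpp/v2/get_users | grep -c user_pass` should print 0, and an unauthenticated call should receive a 401.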

Full article: https://www.wordfence.com/blog/2021/03/medium-severity-vulnerability-patched-in-user-profile-picture-plugin

One Ransomware Victim Every 10 Seconds in 2020

A new organization became a victim of ransomware every 10 seconds in 2020 with remote workers experiencing a sharp uptick in threats, according to Check Point.

The security vendor’s 2021 Security Report is compiled from its ThreatCloud intelligence sensor data, its own research and recent surveys of IT professionals.

The report claimed that consumers and organizations face 100,000 malicious websites and 10,000 malicious files every day, with double extortion ransomware in particular on the rise. In Q3 2020, nearly half of all ransomware incidents involved theft of data from the targeted organization.

“Once a single victim is infected, the attackers leverage that person’s old email conversations for malware distribution, forwarding the last email of the thread and adding malicious files as attachments,” the report explained.

Full article: https://www.infosecurity-magazine.com/news/one-ransomware-victim-every-10/

Multiple Vulnerabilities In Ninja Forms WordPress Plugin Could Allow Site Takeovers

Some serious security vulnerabilities existed in the Ninja Forms WordPress plugin that put over a million sites at risk. Exploiting these vulnerabilities could allow an attacker to take over target websites and redirect incoming traffic to malicious links.

Of course, any sites under management by ProtectYourWP.com have already been updated with the latest fixes.

Full article: https://latesthackingnews.com/2021/02/22/multiple-vulnerabilities-in-ninja-forms-wordpress-plugin-could-allow-site-takeovers/