‘Tis the Season for the Wayward Package Phish

The holiday shopping season always means big business for phishers, who tend to find increased success this time of year with a lure about a wayward package that needs redelivery. Here’s a look at a fairly elaborate SMS-based phishing scam that spoofs FedEx in a bid to extract personal and financial information from unwary recipients.

Louis Morton, a security professional based in Fort Worth, Texas, forwarded an SMS phishing or “smishing” message sent to his wife’s mobile device that indicated a package couldn’t be delivered.

“It is a nearly perfect attack vector at this time of year,” Morton said. “A link was included, implying that the recipient could reschedule delivery.”

Attempting to visit the domain in the phishing link — o001cfedeex[.]com — from a desktop web browser redirects the visitor to a harmless page with ads for car insurance quotes. But by loading it in a mobile device (or by mimicking one using developer tools), we can see the intended landing page pictured in the screenshot in the article below — returns-fedex[.]com.

https://krebsonsecurity.com/2021/11/tis-the-season-for-the-wayward-package-phish/

XSS Vulnerability in NextScripts: Social Networks Auto-Poster Plugin Impacts 100,000 Sites

The Wordfence Threat Intelligence team discovered a reflected Cross-Site Scripting(XSS) vulnerability we found in NextScripts: Social Networks Auto-Poster, a WordPress plugin with over 100,000 installations.

All Wordfence users, including Wordfence Premium customers as well as those still using the free version of Wordfence, are protected against this vulnerability by our firewall’s built-in cross-site scripting protection.

As with all XSS attacks, malicious JavaScript running in an administrator’s session could be used to add malicious administrative users or insert backdoors into a site, and thus be used for site takeover.

All the gory details are available at the original article at: https://www.wordfence.com/blog/2021/10/xss-vulnerability-in-nextscripts-social-networks-auto-poster-plugin-impacts-100000-sites

1,000,000 Sites Affected by OptinMonster Vulnerabilities

OptinMonster is an incredibly intuitive and easy to use plugin designed to create sales campaigns on WordPress sites through the use of dialogs. The vast majority of the plugin’s functionality as well as the OptinMonster app site rely on the use of API endpoints to allow seamless integration and a streamlined design process.

Unfortunately, the majority of the REST-API endpoints were insecurely implemented, making it possible for unauthenticated attackers to access many of the various endpoints on sites running a vulnerable version of the plugin.

The most critical of the REST-API endpoints was the /wp-json/omapp/v1/support endpoint, which disclosed sensitive data like the site’s full path on the server, along with the API key needed to make requests on the OptinMonster site. With access to the API key, an attacker could make changes to any campaign associated with a site’s connected OptinMonster account and add malicious JavaScript that would execute anytime a campaign was displayed on the exploited site.

Worse yet, an attacker did not need to be authenticated to the site in order to access the API endpoint due to the functionality implemented within the logged_in_or_has_api_key function used as the permissions_callback

We strongly recommend validating that your site has been updated to the latest patched version of OptinMonster which is 2.6.5 at the time of this publication.

Full details at: https://www.wordfence.com/blog/2021/10/1000000-sites-affected-by-optinmonster-vulnerabilities

WordPress Cache Plugin Exploit Affects +1 Million Websites

WP Fastest Cache WordPress plugin vulnerabilities can lead to full site takeover and password leaks

Popular WordPress plugin WP Fastest Cache plugin was discovered by Jetpack security researchers to have multiple vulnerabilities that could allow an attacker to assume full administrator privileges. The exploits affect over a million WordPress installations.

The Authenticated SQL Injection allows a logged-in users to access administrator level information through the database.

A SQL Injection vulnerability is an attack that’s directed at the database, which is where the website elements, including passwords, are stored.

A successful SQL Injection attack could lead to a full website takeover.

More at original article: https://www.searchenginejournal.com/wp-fastest-cache-vulnerability/424278/amp/

Vulnerability Patched in Sassy Social Share Plugin

Wordfence Threat Intelligence team discovered a vulnerability in “Sassy Social Share”, a WordPress plugin installed on over 100,000 sites. The vulnerability provided a way for subscriber level users to gain remote code execution and take over a vulnerable site. Sites that have open registration allow anyone to create a “subscriber” level account, and are particularly vulnerable to this vulnerability.

Wordfence Premium users received a firewall rule to protect against exploits targeting this vulnerability on August 31, 2021. Sites still using the free version of Wordfence received the same protection on September 30, 2021.

In this case, the flaw made it possible for an attacker to import plugin settings and potentially inject PHP Objects that could be used as part of a POP Chain – a code execution sequence in the application that is exploited by the attacker.

Full details at https://www.wordfence.com/blog/2021/10/vulnerability-patched-in-sassy-social-share-plugin

Multiple Vulnerabilities in Brizy Page Builder Plugin Allow Site Takeover

The Wordfence Threat Intelligence team initiated the Responsible Disclosure process for Brizy – Page Builder, a WordPress plugin installed on over 90,000 sites.

During a routine review of their firewall rules, they found traffic indicating that a vulnerability might be present in the Brizy – Page Builder plugin, though it did not appear to be under active attack. This led them to discover two new vulnerabilities as well as a previously patched access control vulnerability in the plugin that had been reintroduced.

Both new vulnerabilities could take advantage of the access control vulnerability to allow complete site takeover, including a combination that allowed any logged-in user to modify any published post and add malicious JavaScript to it, as well as a separate flaw that allowed any logged-in user to upload potentially executable files and achieve remote code execution.

A patched version of the Brizy – Page Builder plugin, 2.3.12, was released on August 24, 2021. As per the WordFence responsible disclosure policy, they are now disclosing the vulnerability details as the plugin has been fully patched for some time.

All Wordfence users, including Wordfence Premium users as well as those using the free version, are protected by a combination of built-in firewall rules and an existing firewall rule released in June of 2020, which covered a similar vulnerability in a previous version of Brizy – Page Builder.

The original vulnerability was patched in version 1.0.126, but an almost identical vulnerability was reintroduced in version 1.0.127.

We strongly recommend updating to the latest version available, 2.3.17, as soon as possible, especially if you are not running Wordfence.

Source: https://www.wordfence.com/blog/2021/10/multiple-vulnerabilities-in-brizy-page-builder-plugin-allow-site-takeover/

See also: https://threatpost.com/brizy-wordpress-plugin-exploit-site-takeovers/175463/

Apple fixes iOS zero-day exploited in the wild (CVE-2021-30883)

With the newest iOS and iPad updates, Apple has fixed another vulnerability (CVE-2021-30883) that is being actively exploited by attackers.

As per usual, Apple did not share more details about the flaw or the attack(s) exploiting it, and the researcher who discovered it remains unnamed.

But, thanks to security researcher Saar Amar, who analyzed Apple’s patch, we know that the flaw is “a classic integer overflow.”

More details at: https://www.helpnetsecurity.com/2021/10/12/cve-2021-30883

High Severity Vulnerability Patched in Access Demo Importer Plugin

The Wordfence Threat Intelligence team discovered a vulnerability in Access Demo Importer, a WordPress plugin installed on over 20,000 sites. This flaw made it possible for authenticated attackers with just subscriber level access to upload arbitrary files that could be used to achieve remote code execution. On sites with open registration, an anonymous user could easily register and exploit this vulnerability.

As the vendor was unresponsive, they escalated the issue to the WordPress.org plugins team. The plugins team responded immediately and closed the plugin for downloads on August 27, 2021, pending a full review. A partially patched version of the plugin was reopened for downloads around September 7, 2021. After following up with the developer and the WordPress plugins team, a fully patched version of the plugin was released on September 21, 2021.

Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on August 9, 2021. Sites still using the free version of Wordfence received the same protection on September 8, 2021. As per the WordFence responsible disclosure policy, they are now fully disclosing the vulnerability details because enough time has elapsed since the fix was released.

If you have not already done so, we strongly recommend updating the latest version of the plugin available, 1.0.7, as soon as possible to ensure your site is not vulnerable to this security issue.

Source: https://www.wordfence.com/blog/2021/10/high-severity-vulnerability-patched-in-access-demo-importer-plugin/

PHP_SELFish: UnderContruction, Easy Social Icons

Part 1 – Reflected XSS in underConstruction Plugin

This post examines a cross site scripting vulnerability that exploits the PHP_SELF variable. Below describes another plugin suffering from a similar vulnerability related to the use of PHP_SELF.

On August 16, 2021, the Wordfence Threat Intelligence team attempted to initiate disclosure for a reflected Cross-Site Scripting vulnerability in underConstruction, a WordPress plugin with over 80,000 installations.

A patched version, 1.19, was released on August 31, 2021.

A firewall rule protecting against this vulnerability was released to Wordfence Premium users on August 16, 2021, and became available to sites using the free version of Wordfence on September 15, 2021.

If you aren’t running Wordfence, and are a user of this plugin, we recommend you immediately upgrade to version 1.19 of underConstruction which contains the patch.

Original source and technical explanation: https://www.wordfence.com/blog/2021/09/reflected-xss-in-underconstruction-plugin

Part 2 – Reflected XSS in Easy Social Icons

On August 16, 2021, the Wordfence Threat Intelligence team attempted to initiate disclosure for a reflected Cross-Site Scripting vulnerability in Easy Social Icons, a WordPress plugin with over 40,000 installations.

An initial patch, version 3.0.9, was released on August 31, 2021.

A firewall rule protecting against this vulnerability was released to Wordfence Premium users on August 16, 2021, and became available to sites using the free version of Wordfence on September 15, 2021.

Newer versions of the plugin also contain patches for additional XSS vulnerabilities, and all Wordfence users are protected against these vulnerabilities by our firewall’s built-in XSS protection. If you’re not using Wordfence, we recommend that you immediately upgrade to version 3.1.3 of the Easy Social Icons plugin.

Original source and technical explanation: https://www.wordfence.com/blog/2021/09/php_selfish-part-2-reflected-xss-in-easy-social-icons