Reflected XSS in Spam protection, AntiSpam, FireWall by CleanTalk

CleanTalk is a WordPress plugin designed to protect websites from spam comments and registrations. One of the features it includes is the ability to check comments for spam and present the spammy comments for deletion.

Thanks to a quirk of how WordPress processes the page parameter and the default PHP request order, it is possible to use this parameter to perform a reflected cross-site scripting attack, which is almost identical to a vulnerability recently covered by the folks at WordFence.

The vulnerability can be used to execute JavaScript in the browser of a logged-in administrator, for instance, by tricking them into visiting a self-submitting form that sends a POST request to the site at wp-admin/edit-comments.php?page=ct_check_spam, with the $_POST[‘page’] parameter set to malicious JavaScript.

As with any Cross-Site Scripting vulnerability, executing JavaScript in an administrator’s session can be used to take over a site by adding a new malicious administrator or injecting a backdoor, among other potential methods.

A patched version was released on March 25th and installed on all our clients’ websites the same day.

WordPress 5.9.2 Security Update Released – Fixes XSS and Prototype Pollution Vulnerabilities

WordPress core team released WordPress version 5.9.2 on March 10 which contains security patches for a high-severity vulnerability as well as two medium-severity issues.

The high-severity issue affects version 5.9.0 and 5.9.1 and allows contributor-level users and above to insert malicious JavaScript into WordPress posts. The Wordfence Threat Intelligence team was able to create a Proof of Concept for this vulnerability fairly quickly and released a firewall rule early on March 11, 2022, to protect WordPress sites that have not yet been updated.

The two medium-severity vulnerabilities impact WordPress versions earlier than 5.9.2 and potentially allow attackers to execute arbitrary JavaScript in a user’s session if they can trick that user into clicking a link, though there are no known practical exploits for these two vulnerabilities affecting WordPress. All versions of WordPress since WordPress 3.7 have also been updated with the fix for these vulnerabilities.

More details:

https://www.wordfence.com/blog/2022/03/wordpress-5-9-2-security-update-fixes-xss-and-prototype-pollution-vulnerabilities

UpdraftPlus WordPress plugin update forced for million sites

WordPress has forced the update of the UpdraftPlus plugin around three million sites to address a high-severity vulnerability, tracked as CVE-2022-0633 (CVSS v3.1 score of 8.5) that can allow website subscribers to download the latest database backups, which could potentially contain sensitive data.

“The UpdraftPlus WordPress plugin Free before 1.22.3 and Premium before 2.22.3 do not properly validate a user has the required privileges to access a backup’s nonce identifier, which may allow any users with an account on the site (such as subscriber) to download the most recent site & database backup.” reads the advisory for this issue.

The flaw was discovered Marc Montpas during an internal audit of the plugin.

“The plugin uses custom “nonces” and timestamps to securely identify backups. Given the knowledge of said nonce and timestamp can give someone access to quite a few of the plugin’s features, making sure this info is only accessible to those who legitimately need it is crucial.” reported the analysis. “Unfortunately, as we’ll demonstrate, it wasn’t the case.”

The issue impacts versions 1.16.7 to 1.22.2 of the plugin, the development team addressed it with the release of 1.22.3 or 2.22.3 for the (paid) Premium version.

Source: https://securityaffairs.co/wordpress/128170/hacking/updraftplus-forced-update.html

PHP Everywhere Bugs Put 30K+ WordPress Sites at Risk of RCE

The plug-in’s default settings spawned flaws that could allow for full site takeover but have since been fixed in an update that users should immediately install, Wordfence researchers said.

Tens of thousands of WordPress sites are at risk from critical vulnerabilities in a widely used plug-in that facilitates the use of PHP code on a site.

One of the bugs allows any authenticated user of any level – even subscribers and customers – to execute code that can completely take over a site that has the plugin installed, researchers have found.

Researchers from Wordfence Threat Intelligence discovered three critical vulnerabilities in PHP Everywhere, a plug-in installed on more than 30,000 WordPress sites, as they revealed in a blog post published Tuesday. The plug-in does precisely what its name suggests, allowing WordPress site developers to put PHP code in various components of a site, including pages, posts and sidebars.

Source: https://threatpost.com/php-everywhere-bugs-wordpress-rce/178338/

See also: https://www.bleepingcomputer.com/news/security/php-everywhere-rce-flaws-threaten-thousands-of-wordpress-sites/

Elementor WordPress plugin has a gaping security hole – update now

If you run a WordPress site and you use the Elementor website creation toolkit, you could be at risk of a security hole that combines data leakage and remote code execution.

That’s if you use a plugin called Essential Addons for Elementor, which is a popular tool for adding visual features such as timelines, image galleries, ecommerce forms and price lists.

An independent threat researcher called Wai Yan Myo Thet recently discovered what’s known as a file inclusion vulnerability in the product.

This security hole made it possible for attackers to trick the plugin into accessing and including a server-side file…

…using a filename supplied in the incoming web request.

Simply put, a malicious visitor could trick an unpatched server into serving up a file it’s not supposed to, such as the server’s own username database, or coerce the server into running a script it shouldn’t, thus creating a remote code execution (RCE) hole.

As you probably know, web server RCE bugs are typically abused to implant malware that allows the attackers to do something to your immediate, and often costly, detriment.

Clients of ProtectYourWP.com have already been updated, of course.

Source and more details: https://nakedsecurity.sophos.com/2022/02/02/elementor-wordpress-plugin-has-a-gaping-security-hole-update-now/

https://www.darkreading.com/vulnerabilities-threats/tens-of-thousands-of-websites-vulnerable-to-rce-flaw-in-wordpress-plugin

WordPress 5.9 Released

WordPress 5.9 represents the largest release of Gutenberg features since the initial Gutenberg launch in WordPress 5.0. In addition, WordPress 5.9 includes 99 enhancements including Full Site Editing and 100 bug fixes.

Important things to know:

  • You need a block-based theme to actually use Full Site Editing. A block theme is a WordPress theme with templates entirely composed of blocks so that in addition to the post content of the different post types (pages, posts, …), the block editor can also be used to edit all areas of the site: headers, footers, sidebars, etc. Chances are: you aren’t using a block-based theme at the moment.
  • Full Site Editing is still in a current phase as a minimum viable product. This allows for a gradual adoption from users as most themes are still not ready to utilize this functionality or would be incompatible moving forward.
  • You don’t have to adopt Full Site Editing. If you aren’t ready for a block-based theme just yet, don’t worry. “Classic” themes continue to exist and work as always.

See the official details at https://wordpress.org/news/2022/01/josephine/.

Unauthenticated XSS Vulnerability Patched in HTML Email Template Designer Plugin

WP HTML Mail is a WordPress plugin developed to make designing custom emails simpler for WordPress site owners. It is compatible with various WordPress plugins like WooCommerce, Ninja Forms, BuddyPress, and more. The plugin registers two REST-API routes which are used to retrieve email template settings and update email template settings. Unfortunately, these were insecurely implemented making it possible for unauthenticated users to access these endpoints.

Details: https://www.wordfence.com/blog/2022/01/unauthenticated-xss-vulnerability-patched-in-html-email-template-designer-plugin

84,000 WordPress Sites Affected by Three Plugins With The Same Vulnerability

Researchers discovered vulnerabilities that can allow for full site takeover in login and e-commerce add-ons for the popular website-building platform.

Researchers have discovered three WordPress plug-ins with the same vulnerability that allows an attacker to update arbitrary site options on a vulnerable site and completely take it over. Exploiting the flaw does require some action from the site administrator, however.

On Nov. 5, 2021, the Wordfence Threat Intelligence team started a process to disclose a vulnerability researchers had found in “Login/Signup Popup,” a WordPress plug-in installed on more than 20,000 sites, Wordfence’s Chloe Chamberland wrote in a post published online Thursday.

However, a few days later they discovered that the flaw was present in two other plug-ins by the same developer, who goes by the online name of XootiX. They are “Side Cart Woocommerce (Ajax),” which has been installed on more than 60,000 sites, and “Waitlist Woocommerce (Back in stock notifier),” which has been installed on more than 4,000.

Sources:

https://threatpost.com/plugins-vulnerability-84k-wordpress-sites/177654/

https://www.wordfence.com/blog/2022/01/84000-wordpress-sites-affected-by-three-plugins-with-the-same-vulnerability