PHP_SELFish: UnderContruction, Easy Social Icons

Part 1 – Reflected XSS in underConstruction Plugin

This post examines a cross site scripting vulnerability that exploits the PHP_SELF variable. Below describes another plugin suffering from a similar vulnerability related to the use of PHP_SELF.

On August 16, 2021, the Wordfence Threat Intelligence team attempted to initiate disclosure for a reflected Cross-Site Scripting vulnerability in underConstruction, a WordPress plugin with over 80,000 installations.

A patched version, 1.19, was released on August 31, 2021.

A firewall rule protecting against this vulnerability was released to Wordfence Premium users on August 16, 2021, and became available to sites using the free version of Wordfence on September 15, 2021.

If you aren’t running Wordfence, and are a user of this plugin, we recommend you immediately upgrade to version 1.19 of underConstruction which contains the patch.

Original source and technical explanation: https://www.wordfence.com/blog/2021/09/reflected-xss-in-underconstruction-plugin

Part 2 – Reflected XSS in Easy Social Icons

On August 16, 2021, the Wordfence Threat Intelligence team attempted to initiate disclosure for a reflected Cross-Site Scripting vulnerability in Easy Social Icons, a WordPress plugin with over 40,000 installations.

An initial patch, version 3.0.9, was released on August 31, 2021.

A firewall rule protecting against this vulnerability was released to Wordfence Premium users on August 16, 2021, and became available to sites using the free version of Wordfence on September 15, 2021.

Newer versions of the plugin also contain patches for additional XSS vulnerabilities, and all Wordfence users are protected against these vulnerabilities by our firewall’s built-in XSS protection. If you’re not using Wordfence, we recommend that you immediately upgrade to version 3.1.3 of the Easy Social Icons plugin.

Original source and technical explanation: https://www.wordfence.com/blog/2021/09/php_selfish-part-2-reflected-xss-in-easy-social-icons

Recently Patched Vulnerabilities in Ninja Forms Plugin Affect Over 1 Million Site Owners

On August 3, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for two vulnerabilities that were discovered in Ninja Forms, a WordPress plugin installed on over 1,000,000 sites. These flaws made it possible for an attacker to export sensitive information and send arbitrary emails from a vulnerable site that could be used to phish unsuspecting users.

Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on August 2, 2021. Sites still using the free version of Wordfence received the same protection on September 1, 2021.

We sent the full disclosure details to Ninja Forms on August 3, 2021, as per the security disclosure policy listed on Ninja Forms website. Ninja Forms quickly acknowledged the report the same day and informed us that they would start working on a patch immediately. A patch was released on September 7, 2021 in version 3.5.8.

We strongly recommend updating immediately to the latest patched version of Ninja Forms to patch these security issues, which is version 3.5.8.2 of Ninja Forms at the time of this publication.

Original source and technical explanation: https://www.wordfence.com/blog/2021/09/recently-patched-vulnerabilities-in-ninja-forms-plugin-affects-over-1-million-site-owners

CSRF Vulnerability Found in Software License Manager Plugin

Versions before 4.5.1 of the Software License Manager plugin for WordPress have an exploitable Cross-Site Request Forgery (CSRF) vulnerability. Any user logged in to a site with the vulnerable extension can, by clicking a link, be tricked to delete an entry in the plugin’s registered domain database table. The link can be distributed in an email, or on a website the victim user is likely to visit.

The good news is, there’s not much else that can be done by exploiting this weakness. And the attacker needs to know the id of the domain they wish to delete from the database beforehand. 

Still, we recommend anybody running version 4.5.0 or earlier of the plugin to upgrade as soon as possible.

Details

Source: https://jetpack.com/2021/09/14/csrf-vulnerability-found-in-software-license-manager-plugin/

WordPress 5.8.1 Security and Maintenance Release

WordPress 5.8.1 was released earlier this evening.

This security and maintenance release features 60 bug fixes in addition to 3 security fixes. Because this is a security release, it is recommended that you update your sites immediately. All versions since WordPress 5.4 have also been updated.

WordPress 5.8.1 is a short-cycle security and maintenance release. The next major release will be version 5.9.

3 security issues affect WordPress versions between 5.4 and 5.8. If you haven’t yet updated to 5.8, all WordPress versions since 5.4 have also been updated to fix the security issues.

Full details at https://wordpress.org/news/2021/09/wordpress-5-8-1-security-and-maintenance-release/

Apple Delays Plans to Scan Devices for Child Abuse Images After Privacy Backlash

Apple is temporarily hitting the pause button on its controversial plans to screen users’ devices for child sexual abuse material (CSAM) after receiving sustained blowback over worries that the tool could be weaponized for mass surveillance and erode the privacy of users.

“Based on feedback from customers, advocacy groups, researchers, and others, we have decided to take additional time over the coming months to collect input and make improvements before releasing these critically important child safety features,” the iPhone maker said in a statement on its website.

The announcement, however, doesn’t make it clear as to the kind of inputs it would be gathering, the nature of changes it aims to devise, or how it intends to implement the system in a way that mitigates the privacy and security concerns that could arise once it’s deployed.

The changes were originally slated to go live with iOS 15 and macOS Monterey later this year, starting with the U.S.

Full article: https://thehackernews.com/2021/09/apple-delays-plans-to-scan-devices-for.html

WordPress Update to 5.8

WordPress 5.8 was released on July 20 and nearly all our client’s sites were updated the same day.

This release includes additional improvements to the Block editing system, drops support for Internet Explorer 11, and adds support for the reasonably new WebP image format. WebP images are around 30% smaller on average than their JPEG or PNG equivalents, resulting in sites that are faster and use less bandwidth.

Full details on the release: https://wordpress.org/news/2021/07/tatum/

Security Vulnerability Discovered in FileBird Plugin; Update Available

On June 9, 2021, a 10up Engineer conducted a routine code review of the FileBird plugin on behalf of a client. The code review followed 10up’s Engineering Best Practices and focused on areas that did not pass our initial automated scans. It uncovered that the code was vulnerable to a Blind SQL Injection attack — a clever type of exploit that involves sending “yes or no” questions to MySQL to extract information from the database when it cannot be output directly to the browser.

That same day, our team responsibly disclosed the vulnerability. We reached out to the team at WPScan, who we’ve previously collaborated with on our WP-CLI Vulnerability Scanner and WordPress Composer Scanner, to report the vulnerability and collaborate on disclosure.

The FileBird plugin authors responded quickly and responsibly, and issued a patch within 36 hours.

This is a critical vulnerability that only impacts version 4.7.3 of the FileBird plugin. It does not impact any previous versions and has been patched in version 4.7.4. All users of FileBird version 4.7.3 are advised to upgrade immediately.

Source and more details: https://10up.com/blog/2021/security-vulnerability-filebird-wordpress-plugin/

Easily Exploitable Critical Vulnerabilities Patched in ProfilePress Plugin

The Wordfence Threat Intelligence team initiated the responsible disclosure process for several vulnerabilities that were discovered in ProfilePress, formerly WP User Avatar, a WordPress plugin installed on over 400,000 sites. These flaws made it possible for an attacker to upload arbitrary files to a vulnerable site and register as an administrator on sites even if user registration was disabled, all without requiring any prior authentication.

A patch was quickly released on May 30, 2021 as version 3.1.4.

Source: https://www.wordfence.com/blog/2021/06/easily-exploitable-critical-vulnerabilities-patched-in-profilepress-plugin