Over 1 Million Sites Affected by Gutenberg Template Library & Redux Framework Vulnerabilities

Two vulnerabilities were discovered in the Gutenberg Template Library & Redux Framework plugin, which is installed on over 1 million WordPress sites. One vulnerability allowed users with lower permissions, such as contributors, to install and activate arbitrary plugins and delete any post or page via the REST API. A second vulnerability allowed unauthenticated attackers to access potentially sensitive information about a site’s configuration.

A patched version of the plugin, 4.2.13, was released on August 11, 2021.

Source: https://www.wordfence.com/blog/2021/09/over-1-million-sites-affected-by-redux-framework-vulnerabilities

US govt warns orgs to patch massively exploited Confluence bug

US Cyber Command (USCYBERCOM) has issued a rare alert today urging US organizations to immediately patch a critical Atlassian Confluence vulnerability that is being exploited at scale. The flaw, CVE-2021-26084, is an OGNL injection bug in Confluence Server and Data Center that lets an unauthenticated attacker execute arbitrary code on the server.

“Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate,” said Cyber National Mission Force (CNMF).

The USCYBERCOM unit also stressed the importance of patching vulnerable Confluence servers as soon as possible: “Please patch immediately if you haven’t already — this cannot wait until after the weekend.”

This warning comes after Deputy National Security Advisor Anne Neuberger encouraged organizations “to be on guard for malicious cyberactivity in advance of the holiday weekend” during a Thursday White House press briefing.

It is the second alert of this kind in the last 12 months. The previous one, from June, warned that CISA was aware threat actors might attempt to exploit a remote code execution vulnerability affecting all vCenter Server installs.

CISA also urged users and admins today to immediately apply the Confluence security updates recently issued by Atlassian. The fixed releases are 6.13.23, 7.4.11, 7.11.6, 7.12.5 and 7.13.0; Confluence Cloud is not affected, so the check that matters is the version string on any self-hosted Server or Data Center instance.

Original article: https://www.bleepingcomputer.com/news/security/us-govt-warns-orgs-to-patch-massively-exploited-confluence-bug/amp/

Nested Pages Patches Post Deletion Vulnerability

Two vulnerabilities were identified in late August in Nested Pages, a WordPress plugin installed on over 80,000 sites that provides drag-and-drop management of page structure and post ordering.

These vulnerabilities included a Cross-Site Request Forgery vulnerability that allowed posts and pages to be deleted, unpublished or assigned to a different author in bulk, as well as a separate open redirect vulnerability.

The plugin author released a patched version of the plugin, version 3.1.16, a few hours later.

Because a Cross-Site Request Forgery attack works by tricking a logged-in administrator's browser into sending a request that the administrator is genuinely allowed to make, the forged request looks identical to a legitimate one at the HTTP level. A firewall therefore cannot block exploitation of these vulnerabilities without also blocking legitimate use of the plugin. The only effective protection is to update to the latest patched version of Nested Pages.
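
To make the point concrete, here is an added illustration (not Nested Pages code, and not its fix) of a bulk "unpublish" admin action in the vulnerable shape beside the hardened shape. It assumes a WordPress runtime; the action name, form field names and function names are hypothetical.

```php
<?php
// Added illustration (not Nested Pages code): a bulk admin action without
// and with CSRF protection. Assumes WordPress; all names are hypothetical.

// --- Vulnerable pattern. If this were hooked to admin_post_demo_bulk_unpublish,
// any request reaching it while an administrator is logged in would be honoured.
// A page on another site can auto-submit a form to
// wp-admin/admin-post.php?action=demo_bulk_unpublish and the admin's session
// cookies travel with it, so the plugin cannot tell the request was forged.
function demo_bulk_unpublish_vulnerable() {
    $ids = array_map( 'intval', (array) ( $_POST['post_ids'] ?? array() ) );
    foreach ( $ids as $id ) {
        wp_update_post( array( 'ID' => $id, 'post_status' => 'draft' ) );
    }
    wp_safe_redirect( admin_url( 'edit.php' ) );
    exit;
}

// --- Hardened pattern: a per-user, per-action nonce is rendered into the
// form and verified on submit, and each target post is checked against the
// caller's capabilities.
const DEMO_BULK_ACTION = 'demo_bulk_unpublish';

function demo_render_bulk_form( array $post_ids ) {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    echo '<input type="hidden" name="action" value="' . esc_attr( DEMO_BULK_ACTION ) . '">';
    foreach ( $post_ids as $id ) {
        echo '<input type="hidden" name="post_ids[]" value="' . (int) $id . '">';
    }
    // Emits _wpnonce (tied to the current user and this action) and _wp_http_referer.
    wp_nonce_field( DEMO_BULK_ACTION );
    submit_button( 'Unpublish selected' );
    echo '</form>';
}

function demo_bulk_unpublish_hardened() {
    // Dies with "The link you followed has expired." if the _wpnonce field is
    // missing, stale, or was issued to a different user or action. A site the
    // victim merely visits cannot read the nonce, so it cannot forge this.
    check_admin_referer( DEMO_BULK_ACTION );

    $ids = array_map( 'intval', (array) ( $_POST['post_ids'] ?? array() ) );
    foreach ( $ids as $id ) {
        // Authorisation per object: a valid nonce proves the request came from
        // the user's own form, not that the user may edit this particular post.
        if ( ! current_user_can( 'edit_post', $id ) ) {
            continue;
        }
        wp_update_post( array( 'ID' => $id, 'post_status' => 'draft' ) );
    }
    wp_safe_redirect( admin_url( 'edit.php' ) );
    exit;
}

add_action( 'admin_post_' . DEMO_BULK_ACTION, 'demo_bulk_unpublish_hardened' );
```

The nonce is what stops the cross-site form; the capability check is a separate control and is the one that was missing in the Gutenberg Template Library & Redux Framework REST bug above. Both belong in every state-changing handler.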

Full article and analysis: https://www.wordfence.com/blog/2021/08/nested-pages-patches-post-deletion-vulnerability

Critical Authentication Bypass Vulnerability Patched in Booster for WooCommerce

Booster for WooCommerce is an addon plugin for WooCommerce designed to enhance its functionality through the use of various modules that site owners can enable and disable at any point. One module that the plugin offers is an Email Verification module, which adds a requirement for users to verify their email after they have registered on the site.

Unfortunately, the Wordfence team found that this feature was insecurely implemented. An attacker could trigger a verification request on behalf of any user, easily recreate the token needed to "verify" the targeted user's email, and then be automatically logged in as that user.
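
The page does not say how the plugin derived its token, so the following is an added example of the properties an email-verification token needs rather than a description of the plugin's fix: unpredictable, stored only as a hash, bound to one user, time-limited and single-use. It assumes a WordPress runtime; the meta keys, query parameters and function names are hypothetical.

```php
<?php
// Added illustration (not Booster for WooCommerce code): an email-verification
// token that cannot be reconstructed by whoever triggers the verification
// mail. Assumes WordPress; all names are hypothetical.

define( 'DEMO_VERIFY_TTL', 24 * HOUR_IN_SECONDS );

// Issue: 32 bytes from the CSPRNG. Only the SHA-256 of the token is stored,
// so a database read does not yield a usable link, and the record is bound
// to this user ID and to a deadline.
function demo_issue_verification_token( int $user_id ): string {
    $token = bin2hex( random_bytes( 32 ) );
    update_user_meta( $user_id, '_demo_verify_hash', hash( 'sha256', $token ) );
    update_user_meta( $user_id, '_demo_verify_expires', time() + DEMO_VERIFY_TTL );
    return $token; // appears only in the e-mail link
}

function demo_verification_link( int $user_id ): string {
    return add_query_arg( array(
        'demo_verify' => demo_issue_verification_token( $user_id ),
        'uid'         => $user_id,
    ), home_url( '/' ) );
}

// Redeem: constant-time comparison, expiry enforced, record consumed on
// success, and the hash is looked up under the user named in the link, so a
// token issued for one account can never verify another.
function demo_redeem_verification_token( int $user_id, string $token ): bool {
    $stored  = (string) get_user_meta( $user_id, '_demo_verify_hash', true );
    $expires = (int) get_user_meta( $user_id, '_demo_verify_expires', true );
    if ( $stored === '' || time() > $expires ) {
        return false;
    }
    if ( ! hash_equals( $stored, hash( 'sha256', $token ) ) ) {
        return false;
    }
    delete_user_meta( $user_id, '_demo_verify_hash' );
    delete_user_meta( $user_id, '_demo_verify_expires' );
    update_user_meta( $user_id, '_demo_email_verified', 1 );
    return true;
}

// Request handler: the session is only established after the token passes.
add_action( 'init', function () {
    if ( ! isset( $_GET['demo_verify'], $_GET['uid'] ) ) {
        return;
    }
    $user_id = (int) $_GET['uid'];
    $token   = (string) $_GET['demo_verify'];
    if ( ! demo_redeem_verification_token( $user_id, $token ) ) {
        wp_die( 'Invalid or expired verification link.', '', array( 'response' => 403 ) );
    }
    wp_set_current_user( $user_id );
    wp_set_auth_cookie( $user_id );
    wp_safe_redirect( home_url( '/' ) );
    exit;
} );
```

The auto-login step mirrors the behaviour the page describes for the plugin; it raises the stakes of the token, since anything that can guess or replay it gets a session, which is why the token is random, hashed at rest and consumed on first use. A design that only marks the address verified and then sends the user to the normal login form removes that risk entirely.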

More details at: https://www.wordfence.com/blog/2021/08/critical-authentication-bypass-vulnerability-patched-in-booster-for-woocommerce

XSS Vulnerability Patched in SEOPress Affects 100,000 sites

SEOPress is a WordPress plugin designed to optimize the SEO (Search Engine Optimization) of WordPress sites through many different features, like the ability to add SEO meta-data, breadcrumbs, schemas, and more. One feature the plugin implements is the ability to add an SEO title and description to posts, which can be done while saving edits to a post or via a newly introduced REST-API endpoint.

Unfortunately, this REST-API endpoint was insecurely implemented. The endpoint's permission_callback only verified that the request carried a valid REST-API nonce. A valid REST-API nonce can be generated by any authenticated user via the rest-nonce WordPress core AJAX action, so the check amounted to "any logged-in user". This meant that any authenticated user, even a subscriber, could call the REST route with a valid nonce and update the SEO title and description for any post. Because those values are rendered into the site's pages, this was a stored cross-site scripting issue, not merely a content-tampering one.
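
The following added example (not SEOPress code) shows a REST route of the same shape with the nonce-only permission check beside a callback that authorizes against the specific post, plus sanitization on input and escaping on output. It assumes a WordPress runtime; the namespace, meta keys and function names are hypothetical.

```php
<?php
// Added illustration (not SEOPress code): a REST route that updates an SEO
// title and description. Assumes WordPress; all names are hypothetical.

// --- Weak: only checks for a valid REST nonce. Any logged-in user, a
// subscriber included, can fetch one from
// wp-admin/admin-ajax.php?action=rest-nonce, so this authorises every
// authenticated user to edit every post's SEO fields.
function demo_seo_permission_weak( WP_REST_Request $request ) {
    $nonce = $request->get_header( 'X-WP-Nonce' );
    return (bool) wp_verify_nonce( $nonce, 'wp_rest' );
}

// --- Hardened: decide per post. WordPress already validates the nonce for
// cookie-authenticated REST requests before this runs, so the callback's
// job is the capability decision, not the CSRF decision.
function demo_seo_permission_hardened( WP_REST_Request $request ) {
    $post_id = (int) $request['id'];
    if ( ! get_post( $post_id ) ) {
        return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return new WP_Error( 'rest_forbidden', 'You cannot edit this post.', array( 'status' => 403 ) );
    }
    return true;
}

function demo_seo_update( WP_REST_Request $request ) {
    $post_id = (int) $request['id'];
    // The route's args carry sanitize_callback, so these are plain text here.
    update_post_meta( $post_id, '_demo_seo_title', $request['title'] );
    update_post_meta( $post_id, '_demo_seo_description', $request['description'] );
    return rest_ensure_response( array( 'updated' => $post_id ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'demo-seo/v1', '/meta/(?P<id>\d+)', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'demo_seo_update',
        'permission_callback' => 'demo_seo_permission_hardened', // not the weak one
        'args'                => array(
            'id'          => array( 'type' => 'integer', 'required' => true ),
            'title'       => array( 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field' ),
            'description' => array( 'type' => 'string', 'sanitize_callback' => 'sanitize_textarea_field' ),
        ),
    ) );
} );

// Output side: escape at the point of rendering into <head>, so a value that
// somehow bypassed sanitisation still cannot break out of the attribute.
function demo_seo_print_head_tags() {
    if ( ! is_singular() ) {
        return;
    }
    $desc = (string) get_post_meta( get_queried_object_id(), '_demo_seo_description', true );
    if ( $desc !== '' ) {
        echo '<meta name="description" content="' . esc_attr( $desc ) . '">' . "\n";
    }
}
add_action( 'wp_head', 'demo_seo_print_head_tags' );
```

A quick audit check for any plugin: grep its register_rest_route calls and read each permission_callback. One that returns true, `__return_true`, `is_user_logged_in()`, or a bare nonce check on a route that writes data is the pattern described here.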

Full details: https://www.wordfence.com/blog/2021/08/xss-vulnerability-patched-in-seopress-affects-100000-sites

Millions of IoT devices, baby monitors open to audio, video snooping

The vulnerability would allow threat actors to remotely compromise a targeted ThroughTek IoT device and watch the real-time video feed, listen to audio, and compromise device credentials for additional attacks.

Researchers at FireEye's Mandiant team have shared details of a critical IoT supply chain vulnerability that may be exposing millions of ThroughTek-connected cameras to espionage. Reportedly, the flaw affects IoT cameras worldwide and lets attackers hijack video streams.

It is worth noting that, at the time of publishing this article, ThroughTek claims to have more than 83 million active IoT devices and over 1.1 billion monthly connections on its platform.

Flaw Identified in ThroughTek’s P2P SDK

The flaw was discovered in a core software component of ThroughTek's Kalay cloud platform, which OEMs use to build IP cameras, baby and pet monitoring cameras, battery-powered devices, and robotic devices.

The vulnerability (CVE-2021-28372) is present in the company's P2P SDK, the component that lets a client on a desktop or mobile app reach the camera's audio or video streams over the internet.

It is reported that the protocol used to transmit these data streams does not perform a secure key exchange; it relies instead on a fixed-key obfuscation scheme. Since that key is the same across devices, an attacker who has it can reconstruct the audio/video stream and spy on users remotely.

Moreover, it can allow attackers to spoof a device, eavesdrop on camera audio and video, and hijack device credentials.

CISA Releases Security Alert

Yesterday, CISA released a separate advisory for ThroughTek P2P SDK and gave it a CVSS score of 9.1, stating that:

“ThroughTek supplies multiple original equipment manufacturers of IP cameras with P2P connections as part of its cloud platform. Successful exploitation of this vulnerability could permit unauthorized access to sensitive information, such as camera audio/video feeds.”

CISA noted that the vulnerability affects SDK versions 3.1.5 and older, SDK builds carrying the nossl tag, device firmware that does not use an AuthKey for the IOTC connection, and firmware that uses the RDT module, P2PTunnel, or the AVAPI module without enabling DTLS. For a device owner, the practical consequence is that only the vendor's firmware build determines exposure; there is no end-user setting that turns these protections on.

The advisory revealed that the impacted P2P products don’t adequately protect the data transmitted between the company’s servers and the local device, letting attackers access sensitive data such as camera feeds.

CVE-2021-28372 poses a huge risk to end users' security and privacy and should be mitigated appropriately, FireEye researchers warned in a blog post: unprotected devices such as IoT cameras can be compromised remotely by anyone who obtains the device's UID, and further attacks are possible depending on the functionality the device exposes.

ThroughTek’s Response

The company conveniently blamed developers who implemented its SDK incorrectly or did not update to the latest version. ThroughTek says it introduced SDK version 3.3 in mid-2020 to fix this issue and has been urging device makers to update; devices whose vendors have not shipped the upgraded SDK remain vulnerable.

Original article: https://cybersecdn.com/index.php/2021/08/17/millions-of-iot-devices-baby-monitors-open-to-audio-video-snooping/

Multiple Vulnerabilities Patched in WordPress Download Manager

The Wordfence team found two separate vulnerabilities: a sensitive information disclosure, and a file upload vulnerability that could have resulted in Remote Code Execution in some configurations.

A patched version of the WP Download Manager plugin was released within days of disclosure.

Original article: https://www.wordfence.com/blog/2021/07/wordpress-download-manager-vulnerabilities/

Critical SQL Injection Vulnerability Patched in WooCommerce

If you run a WooCommerce store on your site you may not see this update in this month’s report. That’s because this one was critical enough that WordPress made the rare decision to “push” the update as soon as it was available. Trust us, all our WooCommerce sites are safe and up to date!

WooCommerce is the leading e-Commerce platform for WordPress and is installed on over 5 million websites. Additionally, the WooCommerce Blocks feature plugin, installed on over 200,000 sites, was affected by the vulnerability and was patched at the same time.

Stories at https://woocommerce.com/posts/critical-vulnerability-detected-july-2021/ and https://www.wordfence.com/blog/2021/07/critical-sql-injection-vulnerability-patched-in-woocommerce/