Massive attack against 1.6 million WordPress sites underway

Wordfence analysts report having detected a massive wave of attacks in the last couple of days, originating from 16,000 IPs and targeting over 1.6 million WordPress sites.

The threat actors target four WordPress plugins and fifteen Epsilon Framework themes, one of which has no available patch.

Some of the targeted plugins were patched all the way back in 2018, while others had their vulnerabilities addressed as recently as this week.

The affected plugins are:

  • PublishPress Capabilities
  • Kiwi Social Plugin
  • Pinterest Automatic
  • WordPress Automatic

The targeted Epsilon Framework themes are:

  • Shapely
  • NewsMag
  • Activello
  • Illdy
  • Allegiant
  • Newspaper X
  • Pixova Lite
  • Brilliance
  • MedZone Lite
  • Regina Lite
  • Transcend
  • Affluent
  • Bonkers
  • Antreas
  • NatureMag Lite – No patch available

“In most cases, the attackers are updating the users_can_register option to enabled and setting the default_role option to administrator,” Wordfence explains.

“This makes it possible for attackers to register on any site as an administrator effectively taking over the site.”

Source: https://www.bleepingcomputer.com/news/security/massive-attack-against-16-million-wordpress-sites-underway/
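As an added example (not code from the Bleeping Computer or Wordfence articles), the following Python script shows how a site owner could audit a database for the two option changes quoted above and list administrator accounts created during the attack window, then reverse the option change. The table contents are constructed for the example, sqlite3 stands in for MySQL (the SQL is unchanged), and the `wp_` table prefix and the `since` date are assumptions.

```python
import sqlite3

# Constructed sample of the three WordPress tables the audit touches. The
# option values mirror the change the Wordfence quote describes: open
# registration with the default role set to administrator.
SAMPLE_OPTIONS = [
    ("users_can_register", "1"),        # normally "0"
    ("default_role", "administrator"),  # normally "subscriber"
    ("blogname", "Example Site"),
]
SAMPLE_USERS = [  # (ID, user_login, user_registered)
    (1, "owner", "2019-03-02 10:00:00"),
    (2, "editor1", "2020-07-14 09:12:00"),
    (7, "x7kq2", "2021-12-09 03:41:17"),  # self-registered during the attack window
]
SAMPLE_USERMETA = [  # (user_id, meta_key, meta_value); wp_capabilities is PHP-serialized
    (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
    (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
    (7, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
]


def build_sample_db():
    """Create an in-memory database holding the constructed sample data."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE wp_options  (option_name TEXT PRIMARY KEY, option_value TEXT);
        CREATE TABLE wp_users    (ID INTEGER PRIMARY KEY, user_login TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (user_id INTEGER, meta_key TEXT, meta_value TEXT);
    """)
    db.executemany("INSERT INTO wp_options VALUES (?, ?)", SAMPLE_OPTIONS)
    db.executemany("INSERT INTO wp_users VALUES (?, ?, ?)", SAMPLE_USERS)
    db.executemany("INSERT INTO wp_usermeta VALUES (?, ?, ?)", SAMPLE_USERMETA)
    return db


def registration_settings(db):
    """Return the two options that together decide who can become an admin."""
    rows = db.execute(
        "SELECT option_name, option_value FROM wp_options "
        "WHERE option_name IN ('users_can_register', 'default_role')"
    ).fetchall()
    return dict(rows)


def open_admin_registration(db):
    """True when anyone can register and new accounts become administrators."""
    s = registration_settings(db)
    return s.get("users_can_register") == "1" and s.get("default_role") == "administrator"


def recent_administrators(db, since):
    """Administrator accounts registered at or after `since` (ISO timestamp).

    wp_capabilities holds a PHP-serialized array, so matching the quoted role
    name is the usual audit shortcut instead of unserializing every row.
    """
    return db.execute(
        "SELECT u.ID, u.user_login, u.user_registered "
        "FROM wp_users u JOIN wp_usermeta m ON m.user_id = u.ID "
        "WHERE m.meta_key = 'wp_capabilities' "
        "AND m.meta_value LIKE '%\"administrator\"%' "
        "AND u.user_registered >= ? ORDER BY u.user_registered",
        (since,),
    ).fetchall()


def audit(db, since):
    """Human-readable findings; an empty list means nothing suspicious."""
    findings = []
    if open_admin_registration(db):
        findings.append("users_can_register=1 with default_role=administrator: "
                        "any visitor can self-register as an administrator")
    for uid, login, registered in recent_administrators(db, since):
        findings.append(f"administrator #{uid} '{login}' registered {registered}")
    return findings


def harden(db):
    """Reverse the option change. Accounts reported by audit() still need a
    manual review, because deleting them blindly could remove a real user."""
    db.execute("UPDATE wp_options SET option_value = '0' WHERE option_name = 'users_can_register'")
    db.execute("UPDATE wp_options SET option_value = 'subscriber' WHERE option_name = 'default_role'")
    db.commit()


if __name__ == "__main__":
    db = build_sample_db()
    for line in audit(db, since="2021-12-01 00:00:00"):
        print("FINDING:", line)
    harden(db)
    print("after hardening:", registration_settings(db))
```

Resetting the options closes the door, but any administrator account created while it was open should be treated as attacker-controlled until a person confirms otherwise, and the plugin or theme that let the options be changed in the first place still needs patching.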

AWS Attacks Targeting WordPress Increase 5X

The Wordfence Threat Intelligence team has been tracking a huge increase in malicious login attempts against WordPress sites in our network. Since November 17, 2021, the number of attacks targeting login pages has doubled.

Wordfence has seen a global increase in attacks against WordPress sites during the past week, and more than a quarter of all the malicious login attempts it is tracking now originate from Amazon Web Services (AWS) EC2 instances.

While AWS makes it easy for businesses to move to the cloud, attackers are also utilizing the scale provided by cloud services, including AWS, in increasing numbers.

Many site owners still reuse the same password in multiple locations, and data breaches, such as the recent GoDaddy breach, are frequently a source of compromised passwords. Attackers use these compromised passwords to attempt to log in to even more sites and services. Using this technique, attackers may guess your login correctly on the first try.

We also recommend that everyone use 2-factor authentication wherever possible, as it is an incredibly effective way of protecting your site even if an attacker has your password. The free version of Wordfence includes 2-factor authentication as a feature.

Full article at https://www.wordfence.com/blog/2021/11/aws-attacks-targeting-wordpress-increase-5x

WooCommerce Extension – Reflected XSS Vulnerability

A vulnerability was discovered in “Preview E-mails for WooCommerce”, a WordPress plugin that is an extension for WooCommerce, installed on over 20,000 sites. This flaw made it possible for an attacker to inject malicious JavaScript into a page that would execute if the attacker successfully tricked a site’s administrator into performing an action like clicking on a link.

Preview E-mails for WooCommerce is a simple plugin designed to give site owners the ability to preview the emails that are sent to customers via WooCommerce. Unfortunately, the plugin had a flaw that made it possible for attackers to inject malicious web scripts into the `digthis-woocommerce-preview-emails` page.

Details from Wordfence: https://www.wordfence.com/blog/2021/11/woocommerce-extension-reflected-xss-vulnerability

Over 1 Million Sites Impacted by Vulnerability in Starter Templates Plugin

The Starter Templates plugin allows site owners to import prebuilt templates and blocks for various page builders, including Elementor.

The Starter Templates plugin, which is installed on over 1 million WordPress websites, was found to have a vulnerability that allowed malicious JavaScript to be inserted and then used to overwrite any post or page by sending an AJAX request.

(The full name of the WordPress plugin is “Starter Templates — Elementor, Gutenberg & Beaver Builder Templates”)

Versions 2.7.0 and older of this plugin contain a vulnerability that allows Contributor-level users to completely overwrite any page on the site with malicious JavaScript.

Full details at: https://www.wordfence.com/blog/2021/11/over-1-million-sites-impacted-by-vulnerability-in-starter-templates-plugin/

Vulnerability in WP DSGVO Tools (GDPR) Plugin

A vulnerability was found by the Wordfence team in WP DSGVO Tools (GDPR), a WordPress plugin with over 30,000 installations. They were investigating the plugin to verify that their customers were fully protected from an actively exploited XSS issue, and found a flaw that allowed unauthenticated attackers to completely and permanently delete arbitrary posts and pages on a website.

The WP DSGVO Tools (GDPR) plugin contains functionality to let users request their personal information to be removed from a site. It also contained an AJAX action, admin-dismiss-unsubscribe, to allow administrators to “dismiss” these removal requests. The requests were stored in the WordPress posts table, so “dismissing” a data removal request simply involved deleting the associated post ID.

Unfortunately, the AJAX action was available to unauthenticated users, and the plugin did not check to see if the post to be deleted was actually a data removal request. As such, it was possible for any site visitor to delete any post or page on the site by sending an AJAX request with the admin-dismiss-unsubscribe action along with the ID of the post to be deleted. Sending the AJAX request once would move the post to the trash, while repeating the request would permanently delete it.

While it is true that site defacements have become less popular in recent years as they are more difficult to monetize, it would be trivial for an attacker to delete most of a site’s content in a way that would be impossible to recover unless the site’s database had been backed up.

We strongly recommend updating immediately to the latest available version of the plugin, which is 3.1.26 as of this writing, as it contains fixes for both the post deletion vulnerability and the XSS issue.

Source: https://www.wordfence.com/blog/2021/11/vulnerability-in-wp-dsgvo-tools-gdpr-plugin-allows-unauthenticated-page-deletion

XSS Vulnerability in NextScripts: Social Networks Auto-Poster Plugin Impacts 100,000 Sites

The Wordfence Threat Intelligence team discovered a reflected Cross-Site Scripting (XSS) vulnerability in NextScripts: Social Networks Auto-Poster, a WordPress plugin with over 100,000 installations.

All Wordfence users, including Wordfence Premium customers as well as those still using the free version of Wordfence, are protected against this vulnerability by our firewall’s built-in cross-site scripting protection.

As with all XSS attacks, malicious JavaScript running in an administrator’s session could be used to add malicious administrative users or insert backdoors into a site, and thus be used for site takeover.

All the gory details are available at the original article at: https://www.wordfence.com/blog/2021/10/xss-vulnerability-in-nextscripts-social-networks-auto-poster-plugin-impacts-100000-sites

Site Deletion Vulnerability in Hashthemes Plugin

A vulnerability in Hashthemes Demo Importer, a WordPress plugin with over 7,000 installations, was reported by Wordfence recently.

This vulnerability allowed any authenticated user to completely reset a site, permanently deleting nearly all database content as well as all uploaded media.

The plugin was temporarily removed from the WordPress plugin repository on September 20, 2021, and a patched version, 1.1.2, was made available on September 24, 2021.

The Hashthemes demo importer plugin failed to perform capability checks for many of its AJAX actions. While it did perform a nonce check, the AJAX nonce was visible in the admin dashboard for all users, including low-privileged users such as subscribers. The most severe consequence of this was that a subscriber-level user could reset all of the content on a given site.

Any logged-in user could trigger the hdi_install_demo AJAX function and provide a reset parameter set to true, resulting in the plugin running its database_reset function. This function wiped the database by truncating every database table on the site except for wp_options, wp_users, and wp_usermeta. Once the database was wiped, the plugin would then run its clear_uploads function, which deleted every file and folder in wp-content/uploads.

Details at: https://www.wordfence.com/blog/2021/10/site-deletion-vulnerability-in-hashthemes-plugin
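Both the WP DSGVO Tools item and the Hashthemes item above come down to an admin-ajax.php action that does too much for too little authorization. As an added example (not code from Wordfence or either plugin), the Python script below scans web server access logs in the common "combined" format for the two action names named in those advisories, counts which source addresses called them, flags `hdi_install_demo` calls carrying `reset=true`, and spots the dismiss action being sent twice for the same post ID (the trash-then-delete pattern described above). The log lines are constructed for the example and the IP addresses are documentation ranges.

```python
import re
from collections import Counter, defaultdict
from urllib.parse import parse_qs, urlsplit

# admin-ajax actions named in the two advisories above.
WATCHLIST = {
    "admin-dismiss-unsubscribe": "WP DSGVO Tools: trashes/deletes the post given by id",
    "hdi_install_demo": "Hashthemes Demo Importer: reset=true wipes the site",
}

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample log (not from any real incident).
SAMPLE_LOG = """\
203.0.113.7 - - [09/Dec/2021:03:41:10 +0000] "GET /wp-admin/admin-ajax.php?action=admin-dismiss-unsubscribe&id=42 HTTP/1.1" 200 12 "-" "python-requests/2.26.0"
203.0.113.7 - - [09/Dec/2021:03:41:11 +0000] "GET /wp-admin/admin-ajax.php?action=admin-dismiss-unsubscribe&id=42 HTTP/1.1" 200 12 "-" "python-requests/2.26.0"
203.0.113.7 - - [09/Dec/2021:03:41:12 +0000] "GET /wp-admin/admin-ajax.php?action=admin-dismiss-unsubscribe&id=43 HTTP/1.1" 200 12 "-" "python-requests/2.26.0"
198.51.100.20 - - [09/Dec/2021:04:02:55 +0000] "GET /wp-admin/admin-ajax.php?action=hdi_install_demo&reset=true HTTP/1.1" 200 2 "-" "curl/7.79.1"
192.0.2.9 - - [09/Dec/2021:08:15:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 75 "https://example.org/wp-admin/" "Mozilla/5.0"
192.0.2.9 - - [09/Dec/2021:08:15:30 +0000] "GET /about/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = {k: v[0] for k, v in parse_qs(parts.query).items()}
    return rec


def admin_ajax_events(log_text):
    """Yield parsed requests that hit admin-ajax.php with a watchlisted action."""
    for line in log_text.splitlines():
        rec = parse_line(line)
        if (rec and rec["path"].endswith("/admin-ajax.php")
                and rec["query"].get("action") in WATCHLIST):
            yield rec


def findings(log_text):
    """Summarise who called which watchlisted action, which post IDs were
    dismissed twice (trash, then permanent delete) and who requested a reset."""
    calls = Counter()               # (ip, action) -> number of requests
    dismissed = defaultdict(Counter)  # ip -> post id -> number of dismiss requests
    resets = set()                  # ips that sent hdi_install_demo with reset=true
    for rec in admin_ajax_events(log_text):
        action = rec["query"]["action"]
        calls[(rec["ip"], action)] += 1
        if action == "admin-dismiss-unsubscribe" and "id" in rec["query"]:
            dismissed[rec["ip"]][rec["query"]["id"]] += 1
        if action == "hdi_install_demo" and rec["query"].get("reset") == "true":
            resets.add(rec["ip"])
    twice = {ip: sorted(pid for pid, n in ids.items() if n >= 2)
             for ip, ids in dismissed.items()}
    return {
        "calls": dict(calls),
        "permanently_deleted": {ip: pids for ip, pids in twice.items() if pids},
        "reset_attempts": sorted(resets),
    }


if __name__ == "__main__":
    report = findings(SAMPLE_LOG)
    for (ip, action), n in sorted(report["calls"].items()):
        print(f"{ip}: {n}x {action} ({WATCHLIST[action]})")
    print("posts dismissed twice:", report["permanently_deleted"])
    print("site reset attempts from:", report["reset_attempts"])
```

Two caveats a practitioner should keep in mind: admin-ajax.php is normally called with POST, and POST bodies are not written to access logs, so this scan only sees actions passed in the query string (WordPress accepts both); pair it with WAF or plugin-side logging for full coverage. A 200 response also says nothing about whether the action succeeded, so a hit is a lead to check against the posts table and backups, not proof of deletion.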

“I Was Hacked. The Spyware Used Against Me Makes Us All Vulnerable.”

Invasive hacking software sold to countries to fight terrorism is easily abused. Researchers say my phone was hacked twice, probably by Saudi Arabia.

Ben Hubbard in the New York Times.

In a world where we store so much of our personal and professional lives in the devices we carry in our pockets, and where surveillance software continues to become ever more sophisticated, we are all increasingly vulnerable.

As it turned out, I didn’t even have to click on a link for my phone to be infected.

To try to determine what had happened, I worked with Citizen Lab, a research institute at the Munk School of Global Affairs at the University of Toronto that studies spyware.

Continue reading: https://www.nytimes.com/2021/10/24/insider/hacking-nso-surveillance.html

WordPress Cache Plugin Exploit Affects +1 Million Websites

WP Fastest Cache WordPress plugin vulnerabilities can lead to full site takeover and password leaks

The popular WordPress plugin WP Fastest Cache was discovered by Jetpack security researchers to have multiple vulnerabilities that could allow an attacker to gain full administrator privileges. The vulnerabilities affect over a million WordPress installations.

The authenticated SQL injection allows logged-in users to access administrator-level information through the database.

A SQL injection attack is directed at the database, which is where the website's content and user data, including passwords, are stored.

A successful SQL Injection attack could lead to a full website takeover.

More at original article: https://www.searchenginejournal.com/wp-fastest-cache-vulnerability/424278/amp/

Vulnerability Patched in Sassy Social Share Plugin

The Wordfence Threat Intelligence team discovered a vulnerability in “Sassy Social Share”, a WordPress plugin installed on over 100,000 sites. The vulnerability provided a way for subscriber-level users to gain remote code execution and take over a vulnerable site. Sites that have open registration allow anyone to create a “subscriber” level account, and are therefore particularly exposed to this vulnerability.

Wordfence Premium users received a firewall rule to protect against exploits targeting this vulnerability on August 31, 2021. Sites still using the free version of Wordfence received the same protection on September 30, 2021.

In this case, the flaw made it possible for an attacker to import plugin settings and potentially inject PHP objects that could be used as part of a POP chain (property-oriented programming) – a sequence of existing code in the application that the attacker chains together to achieve code execution.

Full details at https://www.wordfence.com/blog/2021/10/vulnerability-patched-in-sassy-social-share-plugin