Multiple Vulnerabilities in Brizy Page Builder Plugin Allow Site Takeover

The Wordfence Threat Intelligence team initiated the Responsible Disclosure process for Brizy – Page Builder, a WordPress plugin installed on over 90,000 sites.

During a routine review of their firewall rules, they found traffic indicating that a vulnerability might be present in the Brizy – Page Builder plugin, though it did not appear to be under active attack. This led them to discover two new vulnerabilities as well as a previously patched access control vulnerability in the plugin that had been reintroduced.

Both new vulnerabilities could take advantage of the access control vulnerability to allow complete site takeover, including a combination that allowed any logged-in user to modify any published post and add malicious JavaScript to it, as well as a separate flaw that allowed any logged-in user to upload potentially executable files and achieve remote code execution.

A patched version of the Brizy – Page Builder plugin, 2.3.12, was released on August 24, 2021. As per the WordFence responsible disclosure policy, they are now disclosing the vulnerability details as the plugin has been fully patched for some time.

All Wordfence users, including Wordfence Premium users as well as those using the free version, are protected by a combination of built-in firewall rules and an existing firewall rule released in June of 2020, which covered a similar vulnerability in a previous version of Brizy – Page Builder.

The original vulnerability was patched in version 1.0.126, but an almost identical vulnerability was reintroduced in version 1.0.127.

We strongly recommend updating to the latest version available, 2.3.17, as soon as possible, especially if you are not running Wordfence.

Source: https://www.wordfence.com/blog/2021/10/multiple-vulnerabilities-in-brizy-page-builder-plugin-allow-site-takeover/

See also: https://threatpost.com/brizy-wordpress-plugin-exploit-site-takeovers/175463/

Apple fixes iOS zero-day exploited in the wild (CVE-2021-30883)

With the newest iOS and iPad updates, Apple has fixed another vulnerability (CVE-2021-30883) that is being actively exploited by attackers.

As per usual, Apple did not share more details about the flaw or the attack(s) exploiting it, and the researcher who discovered it remains unnamed.

But, thanks to security researcher Saar Amar, who analyzed Apple’s patch, we know that the flaw is “a classic integer overflow.”

More details at: https://www.helpnetsecurity.com/2021/10/12/cve-2021-30883

High Severity Vulnerability Patched in Access Demo Importer Plugin

The Wordfence Threat Intelligence team discovered a vulnerability in Access Demo Importer, a WordPress plugin installed on over 20,000 sites. This flaw made it possible for authenticated attackers with just subscriber level access to upload arbitrary files that could be used to achieve remote code execution. On sites with open registration, an anonymous user could easily register and exploit this vulnerability.

As the vendor was unresponsive, they escalated the issue to the WordPress.org plugins team. The plugins team responded immediately and closed the plugin for downloads on August 27, 2021, pending a full review. A partially patched version of the plugin was reopened for downloads around September 7, 2021. After following up with the developer and the WordPress plugins team, a fully patched version of the plugin was released on September 21, 2021.

Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on August 9, 2021. Sites still using the free version of Wordfence received the same protection on September 8, 2021. As per the WordFence responsible disclosure policy, they are now fully disclosing the vulnerability details because enough time has elapsed since the fix was released.

If you have not already done so, we strongly recommend updating the latest version of the plugin available, 1.0.7, as soon as possible to ensure your site is not vulnerable to this security issue.

Source: https://www.wordfence.com/blog/2021/10/high-severity-vulnerability-patched-in-access-demo-importer-plugin/

PHP_SELFish: UnderContruction, Easy Social Icons

Part 1 – Reflected XSS in underConstruction Plugin

This post examines a cross site scripting vulnerability that exploits the PHP_SELF variable. Below describes another plugin suffering from a similar vulnerability related to the use of PHP_SELF.

On August 16, 2021, the Wordfence Threat Intelligence team attempted to initiate disclosure for a reflected Cross-Site Scripting vulnerability in underConstruction, a WordPress plugin with over 80,000 installations.

A patched version, 1.19, was released on August 31, 2021.

A firewall rule protecting against this vulnerability was released to Wordfence Premium users on August 16, 2021, and became available to sites using the free version of Wordfence on September 15, 2021.

If you aren’t running Wordfence, and are a user of this plugin, we recommend you immediately upgrade to version 1.19 of underConstruction which contains the patch.

Original source and technical explanation: https://www.wordfence.com/blog/2021/09/reflected-xss-in-underconstruction-plugin

Part 2 – Reflected XSS in Easy Social Icons

On August 16, 2021, the Wordfence Threat Intelligence team attempted to initiate disclosure for a reflected Cross-Site Scripting vulnerability in Easy Social Icons, a WordPress plugin with over 40,000 installations.

An initial patch, version 3.0.9, was released on August 31, 2021.

A firewall rule protecting against this vulnerability was released to Wordfence Premium users on August 16, 2021, and became available to sites using the free version of Wordfence on September 15, 2021.

Newer versions of the plugin also contain patches for additional XSS vulnerabilities, and all Wordfence users are protected against these vulnerabilities by our firewall’s built-in XSS protection. If you’re not using Wordfence, we recommend that you immediately upgrade to version 3.1.3 of the Easy Social Icons plugin.

Original source and technical explanation: https://www.wordfence.com/blog/2021/09/php_selfish-part-2-reflected-xss-in-easy-social-icons

Recently Patched Vulnerabilities in Ninja Forms Plugin Affect Over 1 Million Site Owners

On August 3, 2021 the Wordfence Threat Intelligence team initiated the responsible disclosure process for two vulnerabilities that were discovered in Ninja Forms, a WordPress plugin installed on over 1,000,000 sites. These flaws made it possible for an attacker to export sensitive information and send arbitrary emails from a vulnerable site that could be used to phish unsuspecting users.

Wordfence Premium users received a firewall rule to protect against any exploits targeting this vulnerability on August 2, 2021. Sites still using the free version of Wordfence received the same protection on September 1, 2021.

We sent the full disclosure details to Ninja Forms on August 3, 2021, as per the security disclosure policy listed on Ninja Forms website. Ninja Forms quickly acknowledged the report the same day and informed us that they would start working on a patch immediately. A patch was released on September 7, 2021 in version 3.5.8.

We strongly recommend updating immediately to the latest patched version of Ninja Forms to patch these security issues, which is version 3.5.8.2 of Ninja Forms at the time of this publication.

Original source and technical explanation: https://www.wordfence.com/blog/2021/09/recently-patched-vulnerabilities-in-ninja-forms-plugin-affects-over-1-million-site-owners

CSRF Vulnerability Found in Software License Manager Plugin

Versions before 4.5.1 of the Software License Manager plugin for WordPress have an exploitable Cross-Site Request Forgery (CSRF) vulnerability. Any user logged in to a site with the vulnerable extension can, by clicking a link, be tricked to delete an entry in the plugin’s registered domain database table. The link can be distributed in an email, or on a website the victim user is likely to visit.

The good news is, there’s not much else that can be done by exploiting this weakness. And the attacker needs to know the id of the domain they wish to delete from the database beforehand. 

Still, we recommend anybody running version 4.5.0 or earlier of the plugin to upgrade as soon as possible.

Details

Source: https://jetpack.com/2021/09/14/csrf-vulnerability-found-in-software-license-manager-plugin/

Over 1 Million Sites Affected by Gutenberg Template Library & Redux Framework Vulnerabilities

Two vulnerabilities were discovered in the Gutenberg Template Library & Redux Framework plugin, which is installed on over 1 million WordPress sites. One vulnerability allowed users with lower permissions, such as contributors, to install and activate arbitrary plugins and delete any post or page via the REST API. A second vulnerability allowed unauthenticated attackers to access potentially sensitive information about a site’s configuration.

A patched version of the plugin, 4.2.13, was released on August 11, 2021.

Source: https://www.wordfence.com/blog/2021/09/over-1-million-sites-affected-by-redux-framework-vulnerabilities

US govt warns orgs to patch massively exploited Confluence bug

US Cyber Command (USCYBERCOM) has issued a rare alert today urging US organizations to patch a massively exploited Atlassian Confluence critical vulnerability immediately.

“Mass exploitation of Atlassian Confluence CVE-2021-26084 is ongoing and expected to accelerate,” said Cyber National Mission Force (CNMF). 

The USCYBERCOM unit also stressed the importance of patching vulnerable Confluence servers as soon as possible: “Please patch immediately if you haven’t already— this cannot wait until after the weekend.”

This warning comes after Deputy National Security Advisor Anne Neuberger encouraged organizations “to be on guard for malicious cyberactivity in advance of the holiday weekend” during a Thursday White House press briefing.

It’s the second alert of this kind in the last 12 months, the previous one (from June) notifying that CISA was aware that threat actors might attempt to exploit a remote code execution vulnerability affecting all vCenter Server installs.

CISA also urged users and admins today to immediately apply the Confluence security updates recently issued by Atlassian.

Original article: https://www.bleepingcomputer.com/news/security/us-govt-warns-orgs-to-patch-massively-exploited-confluence-bug/amp/