Over 1 Million Sites Affected by Gutenberg Template Library & Redux Framework Vulnerabilities

On August 3, 2021, the Wordfence Threat Intelligence team initiated the disclosure process for two vulnerabilities we discovered in the Gutenberg Template Library & Redux Framework plugin, which is installed on over 1 million WordPress sites. One vulnerability allowed users with lower permissions, such as contributors, to install and activate arbitrary plugins and delete any post or page via the REST API. A second vulnerability allowed unauthenticated attackers to access potentially sensitive information about a site’s configuration.

The plugin’s publisher, Redux.io, replied almost immediately to Wordfence’s initial contact, and Wordfence provided full disclosure the same day, on August 3, 2021. A patched version of the plugin, 4.2.13, was released on August 11, 2021.

Wordfence Premium users received a firewall rule to protect against the vulnerability targeting the REST API on August 3, 2021. Sites still running the free version of Wordfence will receive the same protection after 30 days, on September 2, 2021.

Description: Incorrect Authorization Leading to Arbitrary Plugin Installation and Post Deletion
Affected Plugin: Gutenberg Template Library & Redux Framework
Plugin Slug: redux-framework
Affected Versions: <= 4.2.11
CVE ID: CVE-2021-38312
CVSS Score: 7.1 (High)
Researcher/s: Ramuel Gall
Fully Patched Version: 4.2.13

The Gutenberg Template Library & Redux Framework plugin allows site owners to add blocks and block templates to extend the functionality of a site by choosing them from a library. In order to do this, it uses the WordPress REST API to process requests to list and install available blocks, manage existing blocks, and more.

Source: https://www.wordfence.com/blog/2021/09/over-1-million-sites-affected-by-redux-framework-vulnerabilities/

Nested Pages Patches Post Deletion Vulnerability

Two vulnerabilities were identified in late August in Nested Pages, a WordPress plugin installed on over 80,000 sites that provides drag and drop functionality to manage your page structure and post ordering.

These vulnerabilities included a Cross-Site Request Forgery vulnerability that allowed posts and pages to be deleted, unpublished or assigned to a different author in bulk, as well as a separate open redirect vulnerability.

The plugin author released a patched version of the plugin, version 3.1.16, a few hours later.

Due to the nature of Cross-Site Request Forgery vulnerabilities, which involve tricking administrators into performing actions that they are allowed to perform, it is not possible to provide protection for these vulnerabilities without blocking legitimate requests. As such, it is strongly recommended to update to the latest patched version of Nested Pages to ensure your site is protected against exploits targeting these vulnerabilities.

Full article and analysis: https://www.wordfence.com/blog/2021/08/nested-pages-patches-post-deletion-vulnerability

Critical Authentication Bypass Vulnerability Patched in Booster for WooCommerce

Booster for WooCommerce is an addon plugin for WooCommerce designed to enhance its functionality through the use of various modules that site owners can enable and disable at any point. One module that the plugin offers is an Email Verification module, which adds a requirement for users to verify their email after they have registered on the site.

Unfortunately, the Wordfence team found that this feature was insecurely implemented, which made it possible for an attacker to impersonate any user and send a verification request that could allow the attacker to easily recreate the token needed to “verify” the targeted user’s email, and be automatically logged in as that user.

More details at: https://www.wordfence.com/blog/2021/08/critical-authentication-bypass-vulnerability-patched-in-booster-for-woocommerce

XSS Vulnerability Patched in SEOPress Affects 100,000 sites

SEOPress is a WordPress plugin designed to optimize the SEO (Search Engine Optimization) of WordPress sites through many different features, like the ability to add SEO meta-data, breadcrumbs, schemas, and more. One feature the plugin implements is the ability to add a SEO title and description to posts, and this can be done while saving edits to a post or via a newly introduced REST-API endpoint.

Unfortunately, this REST-API endpoint was insecurely implemented. The permission_callback for the endpoint only verified that the request carried a valid REST-API nonce. A valid REST-API nonce can be generated by any authenticated user using the rest-nonce WordPress core AJAX action. This meant that any authenticated user, even a subscriber, could call the REST route with a valid nonce and update the SEO title and description for any post.
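
The nonce-only check described above, next to a capability-based check, as an added example that is not SEOPress's code: the route namespace, function names and meta keys are hypothetical, and only the WordPress core functions are real.

```php
<?php
// Added illustration. 'example-seo/v1', the example_seo_* functions and the
// '_example_seo_*' meta keys are hypothetical placeholders, not SEOPress code.

// WEAK: a nonce proves the request came from a logged-in browser session,
// not that this user may edit this post. Any subscriber can pass this.
function example_seo_nonce_only( WP_REST_Request $request ) {
    return (bool) wp_verify_nonce( $request->get_header( 'X-WP-Nonce' ), 'wp_rest' );
}

// HARDENED: authorize against the specific post being modified.
function example_seo_can_edit( WP_REST_Request $request ) {
    $post_id = (int) $request['id'];
    if ( ! get_post( $post_id ) ) {
        return new WP_Error( 'rest_post_invalid_id', 'Invalid post ID.', array( 'status' => 404 ) );
    }
    if ( ! current_user_can( 'edit_post', $post_id ) ) {
        return new WP_Error( 'rest_forbidden', 'You cannot edit this post.',
            array( 'status' => rest_authorization_required_code() ) );
    }
    return true;
}

function example_seo_update_meta( WP_REST_Request $request ) {
    $post_id = (int) $request['id'];
    foreach ( array( 'title', 'description' ) as $field ) {
        if ( $request->has_param( $field ) ) {
            // Values were already sanitized by the 'args' schema below.
            update_post_meta( $post_id, "_example_seo_{$field}", $request[ $field ] );
        }
    }
    return rest_ensure_response( array( 'updated' => $post_id ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-seo/v1', '/posts/(?P<id>\d+)/meta', array(
        'methods'             => WP_REST_Server::EDITABLE,
        'callback'            => 'example_seo_update_meta',
        'permission_callback' => 'example_seo_can_edit', // not example_seo_nonce_only
        'args'                => array(
            'title'       => array( 'type' => 'string', 'sanitize_callback' => 'sanitize_text_field' ),
            'description' => array( 'type' => 'string', 'sanitize_callback' => 'sanitize_textarea_field' ),
        ),
    ) );
} );
```

WordPress core already verifies the wp_rest nonce for cookie-authenticated REST requests, so the permission callback's job is the capability check. The stored values should still be escaped on output, for example with esc_attr() or esc_html().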

Full details: https://www.wordfence.com/blog/2021/08/xss-vulnerability-patched-in-seopress-affects-100000-sites

Millions of IoT devices, baby monitors open to audio, video snooping

The vulnerability would allow threat actors to remotely compromise a targeted ThroughTek IoT device and watch the real-time video feed, listen to audio, and compromise device credentials for additional attacks.

The cybersecurity researchers at FireEye have shared details of a critical IoT supply chain vulnerability that might be exposing millions of ThroughTek internet-connected cameras to espionage. Reportedly, the flaw affects IoT cameras worldwide and lets attackers hijack video streams.

It is worth noting that, at the time of publishing this article, ThroughTek claims to have more than 83 million active IoT devices and over 1.1 billion monthly connections on their platform.

Flaw Identified in ThroughTek’s P2P SDK

The flaw was discovered in ThroughTek’s software core component of the Kalay cloud platform used by OEMs to manufacture IP cameras, baby/pet monitoring cameras, battery devices, and robotic devices.

The vulnerability (CVE-2021-28372) is present in the company’s P2P SDK, which is a function that allows a client on a desktop or mobile app to access the camera’s audio or video streams via the internet.

It is reported that the protocol used to transmit these data streams doesn’t possess a secure key exchange. Instead, it relies on a fixed key-based obfuscation scheme. Hence, attackers can access it and construct the audio/video stream to spy on users remotely.

Moreover, it can allow attackers to carry out device spoofing, eavesdrop on camera audio/video, and hijack device certificates.

CISA Releases Security Alert

Yesterday, CISA released a separate advisory for ThroughTek P2P SDK and gave it a CVSS score of 9.1, stating that:

“ThroughTek supplies multiple original equipment manufacturers of IP cameras with P2P connections as part of its cloud platform. Successful exploitation of this vulnerability could permit unauthorized access to sensitive information, such as camera audio/video feeds.”

CISA noted that the vulnerability impacts SDK version 3.1.5 and older, versions with nossl tag, and device firmware lacking AuthKey for IOTC connection and using the RDT module, P2PTunnel, or AVAPI module without enabling DTLS.

The advisory revealed that the impacted P2P products don’t adequately protect the data transmitted between the company’s servers and the local device, letting the attackers access sensitive data such as camera feeds.

CVE-2021-28372 poses a huge risk to an end user’s security and privacy and should be mitigated appropriately. Unprotected devices, such as IoT cameras, can be compromised remotely with access to a UID and further attacks are possible depending on the functionality exposed by a device, FireEye researchers warned in a blog post.

ThroughTek’s Response

The company conveniently blamed developers who incorrectly implemented its SDK or didn’t update to the latest version. ThroughTek claims that it introduced version 3.3 in mid-2020 to fix this issue and update its devices’ SDK version, and those who didn’t upgrade the software are vulnerable to this threat.

Original article: https://cybersecdn.com/index.php/2021/08/17/millions-of-iot-devices-baby-monitors-open-to-audio-video-snooping/

Multiple Vulnerabilities Patched in WordPress Download Manager

The Wordfence team found two separate vulnerabilities, including a sensitive information disclosure as well as a file upload vulnerability which could have resulted in Remote Code Execution in some configurations.

A patched version of the WP Download Manager plugin was released within days of disclosure.

Original article: https://www.wordfence.com/blog/2021/07/wordpress-download-manager-vulnerabilities/

Critical SQL Injection Vulnerability Patched in WooCommerce

If you run a WooCommerce store on your site you may not see this update in this month’s report. That’s because this one was critical enough that WordPress made the rare decision to “push” the update as soon as it was available. Trust us, all our WooCommerce sites are safe and up to date!

WooCommerce is the leading e-Commerce platform for WordPress and is installed on over 5 million websites. Additionally, the WooCommerce Blocks feature plugin, installed on over 200,000 sites, was affected by the vulnerability and was patched at the same time.

Stories at https://woocommerce.com/posts/critical-vulnerability-detected-july-2021/ and https://www.wordfence.com/blog/2021/07/critical-sql-injection-vulnerability-patched-in-woocommerce/

Amazon’s Ring is the largest civilian surveillance network the US has ever seen

Ring is effectively building the largest corporate-owned, civilian-installed surveillance network that the US has ever seen. An estimated 400,000 Ring devices were sold in December 2019 alone, and that was before the across-the-board boom in online retail sales during the pandemic. Amazon is cagey about how many Ring cameras are active at any one point in time, but estimates drawn from Amazon’s sales data place yearly sales in the hundreds of millions. The always-on video surveillance network extends even further when you consider the millions of users on Ring’s affiliated crime reporting app, Neighbors, which allows people to upload content from Ring and non-Ring devices.

Then there’s this: since Amazon bought Ring in 2018, it has brokered more than 1,800 partnerships with local law enforcement agencies, who can request recorded video content from Ring users without a warrant. That is, in as little as three years, Ring connected around one in 10 police departments across the US with the ability to access recorded content from millions of privately owned home security cameras. These partnerships are growing at an alarming rate.

Because Ring cameras are owned by civilians, law enforcement are given a backdoor entry into private video recordings of people in residential and public space that would otherwise be protected under the fourth amendment. By partnering with Amazon, law enforcement circumvents these constitutional and statutory protections, as noted by the attorney Yesenia Flores. In doing so, Ring blurs the line between police work and civilian surveillance and turns your neighbor’s home security system into an informant. Except, unlike an informant, it’s always watching.

Full article: https://www.theguardian.com/commentisfree/2021/may/18/amazon-ring-largest-civilian-surveillance-network-us

Easily Exploitable Critical Vulnerabilities Patched in ProfilePress Plugin

The Wordfence Threat Intelligence team initiated the responsible disclosure process for several vulnerabilities that were discovered in ProfilePress, formerly WP User Avatar, a WordPress plugin installed on over 400,000 sites. These flaws made it possible for an attacker to upload arbitrary files to a vulnerable site and register as an administrator on sites even if user registration was disabled, all without requiring any prior authentication.

A patch was quickly released on May 30, 2021 as version 3.1.4.

Source: https://www.wordfence.com/blog/2021/06/easily-exploitable-critical-vulnerabilities-patched-in-profilepress-plugin