Hackers Exploit Legitimate Websites to Deliver BadSpace Windows Backdoor

Legitimate-but-compromised websites are being used as a conduit to deliver a Windows backdoor dubbed BadSpace under the guise of fake browser updates.

“The threat actor employs a multi-stage attack chain involving an infected website, a command-and-control (C2) server, in some cases a fake browser update, and a JScript downloader to deploy a backdoor into the victim’s system,” German cybersecurity company G DATA said in a report.

Details of the malware were first shared by researchers kevross33 and Gi7w0rm last month.

It all starts with a compromised website, including ones built on WordPress, into which code is injected that checks whether a user has visited the site before.

Should it be the user’s first visit, the code collects information about the device, IP address, user-agent, and location, and transmits it to a hard-coded domain via an HTTP GET request.

The server’s response then overlays the contents of the web page with a phony Google Chrome update pop-up window that either drops the malware directly or delivers a JavaScript downloader that, in turn, downloads and executes BadSpace.

An analysis of the C2 servers used in the campaign has uncovered connections to a known malware called SocGholish (aka FakeUpdates), a JavaScript-based downloader malware that’s propagated via the same mechanism.

BadSpace, in addition to employing anti-sandbox checks and setting up persistence using scheduled tasks, is capable of harvesting system information and processing commands that allow it to take screenshots, execute instructions using cmd.exe, read and write files, and delete the scheduled task.

The disclosure comes as both eSentire and Sucuri have warned of separate campaigns leveraging bogus browser update lures on compromised sites to distribute information stealers and remote access trojans.

Source: https://thehackernews.com/2024/06/hackers-exploit-legitimate-websites-to.html

40,000 WordPress Sites affected by Vulnerability That Leads to Privilege Escalation in Login/Signup Popup WordPress Plugin

On May 17th, 2024, during the Wordfence Bug Bounty Extravaganza, a submission was received for an Arbitrary Options Update vulnerability in Login/Signup Popup, a WordPress plugin with more than 40,000 active installations. This vulnerability could be used by authenticated attackers, with subscriber-level access and above, to update arbitrary options which can easily be leveraged for privilege escalation.

Props to 1337_Wannabe who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $938.00 for this discovery during our Bug Bounty Program Extravaganza.

Paid Wordfence users received a firewall rule to protect against any exploits targeting this vulnerability on May 28, 2024. Sites using the free version of Wordfence will receive the same protection 30 days later on June 27, 2024.

Wordfence contacted the XootiX team on May 24, 2024, and received a response on the next day. After providing full disclosure details, the developer released a patch on May 28, 2024. We would like to commend the XootiX team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of Login/Signup Popup, which is version 2.7.3, as soon as possible.

All in One SEO – Stored XSS to Admin Account Creation (Contributor+) Critical-High – PoC (Proof of Concept)

A critical security flaw, tracked as CVE-2024-3368, has been discovered in the widely used WordPress plugin All in One SEO, which has more than 3 million installations. This vulnerability poses a significant threat, allowing attackers to execute malicious code through Stored Cross-Site Scripting (XSS) attacks, potentially leading to the creation of admin accounts by contributors.

Discovery of the Vulnerability

During routine testing, security researchers identified a vulnerability in the All in One SEO plugin that enables contributors to execute arbitrary JavaScript code within the context of a WordPress post. This flaw grants unauthorized access to admin privileges, putting millions of websites at risk of compromise.

Understanding Stored XSS attacks

Stored XSS occurs when user-supplied data is stored on a server and later rendered on a web page without proper sanitization or output escaping. In the case of WordPress, attackers can exploit such a flaw by injecting malicious code into posts, comments, or metadata fields, which then executes in the browser of any user who views the affected page, leading to unauthorized actions or data theft.

Exploiting the Stored XSS Vulnerability

By leveraging the vulnerability in All in One SEO, attackers can craft a malicious post containing JavaScript code and inject it into the SEO section. When administrators or other users interact with the compromised content, the malicious script executes, potentially resulting in the creation of admin accounts, data theft, or further exploitation.
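The two paragraphs above describe the mechanism in the abstract. As an added illustration (not code from All in One SEO or from the CleanTalk write-up), the hypothetical meta box below lets post authors store an SEO description and then prints it in the page head and in an admin list column; the names `myseo_description`, `_myseo_description` and the nonce action are assumptions for illustration. The vulnerable and hardened output functions differ only in whether the stored value is escaped for the context it is printed into, which is exactly what turns a contributor-controlled string into script that runs in an administrator's browser.

```php
<?php
// Added example, not the plugin's own code. Field and option names are assumptions.

// Saving: a contributor can write this field on their own drafts.
function myseo_save_description( $post_id ) {
    if ( ! isset( $_POST['myseo_description'] ) || ! current_user_can( 'edit_post', $post_id ) ) {
        return;
    }
    check_admin_referer( 'myseo_save', 'myseo_nonce' );
    // Sanitising on input limits what gets stored, but output escaping is still
    // required: the same meta key can be written through other paths (imports, REST).
    $clean = sanitize_text_field( wp_unslash( $_POST['myseo_description'] ) );
    update_post_meta( $post_id, '_myseo_description', $clean );
}
add_action( 'save_post', 'myseo_save_description' );

// --- Vulnerable output -------------------------------------------------------
// Raw meta echoed into HTML: a stored payload runs for every visitor of the post,
// and for the administrator when the same value is printed in the admin.
function myseo_print_meta_vulnerable() {
    $desc = get_post_meta( get_the_ID(), '_myseo_description', true );
    echo '<meta name="description" content="' . $desc . '">' . "\n";
}

// --- Hardened output ---------------------------------------------------------
// Escape for the exact context: esc_attr() inside an attribute value,
// esc_html() in element text. The stored value is treated as data, never markup.
function myseo_print_meta_hardened() {
    $desc = get_post_meta( get_the_ID(), '_myseo_description', true );
    if ( '' !== $desc ) {
        echo '<meta name="description" content="' . esc_attr( $desc ) . '">' . "\n";
    }
}
add_action( 'wp_head', 'myseo_print_meta_hardened' );

// Admin posts list column showing the same contributor-supplied value to
// editors and administrators; this is the surface that makes the XSS "stored".
add_filter( 'manage_post_posts_columns', function ( $columns ) {
    $columns['myseo_description'] = 'SEO description';
    return $columns;
} );
add_action( 'manage_post_posts_custom_column', function ( $column, $post_id ) {
    if ( 'myseo_description' === $column ) {
        echo esc_html( get_post_meta( $post_id, '_myseo_description', true ) );
    }
}, 10, 2 );
```

The defensive rule this demonstrates is "late escaping": every place a stored value meets HTML gets an escape function matching that context, regardless of what was done on the way in. A WAF, as the recommendations section notes, can catch known payload shapes, but it cannot substitute for the missing `esc_attr()`/`esc_html()` call.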

With over 3 million active installations, the CVE-2024-3368 vulnerability in All in One SEO poses a severe risk to WordPress websites globally. Attackers could exploit this flaw to gain unauthorized access, deface websites, steal sensitive information, or distribute malware, causing significant harm to site owners and visitors.

Recommendations for Improved Security

To mitigate the risk posed by CVE-2024-3368 and similar vulnerabilities, WordPress site owners are urged to update the All in One SEO plugin to the latest patched version immediately. Additionally, regular security audits, robust access controls, and the implementation of web application firewalls (WAFs) can help safeguard against XSS attacks and other security threats.

Source and more details: https://research.cleantalk.org/cve-2024-3368/

30,000 WordPress Sites affected by Arbitrary SQL Execution Vulnerability Patched in Visualizer WordPress Plugin

On April 10th, 2024, during the second Wordfence Bug Bounty Extravaganza, a submission was received for an authenticated SQL Execution vulnerability in Visualizer, a WordPress plugin with more than 30,000 active installations. This vulnerability can be leveraged for privilege escalation among many other actions.

Props to Krzysztof Zając who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $985.00 for this discovery during our Bug Bounty Program Extravaganza.

Paid Wordfence users received a firewall rule to protect against any exploits targeting this vulnerability on April 15, 2024. Sites using the free version of Wordfence received the same protection 30 days later on May 15, 2024.

Wordfence contacted the Themeisle Team on April 12, 2024, and received a response on the next day. After providing full disclosure details, the developer released a first patch on April 15, 2024, which did not fully address the vulnerability. A fully patched version, 3.11.0, was released on May 13, 2024.

We urge users to update their sites with the latest patched version of Visualizer, which is version 3.11.0, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2024/05/30000-wordpress-sites-affected-by-arbitrary-sql-execution-vulnerability-patched-in-visualizer-wordpress-plugin/

WordPress 6.5.3 Maintenance Release

This minor release features 12 bug fixes in Core and 9 bug fixes for the block editor. You can review a summary of the maintenance updates in this release by reading the Release Candidate announcement.

WordPress 6.5.3 is a short-cycle release. The next major release will be version 6.6 planned for July 2024.

If you have sites that support automatic background updates, the update process will begin automatically.

You can download WordPress 6.5.3 from WordPress.org, or visit your WordPress Dashboard, click “Updates”, and then click “Update Now”.

For more information on this release, please visit the HelpHub site.

Source: https://wordpress.org/news/2024/05/wordpress-6-5-3-maintenance-release/

Reflected Cross-Site Scripting Vulnerability Patched in Yoast SEO WordPress Plugin

On April 22nd, 2024, during the second Wordfence Bug Bounty Extravaganza, a submission was received for a Reflected Cross-Site Scripting (XSS) vulnerability in Yoast SEO, a WordPress plugin with more than 5 million active installations. This vulnerability makes it possible for an unauthenticated attacker to craft a request that contains malicious JavaScript. If the attacker is able to trick a site administrator into performing an action, the malicious JavaScript executes, making it possible for the attacker to create new admin users, redirect victims, or engage in other harmful attacks.

Props to Bassem Essam who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $563.00 for this discovery during our Bug Bounty Program Extravaganza.

All Wordfence users are protected against any exploits targeting this vulnerability by the Wordfence firewall’s built-in Cross-Site Scripting protection.

Wordfence contacted the Yoast team on April 23, 2024, and received a response on the same day. After providing full disclosure details, the developer released a patch on April 30, 2024. We would like to commend the Yoast team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of Yoast SEO, which is version 22.6, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2024/05/563-bounty-awarded-for-reflected-cross-site-scripting-vulnerability-patched-in-yoast-seo-wordpress-plugin

Unauthenticated Arbitrary Post Deletion Vulnerability Patched in LeadConnector WordPress Plugin

On February 8th, 2024, during the second Wordfence Bug Bounty Extravaganza, a submission was received for an Arbitrary Post Deletion vulnerability in LeadConnector, a WordPress plugin with more than 20,000 active installations. This vulnerability could be used by unauthenticated attackers to delete arbitrary posts or pages.

Props to Krzysztof Zając who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $197.00 for this discovery during our Bug Bounty Program Extravaganza.

Wordfence Premium, Wordfence Care, and Wordfence Response users received a firewall rule to protect against any exploits targeting this vulnerability on February 9, 2024. Sites using the free version of Wordfence received the same protection on March 10, 2024.

Wordfence contacted the LeadConnector Team on February 8, 2024. After not receiving a reply, Wordfence escalated the issue to the WordPress.org Security Team on March 8, 2024. After that, the developer released a patch on April 23, 2024.

We urge users to update their sites with the latest patched version of LeadConnector, which is version 1.8, as soon as possible.

Source and more details: https://www.wordfence.com/blog/2024/04/197-bounty-awarded-for-unauthenticated-arbitrary-post-deletion-vulnerability-patched-in-leadconnector-wordpress-plugin/

Arbitrary Options Update Vulnerability Patched in WP Datepicker WordPress Plugin

On April 14th, 2024, during the Wordfence Bug Bounty Extravaganza, a submission was received for an Arbitrary Options Update vulnerability in WP Datepicker, a WordPress plugin with more than 10,000 active installations. This vulnerability could be used by authenticated attackers, with subscriber-level access and above, to update arbitrary options which can easily be leveraged for privilege escalation.
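Both this item and the Login/Signup Popup item above describe the same bug class: a settings handler reachable by any logged-in user that writes whatever option name and value the request carries. As an added example (not code from WP Datepicker, Login/Signup Popup or Wordfence), the hypothetical admin-ajax handler below shows that pattern next to a hardened version; the action names, option names and nonce action are assumptions for illustration.

```php
<?php
// Added example, not either plugin's own code. Names are assumptions.

// --- Vulnerable pattern --------------------------------------------------------
// wp_ajax_* hooks are reachable by every authenticated user (subscriber and up),
// and here both the option name and its value come straight from the request,
// so any row in wp_options can be rewritten, not just the plugin's own settings.
function myplugin_save_settings_vulnerable() {
    update_option( $_POST['name'], $_POST['value'] );
    wp_send_json_success();
}
add_action( 'wp_ajax_myplugin_save_settings_vulnerable', 'myplugin_save_settings_vulnerable' );

// --- Hardened pattern ----------------------------------------------------------
// 1. capability check: only users allowed to manage options get past this line;
// 2. nonce check: stops an administrator being CSRF'd into the request;
// 3. allowlist: the handler only ever touches its own option names, so the
//    request cannot reach core options that control registration or user roles;
// 4. per-option sanitisation before anything is written.
function myplugin_save_settings_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'myplugin_settings', 'nonce' );

    // option name => sanitiser callback
    $allowed = array(
        'myplugin_popup_enabled' => 'rest_sanitize_boolean',
        'myplugin_popup_title'   => 'sanitize_text_field',
    );

    $name = isset( $_POST['name'] ) ? sanitize_key( $_POST['name'] ) : '';
    if ( ! isset( $allowed[ $name ] ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    $value = isset( $_POST['value'] ) ? wp_unslash( $_POST['value'] ) : '';
    update_option( $name, call_user_func( $allowed[ $name ], $value ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_myplugin_save_settings_hardened', 'myplugin_save_settings_hardened' );
```

When reviewing a plugin for this class, the allowlist is the check that matters most: a capability check alone still lets a compromised administrator session rewrite core options, and a nonce alone still lets a subscriber with a valid nonce pick any option name.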

Props to Lucio Sá who discovered and responsibly reported this vulnerability through the Wordfence Bug Bounty Program. This researcher earned a bounty of $493.00 for this discovery during our Bug Bounty Program Extravaganza.

Paid Wordfence users received a firewall rule to protect against any exploits targeting this vulnerability on April 16, 2024. Sites using the free version of Wordfence will receive the same protection 30 days later on May 16, 2024.

Wordfence contacted the developer Fahad Mahmood on April 16, 2024, and received a response on the same day. Wordfence provided full disclosure details the next day, and the developer released a first patch that same day. A fully patched version, 2.1.1, was released on April 19, 2024. We would like to commend Fahad Mahmood for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of WP Datepicker, which is version 2.1.1, as soon as possible.

Over 300,000 WordPress Websites Affected by Critical Forminator Plugin Vulnerability

The Forminator plugin for WordPress, utilized by over 500,000 sites, has a vulnerability that could let attackers upload files to the server without restrictions.

Developed by WPMU DEV, Forminator is a customizable tool for creating contact forms, surveys, quizzes, feedback forms, polls, and payment forms on WordPress. It features drag-and-drop functionality and integrates with many third-party services.

On Thursday, Japan’s Computer Emergency Response Team (CERT) issued a warning through its vulnerability notes portal (JVN) about a critical security issue in Forminator, known as CVE-2024-28890 (CVSS v3: 9.8). This flaw could let remote attackers upload malware to WordPress sites using the plugin.

According to the JVN, a remote attacker could gain sensitive information by accessing server files, moderating a site using the plugin, or causing a denial-of-service (DoS) incident.

JPCERT’s security bulletin lists three specific vulnerabilities in Forminator:

  • CVE-2024-28890 – Insufficient file validation during uploads allows remote attackers to upload and run malicious files on the server. This affects Forminator 1.29.0 and earlier.
  • CVE-2024-31077 – An SQL injection flaw enabling remote attackers with admin privileges to execute arbitrary SQL queries in the site’s database. This impacts Forminator 1.29.3 and earlier.
  • CVE-2024-31857 – A cross-site scripting (XSS) flaw allowing attackers to inject HTML and script code into a user’s browser by tricking them into clicking on a crafted link. This affects Forminator 1.15.4 and older.
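The first item in the list, insufficient file validation during uploads, is the one that lets a form submission place an executable file on the server. As an added example (not Forminator's own code and not taken from the JVN advisory), the hypothetical form upload handler below contrasts a handler that trusts the client-supplied name with one that validates extension and content against an allowlist using WordPress's own helpers; the function names, size cap and allowed types are assumptions for illustration.

```php
<?php
// Added example, not Forminator's own code. Names and limits are assumptions.
// Both functions take one entry of the $_FILES array.

// --- Vulnerable pattern --------------------------------------------------------
// Keeps the client's filename and writes under the web-served uploads directory:
// a file with a server-side script extension becomes executable by URL.
function myform_handle_upload_vulnerable( array $file ) {
    $target = wp_upload_dir()['path'] . '/' . basename( $file['name'] );
    move_uploaded_file( $file['tmp_name'], $target );
    return $target;
}

// --- Hardened pattern ----------------------------------------------------------
function myform_handle_upload_hardened( array $file ) {
    // 1. Explicit allowlist of what this form actually needs (extension => MIME).
    $allowed_mimes = array(
        'jpg|jpeg' => 'image/jpeg',
        'png'      => 'image/png',
        'pdf'      => 'application/pdf',
    );

    // 2. Reject failed uploads and enforce a size cap independent of php.ini.
    if ( UPLOAD_ERR_OK !== $file['error'] || $file['size'] > 5 * 1024 * 1024 ) {
        return new WP_Error( 'upload_rejected', 'Upload failed or file too large.' );
    }

    // 3. Check the extension and the file content together, not the client's
    //    Content-Type. wp_check_filetype_and_ext() returns false for 'ext' and
    //    'type' when the name and the bytes do not agree with the allowlist.
    $check = wp_check_filetype_and_ext( $file['tmp_name'], $file['name'], $allowed_mimes );
    if ( empty( $check['ext'] ) || empty( $check['type'] ) ) {
        return new WP_Error( 'upload_rejected', 'File type not allowed.' );
    }

    // 4. Never keep the client's filename: build one from the verified extension
    //    so double extensions and path characters cannot survive.
    $file['name'] = wp_generate_password( 16, false ) . '.' . $check['ext'];

    // 5. Let WordPress move the file, with the allowlist enforced a second time.
    $result = wp_handle_upload(
        $file,
        array(
            'test_form' => false,
            'mimes'     => $allowed_mimes,
        )
    );
    if ( isset( $result['error'] ) ) {
        return new WP_Error( 'upload_rejected', $result['error'] );
    }
    return $result['file']; // absolute path of the stored file
}
```

Even with this validation in place, the uploads directory should be configured at the web server so that nothing in it is executed as a script; that second layer is what limits the damage when a validation bug like the one listed above slips through.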

Site administrators using the Forminator plugin are advised to update to version 1.29.3 or later to mitigate all three vulnerabilities.

According to WordPress.org, since the security update was released on April 8, 2024, about 180,000 site admins have downloaded the plugin, implying that about 320,000 sites could still be vulnerable.

At the time of writing, there have been no public reports of active exploitation of CVE-2024-28890. However, the flaw’s high severity and low exploitation complexity pose a significant risk for those who delay updating the plugin.

To reduce the risk of attacks on WordPress sites, administrators should minimize the use of plugins, ensure they’re always updated, and deactivate those not actively in use.

Source: https://blog.wpsec.com/over-300000-wordpress-websites-affected-by-critical-forminator-plugin-vulnerability