WordPress Plugin ‘Social Warfare’ < 3.5.3 XSS

A malicious eval() call is being inserted into the wp_options table, in the row with option_name social_warfare_settings (the plugin's stored settings), inside the Twitter field.

When the plugin is active, the injected code causes the site to issue a JavaScript redirect to porn sites.

Deactivating the plugin disables the redirect, but the malicious eval() is still in the database.

The plugin has been pulled from the WordPress repository.

https://wordpress.org/support/topic/malware-into-new-update/

So far we have seen this exploited on live sites running 3.5.1 and 3.5.2.
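Because the injected eval() sits inside a serialized settings array rather than in a file, a file scanner will not see it. The script below is an added example (not from the advisory or the Social Warfare plugin) that decodes PHP-serialized option values with a small built-in unserialize() reader and reports which key inside the option carries code. The rows it scans are constructed samples; in practice they come from `SELECT option_name, option_value FROM wp_options` (table prefix may differ) or `wp option get social_warfare_settings`.

```python
"""Scan WordPress wp_options rows for PHP/JS code injected into stored settings.

Added example, not from the original advisory or the Social Warfare plugin.
A minimal PHP unserialize() reader lets the scan report the exact key
(for example the Twitter field) that holds the injected code.
"""
import re

# Constructs that have no business inside a plugin's stored settings.
SUSPICIOUS = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13|assert)\s*\(", re.I)


def php_unserialize(data: str):
    """Decode a subset of PHP serialize() output: strings, ints, bools, null, arrays.
    String lengths are byte counts in PHP; this reader assumes ASCII content."""
    pos = 0

    def parse():
        nonlocal pos
        kind = data[pos]
        if kind == "N":               # N;
            pos += 2
            return None
        if kind in "ib":              # i:123;  or  b:1;
            end = data.index(";", pos)
            val = int(data[pos + 2:end])
            pos = end + 1
            return bool(val) if kind == "b" else val
        if kind == "s":               # s:<len>:"<text>";
            colon = data.index(":", pos + 2)
            length = int(data[pos + 2:colon])
            start = colon + 2         # skip :"
            val = data[start:start + length]
            pos = start + length + 2  # skip ";
            return val
        if kind == "a":               # a:<count>:{key;value;...}
            colon = data.index(":", pos + 2)
            count = int(data[pos + 2:colon])
            pos = colon + 2           # skip :{
            out = {}
            for _ in range(count):
                key = parse()
                out[key] = parse()
            pos += 1                  # skip }
            return out
        raise ValueError(f"unsupported serialize type {kind!r} at {pos}")

    return parse()


def find_injected_code(option_name: str, option_value: str):
    """Return (option_name, path, snippet) tuples for values containing code."""
    hits = []

    def walk(value, path):
        if isinstance(value, dict):
            for k, v in value.items():
                walk(v, f"{path}/{k}")
        elif isinstance(value, str) and SUSPICIOUS.search(value):
            hits.append((option_name, path, value[:60]))

    try:
        decoded = php_unserialize(option_value)
    except (ValueError, IndexError):
        decoded = option_value        # plain (unserialized) value: scan as-is
    walk(decoded, option_name)
    return hits


def scan_rows(rows):
    """Scan an iterable of (option_name, option_value) rows."""
    hits = []
    for name, value in rows:
        hits.extend(find_injected_code(name, value))
    return hits


# Constructed sample rows: one clean option and one settings array whose
# Twitter field carries an eval() call (harmless placeholder payload).
INJECTED = '<script>eval("1+1")</script>'
SAMPLE_ROWS = [
    ("siteurl", "https://example.test"),
    ("social_warfare_settings",
     f'a:2:{{s:7:"twitter";s:{len(INJECTED)}:"{INJECTED}";s:8:"facebook";s:0:"";}}'),
]

if __name__ == "__main__":
    for hit in scan_rows(SAMPLE_ROWS):
        print("suspicious:", hit)
```

Deactivating the plugin stops the redirect but leaves the row in place, so the row must be cleaned or deleted as well; re-run the scan afterwards to confirm nothing else in wp_options carries the same pattern.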

Source: https://www.tenable.com/plugins/nessus/159570

See also: https://wpscan.com/vulnerability/9238

Critical Authentication Bypass Vulnerability Patched in SiteGround Security Plugin

On March 10, 2022 the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability they discovered in “SiteGround Security”, a WordPress plugin that is installed on over 400,000 sites. This flaw makes it possible for attackers to gain administrative user access on vulnerable sites when two-factor authentication (2FA) is enabled but not yet configured for an administrator.

A patch was released the next day on March 11, 2022. While the plugin was partially patched immediately, it wasn’t optimally patched until April 7, 2022.

SiteGround Security is a plugin designed to enhance the security of WordPress installations via several features like login security including 2FA, general WordPress hardening, activity monitoring, and more. It’s also worth noting that it comes pre-installed on all SiteGround hosted WordPress sites. Unfortunately, the 2FA functionality of the plugin was insecurely implemented, making it possible for unauthenticated attackers to gain access to privileged accounts.

Source & more details: https://www.wordfence.com/blog/2022/04/critical-authentication-bypass-vulnerability-patched-in-siteground-security-plugin

Questionable URL? Here’s a tool to help.

We recently heard of VirusTotal.com’s FREE web-based web address checker.

Have you received email which looks suspicious or has a link which you’re uncertain about? (This is how phishing often takes advantage of you!)

Right click on the link and copy the link address, then go to https://www.virustotal.com/gui/home/url and paste it in. It’ll return a rating as to whether it’s likely to be malicious or not.

It’s not perfect – I entered a link to an exploit reporting website and six out of 93 reports said it was malicious (it isn’t). But it will definitely give you a better idea as to the trustworthiness of any random URL you receive.

By the way, it works on most shortened URLs too: bit.ly, goo.gl, etc.
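The same lookup can be scripted against VirusTotal's public v3 API, which is useful when checking links in bulk. The code below is an added example (not from the post or from VirusTotal); it assumes an API key in the VT_API_KEY environment variable, uses the v3 convention that a URL is identified by its unpadded URL-safe base64 encoding, and reads the `last_analysis_stats` object from the response. The verdict thresholds are the author's own policy and handle the "six out of 93" case from the post by reporting it for review rather than as malicious.

```python
"""Check a URL's reputation with the VirusTotal v3 API.

Added example, not from the post. Assumes VT_API_KEY holds an API key; the URL
identifier scheme and response layout follow VirusTotal's public v3 API docs.
"""
import base64
import json
import os
import urllib.request

VT_URL_ENDPOINT = "https://www.virustotal.com/api/v3/urls/"


def vt_url_id(url: str) -> str:
    """VirusTotal v3 identifies a URL by its unpadded URL-safe base64 encoding."""
    return base64.urlsafe_b64encode(url.encode("utf-8")).decode("ascii").rstrip("=")


def summarize_stats(stats: dict) -> dict:
    """Turn last_analysis_stats into a verdict; a few 'malicious' votes mean review, not block."""
    flagged = stats.get("malicious", 0) + stats.get("suspicious", 0)
    total = sum(stats.get(k, 0) for k in
                ("harmless", "malicious", "suspicious", "undetected", "timeout"))
    ratio = flagged / total if total else 0.0
    if stats.get("malicious", 0) >= 10 or ratio >= 0.2:   # author's thresholds
        verdict = "malicious"
    elif flagged:
        verdict = "suspicious"   # a handful of engines flagged it, as in the post's 6/93 case
    else:
        verdict = "clean"
    return {"flagged": flagged, "total": total, "verdict": verdict}


def lookup_url(url: str, api_key: str) -> dict:
    """Fetch the existing analysis for url (network call; not exercised offline)."""
    req = urllib.request.Request(VT_URL_ENDPOINT + vt_url_id(url),
                                 headers={"x-apikey": api_key})
    with urllib.request.urlopen(req, timeout=30) as resp:
        body = json.load(resp)
    return summarize_stats(body["data"]["attributes"]["last_analysis_stats"])


# Constructed sample, shaped like a v3 last_analysis_stats object: 6 of 93 engines flag it.
SAMPLE_STATS = {"harmless": 80, "malicious": 6, "suspicious": 0, "undetected": 7, "timeout": 0}

if __name__ == "__main__":
    key = os.environ.get("VT_API_KEY")
    if key:
        print(lookup_url("https://example.com/", key))
    else:
        print("no VT_API_KEY set; sample verdict:", summarize_stats(SAMPLE_STATS))
```

Shortened links are resolved on VirusTotal's side, so the shortened URL itself can be submitted; a lookup that returns 404 means the URL has never been analysed and has to be submitted for scanning first.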

Dangerous new one-click Gmail hack puts your private data at risk

If you need any more reasons to be particularly careful when opening an email attachment, here’s one for you. A new Gmail hack campaign is currently making the rounds, and a single click could be enough to infect your computer and put your data at risk.

Last week, Trustwave senior security researcher Diana Lopera published a blog post about a frightening new email hack campaign. According to Lopera, scammers are sneakily attaching malicious files to emails using file formats that would not normally raise suspicion. They are using this technique to spread the data-stealing Vidar malware.

The emails are short and direct the reader’s attention to the attachment. The attachment in question is often named “request.doc,” but it is really an ISO file. As Lopera explains, ISO is a disk image file format cybercriminals occasionally use to store malware. It might look like a text document, but the ISO actually contains two files. One is a Microsoft Compiled HTML Help (CHM) file named “pss10r.chm” and the other is an executable named “app.exe.”

As you hopefully know by now, never ever open an email attachment from a source you don’t recognize. In fact, even if you do recognize the sender, double-check everything first. There are plenty of scams that involve using similar addresses to convince victims of their legitimacy.
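The disguise described above works because mail clients and users trust the file extension, while the container format is only visible in the file's leading bytes. The script below is an added example (not from the BGR article or Trustwave's write-up) that recognises a few formats by their magic bytes and flags an attachment whose content does not match its name, such as an ISO 9660 image called "request.doc"; the attachment contents are constructed samples.

```python
"""Flag e-mail attachments whose content does not match their file extension.

Added example, not from the BGR article or Trustwave's write-up. Recognises a
few container/executable formats by magic bytes and reports mismatches such as
an ISO 9660 image delivered as "request.doc". Sample data below is constructed.
"""
import os

# (format, offset, signature). ISO 9660 volume descriptors start at 0x8000 with
# the "CD001" identifier one byte in; CHM files open with "ITSF"; Windows
# executables with "MZ"; legacy .doc files are OLE2 compound documents; .docx is a ZIP.
SIGNATURES = [
    ("iso", 0x8001, b"CD001"),
    ("chm", 0, b"ITSF"),
    ("exe", 0, b"MZ"),
    ("doc", 0, b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"),
    ("docx", 0, b"PK\x03\x04"),
]

# Detected formats that are acceptable for a claimed extension.
ALLOWED = {".doc": {"doc"}, ".docx": {"docx"}, ".iso": {"iso"}, ".chm": {"chm"}, ".exe": {"exe"}}
# Formats that warrant quarantine in mail regardless of what they are called.
DANGEROUS = {"iso", "chm", "exe"}


def detect_format(data: bytes):
    """Return the first format whose signature matches, or None."""
    for name, offset, sig in SIGNATURES:
        if data[offset:offset + len(sig)] == sig:
            return name
    return None


def classify_attachment(filename: str, data: bytes) -> dict:
    """Compare the claimed extension with the detected format and decide on quarantine."""
    ext = os.path.splitext(filename)[1].lower()
    actual = detect_format(data)
    expected = ALLOWED.get(ext)
    mismatch = expected is not None and actual is not None and actual not in expected
    return {
        "filename": filename,
        "claimed": ext,
        "actual": actual,
        "mismatch": mismatch,
        "quarantine": mismatch or actual in DANGEROUS,
    }


def fake_iso() -> bytes:
    """Constructed stand-in for an ISO image: empty system area, then a primary
    volume descriptor (type byte 1 followed by 'CD001')."""
    return b"\x00" * 0x8000 + b"\x01CD001\x01" + b"\x00" * 2041


if __name__ == "__main__":
    # Constructed: the lure from the campaign, an ISO named like a Word document.
    print(classify_attachment("request.doc", fake_iso()))
```

A real mail gateway would also open the ISO and apply the same check to the files inside it, which is where the CHM and executable in this campaign would be caught; the signature table here is deliberately short and is easy to extend.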

More details: https://bgr.com/tech/dangerous-new-one-click-gmail-hack-puts-your-private-data-at-risk

Compromised WordPress sites launch DDoS on Ukrainian websites

Threat actors compromised WordPress sites to deploy a script that, when those sites are visited, launches DDoS attacks on Ukrainian websites.

MalwareHunterTeam researchers discovered the malicious script on a compromised WordPress site; when users visited the website, the script launched a DDoS attack against ten Ukrainian sites.

The JavaScript was designed to perform thousands of HTTP GET requests to the targeted sites.

The only sign of the ongoing attack visible to the visitor is a slowdown in browser performance.

According to BleepingComputer, which first reported the discovery, DDoS attacks targeted pro-Ukrainian sites and Ukrainian government agencies, including think tanks, recruitment sites for the International Legion of Defense of Ukraine, and financial sites.

The script randomizes each request so that it cannot be served from a caching service and must reach the origin server.

In an interesting twist, BleepingComputer discovered that the same script is being used by the pro-Ukrainian site to launch attacks against Russian websites.

“When visiting the site, users’ browsers are used to conduct DDoS attacks on 67 Russian websites.” states BleepingComputer.
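From the targeted site's side, this traffic has a recognisable shape: many GET requests from one visitor to the same path within seconds, each with a query string that never repeats. The detector below is an added example (not from the Security Affairs or BleepingComputer reporting) that finds that pattern in a web server access log; it assumes the randomization takes the form of unique query strings, and the log lines it runs on are constructed samples in combined log format.

```python
"""Spot browser-driven HTTP flood traffic in a web server access log.

Added example, not from the reporting above. Assumes the flood script randomizes
requests by appending unique query strings (so caches cannot absorb them) and
flags clients that send many such requests to one path in a short window.
Log lines are constructed samples in combined log format.
"""
import random
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>[^ ?]+)(?:\?(?P<qs>\S*))? HTTP/[\d.]+" '
    r'(?P<status>\d{3}) \S+'
)


def parse_line(line: str):
    """Parse one access-log line into ip, timestamp, path and query string."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return {"ip": m["ip"], "ts": ts, "path": m["path"], "qs": m["qs"] or ""}


def find_flood_sources(lines, window_seconds=10, min_requests=20):
    """Return {(ip, path): peak_count} for clients whose requests to one path,
    inside window_seconds, number at least min_requests and all carry distinct
    query strings: the cache-busting signature of the flood script."""
    buckets = defaultdict(list)   # (ip, path) -> [(ts, qs), ...]
    for line in lines:
        rec = parse_line(line)
        if rec:
            buckets[(rec["ip"], rec["path"])].append((rec["ts"], rec["qs"]))

    flagged = {}
    for key, hits in buckets.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window so it spans at most window_seconds.
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            window = hits[start:end + 1]
            unique_qs = {qs for _, qs in window if qs}
            if len(window) >= min_requests and len(unique_qs) == len(window):
                flagged[key] = max(flagged.get(key, 0), len(window))
    return flagged


def sample_log():
    """Constructed log: one client hammering /index.php with unique query strings
    over a few seconds, plus a normal visitor loading three pages."""
    random.seed(7)
    lines = []
    for i in range(30):
        qs = f"{i:04x}{random.getrandbits(48):012x}"
        lines.append(f'203.0.113.9 - - [31/Mar/2022:10:00:{i // 4:02d} +0000] '
                     f'"GET /index.php?{qs} HTTP/1.1" 200 512 "-" "Mozilla/5.0"')
    for i, path in enumerate(["/", "/about", "/contact"]):
        lines.append(f'198.51.100.4 - - [31/Mar/2022:10:00:{i:02d} +0000] '
                     f'"GET {path} HTTP/1.1" 200 2048 "-" "Mozilla/5.0"')
    return lines


if __name__ == "__main__":
    for (ip, path), count in find_flood_sources(sample_log()).items():
        print(f"flood source {ip} -> {path}: {count} unique-query requests in window")
```

Sites that legitimately append a unique parameter to every request (some analytics setups do) will trip this rule, so tune `min_requests` and restrict it to paths that are normally cacheable; the matching mitigation is to answer such requests with a cached or static response instead of rendering the page.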

Source: https://securityaffairs.co/wordpress/129597/hacking/wordpress-compromsied-sites-ddos-ukraine.html

Reflected XSS in Spam protection, AntiSpam, FireWall by CleanTalk

CleanTalk is a WordPress plugin designed to protect websites from spam comments and registrations. One of the features it includes is the ability to check comments for spam and present the spammy comments for deletion.

Thanks to a quirk of how WordPress processes the page parameter and the default PHP request order, it is possible to use this parameter to perform a reflected cross-site scripting attack, which is almost identical to a vulnerability recently covered by the folks at Wordfence.

The vulnerability can be used to execute JavaScript in the browser of a logged-in administrator, for instance by tricking them into visiting a self-submitting form that sends a POST request to the site at wp-admin/edit-comments.php?page=ct_check_spam, with the $_POST['page'] parameter set to malicious JavaScript.

As with any Cross-Site Scripting vulnerability, executing JavaScript in an administrator’s session can be used to take over a site by adding a new malicious administrator or injecting a backdoor, among other potential methods.

A patched version was released on March 25th and installed on all our clients’ websites the same day.
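The two facts the write-up relies on are that WordPress selects the plugin screen from the query-string `page` value, while PHP's `$_REQUEST`, built in the default request order, lets a POST field overwrite a GET parameter of the same name. The model below is an added example (not CleanTalk's or WordPress's code) written in Python to make that interaction explicit: it shows a renderer that echoes the merged value, beside a hardened one that uses the routed value and escapes it for an attribute context (the WordPress equivalent is `esc_attr()`). The request values are constructed.

```python
"""Model of how a PHP admin page can reflect a POSTed `page` value.

Added example, not CleanTalk's or WordPress's code. Mimics two facts from the
write-up: WordPress routes the admin screen from $_GET['page'], and PHP's
$_REQUEST (default request order) lets POST override GET for the same name.
"""
import html

SCREEN = "ct_check_spam"


def php_request(get: dict, post: dict) -> dict:
    """$_REQUEST with PHP's default ordering: POST values overwrite GET values."""
    merged = dict(get)
    merged.update(post)
    return merged


def route(get: dict):
    """WordPress picks the admin screen from $_GET['page'] only."""
    return get.get("page")


def render_vulnerable(request: dict) -> str:
    # The screen name from $_REQUEST is echoed into markup without escaping,
    # so a POSTed value breaks out of the attribute.
    return f'<input type="hidden" name="page" value="{request["page"]}">'


def render_hardened(get: dict) -> str:
    # Use the same source routing used ($_GET) and escape for an attribute
    # context; an allow-list check against known screens is stricter still.
    if get.get("page") != SCREEN:
        raise ValueError("unexpected screen")
    return f'<input type="hidden" name="page" value="{html.escape(get["page"], quote=True)}">'


def simulate(get: dict, post: dict) -> dict:
    """Return what each renderer emits for one request, if the screen is routed."""
    if route(get) != SCREEN:
        return {"routed": False}
    req = php_request(get, post)
    return {
        "routed": True,
        "vulnerable": render_vulnerable(req),
        "hardened": render_hardened(get),
    }


if __name__ == "__main__":
    # Constructed request: routed via GET, attribute break-out attempted via POST.
    result = simulate({"page": SCREEN}, {"page": '"><b>constructed</b>'})
    print("vulnerable:", result["vulnerable"])
    print("hardened:  ", result["hardened"])
```

The lesson generalises beyond this plugin: any value read from `$_REQUEST` can come from a different source than the one used to make an earlier decision, so read from the specific superglobal and escape on output regardless.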

Increase In Malware Sightings on GoDaddy Managed Hosting

On March 15, 2022, the Wordfence Incident Response team alerted the Wordfence Threat Intelligence team to an increase in infected websites hosted on GoDaddy’s Managed WordPress service, which includes MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe Managed WordPress sites. These affected sites have a nearly identical backdoor prepended to the wp-config.php file. Of the 298 sites that have been newly infected by this backdoor starting 5 days ago on March 11, at least 281 are hosted with GoDaddy.

The backdoor in question has been in use since at least 2015. It generates spammy Google search results and includes resources customized to the infected site. The main backdoor is added to the very beginning of wp-config.php and looks like this:

The encoded file that is downloaded contains a template based on the infected site source code, but with links to pharmaceutical spam added. This spam link template is set to display whenever the site is accessed.

If your site is hosted on GoDaddy’s Managed WordPress platform (which includes MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe Managed WordPress sites), we strongly recommend that you manually check your site’s wp-config.php file, or run a scan with a malware detection solution such as the free Wordfence scanner to ensure that your site is not infected.

If your site is infected you will need to have it cleaned and may also need to remove spam search engine results. 
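A manual check of wp-config.php comes down to one question: is there anything between the opening `<?php` tag and the first `define()` that a stock configuration file would not contain? The script below is an added example (not Wordfence's scanner and not the backdoor) that automates that check and also reports obfuscation and download helpers anywhere in the file; the two file contents it runs on are constructed samples, and the infected one only mimics the shape of a prepended loader.

```python
"""Check a wp-config.php for code prepended ahead of the real configuration.

Added example, not Wordfence's scanner or the backdoor itself. Reads the file,
finds where stock WordPress configuration begins (the first define() or
$table_prefix) and reports any code before it, plus obfuscation or remote-fetch
helpers anywhere in the file. Sample contents are constructed.
"""
import re

EXPECTED_START = re.compile(r"^\s*(define\s*\(|\$table_prefix)", re.M)
# Functions a legitimate configuration file has no reason to call.
OBFUSCATION = re.compile(
    r"\b(eval|base64_decode|gzinflate|gzuncompress|str_rot13|create_function)\s*\(")
# Download-then-use patterns: remote content pulled in from configuration.
REMOTE_FETCH = re.compile(r"\b(file_get_contents|curl_init|fopen)\s*\(\s*['\"]https?://")


def strip_comments(php: str) -> str:
    """Remove block comments and whole-line // or # comments."""
    php = re.sub(r"/\*.*?\*/", "", php, flags=re.S)
    return "\n".join(l for l in php.splitlines() if not l.strip().startswith(("//", "#")))


def inspect_wp_config(source: str) -> dict:
    """Return {'suspicious': bool, 'findings': [...]} for one wp-config.php text."""
    findings = []
    body = source.lstrip()
    if body.startswith("<?php"):
        body = body[len("<?php"):]
    else:
        findings.append("file does not start with <?php (content before the opening tag)")

    m = EXPECTED_START.search(body)
    preamble = body[:m.start()] if m else body
    code_before = strip_comments(preamble).strip()
    if code_before:
        findings.append(f"{len(code_before.splitlines())} line(s) of code before expected configuration")

    for label, pattern in (("obfuscation", OBFUSCATION), ("remote fetch", REMOTE_FETCH)):
        for hit in pattern.finditer(source):
            line_no = source.count("\n", 0, hit.start()) + 1
            findings.append(f"{label} helper {hit.group(1)}() at line {line_no}")

    return {"suspicious": bool(findings), "findings": findings}


# Constructed sample: a stock-looking configuration.
CLEAN = """<?php
/**
 * The base configuration for WordPress
 */
define( 'DB_NAME', 'wp' );
define( 'DB_USER', 'wp' );
$table_prefix = 'wp_';
require_once ABSPATH . 'wp-settings.php';
"""

# Constructed sample: a loader prepended before the stock header (shape only, not a real payload).
INFECTED = """<?php
$tmp = "constructed sample";   // placeholder for an obfuscated string
@eval(base64_decode($tmp));
/**
 * The base configuration for WordPress
 */
define( 'DB_NAME', 'wp' );
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    import sys
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else INFECTED
    for finding in inspect_wp_config(text)["findings"]:
        print("finding:", finding)
```

Run it against every site on the platform (`python check.py /path/to/wp-config.php`), and treat a hit as the start of an investigation rather than the end: the report above says the loader fetches a spam template, so the cleanup also has to cover any files and cron entries the loader created.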

Source: https://www.wordfence.com/blog/2022/03/increase-in-malware-sightings-on-godaddy-managed-hosting

WordPress 5.9.2 Security Update Released – Fixes XSS and Prototype Pollution Vulnerabilities

The WordPress core team released WordPress version 5.9.2 on March 10, which contains security patches for a high-severity vulnerability as well as two medium-severity issues.

The high-severity issue affects versions 5.9.0 and 5.9.1 and allows contributor-level users and above to insert malicious JavaScript into WordPress posts. The Wordfence Threat Intelligence team was able to create a Proof of Concept for this vulnerability fairly quickly and released a firewall rule early on March 11, 2022, to protect WordPress sites that have not yet been updated.

The two medium-severity vulnerabilities impact WordPress versions earlier than 5.9.2 and potentially allow attackers to execute arbitrary JavaScript in a user’s session if they can trick that user into clicking a link, though there are no known practical exploits for these two vulnerabilities affecting WordPress. All versions of WordPress since WordPress 3.7 have also been updated with the fix for these vulnerabilities.

More details:

https://www.wordfence.com/blog/2022/03/wordpress-5-9-2-security-update-fixes-xss-and-prototype-pollution-vulnerabilities