The WordPress 5.2.3 Security Release Unpacked

WordPress core version 5.2.3 has just been released. This is a security release which contains several fixes. I’m going to detail each of them below and unpack what each fix means and add any additional info that may be relevant.

Seven of the eight vulnerabilities fixed in this release are cross site scripting (XSS) vulnerabilities. Wordfence includes robust XSS protection in our free and Premium versions which will prevent exploitation of these vulnerabilities. The eighth is an open redirect vulnerability our team is monitoring to determine impact.

WordPress 5.2.3 Security Updates by the Numbers

This release contains eight security fixes which include seven XSS vulnerabilities and an open redirect. As a reminder, an XSS vulnerability is code that allows an attacker to send malicious output to a victim when they visit a website. This can happen because an attacker caused the site to store malicious data which is displayed later to a victim visitor (a stored XSS) or it can happen when an attacker crafts a link that displays malicious code when a victim visits that URL on a website (a reflected XSS).

If you’d like to go deep on cross site scripting (XSS), then visit our learning center article which explains exactly how cross site scripting vulnerabilities are created in PHP code.

This release arrived yesterday evening, so we are expecting full details of each of these vulnerabilities to be released by the researchers some time after the core release. This follows standard disclosure policy and gives WordPress users time to upgrade. In the meantime we will describe what we know about each vulnerability.

1. Cross Site Scripting in Post Previews by Contributors

This is a stored XSS. In examining a diff of the code changes, it appears that there was a stored XSS in the post-status field. That is, the field that stores the current status of a WordPress post. That field does not use a fixed list of possible values like a MySQL ‘enum’ data type, but rather reads the text value of the drop-down list and uses that.

This allows an attacker to create their own value for post-status and use that in a cross site scripting attack.

This is what the code diff looks like in post.js where the fix was implemented:

The attack vector in this case is that a contributor may be able to inject malicious code into post-status, which would then be viewed by a site admin with much higher privileges. That code would be executed by the admin with their privileges and the contributor, who is actually an attacker, would gain admin privileges by using the admin’s permissions to perform various actions.
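The difference between a free-text status label and a fixed list of statuses, as an added illustration (my own code, not the post.js from WordPress core). The status table, the markup and the tampered sample value are all assumptions made for the example.

```javascript
// Added example: why a free-text post-status label is a stored XSS sink and
// the allow-list plus escaping pattern that closes it. Not WordPress code.

// Fixed vocabulary of statuses, playing the role of the MySQL 'enum' the post
// mentions. Keys are the machine values; values are the labels the UI shows.
const POST_STATUS_LABELS = Object.freeze({
  publish: 'Published',
  pending: 'Pending Review',
  draft: 'Draft',
  future: 'Scheduled',
  private: 'Private',
});

// Minimal HTML escaping for text placed inside element content.
function escapeHtml(s) {
  return String(s).replace(/[&<>"']/g, (c) => ({
    '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;',
  })[c]);
}

// True only for a status key we actually know about. hasOwnProperty is used
// so inherited names such as "constructor" are not treated as statuses.
function isKnownStatus(value) {
  return Object.prototype.hasOwnProperty.call(POST_STATUS_LABELS, value);
}

// Vulnerable pattern: whatever text was submitted as the status (think of the
// text of a drop-down option that a low-privilege user tampered with) is
// written straight into markup that an editor or admin later renders.
function renderStatusVulnerable(submittedStatusText) {
  return '<span class="post-status">' + submittedStatusText + '</span>';
}

// Hardened pattern: the submitted value must be one of the known keys; the
// label shown comes from our own table and is escaped anyway, so a later edit
// to the table cannot reopen the hole. Unknown input falls back to a safe
// default instead of being echoed back to the page.
function renderStatusHardened(submittedStatus) {
  const key = isKnownStatus(submittedStatus) ? submittedStatus : 'draft';
  return '<span class="post-status" data-status="' + key + '">' +
    escapeHtml(POST_STATUS_LABELS[key]) + '</span>';
}

// Constructed sample: a value no legitimate drop-down would ever produce.
// Plain bold markup is enough to show that HTML reaches the page unescaped.
const TAMPERED_STATUS = 'Draft<b>tampered</b>';
```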

Our team also speculates that this may be exploitable via malicious language packs, although we have not verified that attack vector.

This vulnerability was discovered by Simon Scannell of RIPS Tech.

2. Cross Site Scripting Vulnerability in Stored Comments

This appears to be a stored XSS and the announcement doesn’t provide any caveats with regards to user permissions. This is worrying because it suggests there is a stored XSS that affects the WordPress commenting system. This alone should strongly encourage users to upgrade ASAP.

The attack vector here would be an attacker posting a comment on a WordPress site and then someone with higher privileges like an admin viewing or moderating the comments and having code executed in their browser which could create a new admin user for the attacker.

This was also reported by Simon Scannell of RIPS.

3. Validation and Sanitization of a URL Leads to Open Redirect

An open redirect vulnerability is one that is often used in phishing campaigns. The vulnerability occurs when a website gives external users the ability to craft URLs that will redirect a visitor from the vulnerable website to any other URL.

In phishing attacks, an attacker will email a victim with the goal of getting them to click on a link. The link is to a trusted website which the victim recognizes. The victim clicks on the link and one of several scenarios plays out.

In a first scenario, the victim is taken directly to a malicious website where a vulnerability in their browser may be exploited.

In a second scenario, the victim may be asked to sign in to the legitimate website and is then directed to a malicious website where they may be asked to reenter their credentials. They may, for example, see a failed login screen and not realize they have been redirected. At this point their credentials are stolen.

In a third scenario, a victim may be redirected to a spam website after they clicked a link that was a URL to a trusted website with an open redirect.

There are many ways for attackers to exploit an open redirect and the severity of this vulnerability type should not be underestimated.

This vulnerability was disclosed by Tim Coen.

4. Reflected Cross Site Scripting During Media Uploads

This is another XSS which occurs during media uploads. In this case a user with lower privileges will upload media to the WordPress site which includes malicious code. This code would then be executed in the context of another user’s browser – and that user would have higher privileges.

In examining the code diff, it appears that until now, if you could jam an XSS payload into a media upload filename, this would result in an XSS. WordPress 5.2.3 no longer allows that attack vector.

This vulnerability was disclosed by Anshul Jain.

5. XSS in Shortcode Previews

Another XSS was fixed in the shortcode preview system. This vulnerability would allow a malicious user with lower privileges to inject code in a shortcode that, when previewed, would be executed in another user’s browser. If that user has higher privileges then the attacker may be able to perform actions as that user.

This vulnerability was discovered by Zhouyuan Yang.

6. XSS in the WordPress Dashboard

Ian Dunn from the WordPress Core security team discovered an XSS vulnerability in the WordPress dashboard. This vulnerability is a reflected XSS, which means that the malicious data is not stored, but rather is reflected back to the victim by the site in response to a request the attacker crafted. An example of this is an attacker crafting a malicious link to the WordPress dashboard which causes their attack code to be executed in the browser context of the victim who opens it.

Full details of this vulnerability are not available yet, but what may be feasible here is for an attacker to provide a victim with a link to their own WordPress site dashboard. When the victim clicks the link, they visit their own site dashboard and actually execute malicious code, thereby granting the attacker access to their site. The malicious code may create an admin account, modify site content or perform other nefarious actions.

7. URL Sanitization XSS

Soroush Dalili from NCC Group disclosed an XSS vulnerability caused by URLs not being sanitized correctly.

8. jQuery Updated in Older WP Versions to Fix an XSS

jQuery is a JavaScript library used extensively by WordPress core, plugins and themes. A cross site scripting vulnerability was discovered in jQuery.extend and was fixed in jQuery 3.4.0.

WordPress uses its own WP-specific version of jQuery. The fix from jQuery 3.4.0, which is detailed in the changelog on the jQuery site, was backported into the WordPress version of jQuery. That version is listed as jQuery v1.12.4 in the source code comments, and the WordPress jQuery code was updated without incrementing that version number.

Additional Notes

Change in edit-form-blocks.php

We also noticed a change in /wp-admin/edit-form-blocks.php which has switched from using file_exists() to is_file() in a conditional statement. Here is the diff:

When PHP is configured with “allow_url_fopen=On”, certain versions of PHP will allow the file_exists() function to be called on a URL and fetch it, whereas is_file() only accepts a local path. So this may also be part of a security fix or improvement.

Change in wp-sanitize.js

We noticed that this sanitization routine now includes recursion which will continue to sanitize text until the text no longer changes. It also uses textarea.textContent instead of textarea.innerHTML in the new version. Here is the diff:
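The fixed-point behaviour described above, as an added example (my own code, not the wp-sanitize.js from WordPress core). The regular expressions, the pass limit and the nested sample input are assumptions made for the example; the DOM textarea step is not reproduced here.

```javascript
// Added example: a tag stripper run once versus run until the text stops
// changing. Not WordPress code; written to show why the loop matters.

// One pass of tag removal: HTML comments, script/style elements with their
// contents, then any remaining tag. An unterminated tag is removed to the
// end of the input so a trailing "<b" cannot survive.
function stripTagsOnce(text) {
  return String(text || '')
    .replace(/<!--[\s\S]*?(-->|$)/g, '')
    .replace(/<(script|style)[^>]*>[\s\S]*?(<\/\1>|$)/gi, '')
    .replace(/<\/?[a-z][\s\S]*?(>|$)/gi, '');
}

// Repeat until a pass changes nothing. Removing an inner tag can splice the
// characters around it into a new tag that a single pass never sees.
// Returns the text and the number of passes so a caller can see how much
// work the input needed; maxPasses is an assumed guard for pathological input.
function stripTagsFixedPoint(text, maxPasses = 32) {
  let current = String(text || '');
  for (let pass = 1; pass <= maxPasses; pass++) {
    const next = stripTagsOnce(current);
    if (next === current) {
      return { text: next, passes: pass, truncated: false };
    }
    current = next;
  }
  // Give up rather than loop forever, and say so to the caller.
  return { text: current, passes: maxPasses, truncated: true };
}

// Constructed sample: the inner <b> and </b> are harmless on their own, but
// removing them assembles a script element out of the surrounding characters.
const NESTED_SAMPLE = '<<b>script>x<</b>/script>';

function demo() {
  return {
    once: stripTagsOnce(NESTED_SAMPLE),        // '<script>x</script>'
    fixed: stripTagsFixedPoint(NESTED_SAMPLE), // { text: '', passes: 3, ... }
  };
}
```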

What to do Next

At the risk of stating the obvious, update as soon as possible. This is a minor WordPress release, which means that most sites will automatically update.

If you’re running a high traffic production website with a dev/staging/production workflow involving a QA team, you probably need to run 5.2.3 on staging, let your QA team pound on it and then once they have worked through any issues, push to production. This takes time, but considering these vulnerabilities, I would recommend prioritizing this release over other projects.

The researchers who contributed these vulnerabilities to the core dev team will likely be releasing full details of each vulnerability fairly soon now that the core release is out. My guess is that the more professional researchers will release details in a week or two and others may release sooner. Once the details are out, these vulnerabilities are fully exploitable by anyone.

However, it’s worth noting that these vulnerabilities may become exploitable before details are released. The data released so far paints a bullseye on several areas of code in WordPress core, and by looking at a code diff, attackers can reverse engineer these vulnerabilities and develop exploit code themselves. For this reason, I strongly recommend that you update to 5.2.3 as soon as possible if you aren’t automatically updated.

In Closing

We’d like to congratulate the researchers who contributed fixes to WordPress core and express our appreciation to them for following responsible disclosure guidelines. Also thanks to the WP core team for implementing these fixes and helping keep the WordPress community safe.

You can find the official announcement of the WP 5.2.3 release on this page. If you have any questions or comments, please don’t hesitate to post them below and we’ll do our best to answer them in a timely manner. If you are one of the researchers whose work is included above and would like to provide additional detail or corrections, we welcome your comments.

Mark Maunder.

The post The WordPress 5.2.3 Security Release Unpacked appeared first on Wordfence.

Introducing the Wordfence Login Security Plugin

Today we are excited to announce the release of a brand new plugin: Wordfence Login Security. This plugin is completely standalone, and you don’t need to install the full version of Wordfence to take advantage of the specific security features included in it.

Wordfence Login Security is designed by our team to secure your login and authentication system. It’s worth noting that this plugin does not include the firewall, malware scanner and other features that the full Wordfence plugin comes with.

If you already have an alternative firewall solution in place and are covered for malware scanning, then this plugin is perfect for you because it secures your login system against several dangerous and targeted attacks.

Wordfence Login Security includes the following features:

  • It provides robust two-factor authentication that is not vulnerable to cellphone SIM porting attacks.
  • It includes a login page CAPTCHA that protects you from sophisticated credential stuffing attacks that use a wide range of IP addresses.
  • It also includes XML-RPC protection.

These features are also included in the full Wordfence plugin. So if you are using Wordfence already, you don’t need to install this new plugin. You can learn more about how these features are available in Wordfence by checking out last week’s announcement post.

Why did we do this?

Over the last year we have spent a lot of time talking to WordPress users. One thing we learned, from larger companies especially, is that everyone’s situation is different. And that even means (gasp!) that some people can’t or don’t run Wordfence on some of their sites. The reasons vary, but in most cases there are many features they could benefit from using.

With that in mind, when we decided to completely rewrite our two-factor authentication feature we decided to also release it as a separate plugin. Our hope is that by making sets of related features available in “modular” plugins like this, more websites will benefit from Wordfence protection. Our goal, after all, is to make the web safer. The more sites we can keep safe the better.

Do I need both plugins?

In a word, no. Wordfence Login Security and the full Wordfence plugin share the same code for these features. If you already have the full Wordfence plugin installed you already have all of the features available in Wordfence Login Security. If you try to install Wordfence Login Security, nothing will change.

Can I install the full Wordfence plugin if I have Wordfence Login Security installed?

Wordfence Login Security and Wordfence are built to play nicely together. They integrate seamlessly. If you are using Wordfence Login Security and then install the full version of Wordfence, all of your settings are preserved.

Once you install the full version of Wordfence, a new ‘Wordfence’ section will be added to your menu. The settings for Wordfence Login Security will appear in this area as one of the security features available to you.

Again, all your settings are preserved and you can continue knowing your site has the additional features that Wordfence includes like our firewall and malware scanner.

Do I need to upgrade to Premium to use Wordfence Login Security?

This plugin is free and you do not need to pay to use it. In addition, the features that are included in Wordfence Login Security are also available in the free version of the full Wordfence plugin.

The Wordfence team is committed to making the Web a safer place. We wanted to make these essential security features available to absolutely every WordPress site owner and user at no cost. We also built the plugin to be as widely compatible as possible so that there is no barrier to entry when it comes to securing your website against credential stuffing attacks and other attacks targeting your login system.

What’s next for Wordfence Login Security?

Our team spent the past year developing and testing Wordfence Login Security, taking the plugin through a rigorous QA process that ensures it is widely compatible, rock solid and ready for production. We have also performed a comprehensive security audit on it to ensure that there are no loopholes or issues that an attacker can exploit.

At this point, Wordfence Login Security is an extremely stable and robust security solution for your WordPress authentication system. Our intention is to set the standard for WordPress two-factor authentication with this product.

Our next steps are to listen to the community feedback while providing excellent support for our customers. This will help guide the product direction and our development team.

If you are not currently using the full version of Wordfence, we hope you will at the very least install Wordfence Login Security to protect your WordPress authentication system. Our team is installing this plugin on their own sites – in fact many have been running the beta version for months.

Wordfence Login Security is a huge step forward in helping secure WordPress and we hope you will help spread the word in the community that this plugin is available, completely free, and does an excellent job of improving the security posture of a WordPress website.

Regards,

Mark Maunder
Wordfence/Defiant Founder and CEO

Podcast Episode 16: Cami Kaos talks WordCamps, Meetups and Community

If you’ve ever attended a WordCamp or a WordPress meetup in the last 6 years, that community experience was based on the guidance and support from WordCamp Central and Community Manager Cami Kaos. Cami is the primary contact for the 150 WordCamps and over 600 WordPress meetups taking place around the world this year. Her efforts ensure that the volunteers contributing to community events have what they need to succeed. Cami shares her thoughts on getting started with WordPress meetups and WordCamps, challenges facing the growing community, and how to get involved.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

You can find me on Twitter as @mmaunder and Cami Kaos as @CamiKaos. You can learn more about getting involved with the WordPress community on make.wordpress.org. Please don’t hesitate to post your feedback in the comments below.

Podcast Episode 14: Interview with Trauma Surgeon and Plugin Dev Andy Fragen

Dr. Andy Fragen is a trauma/acute care surgeon as well as a prolific WordPress plugin author. One of his plugins, GitHub Updater, allows you to host WordPress plugins and themes on GitHub instead of WordPress.org. Andy supports numerous WordCamps and is an active member of the WordPress community in southern California. I had the pleasure of talking with Andy at WordCamp Orange County. He’s a fascinating person and I really think you’ll enjoy our conversation.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

You can find me on Twitter as @mmaunder and Dr. Andy Fragen as @andyfragen. Please don’t hesitate to post your feedback in the comments below.

Podcast Episode 9: The Jon Brown Interview and Vulnerabilities, The Dark Web, Scams, Oh My!

We cover quite a few news stories this week, including two plugins requiring immediate updating due to disclosed vulnerabilities, what we can expect from WordPress version 5.2 and a dark web marketplace that appears to have exit scammed users. We follow up on Google Sensorvault, a great interview with Richard Stallman about Facebook and JetBlue’s use of facial recognition technology. We take a look at GoDaddy’s removal of 15,000 spam subdomains, the Docker breach and Slack’s upcoming IPO and their dire warning to investors.

This week, I chat with Jon Brown, CEO of 9seeds, a digital agency. We chatted at Chris and Katie Bayer’s Black Mountain Coffee Roastery in Idyllwild, California. Jon and I talk about running an agency, remote work, being a digital nomad and of course, WordPress. We had a great conversation, and I think you’ll enjoy it.

Here are approximate timestamps in case you want to jump around:
1:15 WordPress plugin WooCommerce Checkout Manager vulnerabilities
3:40 Buddy Press vulnerabilities disclosed
4:42 WordPress 5.2 expected release
9:27 Dark web marketplace exit scammed
12:20 Congress asking questions about Google Sensorvault
14:39 Richard Stallman on Facebook
21:10 JetBlue facial recognition
26:17 GoDaddy spammy subdomain
29:25 IoT devices with P2P component flaws vulnerable
32:12 Docker breach
37:33 The Slack pre-IPO SEC disclosure
41:39 The Jon Brown Interview

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast.

This week in the news we cover:

You can find me on Twitter as @mmaunder and Kathy as @kathyzant, and Jon Brown at @jb510 or at 9seeds.com. Please don’t hesitate to post your feedback in the comments below.

Podcast Episode 7: The Tyler Lau Interview, Assange, Thought Experiments, AirBnB Scams and More

This week we look at the Assange arrest, an irresponsible security researcher affecting the WordPress community and do a bit of a thought experiment. We also look at Google’s Sensorvault and how it’s being used by law enforcement, the fascinating rise and fall of the Bayrob malware gang, and some tips for avoiding a new AirBnB scam. I also talked to Tyler Lau at WordCamp Phoenix last month, and we share that interview with you today. Tyler is the Social Community Manager at Sandhills Development. Sandhills makes some very popular plugins including Easy Digital Downloads and AffiliateWP. We talked about the WordPress community, WordPress in general and some of the cool things that Sandhills is involved in. Enjoy!

Here are approximate timestamps in case you want to jump around:
0:51 Assange taken into custody
20:27 Irresponsible security researcher
30:50 Google Sensorvault
35:14 Bayrob malware gang
43:07 Land Lordz service powering AirBnB scams
49:57 Tyler Lau interview

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast.

This week in the news we cover:

  • Julian Assange is taken into custody after seven years in the Ecuadorian embassy in London. The US Department of Justice is charging him with conspiracy to commit computer intrusion for agreeing to break a password to a classified U.S. government computer.
  • Ars Technica publishes details about the rogue security researcher with a grudge dropping 0days on innocent WordPress users. We’ve covered this irresponsible researcher on past episodes. Mark had a bit of a Tweet storm about this over the weekend. Here’s the link to the WordPress HackerOne bug bounty program.
  • Google’s sensorvault, a database of location records from hundreds of millions of devices, is being used by law enforcement.
  • A fascinating story about the Bayrob malware gang from Romania gives a detailed look at who makes money from malware, their expertise, and ultimately how they were caught.
  • Scammers use a new tool called Land Lordz to automate fake AirBnB scams, but there are ways to detect this scam and stay safe.

You can find me on Twitter as @mmaunder, Kathy as @kathyzant, and Tyler Lau as @tylermaximuslau. Please don’t hesitate to post your feedback in the comments below.

Podcast Episode 3: The Cory Miller Interview and Active Exploits Target Easy WP SMTP Plugin

Welcome to Think Like a Hacker, Episode 3. In this episode Mikey Veenstra, a threat analyst at Wordfence, discusses an active exploit in the Easy WP SMTP plugin. This is breaking news which we added to the podcast at the very last minute.

We also chat with Cory Miller, the founder and former CEO of iThemes about how he created his business, why he sold to Liquid Web, what it’s like being an entrepreneur and much more. You can find Cory on Twitter at @corymiller303. And as always we cover the news with Kathy Zant.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast.

This week in the news we cover:

You can find me on Twitter as @mmaunder, Kathy as @kathyzant, and Mikey as @heyitsmikeyv. Please don’t hesitate to post your feedback in the comments below.

Podcast Episode 2: Mikey Veenstra Talks XSS Vulnerability + The Adam Warner Interview

Welcome to Think Like a Hacker, Episode 2. In this episode Mikey Veenstra, a threat analyst at Wordfence, discusses a serious XSS vulnerability in an abandoned cart plugin. We also chat with Adam Warner, a well known figure in the WordPress community. In our interview we chat about Adam’s personal WordPress journey, community engagement success and the future of WordPress. You can find Adam on Twitter at @wpmodder. And as always we cover the news with Kathy Zant.

Find us on iTunes, Spotify, YouTube, SoundCloud, TuneIn and Stitcher. More platforms coming soon!

Click here to download an MP3 version of this podcast.

This week in the news we cover:

  • The web just took a big step toward a password-free future with WebAuthn. The Worldwide Web Consortium approved the WebAuthn standard on March 4. We look at how it works, why this is important, and what it means for WordPress.
  • A marketing company left a massive database of detailed marketing data exposed. Security researchers discovered the database, including a trove of personally identifiable information about over 800 million people.
  • Researchers have discovered a collection of MongoDBs containing information collected by China about their citizens from a variety of platforms, tied to individual profiles and distributed to police across the country.
  • It’s been 30 years of the web, and Sir Tim Berners-Lee wrote a blog post about the state of the web and some thoughts on where we’re going next.

You can find me on Twitter as @mmaunder, Kathy as @kathyzant, and Mikey as @heyitsmikeyv. Please don’t hesitate to post your feedback in the comments below.

Think Like a Hacker Podcast Episode 1: An Interview with Josepha Haden

Josepha Haden is the Executive Director of the WordPress project at Automattic. She oversees and directs all contributor teams in their work to build and maintain WordPress. Josepha can be found at https://josepha.blog. In our news segment, we talk about recent vulnerabilities in the Freemius library affecting WordPress plugins, the CoinHive shutdown, and why potential changes in WordPress core development will benefit end users’ security and more.

Click here to download an MP3 version of this podcast. Note that we are in the process of syndicating video and audio versions of this podcast to your favorite player, and we needed to publish our first episode to enable syndication. So check back in a few days and you should find us just about everywhere. Thanks for your patience.

This week in the news we cover:

  • WordPress as of version 5.1 now alerts site owners on the dashboard if they’re using an out of date version of PHP.
  • The 2018 hacked site report from GoDaddy Security/Sucuri indicates increased prevalence of WordPress sites in their site cleaning business. In better news, they’re seeing more WordPress sites updated than in years past, and the WordPress sites are being updated much more frequently than eCommerce platforms.
  • Freemius, a library used by a number of plugins with large installation bases, recently experienced a vulnerability disclosure and a challenging experience with a security researcher. Their blog post is a heartening read about how we all can handle security vulnerability disclosures that serve customers and the community as a whole.
  • The widely used Chrome browser requires an update to patch a very serious vulnerability.
  • The WordPress core team is hoping to tighten major release cycles, which would streamline development for contributors as well as encourage more site owners to enable auto-updating.
  • A distributed cryptocurrency mining platform called CoinHive is ceasing operations. CoinHive was popular amongst hackers as a new way to mine cryptocurrency on hacked websites, but the crash in cryptocurrency value made it less profitable.

You can find me on Twitter as @mmaunder and Kathy as @kathyzant. Please don’t hesitate to post your feedback in the comments below.
