Easily Exploitable Vulnerabilities Patched in WP Database Reset Plugin

On January 7th, our Threat Intelligence team discovered vulnerabilities in WP Database Reset, a WordPress plugin installed on over 80,000 websites. One of these flaws allowed any unauthenticated user to reset any table from the database to the initial WordPress set-up state, while the other flaw allowed any authenticated user, even those with minimal permissions, the ability to grant their account administrative privileges while dropping all other users from the table with a simple request.

These are considered critical security issues that can cause complete site reset and/or takeover. We highly recommend updating to the latest version (3.15) immediately. Wordfence Premium users have been protected from these vulnerabilities since January 8th with a custom firewall rule. Wordfence free users will receive the same protection on January 7th.


Description: Unauthenticated Database Reset
Affected Plugin: WP Database Reset
Affected Versions: <= 3.1
CVE ID: CVE-2020-7048
CVSS Score: 9.1 (Critical)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:H/A:H
Patched Version: 3.15

WP Database Reset is an easy-to-use database reset plugin that lets users reset any database table on their site to the same state as a fresh WordPress install. This is handy for administrators testing their website and for those who want to start over without a complete WordPress re-installation. It is a powerful feature that, if left unprotected, could wreak havoc for site owners, and unfortunately that is exactly what we found in this plugin.

None of the database reset functions in the plugin were protected by capability checks or security nonces. Without those controls, the plugin allowed any unauthenticated user to reset any table in the database, resulting in a complete loss of data availability: an attacker could send a single request and the site would be reset to the WordPress defaults.

Vulnerable version of the plugin code:

public function reset( array $tables ) {
  if ( in_array( 'users', $tables ) ) {
    $this->reset_users = true;
  }

  $this->validate_selected( $tables );
  $this->set_backup();
  $this->reinstall();
  $this->restore_backup();
}

private function validate_selected( array $tables ) {
  if ( ! empty( $tables ) && is_array( $tables ) ) {
    $this->selected = array_flip( $tables );
    // ... (remainder of the snippet omitted in the original)

Revised version of the plugin code with security nonce check and capability check in place:

    public function reset(array $tables)
    {
      // Check the nonce and confirm the current user is an administrator before doing anything
      if (wp_verify_nonce(@$_REQUEST['submit_reset_form'], 'reset_nounce') && current_user_can('administrator')) {
        if (in_array('users', $tables)) {
          $this->reset_users = true;
        }

        $this->validate_selected($tables);
        $this->set_backup();
        $this->reinstall();
        $this->restore_backup();
      } else {
        throw new Exception(__('Please reload the page and try again. Double check your security code.', 'wordpress-database-reset'));
      }
    }

A WordPress database stores all data that makes up the site including posts, pages, users, site options, comments, and more. With a few simple clicks and a couple of seconds, an unauthenticated user could wipe an entire WordPress installation clean if that installation was using a vulnerable version of this plugin.


Description: Privilege Escalation
Affected Plugin: WP Database Reset
Affected Versions: <= 3.1
CVE ID: CVE-2020-7047
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Patched Version: 3.15

To further escalate the previous vulnerability, any user authenticated as a subscriber and above had the ability to reset the wp_users table. Initially, this doesn’t seem too severe. Dropping all users during a database reset may be problematic, but we can always recreate users, right? Unfortunately, this was more complex. Whenever the wp_users table was reset, it dropped all users from the user table, including any administrators, except for the currently logged-in user. The user sending the request would automatically be escalated to administrator, even if they were only a subscriber. That user would also become the only administrator, thus allowing an attacker to fully take over the WordPress site.

private function update_user_settings() {
  global $wpdb;

  // After a users-table reset only the freshly installed administrator (ID 1) remains,
  // so that row is targeted; otherwise the current user's own row is updated.
  $user_id = $this->reset_users ? 1 : $this->user->ID;

  // The requesting user's password hash is written to that account...
  $wpdb->query(
    $wpdb->prepare(
      "UPDATE $wpdb->users
       SET user_pass = '%s', user_activation_key = ''
       WHERE ID = '%d'",
      $this->user->user_pass, $user_id
    )
  );

  // ...and the requesting user is logged in again as that administrator,
  // regardless of the role they held before the reset.
  if ( $this->reset_users ) {
    wp_clear_auth_cookie();
    wp_set_auth_cookie( true );
  }
}

A site owner allowing open registration on a site with a vulnerable version of the WP Database Reset plugin could lose control of their site. Here’s a demonstration of how this exploit would work.


Reminder: Backup Your WordPress Site

This vulnerability is an important reminder that maintaining site backups is a critical part of maintaining the security and availability of your site. Some compromises require professional cleanup or incident response and forensic investigation, and without backups even professional remediation cannot help after a compromise like this. Backups also shorten recovery time in the event of a compromise. We recommend that site owners:

  • Back up regularly at set intervals. Once a week is a good place to start.
  • Back up every time a major change is made to the site.
  • Store backups on a server or device separate from the WordPress installation, so that the backup's integrity can be trusted if the site or its server is compromised.

Disclosure Timeline

January 7th, 2020 – Vulnerability initially discovered and analyzed.
January 8th, 2020 – Full details disclosed to plugin developer and custom firewall rule released to Wordfence Premium users.
January 13th, 2020 – Developer responds and notifies us that a patch will be released the next day.
January 14th, 2020 – Patch released.
January 16th, 2020 – Public disclosure.

Conclusion

In today’s post, we detailed two severe vulnerabilities discovered in the WP Database Reset plugin. These flaws are patched in version 3.15. If you have this plugin installed on your site, we urge you to update immediately.

Sites running Wordfence Premium have been protected from any attacks against these vulnerabilities since January 8th. Free users will receive the same protection on February 7th.

The post Easily Exploitable Vulnerabilities Patched in WP Database Reset Plugin appeared first on Wordfence.

Critical Authentication Bypass Vulnerability in InfiniteWP Client Plugin

Description: Authentication Bypass
Affected Plugin: InfiniteWP Client
Affected Versions: < 1.9.4.5
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Patched Version: 1.9.4.5

A vulnerability has been discovered in the InfiniteWP Client plugin versions 1.9.4.4 or earlier. InfiniteWP Client is a plugin that, when installed on a WordPress site, allows a site owner to manage unlimited WordPress sites from their own server. InfiniteWP Client is currently installed on over 300,000 WordPress sites.

This is a critical authentication bypass vulnerability. A proof of concept was published this morning, January 14, 2020. If you are using InfiniteWP client version 1.9.4.4 or earlier we recommend immediately updating your installation to protect your site.

How the InfiniteWP Client Works

The InfiniteWP Client plugin works by allowing a central management server to authenticate to the WordPress installation so that site owners can manage the site. From a central location, site owners can perform maintenance such as one-click updates for core, plugins, and themes across all sites, backup and site restores, and activating/deactivating plugins and themes on multiple sites simultaneously. The InfiniteWP Client plugin authenticates the central management server to each WordPress installation.

The InfiniteWP Authentication Bypass

The vulnerability disclosed last week is an authentication bypass vulnerability, which could allow an attacker to use the authentication logic in the InfiniteWP Client plugin to authenticate and access the WordPress installation with InfiniteWP installed. An attacker would not need the InfiniteWP server installed to exploit this vulnerability; they could simply craft a request addressing the InfiniteWP logic to log in as any administrative user if they know the username.

Update to Wordfence

Normally the Wordfence threat intelligence team would create a firewall rule and deploy it to existing Wordfence installations. Due to the complexity and severity of this vulnerability, we had to integrate protection for this vulnerability into the Wordfence code base, which required us to release a new version of Wordfence.

On Monday, January 13, 2020, we released Wordfence version 7.4.3, which includes protection against the InfiniteWP Client authentication bypass vulnerability.

Technical Details

Here’s a basic proof of concept request which exploits the vulnerability.

POST / HTTP/1.1
Host: example.org
User-Agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.14; rv:72.0) Gecko/20100101 Firefox/72.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: text/plain
Content-Length: 93

_IWP_JSON_PREFIX_eyJpd3BfYWN0aW9uIjoiYWRkX3NpdGUiLCJwYXJhbXMiOnsidXNlcm5hbWUiOiJhZG1pbiJ9fQ==

The body of the request decodes to {"iwp_action":"add_site","params":{"username":"admin"}}, which instructs the InfiniteWP client to run the add_site action and to log in as the admin user. It requires no authentication and is relatively easy to exploit.

When a site is initially set up with the InfiniteWP client, it needs to connect to the InfiniteWP server software. The InfiniteWP server sends a request to the InfiniteWP client and passes along a public key. The InfiniteWP server holds the corresponding private key, which it uses to sign requests, so subsequent requests from the server to the client can be authenticated by the site by verifying the signature with the public key. The initial request from the InfiniteWP server uses one of two actions, add_site or readd_site. By design, these actions are unauthenticated, since the client does not yet have a public key. Unfortunately, the code is structured so that some features can still be used from these unauthenticated actions; in this case, the InfiniteWP client provides a feature to automatically log in as an administrator without supplying a password.

When a site is initially connected to the InfiniteWP server, the request the server makes to the site actually exploits this vulnerability (unintentionally). This makes it quite difficult to write a WAF rule to protect against this vulnerability, since legitimate and malicious requests can be identical.

We opted to integrate protection for this vulnerability into Wordfence. From within Wordfence, we can determine if the site is already connected to an InfiniteWP server, and prevent the vulnerable code from running if either the add_site or readd_site actions are passed to InfiniteWP client.
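As an added example (not InfiniteWP's or Wordfence's code), the following models the handling described above: parsing the prefixed request body, treating add_site and readd_site as enrolment-only actions that are refused once a public key is already stored, and requiring a valid signature before anything else is honoured. The function names, the params layout and the signature encoding are assumptions; the body format and the add_site payload are the ones quoted above.

```php
<?php
// Added example; not InfiniteWP's or Wordfence's code. Function names, the
// 'public_key' parameter and the signature scheme are assumptions.

const IWP_PREFIX = '_IWP_JSON_PREFIX_';

// Enrolment actions are unauthenticated by design: the client has no key yet.
const IWP_ENROL_ACTIONS = ['add_site', 'readd_site'];

// Parse "_IWP_JSON_PREFIX_<base64 JSON>" into an array, or null if malformed.
function iwp_parse_request(string $body): ?array
{
    if (strncmp($body, IWP_PREFIX, strlen(IWP_PREFIX)) !== 0) {
        return null;
    }
    $json = base64_decode(substr($body, strlen(IWP_PREFIX)), true);
    if ($json === false) {
        return null;
    }
    $req = json_decode($json, true);
    if (!is_array($req) || !isset($req['iwp_action']) || !is_string($req['iwp_action'])) {
        return null;
    }
    return $req;
}

// Classify a request given whether a server public key is already stored.
// 'enrol'  : first contact; only the key exchange itself is accepted
// 'block'  : enrolment action against an already-connected site (the condition
//            Wordfence describes checking), refused before any plugin code runs
// 'verify' : every other action must carry a valid signature to be honoured
function iwp_decide(array $req, ?string $stored_public_key): string
{
    if (in_array($req['iwp_action'], IWP_ENROL_ACTIONS, true)) {
        return $stored_public_key === null ? 'enrol' : 'block';
    }
    return 'verify';
}

// Hardened enrolment: returns the PEM key to store and does nothing else.
// No login happens on this path, so an add_site carrying a "username"
// cannot authenticate anyone.
function iwp_enrol_key(array $req): ?string
{
    $key = $req['params']['public_key'] ?? null;   // assumed parameter name
    return is_string($key) && strpos($key, 'BEGIN PUBLIC KEY') !== false ? $key : null;
}

// Signature check for post-enrolment requests (assumed: RSA over the JSON
// payload with SHA-256, signature sent base64-encoded).
function iwp_signature_valid(string $json, string $sig_b64, string $public_key_pem): bool
{
    $sig = base64_decode($sig_b64, true);
    if ($sig === false) {
        return false;
    }
    return openssl_verify($json, $sig, $public_key_pem, OPENSSL_ALGO_SHA256) === 1;
}

// Constructed sample: the proof-of-concept body quoted above, re-encoded here.
$body = IWP_PREFIX . base64_encode('{"iwp_action":"add_site","params":{"username":"admin"}}');
$req  = iwp_parse_request($body);

// Already-connected site (placeholder key): the request is classified 'block'.
$connected = iwp_decide($req, "-----BEGIN PUBLIC KEY-----\nPLACEHOLDER\n-----END PUBLIC KEY-----");
// Fresh site: classified 'enrol', but it carries no key, so nothing is stored
// and, on this path, nobody is logged in.
$fresh = iwp_decide($req, null);
$key   = iwp_enrol_key($req);
printf("connected=%s fresh=%s key=%s\n", $connected, $fresh, var_export($key, true));
```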

So far, we have not seen evidence of this vulnerability being exploited in the wild, but we expect to see attempts in the near future.

Non-WordPress Firewalls Ineffective

As an additional note, the fix we have implemented for this vulnerability required tight integration with WordPress. Wordfence runs as a WordPress plugin and is therefore able to implement this kind of fix.

As a firewall vendor, our goal is to minimize false positives while blocking attacks. We don’t want to accidentally block legitimate traffic. Due to the nature of this vulnerability, it is extremely difficult to create a firewall rule that blocks attacks AND eliminates false positives for this vulnerability, without tight integration with the WordPress API.

We are bringing this to your attention because if you are using a cloud based WAF that does not tightly integrate with WordPress, you may not be protected against this vulnerability. Your cloud WAF does not have access to the WordPress API to implement this kind of fix.

Protection for All Users

Normally, we would release a firewall rule as part of our Threat Defense Feed, which is deployed in real time to our Wordfence Premium customers and to the free community version of Wordfence within 30 days. Because protection for this vulnerability required code changes within Wordfence, we have opted to make it available to all users immediately.

Our recommendation at this time is to update your InfiniteWP Client plugin as soon as possible to version 1.9.4.5. Updating Wordfence to version 7.4.3 on sites using InfiniteWP Client will provide concurrent protection.

Thank you to Matt Rusnak and Ramuel Gall for contributing to this update.

The post Critical Authentication Bypass Vulnerability in InfiniteWP Client Plugin appeared first on Wordfence.

Multiple Vulnerabilities Patched in Minimal Coming Soon & Maintenance Mode – Coming Soon Page Plugin

A few weeks ago, our threat intelligence team discovered several vulnerabilities in Minimal Coming Soon & Maintenance Mode – Coming Soon Page, a WordPress plugin installed on over 80,000 websites. The most severe allowed an attacker to use Cross-Site Request Forgery (CSRF) to enable maintenance mode and inject a stored cross-site scripting (XSS) payload, as well as to modify several important settings. We later found additional weaknesses that allowed any authenticated user to enable or disable maintenance mode, export settings, and change maintenance mode themes.

We privately disclosed the issue to the plugin’s developer, with whom we were already working on a security issue in 301 Redirects – Easy Redirects Manager. As we saw with 301 Redirects, they were quick to acknowledge the report and start working on a patch. 

For the vulnerabilities present in Minimal Coming Soon & Maintenance Mode, Wordfence Premium customers received new firewall rules to protect against exploits; free users will receive these rules after thirty days, on February 2, 2020.


Description: CSRF to Stored XSS and Setting Changes
Affected Plugin: Minimal Coming Soon & Maintenance Mode – Coming Soon Page 
Affected Versions: <= 2.10
CVE ID: CVE-2020-6167
CVSS Score: 9.6 (Critical)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Patched Version: 2.15

Nonce Checks Needed to Validate Setting Changes

The Minimal Coming Soon & Maintenance Mode – Coming Soon Page plugin provides a plethora of features to help customize a site’s maintenance or coming soon page, all of which are accessible in a centralized settings area. 

Unfortunately, this plugin had no nonce checks on any of its settings to verify that a request originated from a legitimate source, such as a form submitted by a logged-in administrator. The missing nonce checks created a CSRF vulnerability: an attacker could craft a request, disguise it as a link, and trick a site owner into modifying the plugin's settings.

Vulnerable code snippet:

} elseif ( isset( $_POST['signals_csmm_submit'] ) ) {

Revised code snippet with nonce verification:

} elseif ( isset( $_POST['signals_csmm_submit'] ) && isset($_POST['csmm_save_nonce']) && wp_verify_nonce($_POST['csmm_save_nonce'], 'csmm_save_settings')) {

The functionality of the settings significantly increases the severity of this vulnerability. In this instance, every setting controlling the plugin’s features could be modified. This included features like inserting custom HTML, enabling maintenance mode, IP whitelisting, general content design, and importing logos. 

An attacker able to trick an administrator into clicking a link carrying a specially crafted request could create havoc for site owners and their visitors. A malicious link could take the vulnerable site offline by enabling maintenance mode while injecting malicious JavaScript into the custom HTML field; that script would then execute whenever a visitor browsed the site. This stored XSS could redirect site visitors to malicious websites, infect vulnerable computers, or perform other malicious actions.

XSS exploited in Minimal Coming Soon & Maintenance Mode plugin.

An attacker could also make several additional impactful changes like enabling the “Temporarily Pause Search Engines” setting, hurting a site’s search engine ranking, or including remote files as a “logo” on the site, with little to no restriction on file type. 

This vulnerability is similar to what we saw in another maintenance mode plugin, WP Maintenance, a few weeks ago. Though CSRF is hard to protect against, the Wordfence firewall’s built-in XSS protection protects against any XSS attempts made during a CSRF exploit attempt. Avoid CSRF attacks by not clicking on links or attachments from untrusted sources.


Description: Insecure Permissions: Enable and Disable Maintenance Mode
Affected Plugin: Minimal Coming Soon & Maintenance Mode – Coming Soon Page 
Affected Versions: <= 2.10
CVE ID: CVE-2020-6168
CVSS Score: 7.1 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Patched Version: 2.15

The Minimal Coming Soon & Maintenance Mode plugin provides users with the capability to enable and disable maintenance mode from the admin bar to make it more convenient for administrators to toggle between the two modes when performing maintenance on a site.

To provide this feature, the plugin registers an admin action guarded only by an is_admin() check. It is a common misconception that is_admin() verifies that a request comes from an administrator logged into the admin dashboard. In fact, is_admin() only reports that the request is addressed to an administrative page (a URL under /wp-admin/), and such pages are reachable by any logged-in user, not just administrators.

This created a flaw that allowed any authenticated user with subscriber permissions or above to enable and disable maintenance mode on a vulnerable site by sending a simple request. On a site without open registration, where an attacker could not create a subscriber account, the same action could be triggered through CSRF, since there were no nonce checks either.

Vulnerable code snippet:

class CSMM {
  static function init() {
    if (is_admin()) {
      // is_admin() only says the request targets an admin page; it is not an authorisation check
      add_action('admin_action_csmm_change_status', array(__CLASS__, 'change_status'));
    }
    // ...
  }
  // ...
}

<?php
  // Template fragment that builds the toggle link; note that no nonce is attached to the URL
  if ($signals_csmm_options['status'] == '1') {
    $action_url = add_query_arg(array('action' => 'csmm_change_status', 'new_status' => 'disabled', 'redirect' => urlencode($_SERVER['REQUEST_URI'])), admin_url('admin.php'));
  } else {
    $action_url = add_query_arg(array('action' => 'csmm_change_status', 'new_status' => 'enabled', 'redirect' => urlencode($_SERVER['REQUEST_URI'])), admin_url('admin.php'));
  }

Proof of Concept

To exploit this vulnerability, an attacker would log in as a user with subscriber or above permissions and send the following request to enable maintenance mode:

/wp-admin/admin.php?action=csmm_change_status&new_status=enabled&redirect=/wp-admin/

Alternatively, a malicious actor could send the following request to disable maintenance mode:

/wp-admin/admin.php?action=csmm_change_status&new_status=disabled&redirect=/wp-admin/

Wordfence Premium customers have already received new firewall rules to protect against these exploits; free users will receive these rules after thirty days, on February 2, 2020.


Description: Insecure permissions: Export Settings/Theme Change
Affected Plugin: Minimal Coming Soon & Maintenance Mode – Coming Soon Page 
Affected Versions: <= 2.15
CVE ID: CVE-2020-6166
CVSS Score: 5.4 (Medium)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N
Patched Version: 2.17

Another set of features provided by the Minimal Coming Soon & Maintenance Mode plugin includes the ability to export settings and change maintenance mode themes. 

As with the previous vulnerability, the same mistake appears here: is_admin() is used as if it were a permission check verifying that an administrative user triggered the action, when it only checks that the request is addressed to a page within the administrative dashboard.

This created a flaw that would allow any user logged in as a subscriber or above to export the plugin settings as a .txt file or modify the theme of the maintenance page on a vulnerable site.

Example of vulnerable code for settings export:

function csmm_plugin_admin_init() {
  if (!is_admin()) {
    return;
  }
  // Registered behind is_admin() only: any logged-in user reaching admin.php can trigger it
  add_action('admin_action_csmm_export_settings', 'csmm_export_settings');
  // ...
}

function csmm_export_settings() {
    // No capability check or nonce verification before the export below
    $filename = str_replace(array('http://', 'https://'), '', home_url());
    $filename = str_replace(array('/', '\\', '.'), '-', $filename);
    $filename .= '-' . date('Y-m-d') . '-csmm.txt';

    $options = csmm_get_options();
    unset($options['none']);
    $options = apply_filters('csmm_options_pre_export', $options);

    $out = array('type' => 'CSMM', 'version' => csmm_get_plugin_version(), 'data' => $options);
    $out = json_encode($out);

    header('Content-Type: text/plain');
    header('Content-Disposition: attachment; filename=' . $filename);
    header('Expires: 0');
    header('Cache-Control: must-revalidate');
    header('Pragma: public');
    header('Content-Length: ' . strlen($out));

    @ob_end_clean();
    flush();

    echo $out;
    exit;
} // export_settings

Proof of Concept

To exploit this vulnerability, an attacker would need to log in with subscriber or above permissions and send the following request to export the plugin settings:

/wp-admin/admin.php?action=csmm_export_settings&redirect=/wp-admin/

Alternatively, a malicious actor could send the following request to change the theme:

/wp-admin/admin.php?action=csmm_activate_theme&theme=minimal&redirect=/wp-admin/

Wordfence Premium customers have already received new firewall rules to protect against these exploits; free users will receive these rules after thirty days, on February 2, 2020.
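As an added example (not the plugin's code) covering both the maintenance-mode toggle and the settings-export endpoints above, here is how those admin_action handlers look with a capability check and a nonce in place of the is_admin() test. It assumes WordPress is loaded; the _hardened function names and the nonce action names are hypothetical, and signals_csmm_options is the option name from the vulnerable snippet.

```php
<?php
// Added example, not the plugin's code. Assumes WordPress is loaded; the
// *_hardened names, 'csmm_nonce' and the nonce action strings are hypothetical.

// is_admin() only says "this request targets a /wp-admin/ URL" and is true for a
// subscriber too. Authorisation needs a capability check, and state changes
// need a nonce so a crafted link (CSRF) cannot trigger them.
function csmm_require_admin_and_nonce_hardened(string $nonce_action): void
{
    if (!current_user_can('manage_options')) {
        wp_die(esc_html__('You are not allowed to do this.', 'csmm-example'), '', ['response' => 403]);
    }
    // Dies with a 403 when the 'csmm_nonce' field is missing, expired or forged.
    check_admin_referer($nonce_action, 'csmm_nonce');
}

function csmm_change_status_hardened(): void
{
    csmm_require_admin_and_nonce_hardened('csmm_change_status');

    $new_status = isset($_GET['new_status']) && $_GET['new_status'] === 'enabled' ? '1' : '0';
    $options = get_option('signals_csmm_options', []);
    $options['status'] = $new_status;
    update_option('signals_csmm_options', $options);

    // Redirect only within this site; wp_safe_redirect() refuses external hosts.
    $redirect = isset($_GET['redirect']) ? wp_unslash($_GET['redirect']) : admin_url();
    wp_safe_redirect($redirect);
    exit;
}

function csmm_export_settings_hardened(): void
{
    csmm_require_admin_and_nonce_hardened('csmm_export_settings');

    $options = get_option('signals_csmm_options', []);
    $out = wp_json_encode(['type' => 'CSMM', 'data' => $options]);
    header('Content-Type: text/plain');
    header('Content-Disposition: attachment; filename="csmm-settings.txt"');
    echo $out;
    exit;
}

// Registering the handlers behind is_admin() is fine as a routing guard;
// it is just not an authorisation check, which is why each handler does its own.
function csmm_plugin_admin_init_hardened(): void
{
    if (!is_admin()) {
        return;
    }
    add_action('admin_action_csmm_change_status', 'csmm_change_status_hardened');
    add_action('admin_action_csmm_export_settings', 'csmm_export_settings_hardened');
}
add_action('admin_init', 'csmm_plugin_admin_init_hardened');

// Building the toggle link: wp_nonce_url() appends the nonce the handler verifies,
// so a bare URL like the one in the proof of concept is rejected.
function csmm_toggle_url_hardened(bool $currently_enabled): string
{
    $url = add_query_arg([
        'action'     => 'csmm_change_status',
        'new_status' => $currently_enabled ? 'disabled' : 'enabled',
        'redirect'   => rawurlencode($_SERVER['REQUEST_URI'] ?? '/wp-admin/'),
    ], admin_url('admin.php'));
    return wp_nonce_url($url, 'csmm_change_status', 'csmm_nonce');
}
```

The csmm_activate_theme endpoint mentioned above gets the same treatment: a capability check and check_admin_referer() before the theme is changed.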

Timeline

December 18th, 2019 – Initial contact with developer and notification of CSRF/XSS issues. No rule deployed as our existing XSS rule mitigates the XSS portion of the attack.
December 19th, 2019 – Developer responds and acknowledges issues. 
December 25th, 2019 – Developer releases first patch.
January 3rd, 2020 – Discovery of additional security issues disclosed to plugin developer. New firewall rules released for premium Wordfence users. 
January 7th, 2020 – Developer acknowledges additional vulnerabilities, begins working on additional fixes. 
January 8th, 2020 – Final patch is released. 
February 2nd, 2020 – Free users receive firewall rules.

Conclusion

In today’s post, we detailed several vulnerabilities present in the Minimal Coming Soon & Maintenance Mode – Coming Soon Page plugin, which included one critical vulnerability. Fortunately, the plugin developer was incredibly quick to respond and release a patch for the vulnerable endpoints. These flaws have all been patched in version 2.17 and we urge users to update to the latest available version as soon as possible. 

Sites running Wordfence Premium have been protected from attacks against these vulnerabilities since January 3, 2020. Sites running the free version of Wordfence will receive the firewall rule update on February 2, 2020 and should update the plugin immediately.

The post Multiple Vulnerabilities Patched in Minimal Coming Soon & Maintenance Mode – Coming Soon Page Plugin appeared first on Wordfence.

Episode 62: 2019 Think Like a Hacker Highlights

We’ve had quite a year with Think Like a Hacker, the podcast about WordPress, security and innovation. For this end of year episode, we take a look back at a few of our favorite interviews and news stories. We review conversations with Josepha Haden, Brandy Lawson, Jennifer Bourn, Matt Cromwell, and we look back at the Pipdig story that created a furor earlier this year.

Thank you to everyone who sat down with us over the first year of Think Like a Hacker, and thank you to our audience for listening, commenting, and helping Think Like a Hacker become what it is. We have big plans for 2020, and we hope you join us. Happy holidays to everyone celebrating, and we’ll see you in 2020.

Here are timestamps if you’d like to jump around:
0:55 Josepha Haden on how she got involved with WordPress
1:59 Jon Brown talks about managing a remote team
3:50 Verious Smith’s entrepreneurship journey
5:40 The Pipdig story with Mikey Veenstra
6:53 Ryan Dewhurst on the WP Vulnerability Database
7:44 Brandy Lawson talks about entrepreneurship
8:42 WordPress core and signing core updates
10:19 Matt Cromwell on why open source community matters
11:37 Jennifer Bourn on the benefits of young people in WordPress
13:03 Marieke van de Rakt on Yoast Academy
14:00 Think Like a Hacker at WordCamp US

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

In this episode, we look back at a few of our favorite episodes and stories during 2019.

You can find Mark on Twitter as @mmaunder and Kathy as @kathyzant.

Please feel free to post your feedback in the comments below. What was your favorite episode of Think Like a Hacker in 2019?

The post Episode 62: 2019 Think Like a Hacker Highlights appeared first on Wordfence.


Critical Vulnerability Patched in 301 Redirects – Easy Redirect Manager

Description: Authenticated Arbitrary Redirect Injection and Modification
Affected Plugin: 301 Redirects – Easy Redirect Manager 
Affected Versions: <= 2.40
CVSS Score: 9.0 (Critical)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Patched Version: 2.45

On Friday, December 13th, our Threat Intelligence team discovered vulnerabilities in 301 Redirects – Easy Redirect Manager, a WordPress plugin installed on over 70,000 websites. These weaknesses allowed any authenticated user, even a subscriber, to modify, delete, and inject redirect rules, which could result in a loss of site availability or send visitors to attacker-controlled destinations. We privately disclosed the issue to the plugin’s developer, who was incredibly quick to respond and release a patch.

Though this vulnerability required the attacker to be authenticated, numerous WordPress sites allow for registration as a subscriber. For these sites, exploitation of this vulnerability would be quite simple.

This is considered a critical security issue, and websites running 301 Redirects – Easy Redirect Manager 2.40 or below should be updated to version 2.45 immediately. On the same day we discovered the vulnerability, Wordfence Premium customers received a new firewall rule to protect against exploits; free users will receive the rule after thirty days, on January 12, 2020.

Unprotected AJAX Actions Gone Awry

301 Redirects – Easy Redirect Manager is a simple plugin used to set up 301 redirects on WordPress sites. In order to save new redirects and modify old redirects, the plugin registers several AJAX actions using a seemingly safe is_admin() function to prevent unauthorized access. 

if (is_admin()) {

  // Ajax funcs
  // Note: is_admin() is true for every request routed through admin-ajax.php,
  // so this wrapper does not restrict which logged-in users reach these handlers.
  add_action('wp_ajax_eps_redirect_get_new_entry',            array($this, 'ajax_get_entry'));
  add_action('wp_ajax_eps_redirect_delete_entry',             array($this, 'ajax_eps_delete_entry'));
  add_action('wp_ajax_eps_redirect_get_inline_edit_entry',    array($this, 'ajax_get_inline_edit_entry'));
  add_action('wp_ajax_eps_redirect_save',                     array($this, 'ajax_save_redirect'));

}

Trac: eps-301-redirects.php

However, is_admin() only checks whether the “dashboard or the administration panel is attempting to be displayed.” As the WordPress.org Codex notes, “this function does not verify whether the current user has permission to view the Dashboard or the administration panel.” Requests to admin-ajax.php count as administration-panel requests, so is_admin() returns true for every AJAX call regardless of who made it. admin-ajax.php itself only requires that a user be logged in for wp_ajax_ actions; it performs no capability check, and neither did the plugin.

Therefore, due to the lack of capability checks on the AJAX actions, any user authenticated as a subscriber or above can use these AJAX actions to delete redirect entries, create new redirects, and view the form to add or edit inline entries. Because many attackers compromise sites with the hopes of redirecting traffic to spammy or malware-infested sites, this is an attractive and easy method of exploiting a vulnerable site. 

The unprotected AJAX actions are where the vulnerabilities begin; a deeper look found more problems.

Lack of Proper Input Validation

Investigating further, we found that the ID parameter, which is used to create an ID for new rules and identify existing rules, lacked any input validation or sanitization and was later reflected on the page. This led to a reflected XSS vulnerability that could not only be exploited on its own, but also in conjunction with a new redirect injection. Fortunately, the Wordfence firewall’s built-in XSS protection blocks this vulnerability for both our free and premium users. 

XSS being exploited in 301 Redirects – Easy Redirect Manager plugin using <BODY ONLOAD=alert(1)> payload.

Missing CSRF Protection

The vulnerable version of the plugin also failed to use a nonce for any of the AJAX actions used to create and modify rules. This created a CSRF weakness that could be exploited even when an attacker could not obtain subscriber-level privileges: a logged-in user lured to an attacker-controlled page could be made to submit the request on the attacker’s behalf. The missing permission checks on the AJAX actions also widened the CSRF attack surface considerably, since any user with subscriber or above permissions, not only an administrator, could serve as the victim of such a request.
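To make the three issues concrete (the is_admin() misuse and missing capability checks, the unsanitized and reflected ID parameter, and the missing nonce), here is an added example written for this article; it is not code from the 301 Redirects plugin. It places a handler following the pattern described above beside a hardened equivalent. The handler bodies, the eps_redirects option name, the nonce action name and the wp_ajax_eps_redirect_save_insecure hook name are assumptions for illustration; the WordPress API calls (check_ajax_referer, current_user_can, absint, esc_url_raw, wp_send_json_success and wp_send_json_error) are real and behave as commented.

```php
<?php
/**
 * Added example (not the plugin's code). Shows the vulnerable registration
 * pattern next to a hardened handler. Option name, nonce action and hook
 * names are assumptions made for illustration.
 */

// --- Vulnerable pattern -------------------------------------------------
// is_admin() is true for every admin-ajax.php request, so this wrapper lets
// any logged-in user (including subscribers) reach the handler. The hook is
// given an "_insecure" suffix only so both handlers can coexist in one file.
if ( is_admin() ) {
    add_action( 'wp_ajax_eps_redirect_save_insecure', 'insecure_ajax_save_redirect' );
}

function insecure_ajax_save_redirect() {
    // No nonce, no capability check, raw ID stored and echoed back (reflected XSS).
    $id           = $_POST['id'];
    $rules        = get_option( 'eps_redirects', array() );
    $rules[ $id ] = array( 'from' => $_POST['from'], 'to' => $_POST['to'] );
    update_option( 'eps_redirects', $rules );
    echo "Saved rule {$id}";
    wp_die();
}

// --- Hardened pattern ---------------------------------------------------
// No is_admin() wrapper is needed: wp_ajax_* hooks only fire in the AJAX context.
add_action( 'wp_ajax_eps_redirect_save', 'secure_ajax_save_redirect' );

function secure_ajax_save_redirect() {
    // 1. CSRF: the request must carry a nonce created with
    //    wp_create_nonce( 'eps_redirect_save' ) and passed to the admin JS.
    //    check_ajax_referer() dies with a 403 if the nonce is missing or stale.
    check_ajax_referer( 'eps_redirect_save', 'nonce' );

    // 2. Authorization: redirect management is an administrator task.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'Insufficient permissions', 403 );
    }

    // 3. Input validation: positive integer ID, a site-relative source path,
    //    and a target URL restricted to http/https so javascript: and data:
    //    targets cannot be stored.
    $id   = isset( $_POST['id'] ) ? absint( $_POST['id'] ) : 0;
    $from = isset( $_POST['from'] ) ? sanitize_text_field( wp_unslash( $_POST['from'] ) ) : '';
    $to   = isset( $_POST['to'] ) ? esc_url_raw( wp_unslash( $_POST['to'] ), array( 'http', 'https' ) ) : '';

    if ( 0 === $id || '' === $from || '' === $to || '/' !== substr( $from, 0, 1 ) ) {
        wp_send_json_error( 'Invalid redirect rule', 400 );
    }

    $rules        = get_option( 'eps_redirects', array() );
    $rules[ $id ] = array( 'from' => $from, 'to' => $to );
    update_option( 'eps_redirects', $rules );

    // 4. Output handling: respond with JSON and escape anything reflected,
    //    so the ID can never be interpreted as markup by the browser.
    wp_send_json_success( array(
        'id'      => $id,
        'message' => esc_html( "Saved rule {$id}" ),
    ) );
}
```

The order of the checks matters: the nonce check runs first so an unauthenticated or cross-site request is rejected before any capability lookup, and validation runs before the option is read so a malformed request never touches stored data. The same four steps apply to the delete and inline-edit handlers the plugin registers.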

The End Result

Each vulnerability was serious on its own. Together, the vulnerabilities in the 301 Redirects plugin created a significant risk for any WordPress site owner running a vulnerable version. An attacker exploiting these weaknesses could wreak havoc on site visitors, who could have been redirected to malicious sites. Those sites could have collected credentials via phishing pages or infected vulnerable computers with malware, amongst other things.

Even if a site did not have subscriber registration open, the CSRF vulnerability might allow a social engineering attack to succeed in injecting new redirects or deleting old ones. 

If one exploit attempt failed, there was another exploit that could possibly succeed. 

Disclosure Timeline

December 13th, 2019 – Initial private contact with developer and notification of security issue. Firewall rule is released to premium members.
December 14th, 2019 – Developer responds.
December 16th, 2019 – Full details sent to developer. 
December 16th, 2019 – Developer acknowledges vulnerabilities and starts working on patches 
December 17th, 2019 – Developer releases patch.   
January 12th, 2020 – Free users receive firewall rule. 

Conclusion

In today’s post, we detailed several vulnerabilities present in the 301 Redirects – Easy Redirect Manager plugin, which together led to one very severe issue. Fortunately, the plugin developer was incredibly quick to respond and release a patch for the vulnerable endpoints. These flaws have been patched in version 2.45 and we urge users to update to the latest available version as soon as possible.

Sites running Wordfence Premium have been protected from attacks against this vulnerability since December 13th, 2019. Sites running the free version of Wordfence will receive the firewall rule update on January 12th, 2020 and should update the 301 Redirects plugin immediately.

The post Critical Vulnerability Patched in 301 Redirects – Easy Redirect Manager appeared first on Wordfence.


Episode 61: Improving Website Performance and User Experiences with Dave Ryan

With Google Chrome experimenting with a badge of shame for websites that load slowly in Chrome, there is a new urgency for high performance interfaces for web users. Gatsby, Gridsome and other static site interfaces are hot in the development community right now, especially when talking about headless WordPress.

At WordCamp US, Mark chats with Dave Ryan about these technologies, reminding us that no matter the technology we use to create a website, our decisions during development matter to the end users’ experience.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

You can find Dave Ryan on Twitter as @0aveRyan, and you can meet him at WordCamp Phoenix. Wordfence is sponsoring and we’d love to meet you there, too.

You can find Mark on Twitter as @mmaunder and Kathy as @kathyzant.

Please feel free to post your feedback in the comments below.

The post Episode 61: Improving Website Performance and User Experiences with Dave Ryan appeared first on Wordfence.


WP-VCD Evolves To Remain Most Prevalent WordPress Infection

Early last month we released a comprehensive paper covering WP-VCD, the most prevalent malware campaign affecting the WordPress ecosystem in recent memory. In this paper we examined the campaign from a number of angles, such as the behavior of the malware itself, its method of distribution, and its evolution over time.

The presence of threats like WP-VCD demands that WordPress users remain vigilant about the security of their sites in the long term. Scams like these are prolific for a reason: They’re effective. Our data shows that WP-VCD is still infecting more new sites per week than any other active malware campaign. Even after publishing a paper on the campaign, we have yet to identify any meaningful change in the rate of new infections.

This lack of impact suggests an issue of user demographics. Simply put, it’s unlikely that security is a priority for the WordPress user who downloads pirated content from back-alley websites. Neither the whitepaper itself, nor reports from popular security news sources on the subject, would ever have been on that user’s radar. This reinforces an important point: Awareness is your most valuable security tool.

In today’s post, we’re going to look at what’s changed with WP-VCD between last month and today, and share some tips for staying vigilant against this threat and other scams like it.

Recap: What is WP-VCD?

WP-VCD is a malware infection designed to target WordPress sites by hiding in nulled, or pirated, plugins and themes. Its controllers exploit their victims to boost search engine rankings for the sites that distribute the infected code. The attackers then monetize the campaign with malvertising scripts, which trigger potentially dangerous popups and redirects for the victim sites’ visitors.

It’s a sophisticated campaign. It preys on unaware WordPress users looking for free access to paid content. Then, by using newly infected sites to draw in more victims, it maintains a reliable base of compromised sites even as earlier victims clean up the mess. Lastly, the campaign is resilient: if one of WP-VCD’s command and control (C2) domains is taken down, it can quickly rotate in a new one.

Some details were still unclear when we wrote the report, however. We hadn’t been able to identify where the campaign hosted its infrastructure. All domains used in the campaign, from the malware’s C2 sites to the SEO-boosted sites distributing the infected content, had DNS routed through Cloudflare’s content delivery network (CDN). This abstraction allowed the campaign to run without revealing the IP addresses behind it all.

Intervention From Cloudflare

Cloudflare acted quickly when we published our report. Less than twenty-four hours after the paper went live, access to WP-VCD’s C2 domains had been limited by the addition of a warning page.

A phishing warning page from Cloudflare.

While a human visitor could click through to see the content behind the warning page, a call from an infected website wouldn’t make it through. This prevented WP-VCD’s victim sites from accessing the /code.php and /o.php endpoints, which distributed instructions and registered newly infected sites.

The campaign’s C2 domains were the only ones affected by this intervention. Cloudflare did not add warnings to the sites responsible for distributing the infected plugins and themes.

DNS Exposure

Since the malware scripts could no longer access their C2 sites, WP-VCD’s controllers were forced to pull those domains from Cloudflare’s services.

Beginning November 5th, less than a day after the campaign’s exposure in our whitepaper, WP-VCD moved its command and control DNS away from Cloudflare. The new DNS provider is AliDNS, a service associated with Alibaba, the Chinese tech conglomerate.

WHOIS results for C2 domain trilns.com, showing ALIDNS.COM nameservers.

While Cloudflare provided CDN services which concealed the primary server behind the campaign, AliDNS did not. The C2 domain’s DNS records were now pointing directly at a single address: 94.156.175.170.

Researching The Host

The IP address 94.156.175.170 points to a cPanel server belonging to Verdina LTD, a company ostensibly based in Belize but with servers in Bulgaria.

This isn’t the first time hackers have used Verdina’s servers for criminal activity without reprisal. In 2016 it was revealed that the DDoS-for-hire service vDOS was hosted across four of Verdina’s servers. Verdina was also known for allowing IP spoofing, which is what makes “stresser” services like vDOS possible. Hacking forum users have pointed to Verdina specifically as an example of a host that was forced to stop permitting spoofing in order to retain its allocated IP address space.

The company’s connection to Belize also appears to be exclusively a bureaucratic one. The corporate address listed in Verdina’s Terms of Service, 1 Mapp Street, Belize City, Belize, suggests a relationship with International Corporate Services, a financial firm designed to help you create your very own non-resident corporation in Belize.

Screenshot of the homepage of offshorebelize.com.

We’re continuing to investigate activity associated with Verdina’s IP address space.

Testing The Host Server

As we detailed in the whitepaper, WP-VCD’s C2 sites rotated through new domain names frequently. We included more than a hundred in our report, but it’s safe to assume there have been more than that. What we didn’t know, due to their use of a CDN, was whether the attackers were rotating servers behind the scenes as well. With one domain name now pointing to one server, we needed to test if that server could be linked to previously used C2 domains.

For example, the C2 domain active at the time of this writing is www.trilns.com (note the www. in the address; these domains have always required the www. subdomain to resolve). An HTTPS request to 94.156.175.170 that sends the hostname www.trilns.com in the TLS handshake (SNI) receives a valid certificate for that domain, generated by the cPanel server running the site. Because a cPanel server only holds such a certificate for hostnames that have been configured on it, we could test the server for certificates associated with earlier C2 domains simply by repeating the request with each old hostname.
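The following is an added example of that test, written for this article and not part of Wordfence’s tooling. It connects to an IP address, sends a candidate hostname in the TLS Server Name Indication (SNI) extension, and checks whether the certificate the server returns covers that name, via the subject CN or a subjectAltName entry. The IP address and the three domain names are the ones discussed in this post; the function names and the report format are our own. It needs only PHP’s bundled openssl extension.

```php
<?php
/**
 * Added example (not Wordfence's tooling): link candidate domains to one
 * origin IP by requesting each name via SNI and inspecting the certificate
 * the server answers with. IP and domains below are the ones named in the post.
 */

/** Open a TLS session to $ip with SNI=$host and return the parsed peer cert, or null. */
function fetch_cert_for_sni( string $ip, string $host, int $port = 443, int $timeout = 5 ): ?array {
    $ctx = stream_context_create( array(
        'ssl' => array(
            'SNI_enabled'       => true,
            'peer_name'         => $host,  // value sent in the SNI server_name extension
            'verify_peer'       => false,  // self-signed cPanel certificates are expected
            'verify_peer_name'  => false,  // we inspect the name ourselves below
            'capture_peer_cert' => true,   // keep the certificate in the context params
        ),
    ) );
    $fp = @stream_socket_client( "ssl://{$ip}:{$port}", $errno, $errstr, $timeout, STREAM_CLIENT_CONNECT, $ctx );
    if ( false === $fp ) {
        return null;  // connection or handshake failure (port closed, no TLS, timeout)
    }
    $params = stream_context_get_params( $fp );
    $x509   = $params['options']['ssl']['peer_certificate'] ?? null;
    $parsed = $x509 ? openssl_x509_parse( $x509 ) : null;
    fclose( $fp );
    return $parsed ?: null;
}

/** Collect every DNS name a parsed certificate is valid for (subject CN plus SANs). */
function cert_dns_names( array $cert ): array {
    $names = array();
    if ( ! empty( $cert['subject']['CN'] ) ) {
        $names[] = strtolower( $cert['subject']['CN'] );
    }
    // openssl_x509_parse renders the extension as "DNS:a.example, DNS:b.example".
    $san = $cert['extensions']['subjectAltName'] ?? '';
    if ( preg_match_all( '/DNS:\s*([^,\s]+)/i', $san, $m ) ) {
        foreach ( $m[1] as $n ) {
            $names[] = strtolower( $n );
        }
    }
    return array_values( array_unique( $names ) );
}

/** Certificate name matching: exact match, or one wildcard in the leftmost label only. */
function name_matches( string $pattern, string $host ): bool {
    $pattern = strtolower( $pattern );
    $host    = strtolower( $host );
    if ( $pattern === $host ) {
        return true;
    }
    if ( 0 === strpos( $pattern, '*.' ) ) {
        $suffix = substr( $pattern, 1 );   // "*.example.com" -> ".example.com"
        $dot    = strpos( $host, '.' );
        return false !== $dot && substr( $host, $dot ) === $suffix;
    }
    return false;
}

/** For each candidate domain, report whether $ip serves a certificate covering it. */
function link_domains_to_origin( string $ip, array $domains ): array {
    $report = array();
    foreach ( $domains as $domain ) {
        $cert  = fetch_cert_for_sni( $ip, $domain );
        $names = $cert ? cert_dns_names( $cert ) : array();
        $hit   = false;
        foreach ( $names as $n ) {
            if ( name_matches( $n, $domain ) ) {
                $hit = true;
                break;
            }
        }
        $report[ $domain ] = array(
            'served' => $hit,
            'issuer' => $cert['issuer']['CN'] ?? null,  // lets you tell a cPanel self-signed cert from a public CA
            'names'  => $names,
        );
    }
    return $report;
}

if ( PHP_SAPI === 'cli' ) {
    // Domains from the post: the current C2, an older C2, and the viral-marketing host.
    $candidates = array( 'www.trilns.com', 'www.ratots.com', 'ins.spekt.pw' );
    foreach ( link_domains_to_origin( '94.156.175.170', $candidates ) as $domain => $r ) {
        printf( "%-18s served=%-3s issuer=%s names=%s\n",
            $domain, $r['served'] ? 'yes' : 'no', $r['issuer'] ?? '-', implode( ',', $r['names'] ) );
    }
}
```

Run it with php probe.php and substitute your own IP and domain list. A "served=yes" line for a domain that no longer resolves to this IP is the signal described above: that hostname was, at some point, configured as a site on the server. Because verify_peer is disabled, the script will also accept a default or fallback certificate; the name check is what turns a bare TLS handshake into evidence of hosting.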

Screenshot of the cPanel-signed certificate for C2 domain www.ratots.com.

In our testing, we were able to confirm the presence of valid cPanel certificates for all of the command and control domains we tested, even those not actively used in years. We also confirmed that this server hosts ins.spekt.pw, a domain used as part of WP-VCD’s viral marketing campaign.

SEO-Heavy Download Sites Still Behind Cloudflare

One part of the campaign we couldn’t associate with this server, however, was the distribution of infected plugins and themes. While an old, broken version of vestathemes.com could be found on 94.156.175.170 with an expired certificate, we determined that server wasn’t the current host of it or the other sites in the distribution network like downloadfreethemes.co and freenulled.top. We also hadn’t found the origin server behind the site hosting the actual infected zip files, download-freethemes.download.

Screenshot of a DIG request showing Cloudflare DNS used on download-freethemes.download.

Each of these sites, an entry point for unwitting WordPress administrators to infect themselves with WP-VCD, was still protected by Cloudflare’s CDN. It is unclear at this time why Cloudflare intervened with warning pages on the C2 domains but not on the sites reached by human visitors.

…But We Found Them Anyway

The C2 server at 94.156.175.170 broadcasts its hostname as vesta.vestathemes.com. With that in mind, we searched Shodan for other hostnames or service banners associated with the vestathemes name. Two different addresses were calling themselves server2.vestathemes.com: 94.156.175.192 and 94.156.175.193.

Using the same tests as before, we determined that 94.156.175.192 is the origin IP behind the nulled content distribution network. This includes the SEO-boosted domains advertising the infected plugins and themes, as well as download-freethemes.download, the site the zips are actually downloaded from.

The remaining address, 94.156.175.193, is still under investigation. We have not affirmatively associated this server with any outward-facing activity. However, navigating directly to either IP address and forcing a cPanel 404 page reveals a mailto: link for x1ngbox@gmail.com. Those who read the WP-VCD whitepaper will recognize this as the primary email address associated with the WP-VCD campaign.

A cPanel-generated 404 page from 94.156.175.193, linking the server to the email x1ngbox@gmail.com.

Tips For Remaining Vigilant Against Scams

  1. Be responsible with the third-party code you add to your website. While WP-VCD is simple enough to avoid by steering clear of nulled plugins and themes, recent history has shown that even ostensibly-legitimate developers are capable of adding questionable code to their products.
  2. If you are not personally handling the development of your website, ensure you fully trust the people you’ve assigned the task. Less-than-reputable “gig” developers, who claim to offer full custom site builds for a price that’s too good to be true, frequently cut corners that will cost you headaches at minimum. Even if they’re not intending to infect your website, they’re still interested in cutting costs by getting commercial themes for free, and they’re not sticking around your site long enough to make sure it’s clean.
  3. As a general rule, never trust a page you didn’t intend to visit. WP-VCD and other recent attack campaigns have been identified injecting malvertising scripts. These scripts redirect a site’s visitors to unwanted locations. These pages attempt to trick you into giving them what they want. This includes phishing for logins with claims like “You must log in to your Google account to view this content”, or prompting you to engage in a tech support scam by claiming your device is corrupted or infected. They’ll also ask mobile users for permission to receive push notifications, which can be used to send further spam notifications.
  4. Periodically visit your sites from new devices and locations without logging into them. WP-VCD’s malvertising code attempts to hide itself from administrators by storing a cookie on their device and logging the IP address they connected from. That way, even if the admin logs out, it can still hide until they clear their cookies and connect from a new IP address. This technique is not unique to WP-VCD, and can be useful in identifying other malicious activity that would have otherwise gone unnoticed.
  5. If your site was a victim of WP-VCD or another malware infection, you should inform your users as quickly as possible. Responsible site ownership means being forthright about the fact that your site’s visitors may have encountered dangerous code. Plus, depending on the way browsers cache your site, some of your visitors may still see an infected version for a while after you’ve cleaned it. Giving your users a heads-up isn’t just the ethical thing to do, it demonstrates to them that their security is a priority.

Conclusion

The actors behind the WP-VCD campaign have shown that they are quick to respond when infrastructure changes are necessary. It’s possible that new changes are forthcoming in the wake of the campaign’s recent information leakage. It’s hard to say how this campaign may evolve further over time. Continuing trends in the detection of new WP-VCD infections suggest that the campaign is going as strong as ever.

Preventing your site from falling victim to WP-VCD is simple: don’t install nulled plugins or themes. Not only does it take money from the folks who built the content, but sourcing code from untrustworthy sources has clear negative implications for the health of your website.

Because awareness is the most effective defense against infecting your own site, you can help spread this defense across the WordPress ecosystem. Share the WP-VCD whitepaper, inform, and educate less technical users so they’re empowered against the malicious actors that prey upon a lack of awareness. WordPress is stronger because of the community, and our educational efforts make us all stronger.

If you’re curious for more detail about WP-VCD and haven’t read it already, check out our report: WP-VCD: The Malware You Installed On Your Own Site.

The post WP-VCD Evolves To Remain Most Prevalent WordPress Infection appeared first on Wordfence.


Podcast Episode 60: Top WordPress Influencer Lists & Chrome Password Security Improvements

A small furor erupted over a top influencers in WordPress list that neglected to reflect the diverse nature of the WordPress community. We talk about the impossibility of making an accurate list that reflects the true nature of WordPress influence or contribution, and the diversity we saw during our work on Open, our film project about the WordPress community. We also talk about Google’s plans to give slow websites a new badge of shame in Chrome, password security updates in Chrome 79, and DHS reconsidering a plan to use facial-recognition technology on all U.S. citizens traveling internationally.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

This week in the news we cover:

  • A WordPress top influencer list misses out on the diversity and depth of WordPress influence and contribution.
  • Google Chrome plans to warn site visitors of speed and performance problems with websites.
  • Chrome 79 launches with password protection and dozens of security fixes.
  • DHS reconsiders facial recognition technology on US travelers. The US lags behind China in number of surveillance cameras.

You can find Mark on Twitter as @mmaunder and Kathy as @kathyzant.

Please feel free to post your feedback in the comments below.

The post Podcast Episode 60: Top WordPress Influencer Lists & Chrome Password Security Improvements appeared first on Wordfence.


Podcast Episode 59: Mailpoet’s Kim Gjerstad on Beating Spammers and Improving Net Promoter Scores

Kim Gjerstad, one of the founders of Mailpoet, visited with Mark at the Wordfence booth at WordCamp US. Kim and Mark talked about the origins of Mailpoet, the plugin that gives users a full email management system within the WordPress administrative dashboard. They talk about email deliverability as well as the challenges of fighting email abuse, a constant battle that Mailpoet is winning.

They also talk about net promoter scores and what it means for the success of a SaaS business.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

You can find Kim Gjerstad on Twitter as @kgjerstad. You can learn more about Mailpoet at mailpoet.com.

You can find Mark on Twitter as @mmaunder and Kathy as @kathyzant.

Please feel free to post your feedback in the comments below.

The post Podcast Episode 59: Mailpoet’s Kim Gjerstad on Beating Spammers and Improving Net Promoter Scores appeared first on Wordfence.
