Podcast Episode 14: Interview with Trauma Surgeon and Plugin Dev Andy Fragen

Dr. Andy Fragen is a trauma/acute care surgeon as well as a prolific WordPress plugin author. One of his plugins, GitHub Updater, allows you to host WordPress plugins and themes on GitHub instead of WordPress.org. Andy supports numerous WordCamps and is an active member of the WordPress community in southern California. I had the pleasure of talking with Andy at WordCamp Orange County. He’s a fascinating person and I really think you’ll enjoy our conversation.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

You can find me on Twitter as @mmaunder and Dr. Andy Fragen as @andyfragen. Please don’t hesitate to post your feedback in the comments below.

The post Podcast Episode 14: Interview with Trauma Surgeon and Plugin Dev Andy Fragen appeared first on Wordfence.

Podcast Episode 12: Major WhatsApp Vulnerability and Other News

This week in our news-focused episode we cover the WhatsApp zero-day vulnerability that allegedly was used to infect phones with malware by simply calling a phone with the app. We also announced a new update to the Wordfence plugin, making an updated two-factor authentication feature available to all Wordfence users. We cover a story about SIM hijacking and discuss why we need to move away from SMS 2-factor authentication. We also cover an ongoing supply-chain attack affecting thousands of sites, three antivirus companies that have been compromised, a malvertiser indictment and other stories.

Here are approximate timestamps in case you want to jump around:
0:30 WhatsApp voice calls used to inject malware
7:07 New Wordfence login security features
12:30 Ongoing supply-chain attack
18:58 SIM card hijacking campaign
22:05 Three US Antivirus companies compromised
23:55 Malvertiser compromised
30:12 Opting out of facial recognition at airports
32:48 Microsoft Word gets politically correct
37:38 Binance intrusion
41:25 Federal agencies spending millions to hack into phones

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

You can find me on Twitter as @mmaunder and Kathy as @kathyzant. Please don’t hesitate to post your feedback in the comments below.

The post Podcast Episode 12: Major WhatsApp Vulnerability and Other News appeared first on Wordfence.

Announcing 3 New Login Security Features

Spend any time looking at blocked attacks in Wordfence Live Traffic and you’ll walk away worried about login security. WordPress sites are under constant attack by bots attempting to guess your users’ passwords. A lot of these attacks simply test lists of commonly used passwords along with usernames they think you may have chosen, like ‘admin’ or different takes on your domain name.

More recently we’ve started to see more sophisticated attackers leveraging lists of passwords from data breaches in their attacks. These are referred to as credential stuffing attacks and have a much higher success rate than traditional password guessing attacks. If you’ve given other users access to your website, are you confident that they haven’t reused their password? If they have, you may be just one data breach away from a hacked website.

Today, with the release of Wordfence 7.3.1, we are excited to announce several new login security features! They are:

  • A completely rebuilt two-factor authentication feature, now available in the free version of Wordfence
  • Login page CAPTCHA
  • Improved XML-RPC protection

Together with the other login security features already included in Wordfence, these additions give you robust, layered protection from password guessing and credential stuffing attacks.

Completely Rebuilt Two-Factor Authentication Feature

Two-factor authentication, or 2FA, adds a second layer of security to your users’ accounts. It requires them to not only enter their password, but also a second piece of information only they have access to. An account protected by 2FA is virtually impossible to compromise. Even if an attacker discovers your username and password somehow, they still can’t log in.

Setting up 2FA is easy! Just scan the barcode with your authenticator app and enter a login code.

Use Any TOTP-Based Authenticator App

The new Wordfence 2FA feature leverages authenticator applications and services that support the time-based one-time password (TOTP) standard. There are many of them to choose from on the market; Google Authenticator, Authy, FreeOTP and 1Password are just a few. Many of you are probably already using one of these. For those who aren’t, they are incredibly easy to set up and use.

After entering your password, you simply enter the 6-digit login code from your authenticator app.

Wordfence 2FA is Now Available For Free

2FA is now available for use on sites running both the free and Premium versions of Wordfence. When we first added 2FA to Wordfence roughly 6 years ago, we leveraged SMS to send you a text message with a 2FA code when logging in to your site. Since sending SMS messages costs money we made it a Premium-only feature. A couple years ago we added an authenticator app option in addition to SMS.

The previous iteration of our 2FA feature is now being phased out completely and the replacement no longer includes an SMS option. Sites with the old version activated are able to continue to use it, but are strongly encouraged to transition to the new one. SMS is a less secure way to deliver login codes and is prone to delivery issues. In fact, NIST now specifically recommends against using SMS-based authentication.

Enable 2FA For Any User Role You Want

While it’s most important to protect your site’s admin accounts, there are plenty of other user roles with capabilities you don’t want to hand over to an attacker. Wordfence now lets you enable 2FA for any role you like. Simply visit the Settings tab on the Login Security page within Wordfence.

Whitelisted IPs That Bypass 2FA

This field accepts IP addresses or ranges where 2FA will not be required. You can use this to skip 2FA on networks you trust, such as when you have a static IP. Another example is a trusted range of IPs, such as your corporate network: users on it can log in without 2FA, while logins from outside the network still require it.

New Login Page CAPTCHA Feature

In recent years the number of IoT devices has exploded. Unfortunately they have been highly prone to security vulnerabilities. This has resulted in a massive increase in the size of botnets available for attackers. In the context of login security for WordPress, this means that attackers have more compromised machines, and IPs, to use in their attacks. By spreading attacks across much larger pools of IP addresses they are able to dial the number of login attempts made by each IP address down so far that they evade even the most aggressive login attempt limiting rules, at least at the site level.

Earlier in the year we experienced an attack just like that, where the attacker was leveraging hundreds of thousands of IP addresses in a very sophisticated manner. We determined that in order to effectively thwart the attack our best option would have been to deploy CAPTCHA protection on our login page, effectively nullifying the attack.

As is often the case, a solution to a problem we’re facing with WordPress security becomes a great product idea. You are now able to enable Google reCAPTCHA v3 on your login and registration pages using Wordfence. It does a fantastic job of blocking bots from attempting to log in while allowing humans through without incident.

As a fail-safe, any user that Google erroneously deems to be a bot (and who does not have 2FA active) may continue logging in by clicking a verification link in an email sent to the account’s email address. User registration attempts that are blocked may also send an email to the email address configured for site administration, which is rate limited to prevent abuse.

Improved XML-RPC Protection

XML-RPC is an interface that allows WordPress to communicate with other applications. It is unfortunately often overlooked by WordPress users when discussing login security. “Just move your login page and you’re secure!” they say with bravado. Unfortunately they are often wrong. In the last 30 days, 60.6% of the login attempts blocked by Wordfence were hitting XML-RPC, not the site’s login page.

Fortunately there is a way to secure XML-RPC as well, with the new login security features in Wordfence.

Disabling XML-RPC

Because XML-RPC is such a popular target for attackers, we strongly recommend that you figure out whether you need it or not. If you do, protect it with 2FA if possible. If you don’t use the WordPress app or the Jetpack plugin it is likely safe for you to disable XML-RPC.

If you don’t need it, disable it. Once you know it is safe to do so, disabling it is as easy as checking a box in your Wordfence settings. Just be aware that it may cause you problems in the future should you start using an app or plugin that requires it.

Two-Factor Authentication for XML-RPC

If you have a custom application that logs in via XML-RPC, it can be configured to append a TOTP code when logging in using Wordfence. This option allows you to protect your XML-RPC endpoint from brute force attacks while making it available for your custom app. Unfortunately most off-the-shelf plugins and apps that utilize XML-RPC cannot be configured to use 2FA just yet, but with Wordfence you’ll be ready for when they can.
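The TOTP scheme behind the authenticator-app login described above, and the appended code a custom XML-RPC client would send, as an added example rather than Wordfence's own code. It assumes RFC 6238 defaults (HMAC-SHA1, 30-second step, 6 digits) and that the client appends the code to the end of the password; the function names are the example's own.

```php
<?php
// Added example (not Wordfence's code): generating and verifying the 6-digit codes an
// authenticator app produces (RFC 4226 HOTP / RFC 6238 TOTP), including the clock-drift
// window and the replay check a server-side verifier needs, plus the assumed
// "password followed by code" convention for an XML-RPC client.

// Authenticator apps receive the secret Base32-encoded (inside the scanned otpauth:// URI).
function base32_decode_rfc4648(string $b32): string {
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZ234567';
    $b32 = strtoupper(rtrim($b32, '='));
    $bits = '';
    foreach (str_split($b32) as $ch) {
        $idx = strpos($alphabet, $ch);
        if ($idx === false) {
            throw new InvalidArgumentException('invalid base32 character');
        }
        $bits .= str_pad(decbin($idx), 5, '0', STR_PAD_LEFT);
    }
    $out = '';
    foreach (str_split($bits, 8) as $byte) {
        if (strlen($byte) === 8) {          // drop the trailing partial group
            $out .= chr(bindec($byte));
        }
    }
    return $out;
}

function hotp(string $secret, int $counter, int $digits = 6): string {
    $msg  = pack('J', $counter);            // 8-byte big-endian counter (RFC 4226)
    $hash = hash_hmac('sha1', $msg, $secret, true);
    $offset = ord($hash[19]) & 0x0F;        // dynamic truncation
    $code = ((ord($hash[$offset]) & 0x7F) << 24)
          | (ord($hash[$offset + 1]) << 16)
          | (ord($hash[$offset + 2]) << 8)
          | ord($hash[$offset + 3]);
    return str_pad((string) ($code % (10 ** $digits)), $digits, '0', STR_PAD_LEFT);
}

function totp(string $secret, int $unix_time, int $step = 30, int $digits = 6): string {
    return hotp($secret, intdiv($unix_time, $step), $digits);
}

// Accepts the current step and one step either side to absorb clock drift. Returns the
// step that matched (store it per user and pass it back as $last_used_step so the same
// code cannot be replayed) or null when no step matches.
function verify_totp(string $secret, string $code, int $unix_time, ?int $last_used_step = null): ?int {
    if (!preg_match('/^\d{6}\z/', $code)) {
        return null;
    }
    $current = intdiv($unix_time, 30);
    foreach ([0, -1, 1] as $delta) {
        $step = $current + $delta;
        if ($last_used_step !== null && $step <= $last_used_step) {
            continue;                       // code for this or an earlier step already used
        }
        if (hash_equals(hotp($secret, $step), $code)) {
            return $step;
        }
    }
    return null;
}

// Assumed XML-RPC client convention: the 6-digit code is appended to the password.
function split_password_and_code(string $credential): ?array {
    if (!preg_match('/^(.+)(\d{6})\z/s', $credential, $m)) {
        return null;
    }
    return ['password' => $m[1], 'code' => $m[2]];
}

// Self-check against the RFC 6238 test vector: the ASCII secret "12345678901234567890"
// (Base32 GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ) at T = 59 s gives 94287082, i.e. 287082 with 6 digits.
$secret = base32_decode_rfc4648('GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ');
assert($secret === '12345678901234567890');
assert(totp($secret, 59, 30, 8) === '94287082');
assert(totp($secret, 59) === '287082');
assert(verify_totp($secret, '287082', 59) === 1);          // matches step 1
assert(verify_totp($secret, '287082', 59, 1) === null);    // replay of step 1 rejected
$parts = split_password_and_code('correct horse battery staple287082');   // constructed input
assert($parts['code'] === '287082' && $parts['password'] === 'correct horse battery staple');
echo "TOTP self-check passed\n";
```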

Conclusion

In this age of massive botnets and constant data breaches, login security has become increasingly important. These new features combined with our existing ones will provide you with the tools you need to implement the layered security approach that will keep your site safe. We strongly recommend that you upgrade to the latest version of Wordfence if you haven’t done so already, and invest the time to enable these powerful new features.

Thanks and stay safe!

The post Announcing 3 New Login Security Features appeared first on Wordfence.

Podcast Episode 11: The Dave Ryan Interview

Today we’ve published episode 11 of Think Like a Hacker. As we mentioned earlier in the week, we’ve switched to a new format beginning this week, separating the news and our interview into two episodes. In today’s interview-focused episode we talk to Dave Ryan at WordCamp Orange County.

Dave Ryan is an Interdisciplinary WordPress Developer at Bluehost, where he focuses on helping build WordPress and supporting the WordPress community. He is an organizer for Phoenix area WordPress meetups and WordCamp Phoenix. He also speaks at numerous WordCamps around the country.

In the past Dave has worked for large publishers and universities, scaling high-traffic WordPress sites by blending his skills in information design, journalism and web development.

Dave lives in Phoenix, loves a good taco and will like every photo of your dog on Instagram.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

You can find me on Twitter as @mmaunder and Kathy as @kathyzant and Dave as @0aveRyan. Please don’t hesitate to post your feedback in the comments below.

The post Podcast Episode 11: The Dave Ryan Interview appeared first on Wordfence.

Podcast Episode 10: WordPress 5.2 Security Enhancements and Other News

Today we are pleased to bring you the tenth episode of Think Like a Hacker. We’re doing things a little differently this week, separating the news and our interview into two episodes. In today’s episode we cover the news, and we will share another compelling interview later in the week.

In the news we discuss new cryptographic protection against supply chain attacks in WordPress 5.2, which was released today. We talk about Israel’s missile attack against Hamas hackers, a data breach affecting 80 million households, the Gutenberg accessibility audit, DuckDuckGo’s “do not track” bill, a hacker selling Windows zero-day vulnerabilities and a sophisticated supply chain attack originating in China, amongst other stories.

Here are approximate timestamps in case you want to jump around:
1:24 Security enhancements in WordPress 5.2
8:35 Israeli defense force missile attack
11:05 WordCamp Atlanta recap
13:24 Breach affecting 80 million households
16:44 Gutenberg accessibility audit
26:10 DuckDuckGo Do Not Track Bill
31:10 Hacker Selling Windows 0Day vulnerabilities
34:50 Mozilla bans add-on obfuscated code
38:30 Hackers on a supply-chain attack spree
46:05 Hacker wiping Git repositories
48:54 Firefox certificate causes add-on failure
50:40 Japanese government developing defensive malware

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast.

You can find me on Twitter as @mmaunder and Kathy as @kathyzant. Please don’t hesitate to post your feedback in the comments below.

The post Podcast Episode 10: WordPress 5.2 Security Enhancements and Other News appeared first on Wordfence.

Unauthenticated Media Deletion Vulnerability Patched In WooCommerce Checkout Manager Plugin

Earlier this week, a security update was released for the WooCommerce Checkout Manager plugin for WordPress. This update fixes two distinct vulnerabilities: an arbitrary file upload flaw present in certain configurations, and a flaw allowing attackers to delete media files from affected sites. The plugin’s users are advised to install the latest available version (4.3 at the time of this writing) as soon as possible to prevent exploitation of the flaws patched in this update.

The file upload vulnerability was initially made public in a report by an unnamed security researcher, which was irresponsibly published on April 23rd without privately notifying the plugin’s author. In the process of verifying the report, our team identified an additional media deletion flaw which needed to be patched. We reached out to the plugin’s developer the same day to begin the disclosure process, and have deployed a firewall rule to protect our users from these exploits.

In this post we’ll be sharing details regarding both of these flaws, with particular focus on the media deletion flaw which has yet to be reported.

Conditional Arbitrary File Upload

The initially disclosed flaw in WooCommerce Checkout Manager allowed unauthenticated users to upload arbitrary files to affected sites in certain configurations. Specifically, the plugin’s “Categorize Uploaded Files” option needed to be active for this flaw to be exploitable.

With the plugin active, a site’s customers have the ability to upload files associated with their orders during the checkout process. Without the “Categorize Uploaded Files” option enabled, the plugin made use of WordPress’s built-in media upload handler, which is generally effective at keeping out malicious scripts. However, when the option is enabled, it directly uploads the file without any security checks, allowing dangerous files to be uploaded.

Wordfence firewall users, both premium and free, are protected from malicious script uploads.

Unauthenticated Media Deletion Flaw

While testing reports of the file upload flaw above, our team discovered a flaw which would allow attackers to delete media files from the affected site.

Alongside the file upload feature, the plugin is able to delete the attachments users have uploaded at checkout. In unpatched versions, this deletion feature allowed unauthenticated users to delete any media file, not just those associated with a user’s checkout uploads.

function update_attachment_wccm_callback() {

	global $post, $wpdb, $woocommerce;

	$array1 = explode( ',', sanitize_text_field( isset( $_POST['wccm_default_keys_load'] ) ? $_POST['wccm_default_keys_load'] : '' ) );
	$array2 = explode( ',', sanitize_text_field( isset( $_POST['product_image_gallery'] ) ? $_POST['product_image_gallery'] : '' ) );
	$attachment_ids = array_diff( $array1, $array2 );

	if( isset( $_POST['wccm_default_keys_load'] ) ) {
		if( !empty( $attachment_ids ) ) {
			foreach( $attachment_ids as $key => $values ) {
				wp_delete_attachment( $attachment_ids[$key] );
			}
		}
		echo __('Deleted successfully.','woocommerce-checkout-manager');
	}
	die();

}
add_action( 'wp_ajax_update_attachment_wccm', 'update_attachment_wccm_callback' );
add_action( 'wp_ajax_nopriv_update_attachment_wccm', 'update_attachment_wccm_callback' );

The above function, update_attachment_wccm_callback, is hooked into the update_attachment_wccm AJAX action. The function is only intended for Administrator and Shop Manager users, but was available to unauthenticated users due to its additional nopriv_ registration and a lack of capabilities checks. In the function, two POST body parameters are converted to arrays and then compared. Any media attachments with IDs present in $_POST['wccm_default_keys_load'] but not in $_POST['product_image_gallery'] are deleted via the built-in wp_delete_attachment function. This not only deletes the associated file, but removes its metadata from the WordPress media library.

An attacker with motivation to take down a site’s images and other media could do so by identifying a set of media IDs, or simply iterating over a wide range of values, and assigning them to wccm_default_keys_load as a comma-delimited string. Because the ternary operation on line 2176 returns an empty string by default, we don’t need to set a product_image_gallery parameter for comparison unless we wanted to exclude specific IDs for some reason.

For example, to delete any media files with IDs from 1 to 10, you’d send a POST request to http://example[.]com/wp-admin/admin-ajax.php?action=update_attachment_wccm with the POST body wccm_default_keys_load=1,2,3,4,5,6,7,8,9,10.
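A hardened rewrite of the handler shown above, added here as an example of the missing controls rather than the patch Visser Labs shipped in 4.3. It keeps the original parameter names; the nonce action name, the hardened function name and the choice of the manage_woocommerce capability (held by Administrators and Shop Managers) are this example's assumptions.

```php
<?php
// Added example, not the vendor's 4.3 patch: the same AJAX handler with the checks the
// vulnerable version lacked. Parameter names match the original; everything else is assumed.

function update_attachment_wccm_callback_hardened() {
	// 1. Capability check: only Administrators and Shop Managers (manage_woocommerce)
	//    may reach the deletion logic, even though the hook is authenticated-only.
	if ( ! current_user_can( 'manage_woocommerce' ) ) {
		wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
	}

	// 2. CSRF protection: the admin page issuing the request must embed a nonce created
	//    with wp_create_nonce( 'update_attachment_wccm' ) under the POST key 'nonce'.
	check_ajax_referer( 'update_attachment_wccm', 'nonce' );

	// 3. Validate input: comma lists become positive integer IDs; anything else is dropped.
	$loaded  = isset( $_POST['wccm_default_keys_load'] ) ? wp_unslash( $_POST['wccm_default_keys_load'] ) : '';
	$gallery = isset( $_POST['product_image_gallery'] ) ? wp_unslash( $_POST['product_image_gallery'] ) : '';
	$loaded_ids     = array_filter( array_map( 'absint', explode( ',', $loaded ) ) );
	$gallery_ids    = array_filter( array_map( 'absint', explode( ',', $gallery ) ) );
	$attachment_ids = array_diff( $loaded_ids, $gallery_ids );

	$deleted = array();
	$skipped = array();
	foreach ( $attachment_ids as $id ) {
		// 4. Per-object authorization: the ID must be an attachment, and delete_post is
		//    WordPress's meta capability for deleting that specific post.
		if ( 'attachment' !== get_post_type( $id ) || ! current_user_can( 'delete_post', $id ) ) {
			$skipped[] = $id;
			continue;
		}
		if ( wp_delete_attachment( $id, true ) ) {
			$deleted[] = $id;
		} else {
			$skipped[] = $id;
		}
	}

	// 5. Report what actually happened instead of an unconditional success string.
	wp_send_json_success( array(
		'deleted' => array_values( $deleted ),
		'skipped' => array_values( $skipped ),
	) );
}

// Registered for authenticated requests only: the wp_ajax_nopriv_ hook that exposed the
// original handler to unauthenticated visitors is deliberately not added.
add_action( 'wp_ajax_update_attachment_wccm', 'update_attachment_wccm_callback_hardened' );
```

Removing the nopriv_ registration alone would still leave any logged-in user (a customer account, for instance) able to call the handler, which is why the capability and per-object checks are needed as well.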

Next Steps

The plugin’s author, Visser Labs, has patched these issues in version 4.3 of WooCommerce Checkout Manager. It is advised that all sites making use of the plugin update as soon as possible. For sites which haven’t patched, a new Wordfence firewall rule has been deployed to prevent abuse of the media deletion flaw. Premium users have immediate access to this new rule, and free users will gain access in thirty days. Both free and premium users already benefit from built-in rules which offer protection from the file upload vulnerability as well.

At this time, we have not identified significant exploitation of either of these vulnerabilities. We will continue to monitor for related activity and issue further reports if necessary.

Thanks to Ram Gall from the Defiant QA team for the discovery of the media deletion vulnerability.

The post Unauthenticated Media Deletion Vulnerability Patched In WooCommerce Checkout Manager Plugin appeared first on Wordfence.

Read More

Unauthenticated Media Deletion Vulnerability Patched In WooCommerce Checkout Manager Plugin

Earlier this week, a security update was released for the WooCommerce Checkout Manager plugin for WordPress. This update fixes two distinct vulnerabilities: an arbitrary file upload flaw present in certain configurations, and a flaw allowing attackers to delete media files from affected sites. The plugin’s users are advised to install the latest available version (4.3 at the time of this writing) as soon as possible to prevent exploitation of the flaws patched in this update.

The file upload vulnerability was initially made public in a report by an unnamed security researcher, which was irresponsibly published on April 23rd without privately notifying the plugin’s author. In the process of verifying the report, our team identified an additional media deletion flaw which needed to be patched. We reached out to the plugin’s developer the same day to begin the disclosure process, and have deployed a firewall rule to protect our users from these exploits.

In this post we’ll be sharing details regarding both of these flaws, with particular focus on the media deletion flaw which has yet to be reported.

Conditional Arbitrary File Upload

The initially disclosed flaw in WooCommerce Checkout Manager allowed unauthenticated users to upload arbitrary files to affected sites in certain configurations. Specifically, the plugin’s “Categorize Uploaded Files” option needed to be active for this flaw to be exploitable.

With the plugin active, a site’s customers have the ability to upload files associated with their orders during the checkout process. Without the “Categorize Uploaded Files” option enabled, the plugin made use of WordPress’s built-in media upload handler, which is generally effective at keeping out malicious scripts. However, when the option is enabled, it directly uploads the file without any security checks, allowing dangerous files to be uploaded.

Wordfence firewall users, both premium and free, are protected from malicious script uploads.

Unauthenticated Media Deletion Flaw

While testing reports of the file upload flaw above, our team discovered a flaw which would allow attackers to delete media files from the affected site.

Alongside the file upload feature, the plugin is able to delete the attachments users have uploaded at checkout. In unpatched versions, this deletion feature allowed unauthenticated users to delete any media file, not just those associated with a user’s checkout uploads.

function update_attachment_wccm_callback() {

	global $post, $wpdb, $woocommerce;

	$array1 = explode( ',', sanitize_text_field( isset( $_POST['wccm_default_keys_load'] ) ? $_POST['wccm_default_keys_load'] : '' ) );
	$array2 = explode( ',', sanitize_text_field( isset( $_POST['product_image_gallery'] ) ? $_POST['product_image_gallery'] : '' ) );
	$attachment_ids = array_diff( $array1, $array2 );

	if( isset( $_POST['wccm_default_keys_load'] ) ) {
		if( !empty( $attachment_ids ) ) {
			foreach( $attachment_ids as $key => $values ) {
				wp_delete_attachment( $attachment_ids[$key] );
			}
		}
		echo __('Deleted successfully.','woocommerce-checkout-manager');
	}
	die();

}
add_action( 'wp_ajax_update_attachment_wccm', 'update_attachment_wccm_callback' );
add_action( 'wp_ajax_nopriv_update_attachment_wccm', 'update_attachment_wccm_callback' );

The above function, update_attachment_wccm_callback, is hooked into the update_attachment_wccm AJAX action. The function is only intended for Administrator and Shop Manager users, but was available to unauthenticated users due to its additional nopriv_ registration and a lack of capability checks. In the function, two POST body parameters are converted to arrays and then compared. Any media attachments with IDs present in $_POST['wccm_default_keys_load'] but not in $_POST['product_image_gallery'] are deleted via the built-in wp_delete_attachment function. This not only deletes the associated file, but also removes its metadata from the WordPress media library.

An attacker with motivation to take down a site’s images and other media could do so by identifying a set of media IDs, or simply iterating over a wide range of values, and assigning them to wccm_default_keys_load as a comma-delimited string. Because the ternary operation on line 2176 of the plugin source (the $array2 assignment above) returns an empty string by default, we don’t need to set a product_image_gallery parameter for comparison unless we wanted to exclude specific IDs for some reason.

For example, to delete any media files with IDs from 1 to 10, you’d send a POST request to http://example[.]com/wp-admin/admin-ajax.php?action=update_attachment_wccm with the POST body wccm_default_keys_load=1,2,3,4,5,6,7,8,9,10.
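As an added example (not the plugin’s own 4.3 patch, whose exact changes are not shown here), the following is the same handler with the controls the vulnerable version lacked: a nonce check, a capability check covering Administrators and Shop Managers, integer-cast IDs, a per-attachment permission check, and registration without the nopriv_ hook. The nonce action name and the JSON response shape are assumptions.

```php
<?php
// Added example, not the plugin's actual patch. Assumes the admin page emits a
// nonce via wp_create_nonce( 'wccm_update_attachment' ) (hypothetical action name)
// and sends it in a POST field named "nonce".
function update_attachment_wccm_callback_hardened() {
	// 1. CSRF: the request must carry a nonce tied to this action.
	check_ajax_referer( 'wccm_update_attachment', 'nonce' );

	// 2. Authorization: only Administrators and Shop Managers (both hold the
	//    manage_woocommerce capability) may reach the deletion logic at all.
	if ( ! current_user_can( 'manage_woocommerce' ) ) {
		wp_send_json_error( 'Insufficient permissions.', 403 );
	}

	// 3. Input handling: cast every ID to a non-negative integer and drop empties
	//    instead of passing raw strings to wp_delete_attachment().
	$keys    = isset( $_POST['wccm_default_keys_load'] ) ? wp_unslash( $_POST['wccm_default_keys_load'] ) : '';
	$gallery = isset( $_POST['product_image_gallery'] ) ? wp_unslash( $_POST['product_image_gallery'] ) : '';
	$array1  = array_filter( array_map( 'absint', explode( ',', sanitize_text_field( $keys ) ) ) );
	$array2  = array_filter( array_map( 'absint', explode( ',', sanitize_text_field( $gallery ) ) ) );
	$attachment_ids = array_diff( $array1, $array2 );

	$deleted = array();
	foreach ( $attachment_ids as $id ) {
		// 4. Object-level check: the target must be a real attachment, and the
		//    caller must hold delete_post on that specific post.
		if ( 'attachment' !== get_post_type( $id ) || ! current_user_can( 'delete_post', $id ) ) {
			continue;
		}
		if ( wp_delete_attachment( $id, true ) ) {
			$deleted[] = $id;
		}
	}
	wp_send_json_success( array( 'deleted' => $deleted ) );
}
// Authenticated hook only: with no wp_ajax_nopriv_ registration, a logged-out
// request to admin-ajax.php never reaches the callback.
add_action( 'wp_ajax_update_attachment_wccm', 'update_attachment_wccm_callback_hardened' );
```

The capability check alone closes the unauthenticated path; the nonce and per-attachment checks additionally stop a logged-in administrator from being tricked into deleting media via a forged request.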

Next Steps

The plugin’s author, Visser Labs, has patched these issues in version 4.3 of WooCommerce Checkout Manager. It is advised that all sites making use of the plugin update as soon as possible. For sites which haven’t patched, a new Wordfence firewall rule has been deployed to prevent abuse of the media deletion flaw. Premium users have immediate access to this new rule, and free users will gain access in thirty days. Both free and premium users already benefit from built-in rules which offer protection from the file upload vulnerability as well.

At this time, we have not identified significant exploitation of either of these vulnerabilities. We will continue to monitor for related activity and issue further reports if necessary.

Thanks to Ram Gall from the Defiant QA team for the discovery of the media deletion vulnerability.

The post Unauthenticated Media Deletion Vulnerability Patched In WooCommerce Checkout Manager Plugin appeared first on Wordfence.


Podcast Episode 9: The Jon Brown Interview and Vulnerabilities, The Dark Web, Scams, Oh My!

We cover quite a few news stories this week, including two plugins requiring immediate updating due to disclosed vulnerabilities, what we can expect from WordPress version 5.2 and a dark web marketplace that appears to have exit scammed users. We follow up on Google Sensorvault, a great interview with Richard Stallman about Facebook and JetBlue’s use of facial recognition technology. We take a look at GoDaddy’s removal of 15,000 spam subdomains, the Docker breach and Slack’s upcoming IPO and their dire warning to investors.

This week, I chat with Jon Brown, CEO of 9seeds, a digital agency. We chatted at Chris and Katie Bayer’s Black Mountain Coffee Roastery in Idyllwild, California. Jon and I talk about running an agency, remote work, being a digital nomad and of course, WordPress. We had a great conversation, and I think you’ll enjoy it.

Here are approximate timestamps in case you want to jump around:
1:15 WordPress plugin WooCommerce Checkout Manager vulnerabilities
3:40 BuddyPress vulnerabilities disclosed
4:42 WordPress 5.2 expected release
9:27 Dark web marketplace exit scammed
12:20 Congress asking questions about Google Sensorvault
14:39 Richard Stallman on Facebook
21:10 JetBlue facial recognition
26:17 GoDaddy spammy subdomain
29:25 IoT devices with P2P component flaws vulnerable
32:12 Docker breach
37:33 The Slack pre-IPO SEC disclosure
41:39 The Jon Brown Interview


You can find me on Twitter as @mmaunder and Kathy as @kathyzant, and Jon Brown at @jb510 or at 9seeds.com. Please don’t hesitate to post your feedback in the comments below.

The post Podcast Episode 9: The Jon Brown Interview and Vulnerabilities, The Dark Web, Scams, Oh My! appeared first on Wordfence.
