WP-VCD: The Malware You Installed On Your Own Site

One of the most prevalent malware infections facing the WordPress ecosystem in recent weeks is a campaign known as WP-VCD. Despite the relatively long existence of the campaign, the Wordfence threat intelligence team has associated WP-VCD with a higher rate of new infections than any other WordPress malware every week since August 2019, and the campaign shows no signs of slowing down.

In today’s post, we are publishing a comprehensive whitepaper analyzing WP-VCD. This whitepaper contains the full details of our research efforts into this prevalent campaign. It is intended as a resource for threat analysts, security researchers, WordPress developers and administrators, and anyone else interested in tracking or preventing the behavior associated with WP-VCD.

WP-VCD In Brief

The WP-VCD infection itself is spread via “nulled”, or pirated, plugins and themes distributed by a network of related sites, and it’s remarkable in the way it propagates once deployed. Behind the scenes, extensive command and control (C2) infrastructure and self-healing infections allow attackers to maintain a persistent foothold on these infected sites.

<?php
if (isset($_REQUEST['action']) && isset($_REQUEST['password']) && ($_REQUEST['password'] == '2f3ad13e4908141130e292bf8aa67474'))
	{
$div_code_name="wp_vcd";
switch ($_REQUEST['action'])
{
	case 'change_domain';
	if (isset($_REQUEST['newdomain']))

The code snippet above was sourced from an infected functions.php file on a site compromised by WP-VCD. Due to the campaign’s prevalence, this example is likely immediately recognizable to anyone with experience handling WordPress malware infections.
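As an added example (not Wordfence's code and not the YARA rules from the whitepaper), the following PHP script walks a themes directory and flags any functions.php carrying the two literal markers visible in the snippet above: the `$div_code_name="wp_vcd"` assignment and the hard-coded password hash. The sample theme tree is constructed in a temporary directory so the script runs stand-alone; a real scan would point it at wp-content/themes and use the full IOC list from the report.

```php
<?php
// Added example, not part of the original post: a minimal file scan for the
// two markers quoted from the infected functions.php above. The marker list
// is intentionally short; it is a demonstration, not a complete signature set.

const WP_VCD_MARKERS = [
    'wp_vcd_name' => '$div_code_name="wp_vcd"',
    'wp_vcd_pass' => "'2f3ad13e4908141130e292bf8aa67474'",
];

/** Returns [path => [marker names]] for every functions.php that carries a marker. */
function scan_theme_functions(string $themes_dir): array {
    $hits = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($themes_dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $file) {
        if ($file->getFilename() !== 'functions.php') {
            continue;
        }
        $src = file_get_contents($file->getPathname());
        $found = [];
        foreach (WP_VCD_MARKERS as $name => $needle) {
            // Plain substring match: the markers are literal strings, so no regex is needed.
            if (strpos($src, $needle) !== false) {
                $found[] = $name;
            }
        }
        if ($found) {
            $hits[$file->getPathname()] = $found;
        }
    }
    ksort($hits);
    return $hits;
}

// Constructed sample tree: one clean theme and one carrying the quoted header.
$root = sys_get_temp_dir() . '/wpvcd_demo_' . getmypid();
mkdir("$root/clean", 0700, true);
mkdir("$root/nulled", 0700, true);
file_put_contents("$root/clean/functions.php", "<?php\nadd_theme_support('title-tag');\n");
file_put_contents(
    "$root/nulled/functions.php",
    "<?php\nif (isset(\$_REQUEST['action']) && isset(\$_REQUEST['password']) && "
    . "(\$_REQUEST['password'] == '2f3ad13e4908141130e292bf8aa67474'))\n{\n"
    . "\$div_code_name=\"wp_vcd\";\n}\n"
);

foreach (scan_theme_functions($root) as $path => $markers) {
    printf("%s: %s\n", $path, implode(', ', $markers));
}

// Clean up the constructed sample tree.
foreach (['clean', 'nulled'] as $dir) {
    unlink("$root/$dir/functions.php");
    rmdir("$root/$dir");
}
rmdir($root);
```

Only the nulled theme is reported. Because WP-VCD re-infects from its C2 infrastructure, a hit on one file is a reason to inspect every theme and plugin on the host, not just to clean the one file.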

Full details and code analysis of the WP-VCD campaign can be found in the full report.

Infrastructure, Monetization, and Attribution

At various points in its history, specific features have been added and removed from the malware, but most core components of WP-VCD have remained consistent. Monetization comes from two main sources: viral marketing activity intended to manipulate search engine results via black hat SEO, and malvertising code which creates potentially dangerous redirects and pop-up ads for users viewing a compromised site.

In the whitepaper, we provide some insight into the extent of WP-VCD’s infrastructure and monetization scheme. We also reveal data which provides attribution to the threat actor behind the campaign.

Indicators of Compromise (IOCs)

In order to aid the security community in the prevention, detection, and eradication of WP-VCD infections, we have provided an extensive list of IOCs associated with this campaign. We have also shared some YARA-compatible malware detection rules for public use in the identification of infected sites.

Read The Full Report

The full scope of our investigation into WP-VCD far exceeds that of a typical research blog post, so please read the complete whitepaper: WP-VCD: The Malware You Installed On Your Own Site.

Credits: WP-VCD whitepaper by Mikey Veenstra. Editing by Sean Murphy and Ramuel Gall. 

The post WP-VCD: The Malware You Installed On Your Own Site appeared first on Wordfence.

Read More

Podcast Episode 53: WordCamp US 2019 Preview from St. Louis

Mark and Kathy connect in person on Halloween in St. Louis to talk about what’s happening at WordCamp US. We review what’s new at WCUS, some of the more interesting sessions, and all of the fun activities Wordfence is bringing to North America’s largest WordCamp. Kathy and Mark also tear down the 4th wall to talk to award-winning Director Sean Korbitz, the creative force behind OPEN | The Community Code, the movie about the WordPress community that premieres Saturday, November 2.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

  • See Jen Swisher on St. Louis local news talking about WordCamp US 2019.
  • Check out the WordCamp US 2019 livestream.
  • The WordCamp US full schedule.
  • Watch the Open trailer before November 2, or the full film after November 2 on open.film.

You can find Mark on Twitter as @mmaunder and Kathy as @kathyzant.

Please feel free to post your feedback in the comments below.

The post Podcast Episode 53: WordCamp US 2019 Preview from St. Louis appeared first on Wordfence.

Read More

Stored XSS Patched in SyntaxHighlighter Evolved Plugin

Description: Stored XSS
CVSS Severity Score: 5.4 (Medium)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:L/I:L/A:N
Affected Software: SyntaxHighlighter Evolved
Plugin Slug: syntaxhighlighter
Affected Version: 3.5.0
Patched Version: 3.5.1

While doing a security audit of the plugins and themes we run on wordfence.com, I discovered a stored XSS vulnerability in SyntaxHighlighter Evolved. SyntaxHighlighter Evolved currently has around 40,000+ active installations. We use SyntaxHighlighter here at Wordfence for code samples within blog posts.

SyntaxHighlighter will, by default, create links for URLs within the shortcode body. The URL regex is loose enough that a javascript:// pseudo-protocol can be used to execute JavaScript when the link is clicked. SyntaxHighlighter also processes shortcodes in post comments, so an unauthenticated user can submit a shortcode containing an XSS payload. The payload is then rendered within the comments section of the post and on the comment moderation page in WP Admin.

Proof of Concept:

[code]javascript://%0dalert%28document.cookie%29[/code]

This creates a link with the javascript: pseudo-protocol that can be used to execute arbitrary JavaScript when clicked. The vulnerability is actually with the regular expression used to match and auto-link URLs within the code block:

/<\w+:\/\/[\w-.\/?%&=@:;]*>|\w+:\/\/[\w-.\/?%&=@:;]*/g

The \w+ part of \w+:\/\/ matches any scheme name, so the pattern will also create links for javascript:, data:, and similar schemes. The stored XSS payload, when submitted through comments, is rendered both in the comments section of a post and in the comment moderation section of the WordPress admin panel.
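As an added example (not the plugin's code, and not necessarily how 3.5.1 fixed it), the PHP below runs the loose pattern quoted above and a scheme-allowlisted replacement over two constructed comment bodies, then shows a parse-based gate that does not depend on the regex at all. The allowlist of http, https and ftp is an assumption for the demonstration.

```php
<?php
// Added example, not part of the original post or the plugin.

// The pattern quoted in the advisory: "\w+" accepts any scheme.
const LOOSE_URL_RE = '/<\w+:\/\/[\w\-.\/?%&=@:;]*>|\w+:\/\/[\w\-.\/?%&=@:;]*/';

// Assumed replacement: only explicitly allowed schemes are auto-linked.
const SAFE_URL_RE = '/<(?:https?|ftp):\/\/[\w\-.\/?%&=@:;]*>|\b(?:https?|ftp):\/\/[\w\-.\/?%&=@:;]*/i';

/** All substrings the given pattern would turn into links. */
function find_autolinks(string $text, string $pattern): array {
    preg_match_all($pattern, $text, $matches);
    return $matches[0];
}

/**
 * Second line of defence: parse the candidate and accept only http(s)/ftp.
 * Applying this before emitting an href catches anything the regex lets through.
 */
function is_linkable_url(string $candidate): bool {
    $candidate = trim($candidate, '<>');
    $scheme = parse_url($candidate, PHP_URL_SCHEME);
    return is_string($scheme)
        && in_array(strtolower($scheme), ['http', 'https', 'ftp'], true);
}

// Constructed sample comment bodies.
$benign  = 'Docs: https://example.com/guide?x=1 and <ftp://files.example.com/a.txt>';
$hostile = 'javascript://%0dalert%28document.cookie%29'; // shape of the PoC above

foreach (['loose' => LOOSE_URL_RE, 'safe' => SAFE_URL_RE] as $name => $pattern) {
    printf("%-5s benign : %s\n", $name, json_encode(find_autolinks($benign, $pattern)));
    printf("%-5s hostile: %s\n", $name, json_encode(find_autolinks($hostile, $pattern)));
}

// The parse-based gate rejects the hostile string regardless of which regex ran.
foreach ([$benign, $hostile] as $text) {
    foreach (find_autolinks($text, LOOSE_URL_RE) as $link) {
        printf("%-45s linkable=%s\n", $link, is_linkable_url($link) ? 'yes' : 'no');
    }
}
```

The loose pattern links the javascript:// string; the allowlisted pattern does not. Keeping the scheme check separate from the matching regex is the more robust design, because an auto-linker's regex tends to get extended over time and the allowlist should not have to be re-derived each time.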

*.wordpress.com Sites Also Affected

I noticed Automattic listed as a contributor to SyntaxHighlighter. I decided to see if SyntaxHighlighter was one of the plugins covered under Automattic’s bug bounty program. It wasn’t in the list, so I checked to see if they were using SyntaxHighlighter on wordpress.com. They do, in fact, use it to render code blocks within comments for sites hosted with wordpress.com.

I submitted the vulnerability report to Automattic through HackerOne. Automattic triaged the report and deployed a fix to wordpress.com within 2 hours of the initial report. Version 3.5.1 of SyntaxHighlighter was released 4 days following the initial report. Automattic awarded a $300 bounty with a $50 bonus for the report.

Bounty Donated to OHSU in Memory of Alex Mills

The original developer of SyntaxHighlighter was a WordPress developer named Alex Mills. Sadly, he passed away earlier this year from leukemia. He worked for Automattic and was quite a prolific member of the WordPress community.

I decided to donate the bounty from Automattic to Oregon Health and Science University (OHSU) in memory of Alex Mills. OHSU played a key role in Alex’s care when undergoing treatment. You can read more about OHSU and about Alex on his blog.

Disclosure Timeline

  • October 4th, 2019 10:16am EDT – Vulnerability report sent to Automattic via HackerOne.
  • October 4th, 2019 12:05pm EDT – Automattic deploys fix to *.wordpress.com sites.
  • October 8th, 2019 – Automattic releases version 3.5.1 of SyntaxHighlighter.
  • October 9th, 2019 – Bounty awarded by Automattic and donated to OHSU.
  • October 21st, 2019 – Report (#707720) disclosed on HackerOne.

Conclusion

SyntaxHighlighter Evolved <= 3.5.0 contains a stored XSS vulnerability via specially crafted comments. The vulnerability was fixed in 3.5.1, and it is recommended that you update as soon as possible. This vulnerability is covered by our generic XSS firewall rule, so Wordfence users have been protected from this vulnerability all along.

The post Stored XSS Patched in SyntaxHighlighter Evolved Plugin appeared first on Wordfence.

Read More

Open Redirect Vulnerability Patched In Bridge Theme

Description: Open Redirect
CVSS v3.0 Score: 7.1 (High)
CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:L
Affected Software: Two built-in plugins packaged with the Bridge theme – Qode Instagram Widget and Qode Twitter Feed
Plugin Slugs: qode-instagram-widget, qode-twitter-feed
Affected Versions: Bridge Theme: 18.2 / Plugins: 2.0.1
Patched Version: Bridge Theme: 18.2.1 / Plugins: 2.0.2

Our Threat Intelligence team recently identified an open redirect vulnerability in Bridge, a commercial WordPress theme purchased more than 120,000 times. We disclosed this issue to Qode Interactive, the theme’s developers, who have since released a patch for the affected components.

The initial discovery was related to one of the theme’s prepackaged helper plugins, Qode Instagram Widget. After discovery, Qode’s team patched a similar open redirect flaw in another prepackaged plugin, Qode Twitter Feed. Both of these plugins should be updated to their latest version, which is 2.0.2 in both cases at the time of this writing. These updates will be accessible from within the Bridge theme’s recommended plugin manager once the theme has been updated to 18.2.1.

We have released new firewall rules which protect Wordfence users’ sites from abuse of these open redirects. Wordfence Premium users already have access to these rules, and users still on the free version will have access in thirty days.

In today’s post, we’ll take a look at the vulnerabilities that were patched, and we’ll briefly discuss the risk that an open redirect vulnerability presents. Update workflows can vary for commercial themes and plugins such as these, so we’ll additionally be providing a short guide to help Bridge users ensure they’re up to date.

What Is An Open Redirect?

An open redirect vulnerability exists when a web application can be made to redirect a visitor to an arbitrary location based on user input. This can be used to create innocent-looking web links to legitimate domains, which then redirect the victim to a dangerous location. This is commonly used in phishing scams, since a link to a trustworthy site is much more likely to be clicked than a typical phishing domain.

A classic example of this type of flaw is as follows:

$redirect_url = $_GET['url'];
header("Location: " . $redirect_url);

In the example above, a victim could be sent a link to https://legitimatesite.com/redirect.php?url=https://evilsite.com, hover over the link to confirm the legitimatesite.com domain, click on it, and be taken to evilsite.com without their permission.

In the WordPress ecosystem, this could be used in spearphishing attacks against site administrators. An administrator could receive a link to their own website and be taken to a WordPress login page, not knowing they were redirected to a phishing site built to harvest their credentials.

Vulnerable Redirect Scripts In Prepackaged Plugins

Upon install, the Bridge theme prompts users to install a number of prepackaged plugins. Two of these plugins, Qode Instagram Widget and Qode Twitter Feed, contained redirect scripts which allowed open redirects.

For Qode Instagram Widget, the following script could be found at lib/instagram-redirect.php:

<?php

if(!empty($_GET['redirect_uri']) && !empty($_GET['code'])) {
    $glue = strstr($_GET['redirect_uri'], '?') ? '&' : '?';
    header('Location: '.($_GET['redirect_uri'].$glue.'code='.$_GET['code']));
}

This code takes the GET parameters redirect_uri and code and combines them into the eventual redirect location; redirect_uri is never validated.

The code in Qode Twitter Feed is almost identical. The following can be found at lib/twitter-redirect.php:

<?php

if(!empty($_GET['redirect_url']) && !empty($_GET['oauth_token']) && !empty($_GET['oauth_verifier'])) {
    $glue = strstr($_GET['redirect_url'], '?') ? '&' : '?';
    header('Location: '.($_GET['redirect_url'].$glue.'oauth_token='.$_GET['oauth_token']).'&oauth_verifier='.$_GET['oauth_verifier']);
}

Not counting the interchange of “URI” and “URL” in the variable names, the only differences are the additional GET parameters required to trigger the redirect.

Upon disclosure, Qode Interactive responded that these scripts were only present for demo purposes, and they have been removed entirely from patched versions of the plugins.
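As an added example (not Qode's code), the PHP below shows how a redirect endpoint of the shape above can be written so that only destinations on an allowlist of hosts are honoured. The host allowlist, the fallback URL and the sample inputs are assumptions for the demonstration.

```php
<?php
// Added example, not part of the original post or the plugins.

/**
 * Return $requested if it is an absolute http(s) URL whose host is on the
 * allowlist, otherwise $fallback. Protocol-relative ("//host") and
 * backslash forms are rejected up front because browsers treat them as absolute.
 */
function safe_redirect_target(string $requested, array $allowed_hosts, string $fallback): string {
    $requested = trim($requested);
    if ($requested === '' || substr($requested, 0, 2) === '//' || strpos($requested, '\\') !== false) {
        return $fallback;
    }
    $parts = parse_url($requested);
    if ($parts === false || empty($parts['scheme']) || empty($parts['host'])) {
        return $fallback;
    }
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return $fallback;
    }
    if (!empty($parts['user']) || !empty($parts['pass'])) {
        return $fallback; // "https://trusted@evil" style userinfo confusion
    }
    $allowed = array_map('strtolower', $allowed_hosts);
    return in_array(strtolower($parts['host']), $allowed, true) ? $requested : $fallback;
}

/** Same glue logic as the vulnerable scripts, but with the query properly encoded. */
function append_query(string $url, array $params): string {
    $glue = strpos($url, '?') !== false ? '&' : '?';
    return $url . $glue . http_build_query($params);
}

// Constructed inputs standing in for $_GET['redirect_uri']; hosts are placeholders.
$allowed_hosts = ['www.example.com'];
$fallback      = 'https://www.example.com/';

$cases = [
    'https://www.example.com/wp-admin/?page=widget',
    'https://evil.example/login',
    '//evil.example/login',
    'javascript:alert(1)',
    'https://www.example.com@evil.example/',
];
foreach ($cases as $uri) {
    $target = append_query(safe_redirect_target($uri, $allowed_hosts, $fallback), ['code' => 'abc123']);
    printf("%-48s -> %s\n", $uri, $target);
}
// In a real handler the result feeds header('Location: ' . $target); exit;
```

Only the first case survives; every other input falls back to the site's own URL. Inside WordPress the same job is done by wp_safe_redirect(), whose allowed hosts can be extended with the allowed_redirect_hosts filter, and that is the function a plugin should call rather than emitting a Location header itself.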

How Do I Patch?

Commercial WordPress themes and plugins often have update workflows that differ from those native to the WordPress.org repository. In the case of the Bridge theme and its associated plugins, it seems many users aren’t getting the updates they need. According to our data, 38% of active Qode Instagram Widget installations haven’t been updated in more than two years, and that number jumps to 68% for Qode Twitter Feed users. 

Updating these plugins first requires users to update the Bridge theme. This is done either by manually downloading and installing an updated copy of the theme from ThemeForest, or by using the Envato Market plugin which also comes bundled with the Bridge theme to update from within the WordPress dashboard.

Screenshot of the Envato Market plugin’s API setup process.

Once the Envato Market plugin is installed, you can open its menu in the dashboard and set up your site’s API access to the Envato Marketplace. This will require you to log in to the account you used to purchase the Bridge theme and generate an access token using the steps they provide.

Once the API connection has been established, the theme can be updated. Unfortunately, the need to update isn’t made particularly obvious from most of the dashboard, as it doesn’t interact with WordPress’s built-in update notification system. Instead, you’ll see the update available within the Theme selector (Appearance -> Themes), or within the Themes tab of the Envato Market options page.

Screenshot of the WordPress theme selector showing an update available for Bridge.

Once Bridge has been updated, users may see a nag notification telling them their built-in plugins need to be updated, but if they ignore or dismiss it there’s no persistent indication that an update is available. If users open their plugins page, they won’t see a typical update notice. The individual plugin entries will show an “Update Required” link, however.

Screenshot of a WordPress plugin management page, showing several Qode plugins with “Update Required” links.

Short-Term Fix: Delete The Scripts

In the event that updating your site’s Bridge theme isn’t immediately possible, such as cases where a one-time developer installed it before vanishing into the wind, it’s easy to resolve the security issues present in these plugins without updating anything else.

Since the vulnerable files aren’t actually used or referenced in the plugins themselves, users can simply delete instagram-redirect.php and twitter-redirect.php from their sites without causing any problems. While it’s still always recommended that users update their themes and plugins, removing these files will still mitigate security concerns in the meantime.

Disclosure Timeline

  • 09/19/19 – Vendor notified of issue
  • 09/23/19 – Vendor acknowledged issue and proposed patch
  • 10/16/19 – Patched version released

 

The post Open Redirect Vulnerability Patched In Bridge Theme appeared first on Wordfence.

Read More

Podcast Episode 52: Innovating for Customer Success with Andrea Zoellner

Andrea Zoellner has been an active organizer of WordCamp Montreal and is the Chief Content Creator at hosting provider, SiteGround. Andrea focuses on supporting SiteGround customers in the North American and English-speaking market. With a background in journalism, Andrea found WordPress as the easiest way to get online and integrate with different services. She talked with us at WordCamp Sacramento about how she got involved with WordPress and the community and how her position at SiteGround puts her in a unique position to innovate through new tools and services for WordPress customers at SiteGround.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

You can find Andrea Zoellner on Twitter as @AndreaZoellner and @SiteGround. You can also see Andrea speak at WordCamp US in St. Louis in just a few weeks.

You can find Mark on Twitter as @mmaunder and Kathy as @kathyzant.

Please feel free to post your feedback in the comments below.

The post Podcast Episode 52: Innovating for Customer Success with Andrea Zoellner appeared first on Wordfence.

Read More

Podcast Episode 51: WeWork’s Financial Woes Spark Meetup RSVP Fees and the WordPress 5.2.4 Security Release

This week, we cover WeWork’s failed IPO and financial woes and how this likely led to Meetup’s introduction of an RSVP fee. We discuss why this decision doesn’t bode well for WeWork’s future. We also look at the WordPress 5.2.4 security release and what fixes are included. We discuss the planned release of PHP 7.4 on November 28 and how WordPress core is preparing for this update. We also get a little excited about our plans for WordCamp US November 1-2 and our party to celebrate the worldwide premiere of the open source film about the WordPress community: Open, The Community Code.

Here are timestamps if you’d like to jump around:
1:45 WeWork financial woes
8:40 Meetup’s RSVP fee
27:40 Open The Community Code party at WordCamp US
34:40 WordPress 5.2.4 security release
41:02 PHP 7.4 release on November 28, 2019

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

This week in the news we cover:

You can find Mark on Twitter as @mmaunder and Kathy as @kathyzant. To learn more about Open, visit open.film or follow on Twitter @opendotfilm.

Please feel free to post your feedback in the comments below.

The post Podcast Episode 51: WeWork’s Financial Woes Spark Meetup RSVP Fees and the WordPress 5.2.4 Security Release appeared first on Wordfence.

Read More

Medium Severity Vulnerability Patched in Fast Velocity Minify Plugin

Description: Full Path Disclosure
CVSS v3.0 Score: 4.3 (Medium)
CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Affected Plugin: Fast Velocity Minify
Plugin Slug: fast-velocity-minify
Affected Versions: <= 2.7.6
Patched Version: 2.7.7

A few days ago, our Threat Intelligence team identified a vulnerability present in Fast Velocity Minify, a WordPress plugin with over 80,000 active installs. This flaw allowed authenticated attackers to discover the full web root path to the running WordPress application. We disclosed this issue privately to the plugin’s development team, who released a patch just a few hours after our initial disclosure.

Fast Velocity Minify versions up to 2.7.6 are vulnerable to attacks against this flaw. All Fast Velocity Minify users should update to version 2.7.7 immediately. Wordfence Premium customers received a new firewall rule on October 14th to protect against exploits targeting this vulnerability. Free Wordfence users will receive the rule after thirty days.

Vulnerability In Detail

Fast Velocity Minify is a plugin that helps improve the speed of the WordPress sites it is installed on by using a caching method that merges JavaScript and CSS files into a limited number of grouped files. One feature of this plugin is meant to allow administrators to review cached files in the plugin settings dashboard. In order to display the status of the cached files, the plugin uses a wp_ajax callback that reads the contents of $cachedir and retrieves information about the files. While this feature did use the is_admin() function to verify that the request was coming from an administrative screen, it did not do a capability check to verify that the call was coming from an authenticated administrative user viewing the status page.

if(is_admin()) {
    add_action('admin_menu', 'fastvelocity_min_admin_menu');
    add_action('admin_enqueue_scripts', 'fastvelocity_min_load_admin_jscss');
    // AJAX endpoint available to any logged-in user; is_admin() is the only gate
    add_action('wp_ajax_fastvelocity_min_files', 'fastvelocity_min_files_callback');
    add_action('admin_init', 'fastvelocity_min_register_settings');
}

# function to list all cache files
function fastvelocity_min_files_callback() {
	global $cachedir;

	# default
	$size = fastvelocity_get_cachestats();
	$return = array('js' => array(), 'css' => array(), 'cachesize'=> $size);
	# ... (remainder of the callback, which lists the cached files, is not shown in the post)
}

This functionality is intended to give site owners status information about files that are already visible in the source of WordPress pages. The real issue appeared when the option ‘Enable FVM Debug Mode’ was enabled. Once that option was enabled, the full file path, including the web root, was logged in $cachedir with a status update that could later be viewed on the ‘Status’ page. Because the plugin relied on is_admin() for authorization, the AJAX request only needed to originate from an administrative endpoint; no capability check was performed, so the check could be bypassed by any logged-in user and the information could be accessed.

Any user with subscriber and above capabilities could send an AJAX request from an administrative page and see the information found on the ‘Status’ page which included the full path to the WordPress instance when ‘Enable FVM Debug Mode’ was enabled.
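As an added example (not Fast Velocity Minify's code), the PHP below keeps the wp_ajax handler shape shown above but adds the two checks that were missing: a capability check and a nonce check. It runs inside WordPress (add_action, current_user_can, check_ajax_referer, wp_send_json_success and wp_send_json_error are WordPress core functions); the example_min_* names, the nonce action and the manage_options capability are assumptions for the demonstration.

```php
<?php
// Added example, not part of the original post or the plugin.

if (is_admin()) {
    // is_admin() is a context check (requests to admin-ajax.php satisfy it),
    // not an authorization check, so the callback must authorize on its own.
    add_action('wp_ajax_example_min_files', 'example_min_files_callback');
}

function example_min_files_callback() {
    // 1. Only users who may manage the site may read the cache status.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(['message' => 'forbidden'], 403);
    }
    // 2. The request must carry the nonce that the settings page handed to its script.
    check_ajax_referer('example_min_files', 'nonce');

    global $cachedir;
    $return = ['js' => [], 'css' => [], 'cachesize' => 0];

    // 3. Report file names only, so the absolute web root never leaves the server
    //    even when a debug mode logs full paths elsewhere.
    foreach (['js', 'css'] as $type) {
        foreach (glob(rtrim($cachedir, '/') . "/*.$type") ?: [] as $file) {
            $return[$type][] = basename($file);
            $return['cachesize'] += filesize($file);
        }
    }
    wp_send_json_success($return);
}

// Where the settings page enqueues its admin script, pass the nonce along:
// wp_localize_script('example-min-admin', 'exampleMin',
//     ['nonce' => wp_create_nonce('example_min_files')]);
```

The capability check is what closes the flaw described in this post; the nonce check additionally stops a logged-in administrator's browser from being made to issue the request from another origin. Returning relative names rather than full paths is defence in depth against the debug-mode disclosure.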

Screenshots: the Fast Velocity Minify full path disclosure response, and a zoomed-in view of the disclosed path.

Although there was no direct harm with this vulnerability, it could have been used to further escalate a more sophisticated attack. Therefore, we created a firewall rule to protect Wordfence users against its exploitation.

Vulnerability Importance and Impact

Discovered vulnerabilities should always be patched, and protected against, as soon as they are found, regardless of their severity. Although a full path disclosure is not the most severe class of vulnerability, it still poses a security risk to anyone running the vulnerable software on their systems.

A full path disclosure can be used as part of a larger chain of attacks. Knowing the path of a site’s web root lets an attacker map out its file structure for exploitation, for example in a directory traversal attack, where malicious actors access restricted directories and can potentially execute commands outside the web root directory where WordPress is installed. Attackers can also use a full path disclosure to aid a local file inclusion attack, where they may need the full web root directory structure in order to include the file they would like to execute. A full path disclosure provides attackers with information useful for exploiting other, more severe vulnerabilities, which is what makes it dangerous.

As a precaution, we immediately released a firewall rule to our Wordfence Premium users so that they would be protected against this vulnerability. The chances of this vulnerability being exploited are quite low for most WordPress users, and the requirements make it quite difficult to exploit. Wordfence takes all security vulnerabilities seriously, and our threat intelligence team proactively researches, discloses and protects against known vulnerabilities to keep our users safe.

Disclosure Timeline

  • October 14th, 2019 – Developers notified privately of security issue.
  • October 14th, 2019 – Firewall rule released to Wordfence Premium users.
  • October 14th, 2019 – Developers acknowledged issue and released patch.
  • November 14th, 2019 – Free users receive firewall rule to protect against this vulnerability.

Conclusion

In today’s post, we detailed a full path disclosure flaw present in the Fast Velocity Minify plugin. This flaw has been patched in version 2.7.7 and we recommend users update to the latest version available. Sites running Wordfence Premium have been protected from attacks against this vulnerability since October 14th, 2019. Sites running the free version of Wordfence will receive the firewall rule update on November 14th, 2019.

Thank you to the plugin’s developer, Raul Peixoto, for their extremely prompt response and cooperation in quickly patching this vulnerability.

The post Medium Severity Vulnerability Patched in Fast Velocity Minify Plugin appeared first on Wordfence.

Read More

Podcast Episode 50: Empowering WordPress Users Through Education with Jennifer Bourn

Jennifer Bourn has been a leader in the WordPress community for years, helping WordPress users of all experience levels get the most out of the platform. She has also created beautiful websites for recognizable brands through her design company, Bourn Creative. At WordCamp Sacramento, we talked about how the WordPress community has opened new experiences for her entire family, her new ventures in training including Content Camp and the Profitable Project Plan, the Bourn family goal of visiting all national parks as well as the future of WordPress.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

You can find Jennifer Bourn on Twitter as @JenniferBourn and @BournCreative. You can find Mark on Twitter as @mmaunder and Kathy as @kathyzant.

Please feel free to post your feedback in the comments below.

The post Podcast Episode 50: Empowering WordPress Users Through Education with Jennifer Bourn appeared first on Wordfence.

Read More
