Multiple Vulnerabilities Patched in Pricing Table by Supsystic Plugin
On January 17th, our Threat Intelligence Team discovered several vulnerabilities in Pricing Table by Supsystic, a WordPress plugin installed on over 40,000 sites. These flaws allowed an unauthenticated user to execute several AJAX actions due to an insecure permissions weakness. Attackers were also able to inject malicious JavaScript due to a Cross-Site Scripting (XSS) vulnerability, access pricing table data, and forge requests on behalf of a site administrator because of a Cross-Site Request Forgery (CSRF) vulnerability. These vulnerabilities could allow attackers to run malicious JavaScript in a visitor's browser that could redirect site visitors to malicious websites, or […]

Multiple Attack Campaigns Targeting Recent Plugin Vulnerabilities
As part of our ongoing research efforts, the Wordfence Threat Intelligence team continually monitors our network for noteworthy threats facing WordPress. Recently, we’ve been tracking malicious activity targeting several vulnerabilities recently patched in popular plugins. In today’s post, we’ll provide details of our research into two active campaigns. We’ll also share some common indicators of compromise (IOCs) that can help you assess whether your site was impacted by these attacks. Wordfence malware scans will identify these IOCs and their variants on systems with the plugin installed, but we include them to help administrators and researchers better approach this data at […]

Episode 66: New Plugin Vulnerabilities & Succeeding as a Digital Nomad with Chloe at WCPHX
It has been a busy week in WordPress security with active attacks on a number of plugins including ThemeRex Addons and Theme Grill Demo Importer plugins. In this week’s Think Like a Hacker, we look at what’s happening, review what a zero-day vulnerability is, and give you some advice on keeping WordPress installations clean and safe. We also look at a vulnerability uncovered in the wpCentral plugin installed on over 60,000 sites, a WHO phishing attack, and Malwarebytes’ State of Malware report. At WordCamp Phoenix, Wordfence Threat Analyst Chloe Chamberland spoke to a packed room of attendees looking to learn […]

Active Attack on Recently Patched Duplicator Plugin Vulnerability Affects Over 1 Million Sites
Description: Unauthenticated Arbitrary File Download
Affected Plugin: Duplicator
Affected Versions: <= 1.3.26
CVSS Score: 7.5 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Patched Version: 1.3.28

A critical security update was recently issued for Duplicator, one of the most popular plugins in the WordPress ecosystem. Over a million WordPress sites were affected by a vulnerability allowing attackers to download arbitrary files from victim sites. We urge all Duplicator users to update to version 1.3.28 as soon as possible. We are detecting active exploitation of this vulnerability in the wild, and estimate more than half a million sites are still running a vulnerable version. Built-in firewall protection prevents these attacks […]

Zero-Day Vulnerability in ThemeREX Addons Plugin Exploited in the Wild
Description: Remote Code Execution
Affected Plugin: ThemeREX Addons
Affected Versions: Versions greater than 1.6.50
CVSS Score: 9.8 (Critical)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Patched Version: Currently No Patch

Today, February 18th, our Threat Intelligence team was notified of a vulnerability present in ThemeREX Addons, a WordPress plugin installed on an estimated 44,000 sites. This flaw allows attackers to remotely execute code on a site with the plugin installed, including the ability to execute code that can inject administrative user accounts. At the time of writing, this vulnerability is being actively exploited, therefore we urge users to temporarily remove the ThemeREX Addons plugin if you are running a […]

Vulnerability in wpCentral Plugin Leads to Privilege Escalation
Description: Improper Access Control to Privilege Escalation
Affected Plugin: wpCentral
Affected Versions: <= 1.5.0
CVE ID: CVE-2020-9043
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Patched Version: 1.5.1

On February 13th, our Threat Intelligence team discovered a vulnerability in wpCentral, a WordPress plugin installed on over 60,000 sites. The flaw allowed anybody to escalate their privileges to those of an administrator, including subscriber-level users, given that open registration was enabled on a WordPress site with the vulnerable plugin installed. The flaw also allowed for remote control of the site via the wpCentral administrative dashboard. This is considered an improper access control vulnerability that led to privilege escalation. […]

Critical Vulnerability In Profile Builder Plugin Allowed Site Takeover
Description: Unauthenticated Administrator Registration
Affected Plugin: Profile Builder (Free, Pro, and Hobbyist versions affected)
Affected Versions: <= 3.1.0
CVSS Score: 10.0 (Critical)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
Patched Version: 3.1.1

Earlier this week, a critical vulnerability was patched in the Profile Builder plugin for WordPress. This vulnerability affected the free version available on the repository, as well as the commercial Pro and Hobbyist variants. According to the WordPress repository, more than 50,000 sites are running the free version of Profile Builder, and our estimates suggest there are roughly 15,000 installations of the Pro and Hobbyist versions, for an estimated total of 65,000 affected sites. Profile Builder versions […]

Improper Access Controls in GDPR Cookie Consent Plugin
Description: Improper Access Controls
Affected Plugin: GDPR Cookie Consent
Affected Versions: <= 1.8.2
CVSS Score: 9.0 (Critical)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:L/UI:R/S:C/C:H/I:H/A:H
Patched Version: 1.8.3

The following post describes how improper access controls led to a stored cross-site scripting vulnerability in the GDPR Cookie Consent plugin, which came to light after the plugin was removed from the repository. The Wordfence team released a firewall rule to our Premium customers on February 10th. To help create awareness of this issue, we are disclosing details of this vulnerability today, now that a fix has been released and users who do not use Wordfence Premium have a clear upgrade path. A technical description of […]

Podcast Episode 64: Backdoors, Webshells, and the Growing Risks of Leaks & Breaches
We take a look at the annual hacked site report from GoDaddy's Sucuri Security and the types of malware they found in various CMS and shopping cart applications. Microsoft reports they're finding 77k webshells daily, and WP Scan's roundup lists a number of popular plugins and themes with recent vulnerabilities. A report from students at Harvard University exposes the growing risks of online leaks & breaches. Here are some timestamps if you want to jump around:

1:27 The 2019 hacked website report from our friends at GoDaddy's Sucuri Security
5:02 Microsoft says it detects over 77,000 active webshells daily
5:21 […]

High Severity CSRF to RCE Vulnerability Patched in Code Snippets Plugin
Description: Cross-Site Request Forgery to Remote Code Execution
Affected Plugin: Code Snippets
Affected Versions: <= 2.13.3
CVE ID: CVE-2020-8417
CVSS Score: 8.8 (High)
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:R/S:U/C:H/I:H/A:H
Patched Version: 2.14.0

On January 23rd, our Threat Intelligence team discovered a vulnerability in Code Snippets, a WordPress plugin installed on over 200,000 sites. The flaw allowed anybody to forge a request on behalf of an administrator and inject executable code on a vulnerable site. This is a Cross-Site Request Forgery (CSRF) to Remote Code Execution (RCE) vulnerability. We privately disclosed the full details to the plugin's developer on January 24th, who was quick to respond and released a patch […]