Episode 91: How Hackers Can Use CSRF Vulnerabilities and Spearphishing to Wreak Havoc on WordPress

https://www.wordfence.com/blog/2020/10/episode-91-how-hackers-can-use-csrf-vulnerabilities-and-spearphishing-to-wreak-havoc-on-wordpress/

On this week’s episode of Think Like a Hacker, we chat about the cross-site request forgery (CSRF) vulnerability found in the Child Theme Creator by Orbisius and how attackers could use a vulnerability like this with spearphishing to wreak havoc, much like the phishing campaigns now being found on the Canva design platform. With WordPress adding application passwords for REST API authentication, we discuss the benefits coming with this capability in WordPress version 5.6. We also consider the ramifications of the critical, wormable RCE bug patched by Microsoft, and how attackers are actively attacking the recent zerologon vulnerability that was […]

High Severity Vulnerability Patched in Child Theme Creator by Orbisius

https://www.wordfence.com/blog/2020/10/high-severity-vulnerability-patched-in-child-theme-creator-by-orbisius/

On September 9, 2020, our Threat Intelligence team discovered a vulnerability in Child Theme Creator by Orbisius, a WordPress plugin installed on over 30,000 sites. This flaw gave attackers the ability to forge requests on behalf of an administrator in order to modify arbitrary theme files and create new PHP files, which could allow an attacker to achieve remote code execution (RCE) on a vulnerable site’s server. We initially reached out to the plugin’s developer on September 9th, 2020. After establishing an appropriate communication channel, we provided the full disclosure details on September 10, 2020. The developer provided us with […]

Episode 90: WPBakery Plugin Vulnerability Exposes Over 4 Million Sites

https://www.wordfence.com/blog/2020/10/episode-90-wpbakery-plugin-vulnerability-exposes-over-4-million-sites/

A vulnerability discovered by the Wordfence Threat Intelligence team in the WPBakery plugin exposes over 4 million sites. High severity vulnerabilities were discovered in the Post Grid and Team Showcase plugins. The online avatar service Gravatar, has been exposed to a user enumeration technique, which could be abused to collect data on its users’ profiles, and a card skimmer was found on Boom! Mobile’s web site, putting customer card data at risk. Here are timestamps and links in case you’d like to jump around, and a transcript is below. 0:12 Vulnerability Exposes Over 4 Million Sites Using WPBakery Plugin 1:50 […]

Vulnerability Exposes Over 4 Million Sites Using WPBakery

https://www.wordfence.com/blog/2020/10/vulnerability-exposes-over-4-million-sites-using-wpbakery/

On July 27th, our Threat Intelligence team discovered a vulnerability in WPBakery, a WordPress plugin installed on over 4.3 million sites. This flaw made it possible for authenticated attackers with contributor-level or above permissions to inject malicious JavaScript in posts. We initially reached out to the plugin’s team on July 28, 2020 through their support forum. After receiving confirmation of the appropriate support channel, we disclosed the full details on July 29, 2020. They confirmed the vulnerability and reported that their development team had begun working on a fix on July 31, 2020. After a long period of correspondence with […]

High Severity Vulnerabilities in Post Grid and Team Showcase Plugins

https://www.wordfence.com/blog/2020/10/high-severity-vulnerabilities-in-post-grid-and-team-showcase-plugins/

On September 14, 2020, our Threat Intelligence team discovered two high severity vulnerabilities in Post Grid, a WordPress plugin with over 60,000 installations. While investigating one of these vulnerabilities, we discovered that almost identical vulnerabilities were also present in Team Showcase, a separate plugin by the same author with over 6,000 installations. We initially reached out to the plugin’s developer, PickPlugins, on September 16, 2020 and provided full disclosure the next day. Patches for both plugins were made available only a few hours after we provided disclosure on September 17, 2020. Wordfence Premium users received a firewall rule protecting both […]

Episode 89: Shopify Rogue Employees, Medium and Twitter Vulnerabilities, and Hackers Hiding Out in Corporate Networks

https://www.wordfence.com/blog/2020/10/episode-89-shopify-rogue-employees-medium-and-twitter-vulnerabilities-and-hackers-hiding-out-in-corporate-networks/

Shopify reports that two rogue employees stole data from 200 merchants on their platform. A security researcher found a vulnerability in the Medium Partner Program could have allowed an attacker to steal writers’ earnings. Symantec reports that a state-sponsored hacking group has been hiding out in company networks as a part of an information-stealing campaign. And Twitter reports that an API bug exposed app keys and tokens via a caching issue. Here are timestamps and links in case you’d like to jump around, and a transcript is below.0:12 Shopify Says ‘Rogue’ Employees Stole Data From Merchants1:15 Flaw in Medium Partner […]

Common Ways Attackers Are Stealing Credentials

https://www.wordfence.com/blog/2020/10/common-ways-attackers-are-stealing-credentials/

A few weeks ago, we reviewed some of the worst website hacks we’ve ever seen. Every one of them started with poor password choices and escalated into a disastrous event for the site owner. Strong passwords and good password hygiene are often the first line of defense. On September 29, 2020, the Wordfence Live team covered the 10 Worst Password Mistakes We’ve Ever Seen. This companion blog post reviews the most Common Ways Attackers Are Stealing Credentials to shed some light on common ways malicious actors are obtaining passwords so that you can make better decisions about your credentials We […]

Episode 88: XCloner Vulnerabilities, LokiBot Malware, & a 14 Year Old Nets a $25K Bug Bounty

https://www.wordfence.com/blog/2020/09/episode-88-xcloner-vulnerabilities-lokibot-malware-a-14-year-old-nets-a-25k-bug-bounty/

Our Threat Intelligence team discovered several vulnerabilities present in XCloner Backup and Restore, a WordPress plugin installed on over 30,000 sites. These vulnerabilities could have allowed an attacker to modify arbitrary files, including PHP files. The US government Cybersecurity and Infrastructure Security Agency is warning of detected persistent malicious activity traced back to LokiBot infections. An upcoming API change will break Facebook and Instagram oEmbed links across the web beginning October 24. Google has launched the Web Stories for WordPress plugin with a drag-and-drop, WYSIWYG interface for making full-screen, tappable content. Drupal patches a critical reflected XSS vulnerability. And a […]

Critical Vulnerabilities Patched in XCloner Backup and Restore Plugin

https://www.wordfence.com/blog/2020/09/critical-vulnerabilities-patched-in-xcloner-backup-and-restore-plugin/

On August 14, our Threat Intelligence team discovered several vulnerabilities present in XCloner Backup and Restore, a WordPress plugin installed on over 30,000 sites. This flaw gave authenticated attackers, with subscriber-level or above capabilities, the ability to modify arbitrary files, including PHP files. Doing so would allow an attacker to achieve remote code execution on a vulnerable site’s server. Alternatively, an attacker could create an exploit chain to obtain a database dump due to the same unprotected AJAX endpoint, amongst other things. The plugin also contained several endpoints that were vulnerable to cross-site request forgery (CSRF). We initially reached out […]

Episode 87: Vulnerabilities Affect Discount Rules for WooCommerce Plugin, ModSecurity & Windows

https://www.wordfence.com/blog/2020/09/episode-87-vulnerabilities-affect-discount-rules-for-woocommerce-plugin-modsecurity-windows/

Vulnerabilities were recently patched in the Discount Rules for WooCommerce plugin installed on over 40,000 WordPress sites. Developers from OWASP Core Rule Set said ModSecurity v3 is exposed to denial of service exploits, though the maintainers of ModSecurity reject that claim. A severe vulnerability called Zerologon in Windows Netlogon was patched in August; this bug could be exploited to attack enterprise servers. And a security researcher also discovered that the Windows TCPIP Finger command can also function as a file downloader and a makeshift command and control server. Last weekend, nearly 2,000 Magento stores were compromised in the largest hacking […]