The Official Facebook Chat Plugin Created Vector for Social Engineering Attacks

https://www.wordfence.com/blog/2020/08/the-official-facebook-chat-plugin-created-vector-for-social-engineering-attacks/

On June 26, 2020, our Threat Intelligence team discovered a vulnerability in The Official Facebook Chat Plugin, a WordPress plugin installed on over 80,000 sites. This flaw made it possible for low-level authenticated attackers to connect their own Facebook Messenger account to any site running the vulnerable plugin and engage in chats with site visitors on affected sites. We initially reached out to Facebook on June 26, 2020 and included the full disclosure details at the time of reaching out. They initially responded on June 30, 2020, and after much back and forth, Facebook released a patch on July 28, […]

Critical Vulnerability Exposes over 700,000 Sites Using Divi, Extra, and Divi Builder

https://www.wordfence.com/blog/2020/08/critical-vulnerability-exposes-over-700000-sites-using-divi-extra-and-divi-builder/

On July 23, 2020, our Threat Intelligence team discovered a vulnerability present in two themes by Elegant Themes, Divi and Extra, as well as Divi Builder, a WordPress plugin. Combined, these products are installed on an estimated 700,000 sites. This flaw gave authenticated attackers, with contributor-level or above capabilities, the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server. We initially reached out to Elegant Themes on July 23, 2020 and, after establishing an appropriate communication channel, we provided the full disclosure details on July 28, 2020. The developers responded on […]

Newsletter Plugin Vulnerabilities Affect Over 300,000 Sites

https://www.wordfence.com/blog/2020/08/newsletter-plugin-vulnerabilities-affect-over-300000-sites/

On July 13, 2020, our Threat Intelligence team was alerted to a recently patched vulnerability in Newsletter, a WordPress plugin with over 300,000 installations. While investigating this vulnerability, we discovered two additional, more serious vulnerabilities, including a reflected Cross-Site Scripting (XSS) vulnerability and a PHP Object Injection vulnerability. We reached out to the plugin’s author on July 15, 2020, and received a response the next day. After fully disclosing the vulnerability on July 16, 2020, the plugin’s author released a patch the next day, on July 17, 2020. A firewall rule to protect against the Reflected Cross-Site Scripting vulnerability was released […]

Episode 80: Critical File Upload Vulnerability in wpDiscuz Plugin

https://www.wordfence.com/blog/2020/07/episode-80-critical-file-upload-vulnerability-in-wpdiscuz-plugin/

In this week’s news, our Threat Intelligence team discovered a vulnerability in the wpDiscuz plugin, affecting over 80,000 WordPress sites. A blind SQL injection attack affected analytics service Waydev, exposing OAuth tokens for GitHub repositories for software companies, leading to further breaches. A debate about problematic admin notices on the WordPress admin dashboard has many wondering how to best solve the issue, while WordCamps move to all virtual in 2020. And finally, Garmin’s ransomware attack takes down more than step counting. Here are timestamps and links in case you’d like to jump around, and a transcript is below. 0:13 Critical file […]

Critical Arbitrary File Upload Vulnerability Patched in wpDiscuz Plugin

https://www.wordfence.com/blog/2020/07/critical-arbitrary-file-upload-vulnerability-patched-in-wpdiscuz-plugin/

On June 19th, our Threat Intelligence team discovered a vulnerability present in Comments – wpDiscuz, a WordPress plugin installed on over 80,000 sites. This flaw gave unauthenticated attackers the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server. We initially reached out to the plugin’s developer on June 18, 2020, and after establishing an appropriate communication channel, we provided the full disclosure details on June 19, 2020. The developers responded on June 20, 2020 to let us know a patch would be coming in version 7.0.4. After several follow-ups, an initial […]

High Severity Vulnerability Patched in TC Custom JavaScript

https://www.wordfence.com/blog/2020/07/high-severity-vulnerability-patched-in-tc-custom-javascript/

On June 12, 2020, Wordfence Threat Intelligence discovered an unauthenticated stored Cross-Site Scripting (XSS) vulnerability in TC Custom JavaScript, a WordPress plugin with over 10,000 installations. Wordfence Premium customers received a new firewall rule to provide protection against attacks targeting this vulnerability the same day. Wordfence users still using the free version received this rule after 30 days, on July 12, 2020. We attempted to contact the plugin’s developer the same day, on June 12, 2020, but we did not receive a response. After 10 days without an initial response, we contacted the WordPress Plugins team on June 22, 2020. An […]

Episode 79: High Profile Twitter Accounts Compromised in Coordinated Attack

https://www.wordfence.com/blog/2020/07/episode-79-high-profile-twitter-accounts-compromised-in-coordinated-attack/

A number of high profile Twitter accounts including those of Elon Musk, Apple, Uber, Bill Gates, Joe Biden and others were compromised as a part of a coordinated bitcoin scam attack. The attack lasted a few hours and netted the attackers about $100,000 worth of bitcoin. We talk about how this attack could have possibly happened and lessons for businesses with remote workers accessing company systems. We also talk about a vulnerability our Threat Intelligence team discovered in the All in One SEO Pack plugin used by over 2 million WordPress sites. This vulnerability could be used by a malicious […]

2 Million Users Affected by Vulnerability in All in One SEO Pack

https://www.wordfence.com/blog/2020/07/2-million-users-affected-by-vulnerability-in-all-in-one-seo-pack/

On July 10, 2020, our Threat Intelligence team discovered a vulnerability in All In One SEO Pack, a WordPress plugin installed on over 2 million sites. This flaw gave authenticated users with contributor-level access or above the ability to inject malicious scripts that would be executed if a victim accessed the wp-admin panel’s ‘all posts’ page. We reached out to the plugin’s team the same day of discovery, on July 10, 2020, and a patch was released just a few days later, on July 15, 2020. This is considered a medium severity security issue that, as with all XSS […]

XSS Flaw Impacting 100,000 Sites Patched in KingComposer

https://www.wordfence.com/blog/2020/07/xss-flaw-impacting-100000-sites-patched-in-kingcomposer/

On June 15, 2020, our Threat Intelligence team was made aware of a number of access control vulnerabilities that had recently been disclosed in KingComposer, a WordPress plugin installed on over 100,000 sites. During our investigation of these vulnerabilities, we discovered an unpatched reflected Cross-Site Scripting (XSS) vulnerability. Wordfence Premium customers received a new firewall rule the same day, protecting against the newly patched access control vulnerabilities as well as the unpatched Cross-Site Scripting vulnerability. Wordfence users still using the free version will receive this rule after 30 days, on July 15, 2020. We attempted to contact the plugin’s developers the […]

Critical Vulnerabilities Patched in Adning Advertising Plugin

https://www.wordfence.com/blog/2020/07/critical-vulnerabilities-patched-in-adning-advertising-plugin/

On June 24, 2020, our Threat Intelligence team was made aware of a possible vulnerability in the Adning Advertising plugin, a premium plugin with over 8,000 customers. We eventually discovered 2 vulnerabilities, one of which was a critical vulnerability that allowed an unauthenticated attacker to upload arbitrary files, leading to Remote Code Execution (RCE), which could allow complete site takeover. The next day, on June 25, 2020, we privately disclosed these vulnerabilities to the plugin’s author, Tunafish. A patched version was made available in less than 24 hours, on June 26, 2020. We strongly recommend updating to the latest version of […]