Fake plugin wave affecting WordPress sites

Recently our colleague Joshua Goode escalated to the Security Research team an investigation he was performing on several websites that presented the same indicators of compromise. There were small variations in what the final payload was, but the attack timeline was always the same.

Attack timeline

As Joshua initially pointed out and subsequently confirmed by me, the chain starts with the installation of the core-stab plugin, followed by other additional items. The following timeline depicts one of the many compromised sites we reviewed:

  •  Jan 10, 2023 @ 17:29:49.587 UTC – Core stab plugin upload – /wp-admin/update.php?action=upload-plugin
  • Jan 10, 2023 @ 17:29:52.270 – /wp-content/plugins/core-stab/index.php
  • Jan 11, 2023 @ 02:12:50.773 – /wp-admin/theme-install.php?tab=upload
  • Jan 11, 2023 @ 02:12:57.862 – Classic theme upload –  /wp-content/themes/classic/inc/index.php
  • Jan 11, 2023 @ 03:37:58.870 – Another core-stab install
  • Jan 11, 2023 @ 04:15:06.014 – Installation of a new plugin, task-controller, /wp-content/plugins/task-controller/index.php
  • Jan 11, 2023 @ 08:23:26.519 – Installation of WP File Manager (Unsure if by attacker but this plugin is typical with a lot of malware)

The most common “coincidence” is that all users involved in this attack had their emails listed on at least one public password leak since 2019, which only corroborates the overall findings: the attacker(s) used compromised or leaked accounts to install the malware.

You can find more details on how the core-stab malware works, as well as detailed detection and blocking information for WP security experts, via WPScan.

Testing and validating our Proof-of-Concept for the malicious code.

What to do if my site was infected?

If you find the core-stab plugin installed on your site, the first thing you should do is remove it and then follow these next steps:

  • Change all admin user’s passwords and make sure you’re using multi-factor authentication.
  • Review all WordPress users and remove the ones you don’t recognize (especially the admin ones).
  • Review for unused or unknown themes and plugins and remove anything unnecessary or unknown.
  • Reinstall all your plugins since they may have been compromised.
  • Review your theme for added or changed files that weren’t added or changed with your consent.
  • Reinstall WordPress core files.

Finally, at Jetpack, we work hard to make sure your websites are protected from these types of vulnerabilities. We recommend that you have a security plan for your site that includes malicious file scanning and backups. The Jetpack Security bundle is one great WordPress security option to ensure your site and visitors are safe. This product includes real-time malware scanning, site backups, comment and form spam protection from Akismet, brute force attack protection, and more.

Posted in scan, Security, Vulnerabilities | Tagged | Comments Off on Fake plugin wave affecting WordPress sites

Vulnerabilities Found in the 3DPrint Premium Plugin

The premium version of the WordPress plugin 3DPrint is vulnerable to Cross Site Request Forgery (CSRF) and directory traversal attacks when the file manager functionality is enabled. These vulnerabilities allow an attacker to delete or get access to arbitrary files and directories on the affected sites, including sensitive files like the site configuration files, which again could lead to a full site takeover.

Continue reading → Vulnerabilities Found in the 3DPrint Premium Plugin

Posted in Vulnerabilities | Comments Off on Vulnerabilities Found in the 3DPrint Premium Plugin

Capture the Flag at WordCamp Europe 2022

During WordCamp Europe 2022, we ran a WordPress Capture The Flag (CTF) competition across four challenges.

We wanted to introduce folks to the addictive world of CTF, and let people experience how security researchers approach bug hunting, such as looking for oddities in the code and combining them to do weird, sometimes counterintuitive things.

Challenge #1 – Are You Lucky?

Challenge #2 – Blocklist Bypass?

Challenge #3 – License to Capture the Flag

Challenge #4 – License to CTF: Part 2

Continue reading → Capture the Flag at WordCamp Europe 2022

Posted in Security, Vulnerabilities | Comments Off on Capture the Flag at WordCamp Europe 2022

Backdoor found in The School Management Pro plugin for WordPress

Versions before 9.9.7 of the WordPress plugin “The School Management Pro” from Weblizar contain a backdoor allowing an unauthenticated attacker to execute arbitrary PHP code on sites with the plugin installed. If you have an earlier version installed on your site, we recommend upgrading to version 9.9.7 or later immediately. This is a critical security issue.

Read on for the full details.

Continue reading → Backdoor found in The School Management Pro plugin for WordPress

Posted in Vulnerabilities | Tagged , , | Comments Off on Backdoor found in The School Management Pro plugin for WordPress

Severe Vulnerability Fixed In UpdraftPlus 1.22.3

During an internal audit of the UpdraftPlus plugin, we uncovered an arbitrary backup download vulnerability that could allow low-privileged users like subscribers to download a site’s latest backups.

If exploited, the vulnerability could grant attackers access to privileged information from the affected site’s database (e.g., usernames and hashed passwords).

We reported the vulnerability to the plugin’s authors, and they recently released version 1.22.3 to address it. Forced auto-updates have also been pushed due to the severity of this issue. If your site hasn’t already, we strongly recommend that you update to the latest version (1.22.3) and have an established security solution on your site, such as Jetpack Security.

You can find UpdraftPlus’ own advisory here.

Continue reading → Severe Vulnerability Fixed In UpdraftPlus 1.22.3

Posted in Vulnerabilities | Tagged , | Comments Off on Severe Vulnerability Fixed In UpdraftPlus 1.22.3

Backdoor Found in Themes and Plugins from AccessPress Themes

Update Feb. 1 – Changed the “Affected themes” section to reflect that new versions of the themes are starting to appear.

While investigating a compromised site we discovered some suspicious code in a theme by AccessPress Themes (aka Access Keys), a vendor with a large number of popular themes and plugins. On further investigation, we found that all the themes and most plugins from the vendor contained this suspicious code, but only if downloaded from their own website. The same extensions were fine if downloaded or installed directly from the WordPress.org directory.

Due to the way the extensions were compromised, we suspected an external attacker had breached the website of AccessPress Themes in an attempt to use their extensions to infect further sites.

We contacted the vendor immediately, but at first we did not receive a response. After escalating it to the WordPress.org plugin team, our suspicions were confirmed. AccessPress Themes websites were breached in the first half of September 2021, and the extensions available for download on their site were injected with a backdoor.

Once we had established a channel for communicating with the vendor, we shared our detailed findings with them. They immediately removed the offending extensions from their website.

Most of the plugins have since been updated, and known clean versions are listed towards the bottom of this post. However, the affected themes have not been updated, and are pulled from the WordPress.org theme repository. If you have any of the themes listed towards the bottom of this post installed on your site, we recommend migrating to a new theme as soon as possible.

This disclosure concerns a large number of extensions, both plugins and themes. Skip to the list below, or read on for the details.

Continue reading → Backdoor Found in Themes and Plugins from AccessPress Themes

Posted in Vulnerabilities | Tagged , | Comments Off on Backdoor Found in Themes and Plugins from AccessPress Themes

Severe Vulnerabilities Fixed in All In One SEO Plugin Version 4.1.5.3

During an internal audit of the All In One SEO plugin, we uncovered an SQL Injection vulnerability and a Privilege Escalation bug.

If exploited, the SQL Injection vulnerability could grant attackers access to privileged information from the affected site’s database (e.g., usernames and hashed passwords).

The Privilege Escalation bug we discovered may grant bad actors access to protected REST API endpoints they shouldn’t have access to. This could ultimately enable users with low-privileged accounts, like subscribers, to perform remote code execution on affected sites.

We reported the vulnerabilities to the plugin’s author via email, and they recently released version 4.1.5.3 to address them. We strongly recommend that you update to the latest plugin version and have an established security solution on your site, such as Jetpack Security.

Continue reading → Severe Vulnerabilities Fixed in All In One SEO Plugin Version 4.1.5.3

Posted in Vulnerabilities | Comments Off on Severe Vulnerabilities Fixed in All In One SEO Plugin Version 4.1.5.3

Security Issues Patched in Smash Balloon Social Post Feed Plugin

During an internal audit of the Smash Balloon Social Post Feed plugin (also known as Custom Facebook Feed), we discovered several sensitive AJAX endpoints were accessible to any users with an account on the vulnerable site, like subscribers. Some of these endpoints could enable Stored Cross-Site Scripting (XSS) attacks to occur. 

A successful Stored XSS attack could enable bad actors to store malicious scripts on every post and page of the affected site. If a logged-in administrator visits one of the affected URLs, the script may run on their browser and execute administrative actions on their behalf, like creating new administrators and installing rogue plugins.

We reported the vulnerabilities to this plugin’s author via email, and they recently released version 4.0.1 to address them. We strongly recommend that you update to the latest version of the Smash Balloon Social Post Feed plugin and have an established security solution on your site, such as Jetpack Security.

Continue reading → Security Issues Patched in Smash Balloon Social Post Feed Plugin

Posted in Security, Vulnerabilities | Tagged , , | Comments Off on Security Issues Patched in Smash Balloon Social Post Feed Plugin

Multiple vulnerabilities in WP Fastest Cache plugin

During an internal audit of the WP Fastest Cache plugin, we uncovered an Authenticated SQL Injection vulnerability and a Stored XSS (Cross-Site Scripting) via Cross-Site Request Forgery (CSRF) issue.

If exploited, the SQL Injection bug could grant attackers access to privileged information from the affected site’s database (e.g., usernames and hashed passwords). It can only be exploited if the classic-editor plugin is also installed and activated on the site. 

Successfully exploiting the CSRF & Stored XSS vulnerability could enable bad actors to perform any action the logged-in administrator they targeted is allowed to do on the targeted site.

We reported the vulnerabilities to this plugin’s author via email, and they recently released version 0.9.5 to address them. We strongly recommend that you update to the latest version of the plugin and have an established security solution on your site, such as Jetpack Security.

Continue reading → Multiple vulnerabilities in WP Fastest Cache plugin

Posted in Security, Vulnerabilities | Tagged , , | Comments Off on Multiple vulnerabilities in WP Fastest Cache plugin

CSRF Vulnerability Found in Software License Manager Plugin

Versions before 4.5.1 of the Software License Manager plugin for WordPress have an exploitable Cross-Site Request Forgery (CSRF) vulnerability. Any user logged in to a site with the vulnerable extension can, by clicking a link, be tricked to delete an entry in the plugin’s registered domain database table. The link can be distributed in an email, or on a website the victim user is likely to visit.

The good news is, there’s not much else that can be done by exploiting this weakness. And the attacker needs to know the id of the domain they wish to delete from the database beforehand. 

Still, we recommend anybody running version 4.5.0 or earlier of the plugin to upgrade as soon as possible.

Continue reading → CSRF Vulnerability Found in Software License Manager Plugin

Posted in Vulnerabilities | Tagged , , , | Comments Off on CSRF Vulnerability Found in Software License Manager Plugin
  • Enter your email address to follow this blog and receive news and updates from Jetpack!

    Join 111,350 other subscribers
  • Browse by Topic