Backdoor found in The School Management Pro plugin for WordPress

Versions before 9.9.7 of the WordPress plugin “The School Management Pro” from Weblizar contain a backdoor allowing an unauthenticated attacker to execute arbitrary PHP code on sites with the plugin installed. If you have an earlier version installed on your site, we recommend upgrading to version 9.9.7 or later immediately. This is a critical security issue.

Read on for the full details.



Severe Vulnerability Fixed In UpdraftPlus 1.22.3

During an internal audit of the UpdraftPlus plugin, we uncovered an arbitrary backup download vulnerability that could allow low-privileged users like subscribers to download a site’s latest backups.

If exploited, the vulnerability could grant attackers access to privileged information from the affected site’s database (e.g., usernames and hashed passwords).

We reported the vulnerability to the plugin’s authors, and they recently released version 1.22.3 to address it. Forced auto-updates have also been pushed due to the severity of this issue. If your site hasn’t already, we strongly recommend that you update to the latest version (1.22.3) and have an established security solution on your site, such as Jetpack Security.

You can find UpdraftPlus’ own advisory here.


Backdoor Found in Themes and Plugins from AccessPress Themes

Update Feb. 1 – Changed the “Affected themes” section to reflect that new versions of the themes are starting to appear.

While investigating a compromised site we discovered some suspicious code in a theme by AccessPress Themes (aka Access Keys), a vendor with a large number of popular themes and plugins. On further investigation, we found that all the themes and most plugins from the vendor contained this suspicious code, but only if downloaded from their own website. The same extensions were fine if downloaded or installed directly from the WordPress.org directory.

Due to the way the extensions were compromised, we suspected an external attacker had breached the website of AccessPress Themes in an attempt to use their extensions to infect further sites.

We contacted the vendor immediately, but at first we did not receive a response. After escalating it to the WordPress.org plugin team, our suspicions were confirmed. AccessPress Themes websites were breached in the first half of September 2021, and the extensions available for download on their site were injected with a backdoor.

Once we had established a channel for communicating with the vendor, we shared our detailed findings with them. They immediately removed the offending extensions from their website.

Most of the plugins have since been updated, and known clean versions are listed towards the bottom of this post. However, the affected themes have not been updated and have been pulled from the WordPress.org theme repository. If you have any of the themes listed towards the bottom of this post installed on your site, we recommend migrating to a new theme as soon as possible.

This disclosure concerns a large number of extensions, both plugins and themes. Skip to the list below, or read on for the details.


Severe Vulnerabilities Fixed in All In One SEO Plugin Version 4.1.5.3

During an internal audit of the All In One SEO plugin, we uncovered an SQL Injection vulnerability and a Privilege Escalation bug.

If exploited, the SQL Injection vulnerability could grant attackers access to privileged information from the affected site’s database (e.g., usernames and hashed passwords).

The Privilege Escalation bug we discovered may grant bad actors access to protected REST API endpoints they shouldn’t have access to. This could ultimately enable users with low-privileged accounts, like subscribers, to perform remote code execution on affected sites.

We reported the vulnerabilities to the plugin’s author via email, and they recently released version 4.1.5.3 to address them. We strongly recommend that you update to the latest plugin version and have an established security solution on your site, such as Jetpack Security.


Security Issues Patched in Smash Balloon Social Post Feed Plugin

During an internal audit of the Smash Balloon Social Post Feed plugin (also known as Custom Facebook Feed), we discovered that several sensitive AJAX endpoints were accessible to any user with an account on the vulnerable site, such as subscribers. Some of these endpoints could enable Stored Cross-Site Scripting (XSS) attacks.

A successful Stored XSS attack could enable bad actors to store malicious scripts on every post and page of the affected site. If a logged-in administrator visits one of the affected URLs, the script may run in their browser and execute administrative actions on their behalf, like creating new administrators and installing rogue plugins.

We reported the vulnerabilities to this plugin’s author via email, and they recently released version 4.0.1 to address them. We strongly recommend that you update to the latest version of the Smash Balloon Social Post Feed plugin and have an established security solution on your site, such as Jetpack Security.


Multiple vulnerabilities in WP Fastest Cache plugin

During an internal audit of the WP Fastest Cache plugin, we uncovered an Authenticated SQL Injection vulnerability and a Stored XSS (Cross-Site Scripting) via Cross-Site Request Forgery (CSRF) issue.

If exploited, the SQL Injection bug could grant attackers access to privileged information from the affected site’s database (e.g., usernames and hashed passwords). It can only be exploited if the classic-editor plugin is also installed and activated on the site.

Successfully exploiting the CSRF & Stored XSS vulnerability could enable bad actors to perform any action the logged-in administrator they targeted is allowed to do on the targeted site.

We reported the vulnerabilities to this plugin’s author via email, and they recently released version 0.9.5 to address them. We strongly recommend that you update to the latest version of the plugin and have an established security solution on your site, such as Jetpack Security.


CSRF Vulnerability Found in Software License Manager Plugin

Versions before 4.5.1 of the Software License Manager plugin for WordPress have an exploitable Cross-Site Request Forgery (CSRF) vulnerability. Any user logged in to a site with the vulnerable extension can, by clicking a link, be tricked into deleting an entry in the plugin’s registered domain database table. The link can be distributed in an email, or on a website the victim user is likely to visit.

The good news is that there’s not much else that can be done by exploiting this weakness, and the attacker needs to know the ID of the domain they wish to delete from the database beforehand.

Still, we recommend anybody running version 4.5.0 or earlier of the plugin to upgrade as soon as possible.


Malware using the REST API for Remote Code Execution

This week, Jetpack Scan flagged the license file of a premium extension, and the customer reached out to ask us for more information about it. So I put my detective hat on to investigate.

It is not unusual to stumble upon suspicious code that only ended up being an overprotective developer trying to hide code through common obfuscation methods. This is even more common when analyzing license management code. But in this case, it turned out to be something a bit more sinister.


Arbitrary Role Change/Privilege Escalation in HM Multiple Roles WordPress plugin

While investigating a security advisory about an arbitrary role change/privilege escalation issue in the HM Multiple Roles WordPress plugin, the Jetpack Scan team discovered that the fix was incomplete and left the plugin still vulnerable.

The issue is fully fixed in version 1.3 of the plugin, and we advise any sites using any earlier version of this plugin to update as soon as possible.


Severe Vulnerability Patched In WooCommerce Currency Switcher

During an internal audit of the woocommerce-currency-switcher plugin, we uncovered a very severe local file inclusion vulnerability.

This security flaw could enable attackers to leak sensitive information like database credentials, cryptographic keys, and may allow arbitrary code execution in some instances.

We reported the vulnerability to the WOOCS team via email last week, and they released version 1.3.7 to fix this issue. If you are using an older version of this plugin, we encourage you to update immediately.
