During an internal audit of the Smash Balloon Social Post Feed plugin (also known as Custom Facebook Feed), we discovered several sensitive AJAX endpoints were accessible to any users with an account on the vulnerable site, like subscribers. Some of these endpoints could enable Stored Cross-Site Scripting (XSS) attacks to occur.
A successful Stored XSS attack could enable bad actors to store malicious scripts on every post and page of the affected site. If a logged-in administrator visits one of the affected URLs, the script may run on their browser and execute administrative actions on their behalf, like creating new administrators and installing rogue plugins.
We reported the vulnerabilities to this plugin’s author via email, and they recently released version 4.0.1 to address them. We strongly recommend that you update to the latest version of the Smash Balloon Social Post Feed plugin and have an established security solution on your site, such as Jetpack Security.
Continue reading → Security Issues Patched in Smash Balloon Social Post Feed Plugin
During an internal audit of the WP Fastest Cache plugin, we uncovered an Authenticated SQL Injection vulnerability and a Stored XSS (Cross-Site Scripting) via Cross-Site Request Forgery (CSRF) issue.
If exploited, the SQL Injection bug could grant attackers access to privileged information from the affected site’s database (e.g., usernames and hashed passwords). It can only be exploited if the classic-editor plugin is also installed and activated on the site.
Successfully exploiting the CSRF & Stored XSS vulnerability could enable bad actors to perform any action the logged-in administrator they targeted is allowed to do on the targeted site.
We reported the vulnerabilities to this plugin’s author via email, and they recently released version 0.9.5 to address them. We strongly recommend that you update to the latest version of the plugin and have an established security solution on your site, such as Jetpack Security.
Continue reading → Multiple vulnerabilities in WP Fastest Cache plugin
Versions before 4.5.1 of the Software License Manager plugin for WordPress have an exploitable Cross-Site Request Forgery (CSRF) vulnerability. Any user logged in to a site with the vulnerable extension can, by clicking a link, be tricked to delete an entry in the plugin’s registered domain database table. The link can be distributed in an email, or on a website the victim user is likely to visit.
The good news is, there’s not much else that can be done by exploiting this weakness. And the attacker needs to know the id of the domain they wish to delete from the database beforehand.
Still, we recommend anybody running version 4.5.0 or earlier of the plugin to upgrade as soon as possible.
Continue reading → CSRF Vulnerability Found in Software License Manager Plugin
This week, Jetpack Scan flagged the license file of a premium extension, and the customer reached out to ask us for more information about it. So I put my detective hat on to investigate.
It is not unusual to stumble upon suspicious code that only ended up being an overprotective developer trying to hide code through common obfuscation methods. This is even more common when analyzing license management code. But in this case, it turned out to be something a bit more sinister.
Continue reading → Malware using the REST API for Remote Code Execution
While investigating a security advisory about an arbitrary role change/privilege escalation issue in the HM Multiple Roles WordPress plugin, the Jetpack Scan team discovered that the fix was incomplete and left the plugin still vulnerable.
The issue is fully fixed in version 1.3 of the plugin, and we advise any sites using any earlier version of this plugin to update as soon as possible.
Continue reading → Arbitrary Role Change/Privilege Escalation in HM Multiple Roles WordPress plugin
During an internal audit of the woocommerce-currency-switcher plugin, we uncovered a very severe local file inclusion vulnerability.
This security flaw could enable attackers to leak sensitive information like database credentials, cryptographic keys, and may allow arbitrary code execution in some instances.
We reported the vulnerabilities to the WOOCS team via email last week, and they released version 1.3.7 to fix this issue. If you are using an older version of this plugin, we encourage you to update immediately.
Continue reading → Severe Vulnerability Patched In WooCommerce Currency Switcher
Recently the Jetpack team found some infected files in one of our hosted customers’ sites, and quickly traced the source of infection back to the Workreap theme by Amentotech. We started an investigation and uncovered a number of vulnerable AJAX endpoints in the theme; the most severe of these was an unauthenticated unvalidated upload vulnerability potentially leading to remote code execution and a full site takeover.
We reported the vulnerabilities to the Amentotech team via the Envato Helpful Hacker program, and the issues were addressed promptly by them. Version 2.2.2 of the theme was released on June 29, 2021 that fixes the found vulnerabilities.
Due to the seriousness of the vulnerabilities, we highly recommend all users of the Workreap theme to upgrade to version 2.2.2 or later as soon as possible.
Download the upgrade from the theme website and install it manually, or upgrade automatically via the Envato market plugin.
Continue reading → Multiple vulnerabilities in Workreap theme by Amentotech
Earlier in 2021, I shared how an attacker could leverage leaked or weak credentials to install fake plugins on a compromised site. Although the plugin featured in that blog post has shown some small changes since it was posted, attackers can upload a variety of malicious software using the same method; so in this article, I’ll share with you another recent example (thanks to Luke Leal for sharing it with me).
Continue reading → Fake Plugin Alert: WordPress Plugin and User Backup Tool
During an audit of the Motor theme (full name “Motor – Cars, Parts, Service, Equipments and Accessories WooCommerce Store” by Stockware) for WordPress, we found a number of rather severe vulnerabilities.
These vulnerabilities would allow an unauthenticated attacker complete read access to files on the file system of the site host, and would also allow them to run any PHP scripts found in the file system. We did not identify any upload vulnerabilities in the Motor theme, but paired with other vulnerable plugins this could allow for a complete takeover of the vulnerable site.
We disclosed these vulnerabilities to the theme store who then contacted the theme vendor with our findings. A fixed version of the theme was released as version 3.1 on June 3, 2021. We encourage everybody using this theme to upgrade to the latest version immediately!
Continue reading → Vulnerabilities Found in Motor WordPress Theme < 3.1
Back on April 20th, 2021, our friends at WPScan reported a severe vulnerability on Kaswara Modern VC Addons, also known as Kaswara Modern WPBakery Page Builder Addons. It is not available anymore at Codecanyon/Envato, meaning that if you have this running, you must choose an alternative.
This vulnerability allows unauthenticated users to upload arbitrary files to the plugin’s icon directory (./wp-content/uploads/kaswara/icons). This is the first Indicator Of Compromise (IOC) our friends at WPScan shared with us in their report.
The ability to upload arbitrary files to a website gives the bad actor full control over the site, which makes it hard to define the final payload of this infection; thus, we’ll show you everything we found so far (we got a little carried away on the research, so feel free to jump to the IOC section if you don’t want to read through).
Continue reading → Vulnerable Kaswara Modern WPBakery Page Builder Addons Plugin Being Exploited in the Wild