Fake plugin wave affecting WordPress sites

Recently our colleague Joshua Goode escalated to the Security Research team an investigation he was performing on several websites that presented the same indicators of compromise. There were small variations in what the final payload was, but the attack timeline was always the same.

Attack timeline

As Joshua initially pointed out and subsequently confirmed by me, the chain starts with the installation of the core-stab plugin, followed by other additional items. The following timeline depicts one of the many compromised sites we reviewed:

  •  Jan 10, 2023 @ 17:29:49.587 UTC – Core stab plugin upload – /wp-admin/update.php?action=upload-plugin
  • Jan 10, 2023 @ 17:29:52.270 – /wp-content/plugins/core-stab/index.php
  • Jan 11, 2023 @ 02:12:50.773 – /wp-admin/theme-install.php?tab=upload
  • Jan 11, 2023 @ 02:12:57.862 – Classic theme upload –  /wp-content/themes/classic/inc/index.php
  • Jan 11, 2023 @ 03:37:58.870 – Another core-stab install
  • Jan 11, 2023 @ 04:15:06.014 – Installation of a new plugin, task-controller, /wp-content/plugins/task-controller/index.php
  • Jan 11, 2023 @ 08:23:26.519 – Installation of WP File Manager (Unsure if by attacker but this plugin is typical with a lot of malware)

The most common “coincidence” is that all users involved in this attack had their emails listed on at least one public password leak since 2019, which only corroborates the overall findings: the attacker(s) used compromised or leaked accounts to install the malware.

You can find more details on how the core-stab malware works, as well as detailed detection and blocking information for WP security experts, via WPScan.

Testing and validating our Proof-of-Concept for the malicious code.

What to do if my site was infected?

If you find the core-stab plugin installed on your site, the first thing you should do is remove it and then follow these next steps:

  • Change all admin user’s passwords and make sure you’re using multi-factor authentication.
  • Review all WordPress users and remove the ones you don’t recognize (especially the admin ones).
  • Review for unused or unknown themes and plugins and remove anything unnecessary or unknown.
  • Reinstall all your plugins since they may have been compromised.
  • Review your theme for added or changed files that weren’t added or changed with your consent.
  • Reinstall WordPress core files.

Finally, at Jetpack, we work hard to make sure your websites are protected from these types of vulnerabilities. We recommend that you have a security plan for your site that includes malicious file scanning and backups. The Jetpack Security bundle is one great WordPress security option to ensure your site and visitors are safe. This product includes real-time malware scanning, site backups, comment and form spam protection from Akismet, brute force attack protection, and more.

Posted in scan, Security, Vulnerabilities | Tagged | Comments Off on Fake plugin wave affecting WordPress sites

Backdoor found in The School Management Pro plugin for WordPress

Versions before 9.9.7 of the WordPress plugin “The School Management Pro” from Weblizar contain a backdoor allowing an unauthenticated attacker to execute arbitrary PHP code on sites with the plugin installed. If you have an earlier version installed on your site, we recommend upgrading to version 9.9.7 or later immediately. This is a critical security issue.

Read on for the full details.

Continue reading → Backdoor found in The School Management Pro plugin for WordPress

Posted in Vulnerabilities | Tagged , , | Comments Off on Backdoor found in The School Management Pro plugin for WordPress

Severe Vulnerability Fixed In UpdraftPlus 1.22.3

During an internal audit of the UpdraftPlus plugin, we uncovered an arbitrary backup download vulnerability that could allow low-privileged users like subscribers to download a site’s latest backups.

If exploited, the vulnerability could grant attackers access to privileged information from the affected site’s database (e.g., usernames and hashed passwords).

We reported the vulnerability to the plugin’s authors, and they recently released version 1.22.3 to address it. Forced auto-updates have also been pushed due to the severity of this issue. If your site hasn’t already, we strongly recommend that you update to the latest version (1.22.3) and have an established security solution on your site, such as Jetpack Security.

You can find UpdraftPlus’ own advisory here.

Continue reading → Severe Vulnerability Fixed In UpdraftPlus 1.22.3

Posted in Vulnerabilities | Tagged , | Comments Off on Severe Vulnerability Fixed In UpdraftPlus 1.22.3

Why You Should Avoid Using Nulled Plugins and Themes

It’s a general rule that if something seems too good to be true, it probably is. That’s especially true when it comes to nulled themes and plugins for WordPress sites. What can seem like a great deal on software can damage your website and result in more problems and costs than any potential savings. For safety and security, it’s important to be able to identify and avoid nulled software.

Continue reading → Why You Should Avoid Using Nulled Plugins and Themes

Posted in Security | Tagged | Comments Off on Why You Should Avoid Using Nulled Plugins and Themes

Security Issues Patched in Smash Balloon Social Post Feed Plugin

During an internal audit of the Smash Balloon Social Post Feed plugin (also known as Custom Facebook Feed), we discovered several sensitive AJAX endpoints were accessible to any users with an account on the vulnerable site, like subscribers. Some of these endpoints could enable Stored Cross-Site Scripting (XSS) attacks to occur. 

A successful Stored XSS attack could enable bad actors to store malicious scripts on every post and page of the affected site. If a logged-in administrator visits one of the affected URLs, the script may run on their browser and execute administrative actions on their behalf, like creating new administrators and installing rogue plugins.

We reported the vulnerabilities to this plugin’s author via email, and they recently released version 4.0.1 to address them. We strongly recommend that you update to the latest version of the Smash Balloon Social Post Feed plugin and have an established security solution on your site, such as Jetpack Security.

Continue reading → Security Issues Patched in Smash Balloon Social Post Feed Plugin

Posted in Security, Vulnerabilities | Tagged , , | Comments Off on Security Issues Patched in Smash Balloon Social Post Feed Plugin

Multiple vulnerabilities in WP Fastest Cache plugin

During an internal audit of the WP Fastest Cache plugin, we uncovered an Authenticated SQL Injection vulnerability and a Stored XSS (Cross-Site Scripting) via Cross-Site Request Forgery (CSRF) issue.

If exploited, the SQL Injection bug could grant attackers access to privileged information from the affected site’s database (e.g., usernames and hashed passwords). It can only be exploited if the classic-editor plugin is also installed and activated on the site. 

Successfully exploiting the CSRF & Stored XSS vulnerability could enable bad actors to perform any action the logged-in administrator they targeted is allowed to do on the targeted site.

We reported the vulnerabilities to this plugin’s author via email, and they recently released version 0.9.5 to address them. We strongly recommend that you update to the latest version of the plugin and have an established security solution on your site, such as Jetpack Security.

Continue reading → Multiple vulnerabilities in WP Fastest Cache plugin

Posted in Security, Vulnerabilities | Tagged , , | Comments Off on Multiple vulnerabilities in WP Fastest Cache plugin

CSRF Vulnerability Found in Software License Manager Plugin

Versions before 4.5.1 of the Software License Manager plugin for WordPress have an exploitable Cross-Site Request Forgery (CSRF) vulnerability. Any user logged in to a site with the vulnerable extension can, by clicking a link, be tricked to delete an entry in the plugin’s registered domain database table. The link can be distributed in an email, or on a website the victim user is likely to visit.

The good news is, there’s not much else that can be done by exploiting this weakness. And the attacker needs to know the id of the domain they wish to delete from the database beforehand. 

Still, we recommend anybody running version 4.5.0 or earlier of the plugin to upgrade as soon as possible.

Continue reading → CSRF Vulnerability Found in Software License Manager Plugin

Posted in Vulnerabilities | Tagged , , , | Comments Off on CSRF Vulnerability Found in Software License Manager Plugin

Multiple vulnerabilities in Workreap theme by Amentotech

Recently the Jetpack team found some infected files in one of our hosted customers’ sites, and quickly traced the source of infection back to the Workreap theme by Amentotech. We started an investigation and uncovered a number of vulnerable AJAX endpoints in the theme; the most severe of these was an unauthenticated unvalidated upload vulnerability potentially leading to remote code execution and a full site takeover.

We reported the vulnerabilities to the Amentotech team via the Envato Helpful Hacker program, and the issues were addressed promptly by them. Version 2.2.2 of the theme was released on June 29, 2021 that fixes the found vulnerabilities.

TL;DR

Due to the seriousness of the vulnerabilities, we highly recommend all users of the Workreap theme to upgrade to version 2.2.2 or later as soon as possible. 

Download the upgrade from the theme website and install it manually, or upgrade automatically via the Envato market plugin.

Continue reading → Multiple vulnerabilities in Workreap theme by Amentotech

Posted in Vulnerabilities | Tagged , , | Comments Off on Multiple vulnerabilities in Workreap theme by Amentotech
Jetpack New Release

Jetpack 9.8: Engage your audience with WordPress Stories

At Jetpack, we are continuously working to develop a better product for you and your website. This month, we bring the popular Story Block to the web editor, a feature previously exclusive to mobile. This release also includes a fix for a security vulnerability for the Carousel feature.

We consequently encourage you to update all sites that you administer as soon as possible.

Continue reading → Jetpack 9.8: Engage your audience with WordPress Stories

Posted in Releases, Security | Tagged , , | 3 Comments
Jetpack plugin features

What Does the Jetpack Plugin Do?

One of the greatest benefits of WordPress is its extendability — there’s a plugin for nearly any task you could imagine so you can build a website that accomplishes anything that you want. 

Does this mean you should load up on plugins? No. The more plugins you have, the slower your site loads, which negatively impacts your visitors’ experience. And some plugins can conflict with one another or with your theme, leading to errors or downtime.

That’s why Jetpack is a great option for WordPress sites: with dozens of tools in a single plugin, it provides a ton of functionality without weighing down your site.

Continue reading → What Does the Jetpack Plugin Do?

Posted in Features | Tagged , , , , | 4 Comments
  • Enter your email address to follow this blog and receive news and updates from Jetpack!

    Join 111,350 other subscribers
  • Browse by Topic