During an internal audit of the woocommerce-currency-switcher plugin, we uncovered a very severe local file inclusion vulnerability.
This flaw could let attackers read sensitive information such as database credentials and cryptographic keys, and in some instances could lead to arbitrary code execution.
We reported the vulnerabilities to the WOOCS team via email last week, and they released version 1.3.7 to fix this issue. If you are using an older version of this plugin, we encourage you to update immediately.
Continue reading → Severe Vulnerability Patched In WooCommerce Currency Switcher
Recently the Jetpack team found some infected files in one of our hosted customers’ sites, and quickly traced the source of infection back to the Workreap theme by Amentotech. We started an investigation and uncovered a number of vulnerable AJAX endpoints in the theme; the most severe of these was an unauthenticated unvalidated upload vulnerability potentially leading to remote code execution and a full site takeover.
We reported the vulnerabilities to the Amentotech team via the Envato Helpful Hacker program, and they addressed the issues promptly. Version 2.2.2 of the theme, which fixes the reported vulnerabilities, was released on June 29, 2021.
Due to the seriousness of the vulnerabilities, we strongly recommend that all users of the Workreap theme upgrade to version 2.2.2 or later as soon as possible.
Download the upgrade from the theme website and install it manually, or upgrade automatically via the Envato market plugin.
Continue reading → Multiple vulnerabilities in Workreap theme by Amentotech
Earlier in 2021, I shared how an attacker could leverage leaked or weak credentials to install fake plugins on a compromised site. Although the plugin featured in that blog post has shown some small changes since it was posted, attackers can upload a variety of malicious software using the same method; so in this article, I’ll share with you another recent example (thanks to Luke Leal for sharing it with me).
Continue reading → Fake Plugin Alert: WordPress Plugin and User Backup Tool
During an audit of the Motor theme (full name “Motor – Cars, Parts, Service, Equipments and Accessories WooCommerce Store” by Stockware) for WordPress, we found a number of rather severe vulnerabilities.
These vulnerabilities would allow an unauthenticated attacker complete read access to files on the file system of the site host, and would also allow them to run any PHP scripts found in the file system. We did not identify any upload vulnerabilities in the Motor theme, but paired with other vulnerable plugins this could allow for a complete takeover of the vulnerable site.
We disclosed these vulnerabilities to the theme store who then contacted the theme vendor with our findings. A fixed version of the theme was released as version 3.1 on June 3, 2021. We encourage everybody using this theme to upgrade to the latest version immediately!
Continue reading → Vulnerabilities Found in Motor WordPress Theme < 3.1
Back on April 20th, 2021, our friends at WPScan reported a severe vulnerability in Kaswara Modern VC Addons, also known as Kaswara Modern WPBakery Page Builder Addons. The plugin is no longer available on Codecanyon/Envato, meaning that if you have it running, you must choose an alternative.
This vulnerability allows unauthenticated users to upload arbitrary files to the plugin’s icon directory (./wp-content/uploads/kaswara/icons). This is the first Indicator Of Compromise (IOC) our friends at WPScan shared with us in their report.
The ability to upload arbitrary files to a website gives the bad actor full control over the site, which makes it hard to define the final payload of this infection; thus, we’ll show you everything we found so far (we got a little carried away on the research, so feel free to jump to the IOC section if you don’t want to read through).
Continue reading → Vulnerable Kaswara Modern WPBakery Page Builder Addons Plugin Being Exploited in the Wild
At Jetpack, dealing with different types of web threats and attacks is part of our routine. Most of the time, it ranges from collecting a malicious file and finding the attack vector, to providing assistance on restoring a website from the latest backup. But sometimes we enter a different dimension of really creative attacks, a dimension of inexplicable reinfections — we enter … the twilight zone.
Okay, I’m probably being over-dramatic, but bear with me as I set the scene for this mystery tale. Ready? Please join me on this trip to the realm of ghosts, spam, and search engines.
Continue reading → Fighting Spam from the Twilight Zone
During an internal audit of the Patreon plugin for WordPress, the Jetpack Scan team found several weak points that would allow someone to take over a website.
These vulnerabilities were disclosed to the plugin authors, who promptly released version 1.7.2, which fixes all of these issues. If you’re running an older version of the plugin, please update today!
Read on for all of the technical details. If this goes over your head, don’t worry. We offer Jetpack Scan to handle malware scanning and automated upgrades or removal for you.
Continue reading → Vulnerabilities Found in Patreon WordPress plugin