Backdoor Found in Themes and Plugins from AccessPress Themes

While investigating a compromised site we discovered some suspicious code in a theme by AccessPress Themes (aka Access Keys), a vendor with a large number of popular themes and plugins. On further investigation, we found that all the themes and most plugins from the vendor contained this suspicious code, but only if downloaded from their own website. The same extensions were fine if downloaded or installed directly from the WordPress.org directory.

Due to the way the extensions were compromised, we suspected an external attacker had breached the website of AccessPress Themes in an attempt to use their extensions to infect further sites.

We contacted the vendor immediately, but at first we did not receive a response. After escalating it to the WordPress.org plugin team, our suspicions were confirmed. AccessPress Themes websites were breached in the first half of September 2021, and the extensions available for download on their site were injected with a backdoor.

Once we had established a channel for communicating with the vendor, we shared our detailed findings with them. They immediately removed the offending extensions from their website.

Most of the plugins have since been updated, and known clean versions are listed towards the bottom of this post. However, the affected themes have not been updated, and are pulled from the WordPress.org theme repository. If you have any of the themes listed towards the bottom of this post installed on your site, we recommend migrating to a new theme as soon as possible.

This disclosure concerns a large number of extensions, both plugins and themes. Skip to the list below, or read on for the details.

Continue reading → Backdoor Found in Themes and Plugins from AccessPress Themes

Posted in Vulnerabilities | Tagged , | Comments Off on Backdoor Found in Themes and Plugins from AccessPress Themes

Severe Vulnerabilities Fixed in All In One SEO Plugin Version 4.1.5.3

During an internal audit of the All In One SEO plugin, we uncovered an SQL Injection vulnerability and a Privilege Escalation bug.

If exploited, the SQL Injection vulnerability could grant attackers access to privileged information from the affected site’s database (e.g., usernames and hashed passwords).

The Privilege Escalation bug we discovered may grant bad actors access to protected REST API endpoints they shouldn’t have access to. This could ultimately enable users with low-privileged accounts, like subscribers, to perform remote code execution on affected sites.

We reported the vulnerabilities to the plugin’s author via email, and they recently released version 4.1.5.3 to address them. We strongly recommend that you update to the latest plugin version and have an established security solution on your site, such as Jetpack Security.

Continue reading → Severe Vulnerabilities Fixed in All In One SEO Plugin Version 4.1.5.3

Posted in Vulnerabilities | Leave a comment

Security Issues Patched in Smash Balloon Social Post Feed Plugin

During an internal audit of the Smash Balloon Social Post Feed plugin (also known as Custom Facebook Feed), we discovered several sensitive AJAX endpoints were accessible to any users with an account on the vulnerable site, like subscribers. Some of these endpoints could enable Stored Cross-Site Scripting (XSS) attacks to occur. 

A successful Stored XSS attack could enable bad actors to store malicious scripts on every post and page of the affected site. If a logged-in administrator visits one of the affected URLs, the script may run on their browser and execute administrative actions on their behalf, like creating new administrators and installing rogue plugins.

We reported the vulnerabilities to this plugin’s author via email, and they recently released version 4.0.1 to address them. We strongly recommend that you update to the latest version of the Smash Balloon Social Post Feed plugin and have an established security solution on your site, such as Jetpack Security.

Continue reading → Security Issues Patched in Smash Balloon Social Post Feed Plugin

Posted in Security, Vulnerabilities | Tagged , , | Comments Off on Security Issues Patched in Smash Balloon Social Post Feed Plugin

Multiple vulnerabilities in WP Fastest Cache plugin

During an internal audit of the WP Fastest Cache plugin, we uncovered an Authenticated SQL Injection vulnerability and a Stored XSS (Cross-Site Scripting) via Cross-Site Request Forgery (CSRF) issue.

If exploited, the SQL Injection bug could grant attackers access to privileged information from the affected site’s database (e.g., usernames and hashed passwords). It can only be exploited if the classic-editor plugin is also installed and activated on the site. 

Successfully exploiting the CSRF & Stored XSS vulnerability could enable bad actors to perform any action the logged-in administrator they targeted is allowed to do on the targeted site.

We reported the vulnerabilities to this plugin’s author via email, and they recently released version 0.9.5 to address them. We strongly recommend that you update to the latest version of the plugin and have an established security solution on your site, such as Jetpack Security.

Continue reading → Multiple vulnerabilities in WP Fastest Cache plugin

Posted in Security, Vulnerabilities | Tagged , , | Comments Off on Multiple vulnerabilities in WP Fastest Cache plugin

CSRF Vulnerability Found in Software License Manager Plugin

Versions before 4.5.1 of the Software License Manager plugin for WordPress have an exploitable Cross-Site Request Forgery (CSRF) vulnerability. Any user logged in to a site with the vulnerable extension can, by clicking a link, be tricked to delete an entry in the plugin’s registered domain database table. The link can be distributed in an email, or on a website the victim user is likely to visit.

The good news is, there’s not much else that can be done by exploiting this weakness. And the attacker needs to know the id of the domain they wish to delete from the database beforehand. 

Still, we recommend anybody running version 4.5.0 or earlier of the plugin to upgrade as soon as possible.

Continue reading → CSRF Vulnerability Found in Software License Manager Plugin

Posted in Vulnerabilities | Tagged , , , | Comments Off on CSRF Vulnerability Found in Software License Manager Plugin

Malware using the REST API for Remote Code Execution

This week, Jetpack Scan flagged the license file of a premium extension, and the customer reached out to ask us for more information about it. So I put my detective hat on to investigate.

It is not unusual to stumble upon suspicious code that only ended up being an overprotective developer trying to hide code through common obfuscation methods. This is even more common when analyzing license management code. But in this case, it turned out to be something a bit more sinister.

Continue reading → Malware using the REST API for Remote Code Execution

Posted in Vulnerabilities | Comments Off on Malware using the REST API for Remote Code Execution

Arbitrary Role Change/Privilege Escalation in HM Multiple Roles WordPress plugin

While investigating a security advisory about an arbitrary role change/privilege escalation issue in the HM Multiple Roles WordPress plugin, the Jetpack Scan team discovered that the fix was incomplete and left the plugin still vulnerable.

The issue is fully fixed in version 1.3 of the plugin, and we advise any sites using any earlier version of this plugin to update as soon as possible.

Continue reading → Arbitrary Role Change/Privilege Escalation in HM Multiple Roles WordPress plugin

Posted in Vulnerabilities | Comments Off on Arbitrary Role Change/Privilege Escalation in HM Multiple Roles WordPress plugin

Severe Vulnerability Patched In WooCommerce Currency Switcher

During an internal audit of the woocommerce-currency-switcher plugin, we uncovered a very severe local file inclusion vulnerability. 

This security flaw could enable attackers to leak sensitive information like database credentials, cryptographic keys, and may allow arbitrary code execution in some instances.

We reported the vulnerabilities to the WOOCS team via email last week, and they released version 1.3.7 to fix this issue. If you are using an older version of this plugin, we encourage you to update immediately.

Continue reading → Severe Vulnerability Patched In WooCommerce Currency Switcher

Posted in Vulnerabilities | Comments Off on Severe Vulnerability Patched In WooCommerce Currency Switcher

Multiple vulnerabilities in Workreap theme by Amentotech

Recently the Jetpack team found some infected files in one of our hosted customers’ sites, and quickly traced the source of infection back to the Workreap theme by Amentotech. We started an investigation and uncovered a number of vulnerable AJAX endpoints in the theme; the most severe of these was an unauthenticated unvalidated upload vulnerability potentially leading to remote code execution and a full site takeover.

We reported the vulnerabilities to the Amentotech team via the Envato Helpful Hacker program, and the issues were addressed promptly by them. Version 2.2.2 of the theme was released on June 29, 2021 that fixes the found vulnerabilities.

TL;DR

Due to the seriousness of the vulnerabilities, we highly recommend all users of the Workreap theme to upgrade to version 2.2.2 or later as soon as possible. 

Download the upgrade from the theme website and install it manually, or upgrade automatically via the Envato market plugin.

Continue reading → Multiple vulnerabilities in Workreap theme by Amentotech

Posted in Vulnerabilities | Tagged , , | Comments Off on Multiple vulnerabilities in Workreap theme by Amentotech

Fake Plugin Alert: WordPress Plugin and User Backup Tool

Earlier in 2021, I shared how an attacker could leverage leaked or weak credentials to install fake plugins on a compromised site. Although the plugin featured in that blog post has shown some small changes since it was posted, attackers can upload a variety of malicious software using the same method; so in this article, I’ll share with you another recent example (thanks to Luke Leal for sharing it with me).

Continue reading → Fake Plugin Alert: WordPress Plugin and User Backup Tool

Posted in Vulnerabilities | Comments Off on Fake Plugin Alert: WordPress Plugin and User Backup Tool
  • Enter your email address to follow this blog and receive news and updates from Jetpack!

    Join 110,315 other followers

  • Browse by topic