Hackers exploiting critical WordPress WooCommerce Payments bug

Hackers are conducting widespread exploitation of a critical WooCommerce Payments plugin vulnerability to gain the privileges of any user, including administrators, on vulnerable WordPress installations.

WooCommerce Payments is a very popular WordPress plugin allowing websites to accept credit and debit cards as payment in WooCommerce stores. According to WordPress, the plugin is used on over 600,000 active installations.

On March 23rd, 2023, the developers released version 5.6.2 to fix the critical 9.8-rated vulnerability tracked as CVE-2023-28121. The flaw affects WooCommerce Payments plugin versions 4.8.0 and higher, and it is fixed in versions 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2, 5.6.2, and later.

As the vulnerability allows any remote user to impersonate an administrator and take complete control over a WordPress site, Automattic force-installed the security fix on WordPress installations utilizing the plugin.

At the time, WooCommerce said there was no known active exploitation of the vulnerability, but researchers warned that due to the critical nature of the bug, we would likely see exploitation in the future.

Flaw actively exploited
This month, researchers at RCE Security analyzed the bug and released a technical blog on the CVE-2023-28121 vulnerability and how it can be exploited.

The researchers explain that attackers can simply add an ‘X-WCPAY-PLATFORM-CHECKOUT-USER’ request header and set it to the user ID of the account they wish to impersonate.

When WooCommerce Payments sees this header, it will treat the request as if it was from the specified user ID, including all of the user’s privileges.
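Two defender-side checks that follow from the description above, written here as an added example (this is not code from the article, RCE Security or WooCommerce): a version triage function built from the affected and fixed versions the article lists, and a detector that scans request logs for the X-WCPAY-PLATFORM-CHECKOUT-USER header. The JSON-lines log is a constructed stand-in for any reverse proxy or WAF that records request headers; its field names (ts, src, method, path, headers) are assumptions.

```python
"""Added example (not code from the article, RCE Security or WooCommerce):
two defender-side checks for CVE-2023-28121. The JSON-lines log below is a
constructed stand-in for any reverse proxy or WAF that records request
headers; its field names (ts, src, method, path, headers) are assumptions."""
import json

# Version facts quoted in the article: 4.8.0 and higher is affected; these are
# the fixed releases, with "and later" covering everything above 5.6.2.
FIRST_AFFECTED = (4, 8, 0)
FIXED_VERSIONS = [(4, 8, 2), (4, 9, 1), (5, 0, 4), (5, 1, 3), (5, 2, 2),
                  (5, 3, 1), (5, 4, 1), (5, 5, 2), (5, 6, 2)]
LATEST_FIX = max(FIXED_VERSIONS)

# The header the vulnerable code trusted; HTTP header names are case-insensitive.
IMPERSONATION_HEADER = "x-wcpay-platform-checkout-user"


def parse_version(text):
    """Turn '5.6.1' (or '5.6') into a comparable (major, minor, patch) tuple."""
    nums = [int(p) for p in text.strip().split(".")[:3]]
    while len(nums) < 3:
        nums.append(0)
    return tuple(nums)


def is_vulnerable(version_text):
    """True if this WooCommerce Payments version is in the affected range."""
    v = parse_version(version_text)
    if v < FIRST_AFFECTED:
        return False
    for fixed in FIXED_VERSIONS:
        if fixed[:2] == v[:2]:          # same major.minor branch
            return v < fixed
    # Branch not listed: anything at or above the newest fix is patched; an
    # unlisted branch below it is flagged as vulnerable (conservative assumption).
    return v < LATEST_FIX


# Constructed sample log: two requests carry the header (one upper-, one lower-case).
SAMPLE_LOG = """\
{"ts":"2023-07-15T03:11:02Z","src":"203.0.113.10","method":"POST","path":"/wp-json/wp/v2/users","headers":{"X-WCPAY-PLATFORM-CHECKOUT-USER":"1","User-Agent":"curl/8.1"}}
{"ts":"2023-07-15T03:11:05Z","src":"198.51.100.7","method":"GET","path":"/shop/","headers":{"User-Agent":"Mozilla/5.0"}}
{"ts":"2023-07-15T03:12:40Z","src":"203.0.113.10","method":"POST","path":"/wp-json/wp/v2/plugins","headers":{"x-wcpay-platform-checkout-user":"2","User-Agent":"curl/8.1"}}
"""


def find_impersonation_attempts(log_text):
    """One finding per request carrying the header, with the user ID it names."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        # Normalise header names so a lower-case variant is not missed.
        headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
        if IMPERSONATION_HEADER in headers:
            findings.append({
                "ts": rec["ts"],
                "src": rec["src"],
                "request": f'{rec["method"]} {rec["path"]}',
                "target_user_id": headers[IMPERSONATION_HEADER],
            })
    return findings


if __name__ == "__main__":
    for ver in ("4.7.9", "4.8.0", "5.0.3", "5.6.1", "5.6.2", "5.7.0"):
        print(ver, "VULNERABLE" if is_vulnerable(ver) else "patched/unaffected")
    for finding in find_impersonation_attempts(SAMPLE_LOG):
        print(finding)
```

The version check keys on the major.minor branch because each branch got its own patch release; a site on 5.0.3 is vulnerable even though 4.9.1 is "older" than it. The header check is worth keeping after patching: on a fixed site the header no longer grants anything, but a hit still shows that someone probed the store, and the source address and targeted user ID give the incident responder a starting point.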

As part of the blog post, RCE Security released a proof-of-concept exploit that uses this flaw to create a new admin user on vulnerable WordPress sites, making it easy for threat actors to take complete control over the site.

Using the exploit to create the 'hacked' administrator account

Source: RCE Security
Today, WordPress security firm Wordfence warned that threat actors are exploiting this vulnerability in a massive campaign targeting over 157,000 sites by Saturday.

“Large-scale attacks against the vulnerability, assigned CVE-2023-28121, began on Thursday, July 14, 2023 and continued over the weekend, peaking at 1.3 million attacks against 157,000 sites on Saturday, July 16, 2023,” explains Wordfence.

WordPress migration add-on flaw could lead to data breaches

All-in-One WP Migration, a popular data migration plugin for WordPress sites with 5 million active installations, suffers from an unauthenticated access token manipulation flaw that could allow attackers to access sensitive site information.

All-in-One WP Migration is a user-friendly WordPress site migration tool for non-technical and inexperienced users, allowing seamless exports of databases, media, plugins, and themes into a single archive that is easy to restore on a new destination.

Patchstack reports that several premium extensions offered by the plugin’s vendor, ServMask, all contain the same snippet of vulnerable code, which lacks permission and nonce validation in the init function.

This code is present in the Box extension, Google Drive extension, OneDrive extension, and Dropbox extension, which were created to facilitate data migration using those third-party platforms.

The flaw, tracked as CVE-2023-40004, allows unauthenticated users to access and manipulate token configurations on the affected extensions, potentially allowing attackers to divert website migration data to their own third-party cloud service accounts or to restore malicious backups.

The primary ramification of successfully exploiting CVE-2023-40004 is a data breach that might include user details, critical website data, and proprietary information.

The security problem is somewhat mitigated by the fact that All-in-One WP Migration is only used during site migration projects and should normally not be active at any other time.

The broken access control flaw was discovered by Patchstack researcher Rafie Muhammad on July 18, 2023, and reported to ServMask for fixing.

The vendor released security updates on July 26, 2023, introducing permission and nonce validation to the init function.

Users of the impacted premium third-party extensions are advised to upgrade to the following fixed versions:

  • Box Extension: v1.54
  • Google Drive Extension: v2.80
  • OneDrive Extension: v1.67
  • Dropbox Extension: v3.76

Also, users are recommended to use the latest version of the (free) base plugin, All-in-One WP Migration v7.78.

Hackers exploit zero-day in Ultimate Member WordPress plugin with 200K installs

Hackers exploit a zero-day privilege escalation vulnerability in the ‘Ultimate Member’ WordPress plugin to compromise websites by bypassing security measures and registering rogue administrator accounts.

Ultimate Member is a user profile and membership plugin that facilitates sign-ups and building communities on WordPress sites, and it currently has over 200,000 active installations.

The exploited flaw, tracked as CVE-2023-3460 and carrying a CVSS v3.1 score of 9.8 (“critical”), impacts all versions of the Ultimate Member plugin, including its latest version, v2.6.6.

While the developers initially attempted to fix the flaw in versions 2.6.3, 2.6.4, 2.6.5, and 2.6.6, there are still ways to exploit the flaw. The developers have said they are continuing to work on resolving the remaining issue and hope to release a new update soon.

“We have been working on the fixes related to this vulnerability since version 2.6.3, when we got a report from one of our customers,” posted one of the Ultimate Member developers.

“Versions 2.6.4, 2.6.5, 2.6.6 partially close this vulnerability, but we are still working together with the WPScan team to get the best result. We also got their report with all necessary details.”

“All previous versions are vulnerable, so we highly recommend upgrading your websites to 2.6.6 and keeping up with updates in the future to get the recent security and feature enhancements.”

Attacks exploiting CVE-2023-3460

The attacks exploiting this zero-day were discovered by website security specialists at Wordfence, who warn that threat actors exploit it by using the plugin’s registration forms to set arbitrary user meta values on their accounts.

More specifically, attackers set the “wp_capabilities” user meta value to define their user role as administrators, granting them complete access to the vulnerable site.

The plugin has a blocklist of meta keys that users should not be able to set; however, bypassing this protection measure is trivial, says Wordfence.

WordPress sites hacked using CVE-2023-3460 in these attacks will show the following indicators:

  • Appearance of new administrator accounts on the website
  • Usage of the usernames wpenginer, wpadmins, wpengine_backup, se_brutal, segs_brutal
  • Log records showing that IPs known to be malicious accessed the Ultimate Member registration page
  • Log records showing access from 146.70.189.245, 103.187.5.128, 103.30.11.160, 103.30.11.146, and 172.70.147.176
  • Appearance of a user account with an email address associated with “exelica.com”
  • Installation of new WordPress plugins and themes on the site
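A triage script that checks a site against the indicators listed above, added here as an example (it is not Wordfence’s or the article’s code). Both inputs are constructed samples: the CSV layout mirrors what a `wp user list --format=csv` export looks like (the column names are an assumption), the Apache combined-format log lines are made up, and the registration-page path `/register/` and the baseline administrator list are assumptions that must be set for the site being checked.

```python
"""Added example (not Wordfence's or the article's code): check a WordPress
users export and an access log against the CVE-2023-3460 indicators quoted
in the article. Both inputs are constructed samples."""
import csv
import io
import re

# Indicators quoted from Wordfence in the article.
KNOWN_USERNAMES = {"wpenginer", "wpadmins", "wpengine_backup", "se_brutal", "segs_brutal"}
KNOWN_IPS = {"146.70.189.245", "103.187.5.128", "103.30.11.160",
             "103.30.11.146", "172.70.147.176"}
KNOWN_EMAIL_DOMAIN = "exelica.com"

# Assumption: the administrators that are supposed to exist on this site.
BASELINE_ADMINS = {"alice"}

# Constructed users export (column names assumed to match `wp user list --format=csv`).
USERS_CSV = """\
user_login,user_email,roles,user_registered
alice,alice@example.com,administrator,2021-02-01 10:00:00
bob,bob@example.com,editor,2022-05-11 09:30:00
wpengine_backup,backup@exelica.com,administrator,2023-07-01 02:14:55
support,help@example.com,administrator,2023-07-02 18:03:10
"""

# Constructed Apache combined-format log lines.
ACCESS_LOG = """\
146.70.189.245 - - [01/Jul/2023:02:14:21 +0000] "POST /register/ HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jul/2023:02:15:03 +0000] "GET /blog/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
103.30.11.160 - - [02/Jul/2023:18:02:44 +0000] "POST /register/ HTTP/1.1" 302 0 "-" "curl/8.1"
203.0.113.9 - - [02/Jul/2023:18:05:00 +0000] "GET /wp-admin/plugin-install.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)


def check_users(csv_text, baseline_admins):
    """Return (login, [reasons]) for every account matching an indicator."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        login = row["user_login"].strip().lower()
        email = row["user_email"].strip().lower()
        reasons = []
        if login in KNOWN_USERNAMES:
            reasons.append("known attacker username")
        if email.endswith("@" + KNOWN_EMAIL_DOMAIN) or email.endswith("." + KNOWN_EMAIL_DOMAIN):
            reasons.append("email on known attacker domain")
        if "administrator" in row["roles"] and login not in baseline_admins:
            reasons.append("administrator account not in baseline")
        if reasons:
            findings.append((row["user_login"], reasons))
    return findings


def check_access_log(log_text, registration_path="/register/"):
    """Return every request from a known malicious IP, noting registration-page hits."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined log format
        ip = m.group("ip")
        if ip in KNOWN_IPS:
            hits.append({
                "ip": ip,
                "ts": m.group("ts"),
                "request": f'{m.group("method")} {m.group("path")}',
                "registration_page": m.group("path").startswith(registration_path),
            })
    return hits


if __name__ == "__main__":
    for login, reasons in check_users(USERS_CSV, BASELINE_ADMINS):
        print(f"user {login!r}: {', '.join(reasons)}")
    for hit in check_access_log(ACCESS_LOG):
        print(hit)
```

The user check is deliberately broader than the username and email lists: any administrator that is not in the baseline is reported, because an attacker who picks an unlisted name still has to end up with the administrator role. Pair this with a review of recently installed plugins and themes, which the last indicator above covers and which no users export will show.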