Recently disclosed WordPress vulnerability made a massive shock to some WordPress community members. It’s not the vulnerability itself. Some users were shocked by the fact that it was already reported to the WordPress Security team about seven months ago. Well, let’s analyse everything step by step.
Disclosed WordPress vulnerability
First of all, relax. I can say that most of the WordPress sites are not affected by this vulnerability. In order to exploit this vulnerability, certain conditions are required. In this case, an attacker must have sufficient rights to edit and delete media files (for example “author” role or any custom role with the previously mentioned rights). There are several possible ways to affect site security by exploiting this vulnerability.
- An attacker can delete the .htaccess file and gain access to some files or folders that were restricted by the custom rules of that particular .htaccess file.
- Also, it is possible to delete index.php files from various folders and make them accessible for a directory listing to see all the files and folder structure.
- More sophisticated exploitation vector possible by deleting a wp-config.php file, it will allow an attacker to access WordPress installation procedure and gain more control over the site.
- Finally, I need to mention that it is possible to delete any file and partially deface or entirely screw up the site.
Continue reading Disclosed WordPress vulnerability affects current 4.9.6 and earlier WordPress versions
Multidots Inc. is a software development company from India that has developed a wide range of various WordPress plugins. About a month ago ThreatPress Security Research Team found a lot of vulnerabilities in ten plugins designed by Multidots to extend the capabilities of WooCommerce. As you can understand, these plugins designed for online stores powered by WooCommerce / WordPress. ThreatPress notified the Multidots instantly about the issues with their WordPress plugins, usually developer fixes problem as soon as possible, but in this case, everything went quite a different way.
Vulnerable plugins by Multidots
So, overall ThreatPress found that there are ten vulnerable plugins. All of them hosted on WordPress.org plugin repository. Here’s the list of these plugins (plugin name, active installs and vulnerability type):
- WooCommerce Category Banner Management (Active installations: 3,000+) – Unauthenticated Settings Change
- Add Social Share Messenger Buttons Whatsapp and Viber (Active installations: 500+) – Cross-Site Request Forgery (CSRF)
- Advance Search for WooCommerce (Active installations: 200+) – Stored Cross-Site Scripting (XSS)
- Eu Cookie Notice (Active installations: 600+) – Cross-Site Request Forgery (CSRF)
- Mass Pages/Posts Creator (Active installations: 1,000+) – Authenticated Stored Cross-Site Scripting (XSS)
- Page Visit Counter (Active installations: 10,000+) – SQL Injection
- WooCommerce Checkout For Digital Goods (Active installations: 2,000) – Cross-Site Request Forgery (CSRF)
- WooCommerce Enhanced Ecommerce Analytics Integration with Conversion Tracking (Active installations: 1,000+) – Cross-Site Request Forgery (CSRF) and Stored Cross-site scripting (XSS)
- WooCommerce Product Attachment (Active installations: 800+) – Authenticated stored Cross-Site Scripting (XSS)
- Woo Quick Reports (Active installations: 300+) – Stored Cross-Site Scripting (XSS)
Continue reading WordPress plugins for WooCommerce by Multidots endangered thousands of online stores
WordPress plugins, and more precisely their security is one of the most common causes of website hacks. There are more than 55,000 plugins available on the WordPress.org plugin directory. More of them are available at Codecanyon and other similar plugin directories or numerous plugin vendor sites. Checking all the code lines of each plugin is impossible. No one knows how much of them are vulnerable. Vulnerable plugins periodically identified by WordPress community or WordPress security companies.
In most cases, these vulnerabilities fixed as soon as possible. But sometimes WordPress Security Team closes vulnerable plugins if there are no updates from authors within a specified period or plugin poses a high threat. And here we have a huge problem. By closing a vulnerable plugin WordPress Security Team protects all users from downloading an unsafe software, but what about those who already have those plugins installed on their websites?
Closed WordPress plugins by Multidots
I will write a separate post about this case, but now I want to use it as an example. Recently WordPress security company ThreatPress found ten vulnerable WordPress plugins designed for WooCommerce function extension. They notified Multidots Inc. about the security issues of their products. Later ThreatPress research team informed WordPress Security Team since there were no updates for several weeks. All ten plugins – closed. Continue reading WordPress plugins – closed, abandoned and dangerous
I have already written about the danger to your website caused by insecurely stored back up files. However, it was a case when I was able to find FTP credentials used by Updraft backup WordPress plugin stored in the back up of the database. I think this is the most straightforward hacking technique ever and it doesn’t require specialised knowledge or software to perform the hack. But today I will tell you about the more sophisticated method.
So, let’s begin with the very first step of this hacking method. As I mentioned in the previous post, some Google dorks could lead you to websites with unprotected backup files due to the open directory listing. Trust me, there are hundreds if not thousands of such sites, and you can find them by applying various dorks since various WordPress backup plugins have different file naming scheme.
OK, now when you have a potential list of vulnerable websites, it’s time to pick up one and proceed with other steps. We are looking for sites with backups of the database which you can use on your local machine. Download the WordPress database file, and you’re ready to start the hack. Continue reading Hacking website with brute-force type attack on a local machine
WordPress backup files is an excellent way to ensure you can restore your website without any data loss. Making backups is a good practice, and I highly recommend to make copies of your website files and database periodically. In case of security breach, website defacing or other disasters these copies will save you a lot of time and maybe money. But sometimes these files may be the reason why your WordPress site got hacked. A few days ago I made a small researched to find out the threats caused by backup files.
WordPress backup plugins
There are a lot of different backup plugins for WordPress on the WordPress.org plugin repository. Also, there are many various premium plugins available outside. All these plugins have the same primary function, to make a backup of your precious data. Some of them offer simple backing up functions, some of them are more sophisticated and could provide more features to manage the backing up process. To do the research I need to pick up a target, right? So I picked up the most popular WordPress backup plugin that is available in WordPress plugin repository – UpdraftPlus WordPress Backup Plugin. Continue reading WordPress backup files may endanger your website