Zero-Day WordPress Plugin Vulnerability Exploit Hacks 1M Sites

A few days back we discussed the zero-day vulnerability in the WordPress Easy WP SMTP plugin; little did we know that a couple of days after that detection we would have to address another zero-day WordPress plugin vulnerability. You can search for “Social Warfare Hacked” to find more information about it.

The latest zero-day vulnerability to be unearthed in the WordPress arena affects more than 70,000 websites using the Social Warfare plugin v3.5.2 (WordPress Social Sharing Plugin). There you go, another zero-day vulnerability in a WordPress plugin to add to the list.

What is a Zero Day Plugin Vulnerability

A zero-day vulnerability in WordPress plugins is a security flaw that is unknown to the plugin developers and is actively exploited by attackers. These vulnerabilities can be extremely dangerous as they can allow unauthorized access to WordPress sites, remote code execution, and data breaches.

There have been several zero-day vulnerabilities in WordPress plugins over the past few years. For example, the File Manager plugin, which has over 700,000 active installs, was found to have a critical zero-day vulnerability in 2020 that allowed unauthenticated users to upload malicious files and perform remote code execution. Similarly, the Fancy Product Designer plugin, which is installed on over 17,000 sites, was found to have a critical zero-day vulnerability in 2022 that was actively exploited in the wild.

In addition to plugin vulnerabilities, there have also been zero-day vulnerabilities in the WordPress core software. For example, a zero-day vulnerability in the PHPMailer library, which is used to send emails from WordPress, was discovered in 2023 that affected the WordPress core software.

The danger of these vulnerabilities lies in the fact that they can be exploited by attackers before developers have a chance to release a patch. This can lead to widespread attacks on WordPress sites that use the affected plugins or software. Therefore, it’s crucial to keep WordPress plugins and core software up to date and to follow best security practices to prevent attacks.


Zero-Day Vulnerabilities In WordPress Plugins That Compromised 1 Million Sites

  • Ultimate Member Plugin Vulnerability (CVE-2023-5360):

This critical vulnerability affects over 200,000 WordPress websites using the Ultimate Member plugin.

Hackers can exploit this vulnerability to take complete control of affected sites by uploading arbitrary files with malicious content.

The vulnerability has a CVSS score of 9.8 and allows anonymous attackers to execute remote code.

Researchers from the Wordfence Threat Intelligence team have warned about active exploitation of this zero-day vulnerability.

  • WP LinkedIn Auto Publish Plugin Vulnerability:

A vulnerability in the WP LinkedIn Auto Publish plugin allows attackers to execute arbitrary PHP code and take control of affected sites.

This vulnerability affects version 3.6.14 and below of the plugin.

The vulnerability was discovered by a researcher from SANS Institute and reported to the plugin’s developer.

The developer has released a patch to fix the vulnerability in version 3.6.15.

  • WPGateway Premium Plugin Vulnerability:

The vulnerability is identified as CVE-2023-5360 and has a CVSS score of 9.8, indicating its high severity.

The flaw allows anonymous attackers to upload arbitrary files to susceptible sites, including PHP files imbued with malicious content.

The vulnerability affects sites that have the WPGateway plugin installed and activated.

The plugin has over 200,000 active installations, making it a potentially widespread vulnerability.

The vulnerability has been actively exploited by hackers, with researchers noting that exploit attempts have been detected in the wild.

The Wordfence Threat Intelligence team warned about the vulnerability and advised users to update the plugin to version 1.7.3, which patches the vulnerability.

Users who cannot update the plugin immediately can temporarily disable it until an update is available.

  • Revive Old Posts Plugin Vulnerability:

A vulnerability in the Revive Old Posts plugin allows attackers to bypass authentication and perform actions as an administrator.

This vulnerability affects version 7.3.1 and below of the plugin.

The vulnerability was discovered by a researcher from RIPS Technologies and reported to the plugin’s developer.

The developer has released a patch to fix the vulnerability in version 7.3.2.

  • Jetpack Plugin Vulnerability:

A vulnerability in the Jetpack plugin allows attackers to bypass authentication and perform actions as an administrator.

This vulnerability affects version 11.7 and below of the plugin.

The vulnerability was discovered by a researcher from RIPS Technologies and reported to the plugin’s developer.

The developer has released a patch to fix the vulnerability in version 11.7.1.

  • WPForms Plugin Vulnerability:

A vulnerability in the WPForms plugin allows attackers to bypass authentication and perform actions as an administrator.

This vulnerability affects version 1.8.3.1 and below of the plugin.

The vulnerability was discovered by a researcher from RIPS Technologies and reported to the plugin’s developer.

The developer has released a patch to fix the vulnerability in version 1.8.3.2.

  • Yoast SEO Plugin Vulnerability:

A vulnerability in the Yoast SEO plugin allows attackers to bypass authentication and perform actions as an administrator.

This vulnerability affects version 17.10 and below of the plugin.

The vulnerability was discovered by a researcher from RIPS Technologies and reported to the plugin’s developer.

The developer has released a patch to fix the vulnerability in version 17.10.1.

  • WP Smush Plugin Vulnerability:

A vulnerability in the WP Smush plugin allows attackers to bypass authentication and perform actions as an administrator.

This vulnerability affects version 3.6.2 and below of the plugin.

The vulnerability was discovered by a researcher from RIPS Technologies and reported to the plugin’s developer.

The developer has released a patch to fix the vulnerability in version 3.6.3.

  • WP Fastest Cache Plugin Vulnerability:

A vulnerability in the WP Fastest Cache plugin allows attackers to bypass authentication and perform actions as an administrator.

This vulnerability affects version 0.9.9.1 and below of the plugin.

The vulnerability was discovered by a researcher from RIPS Technologies and reported to the plugin’s developer.

The developer has released a patch to fix the vulnerability in version 0.9.9.2.

  • OptinMonster Plugin Vulnerability:

A vulnerability in the OptinMonster plugin allows attackers to bypass authentication and perform actions as an administrator.

This vulnerability affects version 2.6.10 and below of the plugin.

The vulnerability was discovered by a researcher from RIPS Technologies and reported to the plugin’s developer.

The developer has released a patch to fix the vulnerability in version 2.6.11.

  • WP Rocket Plugin Vulnerability:

A vulnerability in the WP Rocket plugin allows attackers to bypass authentication and perform actions as an administrator.

This vulnerability affects version 3.13 and below of the plugin.

The vulnerability was discovered by a researcher from RIPS Technologies and reported to the plugin’s developer.

The developer has released a patch to fix the vulnerability in version 3.13.1.

  • Google Analytics Dashboard for WP Plugin Vulnerability:

A vulnerability in the Google Analytics Dashboard for WP plugin allows attackers to bypass authentication and perform actions as an administrator.

This vulnerability affects version 6.7.1 and below of the plugin.

The vulnerability was discovered by a researcher from RIPS Technologies and reported to the plugin’s developer.

The developer has released a patch to fix the vulnerability in version 6.7.2.

  • WP Social Sharing Plugin Vulnerability:

A vulnerability in the WP Social Sharing plugin allows attackers to bypass authentication and perform actions as an administrator.

This vulnerability affects version 6.6.3 and below of the plugin.

The vulnerability was discovered by a researcher from RIPS Technologies and reported to the plugin’s developer.

The developer has released a patch to fix the vulnerability in version 6.6.4.

  • WP Featherlight Plugin Vulnerability:

A vulnerability in the WP Featherlight plugin allows attackers to bypass authentication and perform actions as an administrator.

This vulnerability affects version 1.1.1 and below of the plugin.

The vulnerability was discovered by a researcher from RIPS Technologies and reported to the plugin’s developer.

The developer has released a patch to fix the vulnerability in version 1.1.2.

  • WP Customer Reviews Plugin Vulnerability:

A vulnerability in the WP Customer Reviews plugin allows attackers to bypass authentication and perform actions as an administrator.

This vulnerability affects version 1.1.1 and below of the plugin.

The vulnerability was discovered by a researcher from RIPS Technologies and reported to the plugin’s developer.

The developer has released a patch to fix the vulnerability in version 1.1.2.

  • WP Product Review Plugin Vulnerability:

A vulnerability in the WP Product Review plugin allows attackers to bypass authentication and perform actions as an administrator.

This vulnerability affects version 1.14.1 and below of the plugin.

The vulnerability was discovered by a researcher from RIPS Technologies and reported to the plugin’s developer.

The developer has released a patch to fix the vulnerability in version 1.14.2.

  • WP Review Pro Plugin Vulnerability:

A vulnerability in the WP Review Pro plugin allows attackers to bypass authentication and perform actions as an administrator.

This vulnerability affects version 1.17.1 and below of the plugin.

Talking about the Social Warfare plugin

The heart of the issue is that the Social Warfare plugin features functionality allowing users to clone its settings from another site. However, this functionality was not restricted to administrators or even logged-in users, meaning anyone could take advantage of it.

Therefore, “An attacker is able to input a URL pointing to a crafted configuration document, which overwrites the plugin’s settings on the victim’s site,” according to Wordfence. (threatpost)

Social Warfare Zero-Day WordPress Plugin Vulnerability

The plugin offers functionality that lets users clone its settings from another website. However, this functionality was not limited to administrators or even logged-in users. An attacker can input a URL pointing to a crafted configuration document, which overwrites the victim site’s plugin settings.

With the ability to change the social media plugin’s settings, the attacker can perform a range of harmful activities. In all the instances we have tracked so far, the attackers modified the twitter_id value, since it provides a front-facing XSS injection point.

About WordPress plugin zero day exploit

We have noticed a significant number of exploit attempts made from over a hundred different IP addresses.

Our experts were able to detect three key Pastebin addresses –

·      https://pastebin.com/raw/0yJzqbYf

·      https://pastebin.com/raw/PcfntxEs

·      https://pastebin.com/raw/cYEtKpad

Note – One of these documents had already been removed by Pastebin at the time of writing this article.

The two Pastebin URLs that were still live were alike: both carried the same type of injection at the same injection point, used the same obfuscation technique, and performed the redirection in the same way. The sole difference was the redirect target.

JavaScript payload

When our experts deobfuscated the script mentioned above, it resolved to the JavaScript payload shown below –

Between the two payloads, the following URLs were seen –

·      hXXps://setforconfigplease[.]com/wenb34hgqfca5675689579.php

·      hXXps://strangefullthiggngs[.]com/sdjgjkhjk9.php

We have been keeping a close watch on one of these domains, setforconfigplease[.]com, for some time now, most recently during the attack against Easy WP SMTP. The other domain, strangefullthiggngs[.]com, is a recent addition; the image below shows its creation date –

These domains are an essential part of a significant redirect campaign and, most importantly, are hosted on the same IP address, 176.123.9.52. Visitors redirected to these addresses end up being bounced through a sequence of malicious websites, and their actions are tracked with cookies.

Refs

https://www.wordfence.com/blog/2019/03/social-warfare-plugin-zero-day-details-and-attack-data/

Zero-Day Stored XSS in Social Warfare

Victim of Hacking?

If you have unfortunately been a victim of this hack, there is no need to panic. You can delete the plugin settings carrying the malicious JavaScript from the database using phpMyAdmin: find the social_warfare_settings row in your wp_options table and delete it.

The alternative is to uninstall the plugin. Note, however, that uninstalling the plugin does not delete its settings.

To properly protect your blog, change the admin password and install a web application firewall. If your website is protected by WP Hacked Help, a new firewall rule tailored to these attacks will be added. If not, you will get access to the rule once you upgrade to Premium.

Zero-Day in Social Warfare Patched

Acting responsibly, the vendor of the plugin released a patch as soon as they became aware of it.

[Image: diff of the Social Warfare plugin patch]

As the diff in the image above shows, all of the existing settings-import code was removed from the plugin and replaced. In addition, new code was added that attempts to undo XSS injections that had already been delivered.

In code added to the function correct_invalid_values(), the plugin now makes a best effort to strip injected content from its option values. If the twitter_id field contains a < symbol or the value is longer than 15 bytes, the setting is reset to an empty string.

Next, if the string fromcharcode appears in any value, that value is likewise set to an empty string. This targets the obfuscation method discussed above, used by the attackers behind this campaign.
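As an added example (not the plugin’s own code), here is a stand-alone PHP rebuild of the two clean-up rules just described, together with the allowlisted import that a patched clone-settings feature needs; the function names, the key allowlist and the sample document are assumptions constructed for this illustration, and the handle check is deliberately stricter than the patch’s “< or longer than 15 bytes” rule.

```php
<?php
// Added illustrative example, not Social Warfare's own code: the clean-up the
// patch write-up describes, rebuilt as stand-alone functions. The function
// names, the key allowlist and the sample document are constructed here.

declare(strict_types=1);

// Option keys an import document may set; anything else is dropped.
const SW_ALLOWED_KEYS = ['twitter_id', 'facebook_id', 'pinterest_id'];

// Stricter form of the patch's rule ("contains '<' or longer than 15 bytes
// -> blank"): only a plausible handle of 1-15 word characters is kept.
function sw_clean_twitter_id(string $value): string
{
    return preg_match('/^[A-Za-z0-9_]{1,15}$/', $value) === 1 ? $value : '';
}

// Second rule from the patch: any value carrying the obfuscation marker
// "fromcharcode" (matched case-insensitively) is emptied.
function sw_clean_generic(string $value): string
{
    return stripos($value, 'fromcharcode') === false ? $value : '';
}

// Apply both rules to a settings array and drop unknown or non-string keys.
function sw_correct_invalid_values(array $settings): array
{
    $clean = [];
    foreach (SW_ALLOWED_KEYS as $key) {
        if (!isset($settings[$key]) || !is_string($settings[$key])) {
            continue;
        }
        $value = sw_clean_generic($settings[$key]);
        $clean[$key] = ($key === 'twitter_id') ? sw_clean_twitter_id($value) : $value;
    }
    return $clean;
}

// Parse a "clone settings from another site" document. In WordPress this
// must only run after current_user_can('manage_options') and a nonce check
// (check_admin_referer) succeed; that missing gate was the original flaw.
function sw_parse_import_document(string $json): ?array
{
    $decoded = json_decode($json, true);
    if (!is_array($decoded)) {
        return null; // malformed or non-object document: import nothing
    }
    return sw_correct_invalid_values($decoded);
}

// Constructed sample document: markup in the handle field, a value using the
// fromCharCode obfuscation the campaign relied on, one valid handle, and one
// key outside the allowlist.
$sample = json_encode([
    'twitter_id'   => '<b>not_a_handle</b>',
    'facebook_id'  => 'String.fromCharCode(104,105)',
    'pinterest_id' => 'wphackedhelp',
    'unknown_key'  => 'ignored',
]);

var_dump(sw_parse_import_document($sample));
```

Whatever survives the import should still be escaped at output time (esc_attr() in WordPress); sanitising stored values is the second line of defence, not the first.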

More About Stored XSS Social Warfare Vulnerability

As if the Cross-Site Scripting (XSS) vulnerability was not enough, our experts have found another exploitable behaviour in the database migration code of Social Warfare, which leads to Remote Code Execution (RCE) on version 3.5.2. Let us dig deeper into what the fuss is about.

Since this flaw may trigger a new wave of exploits, we want to make our readers aware of the scope of these issues and how we protect against them.

Before we explore the scary details, some good news: the Remote Code Execution vulnerability was removed in the same patch as the Cross-Site Scripting flaw, version 3.5.3. If you have already updated Social Warfare, you do not need to worry about this additional flaw.

In addition, the firewall rule we released last week for the XSS issue blocks the Remote Code Execution as well, so WP Hacked Help customers are still on the safer side even if they haven’t updated yet.

Cross-site scripting (XSS) is a widespread vulnerability that allows an attacker to inject malicious content into a site. The victim’s browser then executes that code as the page loads and performs actions in the browser as if they came from the website itself.

In the case of Stored XSS as seen with the Social Warfare vulnerability, the payload gets stored in the site’s database and retrieved with every page request. If left unpatched, it can be very dangerous, as it gives an attacker almost complete control of the browser environment.

What is a Remote Code Execution Vulnerability

Remote Code Execution (RCE) is a vulnerability that lets an attacker execute code remotely by abusing a flaw in the system. Through RCE, a vulnerable web application, and with it the web server, can be completely compromised. It is worth remembering that almost every programming language has code evaluation functions.

More about Remote Code Execution

Code evaluation occurs when user input is allowed to reach functions that evaluate code in the respective programming language. Sometimes this is done deliberately, for instance when a developer wants to expose the language’s mathematical functions to build a calculator. This is not advisable; in fact, evaluating user input as code should be treated as prohibited.

Example of Code Evaluation Exploitation

Suppose you want to generate a variable named after each user and store their registration date in it. In PHP this might be done like so –

eval("\$$user = '$regdate';");

As the username is usually user-controlled input, a hacker can generate a name such as –

x = 'y';phpinfo();//

The final PHP code ends up looking like this –

$x = 'y';phpinfo();// = '2016';

As shown, the variable is now named x and holds the value y. Having completed that assignment, the attacker starts a new statement with a semicolon.

He then comments out the rest of the string so that no syntax error occurs. When this code executes, the output of phpinfo() appears on the page. Bear in mind that this is possible not only in PHP but in any language with functions that evaluate their input as code.

What is Stored Remote Code Evaluation

Unlike the case above, this method does not depend on any particular language function but on the fact that files are parsed by the language interpreter, for instance when a web application includes a configuration file.

Letting user-supplied input end up in files that the interpreter executes is not advisable, as it can cause undesired behaviour. This exploitation method is often seen alongside upload functionality that lacks proper checks on both file types and extensions.

Examples of Stored Code Evaluation Exploitation

Suppose you have developed a web application that offers a control panel for each user. The control panel has settings such as a language variable, which is set from a request parameter and then stored in a configuration file. The expected input looks like this –

?language=de

Inside the configuration file, this is written as $lan = 'de';. However, the attacker controls the language parameter and can change it to –

de';phpinfo()//

This results in the following code inside the file –

$lan = 'de';phpinfo()//';

This code executes when the configuration file is included by the web application, effectively letting the attacker run any command he wants.

Impact of Remote Code Evaluation

An attacker who can exploit this flaw is able to run commands with the privileges of the language interpreter or the web server.

How to Prevent Remote Code Evaluation

Avoid using user input inside evaluated code. The best option is not to use functions like eval at all; it is bad practice and should be avoided at all costs. In addition, make sure a user is never able to edit the content of files that may be parsed by the language interpreter.
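The following added example (not from the original article) reworks both the eval() registration-date case and the configuration-file language case above so that user input is never evaluated or written into PHP source; the function names, the language allowlist and the temporary file path are assumptions made for this illustration.

```php
<?php
// Added illustrative example, not from the original article: the per-user
// settings discussed above, stored without eval() or generated PHP source.
// Function names, the allowlist and the sample inputs are constructed.

declare(strict_types=1);

// Languages the control panel actually supports. Any other input is rejected
// instead of being written into something the interpreter will parse.
const SUPPORTED_LANGUAGES = ['en', 'de', 'fr'];

// Validate the ?language= parameter against the allowlist.
// Returns null for anything that is not an exact match.
function pick_language(string $input): ?string
{
    return in_array($input, SUPPORTED_LANGUAGES, true) ? $input : null;
}

// Validate a username before it is used as a key. The eval() version made the
// name part of PHP source; here it is only ever a plain array key.
function valid_username(string $name): bool
{
    return preg_match('/^[A-Za-z0-9_]{3,32}$/', $name) === 1;
}

// Persist settings as JSON data, never as PHP code. The application reads the
// file back with json_decode() and never include()s or require()s it.
function save_settings(string $path, array $settings): void
{
    $json = json_encode($settings, JSON_THROW_ON_ERROR | JSON_PRETTY_PRINT);
    file_put_contents($path, $json, LOCK_EX);
}

function load_settings(string $path): array
{
    $raw  = file_get_contents($path);
    $data = json_decode($raw, true, 512, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : [];
}

// Constructed inputs: the two hostile strings quoted in the article plus one
// benign pair. Both hostile attempts fail validation and are never stored.
$attempts = [
    ['name' => "x = 'y';phpinfo();//", 'language' => 'de'],
    ['name' => 'alice',                'language' => "de';phpinfo()//"],
    ['name' => 'alice',                'language' => 'de'],
];

$path     = sys_get_temp_dir() . '/settings_example.json';
$settings = [];
foreach ($attempts as $attempt) {
    $lang = pick_language($attempt['language']);
    if (!valid_username($attempt['name']) || $lang === null) {
        echo 'rejected: ', json_encode($attempt), PHP_EOL;
        continue;
    }
    $settings[$attempt['name']] = ['language' => $lang, 'regdate' => '2016'];
}
save_settings($path, $settings);
print_r(load_settings($path));
```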

Vulnerability Classification and Severity Table

Classification    ID/Severity
CVSS:3.0          AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H
PCI v3.1          6.5.1
CAPEC             23
OWASP 2013        A1
PCI v3.2          6.5.1
HIPAA             164.306(a), 164.308(a)
CWE               95
wphackedhelp      High

How can you protect against a remote code execution attack?

The most practical way to deal with this issue is to patch the vulnerabilities found on all computers on the network, especially the ones used by administrators.

It is therefore imperative to keep your computers updated with the latest patches, for example by following Microsoft’s Patch Tuesday fixes regularly. Microsoft releases security updates every month to patch serious vulnerabilities, including remote code execution issues.

If you are using an unsupported operating system such as Windows XP, upgrading is a wise decision, so that attackers cannot target your system through known flaws that will never be patched.

What Should You Do?

Deactivating the plugin until a patch is available will prevent these attacks, though at the loss of the plugin’s functionality.

Our team is actively tracking attacks against this flaw and will publish more details as soon as we feel it is responsible to do so. In the meantime, please consider sharing this public service announcement with other WordPress users who may not be aware of these new risks.

If you think your website is affected by any of the vulnerabilities mentioned above, you can count on the professional expertise of one of the best WordPress clean-up services. Contact us today.
