Search This Blog

Showing posts with label WordPress. Show all posts

WordPress Sites Affected by Bugs in Gutenberg Template Library and Redux Framework

 

The Gutenberg Template Library & Redux Framework plugin for WordPress, which is deployed on over 1 million websites, has two vulnerabilities. According to the researchers, these might enable arbitrary plugin installation, post deletions, and access to potentially sensitive information about a site's configuration. Redux.io's plugin provides a variety of templates and building blocks for developing web pages in WordPress' Gutenberg editor. 

This plugin is a collection of WordPress Gutenberg blocks that allow publishers to quickly create websites using pre-built “blocks” while utilizing the Gutenberg interface. 

The first vulnerability (CVE-2021-38312) is rated as high-severity on the CVSS scale, with a score of 7.1 out of 10. It's caused by the plugin's use of the WordPress REST API, which handles requests to install and manage blocks. According to Wordfence, it fails to properly allow user permissions. 

The WordPress REST API allows apps to communicate with the user's WordPress site by sending and receiving data in JSON (JavaScript Object Notation) objects. It's the backbone of the WordPress Block Editor, and it may also help the user's theme, plugin, or custom app create new, more sophisticated interfaces for managing and publishing the user's site's content. 

“While the REST API Endpoints registered under the redux/v1/templates/ REST Route used a permission_callback to verify a user’s permissions, this call-back only checked whether or not the user sending the request had the edit_posts capability,” Wordfence researchers said in a Wednesday posting. Users with lower rights, such as contributors and authors, may utilize the redux/v1/templates/plugin-install endpoint to install any plugin from the WordPress repository, or the redux/v1/templates/delete_saved_block endpoint to delete posts, according to the researchers. 

The second vulnerability, a medium-severity flaw (CVE-2021-38314), has a CVSS score of 5.3. It exists because the Gutenberg Template Library & Redux Framework plugin registers numerous AJAX actions that are available to unauthenticated users, one of which is deterministic and predictable, allowing for the discovery of a site's $support_hash. 

“This $support_hash AJAX action, which was also available to unauthenticated users, called the support_args function in redux-core/inc/classes/class-redux-helpers.php, which returned potentially sensitive information such as the PHP version, active plugins on the site and their versions, and an unsalted md5 hash of the site’s AUTH_KEY and SECURE_AUTH_KEY,” according to Wordfence. An attacker may use the information to plot a website takeover using other vulnerable plugins, according to the researchers.

WooCommerce Patched a Bug that Threatened Databases of Prominent Sites

 

According to researchers, a significant SQL-injection security vulnerability in the WooCommerce e-commerce platform and a related plugin has been exploited as a zero-day flaw. WooCommerce released an emergency remedy for the bug late on Wednesday as a result of the exploitation. Unauthenticated cyber attackers might use the flaw to steal a slew of data from an online store's database, including customer information, payment card information, and employee credentials. 

WooCommerce, a prominent open-source e-commerce platform for WordPress websites, is used by over 5 million websites worldwide. It enables online merchants to establish storefronts with a variety of customisable features, such as accepted payment kinds, shipping options, and sales tax calculations, among others. The WooCommerce Blocks feature, which is installed on over 200,000 sites, is the linked plugin affected by the flaw. It aids retailers in displaying their goods on websites. 

“Our investigation into this vulnerability and whether data has been compromised is ongoing,” Beau Lebens, head of engineering for WooCommerce, said in an advisory. “We will be sharing more information with site owners on how to investigate this security vulnerability on their site. If a store was affected, the exposed information will be specific to what that site is storing but could include order, customer, and administrative information.” According to Wordfence experts, there is “extremely limited evidence of [exploitation] attempts and it is likely that such attempts were highly targeted.”

However, one user commented in the WooCommerce advisory's comments section that strange activity had been seen. “Just hours before your announcement and email, the site I manage saw a massive spike in network traffic before effectively locking out administrative logins and presenting various bizarre messages,” the user said. “When I SSH’d into the live environment, the console reported that there were 4 failed login attempts since my last login. So far as I could tell there was no apparent vandalism and the failed logins had their IP banned. It seems a little too coincidental.” 

The issue affects WooCommerce plugin versions 3.3 to 5.5, as well as WooCommerce Blocks 2.5 to 5.5. According to Lebens, the company developed a patch remedy “for every impacted version (90+ releases) that was automatically sent to vulnerable stores.” However, because the automatic deployment isn't instantaneous, and users in the advisory's comments section were claiming that they hadn't received the upgrades as of Thursday afternoon, WooCommerce advised that "we're urging everyone to check and manually update if needed just in case."

800+ Million WordPress Users Records Leaked Online

 

On 16 April 2021, security researcher Jeremiah Fowler together with the Website Planet Research Team revealed a non-password secured database with less than one billion records. The leaked documents included WordPress account user names, display names, and emails. 

Over 800 million WordPress-linked records are leaked in this misconfigured cloud database. There are many internal documents leaked that should not be available to the general public in the monitoring and file logs. 

Multiple references to DreamHost were discovered upon further study. The well-known hosting company for over 1.5 million websites is also an easy way to install, the famous WordPress blog platform. DreamPress is Dream Host's Managed WordPress hosting, as per their website. It's a scalable solution that can administer WordPress websites for users. 

They uncovered 814 million records from the managed WordPress hosting company DreamPress, which appeared to be from 2018. 

Allegedly, there were administration and user data in the 86GB database, containing URLs for WordPress login, first and last names, email addresses, user names, roles, IP addresses of the Host, time stamps, and settings and security information. 

Fowler said that some of the disclosed data were associated with users using .gov and .edu email addresses. 

Nevertheless, within hours of receiving a timely notice by Dream Host from Fowler, the database was secured. 

However, the study stated the duration of exposure was not apparent, and users could be in danger of phishing. Threat actors that scan for unprotected databases such as this have also seized and ransomed the data contained within. 

Fowler also pointed out "actions," for example domain registers and renewals, in a database record.

“These could potentially give an estimated timeline of when the next payment was due and the bad guys could try to spoof an invoice or create a man-in-the-middle attack,” he argued. “Here, a cyber-criminal could manipulate the customer using social engineering techniques to provide billing or payment information to renew the hosting or domain registration.” 

This type of problem becomes increasingly widespread due to the complexity of modern cloud environments.

Blind SQL Injection Flaw in WP Statistics Affected 600K+ Sites

 

According to researchers from Wordfence Threat Intelligence, WP Statistics has a Time-Based Blind SQL Injection vulnerability which is a WordPress plugin with over 600,000 active downloads. VeronaLabs developed the plugin, which provides site owners with comprehensive website statistics.

An unauthenticated attacker may use the vulnerability to extract sensitive information from a WordPress website using the vulnerable plugin. The vulnerability has a CVSS score of 7.5 (high severity), and it affects plugin versions prior to 13.0.8. 

Accessing the WP Statistics "Pages" menu item, which produces a SQL query to provide statistics, allows site administrators to see comprehensive statistics about their site's traffic. Researchers discovered that even without admin rights, it was possible to access the WP Statistics "Pages." 

The analysis published by Wordfence states, “While the “Pages” page was intended for administrators only and would not display information to non-admin users, it was possible to start loading this page’s constructor by sending a request to wp-admin/admin.php with the page parameter set to wps_pages_page.” 

“Since the SQL query ran in the constructor for the “Pages” page, this meant that any site visitor, even those without a login, could cause this SQL query to run. A malicious actor could then supply malicious values for the ID or type parameters.” 

As the SQL query did not use a prepared statement, an attacker could easily exploit the input parameter to circumvent the esc sql function and generate queries that could enable an attacker to extract sensitive data from the site, such as user addresses, password hashes, and encryption keys and salts. 

“In a targeted attack, this vulnerability could be used to extract personally identifiable information from commerce sites containing customer information. This underscores the importance of having security protections with an endpoint firewall in place wherever sensitive data is stored,” the post further read. 

The timeline for the vulnerability is as follows: 

March 13, 2021 – The Wordfence Threat Intelligence team finishes researching a vulnerability in the WP Statistics plugin and contacts VeronaLabs. VeronaLabs responds and Security Affairs provides full disclosure. 

March 15, 2021 – VeronaLabs replies with a fixed version for Security Affairs to test and they verify that it corrects the issue. 

March 25, 2021 – A patched version of the plugin, 13.0.8, is released.