Showing posts with label Wordpress Security.

Update Your WordPress, Prevent Your Website from Being Hacked

WordPress has released version 4.2.2 to improve the security of its users and has urged site owners to update their sites immediately.

Samuel Sidler, a researcher at WordPress.org, wrote that the new version addresses two security issues.

The first concerns the Genericons icon font package, used in themes and plugins, which contained an HTML file vulnerable to cross-site scripting.

On May 7, after a DOM-based cross-site scripting (XSS) vulnerability was discovered, the WordPress security team updated all affected themes and plugins, including the Twenty Fifteen default theme.

Security researchers from Sucuri warned that the vulnerability was being exploited in the wild for days before disclosure.

Robert Abela of Netsparker reported that, to protect other installations that bundle Genericons, WordPress 4.2.2 scans the wp-content directory for this HTML file and removes it.

Second, WordPress 4.2 and earlier versions are affected by a critical cross-site scripting vulnerability that could let anonymous users compromise a site. WordPress 4.2.2 includes a comprehensive fix for this issue, which was reported separately by Rice Adu and Tong Shi.

WordPress 4.2.2 also contains fixes for 13 bugs from 4.2.

To update, download WordPress 4.2.2 or go to the Dashboard and click the "Update Now" button.

Sites that support automatic background updates have begun to update to WordPress 4.2.2.

Multiple vulnerabilities in TheCartPress WordPress plugin

Multiple vulnerabilities have been discovered in the TheCartPress WordPress plugin by the High-Tech Bridge Security Research Lab.

The vulnerabilities can be exploited to execute arbitrary PHP code, disclose sensitive data, bypass access controls, and perform cross-site scripting attacks against users.

To exploit the local PHP file inclusion vulnerability, an attacker needs administrator privileges on the WordPress installation. The plugin does not properly verify the URL before using it in a PHP include() call, so it can be abused to include arbitrary local files via directory traversal sequences.

Several HTTP POST parameters supplied by users during the checkout process are not sanitized before being stored in the local database. A non-authenticated attacker can inject malicious HTML and JavaScript code that is stored in the application database and served to any non-authenticated user at the following URL:
http://wordpress/wp-admin/admin-ajax.php?order_id=[order_id]&action=tcp_print_order

Due to a broken authentication mechanism, any non-authenticated user may browse other users' orders. Because order IDs are easily predicted, an attacker can retrieve all currently existing orders.

The vulnerability can be reproduced by opening the following URL:
http://wordpress/shopping-cart/checkout/?tcp_checkout=ok&order_id=[order_id]

Full details of the orders can be viewed by opening the following URL:
http://wordpress/wp-admin/admin-ajax.php?order_id=[order_id]&action=tcp_print_order

Input passed via the "search_by", "address_id", "address_name", "firstname", "lastname", "street", "city", "postcode", "email", "post_id", "rel_type" and "post_type" GET parameters is not properly verified before being returned to the user. An attacker can trick a logged-in administrator into opening a link and execute arbitrary HTML and script code in the administrator's browser in the context of the vulnerable website.
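The two order-exposing URLs above are what a defender would watch for in web server access logs. The following is an added example, not code from the advisory or from the plugin, that flags clients pulling many distinct, sequential order IDs from those endpoints; the log lines, IP addresses and the threshold of three orders are constructed for illustration.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, urlparse

# Constructed combined-format access log sample (not real traffic); 203.0.113.5 walks sequential order IDs.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2015:10:00:01 +0000] "GET /wp-admin/admin-ajax.php?order_id=1001&action=tcp_print_order HTTP/1.1" 200 5120
203.0.113.5 - - [10/Apr/2015:10:00:02 +0000] "GET /wp-admin/admin-ajax.php?order_id=1002&action=tcp_print_order HTTP/1.1" 200 5133
203.0.113.5 - - [10/Apr/2015:10:00:03 +0000] "GET /wp-admin/admin-ajax.php?order_id=1003&action=tcp_print_order HTTP/1.1" 200 5098
198.51.100.7 - - [10/Apr/2015:10:05:00 +0000] "GET /shopping-cart/checkout/?tcp_checkout=ok&order_id=2040 HTTP/1.1" 200 8800
198.51.100.7 - - [10/Apr/2015:10:05:30 +0000] "GET /wp-admin/admin-ajax.php?order_id=2040&action=tcp_print_order HTTP/1.1" 200 5210
192.0.2.9 - - [10/Apr/2015:10:07:00 +0000] "GET /wp-admin/admin-ajax.php?order_id=abc&action=tcp_print_order HTTP/1.1" 400 12
"""

# Combined log format prefix: client IP, identd, user, [timestamp], "METHOD target proto", status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# The two TheCartPress endpoints that return order details: path -> (selecting parameter, value).
ORDER_ENDPOINTS = {"/wp-admin/admin-ajax.php": ("action", "tcp_print_order"),
                   "/shopping-cart/checkout/": ("tcp_checkout", "ok")}

def parse_order_requests(log_text):
    """Yield (client_ip, order_id) for each successful request to an order-exposing endpoint."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m or m.group("status") != "200":
            continue
        url = urlparse(m.group("target"))
        query = parse_qs(url.query)
        selector = ORDER_ENDPOINTS.get(url.path)
        if selector is None or query.get(selector[0]) != [selector[1]]:
            continue
        order_id = query.get("order_id", [""])[0]
        if order_id.isdigit():  # skip malformed IDs such as order_id=abc
            yield m.group("ip"), int(order_id)

def find_enumerators(log_text, min_orders=3):
    """Client IP -> sorted distinct order IDs for clients that fetched at least min_orders orders."""
    seen = defaultdict(set)
    for ip, order_id in parse_order_requests(log_text):
        seen[ip].add(order_id)
    return {ip: sorted(ids) for ip, ids in seen.items() if len(ids) >= min_orders}

def longest_sequential_run(order_ids):
    """Longest run of consecutive IDs in a sorted list; long runs mean predictable IDs were walked."""
    best = run = min(1, len(order_ids))
    for prev, cur in zip(order_ids, order_ids[1:]):
        run = run + 1 if cur == prev + 1 else 1
        best = max(best, run)
    return best
```

A customer who only prints their own order never crosses the threshold, while a client whose IDs form a long consecutive run is walking the predictable order numbers the advisory describes.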

WordPress plugin containing a backdoor distributed via phishing emails

If you are a WordPress user, what would you do when you receive an email offering the Pro version of a WordPress plugin for free? Don't be tempted by such emails: they also give you malicious code for free!

Sucuri reported a phishing email asking its clients to download a Pro version of the "All in One SEO Pack" WordPress plugin. The email claims the plugin is worth $79.00 and is being given away for free.

"You have been chosen by WordPress to take part in our Customer Rewarding Program.  You are the 23rd from 100 uniques winners," the phishing email reads.


The download link in the email does not point to the WordPress plugin repository; it points to a zip file hosted on a compromised website.

Security researchers at Sucuri analyzed the plugin and found that it had been modified to include a backdoor that gives attackers full access to the server.

The malicious code in the plugin replaces the site's index.php file with code retrieved from the attacker's server. When users visit the site, they are redirected either to spam sites or to exploit kits that infect the visitor's system.

Infected Social Media Widget plugin puts spam links in thousands of WordPress sites

If you are using the Social Media Widget plugin on your WordPress site, remove it immediately. Sucuri has discovered that the plugin is being used to inject spam into sites.

The Social Media Widget is a simple sidebar widget that lets users enter their social media profile URLs and other subscription options; it shows an icon in the sidebar for each site, which opens in a separate browser window.

It is a popular plugin with more than 935,000 downloads, which means thousands of WordPress sites are affected.

According to Sucuri's malware report, the plugin contains a hidden call to the malicious URL "hxxp://i.aaur.net/i.php", which is used to inject "Pay Day Loan" spam into websites running the plugin.

The malicious code was added only in the latest version of the plugin, SMW 4.0. Users are advised to remove the plugin from their sites. The plugin has been removed from the WordPress plugin repository.

WordPress.com boosts security with two-step authentication

WordPress.com, a blog hosting service, announced that it has enabled a two-step authentication feature to keep your account secure.

Two-factor authentication is a security feature that prompts you to enter a temporary secret code sent to your phone whenever you log in to your account.

How to enable two-step authentication in WordPress?
To enable this feature, go to the new Security tab in your WordPress.com account settings, and go through the setup wizard.

"We know your blog is important to you, and today we’re proud to announce Two Step Authentication: an optional new feature to help you keep your WordPress.com account secure," the WordPress.com blog post reads.