Critical RCE vulnerability affects thousands of WordPress sites

A cybersecurity researcher has recently discovered a critical vulnerability called CVE-2024-5932. It has a CVSS score of 10.0 (max possible), and seriously compromises more than 100,000 WordPress sites using the GiveWP plugin version 3.14.1 and earlier. The issue involves a PHP Object Injection (POI) vulnerability in the GiveWP plugin, widely used by donation and fundraising platforms. The vulnerability is exploited by deserialization of untrusted data, in particular through the ‘give_title’ parameter. Attackers can inject a maliciously crafted PHP object. When combined with an existing object-oriented programming (OOP) chain in the plugin, this leads to full remote code execution (RCE).

In addition to remote code execution (RCE), this vulnerability allows for unauthorized file deletion without any authentication. In practice, this may allow attackers to gain full control over the affected WordPress site by deleting critical files from the server. Given the role of the plugin in managing financial transactions and sensitive donor information, the consequences of such an exploit are exceptionally serious.

Detection And Response

A security researcher nicknamed villu164 discovered the vulnerability on May 26, 2024, and reported it through the Wordfence Bug Bounty Program. On June 13, 2024, Wordfence notified the plugin developer of the vulnerability, but they did not receive any feedback. On July 6, 2024, the company informed the WordPress.org team. A month later, on August 7, 2024, the developer released a fully patched version 3.14.2. Fortunately, there are currently no reports or evidence that the vulnerability has been exploited in the wild. But as it usually happens, the exploitation will inevitably follow the public disclosure of the flaw.

As the plugin is described on the official website, GiveWP is the highest-rated, most downloaded, and best-supported donation plugin for WordPress. With GiveWP, users accept gifts for charity or other purposes through customizable donation forms. The donation plugin also allows you to view donor data and fundraising reports, manage donors, and integrate with various third-party gateways and services. In other words, the site interacts with finance and the people involved. It’s no surprise that it scored 10/10 on the CVSS scale – both the ease of exploitation and the amount of data it can expose are nothing to mess around with.

Recommendations

To protect their WordPress site, site masters should update the plugin to 3.14.2. Since there is no workaround available, websites running older versions remain highly vulnerable to exploitation, especially now that the vulnerability has been made public.

Still, a proactive approach towards picking plugins is a must. Even the well-known apps may be vulnerable, leave alone no-name plugins that were posted 2 years ago and never updated since. Tricks like typosquatting or supply chain attacks are applicable here as well, so stay updated on the latest WP security news.

The post Critical RCE Vulnerability in GiveWP WordPress Plugin appeared first on Gridinsoft Blog.

WordPress RCE Vulnerability Fixed

The WordPress security team advises administrators to update to version 6.4.2 promptly, even though the RCE vulnerability isn’t directly exploitable in the core. Manual verification of completed updates is recommended to ensure the patch’s successful installation.

In light of the vulnerability, security companies, including Wordfence and Patchstack, offer guidance to users and developers. Wordfence advises users to manually check and update their WordPress sites to the latest version. Additionally, developers are encouraged to replace function calls to “unserialize()” with alternatives such as JSON encoding/decoding using ‘json_encode’ and ‘json_decode’ PHP functions.

WordPress Vulnerability Analysis

The security team identified a Property Oriented Programming (POP) chain vulnerability introduced in WordPress core 6.4. This vulnerability, rooted in the “WP_HTML_Token” class, surfaced in an effort to enhance HTML parsing within the block editor. While not directly exploitable in the core, the security team emphasizes the potential for high severity when combined with specific plugins, particularly in multisite installations.

A POP chain relies on an attacker controlling all properties of a deserialized object, achievable through PHP’s “unserialize()” function. Also, the vulnerability exposes the possibility of hijacking the application’s flow by manipulating values sent to magic methods like “__wakeup()”. To exploit this flaw, a PHP object injection vulnerability on the target site is required. It could exist in a plugin or theme add-on.

The new ”__wakeup” method ensures that any serialized object with the WP_HTML_Token class throws an error as soon as it is unserialized. This prevents the ” __destruct” function from executing:

Recommendations

WordPress users are urged to remain vigilant, implement recommended mitigation measures, and follow official channels for the latest updates.

It is highly recommended that you manually check if your site has been updated to WordPress 6.4.2. Even though most sites should automatically update. Also, it is crucial to secure your WordPress site in today’s threat landscape. To protect your digital assets and yourself, staying informed about the latest security updates and best practices is essential.

The post WordPress Critical Vulnerability Fixed in Patch 6.4.2 appeared first on Gridinsoft Blog.

Hackers Use Poorly-protected Sites in Phishing Scams

Cybercriminals often target abandoned WordPress websites with poor maintenance and security patches, making even smaller sites attractive targets for long-lasting phishing pages.

Malicious actors can still target actively maintained websites, even though they are kept up to date. Websites with low traffic and smaller audiences are also vulnerable to hacking attempts. Some website owners might need more financial resources to invest in robust information security measures or hire dedicated security professionals. They could also have limited knowledge about security configurations, or they might wrongly assume that their small website wouldn’t attract hackers’ attention. However, for phishers, the potential to exploit a website is more significant than its popularity. This is because they can use compromised sites to distribute links to scam pages through emails or instant messaging platforms, regardless of size. Consequently, even smaller websites present an appealing opportunity for scammers.

According to researchers, most websites on the Internet are powered by the WordPress content management system. This platform boasts an extensive array of third-party plugins aimed at enhancing its functionality. Unfortunately, both plugins and WordPress are frequently found to have new vulnerabilities that hackers can exploit.

WordPress-Based Websites In The Scope

Phishers exploit security holes to hack WordPress websites. After a successful exploitation attempt, they upload a WSO web shell, which allows them to bypass the authentication step and gain access to the website control panel. This gives them full control over the website.

Nevertheless, the majority of compromised websites exhibit broken links leading to various sections of their homepage. This arises because hackers often remove the original directories and substitute them with phishing materials. When users input data, like website credentials or even sensitive information like CVV numbers from bank cards, depending on the specific scam, this data gets stored within the control panel of the deceptive page. In cases where the website is equipped with a web shell and its content is accessible to anyone, the victim’s data becomes readily visible to all.

Signs of a hacked WordPress site

Several fairly obvious signs suggest you are looking at a phishing page hosted on a compromised website.

• The URLs of these pages encompass folders such as /wp-Config/, /wp-content/, /wp-admin/, /wp-includes/, or equivalents, and within these directories exists a PHP file. Although web pages with the .php extension can be legitimate components of websites, their presence in conjunction with the aforementioned directory names unequivocally indicates a phishing endeavor.
• The content displayed on the homepage seems disconnected from the phishing page.
• The URL includes the service’s accurate (or altered) name that the scammers aim to mimic. However, this name is unrelated to the actual name of the website.

How to recognize phishing with hacked sites

Despite hackers’ diligent efforts to fabricate convincing replicas of popular websites that their targeted users frequent, there are telltale signs of phishing on a hacked site. It’s particularly important to be vigilant for the following indicators:

1. The presence of default names of WordPress directories in the URL.
2. Inclusion of the imitated brand’s name within one of the directory names.
3. Page content that appears unrelated to the website’s overall theme.

How to protect yourself against phishing attacks?

Most phishing cases are conducted mostly thanks to the victim’s inattentiveness. Hence, you may suppose an easy solution – being attentive at each questionable moment. You can find a lot of things spoofed, and with the special tools that are available nowadays, this form of fraud is very easy to perform.

1. Use two-factor authentication. That won’t let anyone except the one who has your mobile phone (hopefully, yourself) log into your account. However, your phone might have yet another authentication procedure to unblock it, which would make the authentication to your account multi-factor, which is even better for tackling the consequences of a successful phishing attack.
2. Should you fall victim to a phishing attack, better have all your valuable data backed up on a hard drive or cloud storage. Phishing attacks may have various consequences, but data protection is the most maintainable countermeasure.
3. Protecting your personal information is crucial for maintaining your privacy and security. Think twice before sharing personal information in casual conversations, both online and offline. Avoid posting sensitive details like your full address, phone number, and financial information.
4. Use a spam filter. With spam filters and anti-spam features, it’s possible to stop receiving unwanted emails. Opt into text lists that allow you to unsubscribe from future messages. This will help minimize the damage from phishing.
5. Ultimate counteraction method for any form of phishing on the computer is anti-malware software. Of course, it is important to note that not each security tool will fit you – programs with an online protection function guarantee the best protection. GridinSoft Anti-Malware may offer you such a function. Moreover, it is also able to get rid of the virus that helps the fraudsters to fool you.

The post Phishing With Hacked Sites Becomes a Massive Menace appeared first on Gridinsoft Blog.

WooCommerce Payments is a popular WordPress plugin that allows websites to accept credit cards as a payment method in WooCommerce stores. According to official statistics, the plugin has over 600,000 active installations.

By the way, we wrote that this plugin was recognized as one of the most vulnerable, and also reported that the Woocommerce store was attacked by web skimmers. Let me also remind you of very fresh attacks on the Elementor Pro plugin.

In March of this year, the developers released an updated version of the plugin (5.6.2), which eliminated the critical vulnerability CVE-2023-28121. The vulnerability affected WooCommerce Payment version 4.8.0 and higher and was fixed in versions 4.8.2, 4.9.1, 5.0.4, 5.1.3, 5.2.2, 5.3.1, 5.4.1, 5.5.2 and 5.6.2.

Since the vulnerability allows anyone to impersonate a site administrator and take full control of WordPress, the company behind the development of the CMS, Automattic, forced updates to hundreds of thousands of sites running the popular payment system.

Then the creators of WooCommerce stated that they had no data about attacks on this vulnerability, but information security specialists warned that due to the critical nature of the error, hackers would certainly be interested in it.

Now researchers from RCE Security have analyzed the issue and published a technical report on CVE-2023-28121 on their blog, explaining exactly how the vulnerability can be exploited.

Attackers can simply add X-WCPAY-PLATFORM-CHECKOUT-USER to the request header and set it to the user ID of the account they wish to masquerade as, experts say. Given this header, WooCommerce Payments will treat the request as if it came from the specified ID, including all privileges for that user.

To its analysis, RCE Security attached a PoC exploit that uses a vulnerability to create a new administrator user on vulnerable sites and allows taking full control over the resource.

As a result, WordPress security company Wordfence warned this week that attackers are already exploiting the vulnerability as part of a massive campaign targeting more than 157,000 sites.

According to experts, the attackers use the exploit to install the WP Console plugin on vulnerable sites or create administrator accounts. On systems where the WP Console was installed, the attackers used a plugin to execute PHP code that installed a file uploader on the server and could subsequently be used as a backdoor even after the vulnerability was fixed.

To scan vulnerable WordPress sites, attackers try to access the /wp-content/plugins/woocommerce-payments/readme.txt file and, if it exists, proceed to exploit the vulnerability.

In their report, the researchers shared seven IP addresses from which the attacks are carried out, and especially highlighted the IP address 194.169.175.93, which crawled 213,212 sites.

Site owners are encouraged to update WooCommerce Payment as soon as possible if they haven’t done already, and to check their resources for unusual PHP files and suspicious admin accounts, removing any that can be found.

The post Vulnerability in WordPress Plugin WooCommerce Payments Is Actively Used to Hack Sites appeared first on Gridinsoft Blog.

Ultimate Member WordPress Plugin 0-day Vulnerability

That is not the first case when a WordPress plugin appears to contain a 0-day exploit. In particular, hackers used GoTrim malware to hack into WP-based sites. The scale of hackers’ interest in hacking such websites is confirmed by the number of sites they scanned looking for vulnerabilities.

The used-in-the-wild vunerability received the identifier CVE-2023-3460 and a score of 9.8 on the CVSS scale. The max score is 10, so you can undestand how critical it is. The problem affects all Ultimate Member versions, including the latest version 2.6.6. The developers initially tried to fix the vulnerability in versions 2.6.3, 2.6.4, 2.6.5 and 2.6.6. Though, it appears that the vulnerability resides deeper. The authors of the plugin declare that they continue to work on solving the remaining problems and hope to release a new patch in the nearest future.

How does that work?

Attacks on a vulnerability in Ultimate Member were detected by Wordfence specialists, who warn that criminals use a bug in the plugin’s registration form to set arbitrary meta-values for their accounts.

In particular, hackers set the wp_capabilities meta-value to assign themselves the role of administrator. Obviously, that gives them full access to the vulnerable resource. The plugin has a black list of keys that users can’t update, which may ease the problem. Nonetheless, researchers say that it’s quite easy to bypass this protective measure.

Sites hacked using CVE-2023-3460 will have the following indicators of compromise:

1. the appearance of new administrative records on the site;
2. use of wpenginer, wpadmins, wpengine_backup, se_brutal, segs_brutal;
3. logs showing that IP-addresses known to be malicious have accessed the Ultimate Member registration page;
4. logs that fixed access with 146.70.189.245, 103.187.5.128, 103.30.11.160, 103.30.11.146 and 172.70.147.176;
5. the appearance of a record with an email address associated with exelica.com;
6. installation of new plugins and those on the site.

The critical vulnerability remains unfixed and extremely easy to use. WordFence recommends all administrators to immediately remove the Ultimate Member plugin. Experts explain that even the specific firewall setups do not cover all possible scenarios of exploitation. So for now, removing the plugin remains the only possible solution.

The post Hackers Actively Exploit the 0-Day Vulnerability in the Ultimate Member WordPress Plugin appeared first on Gridinsoft Blog.

One of the world’s largest hosters and domain name registrars, GoDaddy, reports that hackers have compromised the company’s infrastructure. Worse, the company concluded that this was just one in a series of related incidents. It turns out that unknown attackers had access to the company’s systems for several years, were able to install malware on its servers, and stole the source code.

Let me remind you that we also reported that the Epik hoster hack affected 15 million users, not just the company’s clients, and also that Fosshost, an Open-Source Project Hosting, Is Closing Down as Its Leader Disappeared.

According to a report filed by the company with the U.S. Securities and Exchange Commission, the security breach was discovered in December 2022, when customers began reporting that their sites were being used to redirect visitors to random domains. After conducting an investigation, GoDaddy experts came to disappointing conclusions:

It turned out that in December 2022, an attacker gained access to cPanel hosting servers, which customers use to manage sites hosted by GoDaddy. Then the hackers installed some kind of malware on the servers, and the malware “periodically redirected random client sites to malicious ones.”

In addition, incidents dated November 2021 and March 2020 are also reported to have been linked to these attackers.

Let me remind you that in 2021 it became known about the strange compromise of 1.2 million sites running on WordPress. All affected resources were hosted by GoDaddy, and then the company claimed that there was a hack and data leakage: the attackers gained access to the email addresses of all affected clients, their WordPress administrator passwords, sFTP and database credentials, and private SSL keys.

In 2020, GoDaddy notified 28,000 customers that in October 2019, attackers used their credentials to log into a hosting account and connect to their account via SSH.

Now, GoDaddy says it has found additional evidence linking these attackers to a larger malware campaign that has been going on for years against other hosting companies around the world.

GoDaddy is known to have engaged third-party security experts in the ongoing investigation and is also working with law enforcement around the world to uncover the source of these years-long attacks.

The post Hackers Attacked GoDaddy and Stayed on the Company’s Systems for Several Years appeared first on Gridinsoft Blog.

Three popular WordPress plugins, with tens of thousands of active installations, at once turned out to have critical SQL injection vulnerabilities. In addition, PoC exploits for these bugs are now publicly available.

The vulnerabilities were discovered by Tenable, who notified WordPress developers about them back in mid-December 2022, providing them with proof-of-concept exploits. Currently, plugin authors have already released patches to solve problems, so the researchers have revealed the technical details of the bugs found.

Let me remind you that we also wrote that GoTrim Malware Hacks WordPress Sites, and also that Ukraine Was Hit by DDoS Attacks from Hacked WordPress Sites.

Information security specialists also informed that Hackers Scanned 1.6 Million WordPress Sites Looking for a Vulnerable Plugin.

The first plugin vulnerable to SQL injection is Paid Memberships Pro, a membership and subscription management plugin used by over 100,000 sites.

The vulnerability is being tracked as CVE-2023-23488 (CVSS score 9.8, i.e. critical) and affects all plugin versions older than 2.9.8. The issue has been fixed with the release of version 2.9.8.

The second vulnerable plugin is Easy Digital Downloads, an e-commerce and digital file selling plugin with over 50,000 active installations.

The vulnerability is being tracked as CVE-2023-23489 (also 9.8 on the CVSS scale) and affects all versions of the plugin older than 3.1.0.4 released before January 5, 2023.

Tenable also discovered a CVE-2023-23490 issue in the Survey Marker plugin used by 3,000 survey sites. The vulnerability received a CVSS score of 8.8, as an attacker must be authenticated (at least as a subscriber) in order to exploit the bug. Unfortunately, this condition can be easily met, since many sites allow visitors to register as members.

The vulnerability in the plugin was fixed with the release of version 3.1.2 at the end of December 2022.

The post Exploits for Vulnerabilities in Three Popular WordPress Plugins Appeared on the Network appeared first on Gridinsoft Blog.

Fortinet specialists have discovered a new GoTrim malware written in Go that scans the Internet for WordPress sites and brute-forces them by guessing the administrator password.

Such attacks can lead to the deployment of malware, the introduction of scripts on websites to steal bank cards, the placement of phishing pages, and other attack scenarios that potentially affect millions of users (depending on the popularity of the hacked resources).

Let me remind you that we also wrote that New Version of Truebot Exploits Vulnerabilities In Netwrix Auditor And Raspberry Robin Worm, and also that Ukraine Was Hit by DDoS Attacks from Hacked WordPress Sites.

Experts write that GoTrim is still in development, but already has powerful features. Botnet attacks began at the end of September 2022 and are still ongoing.

Malware operators provide their bots with a long list of target resources and a list of credentials, after which the malware connects to each site and tries to brute force administrator accounts using logins and passwords from the existing list.

If successful, GoTrim logs in to the hacked site and sends information about the new infection to the command and control server (including the bot ID in the form of an MD5 hash). The malware then uses PHP scripts to extract the GoTrim bot client from a hard-coded URL, and then removes both the script and the brute force component from the infected system.

Actually, GoTrim can work in two modes: “client” and “server”. In client mode, the malware initiates a connection to the botnet’s control server, while in server mode it launches an HTTP server and waits for incoming requests. For example, if a hacked endpoint is directly connected to the Internet, the malware uses server mode by default.

GoTrim sends requests to the attacker’s server every few minutes, and if the bot does not receive a response after 100 attempts, it will stop working.

The C&C server can send the following encrypted commands to GoTrim:

1. check provided credentials for WordPress domains;
2. check provided credentials for Joomla! (not yet implemented);
3. check provided credentials for OpenCart domains;
4. verify provided credentials for Data Life Engine domains (not yet implemented);
5. detect installations of CMS WordPress, Joomla!, OpenCart or Data Life Engine in the domain;
6. eliminate malware.

Interestingly, the botnet tried to avoid the attention of the WordPress security team and did not attack sites hosted on WordPress.com, only targeting sites with their own servers. This is implemented by checking the Referer HTTP header for “wordpress.com”.

It is also noted that if the target site uses a CAPTCHA plugin to fight bots, the malware will detect it and download the appropriate solver. GoTrim currently supports seven popular CAPTCHA plugins.

In addition, experts noticed that the botnet avoids attacking sites hosted on 1gb.ru, but the exact reasons for this behavior have not been established, although it is very possible that the hackers who created the malware are simply in Russia, but are looking for an opportunity to launder money.

To protect against GoTrim and other similar threats, experts recommend that site administrators use strong passwords, do not reuse passwords, and always use two-factor authentication, if possible.

The post GoTrim Malware Hacks WordPress Sites appeared first on Gridinsoft Blog.

Let me remind you that we also wrote that 0-day Vulnerability in WordPress BackupBuddy Plugin Attacked Over 5 million Times, and also that Ukraine Was Hit by DDoS Attacks from Hacked WordPress Sites.

Attackers use compromised resources for “black hat SEO”, adding about 20,000 files to each site and redirecting visitors to fake Q&A forums¹.

Fake Q&A Forum

Researchers believe that with the help of these files, attackers are trying to increase the number of indexed pages and thus improve the ranking of their fake question-and-answer sites in search engines. Apparently, in the future, these sites are planned to be used to distribute malware or phishing campaigns, since even a short hit on the first page of Google search results can lead to many infections. Another scenario is also possible when an ads.txt file found on fake resources. It is likely that the operators of this company intend to attract traffic for advertising fraud.

Researchers say that on hacked sites, hackers modify WordPress PHP files, including wp-singup.php, wp-cron.php, wp-settings.php, wp-mail.php, and wp-blog-header.php, injecting redirects to fake Q&A forums. Also, in some cases, attackers place their own PHP files on victims’ sites using random or pseudo-legitimate names, such as wp-logln.php.

Malicious PHP

All of these files contain malicious code that checks if the visitor is logged into WordPress, and if the answer is negative, the user is redirected to https://ois[.]is/images/logo-6.png. This PNG file uses the window.location.href function to generate Google Search redirects to one of the following target domains:

1. en.w4ksa[.]com
2. peace.yomeat[.]com
3. qa.bb7r[.]com
4. en.ajeel[.]store
5. qa.istisharaat[.]com
6. en.photolovegirl[.]com
7. en.poxnel[.]com
8. qa.tadalafilhot[.]com
9. questions.rawafedpor[.]com
10. qa.elbwaba[.]com
11. questions.firstgooal[.]com
12. qa.cr-halal[.]com
13. qa.aly2um[.]com

Since attackers use many subdomains, the full list of target domains contains more than 1000 entries.

Thus, instead of the image (logo-6.png), JavaScript will be loaded in browsers, which will redirect the visitor to a URL that simulates a click on a Google search result, which, in turn, already leads to a Q&A site promoted by attackers. In this way, hackers try to trick the system and pretend that their sites are popular, in the hope of increasing their ranking in search results.

In addition, such redirects make the traffic look more like normal traffic, which is likely to bypass some security solutions.

PNG file

At the same time, it must be said that nothing will happen to a user logged into WordPress, since the site administrator should not detect suspicious activity. After all, then he can get rid of malicious PHP files.

Since most of the malicious sites hide their servers behind Cloudflare, Sucuri analysts were unable to learn more about the operators of this campaign. Judging by the fact that all sites use the same templates, and all of them are created using automated tools, there is clearly one group behind this massive campaign.

Also, the researchers were unable to find out exactly how the attackers hacked into the sites of the victims, which they then used for their redirects. Most likely, hackers exploit vulnerable plugins or simply brute force administrator passwords.

The post Attackers Hacked 15,000 Websites to Poison SEO appeared first on Gridinsoft Blog.

The BackupBuddy plugin allows users to backup their entire WordPress installation right from the dashboard, including theme files, pages, posts, widgets, users and media files and so on.

Let me remind you that we also talked about Ukraine Was Hit by DDoS Attacks from Hacked WordPress Sites, and also that About 30% of critical vulnerabilities in WordPress plugins remain unpatched.

The 0-day vulnerability has been identified as CVE-2022-31474 (CVSS 7.5) and affects BackupBuddy versions 8.5.8.0 through 8.7.4.1. The problem was fixed in early September, with the release of version 8.7.5.

The researchers explain that the bug allows unauthorized parties to download arbitrary files from the vulnerable site that may contain sensitive information. It is known that the problem is related to the Local Directory Copy function, which is designed to store a local copy of backups.

According to Wordfence, the attacks on CVE-2022-31474 began on August 26, 2022, and since that date, nearly five million hack attempts have been recorded. Most hackers tried to read the following files:

1. /etc/passwd
2. /wp-config.php
3. .my.cnf
4. .accesshash

BackupBuddy users are now strongly advised to update the plugin to the latest version. If users believe that they may have been compromised, it is recommended to immediately reset the database password, change the WordPress salts and API keys stored in wp-config.php.

The post 0-day Vulnerability in WordPress BackupBuddy Plugin Attacked Over 5 million Times appeared first on Gridinsoft Blog.