Search This Blog
Powered by Blogger.

Blog Archive

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label Patchstack. Show all posts
Wordpress Vulnerability
brute-force protection CVE-2024-50550 Cyber Security LiteSpeed Cache plugin Patchstack plugin security role simulation Security flaw Unauthorized access update LiteSpeed Cache Wordpress Vulnerability

Critical Security Vulnerability Found in LiteSpeed Cache Plugin: Urgent Update Advised for WordPress Users

 

A significant security flaw has been uncovered in the LiteSpeed Cache plugin, used by over 6 million WordPress sites, which could allow unauthorized visitors to gain administrator-level access. The vulnerability stems from a weakness in the plugin's role simulation feature, making it possible for attackers to bypass security and install harmful plugins.

The LiteSpeed Cache plugin, popular for site performance enhancements, is compatible with widely-used WordPress plugins like WooCommerce, bbPress, and Yoast SEO.

According to cybersecurity firm Patchstack, this vulnerability results from weak hash checks, which can be exploited under certain administrator-defined configurations. The issue is particularly pronounced when high run durations and minimal load limits are applied within the plugin's Crawler feature.

Listed as CVE-2024-50550, the vulnerability is concerning due to its susceptibility to brute-force attacks, enabling attackers to bypass essential security mechanisms.

Specific configurations that make this vulnerability more likely include:
  • Enabling the Crawler feature with run durations between 2500-4000 seconds
  • Setting the server load limit to 0
  • Activating role simulation for administrator-level users
  • Recommended Actions to Mitigate the Risk
  • In response, LiteSpeed has removed the role simulation feature and enhanced hash generation processes. The company has also shared plans with Patchstack to introduce more sophisticated random value generation in future updates to further safeguard against brute-force exploits.
Patchstack recommends that all LiteSpeed Cache users update to version 6.5.2 or later to mitigate these risks.

"This vulnerability underscores the importance of strong, unpredictable values for security hashes or nonces," Patchstack noted, adding that features like role simulation should always include robust access controls.

Additionally, administrators are advised to review plugin settings, optimizing configurations like Crawler run duration and load limits to strengthen security.
Read more »
SQL
2FA CVE CVE vulnerability CVEs Cyber Security E-Commerce Websites Patchstack PII Plugin Plugin Flaws SQL

Critical Vulnerability in TI WooCommerce Wishlist Plugin Exposes 100K+ Sites to SQL Attacks

 

A critical vulnerability in the widely-used TI WooCommerce Wishlist plugin has been discovered, affecting over 100,000 WordPress sites. The flaw, labeled CVE-2024-43917, allows unauthenticated users to execute arbitrary SQL queries, potentially taking over the entire website. With a severity score of 9.3, the vulnerability stems from a SQL injection flaw in the plugin’s code, which lets attackers manipulate the website’s database. This could result in data breaches, defacement, or a full takeover of the site. As of now, the plugin remains unpatched in its latest version, 2.8.2, leaving site administrators vulnerable. 

Cybersecurity experts, including Ananda Dhakal from Patchstack, have highlighted the urgency of addressing this flaw. Dhakal has released technical details of the vulnerability to warn administrators of the potential risk and has recommended immediate actions for website owners. To mitigate the risk of an attack, website owners using the TI WooCommerce Wishlist plugin are urged to deactivate and delete the plugin as soon as possible. Until the plugin is patched, leaving it active can expose websites to unauthorized access and malicious data manipulation. If a website is compromised through this flaw, attackers could gain access to sensitive information, including customer details, order histories, and payment data. 

This could lead to unauthorized financial transactions, stolen identities, and significant reputational damage to the business. Preventing such attacks requires several steps beyond removing the vulnerable plugin. Website administrators should maintain an updated security system, including regular patching of plugins, themes, and the WordPress core itself. Using a Web Application Firewall (WAF) can help detect and block SQL injection attempts before they reach the website. It’s also advisable to back up databases regularly and ensure that backups are stored in secure, off-site locations. Other methods of safeguarding include limiting access to sensitive data and implementing proper data encryption, particularly for personally identifiable information (PII). 

Website administrators should also audit user roles and permissions to ensure that unauthorized users do not have access to critical parts of the site. Implementing two-factor authentication (2FA) for site logins can add an extra layer of protection against unauthorized access. The repercussions of failing to address this vulnerability could be severe. Aside from the immediate risk of site takeovers or data breaches, businesses could face financial loss, including costly recovery processes and potential fines for not adequately protecting user data. Furthermore, compromised sites could suffer from prolonged downtime, leading to lost revenue and a decrease in user trust. Rebuilding a website and restoring customer confidence after a breach can be both time-consuming and costly, impacting long-term growth and sustainability.  

In conclusion, to safeguard against the CVE-2024-43917 vulnerability, it is critical for website owners to deactivate the TI WooCommerce Wishlist plugin until a patch is released. Administrators should remain vigilant by implementing strong security practices and regularly auditing their sites for vulnerabilities. The consequences of neglecting these steps could lead to serious financial and reputational damage, as well as the potential for legal consequences in cases of compromised customer data. Proactive protection is essential to maintaining business continuity in the face of ever-evolving cybersecurity threats.
Read more »
WordPress
Cache Plugin Cyber Attacks CyberCrime Cyberhackers Cybersecurity CyberThreat LitesSpeed Patchstack Vulnerabilities WordPress

Critical LiteSpeed Cache Plugin Flaw CVE-2024-28000 Sparks a Surge in Cyberattacks

 


According to cyber security researchers, there is a critical security flaw in the LiteSpeed Cache plugin for WordPress that users can exploit without authentication to gain administrative privileges on the site. It is an all-in-one site acceleration plugin that features an exclusive server-level cache along with a suite of optimization features designed to make the websites more efficient with LiteSpeed Cache for WordPress. As a WordPress Multisite plugin, LowSide supports a wide range of plugins, including WooCommerce, bbPress, and Yoast SEO, for the best possible experience. 

There is no compatibility issue with ClassicPress when using LiteSpeed Cache for WordPress. In LiteSpeed Cache, which comes bundled with WordPress, there is a critical vulnerability that can allow attackers to take full control of millions of sites once a rogue admin account is created. This is an open-source and almost universally popular WordPress site acceleration plugin with over 5 million active installations, and it also supports WooCommerce, bbPress, ClassicPress, and Yoast SEO. It is available as a free download. 

In LiteSpeed Cache versions 6.3.0.1 and earlier, the plugin's user simulation feature has an unauthenticated privilege escalation vulnerability (CVE-2024-28000). As a result of this vulnerability, the highest bounty has been awarded in the history of bug bounty hunting for WordPress. This researcher has been rewarded USD 14,400 in cash through the Patchstack Zero Day program as part of this award. It would be great if anyone else interested in joining the community as well would be able to benefit from the program. 

This vulnerability has been automatically protected for all Patchstack users who have enabled protection, so they are no longer at risk. For only $5 per site per month, Patchstack offers a free Community account, where users can scan for vulnerabilities and apply protection for only $5 / site per month by creating a PatchStack account. It is the plugin's user simulation feature that is vulnerable to the vulnerability, as it uses a weak security hash as part of its security process. 

It must be said that the hash value is generated by using an insecure random number generator and the value is stored without being salted or related to a particular request made by the user.  The Patchstack security research tool warns that the hash is relatively easy to guess due to the limited number of possible values, which allows attackers to iterate through all possible hashes to discover the appropriate one and to simulate a user who is an administrator. 

This vulnerability affects all versions of the LiteSpeed Cache plugin for WordPress, from version 6.3.0.1 onwards. In addition, the plugin is susceptible to privilege escalation attacks. Certainly! Here is the rewritten information in a formal, expanded, and third-person tone: --- The security vulnerability identified as CVE-2024-28000 in the LiteSpeed Cache plugin has been linked to a critical issue concerning the improper restriction of role simulation functionality. This flaw allows a user with access to a valid hash—discoverable through debug logs or susceptible to brute-force attacks—to alter their current user ID to that of an administrator. 

This, in turn, enables unauthenticated attackers to impersonate an administrator and utilize the `/wp-json/wp/v2/users` REST API endpoint to create a new user account with administrative privileges. The vulnerability is present in all versions of the LiteSpeed Cache plugin up to and including version 6.3.0.1. The vulnerability was addressed in LiteSpeed Cache version 6.4, released on August 13, 2024. Website administrators utilizing the plugin are strongly advised to update to this latest version to prevent exploitation. 

The urgency of this update is underscored by a report from Wordfence, a leading WordPress security provider, which disclosed that over 30,000 attacks targeting CVE-2024-28000 were blocked within a single day. This surge in attacks illustrates the swift adoption of this exploit by cybercriminals, who are leveraging the vulnerability to compromise WordPress installations. Currently, the attacks are predominantly directed at non-Windows-based WordPress sites. This is because the vulnerability exploits a PHP method called `sys_getloadavg()`, which is not available on Windows systems. 

Consequently, while Windows-based WordPress installations are not vulnerable to this specific exploit, other systems remain at significant risk. The flaw was reported to Patchstack's bug bounty program by security researcher John Blackbourn on August 1, 2024. The LiteSpeed development team promptly created and released a patch with LiteSpeed Cache version 6.4 on August 13. Successful exploitation of this vulnerability can grant unauthenticated visitors administrator-level access, potentially allowing them to fully control compromised websites. 

This control includes installing malicious plugins, altering critical settings, redirecting traffic to harmful sites, distributing malware to visitors, or stealing user data. Additionally, in June 2024, the Wordfence Threat Intelligence team reported that a threat actor had compromised at least five plugins on WordPress.org, adding malicious PHP scripts to enable the creation of administrator accounts on affected websites. 

To protect against this vulnerability, Wordfence Premium, Wordfence Care, and Wordfence Response users were provided with a firewall rule effective from August 20, 2024. Users of the free version of Wordfence will receive similar protection starting on September 19, 2024.
Read more »
WordPress Plugin
Avada Builder Plugin Avada Theme Patchstack Security flaw Vulnerabilities and Exploits WordPress Plugin

Avada Theme and Plugin Witnesses Critical Vulnerabilities


Several vulnerabilities have been discovered in the popular Avada theme and its companion Avada Builder plugin by security researcher Rafie Muhammad from Patchstack, who revealed that many WordPress websites are vulnerable to these flaws. 

Avada Theme and Plugin

Avada theme – the most popular theme in WordPress – is the top-selling theme in ThemeForest, selling over 900,000 copies. The theme is paired with an Avada Builder plugin, developed by ThemeFusion.

This theme calls itself "The Complete WordPress Website Building Toolkit," and is geared for premium website builders. Without ever writing a single line of code, it can create everything from one-page business websites to an online marketplace.

Security Flaws

Among the many vulnerabilities exhibited in the Avada Builder plugin, the first is the Authentic SQL Injection(CVE-2023-39309). By exploiting this flaw, the threat actors may enable authentication access, followed by compromising sensitive data and may execute remote code. 

The second vulnerability, named ‘Reflected Cross-Site Scripting (XSS)’ vulnerability (identified as CVE-2023-39306) enables unauthenticated attackers to steal sensitive data and perhaps elevate their privileges on affected WordPress sites.

Additionally, Patchstack found a number of flaws in the Avada theme. A Contributor+ Arbitrary File Upload vulnerability (CVE-2023-39307) is the first among them. In this case, Contributors are given the authority to upload whatever file they choose, including potentially harmful PHP scripts, allowing remote code execution and jeopardizing the integrity of the site.

The discovery of a similar Author+ bug (CVE-2023-39312) is also significant. Here, Authors are given the option to post malicious zip files, potentially introducing the website as susceptible to vulnerabilities and remote code execution.

Also, this series of vulnerabilities include the Contributor+ Server-Side Request Forgery (SSRF) vulnerability (CVE-2023-39313). This flaw allows Contributors to send requests to internal WordPress services, which could lead to illegal actions or data access within the organizational structure.

The vulnerabilities were first discovered and reported to the Avada vendor on July 6, 2023, following which patched versions were made available on July 11. The security alert was made public on August 10, 2023, and Patchstack added the flaws to their database of vulnerabilities.

In order to address the flaws, users are advised to update their Avada Builder plugin to version 3.11.2 and the Avada theme to version 7.11.2, ensuring website security.

Read more »
Subscribe to: Posts (Atom)