Search This Blog

Powered by Blogger.

Blog Archive

Labels

Showing posts with label Plugins. Show all posts

Infostealer-Injecting Plugins infect Thousands of WordPress Sites

 

Hackers are using WordPress sites to install malicious plugins that propagate malware that steals information by displaying fake updates and errors.

Infostealing malware has become a global nuisance for security defenders in recent years, as compromised credentials are used to infiltrate networks and steal data. 

Since 2023, a malicious campaign known as ClearFake has been used to display bogus web browser update banners on compromised sites that spread data-stealing malware. 

A new campaign named ClickFix was launched in 2024; it is quite similar to ClearFake, but it poses as software error warnings with fixes included. These "fixes" are actually PowerShell scripts that, when executed, will download and install malware that steals data. 

This year has seen a rise in ClickFix attacks, in which threat actors hack websites to show banners displaying fake issues for Facebook, Google Meet conferences, Google Chrome, and even captcha pages. 

Malicious WordPress plugins

Last week, GoDaddy disclosed that the ClearFake/ClickFix threat actors had infiltrated over 6,000 WordPress sites, installing malicious plugins that displayed the fake alerts associated with these operations. 

"The GoDaddy Security team is tracking a new variant of ClickFix (also known as ClearFake) fake browser update malware that is distributed via bogus WordPress plugins," notes GoDaddy security researcher Denis Sinegubko. "These seemingly legitimate plugins are designed to appear harmless to website administrators but contain embedded malicious scripts that deliver fake browser update prompts to end-users.” 

Sucuri, a website security firm, has also identified a fraudulent plugin called "Universal Popup Plugin" as part of this operation. When installed, the malicious plugin will hook into various WordPress activities, depending on the type, and inject a malicious JavaScript script into the site's HTML.

Sinegubko's analysis of web server access logs indicates that the threat actors are using stolen admin credentials to enter into the WordPress site and install the plugin in an automated manner. Threat actors log in with a single POST HTTP request rather than first accessing the site's login page. This shows that the process is automated after the credentials have been received. 

Although it's unknown how the threat actors are getting the credentials, the researcher points out that it might be through information-stealing malware, phishing, and brute force attempts in the past.

WordPress Vulnerabilities, Exploiting LiteSpeed Cache and Email Subscribers Plugins

 

In recent cybersecurity developments, hackers have been leveraging a critical vulnerability within the LiteSpeed Cache plugin for WordPress to exploit websites running outdated versions. LiteSpeed Cache, a popular caching plugin utilized by over five million WordPress sites, is designed to enhance page load times, improve user experience, and boost search engine rankings. 

However, security experts at Automattic's security team, WPScan, have observed a significant increase in malicious activities targeting WordPress sites with versions of the LiteSpeed Cache plugin older than 5.7.0.1. The vulnerability in question, tracked as CVE-2023-40000, is a high-severity unauthenticated cross-site scripting flaw. 

Attackers are taking advantage of this vulnerability to inject malicious JavaScript code into critical WordPress files or the database of vulnerable websites. By doing so, they are able to create administrator-level user accounts with specific names like 'wpsupp-user' or 'wp-configuser.' Additionally, the presence of certain strings, such as "eval(atob(Strings.fromCharCode," within the database, serves as an indicator of an ongoing compromise. 

Despite efforts by many LiteSpeed Cache users to update to newer, non-vulnerable versions, an alarming number of sites—up to 1,835,000—still operate on outdated releases, leaving them susceptible to exploitation. In a separate incident, hackers have turned their attention to another WordPress plugin called "Email Subscribers," exploiting a critical SQL injection vulnerability, CVE-2024-2876. 

This vulnerability, affecting plugin versions 5.7.14 and older, allows attackers to execute unauthorized queries on databases, thereby creating new administrator accounts on vulnerable WordPress sites. Although "Email Subscribers" boasts a significantly lower number of active installations compared to LiteSpeed Cache, with approximately 90,000, the observed attacks highlight the opportunistic nature of cybercriminals. 

To address these threats effectively, WordPress site administrators are urged to promptly update plugins to the latest versions, remove unnecessary components, and remain vigilant for signs of suspicious activity, such as the sudden creation of new admin accounts. In the event of a confirmed breach, comprehensive cleanup measures are essential, including the deletion of rogue accounts, password resets for all existing accounts, and the restoration of clean backups for both the database and site files. By staying proactive and implementing robust security practices, website owners can minimize the risk of falling victim to such malicious activities and safeguard their online assets effectively.

Security Flaws Discovered in ChatGPT Plugins

 


Recent research has surfaced serious security vulnerabilities within ChatGPT plugins, raising concerns about potential data breaches and account takeovers. These flaws could allow attackers to gain control of organisational accounts on third-party platforms and access sensitive user data, including Personal Identifiable Information (PII).

According to Darren Guccione, CEO and co-founder of Keeper Security, the vulnerabilities found in ChatGPT plugins pose a significant risk to organisations as employees often input sensitive data, including intellectual property and financial information, into AI tools. Unauthorised access to such data could have severe consequences for businesses.

In November 2023, ChatGPT introduced a new feature called GPTs, which function similarly to plugins and present similar security risks, further complicating the situation.

In a recent advisory, the Salt Security research team identified three main types of vulnerabilities within ChatGPT plugins. Firstly, vulnerabilities were found in the plugin installation process, potentially allowing attackers to install malicious plugins and intercept user messages containing proprietary information.

Secondly, flaws were discovered within PluginLab, a framework for developing ChatGPT plugins, which could lead to account takeovers on third-party platforms like GitHub.

Lastly, OAuth redirection manipulation vulnerabilities were identified in several plugins, enabling attackers to steal user credentials and execute account takeovers.

Yaniv Balmas, vice president of research at Salt Security, emphasised the growing popularity of generative AI tools like ChatGPT and the corresponding increase in efforts by attackers to exploit these tools to gain access to sensitive data.

Following coordinated disclosure practices, Salt Labs worked with OpenAI and third-party vendors to promptly address these issues and reduce the risk of exploitation.

Sarah Jones, a cyber threat intelligence research analyst at Critical Start, outlined several measures that organisations can take to strengthen their defences against these vulnerabilities. These include:


1. Implementing permission-based installation: 

This involves ensuring that only authorised users can install plugins, reducing the risk of malicious actors installing harmful plugins.

2. Introducing two-factor authentication: 

By requiring users to provide two forms of identification, such as a password and a unique code sent to their phone, organisations can add an extra layer of security to their accounts.

3. Educating users on exercising caution with code and links: 

It's essential to train employees to be cautious when interacting with code and links, as these can often be used as vectors for cyber attacks.

4. Monitoring plugin activity constantly: 

By regularly monitoring plugin activity, organisations can detect any unusual behaviour or unauthorised access attempts promptly.

5. Subscribing to security advisories for updates:

Staying informed about security advisories and updates from ChatGPT and third-party vendors allows organisations to address vulnerabilities and apply patches promptly.

As organisations increasingly rely on AI technologies, it becomes crucial to address and mitigate the associated security risks effectively.


ChatGPT: Security and Privacy Risks

ChatGPT is a large language model (LLM) from OpenAI that can generate text, translate languages, write different kinds of creative content, and answer your questions in an informative way. It is still under development, but it has already been used for a variety of purposes, including creative writing, code generation, and research.

However, ChatGPT also poses some security and privacy risks. These risks are highlighted in the following articles:

  • Custom instructions for ChatGPT: This can be useful for tasks such as generating code or writing creative content. However, it also means that users can potentially give ChatGPT instructions that could be malicious or harmful.
  • ChatGPT plugins, security and privacy risks:Plugins are third-party tools that can be used to extend the functionality of ChatGPT. However, some plugins may be malicious and could exploit vulnerabilities in ChatGPT to steal user data or launch attacks.
  • Web security, OAuth: OAuth, a security protocol that is often used to authorize access to websites and web applications. OAuth can be used to allow ChatGPT to access sensitive data on a user's behalf. However, if OAuth tokens are not properly managed, they could be stolen and used to access user accounts without their permission.
  • OpenAI disables browse feature after releasing it on ChatGPT app: Analytics India Mag discusses OpenAI's decision to disable the browse feature on the ChatGPT app. The browse feature allowed ChatGPT to generate text from websites. However, OpenAI disabled the feature due to security concerns.

Overall, ChatGPT is a powerful tool with a number of potential benefits. However, it is important to be aware of the security and privacy risks associated with using it. Users should carefully consider the instructions they give to ChatGPT and only use trusted plugins. They should also be careful about what websites and web applications they authorize ChatGPT to access.

Here are some additional tips for using ChatGPT safely:

  • Be careful what information you share with ChatGPT. Do not share any sensitive information, such as passwords, credit card numbers, or personal health information.
  • Use strong passwords and enable two-factor authentication on all of your accounts. This will help to protect your accounts from being compromised, even if ChatGPT is compromised.
  • Keep your software up to date. Software updates often include security patches that can help to protect your devices from attack.
  • Be aware of the risks associated with using third-party plugins. Only use plugins from trusted developers and be careful about what permissions you grant them.
While ChatGPT's unique instructions present intriguing potential, they also carry security and privacy risks. To reduce dangers and guarantee the safe and ethical use of this potent AI tool, users and developers must work together.

Defective WordPress Plugin Permits Full Invasion

 

According to security researchers, a campaign scanning almost 1.6 million websites was made to take advantage of an arbitrary file upload vulnerability in a previously disclosed vulnerable WordPress plugin.

Identified as CVE-2021-24284, the vulnerability that affects Kaswara Modern WPBakery Page Builder Addons, when exploited, gives an unauthorized attacker access to sites using any version of the plugin and enables them to upload and delete files or instead gain complete control of the website.

Wordfence reported the vulnerability over three months ago, and in a new alert this week it warned that attackers are scaling up their attacks, which began on July 4 and are still active. The WordPress security provider claims to have halted 443,868 attacks on client websites per day and strives to do the same till date. Daily, on average, 443,868 tries are made.

Malicious code injection  

The hacker attempts to upload a spam ZIP payload that contains a PHP file using the plugin's 'uploadFontIcon' AJAX function by sending a POST request to 'wp-admin/admin-ajax/php'.

Afterward, this file pulls the NDSW trojan, which inserts code into the target sites' legitimate Javascript files to reroute users to dangerous websites including phishing and malware-dropping sites. You've likely been infected if any of your JavaScript files contain the string "; if(ndsw==" or if these files themselves contain the "; if(ndsw==" string.

All versions of the software are vulnerable to an attack because the bug was never patched by the software creators, and the plugin is currently closed. The bug hunters stated that although 1,599,852 different sites were hit, a bulk of them wasn't hosting the plugin, and they believed that between 4,000 and 8,000 sites still have the vulnerable plugin installed.

Blocking the attackers' IP addresses is advised even if you are not utilizing the plugin. Visit Wordfence's blog for additional information on the indicators and the sources of requests that are the most common.

If you're still using it, you need to remove the Kaswara Modern WPBakery Page Builder Addons plugin from your WordPress website.

Brizy WordPress Plugin Exploit Chains Permit Full Site Takeovers

 

According to researchers, flaws in the Brizy Page Builder plugin for WordPress sites may be linked together to allow attackers to totally take over a website. 

Brizy (or Brizy - Page Builder) is used on over 90,000 websites. It's advertised as an easy-to-use website builder for individuals with no technical knowledge. It has over 500 pre-designed blocks, maps and video integration, and drag-and-drop creation capability. 

Before version 2.3.17, it also had a stored cross-site scripting (XSS) vulnerability and an arbitrary file-upload vulnerability, according to researchers. 

“During a routine review of our firewall rules, we found traffic indicating that a vulnerability might be present in the Brizy – Page Builder plugin, though it did not appear to be under active attack,” researchers at Wordfence explained in a Wednesday posting. 

“This led us to discover two new vulnerabilities as well as a previously patched access-control vulnerability in the plugin that had been reintroduced.” 

According to the researchers, the two new flaws may be chained together with the reintroduced access control weakness to enable total site takeover. Any logged-in user, in combination with the stored XSS flaw, would be able to edit any published post and inject malicious JavaScript into it. Meanwhile, a combination with the other flaw may allow any logged-in user to post potentially executable files and achieve remote code execution. 

A Reintroduced Access Control Bug Serves as the Attack's Foundation

The previous access-control problem (now listed as CVE-2021-38345) was fixed in June 2020 but reappeared this year in version 1.0.127. According to Wordfence, it's a high-severity problem caused by a lack of adequate authorisation checks, allowing attackers to edit posts. The plugin used a pair of administrator functions for a wide range of authorization checks, and any user that passed one of these tests was considered to be an administrator.

"Being logged in and visiting any endpoint in the wp-admin directory was sufficient to pass this check," as per the researchers. 

As a result, all logged-in users, such as newsletter subscribers, were able to alter any post or page made or updated with the Brizy editor, even if it had already been published. 

According to Wordfence’s analysis, “While this vulnerability might only be a nuisance on its own, allowing attackers to replace the original contents of pages, it enabled two additional vulnerabilities that could each be used to take over a site.” 
 
The first follow-on bug (CVE-2021-38344) is a medium-severity stored XSS flaw that allows intruders to insert malicious scripts into web pages. Because it is a stored XSS issue rather than a reflected one, victims are only required to visit the affected page to be attacked. 

The flaw allows a less-privileged user (such as a contributor or subscriber) to attach JavaScript to an update request, which is subsequently executed if the post is read or previewed by another user, such as an administrator. It becomes hazardous, however, when paired with the authorisation bypass, according to the researchers. 

The second new vulnerability is a high-severity arbitrary file-upload flaw (CVE-2021-38346), which might allow authenticated users to post files to a website. According to Wordfence researchers, the authorization check vulnerability allows subscriber-level users to elevate their privileges and subsequently upload executable files to a place of their choice via the brizy_create_block_screenshot AJAX method. According to the evaluation, other types of assaults are also possible.

“While the plugin appended .JPG to all uploaded filenames, a double extension attack was also possible,” researchers explained. 

“For instance, a file named shell.php would be saved as shell.php.jpg, and would be executable on a number of common configurations, including Apache/modPHP with an AddHandler or unanchored SetHandler directive. An attacker could also prepend their filename with ../ to perform a directory traversal attack and place their file in an arbitrary location, which could potentially be used to circumvent execution restrictions added via .htaccess.” 

Thus, “by supplying a file with a .PHP extension in the id parameter, and base64-encoded PHP code in the ibsf parameter, an attacker could effectively upload an executable PHP file and obtain full remote code execution on a site, allowing site takeover,” they added. 

Users can protect themselves by switching to the most recent version of the plugin, 2.3.17.

WooCommerce Multi Currency Bug Allows Customers to Modify the Cost of Items on Online Stores

 

A security flaw in the WooCommerce Multi Currency plugin might allow any consumer to alter product prices in online stores. WooCommerce Multi Currency enables consumers to switch currencies and assists the shop in accepting multi-currency payments. It is possible to set the exchange rate manually or automatically. The plugin may automatically detect the customer's location and display the price in their local currency. 

WooCommerce is a WordPress-based eCommerce plugin; the Multi Currency plugin from Envato, on the other hand, allows WooCommerce users to customise prices for foreign customers. On the Envato Marketplace, it has a total of 7,700 sales. 

According to Ninja Technologies Network (NinTechNet), the problem is a broken access-control vulnerability in Multi Currency version 2.1.17 and lower, which affects the “Import Fixed Price” feature, which allows eCommerce sites to set custom prices, overwriting any prices calculated automatically by exchange rate. 

“The import function, import_csv(), is loaded by the wmc_bulk_fixed_price AJAX hook in the “woocommerce-multi-currency/includes/import-export/import-csv.php” script,” according to a NinTechNet analysis on Monday. “The function lacks a capability check and a security nonce, and therefore is accessible to all authenticated users, which includes WooCommerce customers.” 

Cybercriminals might take advantage of the flaw by uploading a specially prepared CSV file to the site that contains the current currency of a product as well as the product ID. According to experts, this permits them to modify the price of one or more items. A comma-separated values (CSV) file allows you to save data in a tabular format. Most spreadsheet programmes, such as Microsoft Excel or Google Spreadsheets, can open SV files. They vary from other spreadsheet file types in that they can only contain a single sheet and do not store cell, column, or row information. In addition, formulas cannot be saved in this format. 

“The vulnerability is particularly damaging for online shops selling digital goods because the attacker will have time to download the goods,” they said. “It is important to verify every order because the hack doesn’t change the product’s price in the backend, hence the shop manager may unlikely notice it immediately.” 

Patching needs for WooCommerce users have been increasing recently. Envato's WooCommerce Dynamic Pricing and Discounts plugin was discovered to have two security vulnerabilities in late August, which may allow unauthenticated attackers to inject malicious code onto websites running unpatched versions. This can lead to a number of assaults, such as website redirection to phishing pages, the injection of malicious scripts on product pages, and so on.

WordPress Sites Affected by Bugs in Gutenberg Template Library and Redux Framework

 

The Gutenberg Template Library & Redux Framework plugin for WordPress, which is deployed on over 1 million websites, has two vulnerabilities. According to the researchers, these might enable arbitrary plugin installation, post deletions, and access to potentially sensitive information about a site's configuration. Redux.io's plugin provides a variety of templates and building blocks for developing web pages in WordPress' Gutenberg editor. 

This plugin is a collection of WordPress Gutenberg blocks that allow publishers to quickly create websites using pre-built “blocks” while utilizing the Gutenberg interface. 

The first vulnerability (CVE-2021-38312) is rated as high-severity on the CVSS scale, with a score of 7.1 out of 10. It's caused by the plugin's use of the WordPress REST API, which handles requests to install and manage blocks. According to Wordfence, it fails to properly allow user permissions. 

The WordPress REST API allows apps to communicate with the user's WordPress site by sending and receiving data in JSON (JavaScript Object Notation) objects. It's the backbone of the WordPress Block Editor, and it may also help the user's theme, plugin, or custom app create new, more sophisticated interfaces for managing and publishing the user's site's content. 

“While the REST API Endpoints registered under the redux/v1/templates/ REST Route used a permission_callback to verify a user’s permissions, this call-back only checked whether or not the user sending the request had the edit_posts capability,” Wordfence researchers said in a Wednesday posting. Users with lower rights, such as contributors and authors, may utilize the redux/v1/templates/plugin-install endpoint to install any plugin from the WordPress repository, or the redux/v1/templates/delete_saved_block endpoint to delete posts, according to the researchers. 

The second vulnerability, a medium-severity flaw (CVE-2021-38314), has a CVSS score of 5.3. It exists because the Gutenberg Template Library & Redux Framework plugin registers numerous AJAX actions that are available to unauthenticated users, one of which is deterministic and predictable, allowing for the discovery of a site's $support_hash. 

“This $support_hash AJAX action, which was also available to unauthenticated users, called the support_args function in redux-core/inc/classes/class-redux-helpers.php, which returned potentially sensitive information such as the PHP version, active plugins on the site and their versions, and an unsalted md5 hash of the site’s AUTH_KEY and SECURE_AUTH_KEY,” according to Wordfence. An attacker may use the information to plot a website takeover using other vulnerable plugins, according to the researchers.

WordPress Websites Infected with Malware Via Fake jQuery Files


Cybersecurity experts discovered fake variants of the jQuery Migrate plugin inserted in various sites that had unclear codes to launch malware. The files are tagged as jquery-migrate.min.js and jquery-migrate.js, currently located where Java files are generally found on WordPress websites but in reality are fake. Presently, around 7 Million websites use the jQuery Migrate plugin, the popularity of the plugin may have led hackers to use it as a decoy to plant their malware under the plugin name. 

Cybersecurity experts Adrian Stoian and Denis Sinegubko earlier this week discovered fake jQuery files pretending to be jQuery migrate plugins on several websites. To avoid getting caught, the infected files interchange with legitimate files having ./wp-includes/js/jquery/ directory where all the WordPress files are present. 

These counterfeit files have further muddled the codes using an anonymous analytics.js file containing malicious codes. As of now, the threat level of this attack is yet to be determined, but a search query shared by Sinegubko revealed that the malicious code infected around forty web pages.  

The filename 'analytics' however, has nothing to do with the metrics of websites. Bleeping computer enquired some infected file codes. "The code has references to "/wp-admin/user-new.php" which is the WordPress administration page for creating new users. Moreover, the code accesses the _wpnonce_create-user variable which WordPress uses to enforce Cross-Site Request Forgery (CSRF) protections," reports Bleeping Computer. 

In general, if the hackers get the CSRF tokens, it allows them to imitate fake requests from the user end. Attaching these malicious scripts on WordPress websites allows hackers to deploy various cyberattacks using that may vary from credit card skimming for Megacart scams or redirecting users to scammed websites. Here, the victims may be led to fake survey forums, tech assistance frauds, requests for subscribing to spam notifications, or installing malicious browser extensions.  

Helpnet Security reports, "everyone with half a mind for security will tell you not to click on links in emails, but few people can explain exactly why you shouldn’t do that. Clicking on that link means that an attacker can fake any user-supplied input on a site and make it indistinguishable from a user doing it themselves."

The “Real-Time Find and Replace” Wordpress Plugin Updated To Address A High Severity Vulnerability



So as to address a high severity vulnerability, the “Real-Time Find and Replace” WordPress plugin was updated as of late in order to forestall the exploitation to infuse code into sites.

The plugin, accessible as open source and has over 100,000 installations is intended to permit WordPress site admins to dynamically supplant HTML content from themes and different plugins with the content on their personal preference before the page is served to users.

The vulnerability recognized by the name of 'Cross-Site Request Forgery (CSRF)' prompting Cross-Site Scripting (XSS), could have permitted an attacker to infuse malignant JavaScript code on a target site, yet just by fooling the administrator into performing explicit actions, such as clicking a link.

The core of the plugin's 'functionality' for including the find and replace rules in the function far_options_page, which didn't confirm the integrity of a request's source, since it didn't utilize nonce verification, WordPress Security Company Defiant had discovered.

 By supplanting an HTML tag like <head> with noxious JavaScript, an attacker would ensure that their code executes on about each page of the targeted site. Utilizing the infused code, the attacker could make another administrative account; steal session cookies, or direct clients to a malevolent site.

Defiant detailed the vulnerability to the plugin's developer on April 22 and the security flaw was tended to the same day.

The security company Defiant says, “Any attacker capable of tricking a site owner into executing an unwanted action could replace any content or HTML on a vulnerable site with new content or malicious code. This replacement code or content would then execute anytime a user navigated to a page that contained the original content. ”

“In the most up to date version, a nonce has been added along with a check_admin_referer nonce verification function to ensure the legitimacy of the source of a request,” Defiant explained further.

Version 4.0.2 or newer of the Real-Time Find and Replace plugin includes a patch for the bug, and users are advised to update the plugin as soon as possible to ensure their WordPress websites are protected.