WordPress plugin | Breaking Cybersecurity News | The Hacker News

WordPress has released version 6.4.2 with a patch for a critical security flaw that could be exploited by threat actors by combining it with another bug to execute arbitrary PHP code on vulnerable sites. "A remote code execution vulnerability that is not directly exploitable in core; however, the security team feels that there is a potential for high severity when combined with some plugins, especially in multisite installations," WordPress  said . According to WordPress security company Wordfence, the  issue  is rooted in the WP_HTML_Token class that was introduced in version 6.4 to improve HTML parsing in the block editor. A threat actor with the ability to exploit a PHP object injection vulnerability present in any other plugin or theme to chain the two issues to execute arbitrary code and seize control of the targeted site. "If a  POP [property-oriented programming] chain  is present via an additional plugin or theme installed on the target system, it could all

Multiple security vulnerabilities have been disclosed in the Ninja Forms plugin for WordPress that could be exploited by threat actors to escalate privileges and steal sensitive data. The flaws, tracked as CVE-2023-37979, CVE-2023-38386, and CVE-2023-38393, impact versions 3.6.25 and below, Patchstack  said  in a report last week. Ninja Forms is installed on over 800,000 sites. A brief description of each of the vulnerabilities is below - CVE-2023-37979  (CVSS score: 7.1) - A POST-based reflected cross-site scripting (XSS) flaw that could allow any unauthenticated user to achieve privilege escalation on a target WordPress site by tricking privileged users to visit a specially crafted website. CVE-2023-38386  and  CVE-2023-38393  - Broken access control flaws in the form submissions export feature that could enable a bad actor with Subscriber and Contributor roles to export all Ninja Forms submissions on a WordPress site. Users of the plugin are recommended to update to version

Compromising the browser is a high-return target for adversaries. Browser extensions, which are small software modules that are added to the browser and can enhance browsing experiences, have become a popular browser attack vector. This is because they are widely adopted among users and can easily turn malicious through developer actions or attacks on legitimate extensions. Recent incidents like  DataSpii  and the  Nigelthorn  malware attack have exposed the extent of damage that malicious extensions can inflict. In both cases, users innocently installed extensions that compromised their privacy and security. The underlying issue lies in the permissions granted to extensions. These permissions, often excessive and lacking granularity, allow attackers to exploit them. What can organizations do to protect themselves from the risks of browser extensions without barring them from use altogether (an act that would be nearly impossible to enforce)?  A new report by LayerX, "Unveiling the

A security flaw has been uncovered in the WooCommerce Stripe Gateway WordPress plugin that could lead to the unauthorized disclosure of sensitive information. The flaw, tracked as  CVE-2023-34000 , impacts versions 7.4.0 and below. It was addressed by the plugin maintainers in version 7.4.1, which shipped on May 30, 2023. WooCommerce Stripe Gateway  allows  e-commerce websites to directly accept various payment methods through Stripe's payment processing API. It boasts of over 900,000 active installations. According to Patchstack security researcher Rafie Muhammad, the plugin suffers from what's called an unauthenticated Insecure direct object references ( IDOR ) vulnerability, which allows a bad actor to bypass authorization and access resources. Specially, the problem stems from the insecure handling of order objects and a lack of adequate access control mechanism in the plugin's 'javascript_params' and 'payment_fields' functions of the plugin. &quo

Unknown threat actors are actively exploiting a recently patched security vulnerability in the Elementor Pro website builder plugin for WordPress. The flaw, described as a case of broken access control, impacts versions 3.11.6 and earlier. It was addressed by the plugin maintainers in version 3.11.7 released on March 22. "Improved code security enforcement in WooCommerce components," the Tel Aviv-based company  said  in its release notes. The premium plugin is  estimated  to be used on over 12 million sites. Successful exploitation of the high-severity flaw allows an authenticated attacker to complete a takeover of a WordPress site that has WooCommerce enabled. "This makes it possible for a malicious user to turn on the registration page (if disabled) and set the default user role to administrator so they can create an account that instantly has the administrator privileges," Patchstack  said  in an alert of March 30, 2023. "After this, they are likely t

Patches have been released for a critical security flaw impacting the WooCommerce Payments plugin for WordPress, which is installed on over 500,000 websites. The flaw, if left unresolved, could enable a bad actor to gain unauthorized admin access to impacted stores, the company said in an advisory on March 23, 2023. It impacts versions 4.8.0 through 5.6.1. Put differently, the issue could permit an "unauthenticated attacker to impersonate an administrator and completely take over a website without any user interaction or social engineering required," WordPress security company Wordfence  said . The vulnerability appears to reside in a PHP file called "class-platform-checkout-session.php," Sucuri researcher Ben Martin  noted . Credited with discovering and reporting the vulnerability is Michael Mazzolini of Swiss penetration testing company GoldNetwork. WooCommerce also  said  it worked with WordPress to auto-update sites using affected versions of the softwar

Researchers from Wordfence have  sounded  the alarm about a "sudden" spike in cyber attacks attempting to exploit an unpatched flaw in a WordPress plugin called  Kaswara Modern WPBakery Page Builder Addons . Tracked as  CVE-2021-24284 , the issue is rated 10.0 on the CVSS vulnerability scoring system and relates to an unauthenticated arbitrary file upload that could be abused to gain code execution, permitting attackers to seize control of affected WordPress sites. Although the bug was originally  disclosed  in April 2021 by the WordPress security company, it continues to remain unresolved to date. To make matters worse, the plugin has been closed and is no longer actively maintained. Wordfence, which is protecting over 1,000 websites that have the plugin installed, said it has blocked an average of 443,868 attack attempts per day since the start of the month. The attacks have emanated from 10,215 IP addresses, with a majority of the exploitation attempts narrowed down

As many as 47,337 malicious plugins have been uncovered on 24,931 unique websites, out of which 3,685 plugins were sold on legitimate marketplaces, netting the attackers $41,500 in illegal revenues. The findings come from a new tool called  YODA  that aims to detect rogue WordPress plugins and track down their origin, according to an 8-year-long study conducted by a group of researchers from the Georgia Institute of Technology. "Attackers impersonated benign plugin authors and spread malware by distributing pirated plugins," the researchers  said  in a new paper titled " Mistrust Plugins You Must ." "The number of malicious plugins on websites has steadily increased over the years, and malicious activity peaked in March 2020. Shockingly, 94% of the malicious plugins installed over those 8 years are still active today." The large-scale research entailed analyzing WordPress plugins installed in 410,122 unique web servers dating all the way back to 2012

Multiple versions of a WordPress plugin by the name of "School Management Pro" harbored a backdoor that could grant an adversary complete control over vulnerable websites. The issue, spotted in premium versions before 9.9.7, has been assigned the CVE identifier  CVE-2022-1609  and is rated 10 out of 10 for severity. The backdoor, which is believed to have existed since version 8.9, enables "an unauthenticated attacker to execute arbitrary PHP code on sites with the plugin installed," Jetpack's Harald Eilertsen  said  in a Friday write-up. School Management, developed by an India-based company called  Weblizar , is billed as a Wordpress add-on to "manage complete school operation." It also claims more than 340,000 customers of its premium and free WordPress themes and plugins. The WordPress security company noted that it uncovered the implant on May 4 after it was alerted to the presence of heavily obfuscated code in the license-checking code of t

Elementor, a WordPress website builder plugin with over five million active installations, has been found to be vulnerable to an authenticated remote code execution flaw that could be abused to take over affected websites. Plugin Vulnerabilities, which  disclosed  the flaw last week, said the bug was introduced in version 3.6.0 that was released on March 22, 2022. Roughly  37% of users  of the plugin are on version 3.6.x. "That means that malicious code provided by the attacker can be run by the website," the researchers said. "In this instance, it is possible that the vulnerability might be exploitable by someone not logged in to WordPress, but it can easily be exploited by anyone logged in to WordPress who has access to the WordPress admin dashboard." In a nutshell, the issue relates to a case of arbitrary file upload to affected websites, potentially leading to code execution. The bug has been addressed in the latest version of Elementor, with Patchstack 

Patches have been issued to contain a "severe" security vulnerability in UpdraftPlus, a WordPress plugin with over three million installations, that can be weaponized to download the site's private data using an account on the vulnerable sites. "All versions of UpdraftPlus from March 2019 onwards have contained a vulnerability caused by a missing permissions-level check, allowing untrusted users access to backups," the maintainers of the plugin said in an advisory published this week. Security researcher Marc-Alexandre Montpas of Automattic has been credited with discovering and reporting the vulnerability on February 14 that's been assigned the identifier  CVE-2022-0633  (CVSS score: 8.5). The issue impacts UpdraftPlus versions from 1.16.7 to 1.22.2. UpdraftPlus is a  backup and restoration solution  that's capable of performing full, manual, or scheduled backups of WordPress files, databases, plugins and themes, which can then be reinstated via th

Critical security vulnerabilities have been disclosed in a WordPress plugin known as PHP Everywhere that's used by more than 30,000 websites worldwide and could be abused by an attacker to execute arbitrary code on affected systems. PHP Everywhere is  used  to flip the switch on PHP code across WordPress installations, enabling users to insert and execute PHP-based code in the content management system's Pages, Posts, and Sidebar. The three issues, all rated 9.9 out of a maximum of 10 on the CVSS rating system, impact versions 2.0.3 and below, and are as follows - CVE-2022-24663  - Remote Code Execution by Subscriber+ users via shortcode CVE-2022-24664  - Remote Code Execution by Contributor+ users via metabox, and CVE-2022-24665  - Remote Code Execution by Contributor+ users via gutenberg block Successful exploitation of the three vulnerabilities could result in the execution of malicious PHP code that could be leveraged to achieve a complete site takeover. WordPres

A WordPress plugin with over one million installs has been found to contain a critical vulnerability that could result in the execution of arbitrary code on compromised websites. The plugin in question is  Essential Addons for Elementor , which provides WordPress site owners with a library of over 80 elements and extensions to help design and customize pages and posts. "This vulnerability allows any user, regardless of their authentication or authorization status, to perform a local file inclusion attack," Patchstack  said  in a report. "This attack can be used to include local files on the filesystem of the website, such as /etc/passwd. This can also be used to perform RCE by including a file with malicious PHP code that normally cannot be executed." That said, the vulnerability only exists if widgets like dynamic gallery and product gallery are used, which utilize the vulnerable function, resulting in local file inclusion – an attack technique in which a web

In yet another instance of software supply chain attack, dozens of WordPress themes and plugins hosted on a developer's website were backdoored with malicious code in the first half of September 2021 with the goal of infecting further sites. The backdoor gave the attackers full administrative control over websites that used 40 themes and 53 plugins belonging to AccessPress Themes, a Nepal-based company that boasts of no fewer than 360,000 active website installations. "The infected extensions contained a dropper for a web shell that gives the attackers full access to the infected sites," security researchers from JetPack, a WordPress plugin suite developer, said in a  report  published this week. "The same extensions were fine if downloaded or installed directly from the WordPress[.]org directory." The vulnerability has been assigned the identifier  CVE-2021-24867 . Website security platform Sucuri, in a separate analysis,  said  some of the infected websit

Researchers have disclosed a security shortcoming affecting three different WordPress plugins that impact over 84,000 websites and could be abused by a malicious actor to take over vulnerable sites. "This flaw made it possible for an attacker to update arbitrary site options on a vulnerable site, provided they could trick a site's administrator into performing an action, such as clicking on a link," WordPress security company Wordfence  said  in a report published last week. Tracked as CVE-2022-0215, the cross-site request forgery ( CSRF ) flaw is rated 8.8 on the CVSS scale and impacts three plugins maintained by  Xootix  — Login/Signup Popup  (Inline Form + Woocommerce), Side Cart Woocommerce  (Ajax), and Waitlist Woocommerce  (Back in stock notifier) Cross-site request forgery, also known as one-click attack or session riding, occurs when an authenticated end-user is tricked by an attacker into submitting a specially crafted web request. "If the victim i

As many as 1.6 million WordPress sites have been targeted by an active large-scale attack campaign originating from 16,000 IP addresses by exploiting weaknesses in four plugins and 15 Epsilon Framework themes. WordPress security company Wordfence, which  disclosed  details of the attacks, said Thursday it had detected and blocked more than 13.7 million attacks aimed at the plugins and themes in a period of 36 hours with the goal of taking over the websites and carrying out malicious actions. The plugins in question are Kiwi Social Share (<= 2.0.10), WordPress Automatic (<= 3.53.2), Pinterest Automatic (<= 4.14.3), and PublishPress Capabilities (<= 2.3), some of which have been patched dating all the way back to November 2018. The impacted Epsilon Framework themes and their corresponding versions are as follows — Activello (<=1.4.1) Affluent (<1.1.0) Allegiant (<=1.2.5) Antreas (<=1.0.6) Bonkers (<=1.0.5) Brilliance (<=1.2.9) Illdy (<=2.1.6) M

A recently discovered wave of malware attacks has been spotted using a variety of tactics to enslave susceptible machines with easy-to-guess administrative credentials to co-opt them into a network with the goal of illegally mining cryptocurrency. "The malware's primary tactic is to spread by taking advantage of vulnerable systems and weak administrative credentials. Once they've been infected, these systems are then used to mine cryptocurrency," Akamai security researcher Larry Cashdollar  said  in a write-up published last week. The PHP malware — codenamed "Capoae" (short for "Сканирование," the Russian word for "Scanning") — is said to be delivered to the hosts via a backdoored addition to a WordPress plugin called "download-monitor," which gets installed after successfully brute-forcing WordPress admin credentials. The attacks also involve the deployment of a  Golang binary  with decryption functionality, with the obfusc

Security researchers are sounding the alarm over newly discovered vulnerabilities in some popular online learning management system ( LMS ) plugins that various organizations and universities use to offer online training courses through their WordPress-based websites. According to the Check Point Research Team, the three WordPress plugins in question — LearnPress , LearnDash , and LifterLMS — have security flaws that could permit students, as well as unauthenticated users, to pilfer personal information of registered users and even attain teacher privileges. "Because of coronavirus, we're doing everything from our homes, including our formal learning," Check Point Research's Omri Herscovici said. "The vulnerabilities found allow students, and sometimes even unauthenticated users, to gain sensitive information or take control of the LMS platforms." The three LMS systems are installed on approximately 100,000 different educational platforms, includi

A popular WordPress theme plugin with over 200,000 active installations contains a severe but easy-to-exploit software vulnerability that, if left unpatched, could let unauthenticated remote attackers compromise a wide range of websites and blogs. The vulnerable plugin in question is ' ThemeGrill Demo Importer ' that comes with free as well as premium themes sold by the software development company ThemeGrill. ThemeGrill Demo Importer plugin has been designed to allow WordPress site admins to import demo content, widgets, and settings from ThemeGrill, making it easier for them to quickly customize the theme. According to a report WebARX security company shared with The Hacker News, when a ThemeGrill theme is installed and activated, the affected plugin executes some functions with administrative privileges without checking whether the user running the code is authenticated and is an admin. The flaw could eventually allow unauthenticated remote attackers to wipe the e

Attention WordPress users! Your website could easily get hacked if you are using " Ultimate Addons for Beaver Builder ," or " Ultimate Addons for Elementor " and haven't recently updated them to the latest available versions. Security researchers have discovered a critical yet easy-to-exploit authentication bypass vulnerability in both widely-used premium WordPress plugins that could allow remote attackers to gain administrative access to sites without requiring any password. What's more worrisome is that opportunistic attackers have already started exploiting this vulnerability in the wild within 2 days of its discovery in order to compromise vulnerable WordPress websites and install a malicious backdoor for later access. Both vulnerable plugins, made by software development company Brainstorm Force, are currently powering over hundreds of thousands of WordPress websites using Elementor and Beaver Builder frameworks, helping website admins and de

Security researchers have been warning about a critical vulnerability they discovered in one of a popular WordPress Live Chat plugin, which, if exploited, could allow unauthorized remote attackers to steal chat logs or manipulate chat sessions. The vulnerability, identified as CVE-2019-12498, resides in the "WP Live Chat Support" that is currently being used by over 50,000 businesses to provide customer support and chat with visitors through their websites. Discovered by cybersecurity researchers at Alert Logic , the flaw originates because of an improper validation check for authentication that apparently could allow unauthenticated users to access restricted REST API endpoints. As described by researchers, a potential remote attacker can exploit exposed endpoints for malicious purposes, including: stealing the entire chat history for all chat sessions, modifying or deleting the chat history, injecting messages into an active chat session, posing as a custome