Tag Archive for: plugin

Hackers exploit zero-day in WordPress plugin Ultimate Member


Hackers have once again found a way to break into WordPress accounts. This time, a zero-day in the Ultimate Member plugin grants access.

Hackers can penetrate 200,000 WordPress websites through a zero-day in the Ultimate Member plugin. The plugin gives website visitors a simple account registration.

No secure version

All versions of the plugin contain the zero-day. The developers have been trying to eliminate the vulnerability since version 2.6.3, but without success. “Versions 2.6.4, 2.6.5, 2.6.6 partially close this vulnerability, but we are still working with the WPScan team to get the best result,” writes a developer from the company.

In the meantime, the high severity score of 9.8 indicates that the security incident deserves attention. Through the zero-day, hackers can make themselves administrators of the vulnerable website, writes Chloe Chamberland, a cybersecurity researcher at Wordfence. Her team was the first to discover the zero-day.

V2.6.6 at risk

Ultimate Member recommends that users of the plugin keep up with updates: “All previous versions are vulnerable, so we highly recommend upgrading your websites to 2.6.6 and keeping up with updates in the future to get the latest security and feature enhancements.”

According to Chamberland, however, that leaves too much risk. “Since the latest version of the plugin, 2.6.6, has not been fully patched, we recommend removing the plugin until a full patch is released.”

WordPress in 2023

This is already the ninth vulnerability in WordPress we have reported on this year. In two cases, it was an old vulnerability for which users had not yet bothered to install the patch. Still, the number of security risks reported for the CMS (Content Management System) in 2023 is already climbing toward ten. The software therefore appears to be an attractive target for hackers, although not all vulnerabilities pose equally big problems.

The big problems arise with bugs that affect many WordPress websites. Among these, we can already count for 2023 the vulnerability in the WordPress plugin Elementor. More than 1 million websites were vulnerable to the flaw. The news followed an earlier vulnerability in the Pro version of…

Source…

Backdoor baked into premium school management plugin for WordPress

Security researchers have discovered a backdoor in a premium WordPress plugin designed as a complete management solution for schools. The malicious code enables a threat actor to execute PHP code without authenticating.

The name of the plugin is “School Management,” published by Weblizar, and multiple versions before 9.9.7 were delivered with the backdoor baked into their code.

Although the latest version is clean, the developer failed to determine the source of the compromise.

The plugin allows schools to manage live classes, send email or SMS notifications, keep attendance boards and manage noticeboards, accept payments and issue invoices, manage exams, set up online lending libraries, and even manage transport vehicle fleets.

It is a complete solution that comes with an Android and iOS app to provide various access levels to users such as admins, teachers, accountants, students, parents, librarians, and receptionists.

PHP backdoor

Jetpack started to take a look at “School Management” (site not secure at the time of writing) after the WordPress.com support team reported finding malicious code in several sites using the plugin.

When looking at the lightly obfuscated code, Jetpack found a backdoor injected into the license-checking code of the plugin, which allows any attacker to execute PHP code.

Image: The backdoor code after reversing obfuscation (Jetpack)

The backdoor can let an attacker access or alter the website’s contents, elevate privileges, and assume complete control of the site.

This is a critical security problem that is currently tracked as CVE-2022-1609, and received the maximum severity score of 10 out of 10.

Because the backdoor is injected into the plugin’s license-checking code, the free version, which has no license check, does not contain the backdoor and is therefore not affected.

Discovery and fixing

Jetpack initially assumed that the presence of the backdoor was a case of a nulled plugin: a premium plugin that has been hacked or modified (pirated) and distributed through third-party websites, which often works without a license.

However, after discussing with the site owners, the analysts learned that the plugin was sourced directly from the vendor, so the backdoor…

Source…

Critical vulnerability in popular WordPress plugin exposes millions of sites to hacking


A critical vulnerability in a highly popular WordPress plugin has exposed millions of websites to hacking.

Discovered by researchers at Plugin Vulnerabilities and detailed April 12, the vulnerability was found in Elementor, a WordPress website-building plugin with more than 5 million active installations. The vulnerability was introduced in version 3.6.0 of the plugin, released on March 22; about a third of the sites using Elementor were running the vulnerable version when the flaw was found.

The vulnerability is caused by the absence of a critical access check in one of the plugin’s files, which is loaded on every request, even when the user is not logged in. Because the check never occurs, access to the file, and hence to the plugin’s functionality, is open to anyone, including bad actors.

Exploiting the vulnerability opens the door for anyone to make changes to the site, including uploading arbitrary files. As a result, hackers could exploit the vulnerability for remote code execution and takeover of a site running the plugin. “Based on just what we saw in our very limited checking, we would recommend not using this plugin until it has had a thorough security review and all issues are addressed,” the researchers noted.
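As an added illustration of the pattern the researchers describe (not Elementor’s actual code, which the article does not show), the following hypothetical plugin hook runs on every request and performs an upload without any access check, beside the same hook gated by WordPress’s capability and nonce checks. The action names and nonce label are invented for the example.

```php
<?php
// Added example, not Elementor's code. Both handlers hook `init`, which
// WordPress fires on every request, whether or not a user is logged in.
require_once ABSPATH . 'wp-admin/includes/file.php'; // defines wp_handle_upload()

// WEAK: trusts any request that carries the (hypothetical) action parameter.
add_action('init', function () {
    if (!isset($_POST['demo_action']) || $_POST['demo_action'] !== 'upload') {
        return;
    }
    // No capability check and no nonce: an anonymous visitor reaches this
    // code path and the file lands in the uploads directory as sent.
    wp_handle_upload($_FILES['file'], ['test_form' => false]);
});

// HARDENED: same feature, gated the way WordPress expects.
add_action('init', function () {
    if (!isset($_POST['demo_action']) || $_POST['demo_action'] !== 'upload') {
        return;
    }
    // 1. Require an authenticated user holding a capability that fits the action.
    if (!is_user_logged_in() || !current_user_can('upload_files')) {
        wp_die('Forbidden', '', ['response' => 403]);
    }
    // 2. Require a valid nonce so the request originates from our own form.
    $nonce = isset($_POST['_wpnonce']) ? $_POST['_wpnonce'] : '';
    if (!wp_verify_nonce($nonce, 'demo_upload')) {
        wp_die('Invalid request', '', ['response' => 400]);
    }
    // 3. Whitelist accepted file types instead of accepting whatever arrives.
    $allowed = ['jpg' => 'image/jpeg', 'png' => 'image/png'];
    $result  = wp_handle_upload($_FILES['file'], ['test_form' => false, 'mimes' => $allowed]);
    if (isset($result['error'])) {
        wp_die(esc_html($result['error']), '', ['response' => 400]);
    }
});
```

The second handler is what a reviewer should expect in any plugin file that executes on unauthenticated requests: an authentication and capability gate first, a nonce second, and input restrictions on anything written to disk.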

The vulnerability has since been addressed in the latest update, Elementor version 3.6.3. Anyone running a WordPress install with Elementor 3.6.0 to 3.6.2 is encouraged to update to the latest version to address the critical vulnerability.

“WordPress powers as much as a third of all websites on the Internet, including some of the most highly trafficked sites and a large percentage of e-commerce sites, so why aren’t they better equipped to protect against attack?” Pravin Madhani, co-founder and chief executive of application security platform provider K2 Cyber Security Inc., told SiliconANGLE. “In particular, RCE is one of the most dangerous flaws because it gives the attacker the ability to run almost any code on the hacked site.”

Madhani explained that traditional application security tools like Web Application Firewalls have difficulty in dealing with RCE attacks because they rely on understanding a past RCE…

Source…