1 Nov 2019

Authenticated Remote Code Execution (RCE) Vulnerability Exists in WordPress Plugin Being Targeted By Hacker

As part of the monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in WordPress plugins they may be using, we watch for what look to be hackers probing for usage of plugins, so that we can quickly warn our customers of unfixed vulnerabilities that hackers are likely targeting. A month ago, through that, we saw an apparent ongoing hacker campaign exploiting previously undisclosed vulnerabilities involving nine plugins. Recently that has started up again, with the plugin MobiLoud News being one of the new plugins. There was probing on our website two days ago for that plugin, by requesting these files:

  • /wp-content/plugins/mobiloud-mobile-app-plugin/description.txt
  • /wp-content/plugins/mobiloud-mobile-app-plugin/readme.txt

In beginning to check over the plugin to figure out what a hacker would be interested in exploiting, we found multiple vulnerabilities. What might be the most serious is an authenticated remote code execution (RCE) vulnerability that would allow an attacker to run arbitrary PHP code on the website. It could also be exploited through cross-site request forgery (CSRF). [Read more]

2 Jul 2019

There is Also an Authenticated Remote Code Execution (RCE) Vulnerability in Newsletters

Yesterday we noted a reflected cross-site scripting (XSS) vulnerability in the WordPress plugin Newsletters, which was closed on Friday, that we happened across. Subsequent to that, in our monitoring to keep track of indications that new versions of plugins have security fixes, we noticed that a new version of the plugin had been submitted with “Security fixes”. That version doesn’t fix the vulnerability we mentioned yesterday. When we started looking over that version to see if there was something else that was fixed that we should add to the data set of plugin vulnerabilities for our service, we came across more unfixed vulnerabilities.

What we first ran across is a fairly serious vulnerability, an authenticated remote code execution (RCE) vulnerability, which is in code that seemingly shouldn’t exist even if it were better secured. [Read more]

5 Apr 2019

Our Proactive Monitoring Caught an Authenticated Remote Code Execution (RCE) Vulnerability Being Introduced into Groundhogg

Occasionally our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities catches an easy-to-confirm vulnerability, and that was the case with an authenticated remote code execution (RCE) vulnerability being introduced into the plugin Groundhogg, which is also exploitable through cross-site request forgery (CSRF).

Since our Plugin Security Checker utilizes the same checks, it will alert you if plugins you use possibly contain the same type of vulnerable code (and other types of vulnerable code). From there, if you are a paying customer of our service, you can suggest/vote for the plugin to receive a security review that will check over that, or you can order the same type of review separately. [Read more]

20 Feb 2019

Just Closed File Manager WordPress Plugin with 300,000+ Installs Contains Authenticated Remote Code Execution (RCE) Vulnerability

Due to our monitoring for closures of the 1,000 most popular WordPress plugins, we were notified that the plugin File Manager (WP File Manager), which has 300,000+ installs, was closed today. That a security vulnerability could have led to it being closed wouldn’t be surprising. That is in part due to one of the other plugins from the same developer, Duplicate Page, which has 700,000+ installs, being publicly known to contain multiple unfixed vulnerabilities for over a year (which no one on the WordPress side of things seems to care about), two of which we disclosed in October of 2017 after the developer didn’t respond to our notification of the issues. That is also in part due to the continued poor security of this plugin itself, including that it used to be fundamentally insecure, and even when that was fixed it wasn’t fixed properly.

Once we were notified of the closure we started checking over the plugin to see if it had any obvious security issues. One of the things we do is to run the plugin through our Plugin Security Checker tool, which allows anyone to check for the possibility of some instances of security issues in WordPress plugins. That flagged that a function, mk_check_filemanager_php_syntax_callback(), was accessible through WordPress’ AJAX functionality to those logged in as well as those logged out. The function name hinted that there might be something that shouldn’t be accessible to those not logged in, at the very least. [Read more]

17 Jan 2019

Vulnerability Details: Cross-Site Request Forgery (CSRF)/Remote Code Execution (RCE) in Companion Revision Manager

The changelog entry for the latest version of Companion Revision Manager is “Security update”. Looking at the changes made in that version, we saw that protection against cross-site request forgery (CSRF) was added in one location and user input was being sanitized. In then looking at those changes, we found that there had previously been a remote code execution (RCE) vulnerability that had been exploitable through CSRF.

[Read more]

16 Jan 2019

Our Proactive Monitoring Caught an Authenticated Remote Code Execution (RCE) Vulnerability in WP-Stateless

One of the ways we help to improve the security of WordPress plugins, not just for our customers but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through a recently added improvement to that, we continue to find more remote code execution (RCE) related vulnerabilities, which isn’t a great sign about the security of WordPress plugins. This time it led to us finding an authenticated variant, which can also be exploited through cross-site request forgery (CSRF), that has been in the plugin WP-Stateless for six months.

Since our Plugin Security Checker utilizes the same checks, it will alert you if plugins you use possibly contain the same type of vulnerable code (and possibly contain more serious vulnerable code). From there, if you are a paying customer of our service, you can suggest/vote for the plugin to receive a security review that will check over that, or you can order the same type of review separately. [Read more]

20 Nov 2018

Our Plugin Security Checker Already Detected a Remote Code Execution (RCE) Vulnerability in a WordPress Plugin with 100,000+ Installs

Last Friday, after we discovered a remote code execution (RCE) vulnerability in a WordPress plugin through our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities, we noted that we had updated our Plugin Security Checker to have the same check:

Now that we have actually run across a plugin that got flagged by the check that spotted this, we have added it to our Plugin Security Checker, so when you run plugins through that they will now get checked for this as well (though hopefully there are not other plugins that are this insecure). [Read more]