24 Feb 2020

Hackers May Already Be Targeting This Authenticated Persistent XSS Vulnerability in PW WooCommerce Bulk Edit

As part of the monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in WordPress plugins they may be using, we monitor for what look to be hackers probing for usage of plugins, so that we can quickly warn our customers of unfixed vulnerabilities that hackers are likely targeting. There was probing on our website several days ago for the plugin PW WooCommerce Bulk Edit by requesting these files:

  • /wp-content/plugins/pw-bulk-edit/readme.txt
  • /wp-content/plugins/pw-bulk-edit/assets/js/results.js
  • /wp-content/plugins/pw-bulk-edit/license.txt

In a quick check of the plugin we found that it contains multiple security issues. The most obvious security issue that hackers would be interested in targeting, based on what we saw, is that anyone logged in to WordPress can change the name of a WooCommerce product to include malicious JavaScript code, which is an authenticated persistent cross-site scripting (XSS) vulnerability (through the same functionality the price and other product attributes can be changed as well). Since the plugin extends WooCommerce, and WooCommerce by default allows the public to register WordPress accounts, the access needed to exploit this would usually be easy to obtain. [Read more]

18 Nov 2019

Vulnerability Details: Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) in WP Maintenance

One of the changelog entries for the latest version of the plugin WP Maintenance is “SECURITY UPDATE : Adding NONCE to forms”. Looking at the changes made in that version, we found that this referred to adding checks for nonces to prevent cross-site request forgery (CSRF) on the plugin’s admin pages. We found that on one of those pages the lack of that check could previously lead to cross-site scripting (XSS).


[Read more]

24 Oct 2019

Hackers May Already be Targeting this Authenticated Persistent XSS Vulnerability in a WordPress Plugin with 200,000+ Installs

As part of the monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in WordPress plugins they may be using, we monitor for what look to be hackers probing for usage of plugins, so that we can quickly warn our customers of unfixed vulnerabilities that hackers are likely targeting. A month ago, through that, we saw an apparent ongoing hacker campaign exploiting previously undisclosed vulnerabilities involving nine plugins. It looks like that has started up again, with the plugin Astra Starter Sites being one of the new plugins. There was probing on our website yesterday for that plugin by requesting these files:

  • /wp-content/plugins/astra-sites/inc/assets/js/admin-page.js
  • /wp-content/plugins/astra-sites/inc/assets/css/admin.css
  • /wp-content/plugins/astra-sites/readme.txt

That plugin has 200,000+ installs according to wordpress.org, so you might imagine that it has at least had a cursory security review by now, but that doesn’t appear to be the case: in just our limited checking to figure out what a hacker would be interested in exploiting, we found numerous security issues that would have been flagged by the type of security review of WordPress plugins we do. Considering that persistent cross-site scripting (XSS) vulnerabilities have existed in multiple of the other plugins being targeted, we were most focused on seeing if it has that type of vulnerability, and we found it contains an authenticated variant of that. While that requires someone to have access to a WordPress account, which limits its exploitability, with 200,000+ installs that would be something that hackers have previously shown an interest in exploiting. [Read more]

27 Sep 2019

Our Proactive Monitoring Caught an Authenticated Persistent XSS Vulnerability in Request a Quote

One of the ways we help to improve the security of WordPress plugins, not just for the customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught an authenticated persistent cross-site scripting (XSS) vulnerability in the plugin Request a Quote. That is a type of vulnerability that hackers appear to have recently been looking for undisclosed instances of to exploit, so finding it before them is a very good thing. The vulnerability is identical to the vulnerability we found in another plugin by the same developer through this same monitoring last week.

The vulnerability is due to multiple security failures, as is often the case. The plugin registers the function emd_insert_new_shc() to be accessible by those logged in to WordPress: [Read more]

23 Sep 2019

Vulnerability Details: Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) in WooCommerce One Click Upsell Funnel

One of the changelog entries for the latest version of WooCommerce One Click Upsell Funnel is “Improved: Better Security and Performance”. Looking at the changes made in that version we found there were a lot of unnecessary security changes being made, but we did find that a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability had been fixed.


[Read more]

19 Sep 2019

Our Proactive Monitoring Caught an Authenticated Persistent XSS Vulnerability in a WordPress Plugin with 6,000+ Installs

One of the ways we help to improve the security of WordPress plugins, not just for the customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught an authenticated persistent cross-site scripting (XSS) vulnerability in the plugin Youtube Showcase (YouTube Gallery). That is a type of vulnerability that hackers appear to have recently been looking for undisclosed instances of to exploit, so finding it before them is a very good thing.

The vulnerability is due to multiple security failures, as is often the case. The plugin registers the function emd_insert_new_shc() to be accessible by those logged in to WordPress: [Read more]

16 Sep 2019

Authenticated Persistent Cross-Site Scripting (XSS) Vulnerability in Font

As part of the monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in WordPress plugins they may be using, we noticed what looked to be a hacker probing for the following file on our website:

/wp-content/plugins/font/akismets417.php [Read more]

13 Sep 2019

Hackers May Already be Targeting this Authenticated Persistent XSS Vulnerability in FileBird Lite

As part of the monitoring we do to make sure we are providing customers of our service with the best possible data on vulnerabilities in WordPress plugins they may be using, we found that yesterday a hacker looked to be probing for usage of the plugin FileBird Lite, which has 10,000+ installs, by requesting the following files:

  • /wp-content/plugins/filebird/admin/css/filebird-upload.css
  • /wp-content/plugins/filebird/readme.txt
  • /wp-content/plugins/filebird/admin/js/filebird-util.js

In looking into what the hacker might be interested in exploiting in that plugin, we found right away that there is an authenticated persistent cross-site scripting (XSS) vulnerability in the current version of the plugin that is similar to vulnerabilities that hackers have widely exploited recently. We saw other insecure code in the plugin and there look to be additional vulnerabilities, so the plugin should be more thoroughly reviewed and secured before being used. [Read more]

3 Sep 2019

Cross-Site Request Forgery (CSRF)/Cross-Site Scripting (XSS) Vulnerability in Ultimate Google Analytics

The plugin Ultimate Google Analytics was closed on the WordPress Plugin Directory on Friday. That is one of the 1,000 most popular plugins, with 50,000+ installs, so we were alerted to its closure. While we were looking into the plugin to see if there were any serious vulnerabilities we should be warning users of the plugin that also use our service about, we found that it contains a less serious one related to a more serious one, a cross-site request forgery (CSRF)/cross-site scripting (XSS) vulnerability.

The plugin has an options page that causes the function uga_options() to run: [Read more]