17 Jan 2024

Hacker Targeting Vulnerability Fixed in WordPress Plugin LearnPress Late Last Month

On Monday, our Plugin Vulnerabilities Firewall plugin blocked a couple of exploit attempts on our website for which we didn’t already have data identifying the WordPress plugin being targeted. In investigating that, we found they were attempts to exploit a remote code execution (RCE) vulnerability in the 90,000+ install WordPress plugin LearnPress, which was fixed on December 25 in version 4.2.5.8. The developer disclosed there was a security fix in that version, but barely: one of the changelog entries for that version reads “Fixed: security.” The vulnerability allows an attacker to run arbitrary PHP code on the website.

This may be connected to CVE-2023-6634, though the record for it is lacking the information needed to be sure of that. If it is connected to that, the CVE Record is wrong, as it says “all versions up to, and including, 4.2.5.7” are vulnerable, but the code attempted to be exploited was added in 4.2.5.7. [Read more]

18 Jun 2023

Remote Code Execution (RCE) Vulnerability in Template Debugger

Today, Patchstack claimed there was a cross-site request forgery (CSRF) vulnerability in the latest version of the WordPress plugin Template Debugger, but didn’t provide the information needed to check on their claim. In looking into this, we found what probably is what they are labeling as a CSRF vulnerability, but it is actually a much more serious vulnerability. The vulnerability allows an attacker to run arbitrary code on the website.

[Read more]

8 Dec 2022

Remote Code Execution (RCE) Vulnerability in CX Easy Contact Form

One way we help to improve the security of WordPress plugins, not just for customers of our service, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that, we caught a variant of one of those vulnerabilities, a remote code execution (RCE) vulnerability in a brand new plugin, CX Easy Contact Form.

We now are also running all the plugins used by our customers through the same system used for the proactive monitoring on a weekly basis to provide additional protection for them. [Read more]

17 Jun 2022

Clearing Up Some Claims Made About the Remote Code Execution (RCE) Vulnerability Fixed in Ninja Forms

Two days ago, WPScan described a vulnerability that had been fixed the day before in the WordPress plugin Ninja Forms this way:

The plugin does not validate merge tags provided in the request, which could allow unauthenticated attackers to call any static method present in the blog. One from the plugin in particular could allow for PHP Object Injection when a suitable gadget is also present on the blog. Attackers have been exploiting such issue since June 9th, 2022 [Read more]

14 Feb 2022

Despite “Manual Security Review”, Brand New WordPress Plugin Contains Remote Code Execution (RCE) Vulnerability

Before new plugins are allowed into WordPress’ plugin directory, they are claimed to go through a manual review:

After your plugin is manually reviewed, it will either be approved or you will be emailed and asked to provide more information and/or make corrections. [Read more]

15 Aug 2019

Vulnerability Details: Remote Code Execution (RCE) in WordPress to Jekyll Exporter (Jekyll Exporter)

A frequent problem when it comes to security is that people assume that other people won’t do things that are a bad idea. An example of that involves a remote code execution vulnerability that was in the plugin WordPress to Jekyll Exporter (Jekyll Exporter). In data from the website AbuseIPDB there has been recent reported probing for a file from that plugin:

[Read more]

9 May 2019

Our Proactive Monitoring Caught a Remote Code Execution (RCE) Vulnerability in Kanzu Support Desk

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is our proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Through that we caught a remote code execution (RCE) vulnerability in the plugin Kanzu Support Desk.

The possibility of this vulnerability is also flagged by our Plugin Security Checker, so you can check plugins you use to see if they might have similar issues with that tool. [Read more]

11 Jan 2019

Our Proactive Monitoring Caught a Remote Code Execution (RCE) Vulnerability in an Unreleased Version of MailPress

In a reminder of the negative impact of WordPress intentionally leaving those using vulnerable plugins unaware of it, there are still 3,000+ active installs, according to wordpress.org, of the plugin MailPress. Back in July of 2016 we noted that it appeared that hackers were targeting it, while disclosing a vulnerability we had found in it after noticing the apparent hacker interest. At the time the plugin had already been removed from the Plugin Directory and remains so today. The hacker interest has continued as well, as multiple times in the last week we have seen probing for usage of the plugin on our website.

In the meantime, the developer has at various times submitted changes to the plugin, and one of the recent changes was flagged by our proactive monitoring of changes being made to WordPress plugins, which tries to catch serious vulnerabilities when they are introduced into plugins. Maybe not surprisingly, considering that the plugin appears to have had a vulnerability serious enough for hackers to be interested in exploiting it and that the developer has yet to resolve the issue that led to the plugin being removed, it turns out that unreleased versions of the plugin contain a remote code execution vulnerability. [Read more]

30 Nov 2018

Our Proactive Monitoring Caught a Remote Code Execution (RCE) Vulnerability in the WordPress Plugin PropertyHive

With the recently widely exploited WordPress plugin WP GDPR Compliance, there were two serious vulnerabilities that were fixed before one of them was widely exploited. There was also another issue that was fixed and brought up in passing at the time, but whose seriousness we were left unclear about: the ability to pass arbitrary values to the do_action() WordPress function. We really should put up a post on what we found when we looked further into that, but the short version is that, at least with the code you can cause to execute from WordPress, the threat looks to be somewhat limited, and even more limited if user input is only used to specify the action to be executed and not additional arguments. In any case, that type of issue would be a remote code execution (RCE) vulnerability, so we updated a check included in our proactive monitoring of changes made to plugins in the Plugin Directory (which tries to catch serious vulnerabilities) and in our Plugin Security Checker to spot possible instances of that type of vulnerability. That led to us spotting an instance of the vulnerability in the plugin PropertyHive through our proactive monitoring.

This vulnerability has been in the plugin for 18 months without being noticed before. [Read more]

16 Nov 2018

Our Proactive Monitoring Caught a Remote Code Execution Vulnerability Being Added to the Feedify WordPress Plugin

One of the ways we help to improve the security of WordPress plugins, not just for our customers, but for everyone using them, is the proactive monitoring of changes made to plugins in the Plugin Directory to try to catch serious vulnerabilities. Most of the vulnerabilities caught by that are due to only a few of the checks we run over those changes, but one check that we can’t recall ever flagging anything before did flag a change made yesterday, and it identified a serious issue. It turns out the new version of the Feedify plugin introduced a remote code execution (RCE) vulnerability.

The new version of the plugin has the function feedify_run_cmd() run “once WP, all plugins, and the theme are fully loaded and instantiated”: [Read more]