Vulnerabilities Patched in WP Page Builder

https://www.wordfence.com/blog/2021/04/vulnerabilities-patched-in-wp-page-builder/

On February 15, 2021, the Wordfence Threat Intelligence team began the responsible disclosure process for several vulnerabilities in WP Page Builder, a plugin installed on over 10,000 sites. These vulnerabilities allowed any logged-in user, including subscribers, to access the page builder’s editor and make changes to existing posts on the site by default. Additionally, any logged-in user could add malicious JavaScript to any post, potentially resulting in site takeover. We initially contacted Themeum, the plugin’s publisher, on February 15, 2021 and received a response that evening. We provided full disclosure the next day, on February 16, 2021. A patched version […]

Episode 111: PHP Git Repository Compromised

https://www.wordfence.com/blog/2021/04/episode-111-php-git-repository-compromised/

The self-hosted Git repository for PHP was compromised, with attackers adding a backdoor to a development version of PHP 8.1. The intrusion was detected by the PHP community quickly, and no production environments were affected. Ubiquiti experienced an intrusion in January that was far worse than originally reported; attackers gained access to nearly all of the AWS assets of the company, which has shipped 85 million IoT devices. Some OpenSSL vulnerabilities were recently patched, and two new vulnerabilities in Linux-based operating systems could let attackers circumvent Spectre mitigations to obtain sensitive information from kernel memory. Here are timestamps and links […]

PHP Compromised: What WordPress Users Need to Know

https://www.wordfence.com/blog/2021/03/php-compromised-what-wordpress-users-need-to-know/

Late Sunday night, on March 28, 2021, Nikita Popov, a core PHP committer, released a statement indicating that two malicious commits had been pushed to the php-src git repository. These commits created a backdoor that would have effectively allowed attackers to achieve remote code execution through PHP via a crafted HTTP header. Remote code execution makes it possible to issue commands to a server remotely, which allows attackers to create new files, steal data on the server, delete files, and essentially take over the affected server along with any websites powered by PHP. In this post, […]

Episode 110: Active Exploitation Continues on Unpatched Thrive Themes

https://www.wordfence.com/blog/2021/03/episode-110-active-exploitation-continues-on-unpatched-thrive-themes/

Attackers continue to exploit recently patched vulnerabilities in Thrive Themes, though not all of them are successful. Two vulnerabilities are patched in the Facebook for WordPress plugin installed on over half a million sites. Google Chrome version 90 will use HTTPS by default, bringing significant improvements to speed and security. A ransomware insurance provider experiences a breach that could affect customers, and Slack’s new “Slack Connect” feature has some security concerns. Here are timestamps and links in case you’d like to jump around, and a transcript is below. 0:13 Recently Patched Vulnerability in Thrive Themes Actively Exploited in the Wild […]

Two Vulnerabilities Patched in Facebook for WordPress Plugin

https://www.wordfence.com/blog/2021/03/two-vulnerabilities-patched-in-facebook-for-wordpress-plugin/

On December 22, 2020, our Threat Intelligence team responsibly disclosed a vulnerability in Facebook for WordPress, formerly known as Official Facebook Pixel, a WordPress plugin installed on over 500,000 sites. This flaw made it possible for unauthenticated attackers with access to a site’s secret salts and keys to achieve remote code execution through a deserialization weakness. In addition, on January 27, 2021, we disclosed a separately identified vulnerability in Facebook for WordPress that was introduced in the rebranding of the plugin in version 3.0.0. This flaw made it possible for attackers to inject malicious JavaScript into the plugin’s settings, if […]
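The deserialization weakness described above is a general pattern worth seeing in code: a keyed signature in front of unserialize() only holds as long as the site's secret keys stay secret, and once they leak the attacker chooses which class gets instantiated. The following is an added illustration, not the plugin's own code; the class, function and constant names are hypothetical and the secret key is a constructed placeholder.

```php
<?php
// Added illustration, not the plugin's own code. Class, function and key names
// are hypothetical; the secret key is a constructed placeholder.

// A class with side effects on rehydration: the kind of "gadget" an attacker can
// reach once they control the serialized stream. Kept harmless here: it only
// records that __wakeup() ran, where a real chain would write a file.
class CacheWriter
{
    public $path = '';
    public $data = '';

    public function __wakeup()
    {
        $GLOBALS['gadget_fired'][] = $this->path;
    }
}

// Stands in for a secret the site stores in wp-config.php (NONCE_KEY, NONCE_SALT, ...).
const SECRET_KEY = 'constructed-example-key-not-for-production';

function sign_payload(string $payload): string
{
    return hash_hmac('sha256', $payload, SECRET_KEY);
}

// Vulnerable pattern: a keyed signature is the only gate before unserialize().
// Whoever holds SECRET_KEY forges the signature and picks the class to instantiate.
function handle_event_vulnerable(string $payload, string $sig)
{
    if (!hash_equals(sign_payload($payload), $sig)) {
        return null;
    }
    return unserialize($payload);                         // sink
}

// Hardened: identical signature check, but objects can no longer be created.
// allowed_classes=false turns every object in the stream into
// __PHP_Incomplete_Class, so no real __wakeup()/__destruct() runs.
function handle_event_hardened(string $payload, string $sig)
{
    if (!hash_equals(sign_payload($payload), $sig)) {
        return null;
    }
    return unserialize($payload, ['allowed_classes' => false]);
}

// Better still for data that is only ever arrays and scalars: use JSON, which has
// no object model to abuse. Depth limit and exception mode are set deliberately.
function handle_event_json(string $payload, string $sig): ?array
{
    if (!hash_equals(sign_payload($payload), $sig)) {
        return null;
    }
    $data = json_decode($payload, true, 16, JSON_THROW_ON_ERROR);
    return is_array($data) ? $data : null;
}

// ---- demo --------------------------------------------------------------------
$GLOBALS['gadget_fired'] = [];

// An attacker who has obtained the keys builds and signs a gadget object.
$gadget       = new CacheWriter();
$gadget->path = '/var/www/html/wp-content/uploads/shell.php';
$gadget->data = '<?php /* attacker-supplied code */';
$evil         = serialize($gadget);
$sig          = sign_payload($evil);

handle_event_vulnerable($evil, $sig);
printf("vulnerable handler: gadget ran %d time(s)\n", count($GLOBALS['gadget_fired']));

$GLOBALS['gadget_fired'] = [];
$obj = handle_event_hardened($evil, $sig);
printf("hardened handler:   gadget ran %d time(s); got %s\n",
       count($GLOBALS['gadget_fired']), get_class($obj));

// Without the keys the signature cannot be forged, so both handlers reject the payload.
var_dump(handle_event_vulnerable($evil, 'forged') === null);

// Legitimate traffic carried as JSON instead of a serialized PHP value.
$legit = json_encode(['event' => 'PageView', 'post_id' => 42]);
print_r(handle_event_json($legit, sign_payload($legit)));
```

Run it with the php CLI (7.3 or later). The point to take from it: the signature check is a precondition that the page describes the attacker as already meeting ("access to a site's secret salts and keys"), so the fix has to remove the unserialize() sink, not strengthen the gate in front of it.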

Recently Patched Vulnerability in Thrive Themes Actively Exploited in the Wild

https://www.wordfence.com/blog/2021/03/recently-patched-vulnerability-in-thrive-themes-actively-exploited-in-the-wild/

On March 23, 2021, the Wordfence Threat Intelligence Team discovered two recently patched vulnerabilities being actively exploited in Thrive Themes’ “Legacy” themes and Thrive Themes plugins, which were chained together to allow unauthenticated attackers to upload arbitrary files to vulnerable WordPress sites. We estimate that more than 100,000 WordPress sites are using Thrive Themes products that may still be vulnerable. Patches were released on March 12, 2021 for the vulnerable themes and plugins. We are seeing these vulnerabilities being actively exploited in the wild, and we urge users to update to the latest versions available immediately since they contain a […]

Episode 109: This Attack Will Make You Want to Stop Using SMS 2FA

https://www.wordfence.com/blog/2021/03/episode-109-this-attack-will-make-you-want-to-stop-using-sms-2fa/

An attack shows how an SMS enablement service was used to bypass SMS 2FA for $16. We discuss the recently patched vulnerabilities in Elementor affecting over 7 million WordPress sites and how easily these cross-site scripting vulnerabilities can be exploited. We also talk about the SQL injection vulnerabilities in Tutor LMS. The data center fire at OVH in France that took 3.5 million sites offline also took down some advanced persistent threat (APT) actors. And there’s yet another Chrome use-after-free zero-day vulnerability being actively exploited. Here are timestamps and links in case you’d like to jump around, and a transcript […]

Cross-Site Scripting Vulnerabilities in Elementor Impact Over 7 Million Sites

https://www.wordfence.com/blog/2021/03/cross-site-scripting-vulnerabilities-in-elementor-impact-over-7-million-sites/

On February 23, 2021, the Wordfence Threat Intelligence team responsibly disclosed a set of stored Cross-Site Scripting vulnerabilities in Elementor, a WordPress plugin which “is now actively installed and used on more than 7M websites” according to a recent announcement on the Elementor blog. These vulnerabilities allowed any user able to access the Elementor editor, including contributors, to add JavaScript to posts. This JavaScript would be executed if the post was viewed, edited, or previewed by any other site user, and could be used to take over a site if the victim was an administrator. As Elementor has a contact […]
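Both the Elementor excerpt above and the WP Page Builder excerpt earlier on this page describe the same bug class: a page builder lets a low-privileged user (a contributor, who does not hold the unfiltered_html capability) save widget settings that are later rendered unescaped to every visitor and editor. The following is an added illustration, not Elementor's or WP Page Builder's code; the widget, function and setting names are hypothetical, and the settings array is constructed for the example.

```php
<?php
// Added illustration, not Elementor's or WP Page Builder's code. Models a
// page-builder "heading" widget whose settings are saved by a contributor-level
// user and rendered to every visitor. Names are hypothetical; the settings
// array is constructed for the example.

// What a low-privileged user could save through the editor: a tag name the
// widget never meant to allow, an attribute-breaking class, and a title that
// becomes a script body once the surrounding tag is <script>.
$contributor_settings = [
    'html_tag'  => 'script',                        // widget expects h1..h6, p, div, span
    'css_class' => '" onmouseover="alert(1)',
    'title'     => 'alert(document.cookie)',
];

// Vulnerable: interpolates the tag name and attribute verbatim and relies on the
// editor UI, not the server, to keep them sane.
function render_heading_vulnerable(array $s): string
{
    return sprintf('<%1$s class="%2$s">%3$s</%1$s>',
        $s['html_tag'], $s['css_class'], $s['title']);
}

const ALLOWED_HEADING_TAGS = ['h1', 'h2', 'h3', 'h4', 'h5', 'h6', 'p', 'div', 'span'];

// Allow-list the tag name: anything not on the list falls back to the default.
// WordPress core's tag_escape() is the lighter alternative; it strips everything
// but [a-zA-Z0-9_:] from the name, so it would still let "script" through.
function validate_html_tag(string $tag, string $default = 'h2'): string
{
    $tag = strtolower(trim($tag));
    return in_array($tag, ALLOWED_HEADING_TAGS, true) ? $tag : $default;
}

// Equivalent of WordPress esc_attr()/esc_html() for this stand-alone script.
function esc_html_attr(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Hardened: tag allow-listed, attribute escaped, and the title handled according
// to the capability of the user who saved it. Inside WordPress,
// $can_unfiltered_html would be current_user_can('unfiltered_html') for that
// user, and the non-privileged branch would run wp_kses_post() (which keeps
// safe markup) rather than a full escape.
function render_heading_hardened(array $s, bool $can_unfiltered_html): string
{
    $tag   = validate_html_tag($s['html_tag'] ?? '');
    $class = esc_html_attr($s['css_class'] ?? '');
    $title = $can_unfiltered_html ? ($s['title'] ?? '') : esc_html_attr($s['title'] ?? '');
    return sprintf('<%1$s class="%2$s">%3$s</%1$s>', $tag, $class, $title);
}

// ---- demo --------------------------------------------------------------------
echo "vulnerable: ", render_heading_vulnerable($contributor_settings), "\n";
echo "hardened:   ", render_heading_hardened($contributor_settings, false), "\n";
```

The vulnerable renderer emits a script element with an inline event handler; the hardened one emits an h2 whose class attribute and text are inert. The check to carry over to a real plugin review is whether every setting that ends up in a tag name, attribute name or attribute value is validated server-side at render time, since the editor's JavaScript UI can be bypassed by anyone who can reach the save endpoint.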

Several Vulnerabilities Patched in Tutor LMS Plugin

https://www.wordfence.com/blog/2021/03/several-vulnerabilities-patched-in-tutor-lms-plugin/

On December 15, 2020, our Threat Intelligence team responsibly disclosed several vulnerabilities in Tutor LMS, a WordPress plugin installed on over 20,000 sites. The first five flaws made it possible for authenticated attackers to inject and execute arbitrary SQL statements on WordPress sites. This made it possible for attackers to obtain information stored in a site’s database, including user credentials, site options, and other sensitive information. The remaining flaws made it possible for authenticated attackers to perform several unauthorized actions, such as escalating user privileges and modifying course settings, through various AJAX actions. We initially reached out to […]
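The Tutor LMS excerpt above and the WP Page Builder excerpt at the top of this page share two root causes that show up constantly in WordPress plugin AJAX handlers: the wp_ajax_ hook fires for every authenticated user, so a handler without its own capability check is reachable by subscribers, and SQL assembled by string interpolation is injectable by whoever can reach it. The following is an added illustration, not Tutor LMS or WP Page Builder code; it assumes it is loaded as a plugin inside WordPress, and the action names, function names, post type and meta key are hypothetical.

```php
<?php
/*
Plugin Name: Example Course AJAX (added illustration, not Tutor LMS or WP Page Builder code)
*/
// Two AJAX handlers for a hypothetical "example_course" post type. The first pair
// shows the bug classes described in the excerpts above; the second pair is the
// corrected version. Action names, function names and meta keys are hypothetical.

defined('ABSPATH') || exit;

// --- vulnerable ---------------------------------------------------------------

// 1. Missing capability check and nonce: wp_ajax_ hooks run for every logged-in
//    user, subscribers included, so anyone with an account can change any course.
add_action('wp_ajax_example_save_course', 'example_save_course_vulnerable');
function example_save_course_vulnerable()
{
    $course_id = (int) $_POST['course_id'];
    update_post_meta($course_id, '_example_price', $_POST['price']);
    wp_send_json_success();
}

// 2. SQL built by string interpolation from a request parameter.
add_action('wp_ajax_example_search_courses', 'example_search_courses_vulnerable');
function example_search_courses_vulnerable()
{
    global $wpdb;
    $term = $_GET['term'];
    $rows = $wpdb->get_results(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_type = 'example_course' AND post_title LIKE '%{$term}%'"
    );
    wp_send_json_success($rows);
}

// --- hardened -----------------------------------------------------------------

add_action('wp_ajax_example_save_course_v2', 'example_save_course_hardened');
function example_save_course_hardened()
{
    // CSRF: the editor page must have emitted wp_nonce_field('example_save_course').
    check_ajax_referer('example_save_course', '_wpnonce');

    $course_id = isset($_POST['course_id']) ? absint($_POST['course_id']) : 0;

    // Authorization per object: edit_post is a meta capability that resolves to
    // the caller's role AND post ownership, so a contributor cannot edit a
    // course they do not own, and a subscriber cannot edit any.
    if (!$course_id
        || get_post_type($course_id) !== 'example_course'
        || !current_user_can('edit_post', $course_id)) {
        wp_send_json_error('forbidden', 403);
    }

    $price = isset($_POST['price']) ? floatval($_POST['price']) : 0.0;
    update_post_meta($course_id, '_example_price', $price);
    wp_send_json_success();
}

add_action('wp_ajax_example_search_courses_v2', 'example_search_courses_hardened');
function example_search_courses_hardened()
{
    global $wpdb;
    check_ajax_referer('example_search_courses', '_wpnonce');
    if (!current_user_can('read')) {          // deliberately an authenticated-only endpoint
        wp_send_json_error('forbidden', 403);
    }

    $term = isset($_GET['term']) ? sanitize_text_field(wp_unslash($_GET['term'])) : '';

    // $wpdb->prepare() parameterizes the value; esc_like() escapes % and _ so the
    // caller cannot widen the LIKE pattern. LIMIT bounds the response size.
    $like = '%' . $wpdb->esc_like($term) . '%';
    $rows = $wpdb->get_results($wpdb->prepare(
        "SELECT ID, post_title FROM {$wpdb->posts}
         WHERE post_type = %s AND post_title LIKE %s LIMIT 50",
        'example_course',
        $like
    ));
    wp_send_json_success($rows);
}
```

When auditing a plugin for the issues these excerpts describe, the quick check is mechanical: list every add_action('wp_ajax_…') and add_action('wp_ajax_nopriv_…') registration, and for each handler confirm a check_ajax_referer() call, a current_user_can() call against the specific object being touched, and $wpdb->prepare() (or an equivalent API) on every query that contains request data.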

Episode 108: Hack Exposes 150,000 Security Cameras at Tesla, Cloudflare and Others

https://www.wordfence.com/blog/2021/03/episode-108-hack-exposes-150000-security-cameras-at-tesla-cloudflare-and-others/

A data breach exposes 150,000 security cameras used by organizations around the world, including Tesla and Cloudflare. State-sponsored hacking groups exploit Microsoft Exchange vulnerabilities. A fire in a French data center belonging to hosting company OVH affects millions of websites, including some prominent WordPress services like Imagify and WP Rocket. WordPress 5.7 was released this week with many new features. A zero-day vulnerability was listed for sale in a new way, as an NFT on the OpenSea NFT marketplace. Here are timestamps and links in case you’d like to jump around, and a transcript is below. 0:19 Defiant is hiring, […]