Multiple Vulnerabilities Patched in Orbit Fox by ThemeIsle Plugin

On November 19, 2020, our Threat Intelligence team responsibly disclosed two vulnerabilities in Orbit Fox by ThemeIsle, a WordPress plugin used by over 400,000 sites. One of these flaws made it possible for attackers with contributor level access or above to escalate their privileges to those of an administrator and potentially take over a WordPress site. The other flaw made it possible for attackers with contributor or author level access to inject potentially malicious JavaScript into posts. These types of malicious scripts can be used to redirect visitors to malvertising sites or create new administrative users, amongst many other actions. […]

Who Attacked SolarWinds and Why WordPress Users Need to Know

Chloe Chamberland is a threat analyst and member of the Wordfence Threat Intelligence Team. She holds the following certifications: OSCP, OSWP, OSWE, Security+, CySA+, PenTest+, CASP+, SSCP, Associate of (ISC)2, CEH, ECSA and eWPT. Many of these are advanced certifications, including OSCP and OSWE, which are 24- and 48-hour exams respectively that require hands-on hacking skills to pass. Chloe works full-time at Wordfence to identify and reverse engineer emerging threats facing WordPress. She works closely with vendors to remediate vulnerabilities they have, develops firewall rules for Wordfence, and publishes her research here, once the affected software has been patched […]

SolarWinds and Supply Chain Attacks: Could it happen to WordPress?

The SolarWinds supply chain attack is all over the news, impacting government agencies, telecommunications firms, and other large organizations. The security firm FireEye was the first victim of the attack, disclosing that they had been hacked on December 8, 2020. On December 13th the US Treasury Department announced that it had also been compromised. At that time SolarWinds Orion was officially reported as the intrusion vector. SolarWinds has since stated that “fewer than 18,000” firms were affected. Companies impacted by the SolarWinds supply chain attack include Intel, NVIDIA and Cisco. What is a supply chain attack? A supply chain attack […]

Episode 99: SolarWinds Supply Chain Attack Affects Government and Fortune 500 Businesses

Earlier this week, we learned that SolarWinds, the largest provider of network management tools for government and enterprise organizations, fell victim to a supply chain attack. This attack affected their Orion network management system. Reportedly, 18,000 enterprise and government customers installed malware that was digitally signed by a valid certificate as part of an update from SolarWinds’ servers. Microsoft took control of one of the primary command-and-control domains, and a security researcher stated that he alerted the company in 2019 that anyone could access SolarWinds’ update server by using the password “solarwinds123.” We also talk about a vulnerability in the […]

A Challenging Exploit: The Contact Form 7 File Upload Vulnerability

Contact Form 7, arguably the most widely used WordPress plugin, released a security patch for an unrestricted file upload vulnerability in all versions 5.3.1 and lower. The WordPress plugin directory lists 5+ million sites using Contact Form 7, but we estimate that it has at least 10 million installations. One of the important features of Contact Form 7 is the ability to allow file uploads as a part of a form submission. While uploaded filenames are sanitized during the upload process, reviewing the patch indicates that an attacker could potentially bypass some of Contact Form 7’s filename sanitization protections when […]

The NoneNone Brute Force Attacks: Even Hackers Need QA

For the last few weeks we’ve seen and blocked an increase in brute-force, credential stuffing, and dictionary attacks targeting the WordPress xmlrpc.php endpoint, on some days exceeding 150 million attacks against 1.9 million sites in a 24-hour period. These attacks attempt to guess the password of an authorized user on a site, and some of our users have noticed an odd phenomenon: brute-force attacks with the username and password set to “None” or “NoneNone”. Since these requests are targeted against xmlrpc.php, changing the admin URL won’t prevent attackers from sending these requests. What’s going on? Because these attacks are […]

Episode 98: How Application Passwords Work in WordPress 5.6

WordPress 5.6 was released this week with a new feature called application passwords. In this episode we talk about how application passwords work, where to find them in your WordPress installation, and why Wordfence decided to turn these off by default in version 7.4.14. We also talk about a new Magecart attack that places card skimmers inside of CSS files, and MailPoet joining WooCommerce and what this means for eCommerce on WordPress sites. FireEye, one of the largest security firms, reported they were hacked by a nation-state APT group. And a wormable zero-click vulnerability was found in Microsoft Teams. Here […]

Reflected XSS in PageLayer Plugin Affects Over 200,000 WordPress Sites

On November 4, 2020, the Wordfence Threat Intelligence team found two reflected Cross-Site Scripting (XSS) vulnerabilities in PageLayer, a WordPress plugin installed on over 200,000 sites. These vulnerabilities could lead to an attacker executing malicious JavaScript in an administrator’s browser, which could lead to takeover of a vulnerable WordPress site. We contacted the plugin’s publisher, Softaculous, on November 6, 2020, received a response over the weekend, and submitted the full disclosure on November 8, 2020. A patch was released the next day, November 9, 2020. All sites running Wordfence, including Wordfence Premium customers as well as those still running the […]

WordPress 5.6 Introduces a New Risk to Your Site: What to Do

WordPress 5.6, the final major release planned for 2020, comes out today, on December 8, 2020. It includes a few major features and updates, as well as a huge number of minor enhancements and bug fixes. A few changes have immediate implications for security and compatibility which we’ve highlighted in this post for WordPress users. Application Passwords add functionality, and risk: WordPress 5.6 will come with a new feature that allows external applications to request permission to connect to a site and generate a password specific to that application. Once the application has been granted access, it can perform actions […]

Episode 97: The Future of WordPress with PHP 8 and WordPress 5.6

With WordPress 5.6’s imminent release and the recent release of PHP 8, we talk about the rapid changes affecting the future of WordPress, with new security features and new functionality available to both WordPress users and developers. We also review a recent vulnerability found by Google Project Zero researchers in iPhones, and discuss a social engineering attack on GoDaddy that targeted numerous cryptocurrency exchange sites, and what we can learn from these types of attacks. Here are timestamps and links in case you’d like to jump around, and a transcript is below. 0:48 PHP 8: What WordPress Users Need to Know, Reddit discussion […]