Critical SQL Injection Vulnerability Patched in WooCommerce

https://www.wordfence.com/blog/2021/07/critical-sql-injection-vulnerability-patched-in-woocommerce/

On July 14, 2021, WooCommerce released an emergency patch for a SQL Injection vulnerability reported by security researcher Thomas DeVoss (dawgyg). This vulnerability allowed unauthenticated attackers to access arbitrary data in an online store’s database. WooCommerce is the leading e-Commerce platform for WordPress and is installed on over 5 million websites. Additionally, the WooCommerce Blocks feature plugin, installed on over 200,000 sites, was affected by the vulnerability and was patched at the same time. The Wordfence Threat Intelligence team was able to develop proofs of concept for time-based and boolean-based blind injections and released an initial firewall rule to our […]

Common WordPress Vulnerabilities and Prevention Through Secure Coding Best Practices

https://www.wordfence.com/blog/2021/07/common-wordpress-vulnerabilities-and-prevention-through-secure-coding-best-practices/

WordPress has experienced exponential growth in the past several years and now holds over 42% of the CMS market share for all major sites. There are over 50,000 plugins available to download in the WordPress repository. That does not include the thousands of premium or open source plugins available outside of the repository, along with the thousands of themes that site owners can use to customize their WordPress site. With the vast assortment of plugins and themes, there are thousands of developers with unique backgrounds, coding styles, and preferences contributing to the WordPress ecosystem. The vast differences in developers’ styles […]

Episode 124: PrintNightmare 0Day Exploit Accidentally Leaked Online

https://www.wordfence.com/blog/2021/07/episode-124-printnightmare-0day-exploit-accidentally-leaked-online/

Security researchers accidentally leaked zero-day exploit code for a new Windows bug, now called PrintNightmare, while easily exploitable vulnerabilities in the ProfilePress plugin, previously called WP User Avatar, were patched quickly. An unprotected cloud database containing over 814 million DreamHost user records was found online. Google Chrome is getting an HTTPS-only feature in an upcoming version, and two bugs, one of which is a zero-day, are leading to attackers fighting over control of internet-connected Western Digital My Book Live devices. Here are timestamps and links in case you’d like to jump around, and a transcript is below. 0:15 Researchers accidentally […]

Easily Exploitable Critical Vulnerabilities Patched in ProfilePress Plugin

https://www.wordfence.com/blog/2021/06/easily-exploitable-critical-vulnerabilities-patched-in-profilepress-plugin/

On May 27, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for several vulnerabilities that were discovered in ProfilePress, formerly WP User Avatar, a WordPress plugin installed on over 400,000 sites. These flaws made it possible for an attacker to upload arbitrary files to a vulnerable site and register as an administrator on sites even if user registration was disabled, all without requiring any prior authentication. We initially reached out to the plugin’s developer on May 27, 2021. After receiving confirmation of an appropriate communication channel, we provided the full disclosure details the same day. An updated […]

Episode 123: Over 30 Million Dell Devices at Risk for Remote BIOS Attacks

https://www.wordfence.com/blog/2021/06/episode-123-over-30-million-dell-devices-at-risk-for-remote-bios-attacks/

Over 30 million Dell devices are at risk for remote BIOS attacks due to four separate security bugs, which can have far-reaching effects for enterprise organizations heavily invested in Dell devices. VMware Carbon Black App Control has been updated this week to fix a critical-severity vulnerability that allows authentication bypass. Antivirus creator John McAfee dies in a Spanish jail, and a bug found by a security researcher in Atlassian’s authentication could have led to a supply chain attack. A security update is planned for Google Drive that could break shared links. And a number of organizations were affected by […]

Episode 122: Largest Password Dump in History Fuels Credential Stuffing Extravaganza

https://www.wordfence.com/blog/2021/06/episode-122-largest-password-dump-in-history-fuels-credential-stuffing-extravaganza/

Sites running Jetpack are being infected via compromised WordPress.com credentials. The largest password dump ever, with 8.4 billion passwords, is used in credential stuffing attacks. Wordfence Threat Intelligence discloses new plugin vulnerabilities as well as a vulnerability at tsoHost. Data breaches impact VW and EA, REvil compromises a nuclear weapons contractor, and TurboTax accounts are taken over. Ransomware surveys show conflicting results. Chrome and iOS Safari are both patched against 0-days. Here are timestamps and links in case you’d like to jump around, and a transcript is below. 0:28 Malicious Attack Campaign Targeting Jetpack Users Reusing Passwords 3:24 Largest Password […]

Service Vulnerabilities: Shared Hosting Symlink Security Issue Still Widely Exploited on Unpatched Servers

https://www.wordfence.com/blog/2021/06/service-vulnerabilities-shared-hosting-symlink-security-issue-still-widely-exploited-on-unpatched-servers/

The Wordfence site cleaning team helps numerous customers recover from malware infections and site intrusions. While doing so, Wordfence Security Analysts perform a detailed forensic investigation in order to determine how the site was compromised by attackers. In a set of recent cases, we were able to identify a service vulnerability allowing malicious attackers to use symlinks to compromise numerous sites on the tsoHost Managed cPanel VPS platform. In our investigation, we validated the vulnerability by creating a proof of concept and reached out to tsoHost, who promptly secured their systems against further attacks. These service vulnerabilities are not unique […]

High Severity Vulnerability Patched in WooCommerce Stock Manager Plugin

https://www.wordfence.com/blog/2021/06/high-severity-vulnerability-patched-in-woocommerce-stock-manager-plugin/

On May 21, 2021, the Wordfence Threat Intelligence team initiated the responsible disclosure process for a vulnerability that we discovered in WooCommerce Stock Manager, a WordPress plugin installed on over 30,000 sites. This flaw made it possible for an attacker to upload arbitrary files to a vulnerable site and achieve remote code execution, as long as they could trick a site’s administrator into performing an action like clicking on a link. We initially reached out to the plugin’s developer on May 21, 2021. After receiving confirmation of an appropriate communication channel, we provided the full disclosure details on May 24, […]

Malicious Attack Campaign Targeting Jetpack Users Reusing Passwords

https://www.wordfence.com/blog/2021/06/malicious-attack-campaign-targeting-jetpack-users-reusing-passwords/

The Wordfence Threat Intelligence and Site Cleaning teams have been tracking a malware campaign that redirects all site visitors to malvertising domains, while attempting to keep site administrators unaware of the infection. Since June 1, 2021, the number of sites we are tracking that have been infected with this malware has more than doubled, and we expect this campaign to continue gaining momentum as it relies on a mechanism that is difficult to block directly. Jetpack is one of the most popular plugins in the WordPress repository, and it has a dizzying array of features that require users to connect […]

Episode 120: Jetpack Autoupdate Security Patch Bypasses Local Settings

https://www.wordfence.com/blog/2021/06/episode-120-jetpack-autoupdate-security-patch-bypasses-local-settings/

A security fix for an information leak vulnerability was pushed out to WordPress sites using Jetpack that bypassed local settings preventing autoupdates. A ransomware attack on JBS that shut down meat processing operations in the United States has been attributed to REvil, a private Russian ransomware-as-a-service operation. A critical zero-day vulnerability was discovered by the Wordfence site cleaning team in the Fancy Product Manager plugin, used by 17,000 WordPress sites. Amazon devices will soon automatically share your Internet with neighbors, unless you opt out by June 8. Google PPC ads are serving up malicious content targeting searches for AnyDesk, Dropbox […]