[German]Vulnerabilities in WordPress-Plugins like Flexible Checkout Fields for WooCommerce puts hundreds of thousands of WordPress pages at risk to be hijacked. Here is some information that I received during the days around this topic.
Advertising
Campaign to hijack WordPress pages
WordFence Security researchers warns of an ongoing campaign where WordPress installations are hijacked by multiple 0-day vulnerabilities and taken over by attackers. This takeover is made possible by the outdated plugin Flexible Checkout Fields for WooCommerce, which had the vulnerabilities. The plugin is in use on more than 20,000 sites.
The plugin Flexible Checkout Fields for WooCommerce received a critical update to version 2.3.4 a few days ago to patch a zero-day vulnerability that allowed attackers to change the settings of the plugin.
When the WordFence Threat Intelligence team investigated the scope of an attack campaign on this plugin, they discovered three other zero-day vulnerabilities in popular WordPress plugins that are being exploited. The plugins are affected:
Details about this campaign and the vulnerabilities are covered by the WordFence Threat Intelligence team in this blog post. Bleeping Computer has this blog post about that topic.
Vulnerabilities in WordPress Pricing Table-Plugin
Already on February 25, 2020 I received another security advice from WordFence. The WordFence Threat Intelligence Team discovered several vulnerabilities in the WordPress Pricing Table-Plugin. The WordPress-Plugin from Supsystic is installed on over 40.000 websites.
Advertising
These vulnerabilities allowed an unauthenticated user to perform multiple AJAX actions due to an insecure permissions weakness. The attackers were also able to inject malicious Javascript due to a Cross-Site Scripting (XSS) vulnerability, access the pricing table data, and forge requests on behalf of a site administrator due to a Cross-Site Request Forgery (CSRF) vulnerability.
There is an update for the plugin for version 1.8.2, which should be installed immediately, if not already done. Details about this security issue can be found in the Wordfence blog.
Further campaigns
Already last Monday the WordFence team reported in this blog post about further attacks, e.g. about the vulnerable ThemeGrill Demo Importer. I had taken up the topic in the German blog post WordPress ThemeGrill-Plugin mit gravierender Schwachstelle. And there were attacks on websites with outdated Profile Builder plugin. In my German blog there was the postSchwachstellen in WordPress-Plugins: GDPR Cookie Consent und Profile Builder.
Addendum: Catalin Cimpanu has published an article that covers even more attack vectory. A must read.
There's been some serious WordPress pwnage going on in the past month.
I've summarized all the new WordPress plugins that have come under attack.
Counted at least 5 zero-days. One remains unpatched.https://t.co/xmMCwbichq pic.twitter.com/IYh9QJeACH
— Catalin Cimpanu (@campuscodi) March 2, 2020
