{"id":13430,"date":"2020-02-29T11:52:32","date_gmt":"2020-02-29T10:52:32","guid":{"rendered":"http:\/\/159.69.82.204\/win\/?p=13430"},"modified":"2022-06-26T12:57:06","modified_gmt":"2022-06-26T10:57:06","slug":"critical-vulnerabilities-in-wordpress-plugins-feb-29-2020","status":"publish","type":"post","link":"https:\/\/borncity.com\/win\/2020\/02\/29\/critical-vulnerabilities-in-wordpress-plugins-feb-29-2020\/","title":{"rendered":"Critical vulnerabilities in WordPress plugins (Feb. 29, 2020)"},"content":{"rendered":"<p><img loading=\"lazy\" decoding=\"async\" style=\"float: left; margin: 0px 10px 0px 0px; display: inline;\" src=\"http:\/\/www.borncity.com\/blog\/wp-content\/uploads\/2014\/07\/wp_thumb.jpg\" alt=\"\" width=\"64\" height=\"64\" align=\"left\" \/>[German]Vulnerabilities in WordPress plugins like <a href=\"https:\/\/de.wordpress.org\/plugins\/flexible-checkout-fields\/\" target=\"_blank\" rel=\"noopener noreferrer\">Flexible Checkout Fields for WooCommerce<\/a> put hundreds of thousands of WordPress pages at risk of being hijacked. Here is some information I received on this topic over the past few days.<\/p>\n<p><!--more--><\/p>\n<h2>Campaign to hijack WordPress pages<\/h2>\n<p><img loading=\"lazy\" decoding=\"async\" src=\"https:\/\/vg08.met.vgwort.de\/na\/61de69b9f808433bb4b2842f4e8068a2\" alt=\"\" width=\"1\" height=\"1\" \/>WordFence security researchers warn of an ongoing campaign in which WordPress installations are hijacked and taken over by attackers through multiple zero-day vulnerabilities. This takeover is made possible by the outdated plugin <em><a href=\"https:\/\/de.wordpress.org\/plugins\/flexible-checkout-fields\/\" target=\"_blank\" rel=\"noopener noreferrer\">Flexible Checkout Fields for WooCommerce<\/a><\/em>, which contained the vulnerabilities. 
The plugin is in use on more than 20,000 sites.<\/p>\n<p>The plugin <em>Flexible Checkout Fields for WooCommerce<\/em> received a critical update to version 2.3.4 a few days ago to patch a zero-day vulnerability that allowed attackers to change the settings of the plugin.<\/p>\n<p>When the WordFence Threat Intelligence team investigated the scope of an attack campaign on this plugin, they discovered three other zero-day vulnerabilities in popular WordPress plugins that are being exploited. The following plugins are affected:<\/p>\n<ul>\n<li><a href=\"https:\/\/wordpress.org\/plugins\/async-javascript\/\" target=\"_blank\" rel=\"noopener noreferrer\">Async JavaScript<\/a>,<\/li>\n<li><a href=\"https:\/\/wordpress.org\/plugins\/modern-events-calendar-lite\/\">Modern Events Calendar Lite<\/a>,<\/li>\n<li><a href=\"https:\/\/wordpress.org\/plugins\/wd-google-maps\/\">10Web Map Builder for Google Maps<\/a><\/li>\n<\/ul>\n<p>Details about this campaign and the vulnerabilities are covered by the WordFence Threat Intelligence team in <a href=\"https:\/\/www.wordfence.com\/blog\/2020\/02\/site-takeover-campaign-exploits-multiple-zero-day-vulnerabilities\/\" target=\"_blank\" rel=\"noopener noreferrer\">this blog post<\/a>. Bleeping Computer has <a href=\"https:\/\/www.bleepingcomputer.com\/news\/security\/critical-bugs-in-wordpress-plugins-let-hackers-take-over-sites\/\" target=\"_blank\" rel=\"noopener noreferrer\">this blog post<\/a> about that topic.<\/p>\n<h2>Vulnerabilities in WordPress Pricing Table plugin<\/h2>\n<p>On February 25, 2020, I had already received another security advisory from WordFence. The WordFence Threat Intelligence Team discovered several vulnerabilities in the WordPress Pricing Table plugin. The plugin, by Supsystic, is installed on over 40,000 websites.<\/p>\n<p>These vulnerabilities allowed an unauthenticated user to perform multiple AJAX actions due to an insecure permissions weakness. 
The attackers were also able to inject malicious JavaScript due to a Cross-Site Scripting (XSS) vulnerability, access the pricing table data, and forge requests on behalf of a site administrator due to a Cross-Site Request Forgery (CSRF) vulnerability.<\/p>\n<p>The plugin has been updated to version 1.8.2; the update should be installed immediately if that has not already been done. Details about this security issue can be found in the <a href=\"https:\/\/www.wordfence.com\/blog\/2020\/02\/multiple-vulnerabilities-patched-in-pricing-table-by-supsystic-plugin\/\" target=\"_blank\" rel=\"noopener noreferrer\">Wordfence blog<\/a>.<\/p>\n<h2>Further campaigns<\/h2>\n<p>Last Monday, the WordFence team had already reported in <a href=\"https:\/\/www.wordfence.com\/blog\/2020\/02\/multiple-attack-campaigns-targeting-recent-plugin-vulnerabilities\/\" target=\"_blank\" rel=\"noopener noreferrer\">this blog post<\/a> on further attacks, e.g. on the vulnerable ThemeGrill Demo Importer. I covered the topic in the German blog post <a href=\"https:\/\/www.borncity.com\/blog\/2020\/02\/18\/wordpress-themegrill-plugin-mit-gravierender-schwachstelle\/\" target=\"_blank\" rel=\"noopener noreferrer\">WordPress ThemeGrill-Plugin mit gravierender Schwachstelle<\/a>. There were also attacks on websites running an outdated Profile Builder plugin. My German blog covered this in the post <a href=\"https:\/\/www.borncity.com\/blog\/2020\/02\/14\/schwachstellen-in-wordpress-plugins-gdpr-cookie-consent-und-profile-builder\/\">Schwachstellen in WordPress-Plugins: GDPR Cookie Consent und Profile Builder<\/a>.<\/p>\n<p><strong>Addendum:<\/strong> Catalin Cimpanu has published an article that covers even more attack vectors. A must-read.<\/p>\n<blockquote class=\"twitter-tweet\">\n<p dir=\"ltr\" lang=\"en\">There's been some serious WordPress pwnage going on in the past month.<\/p>\n<p>I've summarized all the new WordPress plugins that have come under attack.<\/p>\n<p>Counted at least 5 zero-days. 
One remains unpatched.<a href=\"https:\/\/t.co\/xmMCwbichq\">https:\/\/t.co\/xmMCwbichq<\/a> <a href=\"https:\/\/t.co\/IYh9QJeACH\">pic.twitter.com\/IYh9QJeACH<\/a><\/p>\n<p>\u2014 Catalin Cimpanu (@campuscodi) <a href=\"https:\/\/twitter.com\/campuscodi\/status\/1234353994950033408?ref_src=twsrc%5Etfw\">March 2, 2020<\/a><\/p><\/blockquote>\n<p><script async src=\"https:\/\/platform.twitter.com\/widgets.js\" charset=\"utf-8\"><\/script><\/p>\n","protected":false},"excerpt":{"rendered":"<p>[German]Vulnerabilities in WordPress-Plugins like Flexible Checkout Fields for WooCommerce puts\u00a0 hundreds of thousands of WordPress pages at risk to be hijacked. Here is some information that I received during the days around this topic.<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[580,1547],"tags":[69,359],"class_list":["post-13430","post","type-post","status-publish","format-standard","hentry","category-security","category-software","tag-security","tag-wordpress"],"_links":{"self":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/13430","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/comments?post=13430"}],"version-history":[{"count":0,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/posts\/13430\/revisions"}],"wp:attachment":[{"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/media?parent=13430"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/borncity.com\/win\/wp-json\/wp\/v2\/categories?post=13430"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/borncity.co
m\/win\/wp-json\/wp\/v2\/tags?post=13430"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}