WordPress Websites Continue to Get Hacked via MailPoet Plugin Vulnerability

The popular MailPoet (wysija-newsletters) WordPress plugin had a serious file upload vulnerability a few months back, allowing an attacker to upload arbitrary files to vulnerable sites.

This issue was disclosed months ago and the MailPoet team patched it promptly. It seems, though, that many website owners have still not gotten the word, or are simply not updating, because we are seeing another string of mass exploitation attempts against WordPress websites. Sites that have not updated are getting infected repeatedly via this vector. The issue is compounded further because the attackers are using the plugin as a springboard into the rest of the hosting account, compromising every site under it.

Please, we cannot stress the importance of updating enough, and not just your active website, but every other website you have in your stack under the same account. Cross-site contamination is a very serious issue. If you can’t update for whatever reason, put a website firewall in place at a minimum, and stop the attackers before they get in.

The Payload

We are lucky because the volume of infected websites we see daily allows us to analyze and clean hundreds of websites, which in turn lets us establish processes that escalate cases when they trigger specific similarities. It’s part of our pattern recognition process. It’s at this point that our Research team gets involved to better understand the cause and introduce new solutions to 1) clean it faster and 2) see if there is something we can do to get ahead of it (it’s what leads to these posts).


Vulnerability found in the All in One SEO Pack WordPress Plugin

The team behind the All in One SEO Pack just released a new version of their popular WordPress plugin.

It is a security release patching two privilege escalation vulnerabilities we discovered earlier this week that may affect any website running the plugin.

The risks

If your site has subscribers, authors or other non-admin users logging in to wp-admin, you are at risk. If you have open registration, you are at risk, so you have to update the plugin now.

While auditing their code, we found two security flaws that allow an attacker to conduct privilege escalation and cross-site scripting (XSS) attacks.

In the first case, a logged-in user without any kind of administrative privileges (such as an author or subscriber) could add or modify certain parameters used by the plugin, including a post’s SEO title, description and keyword meta tags, all of which could lower the website’s Search Engine Results Page (SERP) ranking if used maliciously.

While it does not necessarily look that bad at first (yes, SERP rank loss is no good, but no one’s hurt at this point, right?), we also discovered this bug can be combined with another vulnerability to execute malicious JavaScript code in an administrator’s control panel. This means that an attacker could potentially inject arbitrary JavaScript code and do anything from changing the admin’s account password to leaving a backdoor in your website’s files in order to conduct even more “evil” activities later.

How to prevent this from happening

We’re not going to reinvent the wheel on this one: upgrade to the latest version available for this plugin.

If you cannot do this, we strongly recommend you have a look at our CloudProxy WAF, which has been updated to protect our customers from this threat.

WordPress Themes: XSS Vulnerabilities and Secure Coding Practices

As many might imagine, my life revolves around Information Security. If you’re like me, you’re undoubtedly seeing all these new posts talking about insecurities in WordPress themes, specifically a plethora of Cross-Site Scripting (XSS) vulnerabilities. Surprise, surprise, right? Yeah, no, not so much.

WordPress Theme XSS Vulnerabilities

Here are some of the posts I am referring to:
