SweetCAPTCHA Returns Hijacking Another Plugin

Yesterday we observed a strange, short-lived return of the SweetCaptcha plugin to the WordPress.org repository.

In June we reported that SweetCaptcha injected third-party ad code into its scripts, which led to malvertising problems on the sites that used this CAPTCHA service. After that incident, the SweetCaptcha WordPress plugin was removed from the official plugin repository.

To our surprise, we noticed SweetCaptcha in the WordPress repository on July 22, 2015. To our even greater surprise, the plugin page URL was https://wordpress.org/plugins/jumpple/.

Understanding WordPress Plugin Vulnerabilities

The last 7 days have been very busy, with a number of vulnerabilities being disclosed in multiple WordPress plugins. Some of them are minor issues, some are more relevant, while others are what we’d categorize as noise. How are you supposed to make sense of all this?

To help provide some clarity on the influx of data, we want to provide some insights to help you, the website owner, navigate and understand these vulnerabilities. We will provide a summary and an explanation of the ones that matter and the ones that do not.

Security Advisory: MainWP-Child WordPress Plugin

Security Risk: Critical
Exploitation Level: Very Easy/Remote
DREAD Score: 9/10
Vulnerability: Password bypass / Privilege Escalation
Patched Version: 2.0.9.2

During a routine audit of our Website Firewall (WAF), we found a critical vulnerability affecting the popular MainWP Child WordPress plugin. According to WordPress.org, it is installed on more than 90,000 WordPress websites as a remote administration tool. We contacted the MainWP team last week and they patched the vulnerability in version 2.0.9.2 last Friday.

Per the developers’ request, which follows guidance provided in our note to developers about how to disclose a vulnerability, we delayed our disclosure to allow users time to update.

Bogus Mobile-Shortcuts WordPress Plugin Injects SEO Spam

Here at Sucuri we see countless cases of SEO spam where a website is compromised in order to spread pharmaceutical advertisements or backlinks to sites selling luxury goods. Most of the time this involves injecting hundreds of spam links into the site’s database, but in this case a deceptive, fake plugin called mobile-shortcuts was able to be a bit more discreet. Below I go over the process by which this SEO spam injection was uncovered and identified.

Site (SEO Spam) Unseen

Recently I came across a website displaying a (BlackHat) SEO spam warning – pretty typical in terms of what we see day to day:

Malicious Code Warning – via SiteCheck by Sucuri

Our first analysis of the site cleared quite a few backdoors and a few known hack tools but, even so, this SEO spam persisted.


Understanding the WordPress Security Plugin Ecosystem

This post is available in Spanish.


As a child, did you ever play that game where you sit in a circle and one person is responsible for whispering something into one person’s ear, and that message gets relayed around the circle? Wasn’t it always funny to see what the final message received would be? Oh, and how it would have morphed as it was processed and conveyed by each individual in the group.

This is what I see when I look at the WordPress Security Ecosystem.

The biggest challenge the ecosystem faces is product and service confusion. This is compounded by a variety of factors. I often categorize them, generally into two buckets – deliberate and non-deliberate confusion. For me deliberate product confusion comes often by marketeers and those looking to make a quick buck on what they perceive to be the next virtual gold rush. While non-deliberate confusion is introduced by those that mean well, or were once affected, and have come up with a genuine solution that likely addresses a very narrow issue.

An easy way to better appreciate this is to look at the WordPress Security Plugins specifically, as they’re tangible and that makes it easier to truly appreciate the nuances of the security space.

Contrary to popular belief, not all plugins are the same or created equal and you can’t compare them as that would not be an apples to apples comparison.

Interestingly enough, there are often pretty unique differentiating factors between each of the security plugins in the market, although in many cases there are one-to-one correlations. Human nature is also one of the contributing factors to confusion. As humans we are often configured to go the easiest route. We’re always looking for the one with the biggest audience, or the one that is pushed on us the most. If everyone else is using it, I should too. Rarely do we truly understand or give much thought to this phenomenon.

Critical Vulnerability Disclosed on WordPress Custom Contact Forms Plugin

If you’re using the Custom Contact Forms WordPress plugin, you need to update it right away.

During a routine audit for our WAF, we found a critical vulnerability that allows an attacker to download and modify your database remotely (no authentication required).

The vulnerability was disclosed to the plugin developer a few weeks ago, but they were unresponsive. So, we engaged the WordPress Security team. They were able to close the loop with the developer and get a patch released, but you might have missed it:


Vulnerability found in the All in One SEO Pack WordPress Plugin

The team behind the All in One SEO Pack just released a new version of their popular WordPress plugin.

It is a security release patching two privilege escalation vulnerabilities we discovered earlier this week that may affect any web site running it.

Are You At Risk?

If your site has subscribers, authors and non-admin users logging in to wp-admin, you are at risk. If you have open registration, you are at risk. You have to update the plugin as soon as possible.

While auditing their code, we found two security flaws that allow an attacker to conduct privilege escalation and cross-site scripting (XSS) attacks.

In the first case, a logged-in user without any administrative privileges (like an author or subscriber) could add or modify certain parameters used by the plugin. These include the post’s SEO title, description and keyword meta tags, all of which could decrease a website’s Search Engine Results Page (SERP) ranking if used maliciously.

While it does not necessarily look that bad at first (yes, SERP rank loss is no good, but no one’s hurt at this point, right?), we also discovered that this bug can be combined with another vulnerability to execute malicious JavaScript code on an administrator’s control panel. This means that an attacker could potentially inject any JavaScript code and do things ranging from changing the admin’s account password to leaving a backdoor in your website’s files in order to conduct even more “evil” activities later.

How to Prevent This From Happening

We’re not going to reinvent the wheel on this one: upgrade to the latest version available for this plugin.

If you cannot do this, we highly recommend having a look at our CloudProxy WAF, which has been updated to protect our customers from this threat.