Vulnerabilities in WordPress plugins with more than a million installations

Security researchers from Wordfence and WebARX have identified several dangerous vulnerabilities in five plugins for the WordPress web content management system, totaling more than a million installations.

  • Vulnerability in the plugin GDPR Cookie Consent, which has more than 700 thousand installations. The issue is rated 9 out of 10 in severity (CVSS). The vulnerability allows an authenticated user with subscriber rights to delete or hide (change the status to unpublished draft) any page of the site, as well as substitute their own content on the pages. The vulnerability was fixed in release 1.8.3.

  • Vulnerability in the plugin ThemeGrill Demo Importer, with more than 200 thousand installations (real attacks on sites have been recorded; since the attacks began and details of the vulnerability became public, the number of installations has already dropped to 100 thousand). The vulnerability allows an unauthenticated visitor to wipe the contents of the site's database and reset it to a fresh-installation state. If the database contains a user named admin, the vulnerability also allows full control over the site to be gained. The vulnerability is caused by a failure to authenticate the user attempting to issue privileged commands via the /wp-admin/admin-ajax.php script. The problem is fixed in version 1.6.2.

  • Vulnerability in the plugin ThemeREX Addons, used on 44 thousand sites. The issue is assigned a severity level of 9.8 out of 10. The vulnerability allows an unauthenticated user to execute their own PHP code on the server and replace the site administrator account by sending a specially crafted request via the REST API. Cases of exploitation of the vulnerability have already been recorded in the wild, but an update with a fix is not yet available. Users are advised to remove this plugin as quickly as possible.

  • Vulnerability in the plugin wpCentral, with 60 thousand installations. The issue has been assigned a severity level of 8.8 out of 10. The vulnerability allows any authenticated visitor, including those with subscriber rights, to escalate their privileges to site administrator or gain access to the wpCentral control panel. The problem is fixed in version 1.5.1.

  • Vulnerability in the plugin ProfileBuilder, with about 65 thousand installations. The issue is assigned a severity level of 10 out of 10. The vulnerability allows an unauthenticated user to create an account with administrator rights (the plugin lets site owners build registration forms, and a user can simply submit an additional field carrying the user's role and set it to the administrator level). The problem is fixed in version 3.1.1.
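Two of the items above (ThemeGrill Demo Importer and ProfileBuilder) come down to the same missing server-side checks: a privileged admin-ajax.php action that never verifies who is calling it, and a registration form that trusts a client-supplied role. The PHP below is an added illustration, not code from any of the plugins named here; it assumes it runs inside WordPress (the hooks and helper functions are WordPress core APIs), and the action name, nonce name and function names are hypothetical.

```php
<?php
/*
 * Added illustrative plugin code, not from any plugin named in the article.
 * Assumes a WordPress environment: add_action, check_ajax_referer,
 * current_user_can, wp_create_nonce, wp_insert_user etc. are WordPress core.
 * Action/nonce/function names ("example_*") are hypothetical.
 */

/* --- 1. Privileged admin-ajax.php action ---------------------------------
 * Anti-pattern (ThemeGrill-style): hooking the handler on
 * wp_ajax_nopriv_<action> as well, or doing privileged work with no
 * capability check, lets any unauthenticated visitor trigger it.
 * Hardened form: wp_ajax_ only (logged-in users), plus nonce and capability.
 */
add_action('wp_ajax_example_reset_demo', 'example_reset_demo_handler');

function example_reset_demo_handler() {
    // Rejects requests that lack a nonce issued for this action (CSRF protection).
    check_ajax_referer('example_reset_demo', 'nonce');

    // Rejects subscribers and any other account without admin capability.
    if (!current_user_can('manage_options')) {
        wp_send_json_error(array('message' => 'insufficient privileges'), 403);
    }

    // ... destructive / privileged work would go here ...
    wp_send_json_success(array('message' => 'ok'));
}

// The nonce is generated server-side and handed to the admin page's script,
// which sends it back as the "nonce" POST field.
add_action('admin_enqueue_scripts', 'example_enqueue_admin_script');

function example_enqueue_admin_script() {
    wp_enqueue_script('example-admin', plugins_url('admin.js', __FILE__), array('jquery'), '1.0', true);
    wp_localize_script('example-admin', 'exampleAjax', array(
        'url'   => admin_url('admin-ajax.php'),
        'nonce' => wp_create_nonce('example_reset_demo'),
    ));
}

/* --- 2. Self-registration: never let the client choose its role ----------
 * Anti-pattern (ProfileBuilder-style): 'role' => $_POST['role'].
 * Hardened form: ignore the request entirely, or map it through a fixed
 * allow-list of low-privilege roles and fall back to the default.
 */
function example_resolve_role($requested) {
    // Only roles a self-registering user may legitimately pick; never
    // administrator/editor. Strict comparison avoids type juggling.
    $allowed = array('subscriber', 'contributor');
    return in_array($requested, $allowed, true) ? $requested : 'subscriber';
}

function example_register_user($username, $email, $password, $requested_role = '') {
    $user_id = wp_insert_user(array(
        'user_login' => sanitize_user($username),
        'user_email' => sanitize_email($email),
        'user_pass'  => $password,
        'role'       => example_resolve_role($requested_role),
    ));
    return $user_id; // int user ID on success, WP_Error on failure
}
```

When auditing a plugin for either class of bug, the things to look for are exactly the lines above: every `wp_ajax_nopriv_` hook and every `wp_ajax_` handler without a `check_ajax_referer`/`current_user_can` pair, and every `wp_insert_user`/`wp_update_user` call whose `role` value is derived from `$_POST` or `$_REQUEST`.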

Separately, the discovery of networks distributing trojanized WordPress plugins and themes is worth noting. The attackers placed pirated copies of paid plugins on bogus directory sites, having first built a backdoor into them to obtain remote access and fetch commands from a command-and-control server. Once activated, the malicious code was used to inject malicious or deceptive advertising (for example, warnings about the need to install an antivirus or update the browser), as well as for search engine optimization to promote sites that distribute the malicious plugins. According to preliminary data, more than 20 thousand sites were compromised through these plugins. Among the victims were a decentralized mining platform, a trading firm, a bank, several large companies, a developer of credit card payment solutions, IT companies, and others.

Source: opennet.ru