Think Like a Hacker with Wordfence

Summary: Mark Maunder co-founded Wordfence in 2011 after his WordPress site was hacked and he learned how hard it was to clean and secure. Today the team has grown to over 35 members world-wide and Wordfence protects over 4 million WordPress sites. On the Think Like a Hacker podcast, we cover interesting topics related to WordPress, security and innovation. Episodes alternate between security news and interviews with innovators from WordPress and information security communities.

  • Artist: Wordfence
  • Copyright: Copyright © 2019 Defiant, Inc. All rights reserved

Podcasts:

 Episode 95: Critical Privilege Escalation Vulnerabilities Affect Over 100K WordPress Sites | File Type: audio/mpeg | Duration: 24:42

Three critical privilege escalation vulnerabilities in the Ultimate Member plugin put over 100,000 sites at risk. We also talk about the Page Experience metric to be added as a ranking signal for Google search and what this means for WordPress sites using page builders or Gutenberg. Microsoft warns against using telephone/SMS-based multi-factor authentication, and a number of zero-day vulnerabilities were patched in Google Chrome and Windows.

 Episode 94: Hosting Provider Exposed 63 Million Customer Records | File Type: audio/mpeg | Duration: 23:46

A hosting provider exposed 63+ million customer records via an open Elasticsearch database containing exposed username/password credentials for numerous WordPress, Magento and other sites. We also talk about the security updates in WordPress 5.5.2/5.5.3, about object injection vulnerabilities like the one discovered in the Welcart e-Commerce plugin, and how POP (property-oriented programming) chain attacks work. And Google's Project Zero finds a high-severity vulnerability in GitHub Actions not fixed within the disclosure grace period.

 Episode 93: Nitro Documents on the Dark Web and Botnets Targeting Older Vulnerabilities | File Type: audio/mpeg | Duration: 16:17

We cover a couple of breaking stories this week, including the emergency release of WordPress 5.5.3 on October 30, with a number of sites auto-updating to version 5.5.3-alpha. We also look at the defacement of the Trump Campaign website, and how 2FA could have prevented it, as well as the implications of a massive Nitro database impacting large organizations. A botnet is targeting a number of content management systems, including WP sites. Adware is found on the Google Play Store targeting kids.

 Episode 92: WordPress Forced Security Autoupdate Protects Sites from Loginizer Vulnerability | File Type: audio/mpeg | Duration: 16:01

An easily exploitable SQL injection vulnerability was discovered in the Loginizer plugin installed on over 1 million WordPress sites, causing the WordPress team to force an update to sites using the vulnerable version. The Justice Department is filing an antitrust suit against Google for allegedly monopolizing search and search advertising markets. Google Chrome gets an update to fix an actively exploited zero-day vulnerability. And a new feature in Jetpack allows users to post Tweetstorms through WordPress.

 Episode 91: How Hackers Can Use CSRF Vulnerabilities and Spearphishing to Wreak Havoc on WordPress | File Type: audio/mpeg | Duration: 17:57

This week, we chat about the CSRF vulnerability found in the Child Theme Creator by Orbisius and how attackers could use a vulnerability like this with spearphishing to wreak havoc, much like the phishing campaigns now being found on the Canva design platform. We discuss the benefits of adding application passwords for REST API authentication planned for WordPress version 5.6, and the ramifications of the critical, wormable RCE bug patched by Microsoft.

 Episode 90: WPBakery Plugin Vulnerability Exposes Over 4 Million Sites | File Type: audio/mpeg | Duration: 07:24

A vulnerability discovered by the Wordfence Threat Intelligence team in the WPBakery plugin exposes over 4 million sites. High severity vulnerabilities were discovered in the Post Grid and Team Showcase plugins. The online avatar service Gravatar has been exposed to a user enumeration technique, which could be abused to collect data on its users' profiles, and a card skimmer was found on Boom! Mobile's website, putting customer card data at risk.

 Episode 89: Shopify Rogue Employees, Medium and Twitter Vulnerabilities, and Hackers Hiding Out in Corporate Networks | File Type: audio/mpeg | Duration: 06:16

Shopify reports that rogue employees stole data from 200 merchants on their platform. A security researcher found that a vulnerability in the Medium Partner Program could have allowed an attacker to steal writers' earnings. Symantec reports that a state-sponsored hacking group has been hiding out in company networks as a part of an information-stealing campaign. And Twitter reports that an API bug exposed app keys and tokens via a caching issue.

 Episode 88: XCloner Vulnerabilities, LokiBot Malware, & a 14 Year Old Nets a $25K Bug Bounty | File Type: audio/mpeg | Duration: 07:29

Our Threat Intelligence team discovered vulnerabilities in XCloner Backup and Restore, affecting 30K+ sites. CISA is warning of persistent malicious activity connected to LokiBot. An API change will break Facebook & Instagram oEmbed links after October 24. Google has launched the Web Stories for WordPress plugin making full-screen, tappable content possible. Drupal patches a critical reflected XSS vulnerability, & a critical stored XSS vulnerability in Instagram's Spark AR Studio nets a 14-year-old $25,000.

 Episode 87: Vulnerabilities Affect Discount Rules for WooCommerce Plugin, ModSecurity & Windows | File Type: audio/mpeg | Duration: 09:35

Vulnerabilities were patched in the Discount Rules for WooCommerce plugin installed on 40k+ WordPress sites. Developers from OWASP said ModSecurity v3 is exposed to denial-of-service exploits, though maintainers of ModSecurity reject that claim. A severe vulnerability in Windows Netlogon was patched in August; this bug could be exploited to attack enterprise servers. A researcher discovered that the Windows TCPIP Finger command can function as a file downloader & a makeshift command-and-control server.

 Episode 86: War of the Hackers | File Type: audio/mpeg | Duration: 07:21

Millions of attacks have been targeting the recent File Manager plugin vulnerability, and two attackers are vying for control over sites compromised through the vulnerability. A security researcher revealed that specially crafted Windows 10 themes can be used to perform Pass-the-Hash attacks. A database belonging to the Digital Point webmaster forum leaked records of 800k+ members. Visa is warning of a new Baka JavaScript credit card skimmer that removes itself from memory after exfiltrating stolen data.

 Episode 85: 0Day in File Manager Plugin and WordPress 5.5.1 Fixes Broken Sites | File Type: audio/mpeg | Duration: 06:36

Over 700,000 WordPress users were affected by a zero-day vulnerability in the File Manager plugin, and the WordPress 5.5.1 release fixed millions of sites affected by deprecation of jQuery Migrate. SendGrid is under siege from spammers using hacked accounts, and Apple approves a notorious malware variant to run on Macs.

 Episode 84: Google Chrome Plans to Implement Insecure Form Warnings | File Type: audio/mpeg | Duration: 07:00

The Google Chrome web browser has a high-severity vulnerability that could be used to execute arbitrary code. Google also announced that Chrome 86 will alert users if a form submission is using the insecure HTTP protocol. Safari has a zero-day vulnerability affecting the Mac OS and iOS browsers that could allow an attacker to access files on the device. The FBI and CISA have issued a joint alert to warn about the growing threat from vishing attacks targeting companies.

 Episode 83: 100,000 Sites Impacted by Vulnerabilities in Advanced Access Manager | File Type: audio/mpeg | Duration: 08:38

The Wordfence Threat Intelligence team discovered vulnerabilities in the Advanced Access Manager plugin installed on over 100k sites. Critical vulnerabilities were found in the Quiz and Survey Master plugin, with 30k+ WP sites using the vulnerable version. Thousands of sites broke after updating to WordPress 5.5 due to deprecated support for jQuery Migrate. A botnet campaign named FritzFrog was discovered breaching SSH servers dating back to at least January 2020.

 Episode 82: Important Changes in the WordPress 5.5 Update | File Type: audio/mpeg | Duration: 07:36

WordPress 5.5 was released on August 11 with many important updates, including a new feature allowing auto-updates of themes & plugins. The popular Astra theme was suspended from the repository for having affiliate links in the code. A vulnerability found in Chromium browsers could allow attackers to bypass content security policy in order to steal data & execute rogue code, affecting billions of users. The Wall Street Journal reported that government tracking software is embedded in over 500 mobile apps.

 Episode 81: Critical Vulnerability Exposes over 700,000 Sites Using Divi, Extra, and Divi Builder | File Type: audio/mpeg | Duration: 09:08

Our Threat Intelligence team disclosed numerous vulnerabilities this week, including a critical one in the Divi & Extra themes, and the Divi Builder plugin. In total, this vulnerability affected over 700k sites. A vulnerability in The Official Facebook Chat Plugin created a vector for social engineering attacks. Object injection vulnerabilities discovered in the Newsletter plugin affected over 300k sites. We also look at the charges brought against three people in connection with the recent Twitter hack.
