Weaponized WordPress Tools

WordPress is a free, open source content management system (CMS) for creating websites, and is considered to be the most popular blogging system in use. WordPress' appeal to website developers stems from its free plugins and themes that are easily installed over the basic platform. These add-ons allow WordPress users to personalize and expand their websites and blogs. There are currently over 60 million WordPress websites worldwide.

Why Target WordPress?

The availability of the platform’s code and its popularity make WordPress sites appealing targets for hacking and exploitation. In the past year, we have seen many WordPress attacks. One example is the April 2016 ...

Campaign Targeting WordPress: Users being Redirected to Angler Exploit Kit

In the past week, a massive campaign targeting WordPress-based websites has been reported by several security vendors, including Sucuri and Malwarebytes. In the previous iteration, unsuspecting victims were redirected to domains hosting ads which, if clicked, sent them to the Nuclear Exploit Kit landing page. Check Point security analysts have recently observed a change in the process – victims are now sent to the notorious Angler Exploit Kit landing page. An obfuscated malicious script is appended to the end of the infected websites’ JS files. When the user’s browser loads the page, the script redirects to a gate controlled by the malicious actor. This is the obfuscated script; ...

Finding Vulnerabilities in Core WordPress: A Bug Hunter’s Trilogy, Part III – Ultimatum

In this series of blog posts, Check Point vulnerability researcher Netanel Rubin tells a story in three acts – describing his long path of discovered flaws and vulnerabilities in core WordPress, leading him from a read-only ‘Subscriber’ user, through creating, editing and deleting posts, and all the way to performing SQL injection and persistent XSS attacks on 20% of the popular web. “Part III – Ultimatum” will describe and analyze CVE-2015-5714 and CVE-2015-5715, allowing XSS attacks, as well as another privilege escalation. Both vulnerabilities are now patched; please ensure you upgrade to WordPress 4.3.1 as soon as possible.

In Part I, we showed a privilege ...

Finding Vulnerabilities in Core WordPress: A Bug Hunter’s Trilogy, Part II – Supremacy

In this series of blog posts, Check Point vulnerability researcher Netanel Rubin tells a story in three acts – describing his long path of discovered flaws and vulnerabilities in core WordPress, leading him from a read-only ‘Subscriber’ user, through creating, editing and deleting posts, and all the way to performing SQL injection and persistent XSS attacks on 20% of the popular web. “Part II – Supremacy” will describe and analyze CVE-2015-2213, a SQL injection vulnerability recently patched in WordPress 4.2.4.

In “Part I – Identity”, we showed how any Subscriber user could bypass multiple permission checks and access code to create and edit posts, ...

Finding Vulnerabilities in Core WordPress: A Bug Hunter’s Trilogy, Part I

In this series of blog posts, Check Point vulnerability researcher Netanel Rubin tells a story in three acts – describing his long path of discovered flaws and vulnerabilities in core WordPress, leading him from a read-only ‘Subscriber’ user, through creating, editing and deleting posts, and all the way to performing SQL injection and persistent XSS attacks on 20% of the popular web.

Executive Summary

A number of critical vulnerabilities exist in default WordPress installations, allowing potential compromise of millions of live web sites. MITRE has assigned CVE-2015-5623, CVE-2015-2213, CVE-2015-5714, CVE-2015-5715, CVE-2015-5716 as identifiers for these ...

New Vulnerabilities Discovered In WordPress

Not Just Another Broken Link…

Introduction

Check Point researcher Dikla Barda recently discovered critical vulnerabilities in two widely used WordPress plugins: the Broken Link Checker and the Download Manager. These vulnerabilities allow:

- Access to private data by unauthenticated users via Path Traversal.
- Execution of malicious code and theft of user sessions via a stored XSS vulnerability.

Both plugins are widely deployed, on over 1.4 million web sites, and patches for these vulnerabilities have already been issued.

Vulnerable WordPress plugins:

Broken Link Checker

Broken Link Checker is a plugin that ...

Threat Alert: WordPress Cross-Site Scripting

Overview

The WordPress content management system used by millions of websites is vulnerable to two newly discovered threats that allow attackers to take full control of the Web server. The attack code targets one of the latest versions of WordPress, making it a zero-day exploit that could set off a series of site hijackings throughout the Internet.

Both vulnerabilities are known as stored, or persistent, cross-site scripting (XSS) bugs. They allow an attacker to inject code into the HTML content received by the administrators who maintain the website. Both attacks embed malicious code into the comments section that appears at the bottom of a WordPress blog or ...

Plugging the Security Hole in a WordPress Plug-In

Check Point researcher Roi Paz recently discovered a critical vulnerability that would have enabled attackers to steal personal and financial data from thousands of websites and their visitors via the LiveSupporti WordPress plug-in. After being alerted to the situation, LiveSupporti plugged the security hole. LiveSupporti is a software service that enables website visitors to engage in a live chat with representatives (or “agents”) of the site. The cloud-based service promises to increase sales by helping to convert site visitors into customers through text-based live chat. Adding LiveSupporti to a website is just a matter of adding a snippet of code to the website’s ...