Wordpress Themes and Plugins Vulnerabilities

Risk: high
Damage: high
Platform(s): Web Servers
Advisory ID: ngCERT-2022-0065
Version: N/A
CVE: CVE-2021-24867
Published: January 25, 2022

Summary
A recent discovery revealed that dozens of WordPress themes and plugins had been backdoored with malicious code in order to infect additional sites. Also disclosed was a security flaw affecting three different WordPress plugins that affected over 84,000 websites and could be exploited by a malicious actor to take over vulnerable sites.

Description & Consequence

The infected extensions contained a dropper for a web shell that gives the attackers full access to the infected sites. The same extensions worked fine when downloaded or installed directly from the WordPress[.]org directory. Some of the infected websites discovered using this backdoor had spam payloads dating back nearly three years, indicating that the actors behind the operation were selling access to the sites to operators of other spam campaigns.

Cybersecurity firm eSentire revealed how compromised WordPress websites belonging to legitimate businesses are used as a hotbed for malware delivery, serving an implant called GootLoader to unsuspecting users searching for postnuptial or intellectual property agreements on search engines like Google. A total of 10,359 WordPress plugin vulnerabilities have been discovered to date.

Among the plugins affected are Login/Signup Popup (Inline Form + Woocommerce), Side Cart Woocommerce (Ajax), and Waitlist Woocommerce (Back in stock notifier). The vulnerability stems from a lack of validation when processing AJAX requests, allowing an attacker to set the "users can register" option (i.e., anyone can register) on a site to true and the "default role" setting (i.e., the default role of users who register at the blog) to administrator, granting complete control.

This flaw made it possible for an unauthenticated attacker to inject malicious JavaScript that would execute whenever a site administrator accessed the template editor.

This vulnerability would also allow them to modify the email template to contain arbitrary data that could be used to perform a phishing attack against anyone who received emails from the compromised site.

This flaw made it possible for an attacker to update arbitrary site options on a vulnerable site.
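The option-update weakness described above, shown as an added illustration (not code from the affected plugins): an AJAX handler that writes arbitrary options without any check, beside a hardened handler that requires a logged-in user, a nonce, the manage_options capability and an allowlist of plugin-owned settings, plus an audit helper that reports the two core settings the advisory names. All ngcert_example_ names are hypothetical; the WordPress functions used are core API.

```php
<?php
// Added illustration, not the affected plugins' code. Names prefixed
// ngcert_example_ are hypothetical; WordPress functions are core API.

// Weak pattern: reachable without login (nopriv), no nonce, no capability
// check, and it writes whatever option name and value it is given.
add_action( 'wp_ajax_nopriv_ngcert_example_save', 'ngcert_example_save_weak' );
function ngcert_example_save_weak() {
    update_option( $_POST['option_name'], $_POST['option_value'] );
    wp_send_json_success();
}

// Hardened handler: logged-in users only (no nopriv hook), a nonce bound to
// this action, an administrator capability, and an allowlist of options.
add_action( 'wp_ajax_ngcert_example_save', 'ngcert_example_save_hardened' );
function ngcert_example_save_hardened() {
    check_ajax_referer( 'ngcert_example_save', 'nonce' ); // exits on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $name  = isset( $_POST['option_name'] ) ? sanitize_key( wp_unslash( $_POST['option_name'] ) ) : '';
    $value = isset( $_POST['option_value'] ) ? sanitize_text_field( wp_unslash( $_POST['option_value'] ) ) : '';

    // Only settings owned by this plugin may be written, with fixed values;
    // core options such as users_can_register and default_role are unreachable.
    $allowed = array( 'ngcert_example_popup_enabled' => array( '0', '1' ) );
    if ( ! isset( $allowed[ $name ] ) || ! in_array( $value, $allowed[ $name ], true ) ) {
        wp_send_json_error( 'option not permitted', 400 );
    }
    update_option( $name, $value );
    wp_send_json_success();
}

// Audit helper for site owners: lists the registration settings from the
// advisory when they are in the state an attacker would leave them.
function ngcert_example_audit_registration() {
    $findings = array();
    if ( '1' === (string) get_option( 'users_can_register' ) ) {
        $findings[] = 'users_can_register is enabled (anyone can register)';
    }
    if ( 'administrator' === get_option( 'default_role' ) ) {
        $findings[] = 'default_role for new registrations is administrator';
    }
    return $findings; // empty array means both settings are in their safe state
}
```

Running the audit helper after cleanup, or scheduling it, gives a quick check that the two settings were not silently changed again.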

Solution


  1. Site owners are advised to upgrade affected plugins and themes immediately to a patched version, or replace them with the latest version from WordPress[.]org.
  2. Site owners can install a clean version of WordPress to revert the modifications made during the installation of the backdoor.
  3. Report any incident of system compromise to ngCERT on incident@cert.gov.ng for technical assistance.

Reference


  1. https://thehackernews.com/2022/01/high-severity-vulnerability-in-3.html
  2. https://thehackernews.com/2022/01/hackers-planted-secret-backdoor-in.html