Search the Community

Showing results for tags 'wordpress'.
  1. WordPress force installs Jetpack security update on 5 million sites

     Automattic, the company behind the WordPress content management system, force deploys a security update on over five million websites running the Jetpack WordPress plug-in.

     Jetpack is a remarkably popular WordPress plug-in that provides free security, performance, and website management features, including brute-force attack protection, site backups, secure logins, and malware scanning. The plugin has more than 5 million active installations, and it is developed and maintained by Automattic, the company behind WordPress.

     No in-the-wild exploitation

     The vulnerability was found in the Carousel feature and its option to display comments for each image, with nguyenhg_vcs being the one credited for responsibly disclosing the security bug. No other details are available regarding this security flaw, to protect the sites that haven't yet been updated. However, we do know that Automattic addressed it with added authorization logic.

     The announcement made by Automattic says the bug impacts all versions starting with the Jetpack 2.0 release and going back to November 2012. The Jetpack development team added that it found no evidence that the vulnerability has been exploited in the wild. "However, now that the update has been released, it is only a matter of time before someone tries to take advantage of this vulnerability," the developers warn.

     Jetpack patch

     Automattic is force installing patched versions on all websites running vulnerable Jetpack versions, with most sites already having been updated. "To help you in this process, we worked with the WordPress.org Security Team to release patched versions of every version of Jetpack since 2.0," Automattic said. "Most websites have been or will soon be automatically updated to a secured version." Currently, download stats available on the WordPress Plugins site confirm that the security updates have been pushed to most if not all exposed websites.

     (Image: Jetpack downloads history)

     Forced updates used to patch critical bugs affecting millions

     This is not the first time Automattic used the automated deployment of security updates to patch vulnerable plug-ins or WordPress installations. WordPress lead developer Andrew Nacin stated in 2015 that the company had used automated updates only five times since its launch. Samuel Wood, another WordPress developer, added in October 2020 that Automattic used the forced security updates feature to push "security releases for plugins many times" since WordPress 3.7 was released. This hints at the fact that Automattic deploys forced updates to patch plug-ins used by millions of sites against critical security vulnerabilities.

     For instance, in 2019, Jetpack received a critical security update to fix a bug in the way the plug-in processed embed code. Another security update addressed an issue found during an internal audit of the Contact Form block in December 2018. A May 2016 critical security update patched a vulnerability in the way some Jetpack shortcodes were processed. In related news, in 2018, threat actors also found a method to install backdoored plugins on WordPress websites using weakly protected WordPress.com accounts and Jetpack's remote management feature.

     Source: WordPress force installs Jetpack security update on 5 million sites
  2. Critical WordPress plugin zero-day under active exploitation

     Threat actors are scanning for sites running the Fancy Product Designer plugin to exploit a zero-day bug allowing them to upload malware.

     Fancy Product Designer is a visual product configurator plugin for WordPress, WooCommerce, and Shopify, and it allows customers to customize products using their own graphics and content. According to sales statistics for the plugin, Fancy Product Designer has been sold and installed on more than 17,000 websites.

     Zero-day also impacts WooCommerce sites

     Zero-days are publicly disclosed vulnerabilities vendors haven't patched, which, in some cases, are also actively exploited in the wild or have publicly available proof-of-concept exploits. The security flaw is a critical severity remote code execution (RCE) vulnerability discovered by Wordfence security analyst Charles Sweethill on Monday.

     "The WordPress version of the plugin is the one used in WooCommerce installations as well and is vulnerable," threat analyst Ram Gall told BleepingComputer. When it comes to the plugin's Shopify version, attacks would likely be blocked, given that Shopify uses stricter access controls for sites hosted and running on its platform.

     Vulnerable sites exposed to complete takeover

     Attackers who successfully exploit the Fancy Product Designer bug can bypass the built-in checks that block malicious file uploads and deploy executable PHP files on sites where the plugin is installed. This allows the threat actors to completely take over vulnerable sites following remote code execution attacks.

     "Due to this vulnerability being actively attacked, we are publicly disclosing with minimal details even though it has not yet been patched in order to alert the community to take precautions to keep their sites protected," Gall said.

     While the vulnerability has only been exploited on a small scale, the attacks targeting the thousands of sites running the Fancy Product Designer plugin started more than two weeks ago, on May 16, 2021. Since the vulnerability is under active exploitation and was rated as critical severity, customers are advised to uninstall the plugin until a patched release is available. Indicators of compromise, including IP addresses used to launch these ongoing attacks, are available at the end of Wordfence's report.

     The Fancy Product Designer development team did not reply to BleepingComputer's request for comment before the article was published.

     Source: Critical WordPress plugin zero-day under active exploitation
  3. WordPress Rejected 83% of all DMCA Takedown Notices Last Year

     WordPress parent company Automattic reports that the number of DMCA takedown notices it received increased by more than 50% last year. What stands out most, however, is the fact that 83% of all notices were rejected, often as a result of inaccurate automated takedown processes.

     Automattic, the company behind the popular blogging platform WordPress.com, receives thousands of takedown requests from copyright holders. Compared to other online services such as Google and Reddit, the numbers are relatively low. That said, there are some figures that clearly stand out.

     50% Increase

     This week Automattic published its latest transparency report, revealing that it had processed 18,594 DMCA takedown notices during 2020. That is more than a 50% increase compared to last year. Unlike other services, the company doesn’t report how many URLs are targeted. A single notice can include dozens or hundreds of links, which means that the number of targeted WordPress pages is much higher.

     83% Rejected

     That said, there is one figure that immediately caught our eye – the rejection rate. Last year, Automattic rejected 83% of all DMCA notices in their entirety. This rejection rate clearly stands out when compared to other online services. For example, last year Reddit rejected 27% of all takedown requests, for Google this number is roughly 10%, while Bing rejects less than 0.5% of all requests.

     Commenting on the data, Stephen Blythe, Community Guardian at Automattic, informs TorrentFreak that they have seen a significant bump in rejections last year. This is mainly due to an increase in automated takedown notices. “Many of these are duplicates, target content which has already been removed, content which we do not host, or content which the notices haven’t accurately identified,” Blythe says.

     Manual Reviews of Automated Notices

     Despite what the company’s name suggests, Automattic doesn’t process these requests automatically. In fact, all DMCA notices are reviewed by humans, who spot plenty of errors. This leads to a relatively high rejection rate.

     “Our team manually scrutinizes takedown reports and rejects any which we identify as failing to meet the requirements of the DMCA – rather than simply processing takedowns automatically. By its nature, that will result in a higher rate of rejection,” Blythe confirms.

     Automattic is trying to get a number of prolific takedown senders to change their practices to reduce these kinds of notices. They have had some success on this front. For example, the Spanish anti-piracy company ‘3ants’ adjusted its takedown process, which benefited both parties.

     Not All Senders are Open to Change

     However, other companies are not as open to change and continue to send automated takedown notices in bulk. “Unfortunately not every complainant is as cooperative as 3ants. For years we’ve been speaking out against abuses of the DMCA such as the use of automated systems which flood platforms with takedown notices regardless of context,” Automattic previously noted. “These methods are often prone to error and make it difficult for platforms to prioritize valid notices submitted by individual rights holders.”

     In 2021 Automattic is expected to reach the 100,000 takedown notice milestone. Since the company began counting complaints in 2014, it has processed 93,430 DMCA takedown requests, of which 70% were rejected.

     Source: WordPress Rejected 83% of all DMCA Takedown Notices Last Year
  4. WordPress 5.7.1 Patches XXE Flaw in PHP 8

     WordPress has released version 5.7.1 of its popular content management system (CMS), which brings more than 25 bug fixes, including patches for two security vulnerabilities.

     One of the patched security flaws is an XML External Entity (XXE) vulnerability in the ID3 library used by WordPress when running on PHP 8. Tracked as CVE-2021-29447, the vulnerability is considered high severity. Designed to parse ID3 tags from MP3 audio files, the library did not explicitly disable XML entities in PHP 8, which rendered WordPress 5.7 and older versions vulnerable to XXE attacks via MP3 file uploads.

     The issue was introduced in August 2020 and could be exploited by any user who has the ability to upload files. Only WordPress deployments that use PHP 8 (0.3%) are affected, so the vast majority of websites are safe from exploitation attempts of this vulnerability. The bug was reported by code quality and security provider SonarSource, which last year acquired code security testing company RIPS Technologies, which also specializes in PHP code testing.

     Affecting the REST API, the second vulnerability could be exploited to access sensitive data. Tracked as CVE-2021-29450 and reported by Mikael Korpela, the security bug is considered medium severity. The issue, WordPress explains, exists in a block in the WordPress editor, which could be exploited by attackers to expose password-protected posts and pages. Successful exploitation of the flaw requires the attacker to have at least contributor privileges.

     To further improve the security of WordPress, its developers are considering treating Google’s Federated Learning of Cohorts (FLoC) as a security threat and automatically blocking it on websites. Meant as a replacement for third-party cookies, FLoC brings into the mix interest-based advertising, where users are placed into large groups based on their interests, thus providing businesses with new ways to target them with their ads.

     While FLoC is more private than cookies, it does have its own privacy implications, including the fact that users are being tracked and data on their browsing habits is being shared with third parties. WordPress is powering nearly half of the websites out there, and its developers are looking at FLoC as a possible security concern when it comes to users’ privacy. WordPress, however, is not the only Internet entity to view FLoC as a potential privacy threat. While Google is including the feature in Chrome, other browser vendors have not adopted it.

     In an advisory on Friday, the Cybersecurity and Infrastructure Security Agency (CISA) warned that the vulnerabilities addressed in WordPress 5.7.1 affect versions 4.7 to 5.7 and that attackers able to successfully exploit one of these could take control of an affected website.

     Source: WordPress 5.7.1 Patches XXE Flaw in PHP 8
  5. WordPress to automatically disable Google FLoC on websites

     WordPress announced today that it plans to treat Google's new FLoC tracking technology as a security concern and to block it by default on WordPress sites.

     For some time, browsers have begun to increasingly block third-party browser cookies [1, 2, 3] used by advertisers for interest-based advertising. In response, Google introduced a new ad tracking technology called Federated Learning of Cohorts, or FLoC, that uses the web browser to anonymously place users into interest or behavioral buckets based on how they browse the web.

     After Google began testing FLoC this month in Google Chrome, there has been a consensus among privacy advocates that Google's FLoC implementation just replaces one privacy risk with another one.

     "FLoC is meant to be a new way to make your browser do the profiling that third-party trackers used to do themselves: in this case, boiling down your recent browsing activity into a behavioral label, and then sharing it with websites and advertisers."

     "The technology will avoid the privacy risks of third-party cookies, but it will create new ones in the process. It may also exacerbate many of the worst non-privacy problems with behavioral ads, including discrimination and predatory targeting," the Electronic Frontier Foundation (EFF) explained in a recent blog post.

     Since then, other privacy browser and search engine developers, such as Brave Browser, DuckDuckGo, and Vivaldi, have all removed FLoC from their software or created tools to block it.

     WordPress plans on blocking FLoC

     In a new announcement today, WordPress states that it considers Google's FLoC technology a security concern and will begin to block it in future versions.

     "WordPress powers approximately 41% of the web – and this community can help combat racism, sexism, anti-LGBTQ+ discrimination and discrimination against those with mental illness with four lines of code," says WordPress.

     WordPress plans to disable FLoC using the following four lines of code, which make the blogging platform send an HTTP header that tells the browser that FLoC should be disabled for the site:

         // Adds a Permissions-Policy header that opts the site out of FLoC cohort calculation.
         function disable_floc($headers) {
             $headers['Permissions-Policy'] = 'interest-cohort=()';
             return $headers;
         }
         add_filter('wp_headers', 'disable_floc');

     WordPress explains that though some admins will likely want to enable this technology, those admins probably have the technical know-how to override the above code. WordPress also indicated that it might add a setting that allows admins to control whether FLoC is permitted.

     However, WordPress's concern is that those unaware of this new tracking technology will automatically opt into it without fully understanding what it entails. Therefore, it is in these users' best interest for WordPress to automatically disable the technology.

     "When balancing the stakeholder interests, the needs of website administrators who are not even aware that this is something that they need to mitigate – and the interests of the users and visitors to those sites, is simply more compelling," WordPress explains.

     WordPress states that this code is planned for WordPress 5.8, scheduled for release in July 2021. As FLoC is expected to roll out sooner, WordPress is considering back-porting this code to earlier versions to "amplify the impact" on current versions of the blogging platform.

     Source: WordPress to automatically disable Google FLoC on websites
  6. WordPress Considers Dropping Support for IE 11 After Usage Falls Below 1%

     A new proposal on WordPress.org explores the ramifications of dropping support for Internet Explorer 11 (IE11). Héctor Prieto summarized the current state of IE usage among WordPress users, citing three metrics that demonstrate declining usage that is now cumulatively below ~1%:

       • 0.71% from StatCounter’s GlobalStats
       • 1.2% from W3 Counter
       • 0.46% from WordPress.com

     StatCounter’s GlobalStats record IE11 having dipped below 1.0% for the first time in August 2020, and it has continued declining steadily since then. The numbers cited in the proposal are similar to those contributors used when WordPress 4.8 officially dropped support for IE versions 8, 9, and 10 in 2017.

     These types of browser support decisions are always carefully considered, as they affect more users than one might guess, given the scale of a software project with more than 40% market share of all websites.

     “It’s important to keep in mind that when viewing these statistics in the context of WordPress, these percentages represent tens (if not hundreds) of thousands of users that could potentially be left behind if support for IE11 is dropped,” Prieto said.

     Most of the people still using IE11 are doing so because of forces outside their control. They may not have the ability to simply download an alternative browser. This is more common for users working inside major institutions like banking, government, and education.

     At this point in WordPress’ history, the benefits for the web seem to heavily outweigh the negative impacts on a small percentage of users who might be affected by lack of IE11 support. Improving the performance of the editor is one driving factor in this decision. Prieto shared stats from an exploration by Gutenberg developer Riad Benguella, where he measured the impact of dropping IE11 support, demonstrating an 84.9 kB (7%) reduction in Gutenberg JavaScript build files.

     “Dropping support would result in smaller scripts, lower maintenance burden, and decrease build times,” Prieto said. “The smaller downloads would positively impact all users, especially those on slower networks, or computing devices. We expect a result of dropping IE11 support to improve performance for the vast majority of users.”

     Most of those participating in the discussion on WordPress.org are strongly in favor of dropping support for IE11, but a few cautioned that it must be done in a controlled way, with an EOL date announced months in advance. There are some institutions that selected WordPress for their projects based solely on the fact that it offers IE11 support, and they need time to plan a transition.

     “I can see the crowd cheering for finally getting rid of IE and trust me I’ll be the first to pop champagne when that day has finally come,” WordPress developer Thomas Kräftner said. “Still I believe we need to make sure this is done in a slow, controlled and careful way so the effort saved for not supporting IE doesn’t backfire with extra, even more hellish work for those that don’t yet have the choice to drop IE.”

     Approximately 16 months ago, Riad Benguella proposed WordPress add a notice to discourage Internet Explorer usage. Shortly thereafter, the Browse Happy API was updated to consider all versions of Internet Explorer as insecure. In the most recent conversation on WordPress.org, contributors suggested taking it a step further and changing the notice to state that IE11 support will be dropped in WP-Admin by the end of the year.

     Many shared additional benefits not outlined in the proposal. “There’s lots of things we can’t use right now because of the IE11 constraint: CSS Variables, CSS grid, Modern JS are just the 1st things that come to mind,” Ari Stathopoulos commented. “We would be able to ship smaller files to 40% of the web, so the environmental impact of this change would be quite big, a huge win for our sustainability efforts! 99% of WP’s userbase has suffered enough already because of the IE limitation, and removing support for it can really make a dent and urge the few remaining IE users to use a better/newer browser.”

     Prieto said the initial proposal was just to get the conversation started and was not meant to go into technical implementation details. WordPress contributors are invited to offer feedback about the proposal in the comments before March 18.

     Source: WordPress Considers Dropping Support for IE 11 After Usage Falls Below 1%
  7. WordPress now powers 40% of the world's websites

     The world's most popular CMS continues to grow (Image credit: Pixabay)

     The world's most popular CMS continues to grow, and new data from W3Techs has revealed that 40 percent of the web, or two out of every five websites, now use WordPress.

     While there are plenty of WordPress alternatives including Shopify and Squarespace, WordPress is still in a league of its own. This is because, in addition to the sites powered by WordPress, an ecosystem has been built up around the CMS which includes more than 58,000 WordPress plugins and more than 8,000 WordPress themes.

     At the same time though, many companies and organizations make a living creating WordPress sites or helping users do so. These include both WordPress hosting and managed WordPress hosting providers like Bluehost, Dreamhost and even the company behind WordPress, Automattic. However, the biggest one is still WP Engine, which is known for its WordPress expertise.

     Growing market share

     To come up with its latest statistics on WordPress usage, W3Techs used data from the Alexa top 10 million websites as well as Tranco's top one million list to avoid counting parked domains, spam sites and those with little to no content. According to the data, WordPress has grown from being used on over 10m sites in 2011 to 40m sites today. It also controls 64.3 percent of the CMS market.

     Of the sites that use WordPress, the .blog top level domain has the highest market share at 92.2 percent, followed by the .news domain at 87.1 percent. The .mil top level domain, on the other hand, has the lowest WordPress usage, as the military prefers to use DotNetNuke instead.

     When it came to the countries with the highest WordPress usage, South Africa leads the way, followed by Iran, Israel and Spain. China, South Korea and Russia, though, are the countries with the lowest WordPress usage.

     One of the biggest drivers of WordPress' recent growth is likely the fact that many consumers and businesses created new websites during the pandemic.

     Via W3Techs

     Source: WordPress now powers 40% of the world's websites
  8. WordPress founder claims Apple cut off updates to his completely free app because it wants 30 percent

     This sounds ridiculous

     Photo Illustration by Rafael Henrique/SOPA Images/LightRocket via Getty Images

     WordPress, the iOS app, lets you build and manage a website right from your iPhone or iPad, for free. Separately, WordPress.com also happens to sell domain names and fancier website packages. Now, WordPress founding developer Matt Mullenweg is accusing Apple of cutting off the ability to update that app — until or unless he adds in-app purchases so the most valuable company in the world can extract its 30 percent cut of the money.

     Here’s the thing: the WordPress app on iOS doesn’t sell anything. I just checked, and so did Stratechery’s Ben Thompson. The app simply lets you make a website for free. There isn’t even an option to buy a unique dot-com or even dot-blog domain name from the iPhone and iPad app — it simply assigns you a free WordPress domain name and 3GB of space.

     Apple admitted to The Verge that it’s involved, reminding us that in-app purchases are required whenever apps “allow users to access content, subscriptions, or features they have acquired in your app on other platforms or your web site.” But again, the WordPress app doesn’t sell anything itself, and it sounds like you can’t do anything special with anything you’ve purchased from WordPress.com (beyond uploading additional files or selecting website themes) from the app, either.

     While Mullenweg says there technically was a roundabout way for an iOS user to find out that WordPress has paid tiers (they could find it buried in support pages, or by navigating to WordPress’s site from a preview of their own webpage), he says that Apple rejected his offer to block iOS users from seeing the offending pages.

     Mullenweg tells The Verge he’s not going to fight it anymore, though — he will add brand-new in-app purchases for WordPress.com’s paid tiers, which include domain names, within 30 days. Apple has agreed to allow Automattic to update the app while it waits. (The last update was issued yesterday.)

     In other words, Apple won: the richest company in the world just successfully forced an app developer to monetize an app so it could make more money. It’s just the latest example of Apple’s fervent attempts to guard its cash cow resulting in a decision that doesn’t make much sense and doesn’t live up to Apple’s ethos (real or imagined) of putting the customer experience ahead of all else.

     Mullenweg, of course, is only one of those speaking out publicly about the Apple tax and the company’s uneven enforcement of its rules. Yesterday, a group of major news publishers banded together to ask why Amazon, and not them, should get a sweetheart deal that allows the giant e-tailer to pay 15 percent instead of 30 percent for Prime Video. And all of this, of course, is happening in the shadow of Epic Games’ gigantic fight against Apple, one that Apple responded to this very afternoon, complete with a cache of emails from Epic’s own Tim Sweeney. You might want to give these links a look:

     Interestingly, Mullenweg tells us his tweet was really for the WordPress community, not necessarily to rile up anger against the Apple tax; he says he anticipates pushback from the community when they suddenly see WordPress asking them if they’d like to purchase a .com upgrade.

     Update, 6:44 PM ET: Added comment and confirmation from WordPress’s Mullenweg that the company has already caved; it has agreed to add in-app purchases within 30 days.

     Update, 7:50 PM ET: Added that WordPress will specifically be adding in-app purchases for its paid plans (which include domain names), not simply its domain name purchases.

     Update, 9:11 PM ET: Added Apple comment, and more details from Mullenweg about what Apple rejected.

     Source: WordPress founder claims Apple cut off updates to his completely free app because it wants 30 percent
  9. Apple apologizes to WordPress, won’t force the free app to add purchases after all

     “We [...] apologize for any confusion that we have caused”

     Illustration by Alex Castro / The Verge

     On Friday, the internet erupted in a small way to learn that Apple had successfully forced WordPress to monetize its free app — forcing it to sell premium plans and custom domain names seemingly just so that Apple could get its traditional 30 percent cut. But one afternoon and evening of surprise and outrage later, Apple is backing off. The company is issuing a rare on-the-record apology, and it says that WordPress will no longer have to add in-app purchases now that all is said and done.

     Here’s Apple’s full statement:

     We believe the issue with the WordPress app has been resolved. Since the developer removed the display of their service payment options from the app, it is now a free stand-alone app and does not have to offer in-app purchases. We have informed the developer and apologize for any confusion that we have caused.

     You’ll notice that Apple is positioning this as the developer — WordPress — having done the right thing and removed the “display of their service payment options from the app,” and to my knowledge that is technically true. But as far as I’m aware, that didn’t happen today: it happened weeks or months ago.

     While as of yesterday, the WordPress app didn’t sell a single thing and didn’t so much as mention a paid “Wordpress.com” plan unless you followed an unlikely workaround, I was able to track down a fellow journalist this weekend who had a much older version of the app, one with a dedicated “Plans” tab that listed some of the different plans available to premium customers:

     It was already a “free stand-alone app,” no?

     That said, my source told me there was no ability to purchase any of those plans — and I can confirm the entire “Plans” section had already been removed by the time WordPress developer Matt Mullenweg told us Apple had successfully forced him to add Apple’s in-app purchases (IAP). (Originally, he’d said Apple locked him out of updating the app unless he added Apple IAP within 30 days.)

     What’s more, Mullenweg told us that he had previously offered to strip other mentions of the paid plans out of the app (even workarounds like when a user views a preview of their own WordPress webpage and then navigates to WordPress.com), only to have those suggestions rejected by Apple.

     So, to the best of my knowledge, this isn’t WordPress caving yet again. Apple simply seems to have decided that trying to extract its cut from a free app — by forcing in-app purchases — isn’t a hill worth dying on today.

     Update, 8:52 PM ET: The news apparently came as a surprise to WordPress’s Matt Mullenweg, who has a new Twitter thread here.

     Source: Apple apologizes to WordPress, won’t force the free app to add purchases after all
10. WordPress team wants to forcibly auto-update older WordPress versions to newer releases

The developers behind the WordPress open-source content management system (CMS) are working on a plan to forcibly auto-update older versions of the CMS to more recent releases. The goal of this plan is to improve the security of the WordPress ecosystem, and the internet as a whole, since WordPress installations account for more than 34% of all internet websites.

Officially supported versions include only the last six WordPress major releases, which currently are all the versions between v4.7 and v5.2. The plan is to slowly auto-update old WordPress sites, starting with v3.7, to the current minimum supported version, which is the v4.7 release. This will be done in multiple stages, as follows:

- 2% of all WP 3.7 sites will be auto-updated to WP 3.8.
- After a week, another 18% will be auto-updated to WP 3.8.
- After two weeks, 80% of WP 3.7 sites will be auto-updated to WP 3.8.
- Repeat the same steps as above, but migrating sites from WP 3.8 to WP 3.9, WP 3.9 to WP 4.0, and so on.

The WordPress team said it plans to monitor this tiered forced auto-update process for errors and site breakage. If there's something massively wrong, then the auto-update can be stopped altogether. If only a few individual sites break, then those sites will be rolled back to their previous versions and the owners will be notified via email.

"The email should be a strongly-worded warning, letting them know that their site could not be upgraded to a secure version, and that they should manually update immediately. If they don't update, it's almost guaranteed that their site will be hacked eventually," said Ian Dunn, a member of the WordPress dev team.

A first auto-update plan would have wreaked havoc on the internet

This looks like a sensible solution, but an earlier proposal had the WordPress team forcibly update all old WordPress sites to version 4.7 at once. This idea was quickly scrapped after an avalanche of negative feedback from WordPress site owners who warned that millions of sites would have gone down with WSOD (white screen of death) errors caused by incompatibilities between themes, plugins and the newer WordPress core version.

The tiered forced auto-update is the result of that feedback, and one that takes possible site breakage into account. Furthermore, the WordPress team plans to allow site owners to opt out of this forced update process. The WordPress team plans to send emails to website administrators and show a stern warning in websites' dashboards before starting the auto-update process. These warnings will also include opt-out instructions, and will be shown/sent at least six weeks before a site is forcibly auto-updated. "They'll be warned about the security implications of opting out," Dunn said.

More than 3% of the internet runs outdated WordPress sites

The finer details of the auto-update process have not been finalized yet, but a source has told ZDNet that the WordPress security team hopes to auto-update all old sites within a year. Versions prior to v3.7 will not be auto-updated because v3.7 is the version in which the auto-update mechanism was included in the CMS. These older versions only support manual updates and can't be auto-updated. Versions prior to v3.7 account for under 1% of all WordPress installations, though, so this won't be a big issue.

WordPress sites running versions from v3.7 to v4.7 account for 11.7% of all WordPress sites, which is roughly in the tens of millions of sites range. That's about 3% of all internet sites currently running extremely old WordPress versions. WordPress 3.7 was released on October 23, 2013, while the current minimum "safe" version, v4.7, was released in December 2016.

It was foreshadowed last year

While the plan to go with a forced update has shocked some members of the webdev community, it has not surprised ZDNet. We knew it was coming because the WordPress security team hinted at it last year. In a talk at the DerbyCon 2018 security conference, WordPress Security Team lead Aaron Campbell said his team was working on "wiping older versions from existence on the internet." This is what he meant.

The reason behind the WordPress dev team's desire to forcibly update all older CMS versions to the new one is man-power. For the past six years, WordPress developers have been backporting every single security patch for all versions going back to WordPress 3.7. While this was doable in the beginning, as the WordPress CMS moved forward it took up more and more time, because WordPress devs had to convert newer PHP code into code that's compatible with the older WordPress codebase.

"That sucks for us as a security team," Campbell said about this process last year at DerbyCon. "But it's absolutely the best thing for our users. And because that's where we set the measure of success, that's what we do."

By moving all users to WordPress 4.7 (and then 4.8, 4.9, etc.), developers are making their lives easier, but also keeping the internet more secure as a whole. Currently, WordPress is the most targeted CMS, mainly due to its large adoption and huge attack surface. Reducing the attack surface is the easiest way to combat malware botnets that take over WordPress sites and use them to host malware, SEO spam, or launch DDoS attacks.

Source
11. WordPress sites under attack as hacker group tries to create rogue admin accounts

Hackers exploit vulnerabilities in more than ten WordPress plugins to plant backdoor accounts on unpatched sites.

A hacker group is exploiting vulnerabilities in more than ten WordPress plugins to create rogue admin accounts on WordPress sites across the internet. The attacks are an escalation of a hacking campaign that started last month. During previous attacks, the hackers exploited vulnerabilities in the same plugins to plant malicious code on the hacked sites. This code was meant to show popup ads or to redirect incoming visitors to other websites.

However, two weeks ago, the group behind these attacks changed its tactics. Mikey Veenstra, a threat analyst with cybersecurity firm Defiant, told ZDNet today that starting on August 20, the hacker group modified the malicious code planted on hacked sites. Instead of just inserting pop-ups and redirects, the malicious code also ran a function to test if the site visitor had the ability to create user accounts on the site, a feature only available to WordPress admin accounts.

Basically, this malicious code waited for the site owner to access their own website. When they did, the malicious code created a new admin account named wpservices, using the email address [email protected] and the password w0rdpr3ss.

By creating these accounts, the hacker group behind this campaign changed tactics from exploiting sites for monetary profit to also adding backdoors for future use and a more persistent foothold.

According to Veenstra, these recent attacks are targeting older vulnerabilities in the following plugins:

- Bold Page Builder
- Blog Designer
- Live Chat with Facebook Messenger
- Yuzo Related Posts
- Visual CSS Style Editor
- WP Live Chat Support
- Form Lightbox
- Hybrid Composer
- All former NicDark plugins (nd-booking, nd-travel, nd-learning, et al.)

The plugins are linked to their respective vulnerabilities, so readers can determine the version to which they need to update to prevent attacks, in case they're using one of the plugins.

After updating these plugins, site owners are also advised to check the admin usernames registered on their sites. Removing these accounts is imperative, as their sole purpose was to create a way back into websites after users updated the vulnerable plugins.

Cleaning infected WordPress sites can be quite complicated, as site owners will also have to scan their websites with WordPress security plugins in search of various other backdoor mechanisms the hackers might have left behind. Non-technical users are advised to seek professional help.

Source: WordPress sites under attack as hacker group tries to create rogue admin accounts
12. Hackers actively exploit WordPress plugin flaw to send visitors to bad sites

If you're seeing more malicious redirects than usual, now you know why.

(Image: A redirection from a site still running a vulnerable version of the plugin.)

Hackers have been actively exploiting a recently patched vulnerability in some websites that causes the sites to redirect to malicious sites or display misleading popups, security researchers warned on Wednesday.

The vulnerability was fixed two weeks ago in WP Live Chat Support, a plugin for the WordPress content management system that has 50,000 active installations. The persistent cross-site scripting vulnerability allows attackers to inject malicious JavaScript into sites that use the plugin, which provides an interface for visitors to have live chats with site representatives.

Researchers from security firm Zscaler's ThreatLabZ say attackers are exploiting the vulnerability to cause sites using unpatched versions of WP Live Chat Support to redirect to malicious sites or to display unwanted popups. While the attacks aren't widespread, there have been enough of them to raise concern.

"Cybercriminals actively look for new vulnerabilities in popular content management systems such as WordPress and Drupal, as well as popular plugins that are found in many websites," Zscaler's Prakhar Shrotriya wrote in a post. "An unpatched vulnerability in either the CMS or associated plugins provides an entry point for attackers to compromise the website by injecting malicious code and impacting the unsuspecting users visiting these sites."

The vulnerability lets anyone visiting the site update the plugin settings by calling an unprotected "admin_init hook" and injecting malicious JavaScript anywhere the Live Chat Support icon appears. The attacks observed by Zscaler use the injected script to send a request to hxxps://blackawardago[.]com to execute the main script. Visitors are then redirected to multiple URLs that push unwanted popup ads, fake error messages, and requests to let certain sites send browser notifications.

Whois records show that the domain was created on May 16. That's one day after the WP Live Chat Support developers released version 8.0.27, which fixed the vulnerability. Shrotriya published a list of 47 sites he said had been hit by the exploit. While some caused malicious redirects, others didn't and reported they were using patched versions of the plugin.

Source: Hackers actively exploit WordPress plugin flaw to send visitors to bad sites (Ars Technica)
13. This WordPress update might have caused your website to go berserk

WordPress auto-update pushed a new alpha version by mistake

(Image credit: Shutterstock)

The WordPress development team inadvertently caused chaos for a number of website owners after a planned series of updates went wrong. The update, WordPress 5.5.2, was meant to patch critical security issues but also made it impossible to install WordPress on new sites that did not have a database connection configured.

The WordPress team pressed pause on any more updates but didn’t factor in the auto-update feature, which subsequently pushed an alpha version of the platform to users. The alpha release introduced new themes and a spam protection plugin. Users who do not delete them will have to keep them updated to ensure they don’t one day pose a security risk.

“While work was being done to prepare for WordPress 5.5.3, the release team attempted to make 5.5.2 unavailable for download on WordPress.org to limit the spread of the issue noted in the section above, as the error only affected fresh installations,” Jake Spurlock, Security Release Lead at WordPress, explained. “This action resulted in some installations being updated to a pre-release '5.5.3-alpha' version.”

A flawed update

The latest update, Version 5.5.3, fixes all the aforementioned problems, although WordPress users may have to carry out a manual update by visiting the platform dashboard and clicking “Update Now.”

WordPress users who had the alpha update forced upon them received a message that read: “BETA TESTERS: This site is set up to install updates of future beta versions automatically.”

Apart from that, and the annoyance of having to delete unwanted themes, the update didn’t cause too much carnage. However, the incident may have damaged user trust in WordPress and the auto-update process in particular. WordPress may need to put better policies in place to ensure that the update process can be stopped without causing unnecessary disruption.

Source: This WordPress update might have caused your website to go berserk
14. Millions of WordPress sites hit in wide-ranging attack

Vulnerable WordPress themes are leaving millions of sites at risk

(Image credit: Pixabay)

A WordPress vulnerability present across millions of sites is being targeted by threat actors, according to security researchers. A number of the security bugs have only recently been patched, leaving a huge number of sites at risk.

The security flaw in question affects WordPress sites with Epsilon Framework themes installed. Wordfence, the WordPress security plugin provider that discovered the recent attacks, has not revealed much information about the exploit as it does not seem to have reached a mature stage of development.

“On November 17, 2020, our Threat Intelligence team noticed a large-scale wave of attacks against recently reported Function Injection vulnerabilities in themes using the Epsilon Framework, which we estimate are installed on over 150,000 sites,” Ram Gall, a Wordfence QA engineer and threat analyst, explained. “So far today, we have seen a surge of more than 7.5 million attacks against more than 1.5 million sites targeting these vulnerabilities, coming from over 18,000 IP addresses.”

Vulnerable themes

According to Wordfence, the following versions of the Epsilon Framework themes continue to be at risk:

- Shapely <=1.2.7
- NewsMag <=2.4.1
- Activello <=1.4.0
- Illdy <=2.1.4
- Allegiant <=1.2.2
- Newspaper X <=1.3.1
- Pixova Lite <=2.0.5
- Brilliance <=1.2.7
- MedZone Lite <=1.2.4
- Regina Lite <=2.0.4
- Transcend <=1.1.8
- Affluent <1.1.0
- Bonkers <=1.0.4
- Antreas <=1.0.2
- NatureMag Lite <=1.0.5

It appears that the majority of attacks are simply probing for further vulnerabilities, although a remote code execution exploit is possible that would allow an attacker to take over a compromised site.

If an individual’s website is running one of the vulnerable themes, it is essential that they update to a patched version if available. If not, it is probably best to temporarily switch to another theme. Alternatively, adopting a WordPress firewall plugin should offer protection.

Via BleepingComputer

Source: Millions of WordPress sites hit in wide-ranging attack
15. In all, WordPress patched 10 security bugs as part of the release of version 5.5.2 of its web publishing software.

WordPress released a 5.5.2 update to its ubiquitous web publishing software platform. The update patches a high-severity bug, which could allow a remote unauthenticated attacker to take over a targeted website via a narrowly tailored denial-of-service attack. In all, the WordPress Security and Maintenance Release tackled 10 security bugs and also brought a bevy of feature enhancements to the platform.

WordPress said the update was a “short-cycle security and maintenance release” before the next major release, version 5.6. With the update, all versions since WordPress 3.7 will also be current.

Of the ten security bugs patched by WordPress, a standout flaw, rated high-severity, could be exploited to allow an unauthenticated attacker to execute remote code on systems hosting the vulnerable website.

“The vulnerability allows a remote attacker to compromise the affected website,” WordPress wrote in its bulletin posted Friday. “The vulnerability exists due to improper management of internal resources within the application, which can turn a denial of service attack into a remote code execution issue.”

The researcher who found the bug, Omar Ganiev, founder of DeteAct, told Threatpost that the vulnerability’s impact may be high, but the probability an adversary could reproduce the attack in the wild is low.

“The attack vector is pretty interesting, but very hard to reproduce. And even when the right conditions exist, you have to be able to produce a very accurate DoS attack,” he told Threatpost via a chat-based interview. “The principle is to trigger the DoS on the MySQL so that WordPress will think that it’s not installed and then un-DoS on the DB under the same execution thread,” Ganiev said.

The bug was found by Ganiev three years ago; however, he only reported it to WordPress in July 2019. The delay, he said, was to research different types of proof-of-concept exploits. Neither WordPress nor Ganiev believe the vulnerability has been exploited in the wild.

Four bugs rated “medium risk” by WordPress were also patched. All of the flaws affected WordPress versions 5.5.1 and earlier. Three of the four vulnerabilities (a cross-site scripting flaw, an improper access control bug and a cross-site request forgery vulnerability) can each be exploited by a “non-authenticated user via the internet.” The fourth medium-severity bug, a security restriction bypass vulnerability, can be triggered only by a remote authenticated user.

Of the medium-severity bugs, the cross-site scripting flaw is potentially the most dangerous. A successful attack lets a remote attacker steal sensitive information, change the appearance of the web page, and perform phishing and drive-by-download attacks, according to WordPress. Because of insufficient sanitization by WordPress of user-supplied data to an affected website, the security release said a remote attacker “can trick the victim to follow a specially crafted link and execute arbitrary HTML and script code in user’s browser in context of vulnerable website.”

Source
16. Hackers are exploiting a critical flaw affecting >350,000 WordPress sites

Flaw is in File Manager, a plugin with more than 700,000 users; 52% are affected.

(Image credit: StickerGiant / Flickr)

Hackers are actively exploiting a vulnerability that allows them to execute commands and malicious scripts on websites running File Manager, a WordPress plugin with more than 700,000 active installations, researchers said on Tuesday. Word of the attacks came a few hours after the security flaw was patched.

Attackers are using the exploit to upload files that contain webshells that are hidden in an image. From there, they have a convenient interface that allows them to run commands in plugins/wp-file-manager/lib/files/, the directory where the File Manager plugin resides. While that restriction prevents hackers from executing commands on files outside of the directory, hackers may be able to inflict more damage by uploading scripts that can carry out actions on other parts of a vulnerable site.

NinTechNet, a website security firm in Bangkok, Thailand, was among the first to report the in-the-wild attacks. The post said that a hacker was exploiting the vulnerability to upload a script titled hardfork.php and then using it to inject code into the WordPress scripts /wp-admin/admin-ajax.php and /wp-includes/user.php.

Backdooring vulnerable sites at scale

In email, NinTechNet CEO Jerome Bruandet wrote:

It's a bit too early to know the impact because when we caught the attack, hackers were just trying to backdoor websites. However, one interesting thing we noticed is that attackers were injecting some code to password-protect the access to the vulnerable file (connector.minimal.php) so that other groups of hackers could not exploit the vulnerability on the sites that were already infected.

All commands can be run in the /lib/files folder (create folders, delete files etc), but the most important issue is that they can upload PHP scripts into that folder too, and then run them and do whatever they want to the blog. So far, they are uploading "FilesMan", another file manager often used by hackers. This one is heavily obfuscated. In the next few hours and days we'll see exactly what they will do, because if they password-protected the vulnerable file to prevent other hackers from exploiting the vulnerability, it is likely they are expecting to come back to visit the infected sites.

Fellow website security firm Wordfence, meanwhile, said in its own post that it had blocked more than 450,000 exploit attempts in the past few days. The post said that the attackers are trying to inject various files. In some cases, those files were empty, most likely in an attempt to probe for vulnerable sites and, if successful, inject a malicious file later. Files being uploaded had names including hardfork.php, hardfind.php, and x.php.

"A file manager plugin like this would make it possible for an attacker to manipulate or upload any files of their choosing directly from the WordPress dashboard, potentially allowing them to escalate privileges once in the site's admin area," Chloe Chamberland, a researcher with security firm Wordfence, wrote in Tuesday's post. "For example, an attacker could gain access to the admin area of the site using a compromised password, then access this plugin and upload a webshell to do further enumeration of the server and potentially escalate their attack using another exploit."

52% of 700,000 = potential for damage

The File Manager plugin helps administrators manage files on sites running the WordPress content management system. The plugin contains an additional file manager known as elFinder, an open source library that provides the core functionality in the plugin, along with a user interface for using it. The vulnerability arises from the way the plugin implemented elFinder.

"The core of the issue began with the File Manager plugin renaming the extension on the elFinder library's connector.minimal.php.dist file to .php so it could be executed directly, even though the connector file was not used by the File Manager itself," Chamberland explained. "Such libraries often include example files that are not intended to be used 'as is' without adding access controls, and this file had no direct access restrictions, meaning the file could be accessed by anyone. This file could be used to initiate an elFinder command and was hooked to the elFinderConnector.class.php file."

Sal Aguilar, a contractor who sets up and secures WordPress sites, took to Twitter to warn of attacks he's seeing. "Oh crap!!!" he wrote. "The WP File Manager vulnerability is SERIOUS. It's spreading fast and I'm seeing hundreds of sites getting infected. Malware is being uploaded to /wp-content/plugins/wp-file-manager/lib/files."

The security flaw is in File Manager versions ranging from 6.0 to 6.8. Statistics from WordPress show that currently about 52 percent of installations are vulnerable. With more than half of File Manager's installed base of 700,000 sites vulnerable, the potential for damage is high. Sites running any of these versions should update to 6.9 as soon as possible.

Source: Hackers are exploiting a critical flaw affecting >350,000 WordPress sites
17. Fake WordPress Plugin Comes with Cryptocurrency Mining Function

Malicious plugins for WordPress websites are being used not just to maintain access on the compromised server but also to mine for cryptocurrency.

Researchers at website security company Sucuri noticed the number of malicious plugins increase over the past months. The components are clones of legitimate software, altered for nefarious purposes. Normally, these fake plugins are used to give attackers access to the server even after the infection vector is removed. But they can include code for other purposes, too, such as encrypting content on a blog.

Double hedging

One of the plugins discovered by Sucuri to have a double purpose is a clone of "wpframework." It was found in September and attackers used it to "gain and maintain unauthorized access to the site environment," the researchers say. It is unclear which plugin it impersonates, but one with this name exists in the WordPress public repository, although its development seems to have stopped in 2011. Despite this, it still has more than 400 active installations.

Apart from scanning for functions that allow command execution at the server level and restricting this privilege to the botmaster, the plugin also carried code to run a Linux binary that mines for cryptocurrency. When the researchers checked the referenced domain hosting the binary, it was no longer active. However, the backdoor functionality of the component was still present. The mining component was added to the VirusTotal antivirus scanning platform on September 18 and is currently detected by 25 out of 56 engines.

Generating malicious plugins

Although Sucuri does not provide details about the reason for the increased frequency of malicious plugins, it is worth noting that creating them is far from a major effort. Instead of creating a malicious WordPress plugin from scratch, attackers can modify the code of an existing one to include malicious components. Additionally, automated tools exist that can generate a plugin with a name given by the attacker and lace it with an arbitrary payload, such as a reverse shell. Furthermore, the web offers the necessary tutorials for low-skilled attackers to learn how to create these fake website components.

Sucuri advises webmasters to also check the additional site components when doing a malware cleanup, since many times this procedure is limited to WordPress core files. Themes and plugins are often migrated without any prior scrutiny. This way, attackers maintain their grip on the new site through the backdoor planted in third-party extensions.

Source: Fake WordPress Plugin Comes with Cryptocurrency Mining Function
18. Sustaining a content site can be a challenge, especially if you’re doing it full time. Ad revenue might not be sufficient, and the next best option is to charge subscriptions for selected content, which is a model adopted by a number of mainstream news websites. Now content creators on WordPress or Jetpack-powered websites are able to charge subscriptions easily with the new Recurring Payments feature. It is available now and it is supported in 135 countries.

Recurring Payments is introduced as a monetisation tool for content creators and it can be used to charge for newsletters, monthly donations or sell access to exclusive content through a simplified payment system. It is available to bloggers or creators on any paid WordPress.com plan, which starts from USD 49 per year for the personal option.

Although the login uses WordPress.com, the payment is handled by Stripe. You can get started by going to the Earn section of WordPress, and a Stripe account is needed in order to receive payments. Depending on which WordPress or Jetpack plan you’re on, WordPress will get a cut between 0-8%. On top of that, there are additional transaction fees for Stripe, which will charge 2.9% + USD 0.30 per transaction.

Overall, it is a hassle-free way for content creators to get monetary support from their readers. The only complaint is the high transaction fees above 10% if you’re on the entry-level WordPress or Jetpack plan. On top of that, it currently accepts credit and debit cards only. If you’re interested, you can check out this guide on WordPress.com. Another alternative for content creators is to go on Patreon, which charges a lower 5% fee on monthly income for the basic plan.

Would you pay for website content subscription? Let us know in the comments below.

Source:
1. Bloggers on WordPress can now charge readers for subscription (via SoyaCincau) - main article
2. A New Way to Earn Money on WordPress.com (via WordPress Blog) - reference to the main article
3. WordPress introduces a new way for bloggers to get paid (via The Verge) - secondary reference to the main article
19. WordPress has unveiled a new feature no website builder can match

WordPress and Twitter are integrating further

(Image credit: Pixabay)

WordPress has announced a killer new feature that provides greater integration for Twitter users. Now, WordPress content creators can publish an entire blog post as a Twitter thread, with just two extra clicks.

The new feature means that integration between the two platforms has come full circle, after WordPress announced that entire Twitter threads, also known as tweetstorms, could easily be embedded in blog posts earlier this year. WordPress promises to leave nothing out when you republish a blog on Twitter: images, videos and other embeds will all be carried across. A special preview function will show users exactly how their content will appear once it is in tweet form.

How it works

In order to publish a blog post as a Twitter thread, users first need to click on the Jetpack icon on the far right of the header menu. Then they simply connect to their Twitter account and decide whether they want to share a link to their blog or the entirety of the post’s content as a thread.

“We know that Twitter threads work best without breaks and other quirks,” WordPress explained in a blog post. “That’s why, in building this feature, we paid special attention to formatting. If a paragraph is too long for a single tweet, for instance, it will automatically be split into multiple tweets. And rather than squishing as many words as possible into the first tweet and letting the rest spill to the second one, the break will come at the end of a sentence. Also, if you have a list block in your post, it will be formatted as a list on Twitter.”

The new functionality provides a great way for WordPress users to amplify who sees their content. Plus, at the bottom of every tweetstorm, Twitter users will be shown a link that allows them to view the blog in its original WordPress format.

Source: WordPress has unveiled a new feature no website builder can match
20. Stealthy Malware Disguises Itself as a WordPress License Key

A spam injector hides in plain sight within WordPress theme files.

A spam-injecting malware is targeting WordPress site owners by disguising itself as a legitimate license key for a WordPress design theme. According to analysis from Sucuri, a customer opened a malware removal ticket reporting “some weird spam URLs injected onto their WordPress website.” After further investigation into the files on the website, analysts uncovered a hidden encoded spam injector malware in the “./wp-content/themes/toolbox/functions.php” WordPress theme file, masquerading as a license key.

WordPress themes are essentially website templates, specifying the fonts, colors, image placement and other design elements for a site. They can also be customized with tailored elements. When a customer orders a theme, it comes with a license key, like any software would. This key is required for any future updates, features and security patches.

“A license key is a place where a webmaster might not expect to find an infection,” said Moe Obaid, security analyst at Sucuri, in a Wednesday post. “The attacker formatted the encoded injector to look like a theme’s license key in order to distract the eyes of a less-trained security analyst from suspecting this to be malicious code.”

Interestingly, in addition to targeting a normally non-suspicious file, the attacker didn’t apply that much encoding to obfuscate the code, meaning that it essentially hides in plain sight. Obaid said that it was a simple process to decode the malware, which is housed in base64-encoded text within the $token variable.

Diving more into the malicious code itself, Sucuri found that the malware displays spam links to most user agents (i.e., browsers and plug-ins that retrieve, render and facilitate end-user interaction with a site’s web content), with a few exceptions. The malware checked to see what kind of user agent was visiting the infected site. If it was the Baidu or Yandex browser, or the web-based link-analyzing tools MJ12, Ezooms, Solomono, Roger, Linkpad, Semrush or Prodvigator, the malware wouldn’t display the spam links. “The reason behind this step is to avoid the client being notified [of the malware] by these tools,” Obaid explained.

In general, the spam links that the malware serves up are hard-coded. Obaid believes the hard-coded links may be different for different sites, however, even as the offending spam domains remain mostly the same.

Malware obfuscation continues to be a creative hotspot for cybercriminals, with new techniques cropping up on a regular basis. For instance, last week researchers said they had detected 191,970 weaponized ads impacting around 1 million Mac users, which use a steganography technique to hide the Shlayer trojan inside the ads’ image files. And last fall, malware was seen employing a VBS script with rudimentary Base64 encoding to obfuscate the first layer. However, that VBS script then downloaded and executed a DAT file via PowerShell. Researchers found that the script used techniques like string-splitting through concatenation and variable assignment, as well as the use of tick marks and random letter capitalization to split up the words or common antivirus signatures.

Source
  21. WordPress PHP minimum requirement to change to PHP 5.6 in April and PHP 7.0 in December. The WordPress open-source content management system (CMS) will show warnings in its backend admin panel if the site runs on top of an outdated PHP version. The current plan is to have the warnings appear for sites using a PHP version prior to the 5.6.x branch (<=5.6). The warnings will contain a link to a WordPress support page with information on how site owners can update their server's underlying PHP version. In instances where site owners are running their WordPress portals on top of tightly-controlled web hosting environments, the web host has the option to change this link with a custom URL pointing at its own support site. The warning will ship and start appearing with WordPress 5.1, scheduled for release early this spring. The decision to start showing this warning was taken in December 2018, after the release of the WordPress 5.0 branch. Upgrade statistics compiled days after the WP 5.0 release revealed that 85 percent of WordPress 5.0 users were running their sites on PHP versions of 5.6 and later, hence only a small subset of the active WordPress community will see these warnings in the first place. We said "active WordPress community" because there are still millions of sites running old WordPress versions, many of them abandoned or forgotten. The short-term plan is to migrate as many active users to more recent versions of PHP as possible so that the WordPress team can drop support for older PHP versions altogether. The WordPress team would like to officially modify the WordPress CMS minimum PHP version requirement from PHP 5.2 (the current) to PHP 5.6 by April 2019. A similar minimum requirement version bump is also planned for MySQL, with MySQL 5.5 becoming the new minimum requirement. The long-term plan is to have PHP 7.0 become the minimum PHP version needed to run a WordPress site by December 2019. 
Yesterday's announcement from the WordPress team came as a surprise for the WordPress community. The minimum PHP version needed to run a WordPress site hasn't been modified for years.

The reason the WordPress team wants to push site owners to update their underlying PHP servers is that the PHP team has recently dropped security-fix support for the PHP 5.6.x and PHP 7.0.x branches. These older PHP servers are now vulnerable to attacks and mass exploitation, as several security researchers told ZDNet last fall.

Around 66.7 percent of all Internet sites run an unsupported PHP version, according to W3Techs. Almost a quarter of all internet sites run on top of a WordPress CMS. The WordPress team is the first major CMS project to announce a concerted plan to migrate users towards currently supported PHP versions.

"The threshold for the PHP notice will increase granularly, with the goal to over time catch up with the actual PHP version progress," said Felix Arntz, a member of the WordPress open-source CMS team.

Source
  22. The flaws have been patched, but download figures show many sites remain vulnerable.

Attackers have been actively exploiting serious vulnerabilities in two widely used WordPress plugins to compromise websites that run the extensions on top of the content management system. The two affected plugins are Easy WP SMTP, with 300,000 active installations, and Social Warfare, which has about 70,000 active installations.

While developers have released patches for both exploited flaws, download figures indicate many vulnerable websites have yet to install the fixes. Figures for Easy WP SMTP, which was fixed five days ago, show the plugin has had just short of 135,000 downloads in the past seven days. Figures for Social Warfare show it has been downloaded fewer than 20,000 times since a patch was published on WordPress on Friday. Sites that use either plugin should disable them immediately and then ensure they have been updated to version of Easy WP SMTP and 3.5.3 of Social Warfare.

Attacks exploiting Easy WP SMTP were first reported by security firm NinTechNet on Sunday, the same day a patch became available. On Wednesday, a different security firm, Defiant, also reported that the vulnerability was under active exploit despite the availability of the patch. The exploits allow attackers to create rogue administrative accounts on vulnerable websites.

Two competing groups appear to be carrying out the attacks, Defiant reported. One group stops after creating the administrative accounts. The other group uses the rogue accounts to make site changes that redirect visitors to malicious sites. Interestingly, both groups create the accounts using the same attack code, which was initially published as a proof-of-concept exploit by NinTechNet. The latter group uses two domains—setforconfigplease[.]com and getmyfreetraffic[.]com—to track redirected users.
As of Thursday, researchers with security firm Sucuri said they also continued to detect exploits in the wild.

Attacks against Social Warfare, meanwhile, are permitting serious hacks against vulnerable sites. According to Defiant, attackers are exploiting a flaw that allowed anyone visiting a vulnerable site to overwrite its plugin settings. The attackers use that ability to make the site vulnerable to a cross-site scripting attack that pulls malicious payloads off Pastebin pages and executes them in visitors’ browsers. The payloads redirect visitors to malicious sites. At the time this post was going live, two of the malicious Pastebin pages—https://pastebin.com/raw/0yJzqbYf and https://pastebin.com/raw/PcfntxEs—had yet to be taken down. One of the two domains contained in the payloads is setforconfigplease[.]com, which is also being used in some of the exploits against Easy WP SMTP.

“These domains are part of a larger redirect campaign, and are both hosted on the same IP address,” Defiant researcher Mikey Veenstra wrote. “Visitors who are redirected to these addresses are subsequently redirected to a series of malicious sites, and their individual activity is tracked via cookies. Reports have indicated a variety of eventual redirect targets, from pornography to tech support scams.”

As noted earlier, sites that use either of these WordPress plugins are at immediate risk of being compromised and should update at once. In the event updating isn’t immediately possible—for instance, if updates cause crashes as some users of Social Warfare claim—website developers should disable the plugin until an update is successful.

The attacks are a good reminder to end users that they can be redirected to malicious sites even when visiting trusted sites that have had good security track records in the past. Web users should remember, too, that malicious sites are often designed to look identical to operating system warnings that there is a serious problem.
The best thing someone can do when redirected to a malicious site is to attempt to force quit the browser or browser tab. If that doesn’t work, consider leaving the page alone and seeking help from someone else. Under no circumstances should people call displayed numbers or download or install software linked in one of these redirects, despite urgently worded advisements to the contrary.

Source: Two serious WordPress plugin vulnerabilities are being exploited in the wild (Ars Technica)
  23. WordPress shopping sites under attack

Hackers using cross-site scripting (XSS) flaw in abandoned cart plugin to take over vulnerable sites.

WordPress-based shopping sites are under attack from a hacker group abusing a vulnerability in a shopping cart plugin to plant backdoors and take over vulnerable sites. Attacks are currently ongoing, according to Defiant, the company behind Wordfence, a firewall plugin for WordPress sites. Hackers are targeting WordPress sites that use "Abandoned Cart Lite for WooCommerce," a plugin installed on over 20,000 WordPress sites, according to the official WordPress Plugins repository.

HOW THE VULNERABILITY WORKS

These attacks are one of those rare cases where a mundane and usually harmless cross-site scripting (XSS) vulnerability can actually lead to serious hacks. XSS flaws are rarely weaponized in such a dangerous manner. These hacks are occurring because of the plugin's and the vulnerability's modes of operation, which combine to create the perfect storm.

The plugin, as its name implies, allows site administrators to view abandoned shopping carts: what products users added to their carts before they suddenly left the site. Site owners use this plugin to infer a list of potentially popular products that a store might want to keep in stock in the future. These lists of abandoned carts are only accessible in the WordPress site's backend, and usually only to admins or other users with high-privilege accounts.

HOW HACKERS ARE EXPLOITING THE FLAW

According to a report from Defiant security researcher Mikey Veenstra, hackers are automating operations against WordPress WooCommerce-based stores to generate shopping carts that contain products with malformed names. They add exploit code in one of the shopping cart's fields, then leave the site, an action that ensures the exploit code gets stored in the shop's database.
When an admin accesses the shop's backend to view the list of abandoned carts, the hackers' exploit code is executed as soon as a particular backend page is loaded on the user's screen.

Veenstra said that Wordfence has detected several exploitation attempts using this technique in the past few weeks. The attacks the company spotted used exploit code that loaded a JavaScript file from a bit.ly link. This code tried to plant two different backdoors on sites running the vulnerable plugin.

The first backdoor takes the form of a new admin account that hackers create on the site. This new admin user is named "woouser," is registered with the "[email protected]" email address, and uses a password of "K1YPRka7b0av1B".

The second backdoor is very clever, and is a technique that has rarely been seen. Veenstra told ZDNet the malicious code lists all the site's plugins and looks for the first one that's been disabled by the site admin. Hackers don't re-enable it; instead, they replace the content of its main file with a malicious script that works as a backdoor for future access. The plugin will remain deactivated, but since its files are still on disk and reachable by web requests, the hackers can send malicious instructions to this second backdoor in case site owners remove the "woouser" account.

The bit.ly link used for this campaign has been accessed more than 5,200 times, suggesting that the number of infected sites is most likely in the thousands. However, the 5,200+ number isn't entirely accurate, Veenstra explains.

"The Bit.ly stats can be misleading because one infected site can source that link several times if the XSS payload stays in the abandoned cart dashboard and the admin frequents it," Veenstra told ZDNet in an interview.

"It's also hard to tell how many successful XSS injections are sitting around waiting for an admin to open that page for the first time," the researcher added, suggesting that many sites might have already been attacked, but a backdoor has yet to be deployed on them, and hence the bit.ly link has not yet been loaded.

Right now, Veenstra and the rest of the Defiant staff can't say for sure what hackers are trying to achieve by hacking into all these WordPress-based shopping carts. "We don't have a lot of data about successful exploits because our WAF stopped any of our active users from getting compromised," Veenstra said. Hackers could be using these sites for anything from SEO spam to planting card skimmers.

The "Abandoned Cart Lite for WooCommerce" plugin received a fix for the XSS attack vector hackers are exploiting in these recent attacks in version 5.2.0, released on February 18. WordPress shopping site owners using the plugin are advised to update their sites and review their control panel's admin account list for suspicious entries. The "woouser" account might not be present, since hackers could also have renamed it to something else.

Source
  24. Hackers Actively Exploiting Widely-Used Social Share Plugin for WordPress

Hackers have been found exploiting a pair of critical security vulnerabilities in one of the popular social media sharing plugins to take control over WordPress websites that are still running a vulnerable version of the plugin.

The vulnerable plugin in question is Social Warfare, a popular and widely deployed WordPress plugin with more than 900,000 downloads. It is used to add social share buttons to a WordPress website or blog.

Late last month, maintainers of Social Warfare for WordPress released updated version 3.5.3 of their plugin to patch two security vulnerabilities—stored cross-site scripting (XSS) and remote code execution (RCE)—both tracked by a single identifier, CVE-2019-9978.

Hackers can exploit these vulnerabilities to run arbitrary PHP code and take complete control over websites and servers without authentication, and then use the compromised sites to perform digital coin mining or host malicious exploit code.

However, on the same day that Social Warfare released the patched version of its plugin, an unnamed security researcher published a full disclosure and a proof-of-concept for the stored cross-site scripting (XSS) vulnerability. Soon after the full disclosure and PoC release, attackers started attempting to exploit the vulnerability, but fortunately it was limited to the injected JavaScript redirect activity, with researchers finding no in-the-wild attempts to exploit the RCE vulnerability.

Now, Palo Alto Networks Unit 42 researchers have found several exploits taking advantage of these vulnerabilities in the wild, including an exploit for the RCE vulnerability, which allows the attacker to control the affected website, and an exploit for the XSS vulnerability, which redirects victims to an ads site.
Though both flaws originate in improper input handling, the use of a wrong, insufficient function is what made it possible for remote attackers to exploit them without requiring any authentication.

"The root cause of each of these two vulnerabilities is the same: the misuse of the is_admin() function in WordPress," the researchers say in a blog post. "Is_admin only checks if the requested page is part of admin interface and won't prevent any unauthorized visit."

At the time of writing, more than 37,000 WordPress websites out of 42,000 active sites, including education, finance, and news sites (some of them Alexa top-ranking websites), are still using an outdated, vulnerable version of the Social Warfare plugin, leaving hundreds of millions of their visitors at risk of hacking through various other vectors.

Since it is likely the attackers will continue to exploit the vulnerabilities to target WordPress users, website administrators are highly recommended to update the Social Warfare plugin to version 3.5.3 or newer as soon as possible.

Source
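The is_admin() misuse the Unit 42 researchers describe, shown as an added example that is not Social Warfare's code nor from their post: a hypothetical "site_banner" settings handler guarded only by is_admin(), beside the same handler with a real authorization check. The option name, function names, nonce action and the assumption that it runs inside WordPress are all mine.

```php
<?php
/**
 * Added example; not code from Social Warfare or any plugin on this page.
 * A hypothetical "site_banner" option is saved two ways to show why
 * is_admin() is not an authorization check. Assumes it runs inside
 * WordPress (e.g. dropped into wp-content/plugins/ as a small test plugin).
 */

// WEAK, shown for contrast and deliberately not hooked: is_admin() only
// reports that an admin-area script is executing. It is also true for
// admin-ajax.php, which unauthenticated visitors can reach, so this test
// says nothing about who is making the request.
function weak_save_banner() {
    if ( ! is_admin() ) {
        return;
    }
    if ( isset( $_POST['site_banner'] ) ) {
        // Stored unsanitised: the stored-XSS shape the article describes.
        update_option( 'site_banner', wp_unslash( $_POST['site_banner'] ) );
    }
}

// HARDENED: check who is asking (capability), that they intended the
// action (nonce), and constrain what gets stored (sanitisation).
function safe_save_banner() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', 403 );
    }
    check_admin_referer( 'save_site_banner' ); // dies if _wpnonce is missing or stale
    $banner = sanitize_text_field( wp_unslash( $_POST['site_banner'] ?? '' ) );
    update_option( 'site_banner', $banner );
    wp_safe_redirect( add_query_arg( 'updated', '1', wp_get_referer() ) );
    exit;
}
// Reached only via a POST to admin-post.php with action=save_site_banner.
add_action( 'admin_post_save_site_banner', 'safe_save_banner' );

// The form that posts to the handler carries the matching nonce field.
function render_banner_form() {
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'save_site_banner' );
    echo '<input type="hidden" name="action" value="save_site_banner">';
    echo '<input type="text" name="site_banner" value="' . esc_attr( get_option( 'site_banner', '' ) ) . '">';
    echo '<button type="submit">Save</button></form>';
}

// Escape on output as well, so even a bad stored value cannot execute.
function render_banner() {
    echo '<div class="site-banner">' . esc_html( get_option( 'site_banner', '' ) ) . '</div>';
}
add_action( 'wp_footer', 'render_banner' );
```

The hardened handler is the one to hook; the weak function is left unhooked so that installing the test plugin does not itself create the flaw it illustrates.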
  25. Arbitrary directory deletion vulnerability in WP Fastest Cache plugin patched

The vulnerability CVE-2019-6726 is present when the plugin is installed alongside the WP PostRatings plugin. The flaw can lead to data loss and a potential DoS attack against vulnerable websites.

The WP Fastest Cache plugin authors have released an update to fix a vulnerability in the plugin. The vulnerability in question is CVE-2019-6726, present when the plugin is installed alongside the WP PostRatings plugin.

What is the flaw -

According to seclists.org, the flaw can enable an unauthenticated attacker to specify a directory path from which files and directories are to be deleted. It can lead to data loss and a potential DoS attack against vulnerable websites.

“A successful attack allows an unauthenticated attacker to specify a path to a directory from which files and directories will be deleted recursively. The vulnerable code path extracts the path portion of the referrer header and then uses string concatenation to build an absolute path. This path is then passed to the 'rm_folder_recursively' function which deletes folders and their files in a recursive manner,” seclists.org wrote in its report.

What is its impact -

In detailed research, Sebastian Neef, a zero-day vulnerability explorer, reported that the flaw may have affected close to 10,000 websites. While WP-Fastest-Cache has over 900,000 installs, the WP-PostRatings plugin has around 100,000 installs. An attacker can leverage the flaw to delete files from directories.

Sucuri researchers noted that WP PostRatings is not vulnerable by itself. Its presence is just a condition for the exploit to work. The vulnerability cannot be exploited if that plugin is not installed.

What can be done about it -

Users of the WP Fastest Cache plugin are urged to update it to the latest version as soon as possible. Webmasters are advised to use only the few plugins they require and keep them all updated.

Source
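The seclists.org description above (referrer path, string concatenation, then a recursive delete) as an added example that is not WP Fastest Cache's code: the concatenation shape beside a version that resolves the path and refuses anything that does not stay inside the cache root. The function names and the constructed demo directory are assumptions; run it with `php` from the command line.

```php
<?php
/**
 * Added example, not WP Fastest Cache's code. Contrasts the advisory's
 * "referrer path + string concatenation" shape with a contained lookup
 * that must succeed before any recursive delete is allowed to run.
 * Run with: php this_file.php   (creates a small tree under the temp dir)
 */

// WEAK shape, for contrast only: the Referer path is glued onto the cache
// root, so "../" segments in it walk out of the cache directory.
function weak_cache_path_for( string $cache_root, string $referer ): string {
    $path = parse_url( $referer, PHP_URL_PATH ) ?? '/';
    return $cache_root . $path;
}

// Contained version: reject dot-segments and NUL bytes up front, resolve
// the candidate with realpath(), then insist it still lies under the root.
function contained_cache_path_for( string $cache_root, string $referer ): ?string {
    $root = realpath( $cache_root );
    if ( $root === false ) {
        return null;
    }
    $path = parse_url( $referer, PHP_URL_PATH );
    if ( $path === null || $path === false ) {
        $path = '/';
    }
    if ( strpos( $path, "\0" ) !== false ) {
        return null;
    }
    foreach ( explode( '/', $path ) as $seg ) {
        if ( $seg === '..' || $seg === '.' ) {
            return null;
        }
    }
    $candidate = realpath( $root . '/' . ltrim( $path, '/' ) );
    if ( $candidate === false ) {
        return null; // nothing is cached for that URL, so nothing to delete
    }
    // Compare with a trailing separator so "/cache-evil" cannot pass as "/cache".
    if ( $candidate !== $root && strpos( $candidate, $root . DIRECTORY_SEPARATOR ) !== 0 ) {
        return null;
    }
    return $candidate; // safe to hand to a recursive delete
}

// Constructed demo tree: <tmp>/ref-demo-<pid>/cache/blog/post-1
$tmp  = sys_get_temp_dir() . '/ref-demo-' . getmypid();
$root = $tmp . '/cache';
mkdir( $root . '/blog/post-1', 0700, true );
var_dump( weak_cache_path_for( $root, 'https://shop.example/../secret.txt' ) );       // escapes the root
var_dump( contained_cache_path_for( $root, 'https://shop.example/blog/post-1/' ) );   // inside the root
var_dump( contained_cache_path_for( $root, 'https://shop.example/../secret.txt' ) );  // refused
```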