
Unpatched WordPress Plugin Code-Injection Bug Afflicts 50K Sites


mood


A CSRF-to-stored-XSS security bug plagues 50,000 ‘Contact Form 7 Style’ users.

A security bug in Contact Form 7 Style, a WordPress plugin installed on over 50,000 sites, could allow for malicious JavaScript injection on a victim website.

The latest WordPress plugin security vulnerability is a cross-site request forgery (CSRF) to stored cross-site scripting (XSS) problem in Contact Form 7 Style, which is an add-on to the well-known Contact Form 7 umbrella plugin. It ranks 8.8 out of 10 on the CVSS vulnerability-severity scale (CVE is pending).

CSRF allows an attacker to induce a victim user to perform actions that they do not intend to. XSS allows an attacker to execute arbitrary JavaScript within the browser of a victim user. This bug connects the two approaches.

Researchers at Wordfence said that there’s no patch yet available, and versions 3.1.9 and below are affected. WordPress removed the plugin from the WordPress plugin repository on Feb. 1.

Vulnerable Contact Form 7 Style

Contact Form 7 is used to create, as its name suggests, contact forms used by websites. The vulnerable Contact Form 7 Style is an add-on that can be used to add additional bells and whistles to those forms that are made with Contact Form 7.

It does this by allowing users to customize a site’s Cascading Style Sheets (CSS) code, which is used to dictate the appearance of WordPress-based websites. This is where the vulnerability lies, according to Wordfence researchers.

“Due to the lack of sanitization and lack of nonce protection on this feature, an attacker could craft a request to inject malicious JavaScript on a site using the plugin,” they explained, in a posting this week, adding that further details will be withheld to give site owners a chance to address the issue. “If an attacker successfully tricked a site’s administrator into clicking a link or attachment, then the request could be sent and the CSS settings would be successfully updated to include malicious JavaScript.”

 

Since the number of installed instances for the plugin is so high, Due to the number of sites affected by this plugin’s closure, we are intentionally providing minimal details about this vulnerability to provide users ample time to find an alternative solution. We may provide additional details later as we continue to monitor the situation.

 

To exploit the flaw, cyberattackers would need to convince a logged-in administrator to click on a malicious link, which can be done via any of the common social-engineering approaches (i.e., through a fraudulent email or instant message).

 

Wordfence notified the plugin’s developer about the bug in early December; after receiving no response, the researchers then escalated the issue to the WordPress Plugins team in early January. The WordPress Plugins team also contacted the developer with no response, leading to the disclosure this week.

How to Protect Against Malicious JavaScript Injection

Because, as with all CSRF vulnerabilities, the bug can only be exploited if an admin user performs an action while authenticated to the vulnerable WordPress site, admins should always be wary when clicking on any links.

“If you feel you must click a link, we recommend using incognito windows when you are unsure about a link or attachment,” according to Wordfence. “This precaution can protect your site from being successfully exploited by this vulnerability along with all other CSRF vulnerabilities.”

In this case, users should also deactivate and remove the Contact Form 7 Style plugin and find a replacement, researchers added, since no patch appears to be forthcoming.

Source: Unpatched WordPress Plugin Code-Injection Bug Afflicts 50K Sites


Critical vulnerability fixed in WordPress plugin with 800K installs


The NextGen Gallery development team has addressed two severe CSRF vulnerabilities to protect sites from potential takeover attacks.

NextGen Gallery, a WordPress plugin used for creating image galleries, currently has over 800,000 active installs, making this security update a top priority for all site owners that have it installed.

Backdoor injection and site takeover

The two NextGEN Gallery security vulnerabilities are rated as high and critical severity by Wordfence's Threat Intelligence team who discovered them.

Both of them are Cross-Site Request Forgery (CSRF) bugs which, in the case of the critical vulnerability tracked as CVE-2020-35942, can lead to Reflected Cross-Site Scripting (XSS) and remote code execution (RCE) attacks via file upload or Local File Inclusion (LFI).

Attackers can exploit these security flaws by tricking WordPress admins into clicking specially crafted links or attachments to execute malicious code in their browsers.

Luckily, "[t]his attack would likely require some degree of social engineering, as an attacker would have to trick an administrator into clicking a link that submitted crafted requests to perform these actions," Wordfence threat analyst Ram Gall said.

Buggy NextGEN Gallery function (Wordfence)

Following successful exploitation, the vulnerabilities can let hackers set up malicious redirects, inject spam, abuse compromised sites for phishing, and, ultimately, take over the sites completely.

As Gall further explains, "once an attacker achieves Remote Code Execution on a website, they have effectively taken over that site."

However, XSS can also be used to take over sites if the attacker tricks logged-in admins into visiting pages running malicious scripts or, as seen in attacks targeting XSS vulnerabilities, it can also be used to inject backdoors on compromised sites.

Over 530,000 sites still exposed to attacks

"We initially reached out to the plugin’s publisher, Imagely, the same day, and provided full disclosure the next day, on December 15, 2020," Gall added.

"Imagely sent us patches for review on December 16, and published the patched version, 3.5.0, on December 17, 2020."

While NextGEN Gallery was released in December, it had only just over 266,000 new downloads as of yesterday according to raw download stats for the WordPress plugin's repository, including both updates and new installs.

This translates into more than 530,000 WordPress sites with active NextGEN Gallery installations potentially exposed to takeover attacks if attackers start exploiting the two bugs.

Source: Critical vulnerability fixed in WordPress plugin with 800K installs

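Both posts above describe the same root cause: an admin-side WordPress handler that accepts a state-changing request without a nonce (so a forged cross-site request from a logged-in administrator's browser is honoured) and, in the Contact Form 7 Style case, stores unsanitized input that is later printed into the page. The following is an added example written for this thread; it is not code from Contact Form 7 Style, NextGEN Gallery, or Wordfence. It shows a minimal "custom CSS" settings handler first in the weak pattern the articles describe and then in a hardened form. All option, action, hook and function names (`cf7_style_demo_*`) are assumptions made for the example; the WordPress API functions used (`check_admin_referer`, `wp_nonce_field`, `current_user_can`, `wp_strip_all_tags`, `esc_textarea`, etc.) are real.

```php
<?php
/*
 * Added example, not code from either plugin discussed above.
 * Demonstrates why "no nonce + no sanitization" on a settings handler
 * turns a CSRF into stored XSS, and what the hardened handler looks like.
 * All cf7_style_demo_* names are hypothetical.
 */

// WEAK PATTERN: any POST that reaches this hook is honoured and stored as-is.
// A forged form on an attacker-controlled page, submitted by an administrator's
// browser that is logged in to the site, writes whatever the attacker chose
// into the option, and the option is later echoed into every page (see below).
function cf7_style_demo_save_css_weak() {
    update_option( 'cf7_style_demo_css', $_POST['custom_css'] );
    wp_safe_redirect( admin_url( 'admin.php?page=cf7-style-demo&saved=1' ) );
    exit;
}
// Left unregistered on purpose; shown only for contrast.
// add_action( 'admin_post_cf7_style_demo_save_weak', 'cf7_style_demo_save_css_weak' );

// HARDENED PATTERN: nonce bound to this action, capability check, sanitization.
function cf7_style_demo_save_css() {
    // 1. CSRF protection. The nonce is only present in a form that this site
    //    rendered for this user; a cross-site request cannot supply it, and
    //    check_admin_referer() dies with a 403-style page when it is missing
    //    or invalid.
    check_admin_referer( 'cf7_style_demo_save_css', 'cf7_style_demo_nonce' );

    // 2. Authorization. Changing site-wide CSS is an administrator action.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'cf7-style-demo' ), 403 );
    }

    // 3. Sanitization. The setting is plain CSS text, so any markup in it is
    //    illegitimate; wp_strip_all_tags() removes <script>/<style> blocks
    //    with their contents and then strips all remaining tags.
    $css = isset( $_POST['custom_css'] ) ? wp_unslash( $_POST['custom_css'] ) : '';
    $css = wp_strip_all_tags( $css );
    update_option( 'cf7_style_demo_css', $css );

    wp_safe_redirect( admin_url( 'admin.php?page=cf7-style-demo&saved=1' ) );
    exit;
}
add_action( 'admin_post_cf7_style_demo_save', 'cf7_style_demo_save_css' );

// The settings form must emit the matching nonce field; without it the
// hardened handler rejects even legitimate saves, which is the intended
// fail-closed behaviour.
function cf7_style_demo_render_form() {
    $css = get_option( 'cf7_style_demo_css', '' );
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="cf7_style_demo_save">
        <?php wp_nonce_field( 'cf7_style_demo_save_css', 'cf7_style_demo_nonce' ); ?>
        <textarea name="custom_css" rows="10" cols="80"><?php echo esc_textarea( $css ); ?></textarea>
        <?php submit_button( 'Save CSS' ); ?>
    </form>
    <?php
}

// 4. Defence in depth at output time. The stored value is inserted inside a
//    <style> element on the public site, so tags are stripped again here; a
//    value that somehow contained "</style><script>..." would otherwise break
//    out of the style block.
function cf7_style_demo_print_css() {
    $css = get_option( 'cf7_style_demo_css', '' );
    if ( '' !== $css ) {
        echo '<style id="cf7-style-demo">' . wp_strip_all_tags( $css ) . '</style>';
    }
}
add_action( 'wp_head', 'cf7_style_demo_print_css' );
```

When auditing a plugin for this class of bug, look for `update_option()` / `$wpdb` writes reachable from `admin_post_*`, `wp_ajax_*` or `admin_init` hooks that are not preceded by `check_admin_referer()` / `wp_verify_nonce()` and a `current_user_can()` check; that is exactly the shape the Wordfence write-ups describe. Note that `wp_strip_all_tags()` is a blunt instrument (it would mangle legitimate CSS selectors containing `<`), so a production plugin should pair the nonce and capability checks with a purpose-built CSS sanitizer rather than rely on tag stripping alone.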