What To Know About Medium-Level WordPress Vulnerabilities via @sejournal, @martinibuster

The majority of WordPress vulnerabilities, about 67% of them discovered in 2023, are rated as medium level. Because of they’re the most common, it makes sense to understand what they are and when they represent an actual security threat. These are the facts about those kinds of vulnerabilities what you should know about them.

What Is A Medium Level Vulnerability?

A spokesperson from WPScan, a WordPress Security Scanning company owned by Automattic, explained that they use the Common Vulnerability Scoring System (CVSS Scores) to rate the severity of a threat. The scores are based on a numbering system from 1 – 10 and ratings from low, medium, high, and critical.

The WPScan spokesperson explained:

“We don’t flag levels as the chance of happening, but the severity of the vulnerability based on FIRST’s CVSS framework. Speaking broadly, a medium-level severity score means either the vulnerability is hard to exploit (e.g., SQL Injection that requires a highly privileged account) or the attacker doesn’t gain much from a successful attack (e.g., an unauthenticated user can get the content of private blog posts).

We generally don’t see them being used as much in large-scale attacks because they are less useful than higher severity vulnerabilities and harder to automate. However, they could be useful in more targeted attacks, for example, when a privileged user account has already been compromised, or an attacker knows that some private content contains sensitive information that is useful to them.

We would always recommend upgrading vulnerable extensions as soon as possible. Still, if the severity is medium, then there is less urgency to do so, as the site is less likely to be the victim of a large-scale automated attack.

An untrained user may find the report a bit hard to digest. We did our best to make it as suitable as possible for all audiences, but I understand it’d be impossible to cover everyone without making it too boring or long. And the same can happen to the reported vulnerability. The user consuming the feed would need some basic knowledge of their website setup to consider which vulnerability needs immediate attention and which one can be handled by the WAF, for example.

If the user knows, for example, that their site doesn’t allow users to subscribe to it. All reports of subscriber+ vulnerabilities, independent of the severity level, can be reconsidered. Assuming that the user maintains a constant review of the site’s user base.

The same goes for contributor+ reports or even administrator levels. If the person maintains a small network of WordPress sites, the admin+ vulnerabilities are interesting for them since a compromised administrator of one of the sites can be used to attack the super admin.”

Contributor-Level Vulnerabilities

Many medium severity vulnerabilities require a contributor-level access. A contributor is an access role that gives that registered user the ability to write and submit content, although in general they don’t have the ability to publish them.

Most websites don’t have to worry about security threats that require contributor level authentication because most sites don’t offer that level of access.

Chloe Chamberland – Threat Intelligence Lead at Wordfence explained that most site owners shouldn’t worry about medium level severity vulnerabilities that require a contributor-level access in order to exploit them because most WordPress sites don’t offer that permission level. She also noted that these kinds of vulnerabilities are hard to scale because exploiting them is difficult to automate.

Chloe explained:

“For most site owners, vulnerabilities that require contributor-level access and above to exploit are something they do not need to worry about. This is because most sites do not allow contributor-level registration and most sites do not have contributors on their site.

In addition, most WordPress attacks are automated and are looking for easy to exploit high value returns so vulnerabilities like this are unlikely to be targeted by most WordPress threat actors.”

Website Publishers That Should Worry

Chloe also said that publishers who do offer contributor-level permissions may have several reasons to be concerned about these kinds of exploits:

“The concern with exploits that require contributor-level access to exploit arises when site owners allow contributor-level registration, have contributors with weak passwords, or the site has another plugin/theme installed with a vulnerability that allows contributor-level access in some way and the attacker really wants in on your website.

If an attacker can get their hands on one of these accounts, and a contributor-level vulnerability exists, then they may be provided with the opportunity to escalate their privileges and do real damage to the victim. Let’s take a contributor-level Cross-Site Scripting vulnerability for example.

Due to the nature of contributor-level access, an administrator would be highly likely to preview the post for review at which point any injected JavaScript would execute – this means the attacker would have a relatively high chance of success due to the admin previewing the post for publication.

As with any Cross-Site Scripting vulnerability, this can be leveraged to add a new administrative user account, inject backdoors, and essentially do anything a site administrator could do. If a serious attacker has access to a contributor-level account and no other trivial way to elevate their privileges, then they’d likely leverage that contributor-level Cross-Site Scripting to gain further access. As previously mentioned, you likely won’t see that level of sophistication targeting the vast majority of WordPress sites, so it’s really high value sites that need to be concerned with these issues.

In conclusion, while I don’t think a vast majority of site owners need to worry about contributor-level vulnerabilities, it’s still important to take them seriously if you allow user registration at that level on your site, you don’t enforce unique strong user passwords, and/or you have a high value WordPress website.”

Be Aware Of Vulnerabilities

While the many of the medium level vulnerabilities may not be something to worry about it’s still a good idea to stay informed of them. Security Scanners like the free version of WPScan can give a warning when a plugin or theme becomes vulnerable. It’s a good way to have a warning system in place to keep on top of vulnerabilities.

WordPress security plugins like Wordfence offer a proactive security stance that actively blocks automated hacking attacks and can be further tuned by advanced users to block specific bots and user agents. The free version of Wordfence offers significant protection in the form of a firewall and a malware scanner. The paid version offers protection for all vulnerabilities as soon as they’re discovered and before the vulnerability is patched. I use Wordfence on all of my websites and can’t imagine setting up a website without it.

Security is generally not regarded as an SEO issue but it should be considered as one because failure to secure a site can undo all the hard word done to make a site rank well.

Featured Image by Shutterstock/Juan villa torres

2024 WordPress Vulnerability Report Shows Errors Sites Keep Making via @sejournal, @martinibuster

WordPress security scanner WPScan’s 2024 WordPress vulnerability report calls attention to WordPress vulnerability trends and suggests the kinds of things website publishers (and SEOs) should be looking out for.

Some of the key findings from the report were that just over 20% of vulnerabilities were rated as high or critical level threats, with medium severity threats, at 67% of reported vulnerabilities, making up the majority. Many regard medium level vulnerabilities as if they are low-level threats but they’re not and should be regarded as deserving attention.

The WPScan report advised:

“While severity doesn’t translate directly to the risk of exploitation, it’s an important guideline for website owners to make an educated decision about when to disable or update the extension.”

WordPress Vulnerability Severity Distribution

Critical level vulnerabilities, the highest level of threat, represented only 2.38% of vulnerabilities, which is (essentially good news for WordPress publishers. Yet as mentioned earlier, when combined with the percentages of high level threats (17.68%) the number or concerning vulnerabilities rises to almost 20%.

Here are the percentages by severity ratings:

• Critical 2.38%
• Low 12.83%
• High 17.68%
• Medium 67.12%

Authenticated Versus Unauthenticated

Authenticated vulnerabilities are those that require an attacker to first attain user credentials and their accompanying permission levels in order to exploit a particular vulnerbility. Exploits that require subscriber-level authentication are the most exploitable of the authenticated exploits and those that require administrator level access present the least risk (although not always a low risk for a variety of reasons).

Unauthenticated attacks are generally the easiest to exploit because anyone can launch an attack without having to first acquire a user credential.

The WPScan vulnerability report found that about 22% of reported vulnerabilities required subscriber level or no authentication at all, representing the most exploitable vulnerabilities. On the other end of the scale of the exploitability are vulnerabilities requiring admin permission levels representing a total of 30.71% of reported vulnerabilities.

Permission Levels Required For Exploits

Vulnerabilities requiring administrator level credentials represented the highest percentage of exploits, followed by Cross Site Request Forgery (CSRF) with 24.74% of vulnerabilities. This is interesting because CSRF is an attack that uses social engineering to get a victim to click a link from which the user’s permission levels are acquired. If they can trick an admin level user to follow a link then they will be able to assume that level of privileges to the WordPress website.

The following is the percentages of exploits ordered by roles necessary to launch an attack.

Ascending Order Of User Roles For Vulnerabilities

• Author 2.19%
• Subscriber 10.4%
• Unauthenticated 12.35%
• Contributor 19.62%
• CSRF 24.74%
• Admin 30.71%

Most Common Vulnerability Types Requiring Minimal Authentication

Broken Access Control in the context of WordPress refers to a security failure that can allow an attacker without necessary permission credentials to gain access to higher credential permissions.

In the section of the report that looks at the occurrences and vulnerabilities underlying unauthenticated or subscriber level vulnerabilities reported (Occurrence vs Vulnerability on Unauthenticated or Subscriber+ reports), WPScan breaks down the percentages for each vulnerability type that is most common for exploits that are the easiest to launch (because they require minimal to no user credential authentication).

The WPScan threat report noted that Broken Access Control represents a whopping 84.99% followed by SQL injection (20.64%).

The Open Worldwide Application Security Project (OWASP) defines Broken Access Control as:

“Access control, sometimes called authorization, is how a web application grants access to content and functions to some users and not others. These checks are performed after authentication, and govern what ‘authorized’ users are allowed to do.

Access control sounds like a simple problem but is insidiously difficult to implement correctly. A web application’s access control model is closely tied to the content and functions that the site provides. In addition, the users may fall into a number of groups or roles with different abilities or privileges.”

SQL injection, at 20.64% represents the second most prevalent type of vulnerability, which WPScan referred to as both “high severity and risk” in the context of vulnerabilities requiring minimal authentication levels because attackers can access and/or tamper with the database which is the heart of every WordPress website.

These are the percentages:

• Broken Access Control 84.99%
• SQL Injection 20.64%
• Cross-Site Scripting 9.4%
• Unauthenticated Arbitrary File Upload 5.28%
• Sensitive Data Disclosure 4.59%
• Insecure Direct Object Reference (IDOR) 3.67%
• Remote Code Execution 2.52%
• Other 14.45%

Vulnerabilities In The WordPress Core Itself

The overwhelming majority of vulnerability issues were reported in third-party plugins and themes. However, there were in 2023 a total of 13 vulnerabilities reported in the WordPress core itself. Out of the thirteen vulnerabilities only one of them was rated as a high severity threat, which is the second highest level, with Critical being the highest level vulnerability threat, a rating scoring system maintained by the Common Vulnerability Scoring System (CVSS).

The WordPress core platform itself is held to the highest standards and benefits from a worldwide community that is vigilant in discovering and patching vulnerabilities.

Website Security Should Be Considered As Technical SEO

Site audits don’t normally cover website security but in my opinion every responsible audit should at least talk about security headers. As I’ve been saying for years, website security quickly becomes an SEO issue once a website’s ranking start disappearing from the search engine results pages (SERPs) due to being compromised by a vulnerability. That’s why it’s critical to be proactive about website security.

According to the WPScan report, the main point of entry for hacked websites were leaked credentials and weak passwords. Ensuring strong password standards plus two-factor authentication is an important part of every website’s security stance.

Using security headers is another way to help protect against Cross-Site Scripting and other kinds of vulnerabilities.

Lastly, a WordPress firewall and website hardening are also useful proactive approaches to website security. I once added a forum to a brand new website I created and it was immediately under attack within minutes. Believe it or not, virtually every website worldwide is under attack 24 hours a day by bots scanning for vulnerabilities.

Read the WPScan Report:

WPScan 2024 Website Threat Report

Featured Image by Shutterstock/Ljupco Smokovski

WordPress Discovers XSS Vulnerability – Recommends Updating To 6.5.2 via @sejournal, @martinibuster

WordPress announced the 6.5.2 Maintenance and Security Release update that patches a store cross site scripting vulnerability and fixes over a dozen bugs in the core and the block editor.

The same vulnerability affects both the WordPress core and the Gutenberg plugin.

Cross Site Scripting (XSS)

An XSS vulnerability was discovered in WordPress that could allow an attacker to inject scripts into a website that then attacks site visitors to those pages.

There are three kinds of XSS vulnerabilities but the most commonly discovered in WordPress plugins, themes and WordPress itself are reflected XSS and stored XSS.

Reflected XSS requires a victim to click a link, an extra step that makes this kind of attack harder to launch.

A stored XSS is the more worrisome variant because it exploits a flaw that allows the attacker to upload a script into the vulnerable site that can then launch attacks against site visitors. The vulnerability discovered in WordPress is a stored XSS.

The threat itself is mitigated to a certain degree because this is an authenticated stored XSS, which means that the attacker needs to first acquire at least a contributor level permissions in order to exploit the website flaw that makes the vulnerability possible.

This vulnerability is rated as a medium level threat, receiving a Common Vulnerability Scoring System (CVSS) score of 6.4 on a scale of 1 – 10.

Wordfence describes the vulnerability:

“WordPress Core is vulnerable to Stored Cross-Site Scripting via user display names in the Avatar block in various versions up to 6.5.2 due to insufficient output escaping on the display name. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

WordPress.org Recommends Updating Immediately

The official WordPress announcement recommended that users update their installations, writing:

“Because this is a security release, it is recommended that you update your sites immediately. Backports are also available for other major WordPress releases, 6.1 and later.”

Read the Wordfence advisories:

WordPress Core < 6.5.2 – Authenticated (Contributor+) Stored Cross-Site Scripting via Avatar Block

Gutenberg 12.9.0 – 18.0.0 – Authenticated (Contributor+) Stored Cross-Site Scripting via Avatar Block

Read the official WordPress.org announcement:

WordPress 6.5.2 Maintenance and Security Release

Featured Image by Shutterstock/ivan_kislitsin

XSS Vulnerability Affects Beaver Builder WordPress Page Builder via @sejournal, @martinibuster

The popular Beaver Builder WordPress Page Builder was found to contain an XSS vulnerability that can allow an attacker to inject scripts into the website that will run when a user visits a webpage.

Beaver Builder

Beaver Builder is a popular plugin that allows anyone to create a professional looking website using an easy to use drag and drop interface. Users can start with a predesigned template or create a website from scratch.

Stored Cross Site Scripting (XSS) Vulnerability

Security researchers at Wordfence published an advisory about an XSS vulnerability affecting the page builder plugin. An XSS vulnerability is typically found in a part of a theme or plugin that allows user input. The flaw arises when there is insufficient filtering of what can be input (a process called input sanitization). Another flaw that leads to an XSS is insufficient output escaping, which is a security measure on the output of a plugin that prevents harmful scripts from passing to a website browser.

This specific vulnerability is called a Stored XSS. Stored means that an attacker is able to inject a script directly onto the webs server. This is different from a reflected XSS which requires a victim to click a link to the attacked website in order to execute a malicious script. A stored XSS (as affects the Beaver Builder), is generally considered to be more dangerous than a reflected XSS.

The security flaws that gave rise to an XSS vulnerability in the Beaver Builder were due to insufficient input sanitization and output escaping.

Wordfence described the vulnerability:

“The Beaver Builder – WordPress Page Builder plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the plugin’s Button Widget in all versions up to, and including, 2.8.0.5 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.”

The vulnerability is rated 6.4, a medium level threat. Attackers must gain at least contributor-level permission levels in order to be able to launch an attack, which makes this vulnerability a little harder to exploit.

The official Beaver Builder changelog, which documents what’s contained in an update, notes that a patch was issued in version 2.8.0.7.

The changelog notes:

“Fix XSS issue in Button & Button Group Modules when using lightbox”

Recommended action: It’s generally a good practice to update and patch a vulnerability before an attacker is able to exploit it. It’s a best-practice to stage the site first before pushing an update live in case that the updated plugin conflicts with another plugin or theme.

Read the Wordfence advisory:

Beaver Builder – WordPress Page Builder <= 2.8.0.5 – Authenticated (Contributor+) Stored Cross-Site Scripting via Button

See also:

Featured Image by Shutterstock/Prostock-studio

WordPress Backup Plugin DoS Vulnerability Affects +200,000 Sites via @sejournal, @martinibuster

A popular WordPress backup plugin installed in over 200,000 websites recently patched a high severity vulnerability that could lead to a denial of service attack. Wordfence assigned a CVSS severity level rating of High, with a score of 7.5/10, indicating that plugin users should take note and update their plugin.

Backuply Plugin

The vulnerability affects the Backuply WordPress backup plugin. Creating backups is a necessary function for every website, not just WordPress sites, because backups help publishers roll back to a previous version should the server fail and lose data in a catastrophic failure.

Website backups are invaluable for site migrations, hacking recovery and failed updates that render a website non-functional.

Backuply is an especially useful plugin because it backup data to multiple trusted third party cloud services and supports multiple ways to download local copies in order to create redundant backups so that if a cloud backup is bad the site can be recovered from another backup stored locally.

According to Backuply:

“Backuply comes with Local Backups and Secure Cloud backups with easy integrations with FTP, FTPS, SFTP, WebDAV, Google Drive, Microsoft OneDrive, Dropbox, Amazon S3 and easy One-click restoration.”

Vulnerability Affecting Backuply

The United States Government National Vulnerability Database warns that Backuply up to and including version 1.2.5 contains a flaw that can lead to denial of service attacks.

The warning explains:

“This is due to direct access of the backuply/restore_ins.php file and. This makes it possible for unauthenticated attackers to make excessive requests that result in the server running out of resources.”

Denial Of Service (DoS) Attack

A denial of service (DoS) attack is one in which a flaw in a software allows an attacker to make so many rapid requests that the server runs out of resources and can no longer process any further requests, including serving webpages to site visitors.

A feature of DoS attacks is that it is sometimes possible to upload scripts, HTML or other code that can then be executed, allowing the attacker to perform virtually any action.

Vulnerabilities that enable DoS attacks are considered critical, and steps to mitigate them should be taken as soon as possible.

Backuply Changelog Documentation

The official Backuply changelog, which announces the details of every update, notes that a fix was implemented in version of 1.2.6. Backuply’s transparency and rapid response is responsible and a sign of a trustworthy developer.

According to the Changelog:

“1.2.6 (FEBRUARY 08 2024)
[Security-Fix] In some cases it was possible to fill up the logs and has been fixed. Reported by Villu Orav (WordFence)”

Recommendations

In general it is highly recommended that all users of the Backuply plugin update their plugin as soon as possible in order to prevent an unwanted security event.

Read the National Vulnrability Database description of the vulnerability:

CVE-2024-0842

Read the Wordfence Backuply vulnerability report:

Backuply – Backup, Restore, Migrate and Clone <= 1.2.5 – Denial of Service

Featured Image by Shutterstock/Doppelganger4