WordPress 6.6: The 6 highlights in this release!

WordPress 6.6 is here and it comes with a suite of new features and improvements. Features that will give you more control over the look of your website, peace of mind when auto-updating plugins, and introduce you to some improved workflows. Here’s a sneak peek into the key highlights of this release.

Page previews in the site editor

The site editor now comes with a visual overview of your pages, also allowing you to preview a page before clicking edit. It creates a very natural workflow and makes working from the site editor easier. Make sure to check it out. You can find the editor under Appearance in the side menu of your WordPress dashboard.

Screenshot of the page overview in the site editor

More control over design

As they’ve done for the past couple of releases, the WordPress team has once again added loads of features that allow WordPress users more freedom in web design. WordPress 6.6 allows for more color palettes and font sets within one theme, making it easier for users to customize their website without compromising overall design and consistency. This feature, although aimed at theme developers, benefits everyone using a block theme.

This release also adds the ability to set negative margins for blocks, background images that can be reused site-wide, section-specific styling, box shadows for featured images, and more.

Override your synced patterns

Are you familiar with synced patterns in WordPress? A synced pattern can be described as a few blocks, grouped together, to be used in different places on a website. To give an example, the image below shows a standard synced pattern that comes with a WordPress theme and it consists of a heading, paragraph, button and image.

Screenshot: an example of a synced pattern in WordPress

You can add this pattern to different pages for consistency (and it can save you loads of time). WordPress 6.6 adds the ability to ‘override’ this pattern so you can tweak it where needed: you can edit the heading, paragraph, button and image blocks to customize the pattern per instance while continuing to use the overall pattern for consistency. Simply go to your synced pattern, click edit, select the block you want to change and go to Advanced in the settings to find the override feature.

Screenshot: the override feature while editing a synced pattern

Keep your plugins up to date

A really cool feature in WordPress 6.6 is the optional rollback for automatically updated plugins. The idea is that you can set your plugins to auto-update without having to worry about any unexpected negative impact: if an update goes wrong, the plugin is restored to its previous version. This lets you keep your plugins updated, which improves your security, while making sure your website keeps working and behaving as it should.

What’s new in the block editor?

This latest release comes with a new publish flow in the sidebar of your post or page. It shows the featured image at the top and shows all the other page settings in a list. You can simply click the setting you want to edit and it will give you a pop-up as shown in the screenshot below. It might take you a few seconds (or clicks) to figure out where everything has moved. But it looks very clean and makes everything feel very unified.

Screenshot: the publish flow in WordPress 6.6

Another small and nifty feature I’d like to highlight is the shortcut that you can now use to group blocks together. Select the blocks of your choice and use Ctrl + G on Windows or ⌘ + G on MacOS.

Performance and accessibility

What’s a WordPress release without any performance and accessibility enhancements? Of course, WordPress 6.6 comes with a bunch of them. Performance updates include a 40% reduction in template loading time in the editor, the removal of unnecessary WP_Theme_JSON calls, and dropping lazy loading for post embeds. The accessibility improvements focus mainly on interaction with blocks and patterns and on the data views component that powers the new site editing. Read all about this and more in the WordPress 6.6 release notes.

Read more: WordPress 6.5: The features you want to know about »


WordPress Nested Pages Plugin High Severity Vulnerability via @sejournal, @martinibuster

The U.S. National Vulnerability Database (NVD) and Wordfence published a security advisory about a high severity Cross Site Request Forgery (CSRF) vulnerability in the Nested Pages WordPress plugin, which has more than 100,000 installations. The vulnerability received a Common Vulnerability Scoring System (CVSS) rating of 8.8 on a scale of 1 – 10, with ten representing the highest level of severity.

Cross Site Request Forgery (CSRF)

Cross Site Request Forgery (CSRF) is a type of attack that, in this case, takes advantage of a security flaw in the Nested Pages plugin that allows unauthenticated attackers to call (execute) PHP files, which are the code-level files of WordPress.

The first flaw is missing or incorrect nonce validation. A nonce is a common security feature used in WordPress plugins to tie a form submission or URL to the logged-in user who requested it, so that a request forged from another site fails the check. The second flaw is missing sanitization. Sanitization is the practice of checking and cleaning data as it is input or output; it is also common in WordPress plugins, but in this case it is missing.

According to Wordfence:

“This is due to missing or incorrect nonce validation on the ‘settingsPage’ function and missing sanitization of the ‘tab’ parameter.”

The CSRF attack relies on getting a signed-in WordPress user (such as an Administrator) to click a link, which in turn allows the attacker to complete the attack. This vulnerability is rated 8.8, which makes it a high severity threat. To put that into perspective, a score of 8.9 is a critical level threat, which is an even higher level. So at 8.8 it is just short of a critical level threat.
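The two flaws Wordfence names, a settings handler with no nonce check and a ‘tab’ parameter used without sanitization, map onto a well-known WordPress pattern. The following is an added example (not Nested Pages’ own code) of that pattern in its weak form next to a hardened settings page; the `demo_` prefix, the option name and the tab file names are hypothetical.

```php
<?php
/**
 * Added example, not Nested Pages' own code. A WordPress settings page whose
 * "tab" query parameter selects which file to include, plus the handler that
 * saves the form. Plugin prefix "demo_", option "demo_mode" and the tabs/
 * file names are hypothetical; the code assumes it runs inside WordPress.
 */

// Shape of the flaw class the advisory describes: the raw "tab" value builds
// an include path, and options are changed with no nonce check, so a crafted
// link that a logged-in admin follows can drive both.
function demo_settings_page_unsafe() {
    $tab = $_GET['tab'] ?? 'general';
    include plugin_dir_path( __FILE__ ) . 'tabs/' . $tab . '.php';
    if ( isset( $_GET['save'] ) ) {
        update_option( 'demo_mode', $_GET['mode'] );
    }
}

// Hardened form below.
const DEMO_TABS = array( 'general', 'display', 'advanced' );

// Map untrusted input onto a fixed allowlist. sanitize_key() keeps only
// [a-z0-9_-], so path traversal sequences cannot survive, and the strict
// in_array() rejects every name that is not one of our own tabs.
function demo_resolve_tab( $raw ) {
    $tab = sanitize_key( (string) $raw );
    return in_array( $tab, DEMO_TABS, true ) ? $tab : 'general';
}

// Viewing the page changes nothing, so it needs a capability check and a
// constrained include path but no nonce; the form it renders carries one.
function demo_settings_page() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'demo' ) );
    }
    $tab = demo_resolve_tab( $_GET['tab'] ?? '' );
    echo '<form method="post" action="' . esc_url( admin_url( 'admin-post.php' ) ) . '">';
    wp_nonce_field( 'demo_save_settings' ); // emits the _wpnonce field
    echo '<input type="hidden" name="action" value="demo_save_settings">';
    echo '<input type="hidden" name="tab" value="' . esc_attr( $tab ) . '">';
    include plugin_dir_path( __FILE__ ) . 'tabs/' . $tab . '.php'; // limited to DEMO_TABS
    submit_button();
    echo '</form>';
}

// The state change happens only here, after the nonce is verified.
function demo_save_settings() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( esc_html__( 'Insufficient permissions.', 'demo' ) );
    }
    // Dies unless _wpnonce was generated for this action and this user,
    // which a request forged from another site cannot supply.
    check_admin_referer( 'demo_save_settings' );

    $tab  = demo_resolve_tab( $_POST['tab'] ?? '' );
    $mode = sanitize_text_field( wp_unslash( $_POST['mode'] ?? '' ) );
    update_option( 'demo_mode', $mode );

    wp_safe_redirect( add_query_arg(
        array( 'page' => 'demo-settings', 'tab' => $tab, 'updated' => '1' ),
        admin_url( 'options-general.php' )
    ) );
    exit;
}

add_action( 'admin_menu', function () {
    add_options_page( 'Demo Settings', 'Demo', 'manage_options', 'demo-settings', 'demo_settings_page' );
} );
add_action( 'admin_post_demo_save_settings', 'demo_save_settings' );
```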

This vulnerability affects all versions of the Nested Pages plugin up to and including version 3.2.7. The developers of the plugin released a security fix in version 3.2.8 and responsibly published the details of the security update in their changelog.

The official changelog documents the security fix:

“Security update addressing CSRF issue in plugin settings”

Read the advisory at Wordfence:

Nested Pages <= 3.2.7 – Cross-Site Request Forgery to Local File Inclusion

Read the advisory at the NVD:

CVE-2024-5943 Detail


WordPress Takes Bite Out Of Plugin Attacks via @sejournal, @martinibuster

WordPress announced over the weekend that they were pausing plugin updates and initiating a force reset on plugin author passwords in order to prevent additional website compromises due to the ongoing Supply Chain Attack on WordPress plugins.

Supply Chain Attack

Hackers have been attacking plugins directly at the source using credentials exposed in previous data breaches (unrelated to WordPress itself). They look for plugin authors who reuse the same password across multiple websites, so that a password exposed in an earlier breach also opens their WordPress.org account.

WordPress Takes Action To Block Attacks

Some plugins have been compromised, but the WordPress community has rallied to clamp down on further plugin compromises by instituting a forced password reset and encouraging plugin authors to use two-factor authentication.

WordPress also temporarily blocked all new plugin updates at the source unless they received team approval in order to make sure that a plugin is not being updated with malicious backdoors. By Monday WordPress updated their post to confirm that plugin releases are no longer paused.

The WordPress announcement on the forced password reset:

“We have begun to force reset passwords for all plugin authors, as well as other users whose information was found by security researchers in data breaches. This will affect some users’ ability to interact with WordPress.org or perform commits until their password is reset.

You will receive an email from the Plugin Directory when it is time for you to reset your password. There is no need to take action before you’re notified.”

A discussion in the comments section between a WordPress community member and the author of the announcement revealed that WordPress did not directly contact plugin authors who were identified as using “recycled” passwords, because there was evidence that the list of users found in the data breach included accounts whose credentials were in fact safe (false positives). WordPress also discovered that some accounts that were assumed to be safe were in fact compromised (false negatives). That is what led to the current action of forcing password resets.

Francisco Torres of WordPress answered:

“You’re right that specifically reaching out to those individuals mentioning that their data has been found in data breaches will make them even more sensitive, but unfortunately as I’ve already mentioned that might be inaccurate for some users and there will be others that are missing. What we’ve done since the beginning of this issue is to individually notify those users that we’re certain have been compromised.”

Read the official WordPress announcement:

Password Reset Required for Plugin Authors


WordPress Plugin Supply Chain Attacks Escalate via @sejournal, @martinibuster

WordPress plugins continue to be under attack by hackers using stolen credentials (from other data breaches) to gain direct access to plugin code. What makes these attacks of particular concern is that the compromise reaches users as what looks like a normal plugin update, so a supply chain attack can sneak in unnoticed.

Supply Chain Attack

The most common kind of vulnerability is a flaw in the software’s code that allows an attacker to inject malicious code or launch some other kind of attack. A supply chain attack is different: the software itself, or a component of that software (such as a third-party script used within it), is directly altered to contain malicious code. This creates the situation where the software itself is delivering the malicious files.

The United States Cybersecurity and Infrastructure Security Agency (CISA) defines a supply chain attack (PDF):

“A software supply chain attack occurs when a cyber threat actor infiltrates a software vendor’s network and employs malicious code to compromise the software before the vendor sends it to their customers. The compromised software then compromises the customer’s data or system.

Newly acquired software may be compromised from the outset, or a compromise may occur through other means like a patch or hotfix. In these cases, the compromise still occurs prior to the patch or hotfix entering the customer’s network. These types of attacks affect all users of the compromised software and can have widespread consequences for government, critical infrastructure, and private sector software customers.”

In this specific attack on WordPress plugins, the attackers use stolen passwords to get into developer accounts that have direct access to plugin code. They then add malicious code to the plugins, which creates administrator-level user accounts on every website that uses a compromised plugin.

Today, Wordfence announced that additional WordPress plugins have been identified as having been compromised. It may very well be the case that there will be more plugins that are or will be compromised. So it’s good to understand what is going on and to be proactive about protecting sites under your control.

More WordPress Plugins Attacked

Wordfence issued an advisory that more plugins were compromised, including a highly popular podcasting plugin called PowerPress Podcasting plugin by Blubrry.

These are the newly discovered compromised plugins announced by Wordfence:

  • WP Server Health Stats (wp-server-stats): 1.7.6
    Patched Version: 1.7.8
    10,000 active installations
  • Ad Invalid Click Protector (AICP) (ad-invalid-click-protector): 1.2.9
    Patched Version: 1.2.10
    30,000+ active installations
  • PowerPress Podcasting plugin by Blubrry (powerpress): 11.9.3 – 11.9.4
    Patched Version: 11.9.6
    40,000+ active installations
  • Latest Infection – Seo Optimized Images (seo-optimized-images): 2.1.2
    Patched Version: 2.1.4
    10,000+ active installations
  • Latest Infection – Pods – Custom Content Types and Fields (pods): 3.2.2
    Patched Version: No patched version needed currently.
    100,000+ active installations
  • Latest Infection – Twenty20 Image Before-After (twenty20): 1.6.2, 1.6.3, 1.5.4
    Patched Version: No patched version needed currently.
    20,000+ active installations

These are the first group of compromised plugins:

  • Social Warfare
  • Blaze Widget
  • Wrapper Link Element
  • Contact Form 7 Multi-Step Addon
  • Simply Show Hooks

More information about the WordPress Plugin Supply Chain Attack here.

What To Do If Using A Compromised Plugin

Some of the plugins have been updated to fix the problem, but not all of them. Regardless of whether the compromised plugin has been patched to remove the malicious code and the developer password updated, site owners should check their database to make sure there are no rogue admin accounts that have been added to the WordPress website.

The attack creates administrator accounts with the user names of “Options” or “PluginAuth” so those are the user names to watch for. However, it’s probably a good idea to look for any new admin level user accounts that are unrecognized in case the attack has evolved and the hackers are using different administrator accounts.

Site owners who use the free or Pro version of the Wordfence WordPress security plugin are notified when a compromised plugin is discovered. Pro-level users of the plugin also receive malware signatures for immediately detecting infected plugins.

The official Wordfence warning announcement about these new infected plugins advises:

“If you have any of these plugins installed, you should consider your installation compromised and immediately go into incident response mode. We recommend checking your WordPress administrative user accounts and deleting any that are unauthorized, along with running a complete malware scan with the Wordfence plugin or Wordfence CLI and removing any malicious code.

Wordfence Premium, Care, and Response users, as well as paid Wordfence CLI users, have malware signatures to detect this malware. Wordfence free users will receive the same detection after a 30 day delay on July 25th, 2024. If you are running a malicious version of one of the plugins, you will be notified by the Wordfence Vulnerability Scanner that you have a vulnerability on your site and you should update the plugin where available or remove it as soon as possible.”

Read more:

WordPress Plugins Compromised At The Source – Supply Chain Attack

3 More Plugins Infected in WordPress.org Supply Chain Attack Due to Compromised Developer Passwords


WordPress Plugins Compromised At The Source via @sejournal, @martinibuster

WordPress.org and Wordfence have published warnings about hackers adding malicious code to plugins at the source, leading to widespread infections via updates.

Five Compromised Plugins… To Date

Typically what happens is that a plugin contains a weakness (a vulnerability) that allows an attacker to compromise individual sites that use that version of the plugin. These compromises are different because the plugins themselves don’t contain a vulnerability. The attackers are injecting malicious code directly at the source of the plugin and pushing an update, which then spreads the code to all sites that use the plugin.

Wordfence first noticed one plugin that contained malicious code. When they uploaded the details to their database they then discovered four other plugins that were compromised with a similar kind of malicious code. Wordfence immediately notified WordPress about their findings.

Wordfence shared details of the affected plugins:

“Social Warfare 4.4.6.4 – 4.4.7.1
Patched Version: 4.4.7.3

Blaze Widget 2.2.5 – 2.5.2
Patched Version: None

Wrapper Link Element 1.0.2 – 1.0.3
Patched Version: It appears that someone removed the malicious code, however, the latest version is tagged as 1.0.0 which is lower than the infected versions. This means it may be difficult to update to the latest version, so we recommend removing the plugin until a properly tagged version is released.

Contact Form 7 Multi-Step Addon 1.0.4 – 1.0.5
Patched Version: None

Simply Show Hooks 1.2.1
Patched Version: None”

WordPress shut down all five plugins directly at the official plugin repository and published a notification at each of the plugin pages that they are closed and unavailable.

Screenshot Of A Delisted WordPress Plugin

The infected plugins generate rogue admin accounts that phone home to a server. The attacked websites are altered with SEO spam links that are added to the footer. Sophisticated malware can be hard to catch because the hackers actively try to hide their code, for example by obfuscating it so that it looks like a string of numbers. Wordfence noted that this specific malware was not sophisticated and was easy to identify and track.

Wordfence made an observation about this curious quality of the malware:

“The injected malicious code is not very sophisticated or heavily obfuscated and contains comments throughout making it easy to follow. The earliest injection appears to date back to June 21st, 2024, and the threat actor was still actively making updates to plugins as recently as 5 hours ago.”

WordPress Issues Advisory On Compromised Plugins

The WordPress advisory states that attackers identify plugin developers who have “committer access” (meaning that they can commit code to the plugin) and then use credentials from other data breaches that match those developers. The hackers use those credentials to directly access the plugin at the code level and inject their malicious code.

WordPress explained:

“On June 23 and 24, 2024, five WordPress.org user accounts were compromised by an attacker trying username and password combinations that had been previously compromised in data breaches on other websites. The attacker used access to these 5 accounts to issue malicious updates to 5 plugins those users had committer access to.

…The affected plugins have had security updates issued by the Plugins Team to protect user security.”

The fault of these compromises apparently lies with the plugin developer security practices. WordPress’ official announcement reminded plugin developers of best practices to use in order to prevent these kinds of compromises from happening.

How To Know If Your Site Is Compromised?

At this point in time there are only five plugins known to be compromised with this specific malicious code. Wordfence said that the hackers create admins with the user names of “Options” or “PluginAuth” so one way to double check if a site is compromised might be to look for any new admin accounts, especially ones with those user names.

Wordfence recommended that affected sites that use any of the five plugins to delete rogue administrator level user accounts and to run a malware scan with the Wordfence plugin and remove the malicious code.
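Both this section and the earlier “What To Do If Using A Compromised Plugin” section come down to the same check: list the administrator accounts and look for the “Options” and “PluginAuth” names, as well as any admin you do not recognize. The following is an added example of that audit (not Wordfence’s or WordPress.org’s code); the allowlist, the cutoff date and the sample accounts are constructed for the demonstration, and the core function works on plain arrays so it also runs outside WordPress.

```php
<?php
/**
 * Added example, not Wordfence's or WordPress.org's code. Audits the
 * administrator accounts of a site for the rogue names given in the
 * advisories ("Options", "PluginAuth") and for any admin not on a list the
 * site owner has reviewed. Allowlist, cutoff date and sample data below are
 * constructed for the demonstration.
 */

// Names the advisories attribute to this campaign; compared case-insensitively.
const ROGUE_ADMIN_NAMES = array( 'options', 'pluginauth' );

/**
 * Pure check on plain arrays, so it can run against an export as well as
 * against a live site.
 *
 * @param array  $admins    Each: ['user_login' => ..., 'user_registered' => 'Y-m-d H:i:s'].
 * @param array  $allowlist Logins the site owner has verified as legitimate.
 * @param string $since     Registrations on or after this date are flagged as new.
 * @return array            ['user_login' => reason] for every suspicious account.
 */
function audit_admin_accounts( array $admins, array $allowlist, string $since ) {
    $allowed  = array_map( 'strtolower', $allowlist );
    $cutoff   = strtotime( $since );
    $findings = array();

    foreach ( $admins as $a ) {
        $login = strtolower( $a['user_login'] );
        if ( in_array( $login, ROGUE_ADMIN_NAMES, true ) ) {
            $findings[ $a['user_login'] ] = 'login matches a name used by the supply chain attack';
        } elseif ( ! in_array( $login, $allowed, true ) ) {
            $findings[ $a['user_login'] ] = 'administrator not on the reviewed allowlist';
        } elseif ( strtotime( $a['user_registered'] ) >= $cutoff ) {
            // A known name registered recently still deserves a second look,
            // since an attacker can choose any login string.
            $findings[ $a['user_login'] ] = 'allowlisted but registered on or after ' . $since;
        }
    }
    return $findings;
}

// Inside WordPress: get_users() with role=administrator returns WP_User
// objects that expose the same two fields.
function audit_site_admins( array $allowlist, string $since ) {
    $admins = array();
    foreach ( get_users( array( 'role' => 'administrator' ) ) as $u ) {
        $admins[] = array(
            'user_login'      => $u->user_login,
            'user_registered' => $u->user_registered,
        );
    }
    return audit_admin_accounts( $admins, $allowlist, $since );
}

// Stand-alone run with constructed sample data when executed by plain PHP.
if ( ! function_exists( 'get_users' ) ) {
    $sample = array(
        array( 'user_login' => 'alice',      'user_registered' => '2022-03-01 09:00:00' ),
        array( 'user_login' => 'Options',    'user_registered' => '2024-06-22 03:14:00' ),
        array( 'user_login' => 'pluginauth', 'user_registered' => '2024-06-23 11:02:00' ),
        array( 'user_login' => 'bob',        'user_registered' => '2024-06-24 18:45:00' ),
    );
    // alice is clean; Options and pluginauth match the campaign names;
    // bob is allowlisted but was registered after the cutoff.
    print_r( audit_admin_accounts( $sample, array( 'alice', 'bob' ), '2024-06-21' ) );
}
```

Any account the audit flags should be reviewed rather than deleted blindly; the allowlist is only as good as the last time someone checked it.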

Someone in the comments asked if they should be worried even if they don’t use any of the five plugins:

“Do you think we need to be worried about other plug-in updates? Or was this limited to these 5 plug-ins.”

Chloe Chamberland, the Threat Intelligence Lead at Wordfence responded:

“Hi Elizabeth, at this point it appears to be isolated to just those 5 plugins so I wouldn’t worry too much about other plugin updates. However, out of extra caution, I would recommend reviewing the change-sets of any plugin updates prior to updating them on any sites you run to make sure no malicious code is present.”

Two other commenters noted that they had at least one of the rogue admin accounts on sites that didn’t use any of the five known affected plugins. At this time it’s not known if any other plugins are affected.

Read Wordfence’s advisory and explanation of what is going on:

Supply Chain Attack on WordPress.org Plugins Leads to 5 Maliciously Compromised WordPress Plugins

Read the official WordPress.org announcement:

Keeping Your Plugin Committer Accounts Secure


Getting your hosting into shape and why you need to update unsupported versions of PHP

In this post, we’ll explain why Yoast SEO and our add-ons warn people whose website runs on an older, unsupported, version of PHP to upgrade their PHP version. We’re doing this mainly to improve the security and speed of those websites. To continue doing so, we will no longer support PHP versions 7.2 and 7.3 from November 1st, 2024. Read on to find out why.

PHP? Hosting? What does it all mean?

WordPress (like Yoast SEO) is built in large part in a programming language called PHP. This language, like WordPress itself, has gradually improved over time. Web developers worldwide are enjoying the features that newer versions of PHP have brought. More importantly, everyone benefits from the increased security these new versions bring. Unfortunately, WordPress developers do not get to join in.

Right now, the minimum PHP required for WordPress is PHP version 7.0. But they recommend using PHP version 7.4 or higher. Compared to WordPress, PHP has a rather aggressive update path. PHP 8.1 will receive security support for another year and a half, but anything older than that will not. As they mention on their website, any release older than that should be upgraded as soon as possible as they may be exposed to unpatched security vulnerabilities.

Why do we care about this?

At Yoast we care about a lot of things, but two things in particular are important in this regard: user happiness and developer happiness. A user is happy when they have a fast, easy-to-install, secure content management system like WordPress to build a site in. A developer is happy when they can use a modern language and tooling to build software.

Security

The most important reason for us to want to increase the minimum requirement is security: older PHP versions, while still actively in use on millions of sites, no longer get security updates.

This security concern is not a theoretical concern. We have seen time and time again that the number one reason sites get hacked is because of outdated software. WordPress has automatic updates for security updates built-in for exactly this reason. Why would we push people to update WordPress and its plugins regularly, but let the PHP version fall behind?

Speed

Another big issue is speed. WordPress is sometimes said to be slow, but it doesn’t have to be slow at all. If it’s running on an old version of PHP, however, it most certainly is. This will lose you site visitors and it’s also an important factor in your SEO, so make sure to take this seriously.

Modern programming language

PHP 7.3, which was released in 2018, is no longer a modern language. This makes developers unhappy because they’re missing many great features that a lot of the more recent programming languages have.

This can cause more developers to turn their back on WordPress because it’s moving too slowly. Developing themes or plugins for WordPress, where an old PHP version is required, is a hassle and thus not as much fun. Over time, losing developers can mean missing out on great contributions and other products moving faster, and WordPress will lose market share.

Enhancing performance and security

By supporting only PHP 7.4 and higher, Yoast SEO can implement more modern coding practices, which significantly improve your website’s performance. Faster, more efficient code not only boosts SEO but also contributes to a better user experience and reduces server load, thereby conserving energy.

The update also sets the stage for future developments, including our readiness for the upcoming PHP versions. Staying ahead of technology curves ensures that we can always offer the most up-to-date features without compromising on stability.

What is Yoast going to do?

As we said, the minimum PHP required for WordPress is PHP version 7.0 and they recommend using 7.4 or higher. Yoast will drop support for PHP versions 7.2 and 7.3 from November 2024. Our commitment to providing you with the best possible service means ensuring our software utilizes the most advanced and secure technology available. The phasing out of older PHP versions, much like our earlier updates, will allow us to leverage newer features that enhance plugin performance and site security.

As per WordPress’s official statistics, about 8% of WordPress installations still operate on PHP 7.2 and 7.3. Our data shows an even smaller percentage among our user base. We believe this transition will affect only a minimal number of users but is vital for maintaining high standards of quality and security.

Updating your PHP version

If you’re uncertain about how to upgrade your PHP version, don’t worry—we’ve got you covered. Visit our comprehensive guide on how to update your PHP, complete with resources for numerous hosting services. If your host is not listed, we’ll provide you with a template email to send to your hosting provider, requesting the update.

A huge thank you to all who have already upgraded their PHP versions in anticipation of this change. We are thrilled to journey with you towards a more secure, efficient, and robust web environment. Stay tuned for more updates as we will continue to enhance Yoast SEO to serve you better.


New Bluehost Agency Partner Program For WordPress Agencies via @sejournal, @martinibuster

Bluehost announced a partner program that’s expressly designed to support WordPress agencies and freelancers that service small-to-medium size businesses (SMBs). The program offers revenue generating opportunities in the form of commissions, exclusive discounts, priority customer service, and other benefits that will help agencies grow their client base and earn more revenue.

Focus On WordPress Websites

Bluehost is an active member of the WordPress community, which includes helping to develop the WordPress core itself by directly sponsoring six WordPress core contributors. Bluehost is well-positioned to offer agencies the products, community, service and revenue generating opportunities that align with the goals of WordPress-based development agencies and freelancers that service SMBs.

A key element of the Agency Partner Program is Bluehost Cloud, a managed WordPress hosting platform that provides a 100% uptime SLA. Bluehost managed WordPress Cloud is designed as a secure high performance solution, which makes it ideal for freelancers and agencies that depend on performant hosting.

Exclusive Benefits for Partner Agencies

Acceptance into the program grants agencies early access to Bluehost’s referral program (commissions), product discounts, learning webinars, access to priority customer support, and membership in an exclusive LinkedIn network.

According to the Bluehost announcement:

“By partnering with Bluehost, agencies can now provide their clients with the highest quality customer service, WordPress expertise and some of the most comprehensive hosting products, including Bluehost Cloud, Yoast SEO and eCommerce plug-ins.”

The Bluehost Agency Partner Program offers the resources for WordPress agencies and freelancers to level up their service offerings, generate new revenue streams, and the resources to deliver superior results for their clients. It’s a win-win partnership that may be worth looking into.

Visit the Bluehost Partner Program page:

Early Applications: Introducing the Bluehost Agency Partner Program.

Read the official announcement here:

Bluehost Unlocks New Opportunities For WordPress Agencies


Vulnerabilities In WooCommerce And Dokan Pro Plugins via @sejournal, @martinibuster

WooCommerce published an advisory about an XSS vulnerability while Wordfence simultaneously advised about a critical vulnerability in a WooCommerce plugin named Dokan Pro. The advisory about Dokan Pro warned that a SQL Injection vulnerability allows unauthenticated attackers to extract sensitive information from a website database.

Dokan Pro WordPress Plugin

The Dokan Pro plugin allows users to transform their WooCommerce website into a multi-vendor marketplace similar to sites like Amazon and Etsy. It currently has over 50,000 installations. Plugin versions up to and including 3.10.3 are vulnerable.

According to WordFence, version 3.11.0 represents the fully patched and safest version.

WordPress.org lists the current number of plugin installations of the lite version at over 50,000 and a total all-time number of installations of over 3 million. As of this moment only 30.6% of installations were using the most up to date version, 3.11 which may mean that 69.4% of all Dokan Pro plugins are vulnerable.

Screenshot Of Dokan Plugin Download Statistics

Changelog Doesn’t Show Vulnerability Patch

The changelog is what tells users of a plugin what’s contained in an update. Most plugin and theme makers publish a clear notice when an update contains a vulnerability patch. According to Wordfence, the vulnerability affects versions up to and including version 3.10.3. But the changelog entry for version 3.10.4, released Apr 25, 2024 (which is supposed to be patched), does not mention a patch. It’s possible that the publisher of Dokan Pro and Dokan Lite didn’t want to alert hackers to the critical vulnerability.

Screenshot Of Dokan Pro Changelog

CVSS Score 10

The Common Vulnerability Scoring System (CVSS) is an open standard for assigning a score that represents the severity of a vulnerability. The severity score is based on how exploitable it is, the impact of it, plus supplemental metrics such as safety and urgency which together add up to a total score from least severe (1) to the highest severity (10).

The Dokan Pro plugin received a CVSS score of 10, the highest level severity, which means that any users of the plugin are recommended to take immediate action.

Screenshot Of Dokan Pro Vulnerability Severity Score

Description Of Vulnerability

Dokan Pro was found to contain an Unauthenticated SQL Injection vulnerability. There are authenticated and unauthenticated vulnerabilities. Unauthenticated means that an attacker does not need to acquire user credentials in order to launch an attack. Between the two kinds of vulnerabilities, unauthenticated is the worst case scenario.

A WordPress SQL Injection vulnerability is one in which a plugin or theme allows an attacker to manipulate the database. The database is the heart of every WordPress website: it is where every password, login name, post, theme setting and piece of plugin data is stored. A vulnerability that allows anyone to manipulate the database is considerably severe – this is really bad.

This is how Wordfence describes it:

“The Dokan Pro plugin for WordPress is vulnerable to SQL Injection via the ‘code’ parameter in all versions up to, and including, 3.10.3 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query. This makes it possible for unauthenticated attackers to append additional SQL queries into already existing queries that can be used to extract sensitive information from the database.”
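Wordfence’s description, “insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query”, describes a specific coding pattern. The following is an added example (not Dokan Pro’s own code) of that pattern next to its prepared form, exposed through a public endpoint as in the unauthenticated scenario the advisory describes; the table name, the REST route and the `demo_` prefix are hypothetical.

```php
<?php
/**
 * Added example, not Dokan Pro's own code. Shows the flaw class Wordfence
 * describes (a user-supplied "code" value concatenated into a query) next
 * to the prepared form. The table "{$wpdb->prefix}demo_coupons", the REST
 * route and the "demo_" prefix are hypothetical; assumes it runs inside
 * WordPress.
 */

// Shape of the flaw: the parameter reaches the SQL string without escaping
// or preparation, so any quotes and keywords in it become part of the query
// instead of part of the value being compared.
function demo_lookup_code_unsafe( $code ) {
    global $wpdb;
    $sql = "SELECT id, discount FROM {$wpdb->prefix}demo_coupons WHERE code = '" . $code . "'";
    return $wpdb->get_row( $sql );
}

// Hardened form: $wpdb->prepare() binds the value through a %s placeholder,
// so the database receives it as a literal string and never parses it as
// SQL. Validation on top narrows the input to the shape a real code has.
function demo_lookup_code( $code ) {
    global $wpdb;
    $code = (string) $code;
    if ( strlen( $code ) > 32 || ! preg_match( '/^[A-Za-z0-9_-]+$/', $code ) ) {
        return null; // reject unexpected input rather than trying to clean it
    }
    $sql = $wpdb->prepare(
        "SELECT id, discount FROM {$wpdb->prefix}demo_coupons WHERE code = %s",
        $code
    );
    return $wpdb->get_row( $sql );
}

// Unauthenticated endpoint, the advisory's scenario: the input comes straight
// from the network, so the prepared query and the validation above are the
// only things between the request and the database.
add_action( 'rest_api_init', function () {
    register_rest_route( 'demo/v1', '/coupon', array(
        'methods'             => 'GET',
        'permission_callback' => '__return_true', // public by design
        'args'                => array(
            'code' => array( 'required' => true, 'type' => 'string' ),
        ),
        'callback'            => function ( WP_REST_Request $req ) {
            $row = demo_lookup_code( $req->get_param( 'code' ) );
            if ( ! $row ) {
                return new WP_Error( 'not_found', 'Unknown code', array( 'status' => 404 ) );
            }
            // Return only the field the caller needs, never whole rows.
            return array( 'discount' => (float) $row->discount );
        },
    ) );
} );
```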

Recommended Action For Dokan Pro Users

Users of the Dokan Pro plugin are recommended to update their sites as soon as possible. It’s always prudent to test updates before they’re pushed live to a website, but due to the severity of this vulnerability, users should consider expediting this update.

WooCommerce published an advisory of a vulnerability that affects versions 8.8.0 and higher. The vulnerability is rated 5.4, which is a medium level threat, and only affects users who have the Order Attribute feature enabled. Nevertheless, WooCommerce “strongly” recommends that users update as soon as possible to the most current version (as of this writing), WooCommerce 8.9.3.

WooCommerce Cross Site Scripting (XSS) Vulnerability

The type of vulnerability that affects WooCommerce is called Cross Site Scripting (XSS) which is a type of vulnerability that depends on a user (like a WooCommerce store admin) to click a link.

According to WooCommerce:

“This vulnerability could allow for cross-site scripting, a type of attack in which a bad actor manipulates a link to include malicious content (via code such as JavaScript) on a page. This could affect anyone who clicks on the link, including a customer, the merchant, or a store admin.

…We are not aware of any exploits of this vulnerability. The issue was originally found through Automattic’s proactive security research program with HackerOne. Our support teams have received no reports of it being exploited and our engineering team analyses did not reveal it had been exploited.”
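The pattern behind the kind of link-based cross-site scripting WooCommerce describes is a value taken from the URL and printed into a page unescaped; the fix is context-appropriate output escaping. This is an added illustrative example, not WooCommerce's code; the `attr_filter` parameter, page slug and function names are assumptions.

```php
<?php
// Added illustrative example (not WooCommerce's code). The attr_filter
// parameter, the page slug and the render_filter_* names are assumptions.

// VULNERABLE: the raw query-string value is written straight into the HTML,
// so a crafted link can place markup or script in the viewer's browser
// (the viewer being whoever clicks the link, customer or store admin).
function render_filter_unsafe() {
    $filter = isset( $_GET['attr_filter'] ) ? $_GET['attr_filter'] : '';
    echo '<input type="text" name="attr_filter" value="' . $filter . '">';
    echo '<p>Showing results for ' . $filter . '</p>';
}

// HARDENED: pick the escaping function for the context the value lands in.
function render_filter_safe() {
    $filter = isset( $_GET['attr_filter'] )
        ? sanitize_text_field( wp_unslash( $_GET['attr_filter'] ) )
        : '';

    // HTML attribute context
    echo '<input type="text" name="attr_filter" value="' . esc_attr( $filter ) . '">';

    // HTML body (text) context
    echo '<p>Showing results for ' . esc_html( $filter ) . '</p>';

    // URL context: rebuild the link with add_query_arg() and escape the result
    $link = add_query_arg(
        'attr_filter',
        $filter,
        admin_url( 'admin.php?page=example-orders' ) // assumed page slug
    );
    echo '<a href="' . esc_url( $link ) . '">Share this view</a>';
}
```

The sanitize-on-input step alone is not sufficient; a value that is harmless as text can still break out of an attribute or a URL, which is why the output escaping is chosen per context.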

Should Web Hosts Be More Proactive?

Web developer and search marketing expert Adam J. Humphreys, of Making 8, Inc. (LinkedIn profile), feels that web hosts should be more proactive about patching critical vulnerabilities, even though that may cause some sites to lose functionality if there’s a conflict with some other plugin or theme in use.

Adam observed:

“The deeper issue is the fact that WordPress remains without auto updates and a constant vulnerability which is the illusion their sites are safe. Most core updates are not performed by hosts and almost every single host doesn’t perform any plugin updates even if they do them until a core update is performed. Then there is the fact most premium plugin updates will often not perform automatically. Many of which contain critical security patches.”

I asked if he meant a push update, where an update is forced onto a website.

“Correct, many hosts will not perform updates until a WordPress core update. Softaculous engineers confirmed this for me. WPEngine which claims fully managed updates doesn’t do it on the frequency to patch in a timely fashion for said plugins. WordPress without ongoing management is a vulnerability and yet half of all websites are made with it. This is an oversight by WordPress that should be addressed, in my opinion.”

Read more at Wordfence:

Dokan Pro <= 3.10.3 – Unauthenticated SQL Injection

Read the official WooCommerce vulnerability documentation:

WooCommerce Updated to Address Cross-site Scripting Vulnerability

Featured Image by Shutterstock/New Africa

Bluehost Launches AI WordPress Website Creator via @sejournal, @martinibuster

Bluehost launched an AI Website Creator that enables users to quickly create professional websites, an evolution of the click and build website builder that makes it easy for anyone to create a WordPress website and benefit from the power and freedom of the open source community.

The importance of what this means for businesses and agencies cannot be overstated because it allows agencies to scale WordPress site creation and puts the ability to create professional WordPress sites within reach of virtually everyone.

Point And Click Website Creation

Bluehost offers an easy website building experience that combines the ease of point and click site creation with the freedom of the WordPress open source content management system. The heart of this system is called WonderSuite.

WonderSuite comprises multiple components, such as a user interface that walks a user through the site creation process with a series of questions. There is also a library of patterns and templates, and an easy to configure shopping cart: essentially all the building blocks for creating a site and doing business online quickly and easily.

The new AI Website Creator functionality is the newest addition to the WonderSuite site builder.

AI Website Builder

An AI website builder is the natural evolution of the point and click site creation process. Rather than moving a cursor around on a screen, the new way to build a website is with an AI that acts as a designer and responds to a user’s website needs.

The AI asks questions and starts building the website using open source WordPress components and plugins. Fonts, professional color schemes, and plugins are all installed as needed, completely automatically. Users can also save custom generated options for future use which should be helpful for agencies that need to scale client website creation.

Ed Jay, President of Newfold Digital, the parent company of Bluehost, commented:

“Efficiency and ease are what WordPress entrepreneurs and professionals need and our team at Bluehost is dedicated to deliver these essentials to all WordPress users across the globe. With AI Website Creator, any user can rely on the Bluehost AI engine to create their personalized website in just minutes. After answering a few simple questions, our AI algorithm leverages our industry leading WordPress experience, features and technology, including all aspects of WonderSuite, to anticipate the website’s needs and ensure high quality outcomes.

The AI Website Creator presents users with multiple fully functional, tailored and customizable website options that provide a powerful but flexible path forward. It even generates images and content aligned with the user’s brief input, expediting the website off the ground and ready for launch.”

Future Of Website Creation

Bluehost’s innovative AI site creator represents the future of how businesses get online and how entrepreneurs who service clients can streamline site creation and scale their business with WordPress.

Read more about Bluehost’s new AI Website Creator:

WordPress made wonderful with AI

Featured Image by Shutterstock/Simple Line

Automattic For Agencies: A New Way To Monetize WordPress via @sejournal, @martinibuster

Automattic, the company behind WordPress.com, Jetpack, WooCommerce and more, has announced a new program to woo agencies into its ecosystem of products with more ways to earn revenue.

This new program could be seen as putting Automattic into direct competition with closed source systems like Wix and Duda but there are clear differences between all three products and services.

Automattic For Agencies

Automattic for Agencies brings together multiple Automattic products into a single service with a dashboard for managing multiple client sites and billing. The program offers a unified location for managing client sites as well as discounted pricing and revenue sharing opportunities. Aside from the benefits of streamlining, the program also offers technical support across all of the Automattic products that are a part of the program. Lastly, the program offers agencies managed security and performance improvements.

According to the announcement:

“We worry about site performance and security so you don’t have to. When you connect your sites to the Automattic for Agencies dashboard, you’ll receive instant notifications about updates and alerts, so your sites stay problem-free and your clients stay happy.”

Revenue Share And Discounts

Agencies can now earn a revenue share of the Automattic products used by clients. For example, agencies can earn a 50% revenue share on Jetpack product referrals, including renewals. As part of the program, Jetpack also offers discounts on licenses, starting at 10% off for five licenses and rising to as high as 50% off for 100 licenses.

As part of the new program there are similar benefits for agencies that build or manage WooCommerce sites, with discounted agency pricing and a referral program.

WordPress.com, the managed WordPress hosting subsidiary of Automattic, is offering a 20% revenue share on new subscriptions and a 50% share on migrations from other hosts.

A tweet from WordPress.com described the new program:

“Agencies, we’ve got some news for you!

Our new referral program is live, and as a referrer of http://WordPress.com’s services, your agency will receive a 20% revenue share on new subscriptions and 50% on new migrations to http://WordPress.com from other hosting providers.”

New Directory For Agencies

A forthcoming benefit of the Automattic For Agencies program is a business directory that lists agencies that are a part of the program. The benefit of the directory is presumably that it may lead to business referrals to the agencies.

The Jetpack announcement describes the new directory:

“Gain heightened visibility through multiple directory listings across Automattic’s business units. This increased exposure creates more opportunities for potential clients to find and engage with your services, helping you grow your agency’s reach and reputation.”

The WooCommerce announcement describes the directory like this:

“Expand your reach
Increase your visibility with partner directory listings across multiple Automattic brands.”

Automattic Affiliate Program

The Automattic for Agencies announcement follows the rollout of a separate affiliate program which offers up to a 100% referral bonus for affiliates who refer new hosting clients, with a limit of $300 payout per item, and up to a 50% referral bonus for Jetpack plugin subscriptions. The program has a 30-day cookie conversion period, which gives affiliates the opportunity to earn referral bonuses on any additional sales within that 30-day period.

Read more about the new program:

Live the Suite Life With Automattic For Agencies

Featured Image by Shutterstock/Volodymyr TVERDOKHLIB