WordPress SiteOrigin Widgets Bundle Plugin Vulnerability Affects +600,000 Sites via @sejournal, @martinibuster

SiteOrigin Widgets Bundle WordPress plugin with over 600,000 installations patched an authenticated stored cross-site scripting (XSS) vulnerability that could allow attackers to upload arbitrary files and expose site visitors to malicious scripts.

SiteOrigin Widgets Bundle Plugin

The SiteOrigins Widgets plugin, with +600,000 active installations, provides a way to easily add a multitude of widget functions like sliders, carousels, maps, change the way blog posts are displayed, and other useful webpage elements.

Stored Cross-Site Scripting Vulnerability

A Cross-Site Scripting (XSS) vulnerability is a flaw allows a hacker to inject (upload) malicious scripts. In WordPress plugins, these kinds of vulnerabilities arise from flaws in how data that’s input is not properly sanitized (filtered for untrusted data) and also from improperly securing output data (called escaping data).

This particular XSS vulnerability is called a Stored XSS because the attacker is able to inject the malicious code to the server.  According to the non-profit Open Worldwide Application Security Project (OWASP), the ability to launch an attack directly from the website makes it particularly concerning.

OWASP describes the stored XSS threat:

“This type of exploit, known as Stored XSS, is particularly insidious because the indirection caused by the data store makes it more difficult to identify the threat and increases the possibility that the attack will affect multiple users. “

In an XSS attack, where a script has successfully been injected, the attacker sends a harmful script to an unsuspecting site visitor. The user’s browser, because it trusts the website, executes the file. This can allow the attacker to access cookies, session tokens, and other sensitive website data.

Vulnerability Description

The vulnerability arose because of flaws in sanitizing inputs and escaping data.

The WordPress developer page for security explains sanitization:

“Sanitizing input is the process of securing/cleaning/filtering input data. Validation is preferred over sanitization because validation is more specific. But when “more specific” isn’t possible, sanitization is the next best thing.”

Escaping data in a WordPress plugin is a security function that filters out unwanted output.

Both of those functions needed improvement in the SiteOrigins Widgets Bundle plugin.

Wordfence described the vulnerability:

“The SiteOrigin Widgets Bundle plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the onclick parameter in all versions up to, and including, 1.58.3 due to insufficient input sanitization and output escaping.”

This vulnerability requires authentication before it can be executed, which means the attacker needs at least a contributor level access in order to be able to launch an attack.

Recommended action:

The vulnerability was assigned a medium CVSS severity level, scoring 6.4/10. Plugin users should consider updating to the latest version, which is version 1.58.5, although the vulnerability was patched in version 1.58.4.

Read the Wordfence vulnerability advisory:

SiteOrigin Widgets Bundle <= 1.58.3 – Authenticated (Contributor+) Stored Cross-Site Scripting

WordPress Website Builder Vulnerability Affects Nearly 1 Million Websites via @sejournal, @martinibuster

A significant vulnerability has been patched in the Website Builder by SeedProd that has over 900,000 installations. This vulnerability, present in versions up to and including 6.15.21, poses a risk for unauthorized data modification on WordPress sites.

Vulnerability Details: Missing Capability Check

The vulnerability that was discovered is called a missing capability check within the ‘seedprod_lite_new_lpage’ function.

Capabilities are specific actions that users or roles are allowed to perform. A capability check is an important security feature in WordPress for managing permissions and access controls. They determine if a user has the authority to perform specific action.

It’s similar to a role check in that a role check verifies the user’s role (like administrator, editor, etc.), while a capability check verifies whether the user has specific permissions. A capability check provides a more granular control over permissions compared to a role check.

The missing capability check allows unauthenticated attackers to potentially modify the content of various pages created using the plugin, such as coming-soon or maintenance pages. The absence of this security feature exposes websites to risks of data tampering.

Unauthorized Data Modification

Unauthorized modification of data is a serious security issue. It arises from a flaw where unauthorized individuals can alter data, leading to potential exploits. Addressing this kind of vulnerability in the Website Builder plugin is highly recommended.

Severity and Impact: High-Risk Exposure

The vulnerability is rated 8.2 out of a scale of 1- 10, with a severity rating classified as ‘High’ according to the Common Vulnerability Scoring System (CVSS). The high rating indicates how serious the potential impact is.

This vulnerability is so new that there is currently no entry in the National Vulnerability Database for the assigned CVE number CVE-2024-1072.

However, Wordfence WordPress security researchers emphasized the seriousness of the Website Builder by SeedProd vulnerability:

“This makes it possible for unauthenticated attackers to change the contents of coming-soon, maintenance pages, login and 404 pages set up with the plugin.”

Recommendation For Website Builder Plugin Users

The publisher of the Website Builder by SeedProd has responded by releasing an updated version, 6.15.22, which addresses this vulnerability. The update includes a security nonce to mitigate the risk, and users of the plugin are strongly advised to update immediately to secure their website against attacks.

Regarding the nonce, WordPress explains what it is:

A nonce is a “number used once” to help protect URLs and forms from certain types of misuse, malicious or otherwise.

…They help protect against several types of attacks…”

Read the announcement by Wordfence:

Website Builder by SeedProd — Theme Builder, Landing Page Builder, Coming Soon Page, Maintenance Mode <= 6.15.21 – Missing Authorization via seedprod_lite_new_lpag

Read the official SeedProd Changelog

Featured Image by Shutterstock/Nikulina Tatiana

WordPress 6.4.3 Security Release Fixes Two Vulnerabilities via @sejournal, @martinibuster

WordPress announced a security release version 6.4.3 as a response to two vulnerabilities discovered in WordPress plus 21 bug fixes.

PHP File Upload Bypass

The first patch is for a PHP File Upload Bypass Via Plugin Installer vulnerability. It’s a flaw in WordPress that allows an attacker to upload PHP files via the plugin and theme uploader. PHP is a scripting language that is used to generate HTML. PHP files can also be used to inject malware into a website.

However, this vulnerability is not as bad as it sounds because the attacker needs administrator level permissions in order to execute this attack.

PHP Object Injection Vulnerability

According to WordPress the second patch is for a Remote Code Execution POP Chains vulnerability which could allow an attacker to remotely execute code.

An RCE POP Chains vulnerability typically means that there’s a flaw that allows an attacker, typically through manipulating input that the WordPress site deserializes, to execute arbitrary code on the server.

Deserialization is the process where data is converted into a serialized format (like a text string) deserialization is the part when it’s converted back into its original form.

Wordfence describes this vulnerability as a PHP Object Injection vulnerability and doesn’t mention the RCE POP Chains part.

This is how Wordfence describes the second WordPress vulnerability:

“The second patch addresses the way that options are stored – it first sanitizes them before checking the data type of the option – arrays and objects are serialized, as well as already serialized data, which is serialized again. While this already happens when options are updated, it was not performed during site installation, initialization, or upgrade.”

This is also a low threat vulnerability in that an attacker would need administrator level permissions to launch a successful attack.

Nevertheless, the official WordPress announcement of the security and maintenance release recommends updating the WordPress installation:

“Because this is a security release, it is recommended that you update your sites immediately. Backports are also available for other major WordPress releases, 4.1 and later.”

Bug Fixes In WordPress Core

This release also fixes five bugs in the WordPress core:

1. Text isn’t highlighted when editing a page in latest Chrome Dev and Canary
2. Update default PHP version used in local Docker Environment for older branches
3. wp-login.php: login messages/errors
4. Deprecated print_emoji_styles produced during embed
5. Attachment pages are only disabled for users that are logged in

In addition to the above five fixes to the Core there are an additional 16 bug fixes to the Block Editor.

Read the official WordPress Security and Maintenance Release announcement

WordPress descriptions of each of the 21 bug fixes

The Wordfence description of the vulnerabilities:

The WordPress 6.4.3 Security Update – What You Need to Know

Featured Image by Shutterstock/Roman Samborskyi

Better Search Replace WordPress Vulnerability Affects Up To +1 Million Sites via @sejournal, @martinibuster

A critical severity vulnerability was discovered and patched in the Better Search Replace plugin for WordPress which has over 1 million active website installs. Successful attacks could lead to arbitrary file deletions, sensitive data retrieval and code execution.

Severity Level Of Vulnerability

The severity of vulnerabilities are scored on a point system with ratings described as ranging from low to critical:

• Low 0.1-3.9
• Medium 4.0-6.9
• High 7.0-8.9
• Critical 9.0-10.0

The severity of the vulnerability discovered in the Better Search Replace plugin is rated as Critical, which is the highest level, with a score of 9.8 on the severity scale of 1-10.

Illustration by Wordfence

Better Search Replace WordPress Plugin

The plugin is developed by WP Engine but it was originally created by the Delicious Brains development company that was acquired by WP Engine. Better Search Replace is a poplar WordPress tool that simplifies and automates the process of running a search and replace task on a WordPress website database, which is useful in a site or server migration task. The plugin comes in a free and paid Pro version.

The plugin website lists the following features of the free version:

• “Serialization support for all tables
• The ability to select specific tables
• The ability to run a “dry run” to see how many fields will be updated
• No server requirements aside from a running installation of WordPress
• WordPress Multisite support”

The paid Pro version has additional features such as the ability to track what was changed, ability to backup and import the database while the plugin is running, and extended support.

The plugin’s popularity is due to the ease of use, usefulness and a history of being a trustworthy plugin.

PHP Object Injection Vulnerability

A PHP Object Injection vulnerability, in the context of WordPress, occurs when a user-supplied input is unsafely unserialized. Unserialization is a process where string representations of objects are converted back into PHP objects.

The non-profit Open Worldwide Application Security Project (OWASP) offers a general description of the PHP Object Injection vulnerability:

“PHP Object Injection is an application level vulnerability that could allow an attacker to perform different kinds of malicious attacks, such as Code Injection, SQL Injection, Path Traversal and Application Denial of Service, depending on the context.

The vulnerability occurs when user-supplied input is not properly sanitized before being passed to the unserialize() PHP function. Since PHP allows object serialization, attackers could pass ad-hoc serialized strings to a vulnerable unserialize() call, resulting in an arbitrary PHP object(s) injection into the application scope.

In order to successfully exploit a PHP Object Injection vulnerability two conditions must be met:

• The application must have a class which implements a PHP magic method (such as __wakeup or __destruct) that can be used to carry out malicious attacks, or to start a ‘POP chain’.
• All of the classes used during the attack must be declared when the vulnerable unserialize() is being called, otherwise object autoloading must be supported for such classes.”

If an attacker can upload (inject) an input to include a serialized object of their choosing, they can potentially execute arbitrary code or compromise the website’s security. As mentioned above, this type of vulnerability usually arises due to inadequate sanitization of user inputs. Sanitization is a standard process of vetting input data so that only expected types of input are allowed and unsafe inputs are rejected and blocked.

In the case of the Better Search Replace plugin, the vulnerability was exposed in the way it handled deserialization during search and replace operations. A critical security feature missing in this scenario was a POP chain – a series of linked classes and functions that an attacker can use to trigger malicious actions when an object is unserialized.

While the Better Search Replace plugin did not contain such a chain, but the risk remained that if another plugin or theme installed on the same website contained a POP chain that it could then allow an attacker to launch attacks.

Wordfence describes the vulnerability:

“The Better Search Replace plugin for WordPress is vulnerable to PHP Object Injection in all versions up to, and including, 1.4.4 via deserialization of untrusted input.
This makes it possible for unauthenticated attackers to inject a PHP Object.

No POP chain is present in the vulnerable plugin. If a POP chain is present via an additional plugin or theme installed on the target system, it could allow the attacker to delete arbitrary files, retrieve sensitive data, or execute code.”

In response to this discovery, WP Engine promptly addressed the issue. The changelog entry for the update to version 1.4.5, released on January 18, 2024, highlights the measures taken:

“Security: Unserializing an object during search and replace operations now passes ‘allowed_classes’ => false to avoid instantiating the object and potentially running malicious code stored in the database.”

This update came after Wordfence’s responsible disclosure of the vulnerability on December 18, 2023, which was followed by WP Engine’s development and testing of the fix.

What To Do In Response

Users of the Better Search Replace plugin are urged to update to the latest version immediately to protect their websites from unwanted activities.

WordPress Releases Two Plugins For Speeding Up Webpages via @sejournal, @martinibuster

The WordPress Core Performance Team released two plugins that speed up webpages with new technologies that pre-render URLs before a user clicks on a link and speeds up lazy-loaded images.

WordPress Core Performance Team

The WordPress Core Performance Team is responsible for coordinating with the different WordPress core development teams for the purpose of improving performance and also to work on projects that directly impact improving core WordPress performance.

The initial plan for the Performance Team consisted of:

• lead the working groups formation
• coordinate the initial administrative tasks (slack channel, weekly meetings, schedule working groups representative nominations, etc.)
• create a mission statement for the team
• coordinate the areas to tackle
• outline the scope and the roadmap

WordPress Performance Plugins

Some of the performance improvements to WordPress are first tested in plugins before they are subsequently integrated into a future version of WordPress.

Users who download the plugins are able to be the first in the world to use and benefit from the webpage speed improvements and it is expected (hoped) that those who are using the plugins will also provide feedback on their experiences, both positive and negative.

The first and most popular plugin released by the Performance Team is the Performance Lab plugin that features five modules that can be turned on or off depending on user needs.

The current modules of the Performance Lab plugin are:

• Dominant Color Images:
  Adds support to store the dominant color of newly uploaded images and create a placeholder background of that color.
• WebP Support Health Check:
  Adds a WebP support check in Site Health status.
• WebP Uploads:
  Creates WebP versions for new JPEG image uploads if supported by the server.
• Enqueued Assets Health Check:
  Adds a CSS and JS resource check in Site Health status.
• Autoloaded Options Health Check:
  Adds a check for autoloaded options in Site Health status

Two New Performance Plugins

The two brand new plugins that were announced today are:

1. Auto-sizes for Lazy-loaded Images
2. Speculation Rules

The two plugins improve performance in two different ways which means that they can both be used to gain the most amount of improvements.

New WordPress Auto-Sizes Plugin

Lazy-loading is a performance optimization technique that defers (pauses) the loading of non-critical images to improve page loading times. Images that are necessary for rendering the visible part of the webpage are loaded first while the ones that are not necessary are deferred until the user scrolls and the images are needed.

What this plugin does is integrates a new lazy loading HTML attribute called sizes=”auto” that sets the “sizes” attribute to “auto” for lazy-loaded images using ‘srcset’ and speeds up the downloading for images that will be needed when the user scrolls down the page.

The sizes=”auto” attribute for images is a part of the responsive images specification in HTML, but it is not specifically related to lazy-loading. Instead, the sizes attribute is used with srcset to provide the browser with the image size dimensions needed to display the image at different viewport sizes. The browser is then able to select the most appropriate image source from the srcset.

New WordPress Speculation Rules Plugin

The Speculation Rules plugin leverages the Speculation Rules API in order to download the resources of webpages that a user is likely to request. The Speculation Rules plugin essentially predicts that a page will be requested and will begin pre-rendering the webpage before a user clicks a link.

The official plugin description explains:

“Uses the Speculation Rules API to prerender linked URLs upon hover by default.”

The Speculation Rules API is a feature designed to improve the performance of web browsing by allowing web pages to provide hints to the browser about potential links that a user might click to navigate to a different webpage. The browser can then prefetch or pre-render resources based on the likelihood of a site visitor clicking a link to navigate to a new webpage.

The Mozilla developer page for the Speculation Rules API explains:

“The Speculation Rules API is designed to improve performance for future navigations. It targets document URLs rather than specific resource files, and so makes sense for multi-page applications (MPAs) rather than single-page applications (SPAs).

The Speculation Rules API provides an alternative to the widely-available feature and is designed to supersede the Chrome-only deprecated feature. It provides many improvements over these technologies, along with a more expressive, configurable syntax for specifying which documents should be prefetched or prerendered.”

The plugin implementation requires the use of at least Chrome 121. Users that visit a site while using a different browser that does not support the Speculation Rules API won’t be affected in any way, the webpage will render as it normally would.

According to the plugin documentation:

“By default, the plugin is configured to prerender WordPress frontend URLs when the user hovers over a relevant link. This can be customized via the “Speculation Rules” section under Settings > Reading.

A filter can be used to exclude certain URL paths from being eligible for prefetching and prerendering (see FAQ section). Alternatively, you can add the ‘no-prerender’ CSS class to any link ( tag) that should not be prerendered.”

Read more about the new WordPress performance plugins and download them here:

WordPress Auto-sizes for Lazy-loaded Images Plugin

WordPress Speculation Rules Plugin

Featured Image by Shutterstock/Haali

WordPress File Manager Plugin Vulnerability Affects +1 Million Websites via @sejournal, @martinibuster

A significant security vulnerability has been identified and patched in the widely used File Manager plugin for WordPress, affecting over 1 million websites. The vulnerability is rated 8.1 out of 10 in severity and could potentially allow unauthenticated attackers to gain access to sensitive information including data contained in site backups.

Unauthenticated Attack Vulnerabilities

What makes this vulnerability a high concern is the fact that a hacker does not need login credentials in order to launch an attack, which is what is meant by the term unauthenticated.

In the context of a WordPress plugin vulnerability, an attacker can gain access to sensitive information without needing to log in or authenticate their identity. This kind of attack exploits a security gap the File Manager plugin referred to as Use of Insufficiently Random Values.

The Common Weakness Enumeration security website describes this kind of vulnerability:

“The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers.

When product generates predictable values in a context requiring unpredictability, it may be possible for an attacker to guess the next value that will be generated, and use this guess to impersonate another user or access sensitive information.”

This category of vulnerability is due to a weakness in the File Manager plugin’s backup filename generation algorithm. The algorithm combines a timestamp with a four-digit random number but that amount of randomization is not random enough to keep an attacker from successfully guessing the file names and as a consequence enables attackers to gain access to backup files in configurations where there is no .htaccess file to block access.

Use of Insufficiently Random Values Vulnerability

The Use of Insufficiently Random Values vulnerability type is a flaw in the plugin that relies on generating random and unpredictable file numbers in order to prevent attackers from guessing what a backup file name is. The plugins lack of randomization allows an attacker to figure out the file names and gain access to sensitive information.

Vulnerable Versions Of The Plugin

The security vulnerability is found in all versions up to and including 7.2.1 and was patched in the latest update of the plugin, with the release of version 7.2.2.

The update, as noted in the File Manager WordPress Plugin Changelog Documentation, includes a fix for the security issue. Users of the plugin are strongly advised to consider updating to this latest version to protect their websites from potential exploits.

Read the Wordfence advisory for more information:

File Manager <= 7.2.1 – Sensitive Information Exposure via Backup Filenames

Featured Image by Shutterstock/Perfect_kebab

ACF WordPress Plugin Vulnerability Affects Up To 2+ Million Sites via @sejournal, @martinibuster

Advanced Custom Fields (ACF) WordPress plugin with over 2 million installations announced the release of a security update, version 6.2.5 that patches a vulnerability, the severity of which is not known and only limited details were released about the vulnerability.

While it’s not known what kind of exploits are possible or the extent of damage that an attacker could cause, ACF did advise that the vulnerability requires a contributor level access or higher, which to a certain extent makes it more difficult to launch an attack.

ACF 6.2.5 May Introduce Breaking Changes

The security release announcement warned that the changes introduced by the update patch had the potential to cause websites to break and offered instructions on how to debug the changes.

The version 6.2.5 update introduces a significant change in how the ACF shortcode processes and outputs potentially unsafe HTML content. The output will now be escaped, a security process that typically removes unwanted HTML like malicious scripts or malformed HTML so that rendered HTML is secure.

However, this change, while enhancing security, might disrupt sites using the shortcode for rendering complex HTML elements like scripts or iframes.

Tags with a potential for misuse, such as

Complianz WordPress GDPR Compliance Plugin Vulnerability via @sejournal, @martinibuster

A popular WordPress plugin for privacy compliance with over 800,000 installations recently patched a stored XSS vulnerability that could allow an attacker to upload malicious scripts for launching attacks against site visitors.

Complianz | GDPR/CCPA Cookie Consent WordPress Plugin

The Complianz plugin for WordPress is a powerful tool that helps website owners comply with privacy regulations such as the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

The plugin manages multiple facets of user privacy including blocking third-party cookies, managing cookie consent (including per subregion), and managing multiple aspects related to cookie banners.

It’s versatility and usefulness may account for the popularity of the tool which currently has over 800,000 installations.

Complianz Plugin Stored XSS Vulnerability

The Complianz WordPress plugin was discovered to have a stored XSS vulnerability which is a type of vulnerability that allows a user to upload a malicious script directly to the website server. Unlike a reflected XSS that requires a website user to click a link, a stored XSS involves a malicious script stored and served from the target website’s server.

The vulnerability is in the Complianz admin settings which is in the form of a lack of two security functions.

1. Input Sanitization
The plugin lacked sufficient input sanitization and output escaping. Input sanitization is a standard process for checking what’s input into a website, like into a form field, to make sure that what’s input is what’s expected, like a text input as opposed to a script upload.

The official WordPress developer guide describes data sanitization as:

“Sanitizing input is the process of securing/cleaning/filtering input data. Validation is preferred over sanitization because validation is more specific. But when “more specific” isn’t possible, sanitization is the next best thing.”

2. Escaping Output
The plugin lacked Output Escaping which is a security process that removes unwanted data before it gets rendered for a user.

How Serious Is The Vulnerability?

The vulnerability requires the attacker to obtain admin permission levels and higher in order to execute the attack. That may be the reason why this vulnerability is scored 4.4 out of 10, with ten representing the highest level of vulnerability.

The vulnerability only affects specific kinds of installations, too.

According to Wordfence:

“This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

This only affects multi-site installations and installations where unfiltered_html has been disabled.”

Update To Latest Version

The vulnerability affects Complianz versions equal to or less than version 6.5.5. Users are encouraged to update to version 6.5.6 or higher.

Read the Wordfence advisory about the vulnerability:

Complianz | GDPR/CCPA Cookie Consent <= 6.5.5 – Authenticated(Administrator+) Stored Cross-site Scripting via settings