Yet Another WordPress Hack Exploiting Plugin Vulnerabilities
Here comes news about another WordPress website security breach carried out by exploiting plugin vulnerabilities.
Reports say that hackers have been exploiting vulnerabilities in a popular social media sharing plugin on WordPress. The Hacker News reports, “Hackers have been found exploiting a pair of critical security vulnerabilities in one of the popular social media sharing plugins to take control over WordPress websites that are still running a vulnerable version of the plugin.”
Hackers have been exploiting vulnerabilities in the Social Warfare plugin, which is downloaded and used on a large scale. There have been over 900,000 downloads of the plugin, which is used to add social share buttons to WordPress websites and blogs.
It was in the last week of March that an updated version of the Social Warfare plugin was released. The updated version, 3.5.3, was released with two security vulnerabilities patched. The vulnerabilities- a stored cross-site scripting (XSS) flaw and a remote code execution (RCE) flaw- were both tracked by the same identifier- CVE-2019-9978. Hackers, by exploiting these vulnerabilities, could run arbitrary PHP code and take complete control over WordPress websites and servers without authentication. They could then use such compromised websites for malicious activities, including cryptocurrency mining, hosting malicious exploit code etc. On the same day that the updated version of Social Warfare was released, an unnamed security researcher published a full disclosure and proof-of-concept for the XSS vulnerability, following which hackers started exploiting the vulnerability.
However, Palo Alto Network Unit 42 researchers have now found several exploits that take advantage of these two WordPress plugin vulnerabilities in the wild. These include an exploit for the XXL vulnerability that would redirect users of affected websites to an ads website and another exploit for the RCE vulnerability that would manipulate a one-line webshell which would then allow hackers to control affected websites.
Both these vulnerabilities in the Social Warfare plugin had originated as a result of improper input handling, the misuse of a WordPress function that should actually be preventing unauthorized visits. A blog post authored by Palo Alto Network Unit 42 researchers Qi Deng, Zhibin Zhang and Hui Gao says, “The root cause of each of these two vulnerabilities is the same: the misuse of the is_admin() function in WordPress. Is_admin only checks if the requested page is part of admin interface and won’t prevent any unauthorized visit.”
As regards the number of affected websites, the Palo Alto blog post says, “We found about 40,000 sites that have installed this plugin, most of which are running a vulnerable version, including education sites, finance sites, and news sites.” They have clarified that many of these affected websites receive high traffic, based on Alexa’s global traffic-related data).
The researchers also note- “There are many exploits in the wild for the Social Warfare plugin and it is likely they will continue to be used maliciously. Since over 75 million websites are using WordPress and many of the high traffic WordPress websites are using the Social Warfare plugin, the users of those websites could be exposed to malware, phishing pages or miners. Website administrators should update the Social Warfare plugin to 3.5.3 or newer version.”