
4 Million WordPress Sites Affected by Stored Cross-Site Scripting Vulnerability in LiteSpeed Cache

On August 14, 2023, our Wordfence Threat Intelligence team identified and began the responsible disclosure process for a stored Cross-Site Scripting (XSS) vulnerability in the LiteSpeed Cache plugin, which is actively installed on more than 4,000,000 WordPress websites, making it the most popular cache plugin. The vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages using the plugin’s shortcode.

We contacted the LiteSpeed Cache team on August 14, 2023, and received a response the same day. After providing full disclosure details, the developer team produced a patch on August 16, 2023, and released it to the WordPress repository on October 10, 2023. We would like to commend LiteSpeed Technologies for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of LiteSpeed Cache, version 5.7 at the time of this writing, as soon as possible.

Description: LiteSpeed Cache <= 5.6 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Plugin: LiteSpeed Cache
Plugin Slug: litespeed-cache
Affected Versions: <= 5.6
CVE ID: CVE-2023-4372
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Lana Codes
Fully Patched Version: 5.7

The LiteSpeed Cache plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘esi’ shortcode in versions up to, and including, 5.6 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Technical Analysis

LiteSpeed Cache is a site acceleration plugin with server-level caching and optimization. It provides a shortcode ([esi]) that, when added to a WordPress page, caches blocks using Edge Side Includes (ESI) technology, provided ESI has been enabled in the plugin settings.

Unfortunately, insecure implementation of the plugin’s shortcode functionality allows for the injection of arbitrary web scripts into these pages. Examining the vulnerable code reveals that the shortcode method in the ESI class does not adequately sanitize the user-supplied ‘cache’ input, and then fails to escape the ‘control’ output derived from the ‘cache’ parameter when it builds the ESI block. This makes it possible to inject attribute-based Cross-Site Scripting payloads via the ‘cache’ attribute.

This makes it possible for threat actors to carry out stored XSS attacks. Once a script is injected into a page or post, it will execute each time a user accesses the affected page. While this vulnerability does require that a trusted contributor account is compromised, or a user be able to register as a contributor, successful threat actors could steal sensitive information, manipulate site content, inject administrative users, edit files, or redirect users to malicious websites which are all severe consequences.

How to Detect Malware on Your WordPress Website

A WordPress website infected with malware can exhibit various signs and symptoms. Detecting malware early is crucial to prevent potential damage to your website and its visitors. Here are some telltale signs that your WordPress website might be infected with malware:

  1. Unexpected Behavior: If your website starts behaving strangely, such as loading slowly, redirecting to suspicious websites, or displaying incorrect content, it could indicate a malware infection.
  2. Unusual Traffic Patterns: A sudden increase in traffic, especially if it’s coming from unusual or unfamiliar sources, might indicate a malware infection. Malware can sometimes be used to drive fake traffic or perform malicious actions.
  3. Changes in Site Content: If you notice new, unauthorized, or unfamiliar content on your website, such as spammy links, hidden text, or injected ads, it’s a sign that your site might be compromised.
  4. Search Engine Warnings: If your website suddenly disappears from search engine results or is flagged with warnings like “This site may be hacked” in search results, it’s a strong indication of malware.
  5. Security Plugin Alerts: If you’re using a security plugin like Wordfence or Sucuri, they might provide alerts about suspicious activity, malware signatures, or changes to core files.
  6. Frequent Crashes or Errors: If your website experiences frequent crashes, errors, or downtime that can’t be attributed to regular maintenance or updates, malware might be causing instability.
  7. Unexpected Admin Accounts: Check your WordPress admin panel for any unfamiliar admin accounts. Hackers sometimes create these accounts to maintain control over your website.
  8. Suspicious File Changes: Regularly monitor your website’s core files, theme files, and plugins for any unauthorized changes or additions. Malware often involves modifying these files.
  9. Phishing Redirects: If your visitors are being redirected to phishing or malicious websites, your site might be compromised. This can severely damage your website’s reputation.
  10. Increased Resource Usage: Malware can cause your server’s resources (CPU, memory, bandwidth) to spike due to malicious activities. Keep an eye on your hosting account’s resource usage.
  11. Spam Emails: If your website is sending out spam emails without your knowledge, it’s a sign of a compromise. Malware can be used to send spam from your server.
  12. Blacklist Warnings: Google and other security services maintain blacklists of websites known to distribute malware. If your site is blacklisted, users might be warned before visiting.

If you suspect your WordPress website has been compromised, it’s important to take action promptly:

  1. Isolate the Website: Take your website offline temporarily to prevent further damage and protect your visitors.
  2. Scan with Security Plugins: Use security plugins to scan your website for malware and vulnerabilities. Many plugins can help you identify and clean malware infections.
  3. Update and Remove: Update WordPress, themes, and plugins to their latest versions. Remove any unauthorized or suspicious code or files.
  4. Change Credentials: Change all passwords and authentication keys, including for your hosting, WordPress admin accounts, FTP, and databases.
  5. Restore from Backup: If you have clean backups, restore your website to a point before the infection occurred.
  6. Seek Professional Help: If you’re unsure how to proceed or the infection is complex, consider seeking assistance from a professional or a security service.

Remember that prevention is key. Regularly updating your WordPress installation, themes, and plugins, using strong and unique passwords, and implementing security measures can significantly reduce the risk of malware infections.

With over 20 years of experience in resolving hacked websites, if you require assistance, please get in touch with us through the ‘Quick Fix’ link. We’re here to help restore and fortify your compromised WordPress website.

WordPress Vulnerability Report – July 2023

Last week, there were 64 vulnerabilities disclosed in 66 WordPress plugins and 3 WordPress themes.

Securing your WordPress website is crucial to protect it from potential threats and vulnerabilities. Here are some basic steps you can take to enhance the security of your WordPress site:

  1. Keep WordPress Updated: Regularly update your WordPress core, themes, and plugins to ensure you have the latest security patches and bug fixes.
  2. Use Strong Login Credentials:
    • Set strong, unique usernames and passwords for your admin and user accounts.
    • Avoid using “admin” as the username.
    • Use a combination of uppercase, lowercase, numbers, and special characters in your passwords.
  3. Limit Login Attempts: Install a plugin that limits the number of login attempts and temporarily locks out IP addresses after a certain number of failed attempts.
  4. Implement Two-Factor Authentication (2FA): Use a 2FA plugin to add an extra layer of security by requiring a second form of verification, such as a code from a mobile app, in addition to the password.
  5. Secure Hosting and Server:
    • Choose a reputable hosting provider that offers security features and regular updates.
    • Keep your server software, such as PHP and MySQL, up to date.
  6. Use Secure Themes and Plugins:
    • Install themes and plugins only from trusted sources.
    • Delete unused themes and plugins to reduce potential attack vectors.
  7. Regular Backups:
    • Regularly back up your website and database, and store backups off-site.
    • This ensures you can restore your website to a working state if it’s compromised.
  8. Secure File Permissions:
    • Set appropriate file and directory permissions to prevent unauthorized access.
    • Avoid using overly permissive settings.
  9. Disable Directory Listing:
    • Prevent directory listings to avoid exposing sensitive files.
  10. Hide WordPress Version:
    • Remove or hide the WordPress version number from your website’s source code, as outdated versions can be targeted by attackers.
  11. Use HTTPS:
    • Secure your website with an SSL certificate to encrypt data between your server and users’ browsers.
  12. Update Your Security Keys:
    • Regularly update your unique security keys in the wp-config.php file to enhance authentication security.
  13. Install a Security Plugin:
    • There are several security plugins available that can help you with tasks like firewall protection, malware scanning, and more.
  14. Monitor for Suspicious Activity:
    • Set up website monitoring to receive alerts for unusual or suspicious activities.
  15. Regularly Review Logs:
    • Review your server and application logs to detect any signs of unauthorized access or suspicious behavior.
  16. Disable XML-RPC:
    • If you don’t need XML-RPC functionality, consider disabling it, as it can be exploited for attacks.
  17. Implement Content Security Policy (CSP):
    • Use CSP headers to control what sources of content are allowed to be loaded on your site, reducing the risk of cross-site scripting (XSS) attacks.

Remember that security is an ongoing process, and staying informed about the latest security best practices is essential to protect your WordPress website from evolving threats.

Should you require help, our hourly rate for website troubleshooting and security enhancement is €35. We’d be more than happy to support you in securing your website. Feel free to click the button below to request a quick quote for our swift resolution service.

Hackers target 1.5M WordPress sites with cookie consent plugin exploit

Beautiful Cookie Consent Banner Large-Scale XSS Campaign

There has been an increase in attacks targeting a Cross-Site Scripting vulnerability in Beautiful Cookie Consent Banner, a WordPress plugin installed on over 40,000 sites. The vulnerability, which was fully patched in January in version 2.10.2, offers unauthenticated attackers the ability to add malicious JavaScript to a website, potentially allowing redirects to malvertising sites as well as the creation of malicious admin users, both of which are appealing use cases for attackers.

Description: Beautiful Cookie Consent Banner <= 2.10.1 – Unauthenticated Stored Cross-Site Scripting
Affected Plugin: Beautiful Cookie Consent Banner
Plugin Slug: beautiful-and-responsive-cookie-consent
Affected Versions: <= 2.10.1
CVE ID: Not Assigned
CVSS Score: 7.2 (High)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Unknown
Fully Patched Version: 2.10.2

The Beautiful Cookie Consent Banner for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘nsc_bar_content_href’ parameter in versions up to, and including, 2.10.1 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. A partial patch was made available in 2.10.1 and the issue was fully patched in 2.10.2.

The Attacks

According to our records, the vulnerability has been actively attacked since February 5, 2023, but this is the largest attack against it that we have seen. We have blocked nearly 3 million attacks against more than 1.5 million sites, from nearly 14,000 IP addresses since May 23, 2023, and attacks are ongoing.

Pictured: A chart showing sites attacked and total attacks targeting this vulnerability

We believe that this is the work of a single actor, as every single attack contained a partial payload of onmouseenter=" and no further functioning JavaScript. It is likely that this set of attacks is being performed using a misconfigured exploit that expects a customized payload, and that the attacker has simply failed to provide one.

Despite this fact, if your website is running a vulnerable version of the plugin and you are not currently using Wordfence or another Web Application Firewall, these attacks do have the potential to corrupt the configuration of the plugin which can break its intended functionality, so we still recommend updating to the latest version, which is 2.13.0 at the time of this writing, as soon as possible.

Indicators of Compromise

Requests

An example request showing the payload being used

POST requests to /wp-admin/admin-post.php from unrecognized IP addresses may appear in your server logs, or in your Live Traffic if you have the Wordfence plugin installed.
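As an added example (not part of the Wordfence post), the following PHP script, run from the command line, counts POST requests to /wp-admin/admin-post.php per source IP in a combined-format access log. The four log lines are constructed samples, and the script assumes PHP 7.1 or later.

```php
<?php
// Added example, not Wordfence's or the plugin's code: scan a combined-format
// (Apache/Nginx) access log for POST requests to admin-post.php and count
// them per source IP. The log lines below are constructed samples.

$sample_log = <<<'LOG'
203.0.113.10 - - [24/May/2023:10:01:02 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [24/May/2023:10:01:05 +0000] "GET /wp-content/plugins/beautiful-and-responsive-cookie-consent/style.css HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
203.0.113.10 - - [24/May/2023:10:01:09 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 302 0 "-" "python-requests/2.28"
192.0.2.44 - - [24/May/2023:10:02:00 +0000] "POST /wp-admin/admin-post.php?action=save HTTP/1.1" 200 12 "-" "curl/8.0"
LOG;

/**
 * Return [ip => count] of POST requests whose path, ignoring any query
 * string, is /wp-admin/admin-post.php, sorted by count descending.
 */
function count_admin_post_requests( string $log ): array {
    $counts = array();
    // Combined log format: host ident user [time] "METHOD TARGET PROTO" status ...
    $pattern = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/';

    foreach ( preg_split( '/\R/', trim( $log ) ) as $line ) {
        if ( ! preg_match( $pattern, $line, $m ) ) {
            continue; // not a combined-format line; skip it
        }
        [ , $ip, $method, $target ] = $m;
        $path = parse_url( $target, PHP_URL_PATH ); // drops ?action=... if present
        if ( 'POST' === $method && '/wp-admin/admin-post.php' === $path ) {
            $counts[ $ip ] = ( $counts[ $ip ] ?? 0 ) + 1;
        }
    }

    arsort( $counts ); // highest count first, keys (IPs) preserved
    return $counts;
}

foreach ( count_admin_post_requests( $sample_log ) as $ip => $n ) {
    printf( "%-16s %d POST(s) to admin-post.php\n", $ip, $n );
}
```

admin-post.php is also the normal endpoint for legitimate plugin settings saves by logged-in users, so treat the per-IP counts and their timing as triage input to compare against known administrator addresses, not as proof of attack on their own.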

IP Addresses

We have included the top 20 attacking IP addresses, though there are many more:

If your site was impacted by this or an earlier attack campaign, it may have corrupted the nsc_bar_bannersettings_json option in your database. The plugin’s developers have included functionality in patched versions to repair any changes made as a result of this exploit.

Stored XSS Vulnerability

W3 Eden’s Download Manager plugin – Cross-Site Scripting (XSS) vulnerability

On April 25, 2023, our team identified and began the responsible disclosure process for a stored Cross-Site Scripting (XSS) vulnerability in W3 Eden’s Download Manager plugin, which is actively installed on more than 100,000 WordPress websites, making it one of the most popular download management plugins. The vulnerability enables threat actors with contributor-level permissions or higher to inject malicious web scripts into pages using the plugin’s shortcode.

We contacted W3 Eden on April 25, 2023, and promptly received a response. After providing full disclosure details, the developer released a patch on May 1, 2023. We would like to commend the W3 Eden development team for their prompt response and timely patch.

We urge users to update their sites with the latest patched version of Download Manager, version 3.2.71 at the time of this writing, as soon as possible.

Vulnerability Summary from Wordfence Intelligence

Description: Download Manager <= 3.2.70 – Authenticated (Contributor+) Stored Cross-Site Scripting via Shortcode
Affected Plugin: Download Manager
Plugin Slug: download-manager
Affected Versions: <= 3.2.70
CVE ID: CVE-2023-2305
CVSS Score: 6.4 (Medium)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Researcher/s: Lana Codes
Fully Patched Version: 3.2.71

The Download Manager plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘wpdm_members’, ‘wpdm_login_form’, ‘wpdm_reg_form’ shortcodes in versions up to, and including, 3.2.70 due to insufficient input sanitization and output escaping on user supplied attributes. This makes it possible for authenticated attackers with contributor-level and above permissions to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Technical Analysis

Download Manager is a plugin designed to allow WordPress users to manage, track and control file downloads. It provides a shortcode ([wpdm_members]) that, when added to a WordPress page, lists the authors and the number of files each has added. However, insecure implementation of the plugin’s shortcode functionality allows for the injection of arbitrary web scripts into these pages. Examining the code reveals that the members method in the User class did not adequately sanitize the user-supplied ‘sid’ input, and then loaded the members.php view file, which also did not adequately escape the ‘sid’ output. This makes it possible to inject attribute-based Cross-Site Scripting payloads via the ‘sid’ attribute.


There are two other shortcodes, a login form shortcode ([wpdm_login_form]) and a registration form shortcode ([wpdm_reg_form]), that add forms to a WordPress site. However, the insecure implementation of these two shortcode functions, similar to the previous example, also allows arbitrary web scripts to be inserted into these pages. Examining the code reveals that the functions of both forms do not adequately sanitize the user-supplied ‘logo’ input, and in the view files these ‘logo’ outputs are not adequately escaped.
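As an added, hypothetical example (not the code of LiteSpeed Cache or Download Manager), the following shows the shortcode-attribute pattern that both analyses describe: a user-supplied attribute (‘cache’ here, mirroring the LiteSpeed ‘cache’/‘control’ case and the same pattern as Download Manager’s ‘sid’ and ‘logo’) copied into HTML output, first with the defect and then hardened with sanitize-on-input and context-correct escaping. It assumes WordPress is loaded: shortcode_atts, sanitize_text_field, esc_attr and add_shortcode are WordPress core functions, while the demo_block shortcode and both handler functions are invented names.

```php
<?php
// Added, hypothetical example; not the code of LiteSpeed Cache or Download
// Manager. Assumes WordPress is loaded: shortcode_atts(), sanitize_text_field(),
// esc_attr() and add_shortcode() are WordPress core functions. The shortcode
// name demo_block and both handler functions are invented for illustration.

/**
 * Vulnerable pattern: the user-supplied attribute is copied, via a derived
 * string, straight into an HTML attribute. Because it is neither sanitized
 * nor escaped, a quote character in the value terminates the attribute and
 * whatever follows becomes markup; that is the attribute-based XSS both
 * advisories describe. Shortcodes can be placed by contributors, who lack
 * the unfiltered_html capability, which is why this path matters.
 */
function demo_block_vulnerable( $atts ) {
    $atts    = shortcode_atts( array( 'cache' => 'public' ), $atts, 'demo_block' );
    $control = 'cache-control=' . $atts['cache']; // derived value, still tainted
    return '<div class="demo-block" data-control="' . $control . '"></div>';
}

/**
 * Hardened pattern: sanitize on input and escape on output with the escaper
 * that fits the context. esc_attr() is the right call here because the value
 * lands inside a double-quoted HTML attribute; esc_html() or esc_url() would
 * be the choice for text nodes or href/src values respectively. Where only a
 * small set of values is meaningful, an allow-list is stricter than any escaper.
 */
function demo_block_fixed( $atts ) {
    $atts  = shortcode_atts( array( 'cache' => 'public' ), $atts, 'demo_block' );
    $cache = sanitize_text_field( $atts['cache'] ); // strips tags, collapses whitespace

    // Allow-list (an assumption for this demo): three known cache modes.
    $allowed = array( 'public', 'private', 'no-cache' );
    if ( ! in_array( $cache, $allowed, true ) ) {
        $cache = 'public';
    }

    $control = 'cache-control=' . $cache;
    return '<div class="demo-block" data-control="' . esc_attr( $control ) . '"></div>';
}

// Register only the hardened handler; the vulnerable one is shown for contrast.
add_shortcode( 'demo_block', 'demo_block_fixed' );
```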


These make it possible for threat actors to carry out stored XSS attacks. Once a script is injected into a page or post, it will execute each time a user accesses the affected page. While this vulnerability does require that a trusted contributor account is compromised, or a user be able to register as a contributor, successful threat actors could steal sensitive information, manipulate site content, inject administrative users, edit files, or redirect users to malicious websites which are all severe consequences.

Disclosure Timeline

April 25, 2023 – Wordfence Threat Intelligence team discovers the stored XSS vulnerability in Download Manager and initiates responsible disclosure.
April 27, 2023 – We get in touch with the development team at W3 Eden and send full disclosure details.
May 1, 2023 – The fully patched version, 3.2.71, is released.
May 3, 2023 – The vendor notified Wordfence that they released the patch.
May 3, 2023 – Wordfence confirms the fix addresses the vulnerability.

Conclusion

In this blog post, we have detailed a stored XSS vulnerability within the Download Manager plugin affecting versions 3.2.70 and earlier. This vulnerability allows authenticated threat actors with contributor-level permissions or higher to inject malicious web scripts into pages that execute when a user accesses an affected page. The vulnerability has been fully addressed in version 3.2.71 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of Download Manager.

Hundreds of GoDaddy-hosted sites backdoored in a single day

In my opinion, hosting on big platforms like GoDaddy, with all the features they showcase but a cost per application to use them, is pointless. Most website owners or developers think you’re secure by using the free Wordfence versions!

We provide our managed dedicated servers in South Africa (Xneelo) and Europe (Hetzner) to manage our clients. All clients hosted on our servers at €5.50 monthly receive updates of the theme, plugins, and core framework to the latest version of WordPress. We install Akeeba Backup and Akeeba Admin Pro on all hosted sites, on a monthly basis, as part of your hosting cost. In addition, we back up the sites to our external cloud servers.

View our WordPress Maintenance option or Hosted solution


Internet security analysts have spotted a spike in backdoor infections on WordPress websites hosted on GoDaddy’s Managed WordPress service, all featuring an identical backdoor payload.

The case affects internet service resellers such as MediaTemple, tsoHost, 123Reg, Domain Factory, Heart Internet, and Host Europe Managed WordPress.

The discovery comes from Wordfence, whose team first observed the malicious activity on March 11, 2022, with 298 websites infected by the backdoor within 24 hours, 281 of which were hosted on GoDaddy.

Backdoor infections monitor (Wordfence)

Old template spammer

The backdoor infecting all of these sites is a 2015 Google search SEO-poisoning tool implanted in the wp-config.php file; it fetches spam link templates from the C2 server, which are then used to inject malicious pages into search results.

The campaign uses predominantly pharmaceutical spam templates, served to visitors of the compromised websites instead of the actual content.

The goal of these templates is likely to entice the victims to make purchases of fake products, losing money and payment details to the threat actors.

Additionally, the actors can harm a website’s reputation by altering its content and making the breach evident, but this doesn’t seem to be the actors’ aim at this time.

This type of attack is harder to detect and stop from the user’s side because it takes place on the server rather than in the browser, so local internet security tools won’t detect anything suspicious.

Supply chain attack?

The intrusion vector hasn’t been determined, so while this looks suspiciously close to a supply chain attack, it hasn’t been confirmed.

Bleeping Computer has contacted GoDaddy to find out more about this possibility, but we have not heard back yet.

Notably, GoDaddy disclosed a data breach in November 2021 that affected 1.2 million customers and multiple Managed WordPress service resellers, including the six mentioned in the introduction.

That breach involved unauthorized access to the system that provisions the company’s Managed WordPress sites. As such, it’s not far-fetched to suggest that the two occurrences might be linked.

In any case, if your website is hosted on GoDaddy’s Managed WordPress platform, make sure to scan your wp-config.php file to locate potential backdoor injections.

What the injected encoded backdoor looks like (Wordfence)

Wordfence also reminds admins that while removing the backdoor should be the first step, removing spam search engine results should also be a priority.

Looking Global – we have WordPress Updates South Africa – https://www.wordpressupdates.co.za, WordPress Updates Ireland – https://wordpressupdates.ie and Global WordPress Updates – https://wordpressupdates.com
