The Autoptimize WordPress plugin before 3.1.1 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2022-2635

The WBW Currency Switcher for WooCommerce WordPress plugin before 1.6.6 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup)

CVE-2022-2575

The Migration, Backup, Staging WordPress plugin before 0.9.76 does not sanitise and validate a parameter before using it to read the content of a file, allowing high privilege users to read any file from the web server via a Traversal attack

CVE-2022-2863

Bug spawned by parsing problem in upstream package

Adam Bannister 15 September 2022 at 15:48 UTC

Bug spawned by parsing problem in upstream package

The maintainers of venerable open source content management system (CMS) TYPO3 have fixed a cross-site scripting (XSS) flaw with a raft of software updates.

The XSS mechanism of PHP package typo3/html-sanitizer was bypassed due to a parsing problem in upstream package masterminds/html5, whereby a “malicious markup used in a sequence with special HTML comments cannot be filtered and sanitized”, explained a GitHub advisory published on Tuesday (September 13).

The issue has been patched in 7.6.58, 8.7.48, 9.5.37, 10.4.32, and 11.5.16 of typo3/cms-core. All prior versions on these release lines are affected.

DON’T MISS WordPress project WPHash harvests 75 million hashes for detecting vulnerable plugins

With user interaction required the bug is classed as only moderate severity, notching a CVSS score of 6.1.

Nevertheless, even with a modest market share TYPO3 accounts for a huge number of active installations.

Launched in 1997, the free-to-use CMS has 2.43% of the CMS market, which translates to more than 230,000 customers, 46% of which are based in Germany.

The TYPO3 Association, which has around 900 members, funds development via donations and membership subscriptions.

Credit for bug discovery goes to security researcher David Klein, while Oliver Hader, TYPO3 security team lead and core developer, developed the patch.

RECOMMENDED Six-year-old blind SSRF vulnerability in WordPress Core feature could enable DDoS attacks

Open source CMS TYPO3 tackles XSS vulnerability

Researchers link the APT to an attack on a Hong Kong university, which compromised multiple key servers using advanced Linux malware.

A new Linux version of the SideWalk backdoor has been deployed against a Hong Kong university in a persistent attack that's compromised multiple servers key to the institution's network environment.

Researchers from ESET attributed the attack and the backdoor to SparklingGoblin, an advanced persistent threat (APT) group that targets organizations mostly in East and Southeast Asia, with a focus on the academic sector, they said in a blog post published Sept. 14.

The APT also has been linked to attacks on a broad range of organizations and vertical industries around the world, and is known for using the SideWalk and Crosswalk backdoors in its arsenal of malware, researchers said.

In fact, the attack on the Hong Kong university is the second time SparklingGoblin has targeted this particular institution; the first was in May 2020 during student protests, with ESET researchers first detecting the Linux variant of SideWalk in the university's network in February 2021 without actually identifying it as such, they said.

The latest attack appears to be part of a continuous campaign that initially may have started with the exploitation either of IP cameras and/or network video recorder (NVR) and DVR devices, using the Specter botnet or through a vulnerable WordPress server found in the victim's environment, researchers said.

"SparklingGoblin has continuously targeted this organization over a long period of time, successfully compromising multiple key servers, including a print server, an email server, and a server used to manage student schedules and course registrations," researchers said.

Moreover, it now appears that the Specter RAT, first documented by researchers at 360 Netlab, is actually a SideWalk Linux variant, as shown by multiple commonalities between the sample identified by ESET researchers, they said.

**SideWalk Links to SparklingGoblin**

SideWalk is a modular backdoor that can dynamically load additional modules sent from its command-and-control (C2) server, makes use of Google Docs as a dead-drop resolver, and uses Cloudflare as a C2 server. It can also properly handle communication behind a proxy.

There are differing opinions among researchers as to which threat group is responsible for the SideWalk backdoor. While ESET links the malware to SparklingGoblin, researchers at Symantec said it is the work of Grayfly (aka GREF and Wicked Panda), a Chinese APT active since at least March 2017.

ESET believes that SideWalk is exclusive to SparklingGoblin, basing its "high confidence" in this assessment on "multiple code similarities between the Linux variants of SideWalk and various SparklingGoblin tools," researchers said. One of the SideWalk Linux samples also uses a C2 address (66.42.103\[.\]222) that was previously used by SparklingGoblin, they added.

In addition to using the SideWalk and Crosswalk backdoors, SparklingGoblin also is known for deploying Motnug and ChaCha20-based loaders, the PlugX RAT (aka Korplug), and Cobalt Strike in its attacks.

**Inception of SideWalk Linux**

ESET researchers first documented the Linux variant of SideWalk in July 2021, dubbing it "StageClient" because they did not at the time make the connection to SparklingGoblin and the SideWalk backdoor for Windows.

They eventually linked the malware to a modular Linux backdoor with flexible configuration being used by the Specter botnet that was mentioned in a blog post by researchers at 360 Netlab, finding "a huge overlap in functionality, infrastructure, and symbols present in all the binaries," the ESET researchers said.

"These similarities convince us that Specter and StageClient are from the same malware family," they added. In fact, both are just Linux various of SideWalk, researchers eventually found. For this reason, both are now referred to under the umbrella term SideWalk Linux.

Indeed, given the frequent use of Linux as the basis for cloud services, virtual machine hosts, and container-based infrastructure, attackers are increasingly targeting Linux environments with sophisticated exploits and malware. This has given rise to Linux malware that's both unique to the OS or built as a complement to Windows versions, demonstrating that attackers see a growing opportunity to target the open source software.

**Comparison to Windows Version**

For its part, SideWalk Linux has numerous similarities to the Windows version of the malware, with researchers outlining only the most "striking" ones in their post, researchers said.

One obvious parallel is the implementations of ChaCha20 encryption, with both variants using a counter with an initial value of "0x0B" — a characteristic previously noted by ESET researchers. The ChaCha20 key is exactly the same in both variants, strengthening the connection between the two, they added.

Both versions of SideWalk also use multiple threads to execute specific tasks. They each have exactly five threads — StageClient::ThreadNetworkReverse, StageClient::ThreadHeartDetect, StageClient::ThreadPollingDriven, ThreadBizMsgSend, and StageClient::ThreadBizMsgHandler — executed simultaneously that each perform a specific function intrinsic to the backdoor, according to ESET.

Another similarity between the two versions is that the dead-drop resolver payload — or adversarial content posted on Web services with embedded domains or IP addresses — is identical in both samples. The delimiters — characters chosen to separate one element in a string from another element — of both versions also are identical, as well as their decoding algorithms, researchers said.

Researchers also found key differences between SideWalk Linux and its Windows counterpart. One is that in SideWalk Linux variants, modules are built in and cannot be fetched from the C2 server. The Windows version, on the other hand, has built-in functionalities executed directly by dedicated functions within the malware. Some plug-ins also can be added through C2 communications in the Windows version of SideWalk, researchers said.

Each version performs defense evasion in a different way as well, researchers found. The Windows variant of SideWalk "goes to great lengths to conceal the objectives of its code" by trimming out all data and code that was unnecessary for its execution, encrypting the rest.

The Linux variants make detection and analysis of the backdoor "significantly easier" by containing symbols and leaving some unique authentication keys and other artifacts unencrypted, researchers said.

"Additionally, the much higher number of inlined functions in the Windows variant suggests that its code was compiled with a higher level of compiler optimizations," they added.

SparklingGoblin Updates Linux Version of SideWalk Backdoor in Ongoing Cyber Campaign

WordPress WPGateway plugin versions 3.5 and below suffer from an unauthenticated privilege escalation vulnerability.

    Description: Unauthenticated Privilege EscalationAffected Plugin: WPGatewayPlugin Slug: wpgatewayPlugin Developer: Jack Hopman/WPGatewayAffected Versions: <= 3.5CVE ID: CVE-2022-3180CVSS Score: 9.8 (Critical)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HFully Patched Version: N/AThe WPGateway plugin is a premium plugin tied to the WPGateway cloud service, which offers its users a way to setup and manage WordPress sites from a single dashboard. Part of the plugin functionality exposes a vulnerability that allows unauthenticated attackers to insert a malicious administrator.We obtained a current copy of the plugin on September 9, 2022, and determined that it is vulnerable, at which time we contacted the plugin vendor with our initial disclosure. We have reserved vulnerability identifier CVE-2022-3180 for this issue.As this is an actively exploited zero-day vulnerability, and attackers are already aware of the mechanism required to exploit it, we are releasing this public service announcement (PSA) to all of our users. We are intentionally withholding certain details to prevent further exploitation. As a reminder, an attacker with administrator privileges has effectively achieved a complete site takeover.Indicators of compromiseIf you are working to determine whether a site has been compromised using this vulnerability, the most common indicator of compromise is a malicious administrator with the username of rangex.If you see this user added to your dashboard, it means that your site has been compromised.Additionally, you can check your site’s access logs for requests to //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp_new_credentials=1If these requests are present in your logs, they indicate that your site has been attacked using an exploit targeting this vulnerability, but do not necessarily indicate that it has been successfully compromised.ConclusionIn today’s post, we detailed a zero-day vulnerability being actively exploited in the WPGateway plugin.Wordfence Premium, Wordfence Care, and Wordfence Response customers received a firewall rule on September 8, 2022, protecting against this vulnerability, while sites still using the free version of Wordfence will receive the same protection 30 days later, on October 8, 2022.If you have the WPGateway plugin installed, we urge you to remove it immediately until a patch is made available and to check for malicious administrator users in your WordPress dashboard.If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected, as this is a serious vulnerability that is actively being exploited in the wild. Please help make the WordPress community aware of this issue.If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.Our investigation is ongoing, and we will provide more information in an additional blog post when it becomes available.Special thanks to Threat Intelligence Lead Chloe Chamberland for spotting this exploit in the wild.

WordPress WPGateway 3.5 Privilege Escalation

Categories: News
Tags: WPGateway

Tags:  WordPress

Tags:  plugin

Tags:  vulnerability

Tags:  CVE

We take a look at a vulnerability being exploited in the wild related to the WPGateway WordPress plugin.



(Read more...)




The post WPGateway WordPress plugin vulnerability could allow full site takeover appeared first on Malwarebytes Labs.

There’s been a few WordPress plugin vulnerabilities in the wild recently, and today we have another one to add to the list. Sometimes when word breaks of a WordPress plugin issue, a fix is already available and all you have to do is perform an update. On other occasions, the attack is live and out there doing damage with no fix yet available. Sadly, this current exploit is an example of the latter.

WPGateway allows WordPress users to run WordPress sites from one dashboard. Unfortunately, research shows that part of this functionality puts both the site and the site’s users at risk.

**Beware of rogue admins**

The issue in question allows unauthenticated individuals to add rogue users to the site. Those unauthorised users have full admin privileges, which essentially results in a full site takeover thanks to the plugin.

At this point, the compromiser can do what they want with the hijacked website. They are in full control, which is not a great situation for anybody. The vulnerability is listed on the Common Vulnerabilities and Exposures site as CVE-2022-3180. However, no additional information is forthcoming yet as the page has merely been reserved at this point.

**Active exploitation**

The issue was first discovered on September 8, and is being actively exploited. There is very little additional information to go on at this point, as the specifics of the vulnerability are being withheld. As a result, people will largely be reliant on the WPGateway team to get a patch put together.

**Detecting and avoiding compromise**

Options are limited, but for now the main advice from Wordfence is this:

*   Remove the plugin installation until a patch is made available.
    
*   Check for malicious admin accounts in your WordPress dashboard. The username  “rangex” is a common indicator of compromise.
    

You can also check site access logs for requests to: //wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp\_new\_credentials=1. This indicates an attack attempt was made, but does not mean your site has been compromised. This is why checking for the “rangex” username is so important. Fingers crossed that this issue will receive a speedy patch from the plugin developers.

Stay safe out there!

WPGateway WordPress plugin vulnerability could allow full site takeover

Tech giant Microsoft on Tuesday shipped fixes to quash 64 new security flaws across its software lineup, including one zero-day flaw that has been actively exploited in real-world attacks.
Of the 64 bugs, five are rated Critical, 57 are rated Important, one is rated Moderate, and one is rated Low in severity. The patches are in addition to 16 vulnerabilities that Microsoft addressed in its

Tech giant Microsoft on Tuesday shipped fixes to quash 64 new security flaws across its software lineup, including one zero-day flaw that has been actively exploited in real-world attacks.

Of the 64 bugs, five are rated Critical, 57 are rated Important, one is rated Moderate, and one is rated Low in severity. The patches are in addition to 16 vulnerabilities that Microsoft addressed in its Chromium-based Edge browser earlier this month.

"In terms of CVEs released, this Patch Tuesday may appear on the lighter side in comparison to other months," Bharat Jogi, director of vulnerability and threat research at Qualys, said in a statement shared with The Hacker News.

"However, this month hit a sizable milestone for the calendar year, with MSFT having fixed the 1000th CVE of 2022 – likely on track to surpass 2021 which patched 1,200 CVEs in total."

The actively exploited vulnerability in question is CVE-2022-37969 (CVSS score: 7.8), a privilege escalation flaw affecting the Windows Common Log File System (CLFS) Driver, which could be leveraged by an adversary to gain SYSTEM privileges on an already compromised asset.

"An attacker must already have access and the ability to run code on the target system. This technique does not allow for remote code execution in cases where the attacker does not already have that ability on the target system," Microsoft said in an advisory.

The tech giant credited four different sets of researchers from CrowdStrike, DBAPPSecurity, Mandiant, and Zscaler for reporting the flaw, which may be an indication of widespread exploitation in the wild, Greg Wiseman, product manager at Rapid7, said in a statement.

CVE-2022-37969 is also the second actively exploited zero-day flaw in the CLFS component after CVE-2022-24521 (CVSS score: 7.8), the latter of which was resolved by Microsoft as part of its April 2022 Patch Tuesday updates.

It's not immediately clear if CVE-2022-37969 is a patch bypass for CVE-2022-24521. Other critical flaws of note are as follows -

*   **CVE-2022-34718** (CVSS score: 9.8) - Windows TCP/IP Remote Code Execution Vulnerability
*   **CVE-2022-34721** (CVSS score: 9.8) - Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
*   **CVE-2022-34722** (CVSS score: 9.8) - Windows Internet Key Exchange (IKE) Protocol Extensions Remote Code Execution Vulnerability
*   **CVE-2022-34700** (CVSS score: 8.8) - Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability
*   **CVE-2022-35805** (CVSS score: 8.8) - Microsoft Dynamics 365 (on-premises) Remote Code Execution Vulnerability

"An unauthenticated attacker could send a specially crafted IP packet to a target machine that is running Windows and has IPSec enabled, which could enable a remote code execution exploitation," Microsoft said about CVE-2022-34721 and CVE-2022-34722.

Also resolved by Microsoft are 15 remote code execution flaws in Microsoft ODBC Driver, Microsoft OLE DB Provider for SQL Server, and Microsoft SharePoint Server and five privilege escalation bugs spanning Windows Kerberos and Windows Kernel.

The September release is further notable for patching yet another elevation of privilege vulnerability in the Print Spooler module (CVE-2022-38005, CVSS score: 7.8) that could be abused to obtain SYSTEM-level permissions.

Lastly, included in the raft of security updates is a fix released by chipmaker Arm for a speculative execution vulnerability called Branch History Injection or Spectre-BHB (CVE-2022-23960) that came to light earlier this March.

"This class of vulnerabilities poses a large headache to the organizations attempting mitigation, as they often require updates to the operating systems, firmware and in some cases, a recompilation of applications and hardening," Jogi said. "If an attacker successfully exploits this type of vulnerability, they could gain access to sensitive information."

**Software Patches from Other Vendors**

Aside from Microsoft, security updates have also been released by other vendors since the start of the month to rectify dozens of vulnerabilities, including —

*   Adobe
*   Android
*   Apache Projects
*   Apple
*   Cisco
*   Citrix
*   Dell
*   F5
*   Fortinet
*   GitLab
*   Google Chrome
*   HP
*   IBM
*   Lenovo
*   Linux distributions Debian, Oracle Linux, Red Hat, SUSE, and Ubuntu
*   MediaTek
*   NVIDIA
*   Qualcomm
*   Samba
*   SAP
*   Schneider Electric
*   Siemens
*   Trend Micro
*   VMware, and
*   WordPress (which is dropping support for versions 3.7 through 4.0 starting December 1, 2022)

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Microsoft's Latest Security Update Fixes 64 New Flaws, Including a Zero-Day

A zero-day flaw in the latest version of a WordPress premium plugin known as WPGateway is being actively exploited in the wild, potentially allowing malicious actors to completely take over affected sites.
Tracked as CVE-2022-3180 (CVSS score: 9.8), the issue is being weaponized to add a malicious administrator user to sites running the WPGateway plugin, WordPress security company Wordfence

A zero-day flaw in the latest version of a WordPress premium plugin known as WPGateway is being actively exploited in the wild, potentially allowing malicious actors to completely take over affected sites.

Tracked as **CVE-2022-3180** (CVSS score: 9.8), the issue is being weaponized to add a malicious administrator user to sites running the WPGateway plugin, WordPress security company Wordfence noted.

"Part of the plugin functionality exposes a vulnerability that allows unauthenticated attackers to insert a malicious administrator," Wordfence researcher Ram Gall said in an advisory.

WPGateway is billed as a means for site administrators to install, backup, and clone WordPress plugins and themes from a unified dashboard.

The most common indicator that a website running the plugin has been compromised is the presence of an administrator with the username "rangex."

Additionally, the appearance of requests to "//wp-content/plugins/wpgateway/wpgateway-webservice-new.php?wp\_new\_credentials=1" in the access logs is a sign that the WordPress site has been targeted using the flaw, although it doesn't necessarily imply a successful breach.

Wordfence said it blocked over 4.6 million attacks attempting to take advantage of the vulnerability against more than 280,000 sites in the past 30 days.

Further details about the vulnerability have been withheld owing to active exploitation and to prevent other actors from taking advantage of the shortcoming. In the absence of a patch, users are recommended to remove the plugin from their WordPress installations until a fix is available.

The development comes days after Wordfence warned of in-the-wild abuse of another zero-day flaw in a WordPress plugin called BackupBuddy.

The disclosure also arrives as Sansec revealed that threat actors broke into the extension license system of FishPig, a vendor of popular Magento-WordPress integrations, to inject malicious code that's designed to install a remote access trojan called Rekoobe.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

Over 280,000 WordPress Sites Attacked Using WPGateway Plugin Zero-Day Vulnerability

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in RD Station plugin <= 5.2.0 at WordPress.

 Verified

 Fixed

**5.4**

CVSS 3.1 score Medium severity

Report  

Monitoring Not reported to be exploited

Vulnerable versions

<= 5.2.0

PSID 

e5e265f65534

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Publicly disclosed

2022-09-11

**Details**

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities were discovered by Rasi Afeef (Patchstack Alliance) in the WordPress RD Station plugin (versions <= 5.2.0).

**Solution**

Update the WordPress RD Station plugin to the latest available version (at least 5.2.1).

**References**

Tag

#wordpress