Cross-Site Request Forgery (CSRF) vulnerability in Social Share Buttons by Supsystic plugin <= 2.2.2 at WordPress.

 Not fixed

**4.3**

CVSS 3.1 score Medium severity

Monitoring Coming soon

Software

Social Share Buttons by Supsystic

Vulnerable versions

<= 2.2.2

PSID 

55c61e6d8a44

Classification 

Cross Site Request Forgery (CSRF)

OWASP Top 10 

A5: Broken Access Control

Credits

 Rasi Afeef (Patchstack Alliance)

Publicly disclosed

2022-05-27

**Details**

Cross-Site Request Forgery (CSRF) vulnerability was discovered by Rasi Afeef (Patchstack Alliance) in the WordPress Social Share Buttons by Supsystic plugin (versions <= 2.2.2).

**Solution**

Deactivate and delete. No reply from the vendor. Plugin closed.

**References**

CVE-2021-36890 Plugin page

CVE-2021-36890: WordPress Social Share Buttons by Supsystic plugin <= 2.2.2 - Cross-Site Request Forgery (CSRF) vulnerability - Patchstack

Authenticated (author or higher role) Stored Cross-Site Scripting (XSS) vulnerability in Fatcat Apps Easy Pricing Tables plugin <= 3.1.2 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

*   The **Easy Pricing Tables** WordPress Plugin makes it easy to create and publish beautiful pricing tables and comparison tables on your WordPress site. You can build, customize and publish a pricing table in just a few minutes, straight from the post editor, with zero coding required.

View screenshots of WordPress pricing tables built with this plugin.

View Easy Pricing Tables Premium Live Demo »

> **Gutenberg Compatible**
> 
> This plugin is fully compatible with WordPress 5.0’s new block editor (“Gutenberg”). You can build and edit pricing tables directly in the post editor. Also features support for classic editor and page builders.
> 
> **Easy Pricing Tables Premium**
> 
> Easy Pricing Tables Premium comes with the following features.
> 
> Six Gorgeous Pricing Table Designs.  
> Comparison Tables.  
> Fully Customize your Pricing Table (Colors, etc…).  
> Choose From 15 Font Options.  
> Add Inline Images to Pricing Tables.  
> One-Click WooCommerce Integration.  
> Priority Email Support.  
> Pricing Toggles (switch between multiple pricing tables – eg. currencies or monthly/yearly pricing.  
> And much more….
> 
> Learn more about Easy Pricing Tables Premium >>

**Overview**

Easy Pricing Tables is the first WordPress pricing table plugin built specifically for the block editor.

Building pricing tables on your site has never been easier. Simply add the pricing table block to your post, fill in your prices and features, and publish.

No coding required. Easy Pricing Tables lets anyone create a responsive pricing table in just a few minutes.

**Easy Pricing Tables – WordPress Pricing Table Plugin Features**

*   Build beautiful WordPress pricing tables in minutes.
    
*   Works with any WordPress theme.
    
*   Responsive WordPress Pricing Tables – responds to fit any device.
    
*   Easy Pricing Tables implements conversion rate optimization (CRO) best practices and guides you through the process of creating a pricing table that converts.
    
*   Easy Pricing Tables works with any WordPress theme you have installed. Use the pricing table block to build pricing tables in the post editor, or build in the plugin dashboard and add to your page via shortcode.
    
*   Gutenberg / WordPress 5.0 compatible. Not just compatible. Easy Pricing Tables is built specifically for the block editor.
    
*   Intuitive User Interface – building pricing tables has never been easier. Point and click to edit your table.
    
*   Create unlimited pricing table rows.
    
*   Customize your pricing table design with color pickers, font pickers and native design settings.
    
*   Reorder pricing table columns with one click.
    
*   Featured Column – draw people to your most popular products by highlighting a featured column.
    
*   Save pricing tables as reusable blocks to add in multiple posts or pages.
    
*   Shortcode support for use with classic editor and page builders.
    
*   Add PayPal payment links, Stripe payment links, or any other checkout link to your pricing table buttons.
    
*   Automatically match column heights to keep rows aligned.
    
*   Customize text size and formatting with one click.
    
*   Check out Easy Pricing Tables Premium
    

**WordPress.org Support**

> As this is the lite version of this WordPress pricing table plugin, the only support we offer through these forums is for bugs. Support for questions regarding modifying your pricing tables, writing custom CSS, etc is available for customers of Easy Pricing Tables Premium.

**Privacy Disclosure**

This plugin does not store any personal data.

Our full privacy policy is available here: https://fatcatapps.com/legal/privacy-policy/

This plugin provides 2 blocks.

*   Easy Pricing Table
*   Pricing Tables (Legacy)

1.  Upload the Easy Pricing Tables plugin file (easy-pricing-tables.zip) to the /wp-content/plugins/ directory
2.  Activate the plugin through the ‘Plugins’ menu in WordPress
3.  In your sidebar, select ‘Pricing Tables -> Add New’ to create a new table

**Can I use Easy Pricing Tables with Elementor?**

Yes, Easy Pricing Tables is compatible with Elementor and any other page builder plugin that supports shortcodes.

To add a pricing table anywhere other than the block editor, go to the Easy Pricing Tables plugin dashboard, create your table, and add it to your post with the shortcode provided.

**How can I save pricing tables to publish in multiple parts of my site?**

Create your pricing table and save it as a reusable block. Choose this reusable block anywhere you wish to add your pricing table.

**How do I change the width of my pricing table?**

Your pricing tables will fit to the content area your theme allows. You can edit how wide or narrow it appears with the “change alignment” setting (in the settings toolbar above the block). Change the alignment settings to set how much of the content area your pricing table fits to (e.g. “wide width” or “full width”).

**How can I integrate Easy Pricing Tables with WooCommerce?**

Easy Pricing Tables premium comes with a one-click integration to add WooCommerce products to your pricing table. Check out Easy Pricing Tables Premium here.

Looks great, is fluid, and customisable. Perfect. Love it.

Easy to setup and works beatifully. Love that you can include logo images in table.

Been using this plugin for almost a year now, the legacy version, works perfect for my needs.

Well, the free plugin is complete waste of time.

Great plugin for creating pricing tables.

Read all 128 reviews

“Pricing Tables WordPress Plugin – Easy Pricing Tables” is open source software. The following people have contributed to this plugin.

Contributors

CVE-2021-36866: Pricing Tables WordPress Plugin – Easy Pricing Tables

EnemyBot DDoS botnet is rapidly weaponizing security bugs disclosed in CMS systems like WordPress plug-ins, Android devices, commercial Web servers, and other enterprise applications.

An Internet of Things (IoT) botnet dubbed “EnemyBot" is expanding its front lines to target security vulnerabilities in enterprise services — potentially leading to it being a much more virulent threat than it has been, researchers say.

EnemyBot, which is controlled by a threat actor known as Keksec, is a Linux botnet that emerged on the malware scene in late March. It shares source code with two other well-known botnets, Gafgyt (aka Bashlite) and the mighty Mirai, according to a prior analysis from Fortinet. Like those threats, EnemyBot is used to carry out distributed denial-of-service (DDoS) attacks. Other aspects of the code include smaller elements from Qbot and other malware, and some custom development.

While it began life focusing on adding IoT devices and routers to its botnet footprint, EnemyBot has now evolved to add remote code execution (RCE) exploits for a host of popular business applications, including VMware Workspace ONE, Adobe ColdFusion, WordPress sites (via vulnerable plug-ins like Video Synchro PDF), PHP Scriptcase, and others, according to researchers at AT&T Labs. 

Researchers discovered that the group is using a mix of recent, so-called "one-day" bugs, as well as older known issues, looking to take advantage in lags in patching.

Keksec is "now targeting IoT devices, web servers, Android devices and content management system (CMS) servers," according to the firm's recent report, which notes that the latest version of EnemyBot adds a webscan function containing a total of 24 exploits to attack vulnerabilities of different devices and Web servers and self-propagate. 

The enterprise-focused exploits that were recently added include:

*   Log4Shell vulns: CVE-2021-44228, CVE-2021-45046
*   F5 BIG IP devices: CVE-2022-1388
*   Spring Cloud Gateway: CVE-2022-22947
*   TOTOLink A3000RU wireless router: CVE-2022-25075
*   Kramer VIAWare: CVE-2021-35064
*   PHP Scriptcase: No CVE yet assigned
*   Adobe ColdFusion 11: No CVE yet assigned

"The nature of devices and systems targeted through EnemyBot is different than vulnerabilities aimed at corporate datacenters," Bud Broomhead, CEO at Viakoo, tells Dark Reading. "WordPress installations, Android devices, IoT devices and other targets for EnemyBot are all widely deployed (therefore might be hard to find), are operated by organizations of all sizes, and are often managed by lines of business that lack cybersecurity skills."

**EnemyBot: A Super Soldier?**

In addition to the DDoS capabilities, EnemyBot can also receive commands to download and execute new code that could add to its functions or update its vulnerability list, according to the analysis. This means that, worryingly, the malware can adopt new vulnerabilities within days of those issues being discovered, researchers warned, as seen when it added a bug tracked as CVE-2022-22954 affecting VMware Workspace ONE, almost immediately after disclosure.

Sean Malone, CISO at Demandbase, says that given its rapid development, EnemyBot and others like it present a new urgency for enterprise defenders.

"The rapid weaponization of newly released vulnerabilities highlights the need to be able to patch almost instantaneously when new vulnerabilities are identified," he tells Dark Reading. "We should assume that every piece of software, every application development framework, and every IoT device will have a critical vulnerability identified at some point. Our architectures should be designed to limit the available attack surface, and mitigate the blast radius of a compromised system through defense-in-depth measures."

That should include adding the ability to profile systems and network traffic to know what normal looks like, and alert when the system activity and network traffic deviates from that baseline, he adds.

"This botnet emphasizes the need for rapid patching of internet facing devices and the risks of running apps in the cloud," says John Bambenek, principal threat hunter at Netenrich. "This traffic is easily spotted on the wire, but in typical cloud deployments, organizations aren’t able to run network intrusion detection. If organizations aren’t running NIDS or rapidly patching, they are both blind and vulnerable."

**Keksec & EnemyBot's Future**

For its part, Keksec is a well-resourced group that has been around since 2016, making a name for itself by creating various botnets-for-hire. It's known for exploiting vulnerabilities to invade multiple architectures with polymorphic tools (these can include Linux and Windows payloads, as well as custom Python malware), in order to accomplish everything from DDoS to cryptomining to espionage.

For instance, last year the operators made headlines with the "Simps" botnet, which was built for DDoS attacks on gaming targets. Another of its creations is the HybridMQ-keksec botnet, a Frankenstein-like effort created by combining and modifying the source code of Mirai and Gafgyt, just like EnemyBot.

Keksec is constantly adding to its arsenal, and "has the ability to update and add new capabilities to its arsenal of malware on a daily basis," the AT&T Labs researchers note. And indeed, with the new ability to compromise enterprise services and devices, EnemyBot could be poised to ramp up the volume of its attacks.

"In addition, the malware base source code can now be found online on GitHub, making it widely accessible," according to AT&T Labs, whose researchers also note that this won't be the only new EnemyBot variant to bubble up from Keksec's laboratory. "The developer of the GitHub page on EnemyBot self-describes as a 'full time malware dev,' that is also available for contract work."

That spells swelling attack volumes, researchers warn.

"Being available through GitHub means that many types of threat actors, from professional cybercriminals to amateurs, will be able to adapt EnemyBot into new and multiple variants," says Broomhead. "Without question, this is a red-lights-flashing warning sign for organizations to improve their discovery, threat assessment, and remediation capabilities."

EnemyBot Puts Enterprises in the Crosshairs With Raft of '1-Day' Bugs

Technique skirts web security controls

A security researcher has discovered a neat, albeit partially developed, technique to bypass CSP (Content Security Policy) controls using WordPress.

The hack, discovered by security researcher Paulos Yibelo, relies on abusing same origin method execution.

This technique uses JSON padding to call a function. That’s the sort of thing that might allow the compromise of a WordPress account but only with the addition of a cross-site scripting (XSS) exploit, which the researcher doesn’t have as yet.

Catch up with the latest WordPress related security news

Yibelo told The Daily Swig that they have not gone as far as attempting the trick on live sites, restricting exploits to a test research site they themselves owned.

“I haven’t really attempted to because it requires a logged in WordPress user or admin to visit my website, so I install the plugin and have a HTML injection – which is illegal to do,” Yibelo explained, adding they hadn’t attempted to exploit the bug in the wild on bug bounty sites either.

The researcher added that they reported it to WordPress three months ago via HackerOne. After failing to get a reply, Yibelo went public with the findings through a technical blog post.

**Endpoint endgame**

Attacks are potentially possible in two scenarios: 1) websites that don’t use WordPress directly but have an endpoint of WordPress on the same-domain or subdomain, and 2) a website hosted on WordPress with a CSP header.

The potential impact is severe, as Yibelo’s blog post explains:

If an attacker finds an HTML injection vulnerability within the main domain (ex: website1.com – not WordPress,) using this vulnerability, they can use a WordPress endpoint to upgrade a useless HTML Injection to a full blown XSS that can be escalated to perform \[remote code execution\] RCE. This means having WordPress anywhere on the site defeats the purpose of having a secure CSP.

The Daily Swig invited WordPress’s core development team to comment on the research. No word back, as yet, but we’ll update this story as and when we hear more.

Yibelo concluded: “I hope Wordpress fixes it so CSP stays relevant on sites that host a WordPress endpoint.”

Content Security Policy is a technology set by websites and used by browsers that can block external resources and prevent XSS attacks.

YOU MAY ALSO LIKE WordPress theme Jupiter patches critical security hole

Researcher goes public with WordPress CSP bypass hack

As many as 47,337 malicious plugins have been uncovered on 24,931 unique websites, out of which 3,685 plugins were sold on legitimate marketplaces, netting the attackers $41,500 in illegal revenues.
The findings come from a new tool called YODA that aims to detect rogue WordPress plugins and track down their origin, according to an 8-year-long study conducted by a group of researchers from the

As many as 47,337 malicious plugins have been uncovered on 24,931 unique websites, out of which 3,685 plugins were sold on legitimate marketplaces, netting the attackers $41,500 in illegal revenues.

The findings come from a new tool called YODA that aims to detect rogue WordPress plugins and track down their origin, according to an 8-year-long study conducted by a group of researchers from the Georgia Institute of Technology.

"Attackers impersonated benign plugin authors and spread malware by distributing pirated plugins," the researchers said in a new paper titled "**Mistrust Plugins You Must**."

"The number of malicious plugins on websites has steadily increased over the years, and malicious activity peaked in March 2020. Shockingly, 94% of the malicious plugins installed over those 8 years are still active today."

The large-scale research entailed analyzing WordPress plugins installed in 410,122 unique web servers dating all the way back to 2012, finding that plugins that cost a total of $834,000 were infected post-deployment by threat actors.

YODA can be integrated directly into a website and a web server hosting provider, or deployed by a plugin marketplace. In addition to detecting hidden and malware-rigged add-ons, the framework can also be used to identify a plugin's provenance and its ownership.

It achieves this by performing an analysis of the server-side code files and the associated metadata (e.g., comments) to detect the plugins, followed by carrying out a syntactic and semantic analysis to flag malicious behavior.

The semantic model accounts for a wide range of red flags, including web shell, function to insert new posts, password-protected execution of injected code, spam, code obfuscation, blackout SEO, malware downloader, malvertising, and cryptocurrency miners.

Some of the noteworthy findings are as follows -

*   3,452 plugins available in legitimate plugin marketplaces facilitated spam injection
*   40,533 plugins were infected post-deployment across 18,034 websites
*   Nulled plugins — WordPress plugins or themes that have been tampered to download malicious code on the servers — accounted for 8,525 of the total malicious add-ons, with roughly 75% of the pirated plugins cheating developers out of $228,000 in revenues

"Using YODA, website owners and hosting providers can identify malicious plugins on the web server; plugin developers and marketplaces can vet their plugins before distribution," the researchers pointed out.

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

YODA Tool Found ~47,000 Malicious WordPress Plugins Installed in Over 24,000 Sites

Malware borrows generously from code used by other botnets such as Mirai, Qbot and Zbot.

Malware borrows generously from code used by other botnets such as Mirai, Qbot and Zbot.

A rapidly evolving IoT malware dubbed “EnemyBot” is targeting content management systems (CMS), web servers and Android devices. Threat actor group “Keksec” is believed behind the distribution of the malware, according to researchers.

“Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices,” reported AT&T Alien labs in a recent post. “The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities,” they added.

 According to AT&T’s analysis of the malware‘s code base, EnemyBot borrows generously from code used by other botnets such as Mirai, Qbot and Zbot. The Keksec group distributes the malware by targeting Linux machines and IoT devices, this threat group was formed back in 2016 and includes several botnet actors.

****EnemyBot Working****

The Alien lab research team study found four main sections of the malware.

The first section is a python script ‘cc7.py’, used to download all dependencies and compile the malware into different OS architectures (x86, ARM, macOS, OpenBSD, PowerPC, MIPS). After compilation, a batch file “update.sh” is created and used to spread the malware to vulnerable targets.

The second section is the main botnet source code, which includes all the other functionality of the malware excluding the main part and incorporates source codes of the various botnets that can combine to perform an attack.

The third module is obfuscation segment “hide.c” and is compiled and executed manually to encode /decode the malware strings. A simple swap table is used to hide strings and “each char is replaced with a corresponding char in the table” according to researchers.

The last segment includes a command-and-control (CC) component to receive vital actions and payloads from attackers.

AT&T researcher’s further analysis revealed a new scanner function to hunt vulnerable IP addresses and an “adb\_infect” function that is used to attack Android devices.

ADB or Android Debug Bridge is a command-line tool that allows you to communicate with a device.

“In case an Android device is connected through USB, or Android emulator running on the machine, EnemyBot will try to infect it by executing shell command,” said the researcher.

“Keksec’s EnemyBot appears to be just starting to spread, however due to the authors’ rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers,” the researchers added.

This Linux-based botnet EnemyBot was first discovered by Securonix in March 2022, and later in-depth analysis was done by Fortinet.

****Vulnerabilities Currently Exploited by EnemyBot****

The AT&T researchers release a list of vulnerabilities that are currently exploited by the Enemybot, some of them are not assigned a CVE yet.

The list includes Log4shell vulnerability (CVE-2021-44228, CVE-2021-45046), F5 BIG IP devices (CVE-2022-1388), and others. Some of the vulnerabilities were not assigned a CVE yet such as PHP Scriptcase and Adobe ColdFusion 11.

*   Log4shell vulnerability – CVE-2021-44228, CVE-2021-45046
*   F5 BIG IP devices – CVE-2022-1388
*   Spring Cloud Gateway – CVE-2022-22947
*   TOTOLink A3000RU wireless router – CVE-2022-25075
*   Kramer VIAWare – CVE-2021-35064

“This indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread,” the researcher explained.

****Recommended Actions** **

The Alien lab researcher suggests methods to protect from the exploitation. Users are advised to use a properly configured firewall and focus on reducing Linux server and IOT devices’ exposure to the internet.

Another action recommended is to monitor the network traffic, scan the outbound ports and look for the suspicious bandwidth usage. Software should be updated automatically and patched with the latest security update.

EnemyBot Malware Targets Web Servers, CMS Tools and Android OS

Validation check loopholes exposed

Malicious actors can take unauthorized ownership of online accounts even before their victims sign up for services, according to new research backed by the Microsoft Security Response Center (MSRC).

Dubbed ‘account pre-hijacking’, the class of attack involves an attacker setting an account takeover exploit in motion before the victim has even registered with an online service. After the victim signs up, the attacker takes advantage of security holes in the service’s authentication mechanisms to access or take ownership of the newly-created account.

The study (PDF) found dozens of high-traffic services to be vulnerable to at least one type of pre-hijacking attack. The research sheds light on the security issues surrounding account creation, a seldom scrutinised issue.

**More than one way to pre-hijack an account**

The research was supported by one of the Identity Project Research Grants awarded by the MSRC in early 2020.

“In this project, we explored several topics, but soon noticed a pattern emerging around the ‘pre-hijacking’ threat model,” Andrew Paverd, a senior researcher at MSRC, and independent researcher Avinash Sudhodanan told The Daily Swig.

Account pre-hijacking assumes that the victim doesn’t yet have an account on the target service and the attacker knows the email and other basic details of the victim. The researchers discovered five types of pre-hijacking attack scenarios.

Some take advantage of multiple account creation modes supported by many online services. On many websites, users can directly provide an email address and password to create their account or use federated authentication by using a consumer-focused single sign-on (SSO) service, as provided by the likes of Facebook, Google, and Microsoft.

DON’T FORGET TO READ Security ‘researcher’ hits back against claims of malicious CTX file uploads

For example, in one type of attack, the attacker creates an account with the victim’s email address. The victim then creates an account using the federated approach. In some services, this merges the attacker’s and victim’s accounts, giving them both simultaneous access to the same account.

In another type of attack, the attacker creates an account with the victim’s email and associates their own federated identity to the same account. When the victim tries to create their account, they will be prompted to reset their password. The victim will obtain access to the account, but the attacker will also be able to access the account through the SSO identity.

The researchers said: “It’s very positive to see how many online services are moving towards single sign-on \[but\] this means that they might have to support multiple login mechanisms. This in itself is not necessarily an issue, and many services do this securely.

“Our research simply points out some subtle pitfalls to be aware of when supporting multiple login mechanisms,” the researchers added.

**Switch hitter**

Paverd and Sudhodanan pointed out that three of the attacks they found do not require the service to support multiple login mechanisms.

For example, in one scheme, the attacker’s session might remain active even after the victim recovers their account and resets the password.

Catch up on the latest authentication news and analysis

In yet another scenario, the attacker creates an account with the victim’s email and initiates an email change request to the attacker’s own email address. The attacker then waits for the victim to claim the account before completing the email change request and taking ownership of the account.

**Top services affected**

In their study, the researchers examined 75 services that ranked among Alexa’s list of top-150 high-traffic domains. At least 35 were affected by one or more account pre-hijacking attacks, including Dropbox, Instagram, LinkedIn, WordPress.com, and Zoom. Fortunately, all the affected services were notified of the vulnerabilities and have implemented the necessary fixes.

“We think that a lack of awareness may have been the main cause of these potential vulnerabilities. We are therefore publishing this research to raise awareness and help organizations mitigate these vulnerabilities,” Paverd and Sudhodanan said.

The most important takeaway, the researchers concluded, is “to verify that the user actually owns any user-supplied identifiers (e.g., email address or phone number) before using them to create a new account or adding them to an existing account”. This would mitigate all types of pre-hijacking attacks identified to date.

The researchers’ paper also describes several other possible defense-in-depth strategies.

They recommended that users enable multi-factor authentication (MFA) whenever possible because it stops most pre-hijacking attacks they uncovered.

Another sign of account pre-hijacking is receiving an email about an account that you did not create, which users usually ignore. “Report this to the relevant website,” the researchers said.

YOU MAY ALSO LIKE Tails users warned not to launch bundled Tor browser until security hole is fixed

Dozens of high-traffic websites vulnerable to ‘account pre-hijacking’, study finds

WordPress User Meta Lite and Pro plugin versions 2.4.3 and below suffer from a path traversal vulnerability.

RCE Security Advisory  
https://www.rcesecurity.com

1. ADVISORY INFORMATION  
=======================  
Product:        User Meta  
Vendor URL:     https://wordpress.org/plugins/user-meta  
Type:           Relative Path Traversal [CWE-23]  
Date found:     2022-02-28  
Date published: 2022-05-24  
CVSSv3 Score:   4.3 (CVSS:3.0/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N)  
CVE:            CVE-2022-0779

2. CREDITS  
==========  
This vulnerability was discovered and researched by Julien Ahrens from  
RCE Security.

3. VERSIONS AFFECTED  
====================  
User Meta Lite 2.4.3 and below  
User Meta Pro 2.4.3 and below

4. INTRODUCTION  
===============  
An easy-to-use user profile and management plugin for WordPress that allows  
user login, reset-password, profile update and user registration with extra  
fields, all on front-end and many more. User Meta Pro is a versatile user  
profile builder and user management plugin for WordPress that has the most  
features on the market. User Meta aims to be your only go to plugin for  
user management.

(from the vendor's homepage)

5. VULNERABILITY DETAILS  
========================  
The WordPress ajax action "um_show_uploaded_file" is vulnerable to an  
authenticated path traversal when user-supplied input to the HTTP POST  
parameter "filepath" is processed by the web application. Since the application  
does not properly validate and sanitize this parameter, it is possible to  
enumerate local server files using a blind approach. This is because the  
application doesn't return the contents of the referenced file but instead  
returns different form elements based on whether a file exists or not.

The following Proof-of-Concept triggers this vulnerability:

POST /wp-admin/admin-ajax.php HTTP/1.1  
Host: localhost  
Content-Length: 147  
Content-Type: application/x-www-form-urlencoded; charset=UTF-8  
Cookie: [your-wordpress-auth-cookies]  
Connection: close

field_name=[your-field-name]&filepath=/../../../../../etc/passwd&field_id=[your-field-id]&form_key=[your-form-key]&action=um_show_uploaded_file&pf_nonce=[your-auth-nonce]&is_ajax=true

6. RISK  
=======  
The vulnerability can be used by an authenticated attacker to enumerate  
local server files based on a blind approach.

7. SOLUTION  
===========  
Update to User Meta/User Meta Pro 2.4.4

8. REPORT TIMELINE  
==================  
2022-02-28: Discovery of the vulnerability  
2022-02-28: WPScan (CNA) assigns CVE-2022-0779  
2022-03-03: Contacted the vendor via their contact form  
2022-03-06: Vendor response, acknowledgement of the issue  
2022-03-18: Version 2.4.2 is released  
2022-03-22: Vulnerability is still exploitable since fix was applied only client-side. Contacted vendor again.  
2022-04-13: No response, contacted vendor again  
2022-04-18: Vendor added a new fix to version 2.4.3. Asked to retest.  
2022-04-19: Vulnerability is still exploitable due to a logic bug in the fix. Contacted vendor again.  
2022-04-29: Vendor asks whether another fix in version 2.4.4 is fine  
2022-05-16: Fix seems to work  
2022-05-24: Public disclosure

9. REFERENCES  
=============  
https://github.com/MrTuxracer/advisories

WordPress User Meta Lite / Pro 2.4.3 Path Traversal

A nascent Linux-based botnet named Enemybot has expanded its capabilities to include recently disclosed security vulnerabilities in its arsenal to target web servers, Android devices, and content management systems (CMS).
"The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities," AT&T Alien Labs said in a technical write-up published last week. "Services

A nascent Linux-based botnet named **Enemybot** has expanded its capabilities to include recently disclosed security vulnerabilities in its arsenal to target web servers, Android devices, and content management systems (CMS).

"The malware is rapidly adopting one-day vulnerabilities as part of its exploitation capabilities," AT&T Alien Labs said in a technical write-up published last week. "Services such as VMware Workspace ONE, Adobe ColdFusion, WordPress, PHP Scriptcase and more are being targeted as well as IoT and Android devices."

First disclosed by Securonix in March and later by Fortinet, Enemybot has been linked to a threat actor tracked as Keksec (aka Kek Security, Necro, and FreakOut), with early attacks targeting routers from Seowon Intech, D-Link, and iRZ.

Enemybot, which is capable of carrying out DDoS attacks, draws its origins from several other botnets like Mirai, Qbot, Zbot, Gafgyt, and LolFMe. An analysis of the latest variant reveals that it's made up of four different components -

*   A Python module to download dependencies and compile the malware for different OS architectures
*   The core botnet section
*   An obfuscation segment designed to encode and decode the malware's strings, and
*   A command-and-control functionality to receive attack commands and fetch additional payloads

Also incorporated is a new scanner function that's engineered to search random IP addresses associated with public-facing assets for potential vulnerabilities, while also taking into account new bugs within days of them being publicly disclosed.

"In case an Android device is connected through USB, or Android emulator running on the machine, EnemyBot will try to infect it by executing \[a\] shell command," the researchers said, pointing to a new "adb\_infect" function. ADB refers to Android Debug Bridge, a command-line utility used to communicate with an Android device.

Besides the Log4Shell vulnerabilities that came to light in December 2021, this includes recently patched flaws in Razer Sila routers (no CVE), VMware Workspace ONE Access (CVE-2022-22954), and F5 BIG-IP (CVE-2022-1388) as well as weaknesses in WordPress plugins like Video Synchro PDF.

Other weaponized security shortcomings are below -

*   **CVE-2022-22947** (CVSS score: 10.0) - A code injection vulnerability in Spring Cloud Gateway
*   **CVE-2021-4039** (CVSS score: 9.8) - A command injection vulnerability in the web interface of the Zyxel
*   **CVE-2022-25075** (CVSS score: 9.8) - A command injection vulnerability in TOTOLink A3000RU wireless router
*   **CVE-2021-36356** (CVSS score: 9.8) - A remote code execution vulnerability in KRAMER VIAware
*   **CVE-2021-35064** (CVSS score: 9.8) - A privilege escalation and command execution vulnerability in Kramer VIAWare
*   **CVE-2020-7961** (CVSS score: 9.8) - A remote code execution vulnerability in Liferay Portal

What's more, the botnet's source code has been shared on GitHub, making it widely available to other threat actors. "I assume no responsibility for any damages caused by this program," the project's README file reads. "This is posted under Apache license and is also considered art."

"Keksec's Enemybot appears to be just starting to spread, however due to the authors' rapid updates, this botnet has the potential to become a major threat for IoT devices and web servers,'' the researchers said.

"This indicates that the Keksec group is well resourced and that the group has developed the malware to take advantage of vulnerabilities before they are patched, thus increasing the speed and scale at which it can spread."

Found this article interesting? Follow THN on Facebook, Twitter __ and LinkedIn to read more exclusive content we post.

EnemyBot Linux Botnet Now Exploits Web Server, Android and CMS Vulnerabilities

The Simple Real Estate Pack WordPress plugin through 1.4.8 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks when the unfiltered_html capability is disallowed

Tag

#wordpress