35 Unrestricted Access APR 2021 – WP Security Circumvention

28 Unrestricted Access APR 2021

Managed WordPress Security Report

Be informed about the latest Unrestricted Access APR 2021 – WP Security Circumvention, identified and reported publicly. These breaches create even more problems and vulnerability exploitation with a severe negative impact on any WordPress Security. Consider our FREE security AUDIT.

An estimated 2.630.000+ active WordPress installations are susceptible to these attack types, considering only the publicly available numbers. The estimated number can double with premium versions as they are private purchases.

Furthermore, the initial estimation can multiply if we consider the already patched versions BUT NOT UPDATED by owners, as the vulnerability remains active within their domain. As these owners start changing their hosting provider (due to constant unexplained issues), they actively migrate these vulnerabilities behind protected areas, possibly exposing other clean WP to different attack types.

It is a 600% increase compared to December 2020. We compare last month versus previous winter holiday season, which has the biggest shopping traffic and attack spike throughout the year. Read more about our previous report here: 28 Unrestricted Access MAR 2021 – WP Security Circumvention and 5 Unrestricted Access Issues – WordPress Security DEC. The following cases made headlines PUBLICLY just last month in the SQL Injections APR 2021 category:

---

• captchinoo-captcha-for-login-form-protection – Arbitrary Plugin Installation/Activation via Low Privilege User
  • This plugin has been closed as of March 23, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• wp-maintenance-mode-site-under-construction – Arbitrary Plugin Installation/Activation via Low Privilege User
  • This plugin has been closed as of March 23, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• tree-website-map – Arbitrary Plugin Installation/Activation via Low Privilege User
  • This plugin has been closed as of March 23, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• Visitor Traffic Real Time Statistics – Arbitrary Plugin Installation/Activation via Low Privilege User
  • Visitor Traffic Real Time Statistics is a Counter and statistics plugin for WordPress to display your WordPress blog statistics and traffic. Ranging from general total statistics. Active installations: 50,000+

---

• Login Protection – Limit Failed Login Attempts – Arbitrary Plugin Installation/Activation via Low Privilege User
  • This plugin will block an Internet address (IP) or username from making further attempts after a specified limit on retries has been reached. Informs the user about the remaining retries or lockout time on the login page. Active installations: 400+

---

• Login as User or Customer (User Switching) – Arbitrary Plugin Installation/Activation via Low Privilege User
  • This plugin allows you to quickly swap between user accounts in WordPress (in one click). This is very helpful for admins or customer support users to access any user account in one click. Active installations: 400+

---

• Redirection for Contact Form 7 < 2.3.4 – Authenticated Arbitrary Plugin Installation
• Redirection for Contact Form 7 < 2.3.4 – Authenticated Arbitrary Post Deletion
• Redirection for Contact Form 7 < 2.3.4 – Authenticated PHP Object Injection
• Redirection for Contact Form 7 < 2.3.4 – Unauthenticated Arbitrary Nonce Generation
• Redirection for Contact Form 7 < 2.3.4 – Unprotected AJAX Actions
  • The ultimate add-on for Contact Form 7 – redirect to any page you choose after mail sent successfully, firing scripts after submission, save submissions in database, and much more options to make Contact Form 7 poweful then ever. Active installations: 200,000+

---

• WordPress Newsletter by AcyMailing SMTP Newsletter < 7.5.0 – Unauthenticated Open Redirect
  • Build better newsletters : faster, easier & automated. AcyMailing is one of the best newsletter automation tools for successful marketing campaigns. Active installations: 5,000+

---

• Business Directory Plugin – Easy Listing Directories for WordPress < 5.11 – Arbitrary File Upload to RCE
• Business Directory Plugin – Easy Listing Directories for WordPress < 5.11.1 – Authenticated PHP4 Upload to RCE
• Business Directory Plugin – Easy Listing Directories for WordPress < 5.11.2 – Arbitrary Listing Export
• Business Directory Plugin – Easy Listing Directories for WordPress < 5.11.2 – Arbitrary Listing Export
  • Are you looking for a simple directory website builder for WordPress? With Business Directory Plugin, you can be in control without a developer. Active installations: 20,000+

---

• Business Hours Pro <= 5.5.0 – Unauthenticated Arbitrary File Upload to RCE
  • No known fix – This item is no longer available

---

• Classyfrieds <= 3.8 – Authenticated Arbitrary File Upload to RCE
  • No known fix – plugin closed

---

• College Publisher Import <= 0.1 – Arbitrary File Upload to RCE
  • This plugin has been closed as of April 12, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• WordPress Download Manager < 3.1.19 – Authenticated (author+) PHP4 File Upload to RCE
• WordPress Download Manager < 3.1.23 – Unauthorised Asset Manager Usage
  • WordPress Download Manager is a Files / Documents Management Plugin to manage, track and control file downloads from your WordPress Site. Use Passwords, User Roles to control access to your files, control downloads by speed or by putting a limit on download count per user, block bots or unwanted users or spammers using Captcha Lock or IP Block feature, you may also ask users to agree with your terms and conditions before they download. Active installations: 100,000+

---

• Event Banner <= 1.3 – Arbitrary File Upload to RCE
  • No known fix – plugin closed

---

• Imagements <= 1.2.5 – Unauthenticated Arbitrary File Upload to RCE
  • This plugin has been closed as of April 2, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• iThemes Security (formerly Better WP Security) FREE < 7.9.1 – Hide Backend Bypass
• iThemes Security (formerly Better WP Security) PRO < 6.8.4 – Hide Backend Bypass
  • iThemes Security (formerly Better WP Security) gives you over 30+ ways to secure and protect your WordPress site. On average, 30,000 new websites are hacked each day. WordPress sites can be an easy target for attacks because of plugin vulnerabilities, weak passwords and obsolete software. Active installations: 1+ million

---

• Modern WPBakery Page Builder Addons (formerly Visual Composer) | Add-ons 0-day – Unauthenticated Arbitrary File Upload
  • No known fix. This item is no longer available.

---

• WP Content Copy Protection & No Right Click – Arbitrary Plugin Installation/Activation via Low Privilege User
  • This wp plugin protect the posts content from being copied by any other web site author , you dont want your content to spread without your permission!! Active installations: 100,000+

---

• Conditional Marketing Mailer for WooCommerce – Arbitrary Plugin Installation/Activation via Low Privilege User
  • All notices can be created and active on your website. Each notice can have a different set of conditions that need to be met for the notice to be sent. Notices can be in published or draft status. Only published notices will be active on the site. Active installations: 80+

---

• Store Locator Plus <= 5.5.14 – Authenticated Privilege Escalation
  • This plugin has been closed as of April 12, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• Tutor LMS – eLearning and online course solution < 1.8.8 – Authenticated Local File Inclusion
  • Tutor is a complete, feature-packed and robust WordPress LMS plugin to create & sell courses online easily. All the features of this learning management system hits all the checkpoints for a full-fledged online course marketplace. You can create challenging and fun quizzes, interactive lessons, powerful reports and stats making Tutor potentially the best free WordPress LMS plugin. Manage, administer and monetize your education, online school, and online courses without having to write a single line of code. Active installations: 30,000+

---

• User Rights Access Manager < 1.0.4 – Improper Access Controls
  • User Rights Access Manager is a lightweight and powerful plugin that grants you complete control on your admin area’s content by restricting access of admin menus, submenus, post-types to specific user or specific user roles. Active installations: 700+

---

• WordPress Download Manager < 3.1.18 – Unauthorised Download Duplication
  • WordPress Download Manager is a Files / Documents Management Plugin to manage, track and control file downloads from your WordPress Site. Use Passwords, User Roles to control access to your files, control downloads by speed or by putting a limit on download count per user, block bots or unwanted users or spammers using Captcha Lock or IP Block feature, you may also ask users to agree with your terms and conditions before they download. Active installations: 100,000+

---

• WP Fastest Cache < 0.9.1.7 – Authenticated Arbitrary File Deletion via Path Traversal
  • In the premium version there are many features such as Minify Html, Minify Css, Enable Gzip Compression, Leverage Browser Caching, Add Expires Headers, Combine CSS, Combine JS, Disable Emoji. Active installations: 1+ million

---

• WPBakery Page Builder Clipboard < 4.5.8 – Unauthorised Arbitrary License Options Update
  • WPBakery Page Builder (Visual Composer) Clipboard allows you to copy/cut and paste single content elements or stack of content elements across pages without ever leaving WPBakery Page Builder (back end) interface! Active installations: Not public info!

---

• WPGraphQL <= 1.3.5 – Denial of Service
  • WPGraphQL is a free, open-source WordPress plugin that provides an extendable GraphQL schema and API for any WordPress site. Active installations: 10,000+

BRIEF: Open and Unrestricted Access APR 2021 to anything within a website is one thing everybody considers to be a total disaster. Many employees have come to rely on the Internet both for work and day-to-day life. As such, they demand unrestricted access at work, and many company bosses have obliged. Without the knowledge to them, however, there may be a risk associated with this.

What is Unauthenticated Insecure Deserialisation?

Insecure Deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application, inflict a denial of service (DoS) attack, or even execute arbitrary code upon it being deserialized. If the function that is responsible for converting serial data into a structured object assumes that the data is trusted, an attacker may format the serial data in such a way that the result of deserialization is malicious. Unfortunately, many standard deserialization functions in programming languages assume that the data is safe.

What is Unauthenticated Backup Download?

The plugin does not restrict access to a BACKUP file containing sensitive information, such as the internal path of backups, which may then allow unauthenticated users to download them.

What is Unrestricted File Upload?

By exploiting this vulnerability, attackers could simply upload files of any type, bypassing all restrictions placed regarding the allowed upload-able file types on a website. By doing this, it allows an attacker to inject malicious content such as web shells into the sites, and providing a method for initial access into the system.

What is Login Rate Limiting Bypass?

When the plugin is configured with a custom header in its Trusted IP Origins setting (e.g X-Forwarded-For), attackers could bypass the protection offered by tampering the header sent in requests. When the plugin is configured to accept an arbitrary header as client source IP address, a malicious user is not limited to perform a brute force attack, because the client IP header accepts any arbitrary string. When randomizing the header input, the login count does never reach the maximum allowed retries.

What is Improper Authorisation Check?

An attacker could leverage these issues to dump the database including administrative user credentials, to steal cookie-based authentication credentials, or launch other attacks. An anonymous user may create a new dive entry with a crafted HTTP POST.

 

Related Posts to MANAGED WordPress Security: