26 Unrestricted Access AUG 2021 – WP Security Circumvention

Unrestricted Access AUG 2021

Managed WordPress Security Report

Be informed about the latest Unrestricted Access AUG 2021 – WP Security Circumvention, identified and reported publicly. These breaches create even more problems and vulnerability exploitation with a severe negative impact on any WordPress Security. Consider our FREE security AUDIT.

An jaw-dropping estimated 5.844.000+ active WordPress installations are susceptible to these attack types, considering only the publicly available numbers. The estimated number can double with premium versions as they are private purchases.

Furthermore, the initial estimation can multiply if we consider the already patched versions BUT NOT UPDATED by owners, as the vulnerability remains active within their domain. As these owners start changing their hosting provider (due to constant unexplained issues), they actively migrate these vulnerabilities behind protected areas, possibly exposing other clean WP to different attack types.

It is a mind-boggling 420% increase compared to December 2020. We compare last month versus previous winter holiday season, which has the biggest shopping traffic and attack spike throughout the year. Read more about our previous report here: 35 Unrestricted Access JUL 2021 – WP Security Circumvention and 5 Unrestricted Access Issues – WordPress Security DEC. The following cases made headlines PUBLICLY just last month in the Unrestricted Access AUG 2021 – WP Security Circumvention category:

---

• User Rights Access Manager – Access Restriction Bypass
  • This plugin has been closed as of July 19, 2022 and is not available for download. This closure is temporary, pending a full review.

---

• Image Export – Directory Traversal
  • This plugin has been closed and is no longer available for download.

---

• Simple eCommerce – Arbitrary File Upload
  • This plugin has been closed as of June 21, 2022 and is not available for download. Reason: Security Issue.

---

• Shopp eCommerce – Unauthenticated Arbitrary File Upload
  • This plugin has been closed as of June 29, 2022 and is not available for download. Reason: Security Issue.

---

• Fileviewer – Arbitrary File Upload/Deletion via CSRF
  • This plugin has been closed as of June 28, 2022 and is not available for download. Reason: Security Issue.

---

• Email Artillery – Multiple Authenticated SQL Injections
• Email Artillery – Multiple Reflected Cross-Site Scripting
• Email Artillery – CSRF to Stored XSS
• Email Artillery – Arbitrary File Upload
• Email Artillery – Multiple Authenticated SQL Injections
  • This plugin has been closed as of June 28, 2022 and is not available for download. Reason: Security Issue.

---

• WooCommerce – Authenticated Blind SQL Injection
  • WooCommerce is the world’s most popular open-source eCommerce solution. Our core platform is free, flexible, and amplified by a global community. The freedom of open-source means you retain full ownership of your store’s content and data forever. Active installations: 5+ million

---

• WP Cerber Security, Anti-spam & Malware Scan – Rest-API Protection Bypass
• WP Cerber Security, Anti-spam & Malware Scan – 2FA Authentication Bypass
  • Defends WordPress against hacker attacks, spam, trojans, and malware. Mitigates brute-force attacks by limiting the number of login attempts through the login form, XML-RPC / REST API requests, or using auth cookies. Tracks user and bad actors activity with flexible email, mobile and desktop notifications. Stops spammers by using a specialized anti-spam engine. Uses Google reCAPTCHA to protect registration, contact, and comments forms. Restricts access with IP Access Lists. Monitors the website integrity with an advanced malware scanner and integrity checker. Reinforces the security of WordPress with a set of flexible security rules and sophisticated security algorithms. Active installations: 200,000+

---

• Smash Balloon Social Post Feed – Unauthenticated Stored XSS
  • Display Facebook posts on your WordPress site. Completely customizable, responsive, search engine crawlable, and GDPR compliant Facebook feeds. Display unlimited Facebook feeds from your Facebook page or Facebook Group, and completely match the look and feel of your site with tons of customization options! Automatically powers any Facebook oEmbeds on your site. Active installations: 200,000+

---

• WooCommerce Blocks – Unauthenticated SQL Injection
  • WooCommerce Blocks are the easiest, most flexible way to display your products on posts and pages! Active installations: 200,000+

---

• BuddyPress – Activation Key Disclosure
• BuddyPress – SQL Injections
  • Are you looking for modern, robust, and sophisticated social network software? BuddyPress is a suite of components that are common to a typical social network, and allows for great add-on features through WordPress’s extensive plugin system. Active installations: 200,000+

---

• WordPress Download Manager – Authenticated Directory Traversal
• WordPress Download Manager – Authenticated File Upload
• WordPress Download Manager – Email Template Setting Update via CSRF
  • WordPress Download Manager is a Files / Documents Management Plugin to manage, track and control file downloads from your WordPress Site. Use Passwords, User Roles to control access to your files, control downloads by speed or by putting a limit on download count per user, block bots or unwanted users or spammers using Captcha Lock or IP Block feature, you may also ask users to agree with your terms and conditions before they download. Active installations: 100,000+

---

• Advanced Shipment Tracking for WooCommerce – Authenticated Options Change
  • Advanced Shipment Tracking (AST) provides all you need to manage and automate the WooCommerce fulfillment workflow. Easily add tracking information and fulfill orders, keep your customers informed, reduce time spent on post-shipping inquiries and increase overall customer satisfaction. Active installations: 50,000+

---

• HM Multiple Roles – Arbitrary Role Change
  • This HM Multiple Roles plugin provides a user interface and allows you to select multiple roles for a user. It hides the default role dropdown list and displays a list of role checkboxes for both new user and update user page. Multiple roles can be visible from the All User list page. Active installations: 500+

---

• Welcart e-Commerce – Unauthenticated Information Disclosure
• Welcart e-Commerce – Authenticated System Information Disclosure
  • Welcart is a free e-commerce plugin for WordPress with top market share in Japan. Welcart comes with many features and customizations for making an online store. You can easily create your own original online store. Active installations: 20,000+

---

• Post Grid, Post Carousel, & List Category Posts – by Smart Post Show – Unauthorised AJAX Calls
  • Smart Post Show (formerly Post Carousel) allows you to filter and display posts, pages, taxonomy (categories, tags, & post formats) in the beautiful carousel and grid layout easily without coding! The plugin helps you to create a beautiful post carousel or post grid in minutes for making your WordPress site content stand out and keep visitors engaged. Active installations: 10,000+

---

• Stop User Enumeration – REST API Bypass
  • Stop User Enumeration is a security plugin designed to detect and prevent hackers scanning your site for user names. User Enumeration is a type of attack where nefarious parties can probe your website to discover your login name. This is often a pre-cursor to brute-force password attacks. Stop User Enumeration helps block this initial attack and allows you to log IPs launching these attacks to block further attacks in the future. Active installations: 30,000+

---

• Visual Link Preview – Unauthorised AJAX Calls
  • Easily create a Facebook-like link preview for any link on your website. You can choose the image and text to display and create your very own custom template. The default template can be styled from the settings to match your website. Active installations: 9,000+

---

• Print My Blog – Print, PDF, & eBook Converter WordPress Plugin – Plugin Deactivation via CSRF
  • Offline publishing for you, site visitors, and the world outside WordPress. Print My Blog makes WordPress content useful outside of your website, like in print, PDFs, and other formats. Active installations: 4,000+

---

• WP Learn Manager – Unauthenticated Stored Cross-Site Scripting (XSS)
• WP Learn Manager – Unauthenticated Arbitrary User Field Edition/Creation
  • WP Learn Manager is extensive, featured rich and comprehensive learning management system for WordPress. WP Learn Manager comes with a lots of features like course list, course search with many filters, create course, create lectures, Add Quizzes, take lectures, enrollment, shortlist courses, Messaging, Social logins, Social sharing, Awards and many more. Active installations: 80+

---

• Cooked – Recipe Plugin – Unauthenticated Reflected Cross-Site Scripting (XSS)
  • Cooked is the absolute best way to create & display recipes with WordPress. SEO optimized (rich snippets), galleries, cooking timers, printable recipes and much more. Check out the full list below. Active installations: 8,000+

---

• WP Fusion Lite – Marketing Automation for WordPress – CSRF to Data Deletion
• WP Fusion Lite – Marketing Automation for WordPress – Reflected Cross-Site Scripting (XSS)
  • WP Fusion Lite synchronizes your WordPress users with leading CRMs and marketing automation systems, keeps user profiles in sync with CRM contact records, and lets you protect site content based on CRM tags. Active installations: 3,000+

---

• SP Project & Document Manager – Authenticated Shell Upload
• SP Project & Document Manager – Reflected Cross-Site Scripting
  • Project & Document management plugin, Remote file sharing, maintain and control unlimited number of documents, records, files, media, videos and images. You can create unlimited folders and sub folders to share, organize, manage client, student & supplier documents and accounts, control individual documents, and select specific file sharing of documents all in an easy to manage online process. Active installations: 3,000+

---

• Jock on air now – Authenticated Stored Cross-Site Scripting
• Jock on air now – Reflected Cross-Site Scripting
• Jock on air now – Arbitrary Plugin’s Settings Update via CSRF
  • Joan is a WordPress plugin that lets site admins easily manage and display a rotating programming schedule for radio or TV. Jock on air now (JOAN) displays the name of the current show and upcoming show with current time. If nothing is scheduled, it displays a custom message of your choice. Active installations: 1,000+

---

• Listing, Classified Ads & Business Directory – uListing – Unauthenticated SQL Injection
• Listing, Classified Ads & Business Directory – uListing – Authenticated IDOR
• Listing, Classified Ads & Business Directory – uListing – Authenticated Reflected XSS
• Listing, Classified Ads & Business Directory – uListing – Multiple CSRF
• Listing, Classified Ads & Business Directory – uListing – Modify User Roles via CSRF
• Listing, Classified Ads & Business Directory – uListing – Settings Update via CSRF
• Listing, Classified Ads & Business Directory – uListing – Unauthenticated Privilege Escalation
  • Developing listing and classified ads websites is a lucrative business opportunity, but in the past, it could be complicated to set up and maintain such a site. Doing it through WordPress previously meant investing quite a bit of money on a multitude of plugins that could be difficult to understand and to run together. Active installations: 3,000+

---

• Album and Image Gallery with Lightbox – Flagallery Photo Portfolio – Full Path Disclosure
• Album and Image Gallery with Lightbox – Flagallery Photo Portfolio – Reflected Cross-Site Scripting
• Album and Image Gallery with Lightbox – Flagallery Photo Portfolio – lib/hitcounter.php pid Parameter SQL Injection
• Album and Image Gallery with Lightbox – Flagallery Photo Portfolio – Reflected Cross-Site Scripting via wp-admin/admin.php skin parameter
• Album and Image Gallery with Lightbox – Flagallery Photo Portfolio – Multiple Vulnerabilities
  • Gallery Grand Flagallery – powerfull media and image gallery plugin. Easy interface for handling photos and image galleries. You can create a beautiful video gallery from YouTube, Vimeo. Active installations: 10,000+

BRIEF: Open and Unrestricted Access AUG 2021 to anything within a website is one thing everybody considers to be a total disaster. Many employees have come to rely on the Internet both for work and day-to-day life. As such, they demand unrestricted access at work, and many company bosses have obliged. Without the knowledge to them, however, there may be a risk associated with this.

What is Unauthenticated Insecure Deserialisation?

Insecure Deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application, inflict a denial of service (DoS) attack, or even execute arbitrary code upon it being deserialized. If the function that is responsible for converting serial data into a structured object assumes that the data is trusted, an attacker may format the serial data in such a way that the result of deserialization is malicious. Unfortunately, many standard deserialization functions in programming languages assume that the data is safe.

What is Unauthenticated Backup Download?

The plugin does not restrict access to a BACKUP file containing sensitive information, such as the internal path of backups, which may then allow unauthenticated users to download them.

What is Unrestricted File Upload?

By exploiting this vulnerability, attackers could simply upload files of any type, bypassing all restrictions placed regarding the allowed upload-able file types on a website. By doing this, it allows an attacker to inject malicious content such as web shells into the sites, and providing a method for initial access into the system.

What is Login Rate Limiting Bypass?

When the plugin is configured with a custom header in its Trusted IP Origins setting (e.g X-Forwarded-For), attackers could bypass the protection offered by tampering the header sent in requests. When the plugin is configured to accept an arbitrary header as client source IP address, a malicious user is not limited to perform a brute force attack, because the client IP header accepts any arbitrary string. When randomizing the header input, the login count does never reach the maximum allowed retries.

What is Improper Authorisation Check?

An attacker could leverage these issues to dump the database including administrative user credentials, to steal cookie-based authentication credentials, or launch other attacks. An anonymous user may create a new dive entry with a crafted HTTP POST.

 

MANAGED WordPress Security: Unrestricted Access AUG 2021 Related Posts