18 Unrestricted Access JAN 2021 – WP Security Circumvention

18 Unrestricted Access JAN 2021

WordPress Security Circumvention Report January 2022

Be informed about the latest Unrestricted Access JAN 2021 Circumvention, identified and reported publicly in January 2022. These breaches create even more problems and vulnerability exploitation with a severe negative impact on any WordPress Security. Consider our FREE security AUDIT.

An estimated 493.000 active WordPress installations are susceptible to these attack types, considering only the publicly available numbers. The estimated number can double with premium versions as they are private purchases.

Furthermore, the initial estimation can multiply if we consider the already patched versions BUT NOT UPDATED by owners, as the vulnerability remains active within their domain. As these owners start changing their hosting provider (due to constant unexplained issues), they actively migrate these vulnerabilities behind protected areas, possibly exposing other clean WP to different attack types.

It is a 260% increase compared to December 2020. Read more about our previous report here: 5 Unrestricted Access Issues – WordPress Security DEC. The following cases made headlines PUBLICLY just last month in the SQL Injections JAN 2021 category:

---

• Modern Events Calendar Lite < 5.16.5 - Authenticated Arbitrary File Upload leading to RCE
  • WordPress event calendar plugin is the best tool used for managing events websites. Modern Events Calendar is a comprehensive events management plugin Modern Events Calendar is a responsive, mobile-friendly, FREE, and comprehensive events management plugin which is extremely user-friendly and well-designed for displaying the events calendar on the websites, ever easier. Active installations: 70,000+

---

• Modern Events Calendar Lite < 5.16.5 - Unauthenticated Events Export
  • WordPress event calendar plugin is the best tool used for managing events websites. Modern Events Calendar is a comprehensive events management plugin Modern Events Calendar is a responsive, mobile-friendly, FREE, and comprehensive events management plugin which is extremely user-friendly and well-designed for displaying the events calendar on the websites, ever easier. Active installations: 70,000+

---

• Super Forms – Drag & Drop Form Builder <= 4.9.602 - Unauthenticated PHP4 File Upload to RCE
  • Super Forms is the one and only plugin that you will ever need for your contact forms. This WordPress Plugin is very user friendly when it comes to building forms. With unlimited options you will be able to create any kind of forms. With conditional logic, Multipart elements and tons of customizable options and settings to adjust any color of any element to fit your needs. Active installations: Not public info

---

• Modal Survey < 2.0.1.8.2 - Authenticated PHP Object Injection
  • Modal Survey is a Premium WordPress Plugin to get your visitors voice through an attention-grabber poll. Provides a lot of customization options including unlimited surveys, questions and answers with animated display. It has an ability to offer a link at the end of survey, thus much more users will fill out the poll. Active installations: Not public info

---

• Modal SurveyModal Survey < 2.0.1.8.2 - Unauthenticated Arbitrary Survey Update, Deletion and Creation
  • Modal Survey is a Premium WordPress Plugin to get your visitors voice through an attention-grabber poll. Provides a lot of customization options including unlimited surveys, questions and answers with animated display. It has an ability to offer a link at the end of survey, thus much more users will fill out the poll. Active installations: Not public info

 

---

• Listing, Classified Ads & Business Directory – uListing < 1.7 - Unauthenticated Arbitrary Post/Page Deletion
  • Developing listing and classified ads websites is a lucrative business opportunity, but in the past, it could be complicated to set up and maintain such a site. Doing it through WordPress previously meant investing quite a bit of money on a multitude of plugins that could be difficult to understand and to run together. Active installations: 3,000+

---

• Listing, Classified Ads & Business Directory – uListing < 1.7 - Unauthenticated Arbitrary Roles and Capabilities Creation/Deletion
  • Developing listing and classified ads websites is a lucrative business opportunity, but in the past, it could be complicated to set up and maintain such a site. Doing it through WordPress previously meant investing quite a bit of money on a multitude of plugins that could be difficult to understand and to run together. Active installations: 3,000+

---

• Listing, Classified Ads & Business Directory – uListing < 1.7 - Unauthenticated Information Disclosure
  • Developing listing and classified ads websites is a lucrative business opportunity, but in the past, it could be complicated to set up and maintain such a site. Doing it through WordPress previously meant investing quite a bit of money on a multitude of plugins that could be difficult to understand and to run together. Active installations: 3,000+

---

• Listing, Classified Ads & Business Directory – uListing < 1.7 - Unauthenticated WordPress Options Change
  • Developing listing and classified ads websites is a lucrative business opportunity, but in the past, it could be complicated to set up and maintain such a site. Doing it through WordPress previously meant investing quite a bit of money on a multitude of plugins that could be difficult to understand and to run together. Active installations: 3,000+

---

• Listing, Classified Ads & Business Directory – uListing < 1.7 - Unauthenticated Arbitrary Account Change
  • Developing listing and classified ads websites is a lucrative business opportunity, but in the past, it could be complicated to set up and maintain such a site. Doing it through WordPress previously meant investing quite a bit of money on a multitude of plugins that could be difficult to understand and to run together. Active installations: 3,000+

---

• Listing, Classified Ads & Business Directory – uListing < 1.7 - Unauthenticated Arbitrary Account Creation
  • Developing listing and classified ads websites is a lucrative business opportunity, but in the past, it could be complicated to set up and maintain such a site. Doing it through WordPress previously meant investing quite a bit of money on a multitude of plugins that could be difficult to understand and to run together. Active installations: 3,000+

---

• 123ContactForm for WordPress <= 1.5.6 - Unauthenticated Arbitrary File Upload

  • WARNING: PLUGIN CLOSED: NO KNOWN FIX.

---

• 123ContactForm for WordPress <= 1.5.6 - Unauthenticated Arbitrary Post Creation

  • WARNING: PLUGIN CLOSED: NO KNOWN FIX.

---

• WPESignature < 1.5.6.8 - Unauthenticated Arbitrary File Upload leading to RCE
  • If you’re looking to reduce paperwork headaches… you should discover WPESignature, the #1 WordPress document signing software that agencies, freelancers and organizations use to take control of the eSignature experience! Active installations: Not public info

---

• Simple Job Board < 2.9.4 - Authenticated Path Traversal Leading to Arbitrary File Download
  • Simple Job Board by PressTigers is an easy, light weight plugin that adds a job board to your WordPress website. Active installations: 20,000+

---

• Elementor Contact Form DB < 1.6 - Unauthenticated & Unauthorised Form Submissions Export
  • A simple plugin to store Elementor Pro Form submissions. This plugin stores contact form submissions from the Elementor Pro Form Module in a handy interface on the back end of WP. Active installations: 40,000+

---

• Orbit Fox by ThemeIsle < 2.10.3 - Authenticated Privilege Escalation
  • Extend your theme functionality with Orbit Fox with various modules like Social Media Share Buttons & Icons, Uptime Monitoring, Google Analytics, custom menu-icons, one click import page templates, page builder addons and free stock featured images. Active installations: 400,000+

---

• WP Quick FrontEnd Editor <= 5.5 - Authenticated Content Injection

  • WARNING: PLUGIN CLOSED: NO KNOWN FIX.

BRIEF: Open and Unrestricted Access JAN 2021 to anything within a website is one thing everybody considers to be a total disaster. Many employees have come to rely on the Internet both for work and day-to-day life. As such, they demand unrestricted access at work, and many company bosses have obliged. Without the knowledge to them, however, there may be a risk associated with this.

What is Unauthenticated Insecure Deserialisation?

Insecure Deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application, inflict a denial of service (DoS) attack, or even execute arbitrary code upon it being deserialized. If the function that is responsible for converting serial data into a structured object assumes that the data is trusted, an attacker may format the serial data in such a way that the result of deserialization is malicious. Unfortunately, many standard deserialization functions in programming languages assume that the data is safe.

What is Unauthenticated Backup Download?

The plugin does not restrict access to a BACKUP file containing sensitive information, such as the internal path of backups, which may then allow unauthenticated users to download them.

What is Unrestricted File Upload?

By exploiting this vulnerability, attackers could simply upload files of any type, bypassing all restrictions placed regarding the allowed upload-able file types on a website. By doing this, it allows an attacker to inject malicious content such as web shells into the sites, and providing a method for initial access into the system.

What is Login Rate Limiting Bypass?

When the plugin is configured with a custom header in its Trusted IP Origins setting (e.g X-Forwarded-For), attackers could bypass the protection offered by tampering the header sent in requests. When the plugin is configured to accept an arbitrary header as client source IP address, a malicious user is not limited to perform a brute force attack, because the client IP header accepts any arbitrary string. When randomizing the header input, the login count does never reach the maximum allowed retries.

What is Improper Authorisation Check?

An attacker could leverage these issues to dump the database including administrative user credentials, to steal cookie-based authentication credentials, or launch other attacks. An anonymous user may create a new dive entry with a crafted HTTP POST.

 

Related Posts to MANAGED WordPress Security: