28 Unrestricted Access OCT 2021 – WP Security Circumvention

Unrestricted Access OCT 2021

Managed WordPress Security Report

Be informed about the latest Unrestricted Access OCT 2021 – WP Security Circumvention, identified and reported publicly. These breaches create even more problems and vulnerability exploitation with a severe negative impact on any WordPress Security. Consider our FREE security AUDIT.

An jaw-dropping estimated 2.693.000+ active WordPress installations are susceptible to these attack types, considering only the publicly available numbers. The estimated number can double with premium versions as they are private purchases.

Furthermore, the initial estimation can multiply if we consider the already patched versions BUT NOT UPDATED by owners, as the vulnerability remains active within their domain. As these owners start changing their hosting provider (due to constant unexplained issues), they actively migrate these vulnerabilities behind protected areas, possibly exposing other clean WP to different attack types.

It is a mind-boggling 560% increase compared to December 2020. We compare last month versus previous winter holiday season, which has the biggest shopping traffic and attack spike throughout the year. Read more about our previous report here: 37 Unrestricted Access SEP 2021 – WP Security Circumvention and 5 Unrestricted Access Issues – WordPress Security DEC. The following cases made headlines PUBLICLY just last month in the Unrestricted Access OCT 2021 – WP Security Circumvention category:

• Age Gate – Unauthenticated Import Settings
  • There are many uses for restricting content based on age, be it movie trailers, beer or other adult themes. This plugin allows you to set a restriction on what content can been seen or restricted based on the age of the user. Active installations: 30,000+

• JS Job Manager – Unauthenticated Arbitrary Plugin Installation/Activation
  • JS Jobs allows you to run your own, unique jobs classifieds service where you or employer can advertise their jobs, job seekers can upload their resume and apply to any jobs. Active installations: 600+

• WP Attachment Export – Unauthenticated Posts Download
  • WP Attachment Export allows you to export your media library into a WordPress eXtended RSS or WXR file. You can then use the Tools->Import function in another WordPress installation to import the media library. Active installations: 2,000+

• Registrations for the Events Calendar – Event Registration Plugin – Reflected Cross-Site Scripting
• Registrations for the Events Calendar – Event Registration Plugin – Unauthenticated SQL Injection
  • Collect and manage event registrations with a customizable form and email template. Whether you’re holding a meetup, class, workshop, tournament, or any other kind of event, you need a way to handle registration. Our plugin makes managing event registration easy and simple. Even nontechnical users can setup the plugin and start collecting registrations within minutes. Active installations: 10,000+

• Contest Gallery – Photo Contest Plugin for WordPress – Email Address Disclosure
• Contest Gallery – Photo Contest Plugin for WordPress – Missing Access Controls to Unauthenticated SQL injection
  • Highly configurable photo contest gallery plugin for WordPress. Active installations: 2,000+

• WP DSGVO Tools (GDPR) – Unauthenticated Arbitrary Post Deletion
  • Our top priority is compliance with the laws and the regulations of courts and of data protection authorities. We do not offer options that are not legally or legally highly controversial. Active installations: 30,000+

• Event Manager and Tickets Selling Plugin for WooCommerce – Unauthenticated Arbitrary Elementor Template Import
• Event Manager and Tickets Selling Plugin for WooCommerce – Unauthenticated Arbitrary Options Reset
  • Event Manager and Tickets Selling Plugin for WooCommerce- is one of the best and simple event management plugin available in WordPress directory & the best event manager plugin for WordPress. Active installations: 9,000+

• Stylish Price List – Unauthenticated Arbitrary Image Upload
• Stylish Price List – Subscriber+ Arbitrary Image Upload
  • Create a stunning price list (price table/pricing table) with ease and make it your virtual high-quality brochure. It was developed for small businesses, spas, salons, restaurants, retail and more. Active installations: 3,000+

• WP Debugging – Unauthenticated Plugin’s Settings Update
  • This plugin sets the following debug constants in wp-config.php on plugin activation and removes them on plugin deactivation. Any errors will result in a PHP Exception being thrown. Active installations: 5,000+

• Modern Events Calendar Lite – Unauthenticated Blind SQL Injection
• Modern Events Calendar Lite – Reflected Cross-Site Scripting
  • WordPress event calendar plugin is the best tool used for managing events websites. Modern Events Calendar is a comprehensive events management plugin. It is a FREE events management plugin which is extremely user-friendly and well-designed for displaying the events calendar on the websites, ever easier. Active installations: 100,000+

• WP System Log – Unauthenticated Stored Cross-Site Scripting
  • You will see very detailed report what people or even other plugins are doing on your site, then block or be alerted on such requests or even logout user immediately. Active installations: 60+

• Shiny Buttons – CSS3 Button Generator for WordPress – Unauthenticated Stored Cross-Site Scripting
  • This plugin has been closed as of September 27, 2022 and is not available for download. Reason: Security Issue.

• ToTop Link – Unauthenticated PHP Object Injection
  • This plugin has been closed as of October 21, 2022 and is not available for download. This closure is temporary, pending a full review.

• WordPress + Microsoft Office 365 / Azure AD | LOGIN – Unauthenticated Stored Cross-Site Scripting
  • With WPO365 | LOGIN users can sign in with their corporate or school (Azure AD / Microsoft Office 365) account to access your WordPress website: No username or password required (OIDC or SAML 2.0 based SSO). Plus you can send email using Microsoft Graph instead of SMTP from your WordPress website. Active installations: 4,000+

• WPS Hide Login – Protection Bypass with Referer-Header
  • WPS Hide Login is a very light plugin that lets you easily and safely change the url of the login form page to anything you want. It doesn’t literally rename or change files in core, nor does it add rewrite rules. It simply intercepts page requests and works on any WordPress website. Active installations: 1+ million

• AutomatorWP – Missing Authorization and Privilege Escalation
  • AutomatorWP is a flexible and open-source automator plugin that lets you connect your WordPress plugins together and create automated workflows. Active installations: 3,000+

• Bulk Datetime Change – Missing Authorisation
  • Bulk change date/time for posts. Active installations: 1,000+

• Directorist – Business Directory Plugin – CSRF to Remote File Upload
  • Want to build an online directory of business listings similar to Yelp, Yellow-Pages, or Tripadvisor on your WordPress site? If the answer is YES, you have come to the right place. Directorist simplifies the process of creating powerful business directories or classified websites of any kind. Active installations: 8,000+

• Secure Copy Content Protection and Content Locking – Email Address Disclosure
  • Secure Copy Content Protection is a plugin aimed at protecting web content from being plagiarized. Active installations: 10,000+

• Like Button Rating ♥ LikeBtn – Unauthorised Vote Export to Email & IP Addresses Disclosure
  • The Like Button Rating plugin allows you to add a cool looking fully customizable Like button. Active installations: 7,000+

• WordPress Popups for Marketing and Email Newsletters, Lead Generation and Conversions by OptinMonster – Unprotected REST-API Endpoints
  • OptinMonster is the best popup builder and marketing plugin that helps you get more email subscribers, increase sales, and grow your business. Active installations: 1+ million

• Smash Balloon Social Post Feed – Arbitrary Plugin Settings Update to Stored XSS
  • Display Facebook posts on your WordPress site. Completely customizable, responsive, search engine crawlable, and GDPR compliant Facebook feeds. Display unlimited Facebook feeds from your Facebook page or Facebook Group, and completely match the look and feel of your site with tons of customization options! Automatically powers any Facebook oEmbeds on your site. Active installations: 200,000+

• Logo Slider and Showcase – Plugin’s Settings Update
  • Logo Slider and Showcase is fully Responsive Plugin to display your logos, clients and partners with different ways like Grid, Slider and Isotope Filtering by category wise. Active installations: 10,000+

• Temporary Login Without Password – Plugin’s Settings Update
  • Create secure, self-expiring ⏱️, automatic login links 🔗 for WordPress. Give them to developers when they ask for admin access to your site. Or an editor for a quick review of work done. Login works just by opening the link, no password needed. Active installations: 40,000+

• Single Post Exporter – Plugin’s Settings Update via CSRF
  • This plugin has been closed as of September 23, 2022 and is not available for download. Reason: Security Issue.

• WP Admin Logo Changer – Plugin’s Settings Update via CSRF
  • This plugin has been closed as of October 4, 2022 and is not available for download. This closure is temporary, pending a full review.

• Wp Limits – Plugin’s Settings Update via CSRF
  • This plugin has been closed as of October 4, 2022 and is not available for download. This closure is temporary, pending a full review.

• Push Notifications for WordPress (Lite) – Settings Update via CSRF
  • Send push notifications to iOS and Android devices when you publish a new post. Straight from your WordPress site, in real-time. This plugin has a built in hub, allowing WordPress to send out the push notifications directly—without using any third-party’s server. Active installations: 800+

BRIEF: Open and Unrestricted Access OCT 2021 to anything within a website is one thing everybody considers to be a total disaster. Many employees have come to rely on the Internet both for work and day-to-day life. As such, they demand unrestricted access at work, and many company bosses have obliged. Without the knowledge to them, however, there may be a risk associated with this.

What is Unauthenticated Insecure Deserialisation?

Insecure Deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application, inflict a denial of service (DoS) attack, or even execute arbitrary code upon it being deserialized. If the function that is responsible for converting serial data into a structured object assumes that the data is trusted, an attacker may format the serial data in such a way that the result of deserialization is malicious. Unfortunately, many standard deserialization functions in programming languages assume that the data is safe.

What is Unauthenticated Backup Download?

The plugin does not restrict access to a BACKUP file containing sensitive information, such as the internal path of backups, which may then allow unauthenticated users to download them.

What is Unrestricted File Upload?

By exploiting this vulnerability, attackers could simply upload files of any type, bypassing all restrictions placed regarding the allowed upload-able file types on a website. By doing this, it allows an attacker to inject malicious content such as web shells into the sites, and providing a method for initial access into the system.

What is Login Rate Limiting Bypass?

When the plugin is configured with a custom header in its Trusted IP Origins setting (e.g X-Forwarded-For), attackers could bypass the protection offered by tampering the header sent in requests. When the plugin is configured to accept an arbitrary header as client source IP address, a malicious user is not limited to perform a brute force attack, because the client IP header accepts any arbitrary string. When randomizing the header input, the login count does never reach the maximum allowed retries.

What is Improper Authorisation Check?

An attacker could leverage these issues to dump the database including administrative user credentials, to steal cookie-based authentication credentials, or launch other attacks. An anonymous user may create a new dive entry with a crafted HTTP POST.

 

MANAGED WordPress Security: Unrestricted Access OCT 2021 Related Posts