CyberSecurity news

FlagThis - #wordpress

info@thehackernews.com (The Hacker News)@The Hacker News - 70d
A critical vulnerability, CVE-2024-11972, has been discovered in the Hunk Companion WordPress plugin, affecting versions below 1.9.0. This flaw allows malicious actors to install and activate vulnerable plugins on affected sites through unauthenticated POST requests. Attackers can exploit this to backdoor sites. The vulnerability has a CVSS score of 9.8, highlighting its severity. This flaw poses a significant security risk, impacting over 10,000 websites. Site owners are advised to update their plugins immediately.

Recommended read:
References :
  • BleepingComputer: Hackers are exploiting a critical vulnerability in the "Hunk Companion" plugin to install and activate other plugins with exploitable flaws directly from the WordPress.org repository.
  • The Hacker News: WordPress Hunk Companion Plugin Flaw Exploited to Silently Install Vulnerable Plugins
  • www.bleepingcomputer.com: Hunk Companion WordPress plugin exploited to install vulnerable plugins
  • Cyber Security News: Hunk Companion Plugin Vulnerability Exposes 10K+ websites to Cyber Attack
  • securityonline.info: Active Exploitation Observed for CVE-2024-11972 (CVSS 9.8): WordPress Plugin Flaw Exposes 10,000+ Sites to Backdoor Attacks
  • arstechnica.com: Thousands of sites remain unpatched against actively exploited WordPress plugin bug
  • Security Risk Advisors: Critical Plugin Installation Vulnerability in Hunk Companion Enables Unauthorized Code Execution
  • WPScan: Critical Plugin Installation Vulnerability in Hunk Companion Enables Unauthorized Code Execution
  • bsky.app: Hunk Companion WordPress plugin exploited to install vulnerable plugins

Pierluigi Paganini@securityaffairs.com - 45d
A sophisticated credit card skimmer malware campaign is targeting WordPress e-commerce websites, placing user payment information at risk. The malware operates by injecting malicious JavaScript code directly into the database tables of the content management system. This stealthy method allows the skimmer to evade traditional security detection systems, making it difficult to spot and remove. Once activated on the checkout page, the malware either hijacks existing payment fields or injects a fake payment form, closely mimicking legitimate payment processors. This form is designed to capture and record sensitive information such as credit card numbers, expiration dates, CVV numbers, and billing addresses.

The stolen data is then encoded using Base64 and encrypted with AES-CBC to make it appear harmless and harder to analyze. This encrypted data is subsequently sent to an attacker-controlled server using the navigator.sendBeacon function to avoid detection by the website user. The collected data, including payment card details and potentially other personal information, is then used for fraudulent transactions or sold on underground markets. Website owners are advised to examine custom HTML widgets, apply the latest security updates and patches, implement two-factor authentication, regularly review admin accounts, implement file integrity monitoring and use a website firewall for protection.

Recommended read:
References :
  • gbhackers.com: Credit Card Skimmer Hits WordPress Checkout Pages, Stealing Payment Data
  • The Hacker News: WordPress Skimmers Evade Detection by Injecting Themselves into Database Tables – Source:thehackernews.com
  • www.cysecurity.news: Sophisticated Credit Card Skimmer Malware Targets WordPress Checkout Pages
  • ciso2ciso.com: WordPress Skimmers Evade Detection by Injecting Themselves into Database Tables – Source:thehackernews.com
  • securityaffairs.com: Stealthy credit card skimmer targets WordPress e-commerce sites, injecting malicious JavaScript into CMS database tables to evade detection.
  • Pyrzout :vm:: WordPress Skimmers Evade Detection by Injecting Themselves into Database Tables – Source:thehackernews.com
  • ciso2ciso.com: Credit Card Skimmer campaign targets WordPress via database injection – Source: securityaffairs.com
  • Sucuri Blog: Stealthy Credit Card Skimmer Targets WordPress Checkout Pages via Database Injection

@ciso2ciso.com - 48d
Critical security vulnerabilities have been discovered in the Fancy Product Designer plugin for WordPress, a popular premium plugin with over 20,000 sales that enables extensive product customization on WooCommerce sites. Patchstack researchers identified two unpatched critical flaws: an unauthenticated arbitrary file upload vulnerability (CVE-2024-51919) and an unauthenticated SQL injection vulnerability (CVE-2024-51818). These vulnerabilities place websites using the plugin at significant risk of unauthorized access and data breaches, as they allow for remote code execution and direct SQL database manipulation by malicious actors.

The file upload flaw is caused by inadequate input validation in the `save_remote_file` and `fpd_admin_copy_file` functions, which allows PHP files to be uploaded and thus leads to remote code execution. The SQL injection flaw originates from the `get_products_sql_attrs` function, which fails to properly sanitize its inputs; the `strip_tags` call it relies on is ineffective against such attacks. Website administrators using the Fancy Product Designer plugin are advised to immediately deactivate or remove it until a security patch is released by the vendor, Radykal. They should also monitor official channels for updates and deploy a WAF to block exploitation attempts.

Recommended read:
References :
  • ciso2ciso.com: Fancy Product Designer Plugin Flaws Expose WordPress Sites – Source: www.infosecurity-magazine.com
  • www.bleepingcomputer.com: Unpatched critical flaws impact Fancy Product Designer WordPress plugin
  • Pyrzout :vm:: Fancy Product Designer Plugin Flaws Expose WordPress Sites – Source: www.infosecurity-magazine.com
  • securityonline.info: Unpatched Vulnerabilities in Fancy Product Designer Plugin Put 20,000+ Websites at Risk
  • Latest from TechRadar: Another top WordPress plugin found carrying critical security flaws

@www.bleepingcomputer.com - 41d
A critical security flaw has been discovered in the W3 Total Cache plugin, a popular tool used by over one million WordPress websites. This vulnerability, tracked as CVE-2024-12365, allows attackers with even subscriber-level access to gain unauthorized access to sensitive data. The flaw stems from a missing capability check in the plugin's `is_w3tc_admin_page` function, which exposes sensitive information such as nonce values to low-privileged users. This could lead to information disclosure, excessive service consumption, and unauthorized requests to internal services, including the metadata endpoints of cloud-hosted applications.

This vulnerability, which was publicly disclosed on January 13, 2025, poses a significant risk due to the widespread use of the plugin. Attackers can leverage this to access system data and perform unauthorized actions. While a patch has been released in version 2.8.2 of the W3 Total Cache plugin, many sites have yet to apply the update. Website administrators are urged to update to version 2.8.2 or later immediately to mitigate this high-severity risk, as well as review user access levels and conduct security audits.

Recommended read:
References :
  • bsky.app: A severe flaw in the W3 Total Cache plugin installed on more than one million WordPress sites could give attackers access to various information, including metadata on cloud-based apps.
  • gbhackers.com: W3 Total Cache Plugin Vulnerability Let Attackers Gain Unauthorized Access to Sensitive Data
  • BleepingComputer: A severe flaw in the W3 Total Cache plugin installed on more than one million WordPress sites could give attackers access to various information, including metadata on cloud-based apps.
  • www.bleepingcomputer.com: W3 Total Cache plugin flaw exposes 1 million WordPress sites to attacks
  • gbhackers.com: GBHackers: W3 Total Cache Plugin Vulnerability Let Attackers Gain Unauthorized Access to Sensitive Data

@gbhackers.com - 51d
A critical vulnerability has been discovered in the popular UpdraftPlus: WP Backup & Migration Plugin, impacting over 3 million WordPress websites. This security flaw, identified as CVE-2024-10957, allows unauthenticated attackers to exploit a PHP Object Injection vulnerability through deserialization of untrusted input. The issue affects all versions of the plugin up to and including 1.24.11, with a patch released in version 1.24.12. The vulnerability has a high-risk CVSS score of 8.8 and could lead to severe consequences such as unauthorized file deletions, retrieval of sensitive user data, and even remote code execution. The exploit is triggered when an administrator performs a search and replace action within the plugin.

Website administrators using the UpdraftPlus plugin are urged to take immediate action and update to version 1.24.12 or later. It is essential for all WordPress users to review their installations, including all active plugins, to ensure they are updated with the latest versions. The ease of updating plugins via the WordPress dashboard reduces the window for potential attacks, and it is critical to stay informed about vulnerabilities like CVE-2024-10957 to prevent severe breaches. While no known proof of concept exists in the plugin itself, the existence of additional vulnerabilities in plugins and themes can escalate the risk.

Recommended read:
References :
  • gbhackers.com: WordPress Plugin Vulnerability Exposes 3 Million Websites to Injection Attacks
  • securityonline.info: CVE-2024-10957 Exposes Over 3 Million WordPress Sites to Unauthenticated PHP Object Injection Exploits
  • Latest from TechRadar: Another top WordPress plugin found carrying critical security flaws

@www.the420.in - 2d
A large-scale malware campaign has compromised over 35,000 websites by injecting malicious JavaScript. The injected scripts redirect users to Chinese-language gambling platforms, specifically under the "Kaiyun" brand. This attack utilizes obfuscated JavaScript payloads to hijack user browsers, replacing legitimate website content with full-page redirects.

This malicious campaign operates by embedding a one-line `<script>` tag into the source code of affected websites. These scripts reference domains such as zuizhongjs[.]com and other similar URLs. Once loaded, they dynamically inject further payloads, manipulating browser behavior and creating a full-screen overlay that redirects users to unlicensed gambling platforms in Mandarin, targeting users in regions where Mandarin is predominantly spoken. The attackers employ techniques such as string concatenation and Unicode escapes to conceal their activities and evade detection by automated security systems.

Recommended read:
References :
  • Cyber Security News: cyberpress.org on 35,000 Websites Compromised with Malicious Scripts Redirecting Users to Chinese Websites
  • gbhackers.com: Over 35,000 Websites Hacked to Inject Malicious Scripts Redirecting Users to Chinese Websites
  • Talkback Resources: talkback.sh on Over 35,000 Websites Targeted in Full-Page Hijack Linking to a Chinese-Language Gambling Scam

@gbhackers.com - 28d
A massive cyberattack has compromised over 10,000 WordPress websites, using them to distribute malware to both macOS and Windows users. The attackers exploited vulnerabilities in outdated WordPress versions and plugins, injecting malicious JavaScript code into the sites. This code redirects visitors to fake browser update pages, which then trick users into downloading malicious software. The campaign represents a significant escalation in threat sophistication, with the malware being delivered through client-side attacks via iframes. The malicious JavaScript dynamically injects the fake update pages, and also uses DNS prefetching to enhance the speed of loading these malicious domains.

The malware distributed includes AMOS (Atomic macOS Stealer), which targets macOS users by stealing sensitive data such as passwords and cryptocurrency wallet information. Windows users are targeted by SocGholish, a malware strain that acts as a downloader for additional malicious payloads. This coordinated approach on two operating systems suggests a sophisticated attack group or collaboration. Security experts warn that this is one of the first known cases of these specific malware strains being delivered through client-side attacks, and are urging website administrators to immediately update their WordPress installations and plugins, remove unused components, and review server logs for signs of compromise.

Recommended read:
References :
  • cyberpress.org: Hackers Compromised 10,000 WordPress Websites to Drop macOS and Microsoft Malware
  • gbhackers.com: 10,000 WordPress Websites Hacked to Distribute MacOS and Microsoft Malware
  • cside.dev: 10,000 WordPress Websites Found Delivering MacOS and Microsoft Malware
  • cybersecuritynews.com: Hackers Use 10,000 WordPress Sites To Deliver Malware To macOS and Microsoft Systems

@cve.mitre.org - 56d
A critical vulnerability, identified as CVE-2024-11205, has been discovered in the WPForms plugin for WordPress. This security flaw impacts plugin versions 1.8.4 through 1.9.2.1. The issue arises from a missing authorization check within the wpforms_is_admin_page function, which allows attackers with even Subscriber-level privileges to perform unauthorized actions. Specifically, malicious actors could potentially refund payments and cancel subscriptions. This exploit could result in significant financial losses and disruptions for website owners using the affected WPForms plugin.

The vulnerability highlights the critical need for proactive security measures within WordPress environments. A fix is available in plugin version 9.1.2.2 or later, and administrators are urged to update immediately. Website operators should review user permissions, enable two-factor authentication, and closely monitor site activity for suspicious behavior. Regular backups are also essential to ensure data integrity in the event of a successful attack. CERT-In has issued alerts to WordPress users, emphasizing the urgency of this situation and the need to apply the latest updates.

Recommended read:
References :
  • Pyrzout :vm:: CERT-In Alerts WordPress Users to Critical WPForms Plugin Vulnerability CVE-2024-11205
  • The Cyber Express: CERT-In Alerts WordPress Users to Critical WPForms Plugin Vulnerability
  • thecyberexpress.com: CERT-In Alerts WordPress Users to Critical WPForms Plugin Vulnerability