The endless story of WordPress plugins security issues

Written by
David Balaban


There are numerous benefits of leveraging the WordPress content management system (CMS) to create a website. It’s open-source, flexible, and amazingly easy to set up. The key advantage is that the service is turnkey, which means you don’t have to reinvent the wheel by writing code of your own. There are tons of readily available site templates and plugins to choose from. All of these virtues make WordPress the world’s top CMS with a market share of about 60 per cent, according to 2020 figures.

The major flip side of this awesomeness and the global reign of WordPress in its niche is that cybercrooks are focused on finding ways to exploit its components. Whereas WP plugins make things so much easier both for webmasters and site visitors, they turn out to be the weakest link in this ecosystem due to gaping security loopholes in some of them. Here is a rundown on the recent incidents where imperfections of WordPress plugins could fuel large-scale cybercrime campaigns.

Google’s Proprietary Plugin Turns Out to Be Low-Hanging Fruit

Site Kit, a popular WP plugin created by Google, has a flaw allowing threat actors to access a site’s Google Search Console and sabotage or otherwise benefit from the unauthorized foothold. The privilege escalation bug was unearthed by researchers in late April 2020 and it took the developers roughly two weeks to address it. Although the patched version, Site Kit 1.8.0, has been available for quite some time now, tens of thousands of websites continue to use the old one that’s trivial to exploit.

This is a two-pronged vulnerability. First off, the previous build of Site Kit exposes the URL that the plugin uses to interact with Google Search Console. Secondly, the setup lacks proper user role verification mechanisms. This combo of weaknesses can be leveraged to extend the privileges of a regular subscriber all the way up to owner-level permissions.

The consequences of this foul play can range from affecting Google rankings of a website and preventing pages from being indexed – to malicious code injection and the theft of sensitive SEO data. This scope of access is fertile soil for an unscrupulous competitor’s shenanigans.

Buggy WP Plugin Puts More Than 1 Million Sites at Risk

Two critical flaws found in the hugely popular Page Builder WordPress plugin can become a launchpad for gaining administrator privileges and website takeover. The issue is particularly unnerving because this flexible page creation component has over 1 million active installations globally, which means the potential attack surface is enormous. Both bugs, categorized as cross-site request forgery (CSRF), were discovered in early May 2020.

By abusing the plugin’s vulnerable builder_content and Live Editor features, an adversary can enroll a new admin account or maintain backdoor access to the WordPress website. Moreover, seasoned cybercriminals may be able to harness this attack vector to compromise the whole site. To the developers’ credit, they released a patch the day after the researchers let them know about their findings. Now it’s up to numerous webmasters to update their plugin to the latest secure version, which may take weeks.

Popup Builder Plugin Isn’t Safe to Use Either

With more than 100,000 active installations in its portfolio, Popup Builder is a great instrument to boost a WordPress website’s marketing facet through flexible features for tailoring popups about promos and subscription offers. This awesomeness shattered in March 2020, when white hats found a number of bugs that could become a pivot of large-scale compromise.

One of these vulnerabilities (CVE-2020-10196) allows a hacker to inject rogue JavaScript code into any popup so that website visitors are redirected to malicious pages instead of going to the intended resource. The other bug (CVE-2020-10195) takes the compromise to the next level by providing a possibility to retrieve information related to Popup Builder. For instance, any authenticated user can steal the list of the site’s newsletter subscribers. Administrator privileges aren’t required to set this raid in motion.
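The Site Kit, Page Builder and Popup Builder bugs above share one root cause: a request handler that acts on behalf of a logged-in user without checking that the request is genuine (CSRF) and that the user is actually allowed to do what it asks (capability check), and that stores user-supplied HTML verbatim. The following is an added example, not code from any of the plugins named in this article; the action name `example_save_popup`, the option `example_popup_html` and the admin page slug are hypothetical. It puts the weak pattern beside the hardened one using WordPress core functions only.

```php
<?php
// Added example (not code from Site Kit, Page Builder or Popup Builder).
// A WordPress admin-post handler that saves popup HTML entered in wp-admin.
// Hypothetical names: action 'example_save_popup', option 'example_popup_html'.

// --- Weak form: the pattern behind the flaws described above ---------------
// No nonce (any site can forge the POST), no capability check (a subscriber
// can call it), raw HTML stored and later echoed (stored XSS).
function example_save_popup_weak() {
    update_option( 'example_popup_html', $_POST['popup_html'] );
    wp_safe_redirect( admin_url( 'admin.php?page=example-popup' ) );
    exit;
}

// --- Hardened form -----------------------------------------------------------
function example_save_popup_secure() {
    // 1. CSRF: the request must carry a nonce minted for this action and user.
    //    check_admin_referer() dies with a 403 page if it is missing or stale.
    check_admin_referer( 'example_save_popup', 'example_popup_nonce' );

    // 2. Authorization: being logged in is not the same as being allowed.
    //    Subscribers lack edit_others_posts, so they stop here.
    if ( ! current_user_can( 'edit_others_posts' ) ) {
        wp_die( esc_html__( 'You are not allowed to edit popups.', 'example' ), 403 );
    }

    // 3. Input: keep only the HTML a post author may use. wp_kses_post() strips
    //    <script>, on* event handlers and javascript: URLs.
    $html = isset( $_POST['popup_html'] ) ? wp_unslash( $_POST['popup_html'] ) : '';
    update_option( 'example_popup_html', wp_kses_post( $html ) );

    wp_safe_redirect( add_query_arg( 'saved', '1', admin_url( 'admin.php?page=example-popup' ) ) );
    exit;
}
add_action( 'admin_post_example_save_popup', 'example_save_popup_secure' );

// The settings form that submits to the handler; wp_nonce_field() emits the token
// the handler verifies.
function example_render_popup_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_popup">
        <?php wp_nonce_field( 'example_save_popup', 'example_popup_nonce' ); ?>
        <textarea name="popup_html" rows="8" cols="60"><?php
            echo esc_textarea( get_option( 'example_popup_html', '' ) );
        ?></textarea>
        <?php submit_button( __( 'Save popup', 'example' ) ); ?>
    </form>
    <?php
}

// Output: escape again at render time. Data in the options table is never
// trusted just because it was filtered on the way in.
function example_render_popup() {
    echo wp_kses_post( get_option( 'example_popup_html', '' ) );
}
add_action( 'wp_footer', 'example_render_popup' );
```

The three checks are independent: a nonce alone would not have stopped a subscriber submitting the form themselves, and a capability check alone would not have stopped an editor being tricked into submitting it from another site. When reviewing a plugin, look for each `admin_post_*`, `wp_ajax_*` and REST callback and confirm all three are present.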

In response to the vulnerability report, the vendor promptly released a fix. Website owners using this plugin should install the latest version as soon as possible to steer clear of the above issues.

Three Vulnerable Plugins Exploited in Real-World Attacks

WordPress plugins called ThemeGrill Demo Importer, Profile Builder, and Duplicator are susceptible to exploitation that may allow a perpetrator to circumvent authentication and pull off a privilege escalation trick. The worst part is that these unsafe plugins have been actively parasitized by several attackers.

According to security analysts, one threat actor dubbed “tonyredball” focuses on an admin registration flaw in Profile Builder and ThemeGrill Demo Importer plugins. The latter is targeted more heavily because a single admin account registration request can pave the malefactor’s way towards wiping the site’s entire database. Whereas Profile Builder can be exploited in a similar way, the damage is limited to running harmful scripts.

The hacker mostly piggybacks on this compromise by riddling JavaScript elements with sketchy code. In the aftermath of this tampering, website visitors are forwarded to junk pages that display requests to trigger web push notifications. If this hoax pans out, users will be confronted with irksome ads and incessant browser redirects. As per rough estimates based on plugin usage statistics, the number of websites affected by this glitch can reach 70,000.

Another malicious actor codenamed “solarsalvador1234” capitalizes on a bug in the Duplicator plugin, which boasts more than 1 million installations. Earlier versions of this WordPress site cloning and migration tool have a loophole allowing an attacker to download the wp-config.php file that stores sensitive data, including the administrator credentials.

Database Reset Plugin Issues

In January 2020, analysts at Wordfence unveiled two vulnerabilities in WP Database Reset, a plugin used to reset database tables to their original state. It currently has over 90,000 active installations. One of these flaws (CVE-2020-7047) is a potential source for privilege escalation that can allow a criminal to remove all users from a WordPress setup via a specially crafted request. The other bug (CVE-2020-7048) is categorized as critical. If exploited, it enables an attacker to reset the database of a WP site to its default condition.

In either scenario, full site takeover is fairly easy to execute. The imperfections have since been patched, but thousands of Database Reset instances continue to be vulnerable because webmasters neglect the update hygiene.

InfiniteWP Client Flaw Leading to Unauthorized Access

Managing an arbitrary number of WordPress sites from a central server is easy with the InfiniteWP Client plugin, which has well over 300,000 installations globally. In January 2020, security experts found a severe bug in this plugin that exposes websites to an authentication bypass attack. Its crudely designed functions, “add_site” and “readd_site,” lack authentication checks, which makes it possible to use a particular Base64 encoded payload for accessing a site without a valid password. The only piece of information the criminal needs is the administrator’s username. A plugin update addressing this glitch was rolled out shortly after discovery, but numerous website owners have yet to apply it.
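The defensive lesson from the InfiniteWP flaw is that a remote-management endpoint must bind each incoming payload to a secret established when the site was paired with the management server, rather than trusting the username the payload carries. The block below is an added example and not InfiniteWP’s code; the option name `example_mgmt_shared_key`, the payload fields and the `example_` functions are all hypothetical. It shows the unauthenticated pattern next to one that verifies an HMAC, a timestamp and a one-time nonce before logging anyone in.

```php
<?php
// Added example, not InfiniteWP code. A site-side handler for a Base64-encoded
// JSON management request. All example_* names and option keys are hypothetical.

const EXAMPLE_MAX_SKEW = 300; // seconds; requests older than this are rejected

// --- Weak form: acts on whatever username the payload names -----------------
function example_handle_mgmt_weak( $raw ) {
    $payload = json_decode( base64_decode( $raw ), true );
    if ( is_array( $payload ) && 'add_site' === $payload['action'] ) {
        $user = get_user_by( 'login', $payload['username'] );
        wp_set_auth_cookie( $user->ID ); // nothing proved who sent this
        return true;
    }
    return false;
}

// --- Hardened form -------------------------------------------------------------
// Expected payload (JSON, then Base64): action, username, ts, nonce, mac where
// mac = HMAC-SHA256( action|username|ts|nonce, shared_key ).
function example_handle_mgmt_secure( $raw ) {
    $decoded = base64_decode( $raw, true );
    $payload = $decoded === false ? null : json_decode( $decoded, true );
    if ( ! is_array( $payload ) ) {
        return new WP_Error( 'bad_payload', 'Payload is not Base64-encoded JSON.' );
    }
    foreach ( array( 'action', 'username', 'ts', 'nonce', 'mac' ) as $field ) {
        if ( empty( $payload[ $field ] ) || ! is_string( $payload[ $field ] ) ) {
            return new WP_Error( 'bad_payload', "Missing field: $field" );
        }
    }

    // The key is written once, during pairing, by an administrator. Without it
    // the site simply refuses management requests.
    $key = get_option( 'example_mgmt_shared_key' );
    if ( empty( $key ) ) {
        return new WP_Error( 'not_paired', 'Site is not paired with a management server.' );
    }

    // 1. Integrity and origin: recompute the MAC over every field except the MAC
    //    itself and compare in constant time.
    $signed   = implode( '|', array( $payload['action'], $payload['username'], $payload['ts'], $payload['nonce'] ) );
    $expected = hash_hmac( 'sha256', $signed, $key );
    if ( ! hash_equals( $expected, $payload['mac'] ) ) {
        return new WP_Error( 'bad_mac', 'Signature check failed.' );
    }

    // 2. Freshness: a captured request cannot be replayed after EXAMPLE_MAX_SKEW.
    if ( abs( time() - (int) $payload['ts'] ) > EXAMPLE_MAX_SKEW ) {
        return new WP_Error( 'stale', 'Request timestamp outside allowed window.' );
    }

    // 3. Single use: remember the nonce for as long as the timestamp window lasts.
    $seen_key = 'example_mgmt_nonce_' . md5( $payload['nonce'] );
    if ( get_transient( $seen_key ) ) {
        return new WP_Error( 'replay', 'Nonce already used.' );
    }
    set_transient( $seen_key, 1, 2 * EXAMPLE_MAX_SKEW );

    // 4. Only now is the username consulted, and only an administrator may be
    //    selected by a management server.
    $user = get_user_by( 'login', sanitize_user( $payload['username'] ) );
    if ( ! $user || ! user_can( $user, 'manage_options' ) ) {
        return new WP_Error( 'no_such_admin', 'User is not an administrator.' );
    }
    wp_set_current_user( $user->ID );
    wp_set_auth_cookie( $user->ID, false, is_ssl() );
    return true;
}
```

The important ordering is that the MAC, timestamp and nonce are checked before the username is ever looked up; knowing an administrator’s login name gives the sender nothing unless they also hold the pairing key.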

Zero-Day Bug in ThemeREX Addons Plugin

ThemeREX Addons, a WordPress plugin used on about 50,000 websites, has a remote code execution vulnerability. Unearthed in mid-February 2020, the loophole allows a malefactor to fire up a dodgy command that adds new admin accounts in a snap. This is, obviously, a shortcut to website compromise. The publisher came up with a solution in March, advising webmasters to delete the “~/plugin.rest-api.php” file that turned out to be the buggy plugin component. Doing so doesn’t adversely affect a site because WordPress core now supports the functionality previously provided by the above-mentioned file.

A Flaw in the GDPR Cookie Consent Plugin is Double Trouble

This one is in the pantheon of the top 100 WP plugins, with the total number of active installations exceeding 800,000. Its purpose is to bridge the gap between websites and GDPR compliance via extensively customizable cookie policy banners. In January 2020, researchers pinpointed a serious vulnerability in version 1.8.2 and earlier builds of the plugin. The bug can be exploited to execute cross-site scripting and privilege escalation incursions. One of the attack vectors is to change the status of a specific post or the entire WordPress site to “draft”; effectively, this will prevent the content from being shown to visitors.

Furthermore, the glitch makes it easy to modify, add, or remove any materials. To top it all off, malicious JavaScript injection is one more possible upshot of the attack. This is doable even with subscriber-level permissions. Although the patched version arrived on February 10, numerous plugin instances are still waiting to be updated.

Bottom Line

Any WordPress setup is half-baked without plugins. They enhance a site’s functionality in multiple different ways and align it with the webmaster’s needs. In addition to all other risks and threats, buggy plugins become a major entry point for hackers. This issue is particularly disconcerting because a single vulnerability can expose hundreds of thousands of websites to surreptitious attacks.

The most effective way to avoid the worst-case scenario is to keep WP plugins up to date. This is a no-brainer most of the time – a quick peek into the WordPress dashboard will let you know if there is a new version available with the latest patches on board. Another worthwhile habit is to stay tuned for new vulnerability reports from trustworthy services like Wordfence. Be sure to follow these simple recommendations to make your site a moving target.
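A quick peek into the dashboard only works if somebody remembers to peek. The following is an added example (not code from this article or any plugin it names) of a must-use plugin that does the looking for you: once a day it refreshes the update data, records every installed plugin with a newer version available, writes the list to the PHP error log and shows it as an admin notice. All `example_` names are hypothetical; the WordPress functions are core APIs.

```php
<?php
/**
 * Plugin Name: Example Plugin Update Watch
 * Description: Added example, not the article's code. Logs plugins that have an
 *              update available. Place in wp-content/mu-plugins/ so it is always
 *              loaded and cannot itself be disabled or left un-updated.
 */

// Register a daily cron event once; wp_next_scheduled() prevents duplicates.
add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'example_plugin_update_watch' ) ) {
        wp_schedule_event( time(), 'daily', 'example_plugin_update_watch' );
    }
} );

// Returns [ plugin_file => [ name, installed, available, active ] ] for every
// plugin listed in the update_plugins transient. Inactive plugins are included
// on purpose: the Duplicator case above shows they are still reachable on disk.
function example_outdated_plugins() {
    if ( ! function_exists( 'get_plugins' ) ) {
        require_once ABSPATH . 'wp-admin/includes/plugin.php';
    }
    wp_update_plugins(); // refresh version data from the update API
    $updates   = get_site_transient( 'update_plugins' );
    $installed = get_plugins();
    $outdated  = array();
    if ( empty( $updates->response ) ) {
        return $outdated;
    }
    foreach ( $updates->response as $file => $info ) {
        if ( ! isset( $installed[ $file ] ) ) {
            continue;
        }
        $outdated[ $file ] = array(
            'name'      => $installed[ $file ]['Name'],
            'installed' => $installed[ $file ]['Version'],
            'available' => $info->new_version,
            'active'    => is_plugin_active( $file ),
        );
    }
    return $outdated;
}

// Cron callback: persist the result and write one log line per plugin, so the
// web server's error log (or whatever ships it) carries the evidence.
add_action( 'example_plugin_update_watch', function () {
    $outdated = example_outdated_plugins();
    update_option( 'example_outdated_plugins', $outdated, false );
    foreach ( $outdated as $file => $p ) {
        error_log( sprintf(
            '[plugin-update-watch] %s (%s): installed %s, available %s%s',
            $p['name'], $file, $p['installed'], $p['available'],
            $p['active'] ? '' : ' [inactive]'
        ) );
    }
} );

// Admin notice for users who are allowed to act on it.
add_action( 'admin_notices', function () {
    if ( ! current_user_can( 'update_plugins' ) ) {
        return;
    }
    $outdated = get_option( 'example_outdated_plugins', array() );
    if ( empty( $outdated ) ) {
        return;
    }
    echo '<div class="notice notice-warning"><p>Plugins with a pending update: '
        . esc_html( implode( ', ', wp_list_pluck( $outdated, 'name' ) ) )
        . '</p></div>';
} );
```

Because the check runs from WP-Cron, it depends on the site receiving traffic or on a system cron calling wp-cron.php; on a low-traffic site, wire the latter up so the daily event actually fires.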


David Balaban is a computer security researcher with over 15 years of experience in malware analysis and antivirus software evaluation.
