Hackers have exploited three zero-days to install backdoors on WordPress sites, according to a security alert published minutes ago by WordPress security firm Wordfence.
The zero-days affect three WordPress plugins — Appointments, RegistrationMagic-Custom Registration Forms, and Flickr Gallery.
The plugins' authors released updates to fix the attack vector — a PHP object injection vulnerability that affects all three plugins in the same way.
0-days allow hackers to install backdoors on vulnerable sites
"This vulnerability allowed attackers to cause a vulnerable website to fetch a remote file (a PHP backdoor) and save it to a location of their choice," says Wordfence researcher Brad Haas.
According to Haas, the vulnerability is hilariously easy to exploit, requiring the attackers to package the exploit code inside an HTTP POST request sent to the victim site. Attackers don't need to be authenticated on the site to trigger the exploit.
For sites running the Flickr Gallery plugin, the hacker has to target the site's root URL, while for the other two, the hacker has to aim the POST request at the admin-ajax.php file.
Once the hacker has tricked a site into downloading the backdoor, he can take it over within minutes.
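To make the vulnerability class concrete, here is an added example that is not code from Wordfence or from any of the three plugins: it shows the pattern behind a PHP object injection bug (calling unserialize() on request data) beside two hardened replacements. The function names, the settings data and the request bodies are all assumed or constructed for the example, and it targets PHP 8 or later.

```php
<?php
declare(strict_types=1);

// Added example for this article; it is not code from Appointments,
// RegistrationMagic or Flickr Gallery. It contrasts the pattern behind a PHP
// object injection bug (unserialize() on request data) with two hardened
// replacements. Function names and the settings payloads are assumed.

// VULNERABLE: unserialize() on attacker-controlled input lets the caller
// instantiate any class the site has loaded, with property values of their
// choosing, so that class's __wakeup()/__destruct() run on attacker data.
function vulnerable_read_settings(string $raw): mixed
{
    return unserialize($raw);
}

// Recursively report whether a decoded value contains any object at all.
function contains_object(mixed $value): bool
{
    if (is_object($value)) {
        return true;
    }
    if (is_array($value)) {
        foreach ($value as $item) {
            if (contains_object($item)) {
                return true;
            }
        }
    }
    return false;
}

// HARDENED (PHP >= 7.0): allowed_classes => false turns every object in the
// payload into __PHP_Incomplete_Class, so no magic method executes. Settings
// should only ever be scalars and arrays, so anything that still decodes to
// an object is rejected outright instead of being passed on.
function hardened_read_settings(string $raw): mixed
{
    $data = @unserialize($raw, ['allowed_classes' => false]);
    if ($data === false && $raw !== 'b:0;') {
        return null;   // malformed payload; 'b:0;' is the one legitimate false
    }
    return contains_object($data) ? null : $data;
}

// PREFERRED: avoid PHP serialization for untrusted input entirely. JSON can
// only yield scalars and arrays, never objects that carry behaviour.
function json_read_settings(string $raw): ?array
{
    try {
        $data = json_decode($raw, true, 16, JSON_THROW_ON_ERROR);
    } catch (JsonException $e) {
        return null;
    }
    return is_array($data) ? $data : null;
}

// Constructed request bodies for the demo (not real traffic): a legitimate
// settings array, and a payload naming an arbitrary class. That class does
// not exist in this script, so even the vulnerable function only yields an
// inert __PHP_Incomplete_Class here; on a site where such a class is loaded,
// the vulnerable path would build a live object from attacker-chosen data.
$legit   = serialize(['per_page' => 10, 'sort' => 'date']);
$payload = 'O:15:"SomeLoadedClass":1:{s:4:"name";s:3:"foo";}';

foreach (['legit' => $legit, 'object payload' => $payload] as $label => $body) {
    $v = vulnerable_read_settings($body);
    $h = hardened_read_settings($body);
    printf("%-15s vulnerable=%s hardened=%s\n",
        $label,
        is_object($v) ? get_class($v) : gettype($v),
        $h === null ? 'rejected' : gettype($h));
}

// The JSON variant accepts only an array-shaped document.
var_dump(json_read_settings('{"per_page":10,"sort":"date"}'));
var_dump(json_read_settings($payload));
```

Two points follow from this for WordPress specifically. Handlers registered with the `wp_ajax_nopriv_{action}` hook run for unauthenticated visitors through admin-ajax.php, which is why the POST described above needs no login; adding `check_ajax_referer()` and `current_user_can()` checks narrows who can reach a handler, but only replacing the unserialize() call removes the deserialization problem itself. And any helper that wraps a plain unserialize() call inherits the same exposure, so hardening has to happen where the untrusted string is actually decoded.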
Only 21,000 sites vulnerable
Wordfence said it detected the zero-days after investigating a series of hacked sites and finding evidence of past exploitation.
There is good and bad news. The good news is that the plugins are not that popular, having around 21,000 installations combined.
The bad news is that the zero-days are easy to exploit and other hackers can reverse engineer the plugin changelogs to deduce the exploit code.
The vulnerability at the core of these zero-days has a score of 9.8 out of 10 on the CVSSv3 severity scale, which is very high, and classifies the vulnerability as "Critical."
Website owners can update the plugins to the patched versions, or they can uninstall the plugins, just to be on the safe side. Below are the plugin versions where developers fixed the vulnerabilities:
• Flickr Gallery by Dan Coulter (fixed in 1.5.3) [~ 4,000 installations]
• RegistrationMagic-Custom Registration Forms by CMSHelpLive (fixed in 3.7.9.3) [~ 8,000 installations]
Comments
PluginVulns - 6 years ago
The wording in your post isn't entirely accurate. While PHP object injection vulnerabilities in WordPress plugins are very likely to be exploited, just knowing where to exploit one doesn't allow you to exploit it. You would also have to be aware of accessible code on the website that could be used for malicious purposes with the exploit, which looks to be a barrier to less advanced hackers exploiting them from what we have seen, so describing them as "hilariously easy to exploit" is not accurate.
It is also worth noting that these are far from the only WordPress plugins that have been found to have this type of vulnerability recently; last month we discovered and disclosed that four other plugins had contained this type of vulnerability (we also found several more vulnerabilities that combined this type of vulnerability with another issue):
https://www.pluginvulnerabilities.com/2017/09/01/php-object-injection-vulnerability-in-videowhisper-live-streaming/
https://www.pluginvulnerabilities.com/2017/09/05/php-objection-vulnerability-in-wordpress-meta-data-and-taxonomies-filter/
https://www.pluginvulnerabilities.com/2017/09/05/php-object-injection-vulnerability-in-booster-for-woocommerce/
https://www.pluginvulnerabilities.com/2017/09/22/php-object-injection-vulnerability-in-taketin-to-wp-membership/
Of more concern would be a couple of PHP object injection vulnerabilities that we found in recent months that haven't been fixed and the plugins are still available in the WordPress Plugin Directory (the second one is in a security plugin):
https://www.pluginvulnerabilities.com/2017/07/31/php-object-injection-vulnerability-in-product-reviews/
https://www.pluginvulnerabilities.com/2017/08/29/php-object-injection-vulnerability-in-wp-smart-security/