WordPress Woes: A Fake Plugin and Three Zero-Day Vulnerabilities Found

A fake Wordpress plugin containing a backdoor and three zero-day vulnerabilities—all affecting the high-profile blogging platform WordPress—were recently discovered. The backdoor was discovered masquerading as WP-SpamShield Anti-Spam, which is a fairly popular tool (with over 100,000 installs) designed to fight spam. The three-zero day exploits, which are being exploited in the wild, were tracked down by security analysts of WordPress’ security plugin Wordfence.

Tagged as X-WP-SPAM-SHIELD-PRO, the backdoor can reportedly disable other security-related tools, steal data, and add a hidden admin account. Security researchers discovered the fake plugin had a seemingly legitimate structure and file names, but they are actually fake.  In addition, the backdoor can allow attackers to upload anything to the site.

One of the files in the plugin has ‘class-social-facebook.php,’ which, on the surface, looks like it blocks potential unwanted Facebook spam. But further analysis revealed that it was designed to break the website, potentially making it unusable. This is done by listing all the active plugins within the app installation, and then disabling all of them. Two other files named ‘class-term-metabox-formatter.php’ and ‘class-admin-user-profile.php’ can be used by attackers for data gathering purposes.

Another file called ‘plugin-header.php’ was designed to add an additional administrator account to the site, which allows the attacker to delete the exploit files, while also revealing the username, password, and the email that can be used to loginto the compromised website.

The fake plugin also possesses code that it can use to ping home, notifying attackers each time an administrator activates it on the website.

Zero-Days

Meanwhile, websites that utilize certain plugins may be exposed to potential attacks after zero-days were found in three separate WordPress plugins: Appointments, RegistrationMagic-Custom Registration Forms, and Flickr Gallery.

Called PHP Object Injection Vulnerability Severity 9.8, the vulnerability allows attackers to manipulate a vulnerable website into fetching a remote file (a PHP backdoor) and save it to their preferred location. The scheme doesn’t require authentication or elevated privileges. For websites that run Flickr Gallery, it only takes sending the exploit as a POST request to the site’s root URL to get the job done.  For Appointments, RegistrationMagic-Custom Registration Forms, the request would go to admin-ajax.php. If the attacker gains access to the plugins’ backdoor, it's possible to take control of the vulnerable site.

Solutions

The discovered vulnerabilities have been patched in the following versions:

IT professionals and web developers/programmers can mitigate threats that may abuse web-based platforms like WordPress through the following best practices:

  • Web developers must assume that all user-generated input are malicious. Their validation and sanitation are a must. Whitelisting—rejecting all input except those in the whitelist—is one of the ways input can be handled securely. 
  • Stringently validating untrusted data in Cascading Style Sheet (CSS) properties, HTML attributes, and XML parser, for instance—while also retaining the look and feel of the website/application—is necessaryfor fortifying web apps/pages against intruders.
  • Regularly applying the latest updates and patches is a must to prevent security flaws in the system and its software from being exploited. 
  • Disabling the parsing of external entities also helps mitigate XXE-based denial-of-service attacks.
  • Developers should disable components that aren’t necessary to the website, database, or web application’s functionality. Sometimes they can even increase your attack surface.
  • Employing firewalls, intrusion detection and prevention systems, virtual patching, and URL categorization, as well as enforcing robust patch management policies, will significantly reduce the system’s attack surface.
  • IT professionals should enforce privilege management policies to mitigate attacks that entail administration-level access to the system/machine. Developers can do the same by limiting user permissions in the website/application, and encrypting or hashing credentials and other sensitive data (i.e., connection strings).

Trend Micro’s endpoint solutions such as Trend Micro™ Smart Protection Suites, and Worry-Free™ Business Security can also protect end users and businesses from threats by detecting and blocking malicious files and all related malicious URLs.

Trend Micro™ Deep Security™ and Vulnerability Protection provide virtual patching that protects servers and endpoints from threats that abuse vulnerabilities found in WordPress plugins. OfficeScan’s Vulnerability Protection shields endpoints from identified and unknown vulnerability exploits even before patches are deployed. Trend Micro™ Deep Discovery™ provides detection, in-depth analysis, and proactive response to attacks using exploits through specialized engines, custom sandboxing, and seamless correlation across the entire attack lifecycle, allowing it to detect threats even without any engine or pattern update.
HIDE

Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.