Hackers target WordPress database plugin active on 1 million sites
Malicious activity targeting a critical severity flaw in the ‘Better Search Replace’ WordPress plugin has been detected, with researchers observing thousands of attempts in the past 24 hours.
Better Search Replace is a WordPress plugin with more than one million installations that helps with search and replace operations in databases when moving websites to new domains or servers.
Admins can use it to search and replace specific text in the database or handle serialized data, and it provides selective replacement options, support for WordPress Multisite, and also includes a “dry run” option to make sure that everything works fine.
The plugin vendor, WP Engine, released version 1.4.5 last week to address a critical-severity PHP object injection vulnerability tracked as CVE-2023-6933.
The security issue stems from deserializing untrusted input and allows unauthenticated attackers to inject a PHP object. Successful exploitation could lead to code execution, access to sensitive data, file manipulation or deletion, and triggering an infinite loop denial of service condition.
The description of the flaw in Wordfence’s tracker states that Better Search Replace isn’t directly vulnerable but can be exploited to execute code, retrieve sensitive data, or delete files if another plugin or theme on the same site contains the Property Oriented Programming (POP) chain.
The exploitability of PHP object injection vulnerabilities often relies on the presence of a suitable POP chain that can be triggered by the injected object to perform malicious actions.
Hackers have seized the opportunity to exploit the vulnerability as WordPress security firm Wordfence reports that it has blocked over 2,500 attacks targeting CVE-2023-6933 on its clients over the past 24 hours.
The flaw impacts all Better Search Replace versions up to 1.4.4. Users are strongly recommended to upgrade to 1.4.5 as soon as possible.
Download stats on WordPress.org recorded close to a half million downloads over the past week, with 81% of the active versions being 1.4 but unclear about the minor release.
Update 1/25 – Wordfence has told BleepingComputer that they initially used a broad rule to detect the activity described above, and as a result, some of the logged attempts concern other flaws, like CVE-2023-25135. However, most of the attacks are attributed to exploitation attempts for CVE-2023-6933.
Over 150k WordPress sites at takeover risk via vulnerable plugin
Two vulnerabilities impacting the POST SMTP Mailer WordPress plugin, an email delivery tool used by 300,000 websites, could help attackers take complete control of a site authentication.
Last month, security researchers Ulysses Saicha and Sean Murphy discovered two vulnerabilities in the plugin and reported them to the vendor via Wordfence’s bug bounty program.
The first, tracked as CVE-2023-6875, is a critical authorization bypass flaw arising from a “type juggling” issue on the connect-app REST endpoint. The issue impacts all versions of the plugin up to 2.8.7
An unauthenticated attacker could exploit it to reset the API key and view sensitive log information, including password reset emails.
Specifically, the attacker can exploit a function relating to the mobile app to set a valid token with a zero value for the authentication key via a request.
Next, the attacker triggers a password reset for the site’s admin and then accesses the key from within the application, changing it and locking the legitimate user out of the account.
With administrator privileges, the attacker has full access and can plant backdoors, modify plugins and themes, edit and publish content, or redirect users to malicious destinations.
The second vulnerability, is a cross-site scripting (XSS) problem identified as CVE-2023-7027 that arises from insufficient input sanitization and output escaping.
The flaw impacts POST SMPT up to version 2.8.7 and could let attackers inject arbitrary scripts into the web pages of the affected site.
Wordfence first contacted the vendor about the critical flaw on December 8, 2023, and after submitting the report they followed up with a proof-of-concept (PoC) exploit on December 15.
The XSS issue was reported on December 19, 2023, and a PoC was shared the next day.
The plugin’s vendor published on January 1, 2024 version 2.8.8 of POST SMPT that includes security fixes for both issues.
Based on statitics from wordpress.org, there are roughly 150,000 sites that run a vulnerable version of the plugin that is lower than 2.8. From the remaining half that have version 2.8 and higher installed, thousands are likely vulnerable as well when considering that the platform reports roughly 100,000 downloads since the release of the patch.
