Tweet
A high-severity vulnerability recently discovered in a WordPress plugin put some 60,000 websites at risk of website takeover, data exfiltration, or remote code execution.
This is according to the Wordfence Threat Intelligence, a research team that hunts for bugs in one of the worldās most popular CMS platforms, WordPress.
The Wordfenceās report explains that, in mid-April, the team found an Object Injection vulnerability in the Booking Calendar plugin which, at press time, has had more than 60,000 installations.
https://cdn.mos.cms.futurecdn.net/ybbmQ8p4Q999AkMWkW8HLm.jpg
Share your thoughts on Cybersecurity and get a free copy of the Hackerās Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/Ā£10.99.
[HEADING=1]Executing arbitrary code[/HEADING]
The plugin gives webmasters the option to add a booking system to the site, which includes the ability to publish a flexible timeline, showing existing bookings and openings.
The flexible timeline also allows webmasters to configure viewing preferences and options, when viewing the published timeline. Some of these options were passed in PHPās serialized data, Wordfence explained, and an attacker could control this data through multiple methods.
āAny time an attacker can control data that is unserialized by PHP, they can inject a PHP object with properties of their choice,ā the announcement reads. āIf a āPOP Chainā is also present, it can allow an attacker to execute arbitrary code, delete files, or otherwise destroy or gain control of a vulnerable website.ā
Read more
The silver lining in the finding is that Wordfence did not find any POP chains in the Booking plugin, meaning attackers would need āsome luckā and additional research to make use of the flaw. Still, as POP chains often appear in software libraries, the threat is real.
Wordfence notified the developers of its findings in mid-April and the patch was deployed within three days. Users are advised to patch to version 9.1.1. of the plugin, as soon as possible.
Being among the most popular website hosting platforms in the world, WordPress and its plugins are often targeted by threat actors, looking for zero-days through which they could deploy malware. While WordPress itself is generally considered safe, its thousands of third-party plugins are bound to suffer from a few vulnerabilities.
[ul]
[li]No security tech stack is complete with a great antivirus solution[/li][/ul]
Continue readingā¦
This is according to the Wordfence Threat Intelligence, a research team that hunts for bugs in one of the worldās most popular CMS platforms, WordPress.
The Wordfenceās report explains that, in mid-April, the team found an Object Injection vulnerability in the Booking Calendar plugin which, at press time, has had more than 60,000 installations.
https://cdn.mos.cms.futurecdn.net/ybbmQ8p4Q999AkMWkW8HLm.jpg
Share your thoughts on Cybersecurity and get a free copy of the Hackerās Manual 2022. Help us find how businesses are preparing for the post-Covid world and the implications of these activities on their cybersecurity plans. Enter your email at the end of this survey to get the bookazine, worth $10.99/Ā£10.99.
[HEADING=1]Executing arbitrary code[/HEADING]
The plugin gives webmasters the option to add a booking system to the site, which includes the ability to publish a flexible timeline, showing existing bookings and openings.
The flexible timeline also allows webmasters to configure viewing preferences and options, when viewing the published timeline. Some of these options were passed in PHPās serialized data, Wordfence explained, and an attacker could control this data through multiple methods.
āAny time an attacker can control data that is unserialized by PHP, they can inject a PHP object with properties of their choice,ā the announcement reads. āIf a āPOP Chainā is also present, it can allow an attacker to execute arbitrary code, delete files, or otherwise destroy or gain control of a vulnerable website.ā
Read more
WordPress.com website builder review
Major WordPress update will make amateurs look like master web developers
WordPress plugin vulnerability exposed millions of websites to attack
Major WordPress update will make amateurs look like master web developers
WordPress plugin vulnerability exposed millions of websites to attack
Wordfence notified the developers of its findings in mid-April and the patch was deployed within three days. Users are advised to patch to version 9.1.1. of the plugin, as soon as possible.
Being among the most popular website hosting platforms in the world, WordPress and its plugins are often targeted by threat actors, looking for zero-days through which they could deploy malware. While WordPress itself is generally considered safe, its thousands of third-party plugins are bound to suffer from a few vulnerabilities.
[ul]
[li]No security tech stack is complete with a great antivirus solution[/li][/ul]
Continue readingā¦