WordPress WooCommerce Payments plugin versions 5.6.1 and below suffer from authentication bypass and privilege escalation vulnerabilities. Details surrounding these issues seem minimal at this point.

**WordPress WooCommerce Payments 5.6.1 Authentication Bypass / Privilege Escalation**

**WordPress WooCommerce Payments 5.6.1 Authentication Bypass / Privilege Escalation**

    Vulnerability allows attackers to impersonate any user and puts as many as 500,000 sites at risk of takeover.PSA: Update Now! Critical Authentication Bypass in WooCommerce Payments Allows Site TakeoverThe Wordfence Threat Intelligence team regularly monitors plugin updates and reviews any indicating that a potential security issue may have been addressed. Today, March 23, 2023, we noticed that the “WooCommerce Payments – Fully Integrated Solution Built and Supported by Woo” plugin updated to version 5.6.2 with a changelog entry marked simply “Security update.”After reviewing the update we determined that it removed vulnerable code that could allow an unauthenticated attacker to impersonate an administrator and completely take over a website without any user interaction or social engineering required.We developed a Proof of Concept and began writing and testing a firewall rule immediately. The rule was released the same day, on March 23, 2023 to Wordfence Premium,  Wordfence Care, and Wordfence Response customers.Regardless of the version of Wordfence you are using, we urge you to update to the latest version of the WooCommerce Payments plugin, which is 5.6.2 as of this writing, immediately. WooCommerce Payments is installed on over 500,000 sites, and this is a critical-severity vulnerability.This email content has also been published on our blog and you're welcome to post a comment there if you'd like to join the conversation. Or you can read the full post in this email.Vulnerability InformationDescription: Authentication Bypass and Privilege Escalation Affected Plugin: WooCommerce PaymentsPlugin Slug: woocommerce-paymentsPlugin Developer: AutomatticAffected Versions: <= 5.6.1CVE ID: N/ACVSS Score: 9.8 (Critical)CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:HFully Patched Version: 5.6.2The WooCommerce Payments plugin is a fully integrated payment solution for WooCommerce developed by Automattic. Unfortunately it contained functionality designed to integrate with the WooCommerce Payment Platform that allowed unauthenticated attackers to impersonate any user on the site in some contexts, which could then be used to gain full access to a site’s administrator account.We are withholding additional details at this time to give users time to update.We do not yet know whether this vulnerability was discovered internally by Automattic or reported by an external researcher, and have not yet determined whether it is actively being exploited in the wild.We expect to see large-scale attacks targeting this vulnerability once a proof of concept becomes available to attackers.ConclusionIn today’s PSA we are alerting our user base to a critical-severity vulnerability in WooCommerce Payments, a plugin installed on over 500,000 sites. This vulnerability allows unauthenticated attackers to completely take over a vulnerable site, and we expect to see mass exploitation in the near future. We recommend that all users update to the latest version available, which is 5.6.2 at the time of this writing.If your site has Wordfence Premium, Wordfence Care, or Wordfence Response installed, your site will have received a firewall rule today, March 23, 2023, protecting it against this vulnerability. If your site is running the free version of Wordfence, the rule will become available 30 days from now, on April 22, 2023.If you know a friend or colleague who is using this plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected. Please help make the WordPress community aware of this issue.If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard.

WordPress WooCommerce Payments 5.6.1 Authentication Bypass / Privilege Escalation

Cobalt Strike 4.7.1 fails to properly escape HTML tags when they are displayed on Swing components. By injecting crafted HTML code, it is possible to remotely execute code in the Cobalt Strike UI.

****NAME****

**HelpSystems Cobalt Strike code execution**

*   **Platforms Affected:**  
    HelpSystems Cobalt Strike 4.7.1  
    
*   **Risk Level:**  
    9.8  
    
*   **Exploitability:  
    **Unproven  
    
*   **Consequences:**  
    Gain Access

****DESCRIPTION****

**HelpSystems Cobalt Strike could allow a remote attacker to execute arbitrary code on the system, caused by a vulnerability in the C2 framework. By creating Swing components from user input, an attacker could exploit this vulnerability to create arbitrary Java objects in the class path and invoke their setter methods, resulting in a code execution.**

**CVSS 3.0 Information**

*   **Privileges Required:** None
*   **User Interaction:** None
*   **Scope:** Unchanged
*   **Access Vector:** Network
*   **Access Complexity:** Low
*   **Confidentiality Impact:** High
*   **Integrity Impact:** High
*   **Availability Impact:** High
*   **Remediation Level:** Official Fix  
    

****MITIGATION****

**Upgrade to the latest version of Cobalt Strike (4.7.2 or later), available from the Cobalt Strike Web site. See References.**

*   **Reference Link:**  
    https://www.cobaltstrike.com/  
    
*   **Reference Link:**  
    https://securityintelligence.com/posts/analysis-rce-vulnerability-cobalt-strike/  
    

A considerable amount of time and effort goes into maintaining this website, creating backend automation and creating new features and content for you to make actionable intelligence decisions. Everyone that supports the site helps enable new functionality.

If you like the site, please support us on Patreon using the button below

To keep up to date follow us on the below channels.

Click Above for Telegram

Click Above for Discord

Click Above for Reddit

Click Above For LinkedIn

**Post navigation**

CVE-2022-42948: HelpSystems Cobalt Strike code execution | CVE-2022-42948 - RedPacket Security

The interrogation of CEO Shou Zi Chew highlighted US lawmakers’ own failure to pass privacy legislation.

In one sense, today’s US congressional hearing on TikTok was a big success: It revealed, over five hours, how desperately the United States needs national data-privacy protections—and how lawmakers believe, somehow, that taking swipes at China is a suitable alternative. 

For some, the job on Thursday was casting the hearing's only witness, TikTok CEO Shou Zi Chew, as a stand-in for the Chinese government—in some cases, for communism itself—and then belting him like a side of beef. More than a few of the questions lawmakers put to Chew were vague, speculative, and immaterial to the allegations against his company. But the members of Congress asking those questions feigned little interest in Chew’s responses anyway. 

Attempts by Chew, a 40-year-old former Goldman Sachs banker, to elaborate on TikTok’s business practices were frequently interrupted, and his requests to remark on matters supposedly of considerable interest to members of Congress were blocked and occasionally ignored. These opportunities to get the CEO on record, while under oath, were repeatedly blown in the name of expediency and for mostly theatrical reasons. Chew, in contrast, was the portrait of patience, even when he was being talked over. Even when some lawmakers began asking and, without pause, answering their own questions.

The hearing might’ve been a flop, had lawmakers planned to dig up new dirt on TikTok, which is owned by China-based ByteDance, or even hash out what the company could do next to allay their concerns. But that wasn't the aim. The House Energy and Commerce Committee was gathered, it said, to investigate “how Congress can safeguard American data privacy and protect children from online harms.” And on that, the hearing revealed plenty.

For one thing, it’s clear that the attempts to isolate TikTok from its competitors—to treat it differently than dozens of other companies with atrocious records of endangering kids and abusing private data—is a pointless exercise. Asking about TikTok's propensity for surveilling its own users, Chicago congresswoman Jan Schakowsky warned Chew against using legal, typical industry practices as a defense against these wrongs. “You might say, ‘not more than other companies,’” she said, adding that she preferred not to “go by that standard.” 

OK. But why not? 

The truth is that if TikTok were to vanish tomorrow, its users would simply flock to any number of other apps that have no qualms about surveilling the most private moments of their lives and amassing, manipulating, and selling off sensitive information about them. Excluding the most serious but largely unsubstantiated allegations leveled at TikTok—that it is acting or will act in coordination with Chinese intelligence services—there wasn’t a concern about privacy raised by lawmakers Thursday that couldn't be addressed by existing legislation supporting a national privacy law. 

Ensuring that companies and the data brokers they enrich face swift reprisals for blatantly abusing user trust would have the benefit of addressing not only the accusations levied against TikTok, but deceitful practices common across the entire social media industry. 

The irony of US lawmakers pursuing a solution to a problem that’s already been solved by draft legislation—but not actually fixed due to its own inaction—wasn’t entirely lost on the members. While primarily focused on a single company, the hearing, Florida congresswoman Kathy Castor said, should really serve as a broader call to action. “From surveillance, tracking, personal data gathering, and addictive algorithmic operations that serve up harmful content and have a corrosive effect on our kids’ mental and physical well-being,” she said, Americans deserve protection, no matter the source.

The TikTok Hearing Revealed That Congress Is the Problem

Nexus, offered in a malware-as-a-service model, is the latest in a vast and growing array of trojans targeting mobile banking and cryptocurrency applications.

A threat actor is targeting customers of 450 banks and cryptocurrency services worldwide with a dangerous Android trojan that has multiple features for hijacking online accounts and potentially siphoning funds out of them.

The authors of the so-called "Nexus" Android Trojan have made the malware available to other threat actors via a newly announced malware-as-a-service (MaaS) program, where individuals and groups can rent or subscribe to the malware and use it in their own attacks.

Researchers at Italian cybersecurity firm Cleafy first spotted Nexus last June, but at the time assessed it to be a rapidly evolving variant of another Android banking Trojan they were tracking as "Sova.. The malware contained several chunks of Sova code and had capabilities at the time for targeting more than 200 mobile banking, cryptocurrency and other financial apps. Cleafy researchers observed what they assumed was the Sova variant hidden in fake apps with logos that suggested they were Amazon, Chrome, NFT and other trusted apps.

But in January, Cleafy researchers spotted the malware—now more evolved—surfacing on multiple hacking forums under the name Nexus. Shortly thereafter, the malware authors began making the malware available to other threat actors via its new MaaS program for the relatively price of $3,000 a month.

Federico Valentini, head of Cleafy's threat intelligence team, says it's unclear how threat actors are delivering Nexus on Android devices. "We didn't have access to specific details on Nexus's initial infection vector, as our research was mainly focused on analyzing its behavior and capabilities," Valentini says. "However, based on our experience and knowledge of similar malware, it is common for banking trojans to be delivered through social engineering schemes such as smishing," he says referring to phishing via SMS text messages.

**Multiple Features for Account Takeover  
**

Cleafy's analysis of Nexus showed the malware to contain several features for enabling account takeover. Among them is a function for performing overlay attacks and logging keystrokes to steal user credentials. When a customer of a target banking or cryptocurrency app, for instance, attempts to access their account using a compromised Android device, Nexus serves up a page that looks and functions exactly like the login page for the real app. The malware then uses its keylogging feature to grab the victim's credentials as entered in the login page.

Like many banking Trojans, Nexus can intercept SMS messages to grab two-factor authentication codes for accessing online accounts. Cleafy found Nexus capable of abusing Android's Accessibility Services feature to steal seeds and balance information from cryptocurrency wallets, cookies from websites of interest, and two-factor codes of Google's Authenticator app.

The malware authors also appear to have added new functionalities to Nexus that were not present in the version that Cleafy observed last year and initially assumed was a Sova variant. One of them is a feature that quietly deletes received SMS two-factor authentication messages and another is a function for stopping or activating the module for stealing Google Authenticator 2FA codes. The latest Nexus variant also has a function for periodically checking its command-and-control server (C2) for updates and for automatically installing any that might become available. A module that appears to be still under development suggests that the authors might implement an encryption capability in the malware, most likely to obfuscate its tracks after completing an account takeover.

**Nexus: A Work in Progress?**

Valentini says Cleafy's research suggests that Nexus has compromised potentially hundreds of systems. "What's particularly noteworthy is that the victims do not appear to be concentrated in a particular geographical region but are well distributed globally."

Despite the malware's many functions for taking over online financial accounts, Cleafy's researchers assessed Nexus to still be a work-in-progress. One indication, according to the security vendor, is the presence of debugging strings and the lack of usage references in certain modules of the malware. Another giveaway is the relatively high number of logging messages in the code which suggest the authors are still in the process of tracking and reporting on all actions the malware performs, Cleafy said.

Notably, the malware in its present avatar does not include a Virtual Network Computing, or VNC, module that would give the attacker a way to take complete remote control of a Nexus-infected device. "The VNC module allows threat actors to perform on-device fraud, one of the most dangerous types of fraud since money transfers are initiated from the same device used by victims daily."

**One of Many Android Banking Trojans**

Nexus is one of several Android banking trojans that have surfaced just over the past few months and have added to the already large number of similar tools in the wild currently. Earlier this month for instance, researchers from Cyble reported observing new Android malware dubbed GoatRAT targeting a recently introduced mobile automated payment system in Brazil. In December 2022, Cyble spotted another Android banking trojan tracked as "Godfather" resurfacing after a hiatus, with advanced new obfuscation and anti-detection features. Cyble cyber-researchers found the malware masquerading as legitimate software on the Google Play store.

Those two malware variants are barely even the tip of the iceberg. A Kaspersky analysis showed that some 200,000 new banking trojans surfaced in 2022, representing a 100% increase over 2021.

'Nexus' Android Malware Targets Customers of 450 Financial Institutions Worldwide

A use-after-free flaw was found in the Linux kernel’s Ext4 File System in how a user triggers several file operations simultaneously with the overlay FS usage. This flaw allows a local user to crash or potentially escalate their privileges on the system. Only if patch 9a2544037600 ("ovl: fix use after free in struct ovl_aio_req") not applied yet, the kernel could be affected.

CVE-2023-1252: [PATCH 5.15 138/917] ovl: fix use after free in struct ovl_aio_req

Google has stepped in to remove a bogus Chrome browser extension from the official Web Store that masqueraded as OpenAI's ChatGPT service to harvest Facebook session cookies and hijack the accounts.
The "ChatGPT For Google" extension, a trojanized version of a legitimate open source browser add-on, attracted over 9,000 installations since March 14, 2023, prior to its removal. It was originally

Browser Security / Artificial Intelligence

Google has stepped in to remove a bogus Chrome browser extension from the official Web Store that masqueraded as OpenAI's ChatGPT service to harvest Facebook session cookies and hijack the accounts.

The "ChatGPT For Google" extension, a trojanized version of a legitimate open source browser add-on, attracted over 9,000 installations since March 14, 2023, prior to its removal. It was originally uploaded to the Chrome Web Store on February 14, 2023.

According to Guardio Labs researcher Nati Tal, the extension is propagated through malicious sponsored Google search results that are designed to redirect unsuspecting users searching for "Chat GPT-4" to fraudulent landing pages that point to the fake add-on.

Installing the extension adds the promised functionality – i.e., enhancing search engines with ChatGPT – but it also stealthily activates the ability to capture Facebook-related cookies and exfiltrate it to a remote server in an encrypted manner.

Once in possession of the victim's cookies, the threat actor moves to seize control of the Facebook account, change the password, alter the profile name and picture, and even use it to disseminate extremist propaganda.

The development makes it the second fake ChatGPT Chrome browser extension to be discovered in the wild. The other extension, which also functioned as a Facebook account stealer, was distributed via sponsored posts on the social media platform.

WEBINAR

Discover the Hidden Dangers of Third-Party SaaS Apps

Are you aware of the risks associated with third-party app access to your company's SaaS apps? Join our webinar to learn about the types of permissions being granted and how to minimize risk.

RESERVE YOUR SEAT

If anything, the findings are yet another proof that cybercriminals are capable of swiftly adapting their campaigns to cash in on the popularity of ChatGPT to distribute malware and stage opportunistic attacks.

"For threat actors, the possibilities are endless — using your profile as a bot for comments, likes, and other promotional activities, or creating pages and advertisement accounts using your reputation and identity while promoting services that are both legitimate and probably mostly not," Tal said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

Fake ChatGPT Chrome Browser Extension Caught Hijacking Facebook Accounts

Cloud-based System of Trust application now available for test-driving quantitative risk assessment of suppliers of hardware, software, services.

MITRE has quietly released a cloud-based prototype platform for its new System of Trust (SoT) framework that defines and quantifies risks and cybersecurity concerns for the supply chain.

The so-called Risk Model Manager (RMM) platform is now available for organizations to assess supply chain risk and security, as well as to view, edit, and customize the SoT framework content, or export it for use as a subset framework. MITRE first debuted the SoT framework concept at the 2022 RSA Conference (RSAC), and it will officially announce the RMM prototype platform next month at RSAC 2023 in San Francisco.

Software supply chain risk and security received a loud wake-up call after high-profile attacks like SolarWinds and Log4j painfully punctuated the dangers of threat actors compromising vendors' software and then in turn compromising customers' software installations. There has been no common, agreed-upon way to define or measure these risks to date. Enter MITRE's SoT, a framework for providing a sort of standard way to evaluate suppliers, service providers, and supplies that can be used by cybersecurity teams as well across the business for assessing a vendor or a software product.

The SoT framework, which is a cloud-native app hosted on AWS, is centered around 14 top-level risk areas related to suppliers, service providers, and supplies, including the financial stability and cybersecurity practices of the supplier, as well as risk of counterfeit and compromise to products. These risk categories are then used to evaluate a supplier or product during the acquisition process, digging into detailed questions on how a supplier tracks and ensures the security of third-party software components used in their product, for example.

"The System of Trust is very appealing because it gives a structure that's more comprehensive, well laid-out, and explains what kinds of risks" you have in your supply chain, in detail, explains Robert Martin, senior software and supply chain assurance principal engineer at MITRE Labs. That goes beyond traditional risk measurement and assessment tools, he notes.

There are some 40 organizations currently involved in shaping the SoT platform, which now includes some 660 specific supply chain categories and risk factors. MITRE is gathering input to flesh out the tool from businesses with supply chains, supply chain security vendors, and standards groups that touch some elements of supply chain operations. Among some of the big name members of the SoT community are Microsoft, BlackBerry, CISA, Cisco, Dell Technologies, Intel, Mastercard, NASA, Raytheon, Schneider Electric, Siemens, and The Open Group.

SoT is yet another project by MITRE that builds a reference framework for the cybersecurity industry: its wildly popular ATT&CK framework, for instance, maps the common steps threat groups use to infiltrate networks and breach systems, while its newer D3FEND model specifies a common way to define defensive capabilities and technologies. But SoT provides a wider lens of risk than just cybersecurity — factoring in financial, quality, and integrity risk as well, for example.

"The big thing they have here is they are doing what they have done with ATT&CK and D3FEND: provide a common language for everyone to use when we are talking about not only the position in the chain but the specific vulnerabilities or attack methods and defenses," says Curt Franklin, principal analyst for enterprise security management at Omdia.

Franklin says MITRE's pedigree with its other cybersecurity programs should help propel the SoT, but wide adoption likely will take time. "I can imagine some of the third-party risk assessment \[vendors\] building SoT into their products like they build FAIR \[Factor Analysis of Information Risk\] or ATT&CK into theirs," Franklin says. "I think the odds are good that \[SoT\] will be more widely adopted. I think the odds are just as good that it will take a while."

That's because there still are multiple ways to define and measure risk in cybersecurity, and no two models work together, he says. "It's very difficult to say how my risk posture compares to my peers in the industry. What something like this does is provide a particular framework for some common quantification of risk."

**How SoT Works**

Each risk item in the RMM is scored using data measurements that are then applied to a scoring algorithm. The resulting scores identify the strengths and weaknesses of a supplier, for example, against the specific risk categories. That would allow a business to assess quantitatively the security risk of a software vendor or its product, for example.

One of the organizations closely working the project is Schneider Electric, whose vice president of supply chain security Cassie Crossley will join Martin in an RSAC 2023 session on SoT called "Creating the Standard for Supply Chain Risk — MITRE's System of Trust." Crossley says Schneider has multiple, comprehensive supply chain risk assessment processes currently in place across different parts of the company, and Schneider plans to provide input and feedback to the SoT based on its own requirements and metrics.

"We would want to work with those teams \[across Schneider\] to identify some areas where we can provide suggestions and also see how we can better align or sort of adopt more of the \[SoT\] framework," Crossley says. "I don't know yet if we will have a full, 'hey, we are 100% SoT.' But we would make our own processes and identify areas where we want to incorporate more of a structure" for supply chain risk assessment, she says.

For Schneider, supply chain risk and security issues apply both to its own products and ones it buys for internal use, including the "third and fourth parties we work with," she says. She sees SoT possibly helping with visibility into risks associated with "upstream" suppliers that aren't typically part of a supplier evaluation process.

"I think by using SOT, if it could become a common model for a lot, we can get those answers faster for those upstream" suppliers, she says, if an organization can ask vendors to map it to their upstream suppliers.

**MITRE's Open Source Plan**

Martin says the main challenges for SoT to become the go-to standard for supply chain assessments are enough bandwidth to expand the project as it catches on, as well as getting the word out to avoid duplication of effort. "I'm worried about people not being aware of this and off trying to solve something that overlaps. We are making sure people are aware" and can help contribute to SoT, he says.

MITRE plans to offer RMM as an open source tool when it's fully baked. For now, Martin says, organizations can use it to assist MITRE in fleshing out the tool itself or for their own internal use. "They can take it offline," he says, "and do an assessment against" the SoT.

MITRE Rolls Out Supply Chain Security Prototype

WordPress plugins Watu Quiz versions 3.3.9 and below, GN Publisher versions 1.5.5 and below, and Japanized For WooCommerce versions 2.5.4 and below suffer from cross site scripting vulnerabilities.

Description: Reflected Cross-Site Scripting 

Affected Plugin: Watu Quiz

Plugin Slug: watu

Affected Versions: <= 3.3.9

CVE ID: CVE-2023-0968

CVSS Score: 6.1 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Researcher/s: Marco Wotschka 

Fully Patched Version: 3.3.9.1

Description: Reflected Cross-Site Scripting 

Affected Plugin: GN Publisher: Google News Compatible RSS Feeds

Plugin Slug: gn-publisher

Affected Versions: <= 1.5.5

CVE ID: CVE-2023-1080

CVSS Score: 6.1 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Researcher/s: Marco Wotschka 

Fully Patched Version: 1.5.6

Description: Reflected Cross-Site Scripting 

Affected Plugin: Japanized For WooCommerce

Plugin Slug: woocommerce-for-japan

Affected Versions: <= 2.5.4

CVE ID: CVE-2023-0942

CVSS Score: 6.1 (Medium)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:L/I:L/A:N

Researcher/s: Marco Wotschka 

Fully Patched Version: 2.5.5

Vulnerability Details

Watu Quiz is a plugin that offers site owners the ability to create exams, quizzes and surveys. It allows administrators to review quiz submissions and filter search results by username, email, date taken and quiz score. Unfortunately, the search terms – provided as URL parameters – were not properly sanitized before being echoed on the search form.

Visiting a URL containing a malicious payload sufficed to trigger the execution of malicious JavaScript code in the context of the visiting user’s session. Since the exploitable page was an administrative page, this code could be used to create new administrator users or to perform other similarly severe actions potentially resulting in site takeover.

A vulnerable line of code in the plugin used the user-provided parameter and output it directly:

<input name="dn" type="text" value="<?php echo @$_GET['dn']?>" />

The dn parameter can be used to close out the value attribute, add an onmouseover event (or an onfocus event combined with the autofocus attribute) and execute JavaScript in the context of the victim’s browser.

/wp-admin/admin.php?page=watu_takings&exam_id=1&dn="%2Fonmouseover%3Dalert(123)%2F%2F

Versions up to 3.3.9 of this plugin are vulnerable. The issue is fixed in version 3.3.9.1 as of March 3, 2023.

GN Publisher is a plugin that makes RSS feeds which comply with Google News RSS feed technical requirements – necessary for inclusion in the Google News Publisher Center. The plugin addresses some common RSS compatibility issues publishers typically experience.

On its main configuration page It offers a tabbed form where administrators can change plugin-specific settings. However, the plugin does not properly escape the tab name before outputting it.

The software features a button in the top right corner that offers an upgrade to the PRO version. The code for the button in the vulnerable version is shown below (slightly reformatted for legibility):

As can be seen, the button element contains a php echo statement that outputs the tab parameter as a button class attribute. An unauthenticated attacker can take advantage of this and inject attribute-based JavaScript that executes on an event of the attacker’s choosing such as onmouseover, or onfocus in combination with autofocus, assuming they can also successfully trick a site administrator into performing an action.

/wp-admin/options-general.php?page=gn-publisher-settings&tab=hans%22%2F+onmouseover%3Dalert%281%29%3B%2F%2F

Versions up to, and including, 1.5.5 are vulnerable. Version 1.5.6 addressed this issue and was released on February 24, 2023.

The plugin Japanized for WooCommerce adds additional features to WooCommerce that make it more user-friendly for a Japanese audience, such as honorific titles and custom payment options geared towards the Japanese market. Similarly to the other two plugins discussed above, Japanized for WooCommerce outputs unsanitized user input provided via URL parameter.

As long as a tab parameter is provided, it will be output as part of the provided JavaScript that follows. A malicious piece of code can be used to close the script tag, open a new one, and include code to be executed on behalf of the visiting user.

/wp-admin/admin.php?page=wc4jp-options&tab=hans%27%3C%2Fscript%3E%3Cscript%3Ealert%281%29%3C%2Fscript%3E

Just like the other two vulnerabilities discussed above, this vulnerability can be exploited by unauthenticated attackers as long as an administrator of a vulnerable site can be tricked into performing an action such as clicking on a link leading them to the vulnerable form.

This issue is patched as of version 2.5.6, which was released on February 28, 2023.

As a final reminder, as is typical for Reflected Cross-Site Scripting vulnerabilities, these attacks can be carried out by unauthenticated users. However, the interaction of a site user is a requirement. Furthermore, the malicious injection does not persist as it is not stored in the database.

Conclusion

In today’s post, we detailed flaws in three plugins that made it possible for attackers to inject malicious JavaScript into a vulnerable site. While the exploitation of these vulnerabilities requires some degree of social engineering, they all could be used for site takeover.

All Wordfence users, including those running Wordfence Premium, Wordfence Care, and Wordfence Response, as well as sites still running the free version of Wordfence, are fully protected against this vulnerability.

If you believe your site has been compromised as a result of these vulnerabilities or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both these products include hands-on support in case you need further assistance.

If you have any friends or colleagues who are using one of these plugins, please share this announcement with them and encourage them to update to the latest version as soon as possible.

If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence leaderboard.

WordPress Watu Quiz 3.3.9 / GN Publisher 1.5.5 / Japanized For WooComerce 2.5.4 XSS

In the triumvirate of identity types, protecting the identity, privacy, and data of carbon-based forms — humans — is key. Safeguards must be in place as AI becomes more interactive.

ChatGPT and Bard AI are making the news for all kinds of reasons. People are charmed and unnerved by the quirky responses and how seemingly sentient these chatbots are.

But artificial intelligence (AI) has existed for years, and the issues today aren't just related to a greater capacity for writing term papers and malware. These new tools simply add to an already complex ecosystem of identities, which may be carbon-based, silicon-based, or now, increasingly complex artificial identities created by AI.

**Identity Trifecta**

First, let's define these different identity types:

**Carbon-based identity:** This one is easy. It's humans. We have names, we have personally identifiable information, mannerisms, and so much more. And we live, breathe, and interact with carbon, silicon, and artificial identities every day.

**Silicon-based identity:** A silicon-based identity is something that we all interact with but rarely or never think about as an entity: our cars, smartphones, and millions of other items that rarely exist or interact on their own.

**Artificial-based identity:** If you've ever read a novel, you've met a whole cast of artificial identities. Each character is a fictional creation with a backstory, internal motivations, and seemingly interactive relationships. The new chatbots can create detailed identities in moments.

**Why Does Identity Matter?**

A silicon-based identity integrates with you and your identity. Take your smartphone, for example. You set it up and customize it so that you can log in with your fingerprint or your face. You use it to set up online banking accounts, social media profiles, and much more. Essentially, you create a link between your carbon identity and your silicon identity, which allows you to interact with your bank and other peer-to-peer connections. When you sell or give away the phone, you know you need to wipe all that data, otherwise the next user could use connections that you authenticated to access your financial, work, and other personal accounts. Even after removing the data, the phone still exists as a silicon identity, and it will integrate with the next carbon entity that sets it up.

Artificial entities are increasingly easy to create, however. AI can generate faces that people find trustworthy and have difficulty distinguishing from real ones. Combined with chatbots, some of these entities have LinkedIn profiles and can easily — and convincingly — reach out to prospective customers without adding to an organization's staffing costs or training requirements. Other chatbots may be answering your banking questions, responding to fraud alerts, or authorizing transactions. They may help you book a flight, facilitate a product return, or respond to insurance queries.

**Who — or What — Are You Talking To?**

How to know which type of entity you're talking to is a question that's only going to become more challenging in the coming months and years. Today, most chatbots can answer simple questions with canned responses. Most users probably find them frustratingly inadequate and try to interact with a carbon entity instead. But it's getting harder to tell them apart. As these solutions become more available, flexible, and interactive, you need to consider who you want to share protected information with.

It may seem safe to share your banking information with an artificial identity, forgetting that if you share your checking account info and authorize them to take money out, you have very little control over when and how that happens. There are some financial regulations in place to help consumers, but they only help after something goes wrong. When your credit or debit card is compromised, you can dispute fraudulent transactions, prevent future charges, and get a new card. That can limit the potential fallout.

Health information is far more complicated. If you share information with an artificial identity about your carbon entity, such as that you have diabetes and high blood pressure, that information goes somewhere you can no longer control. If this private health information is disclosed, either because the artificial entity you shared it with was created for malicious purposes or because the data collected wasn't properly secured and encrypted, that part of your identity is now compromised and you cannot make that information private again.

**Protect Data, Privacy, and Identity**

As the different types of identities become increasingly intertwined and complicated, it's important for organizations to make it clear when an identity interfacing directly with people is artificial, why they're using it, and how.

They also need to protect the identity, privacy, and data of the carbon identities, regardless of how it is collected. That means how this information is collected, transmitted, and encrypted is important.

As we move forward, we must make certain that we protect data, privacy, and identity by challenging and validating access for all these different types of identities. Although artificial identities are becoming interactive and seemingly human, the responsibility to protect carbon identities is paramount.

Are You Talking to a Carbon, Silicon, or Artificial Identity?

As of April 20, 2023, we are decommissioning SenderBase.org and any attempts to visit that web page will fail.

Thursday, March 23, 2023 07:03

As of April 20, 2023, we are decommissioning SenderBase.org and any attempts to visit that web page will fail.

Talos Intelligence’s website (TalosIntelligence.com) has served as the replacement for SenderBase.org for many years, with TalosIntelligence.com providing the same information as SenderBase.org once did. Since that time, visitors to SenderBase.org have been automatically redirected to TalosIntelligence.com, and the redirect from SenderBase.org is finally being removed on \[date\]. After that, attempts to visit SenderBase.org will fail.

Any users still utilizing bookmarks or links pointing to Senderbase.org should update these to ensure they still work appropriately.

Thank you for assisting us in this process.

Tag

#intel