WordPress Yith WooCommerce Gift Cards Premium plugin versions 3.19.0 and below suffer from a remote shell upload vulnerability.

Description: Unauthenticated Arbitrary File Upload

Affected Plugin: Yith WooCommerce Gift Cards Premium

Plugin Slug: yith-woocommerce-gift-cards-premium

Affected Versions: <= 3.19.0

CVE ID: CVE-2022-45359

CVSS Score: 9.8 (Critical)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:N/I:L/A:N

Researcher/s:  Dave Jong

Fully Patched Version: 3.20.0

We were able to reverse engineer the exploit based on attack traffic and a copy of the vulnerable plugin and are providing information on its functionality as this vulnerability is already being exploited in the wild and a patch has been available for some time.

The issue lies in the import_actions_from_settings_panel function which runs on the admin_init hook.

Since admin_init runs for any page in the /wp-admin/ directory, it is possible to trigger functions that run on admin_init as an unauthenticated attacker by sending a request to /wp-admin/admin-post.php.

Since the import_actions_from_settings_panel function also lacks a capability check and a CSRF check, it is trivial for an attacker to simply send a request containing a page parameter set to yith_woocommerce_gift_cards_panel, a ywgc_safe_submit_field parameter set to importing_gift_cards, and a payload in the file_import_csv file parameter.

Since the function also does not perform any file type checks, any file type including executable PHP files can be uploaded.

Cyber Observables

These attacks may appear in your logs as unexpected POST requests to wp-admin/admin-post.php from unknown IP addresses. Additionally, we have observed the following payloads which may be useful in determining whether your site has been compromised. Note that we are providing normalized hashes (hashes of the file with all extraneous whitespace removed):

kon.php/1tes.php – this file loads a copy of the “marijuana shell” file manager in memory from a remote location at shell[.]prinsh[.]com and has a normalized sha256 hash of 1a3babb9ac0a199289262b6acf680fb3185d432ed1e6b71f339074047078b28c

b.php – this file is a simple uploader with a normalized sha256 hash of 3c2c9d07da5f40a22de1c32bc8088e941cea7215cbcd6e1e901c6a3f7a6f9f19

admin.php – this file is a password-protected backdoor and has a normalized sha256 hash of 8cc74f5fa8847ba70c8691eb5fdf8b6879593459cfd2d4773251388618cac90d

Although we’ve seen attacks from more than a hundred IPs, the vast majority of attacks were from just two IP addresses:

103.138.108.15, which sent out 19604 attacks against 10936 different sites

and

188.66.0.135, which sent 1220 attacks against 928 sites.

The majority of attacks occurred the day after the vulnerability was disclosed, but have been ongoing, with another peak on December 14, 2022. As this vulnerability is trivial to exploit and provides full access to a vulnerable website we expect attacks to continue well into the future.

Recommendations

If you are running a vulnerable version of YITH WooCommerce Gift Cards Premium, that is, any version up to and including 3.19.0, we strongly recommend updating to the latest version available. While the Wordfence firewall does provide protection against malicious file uploads even for free users, attackers may still be able to cause nuisance issues by abusing the vulnerable functionality in less critical ways.

If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care. If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time. Both of these products include hands-on support in case you need further assistance.

If you have any friends or colleagues who are using this plugin, please share this announcement with them and encourage them to update to the latest patched version of YITH WooCommerce Gift Cards Premium as soon as possible.

If you are a security researcher, you can responsibly disclose your finds to us and obtain a CVE ID and get your name on the Wordfence Intelligence Community Edition leaderboard.

WordPress Yith WooCommerce Gift Cards Premium 3.19.0 Shell Upload

The Jeg Elementor Kit plugin for WordPress is vulnerable to authorization bypass in various AJAX actions in versions up to, and including, 2.5.6. Authenticated users can use an easily available nonce value to create header templates and make additional changes to the site, as the plugin does not use capability checks for this purpose.

This record contains material that is subject to copyright

**License:** CVE Usage: MITRE hereby grants you a perpetual, worldwide, non-exclusive, no-charge, royalty-free, irrevocable copyright license to reproduce, prepare derivative works of, publicly display, publicly perform, sublicense, and distribute Common Vulnerabilities and Exposures (CVE®). Any copy you make for such purposes is authorized provided that you reproduce MITRE's copyright designation and this license in any such copy. **Read more.**

Copyright 1999-2022 The MITRE Corporation

Have information to add, or spot any errors? Contact us at wfi-community@wordfence.com so we can make any appropriate adjustments.

CVE-2022-3794: Jeg Elementor Kit <= 2.5.6

The Jeg Elementor Kit plugin for WordPress is vulnerable to authorization bypass in various functions used to update the plugin settings in versions up to, and including, 2.5.6. Unauthenticated users can use an easily available nonce, obtained from pages edited by the plugin, to update the MailChimp API key, global styles, 404 page settings, and enabled elements.

CVE-2022-3805: Jeg Elementor Kit <= 2.5.6

A successful attacker could use the SSRF vulnerability to collect metadata from WordPress sites hosted on an AWS server, and potentially log in to a cloud instance to run commands.

A vulnerability in the Google Web Stories plug-in for WordPress could be exploited via a server-side request forgery (SSRF) vulnerability to steal Amazon Web Services (AWS) metadata from sites hosted on the AWS server. That metadata can include sensitive information such as the AccessKeyId, SecretAccessKey, and Token.

An SSRF vulnerability gives attackers a way to elevate privileges on a compromised system using a modified URL, thereby gaining access to internal resources.

The Web Stories plug-in is an open visual storytelling format for the Web, consisting of animations and other interactive graphics, which can be shared and embedded across sites and apps. There are more than 100,000 active installations of the plug-in.

A Wordfence research team discovered the plug-in was vulnerable to the SSRF bug (CVE-2022-3708) in versions through 1.24.0, due to insufficient validation of URLs supplied via the "url" parameter found via the /v1/hotlink/proxy REST API Endpoint.

"Exploiting this vulnerability, an authenticated user could make web requests to arbitrary locations originating from the web application," Wordfence Threat Intelligence team member Topher Tebow wrote in a Dec. 21 blog post.

He added that, in testing, the team was able to uncover specific metadata used to enable features like EC2 Instance Connect; stolen metadata could then be used to log in to the virtual server and run commands through the terminal.

The researcher noted that this is the tip of the iceberg: "There are many metadata categories provided by AWS that each have specific uses and varying degrees of severity if misused."

The team found the flaw in October, and by the end of November, two blocks of code were updated to fully patch the vulnerability in the plug-in.

"With the patch applied within version 1.25.0 and newer, attempts to obtain AWS metadata will fail," Tebow explained.

He added that the attack can succeed for users logged in with an account that has minimal permissions, such as a subscriber, so the issue particularly threatens sites with open registration.

"The authenticated user does not need high level privileges to exploit this vulnerability," Tebow continued.

**Using Zero Trust to Limit SSRF Vulnerabilities**

"Understanding the impact of vulnerabilities such as SSRF vulnerabilities is critical for developers," Tebow wrote. "Keeping code secure can be difficult to ensure during the development phase, which is why the code must be tested for vulnerabilities during and after it has been written."

Developers were advised to pay close to attention to their coding practices as they relate to the vulnerabilities inherent in each programming language, ensure any inputs are validated, and to adopt a posture of zero trust authentication.

"SSRF vulnerabilities are possible because the internal and external resources may be configured to assume that requests sent from an internal location are inherently trustworthy," Tebow noted. "By requiring validation and authorization for every action, this default trust is removed, and requests must be validated properly before being considered trusted."

Constant code reviews and updates of WordPress plug-ins and themes are among the other steps that developers can take to limit exploits of WordPress-built websites.

**WordPress Sites Face a Raft of Security Issues**

Malicious actors have been targeting WordPress sites at a rapid clip — mainly through vulnerable plug-ins — since the beginning of the year: In February, a report found tens of thousands of websites powered by WordPress were vulnerable to attack via a remote code execution (RCE) bug in a widely used plug-in called Essential Addons for Elementor.

In May, there was a widespread attack launched to exploit known RCE flaw in the Tatsu Builder WordPress plug-in, and two months later, researchers discovered a phishing kit that injects malware into legitimate WordPress sites and uses a fake PayPal-branded social engineering scam.

More recently, a threat group called SolarMarker exploited a vulnerable WordPress-run website to encourage victims to download fake Chrome browser updates, while another group of attackers were actively exploiting a critical vulnerability in BackupBuddy, a WordPress plug-in that an estimated 140,000 websites are using to back up their installations.

Google WordPress Plug-in Bug Allows AWS Metadata Theft

By Owais Sultan
Choosing the right hosting service provider is one of the most critical yet often overlooked components when it…
This is a post from HackRead.com Read the original post: What To Look For In The Best WordPress Hosting

Choosing the **right hosting service provider** is one of the most critical yet often overlooked components when it comes to the success of a website. A good WordPress hosting provider will not only offer all the right tools to conveniently manage your website but will also boost your SEO and increase your traffic.

With that said, finding the best WordPress hosting service is not always easy. That’s especially true considering that many hosting companies often make bold assertions about their services with little evidence to back them up.

So, if you are in the market for a **top WordPress hosting** service provider, it helps to know what to look out for, so you are better able to make an informed choice. Here are factors that make a good WordPress hosting service:

**Security**

With cases of **cybercrime increasing each day**, cybersecurity has never been more important. For this reason, security should be at the top of your priority list when shopping for a WordPress hosting service.

Fortunately, most of the top web hosting service providers in the market go to great lengths to buffer the websites of their clients against unauthorized access and data breaches. Standard security features to look for in your WordPress hosting provider include:

*   SSL certificates
*   DDoS protection
*   Threat monitoring
*   Two-factor authorization
*   Web application firewall (WAF)

It’s also important to ensure that the hosting company offers automated **backup solutions** (PDF) as these provide an extra layer of protection in case you inadvertently delete files or your site crashes.

**Performance**

Lags and slow-loading web pages can easily drive away visitors from your website, causing you to lose out on the traffic that you need to grow your brand and increase your revenue. For this reason, you should go for a hosting provider that can guarantee high levels of performance at all times.

Below are factors you can look out for when vetting a hosting provider for your site:

*   Error rate
*   Throughput
*   Page load time
*   Requests per second (RPS)
*   Peak response times (PRT)

**Great Customer Support**

It is inevitable that you will run into some concerns or questions once you begin working with a new WordPress hosting provider. So, naturally, you want a hosting provider with convenient and direct communication avenues that you can use to get in touch with them for any assistance you may require.

The good news is that most of the top WordPress hosting providers offer 24/7 customer support and have a very quick response time. Besides resolving basic website-related issues, such as server management and security, a reliable customer support team should also be able to provide assistance when it comes to web optimization and upgrades.

**Reliability**

When choosing a WordPress hosting service for your website, you can’t overlook the reliability of your provider’s servers. Even a single instance of downtime can not only cause you to lose out on revenue but also hurt your ranking on search engines and potentially damage your reputation

As such, it’s important to ensure that the hosting provider’s servers are reliable. Unfortunately, this can be a bit tricky since, as mentioned, most providers often go out of their way to inflate the efficiency of their servers when advertising.

Ideally, your hosting provider should be able to guarantee 99.9% uptime without being subject to any unexpected maintenance. To achieve this standard, most reputable hosting providers use strategies such as monitoring the capacity of their servers and creating backup routes to redirect excess traffic.

**Scalability**

Most people who invest their time and money into launching and running a website have the desire to watch it grow over time. So, when shopping for the right WordPress hosting for your site, you want a provider that is in tune with and responsive to this need.

In terms of scalability, the most important thing is to ensure your hosting provider has flexible plans that can conveniently accommodate any site. A reliable web hosting company will be able to suggest the right hosting package for your website and inform you when it is time to upgrade to a new plan to accommodate your site’s growth.

Choosing a WordPress hosting provider can make or break your website. So, if you are looking for a web hosting company to launch your website through, carefully consider whether they meet the criteria discussed above before committing to any purchase.

1.  **Step-by-Step Security Guide for WordPress**
2.  **Do this before granting WordPress admin access**
3.  **Tips for Using Uploader Widgets on WordPress Blogs**
4.  **5 Signs your WordPress Site is Hacked (And How to Fix It)**
5.  **5 WordPress Security Solutions with Free SSL Certificates**

Owais takes care of Hackread's social media from the very first day. At the same time He is pursuing for chartered accountancy and doing part time freelance writing.

What To Look For In The Best WordPress Hosting

The Sidebar Widgets by CodeLights plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the ‘Extra CSS class’ parameter in versions up to, and including, 1.4 due to insufficient input sanitization and output escaping. This makes it possible for authenticated attackers, with administrator-level permissions and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. This only affects multi-site installations and installations where unfiltered_html has been disabled.

*   Details
*   Reviews
*   Development

This plugin has been closed as of December 13, 2022 and is not available for download. This closure is temporary, pending a full review.

CodeLights widgets work with Page Builder by SiteOrigin v2.10.11 onward. CodeLights widgets are not working with SiteOrigin Page Builder version 2.10.0 – 2.10.10

For those who face difficulties after updating SO-Page-Builder: Make use of the Plugin "WP Rollback". After rolling back Page Builder (for example to version 2.9.5) ...everything works fine again! Cheers & Thank you for your excellent work!

hello, this plugin very good but not work in new version of siteorigin.

After the last update of the SiteOrigin Page Builder but unfortunately without function. And from CodeLight since days no reaction...

You can do so much with this bundle to easily create a great user experience. Keep up the great work!

Read all 35 reviews

“Sidebar Widgets by CodeLights” is open source software. The following people have contributed to this plugin.

Contributors

*    Ruslan Suhar

CVE-2022-4619: Sidebar Widgets by CodeLights

Categories: Threat Intelligence
Taking advantage of cost effective and high traffic adult portals, a threat actor is secretly defrauding advertisers by displaying Google ads under the disguise of an XXX page.



(Read more...)




The post Adult popunder campaign used in mainstream ad fraud scheme appeared first on Malwarebytes Labs.

_This blog post was authored by Jérôme Segura_

Online advertising is a multi billion dollar industry with projected spending to reach over 600 billion U.S. dollars for 2022. It's not surprising that criminals are trying their hardest to abuse this ecosystem in any way that they can.

One of the biggest threats and always top of mind for advertisers is bot traffic as it is the equivalent of throwing money down the drain with ads that will never be seen by real eye balls. However, ad fraud is more than bots and in fact, even when traffic is seemingly real, there can still be abuse.

Case in point, we came across a clever ad fraud scheme where a fraudster is running a cost-effective popunder campaign on high-traffic adult websites and then making money via Google Ads. What originally caught our attention was seeing a Google advert on what appeared to be an adult page, as it is strictly against the search giant's acceptable content policy. It turned out to be a clever way to hide a bogus blog loaded with many more ads, most of them hidden behind a fullscreen pornographic iframe.

As unaware visitors trigger the popunder landing page and continue browsing in their other tab, the decoy website is constantly refreshing with new content and of course new ads, generating millions of ad impressions per month.

We reported this invalid traffic and would like to thank Google for quickly shutting down this ad campaign.

**Popunder campaign on top adult sites**

It is no secret that adult websites generate a lot of traffic. Did you know that 3 of the top 20's most visited websites are from the adult industry, the more popular one getting an estimated 2.8 billion monthly visits?

A fraudster has set up an ad campaign with one of the major adult ad networks using an ad format known as a popunder, which is one of the most cost efficient. Depending on the visitor's geolocation and other parameters, the CPM (cost per thousand impressions) can be as low as $0.05.

A popunder is like a 'pop-up' in that it is triggered when a user clicks anywhere on a web page, except that the resulting ad will appear behind the open window. It's also not like a typical banner ad, it's actually an entire page, often referred to as a landing page whose goal is to provide clear and interesting information in order to have a high conversion ratio. Examples of common popunders for the adult industry include online dating services, adult webcams, or simply an adult portal.

At first, it appears that this popunder is simply promoting another adult website called Txxx. But a couple of things don't add up: the page's title and address bar show something completely unrelated and we can see what appears to be a Google ad at the bottom of the page.

The problem is that Google’s advertising policies state that sexually explicit content such as text, image, audio, or video of graphic sexual acts intended to arouse is not allowed. Technically speaking, the adult content is merely an iframe placed on top of a WordPress blog and the ad at the bottom should really have been hidden in the background.

To avoid detection, the code is heavily obfuscated and the iframe is built dynamically:

**SEO-friendly content to place ad banners**

The fraudster is actually deceiving Google by loading legitimate content (i.e. how to fix your plumbing issues) under a fullscreen XXX iframe. Not only that, but the page also refreshes its content at regular intervals, to serve a new article, still hidden behind with the XXX overlay to further monetize on Google Ads. This happens without the user's knowledge since the tab was launched as a popunder.

This is no ordinary landing page, it's actually a full blog with dozens of articles that were stolen from other sites.

*   10-home-heating-tips
*   10-ways-to-style-your-kitchen-countertops-like-a-pro
*   4-main-benefits-of-installing-gutter-protection-systems
*   8-most-common-roof-leak-causes-in-california
*   before-you-plan-to-build-your-own-house-work-out-your-budget
*   build-your-own-home-in-3-days
*   build-your-own-home-in-the-country
*   does-your-home-in-california-need-roof-ventilation
*   homeowner-s-guide-to-the-best-outdoor-lighting
*   how-much-does-a-mortgage-to-build-your-own-house-cost
*   how-much-does-it-cost-to-build-a-new-house-in-los-angeles-area
*   how-snow-and-ice-impact-your-roof
*   how-solar-panels-can-make-your-roof-last-longer
*   how-to-adhere-drywall-to-a-concrete-block
*   how-to-build-modern-dining-room-in-california

On average (when scrolling through the entire page), there are about 5 Google ads and sometimes even video ads which are more lucrative.

**Millions of ad impressions**

Looking at high level metrics (taken from Similarweb) for that one decoy website we see some interesting figures. The total number of visits per month is close to 300K (and doubling based on previous month data). But the more interesting metric is the number of pages viewed per visit, which is over 51.

How can a human actually browse and read 51 articles in an average of 7 minutes and 45 seconds? The answer is simple: they don't. The user is most likely busy minding their own business on the other active tab while the popunder page constantly reloads new articles along with Google Ads. We ran a quick capture of what this looks like based on the ad requests made to Google's servers:

While numbers will vary based on demographics and other settings, we estimate that the page generates an average of 35 ad impressions every minute. If we do the math and multiply the total number of monthly visits (281.9K) and average duration (7:45 min or 465 seconds), we get a total ad impressions of 76,465,375 per month. Calculating the exact revenue made will depend on different factors but with a CPM of $3.50, this scheme could theoretically generate $276,629 a month.

Since these ads are not going to be seen by anyone, we could consider that all those impressions are purely driven by invalid traffic (IVT). This is not typical bot traffic though, because the unwilling participants are real users with genuine IP addresses, cookies and other browser settings. However, there are giveaways such as an unexpectedly high number of pages per visit. For comparison, the most popular adult site has an average of 9 pages and 9 minutes per visit.

There is one more twist to this ad fraud scheme that comes in the form of clickjacking. Once a user gets the tab into focus (it was a popunder), suddenly the page rotation stops and what the user sees is what looks like another adult website (the iframe). A click anywhere on the page (the user may want to select one of the thumbnails and watch a specific video) triggers a real click on a Google ad instead.

Based on the previous stats, the popunder quietly cycles through blogs and ads for an average of 7 minutes and 45 seconds before the user either closes that tab or clicks on the page which would increase the advertiser's cost-per-click (CPC).

**(Fake) real news sites**

The decoy site used fairly complex and obfuscated code to defraud Google which likely was not developed for a one-off. We wrote a signature based on a string of text that stood out called 'povtor' and ran a retrohunt search on VirusTotal. Povtor is Russian for 'repeat' which aligns with our understanding of the threat actor likely being Russian.

The retrohunt search returned a number of hits for sites that had something in common: news portals registered on previously expired domains. While we have seen influence campaigns before, pushing only biased news stories for a certain political party, we don't believe this is the case here. The news articles look balanced and real which would indicate another motive.

This is again the same modus operandi of grabbing content from various places and creating SEO-friendly sites for advertising purposes. It does not appear that this particular scheme with the news sites was extremely successful though.

**Content may be king, except when stolen**

Fraudsters will continuously look for ways to make money online, with minimal effort required. Leveraging adult traffic ensures large volume and cost-efficient campaigns thanks to the pop-under format which is perfectly suited for running a landing page that will stay open for several minutes until the user closes it.

Visitors are not genuinely going to the website and can't even see ads that are masked by a full page iframe. However, those users are not bots and they have the correct browser settings and networking attributes, possibly making it harder to identify the invalid traffic.

Had it not been for a Google ad displayed at the bottom of the page (all other ads were hidden behind the XXX iframe), we likely would not have detected this fraudulent scheme. Even with web traffic analysis, the presence of an iframe does not clearly standout when all other content appears to be genuine.

Perhaps the content itself may be where security models will work best. It would be unlikely for a fraudster to write a hundred blog articles by themselves; it would make more sense at least to hire a third-party to produce that amount of content. This is why detecting duplicates and identifying copycat sites may yield good results from phishing pages to bogus blackhat SEO websites.

After our reporting to Google, we confirmed that the website was no longer loading ads, and instead showed blank iframes.

Adult popunder campaign used in mainstream ad fraud scheme

The External Media WordPress plugin before 1.0.36 does not sanitise and escape some of its settings, which could allow high privilege users such as admin to perform Stored Cross-Site Scripting attacks even when the unfiltered_html capability is disallowed (for example in multisite setup).

CVE-2022-3832

The Easy Video Player WordPress plugin before 1.2.2.3 does not sanitize and escapes some parameters, which could allow users with a role as low as Contributor to perform Cross-Site Scripting attacks.

CVE-2022-3937

The Directorist WordPress plugin before 7.4.4 does not prevent users with low privileges (like subscribers) from accessing sensitive system information.

Tag

#wordpress