Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in RD Station plugin <= 5.1.3 at WordPress.

*   Details
*   Reviews
*   Installation
*   Support
*   Development

Hello! This is the most practical way to integrate RD Station Marketing with your WordPress site.

It automatically activates the RD Station Marketing tracking code in your WordPress pages, enabling features such as Lead Tracking and Pop ups. It also integrates the contact forms that capture Leads that convert in your website forms directly to RD Station Marketing.

More info about the version 5.0.0: https://ajuda.rdstation.com.br/hc/pt-br/articles/360054981272

Compatible with the following forms:

*   Contact Form 7
*   Gravity Forms
*   WooCommerce (only available for the checkout form)
*   Custom Scripts: you can also add custom integrations scripts in every single page or post you want.

Features:

*   Forms Integrations
*   Tracking code
*   As many integrations as you want
*   RD Station Marketing popups

A configuração do plugin é muito simples, ele já detectou automaticamente um formulário customizado que foi criado sem o uso de outros plugins e já integrou ele ao sistema do RD Station. Usando o Woocommerce ele captura todo processo que o usuário percorre para efetuar uma compra.

Achei muito restrito a dois tipos de formulários. Estou usando OptinMonster que foi pago a U$300 e simplesmente não terei o que fazer com ele. Isto me chocou. Espero que avancem neste quesito.

Olá Felipe, você tem alguma previsão para integração do plugin com o Form Craft 3?

Adicionei este plugin ao meu site para poder fazer a conexão diretamente a partir dos meus formulários em Contact Form 7. O plugin faz com que o formulário entre em looping infinito (a seta embaixo depois que você aperta botão de submit). Pelo que percebi isso aconteceu depois o último update para a versão 2.1. Uma lástima. Plugin mal testado me fez perder um tempo enorme.

Read all 5 reviews

“RD Station” is open source software. The following people have contributed to this plugin.

Contributors

*    filipenasc

**5.1.3**

*   Fixing a bug in sending legal bases using Gravity Forms

**5.1.2**

*   Update constant names

**5.1.1**

*   Removing refresh token error from Log Screen and adding clear log button
*   Fix error in the integration with advanced fields Gravity Forms
*   More info about the version 5.1.1: https://ajuda.rdstation.com.br/hc/pt-br/articles/360054981272

**5.1.0**

*   Log Screen

**5.0.5**

*   Adding products to WooCommerce mapping fields list

**5.0.4**

*   Sending drop-down menu from Contact Forms 7 as single text when Allow multiple selections aren’t checked
*   Fixing invalid data type errors

**5.0.3**

*   Sending drop-down menu from Contact Forms 7 as single text when Allow multiple selections aren’t checked
*   Fixing refresh token error

**5.0.2**

*   Adding company fields to the field mapping list

**5.0.1**

*   Fixing problem with corrupted files in version 5.0.0

**5.0**

*   Mapping fields RD Station
*   API v2 RD Station

**4.0**

*   One-click RD Station integration
*   Add tracking code, popups and new forms integrations

**3.2**

*   Add new translation keys

**3.0**

*   WooCommerce integration

**2.4**

*   Add custom scripts support

**2.3.1**

*   Ignore captcha fields

**2.3**

*   Update RD Station endpoint
*   Improve field mapping of Contact Form 7

**2.2**

*   Check post meta before saving the post

**2.0**

*   Gravity Forms field mapping

**1.1**

*   Add form\_origem field

**1.0**

*   Gravity Forms and Contact Form 7 support.

CVE-2022-38139: RD Station

Categories: News
Tags: BackupBuddy

Tags:  WordPress

Tags:  vulnerability

Tags:  exploit

Tags:  hack

Tags:  compromise

Tags:  update

We take a look at a vulnerability in popular WordPress plugin BackupBuddy, and the steps you need to take to fix it.



(Read more...)




The post BackupBuddy WordPress plugin vulnerable to exploitation, update now! appeared first on Malwarebytes Labs.

Users of WordPress may need to perform an urgent update related to the popular BackupBuddy plugin. BackupBuddy is a plugin which offers backup solutions designed to combat “hacks, malware, user error, deleted files, and running bad commands”. Unfortunately, running an older version of BackupBuddy could leave your site open to potential breaches. According to Security Week, the issue tagged as CVE-2022-31474 is down to an “insecure method of downloading the backups for local storing”. This results in people being able to grab files from the server without having been properly authenticated first.

**Traversing a WordPress installation**

The vulnerability is listed as a “Directory Traversal Vulnerability”, and affects users running BackupBuddy from version 8.5.8.0 up to 8.7.4.1. The developers make the following observations:

*   Using this vulnerability, attackers can view the contents of any file on your server which is readable by the WordPress installation. Sensitive files could be made available to the attackers, which is not something you’d want to happen.
*   The vulnerability is being actively exploited in the wild. Sometimes you get lucky and find that something has been patched before anyone can make use of it. This isn’t the case here, sadly.
*   The developers have made the security update available to anybody running BackupBuddy, regardless of version. No matter which licence you’re using, you can apply the fix. In theory, there is no need for anyone, anywhere to be running a vulnerable installation with the fix available to install.

**Next steps to take for BackupBuddy users**

*   Backup to version 8.7.5 right away. You should be doing this whether or not you’re concerned by the above security issue. Old versions of products frequently fall victim to additional security issues over time, especially if they’re no longer maintained.
*   Reset your database password if you suspect there’s been a compromise of your WordPress installation.
*   Change your WordPress salts. These are tools at your disposal used to help keep passwords for your site secure.
*   Reset and update anything else not for public consumption in your wp-config.php, for example stored API keys for other services.

**The risks of not updating your site and plugins**

WordPress is an immensely popular target for people fully invested in site compromise. Hijacked sites can be used for SEO poisoning, redirecting to malicious sites, spam, malware installation, phishing, and more.

If you’re running BackupBuddy, go and check your current version and update right away. Once that’s done, it would be wise to ensure everything else on your WordPress installation is fully up to date too. Let’s not make it easy for those up to no good: It won’t help your business, or the people who make use of your site.

BackupBuddy WordPress plugin vulnerable to exploitation, update now!

Broken Access Control vulnerability in Dean Oakley's Photospace Gallery plugin <= 2.3.5 at WordPress allows users with subscriber or higher role to change plugin settings.

*   Details
*   Reviews
*   Support
*   Development

**Description**

This plugin has been closed as of September 12, 2022 and is not available for download. This closure is temporary, pending a full review.

**Reviews**

All I get is a page with full-size images beneath each other.

Check it out http://moroccanlegacy.ca/new/gallery/

Read all 13 reviews

**Contributors & Developers**

CVE-2022-38135: Photospace Gallery

Project mission is to crowdsource the indexing and curating of plugin bug data

Adam Bannister 12 September 2022 at 11:04 UTC

Project mission is to crowdsource the indexing and curating of plugin bug data

An open source project designed to help security researchers fingerprint WordPress Plugins is seeking feedback and contributors.

Currently in beta mode, WPHash is a free-to-use web service that helps security professionals identify installed plugins and whether they contain security vulnerabilities.

To this end, it indexes 75 million SHA256 hashes for WordPress plugins – covering the vast majority available on the WordPress marketplace, along with their various versions.

The project mission is “to crowd-source the indexing and curating of WordPress plugin vulnerability data”.

**Enumeration and fingerprinting**

“WPHash’s main purpose is to provide security researchers with additional tooling in the form of a web service, which helps them in the enumeration and fingerprinting of installed WordPress plugins,” Dave Miller, WPHash architect and security engineer at Swiss IT security company Cyllective, tells The Daily Swig.

The WPHash website comprises an alphabetical index of hashes, a search function for this index, an experimental OpenAPI spec for looking up hashes and filepaths, and FAQs. Both original and normalized SHA256 checksums are indexed.

Catch up with the latest WordPress security news

“Researchers can query WPHash for known filepaths of the plugin they’re after,” says Miller. “Then, they request these filepaths on the target and calculate the SHA256 hash, which they then use to lookup plugin metadata on WPHash. This process allows them to determine exact plugin versions, and with further investigation determine if the plugin is vulnerable.”

Indexed vulnerabilities can be queried via WPHash or in researchers’ own tooling by using the raw data available on the WPHash GitHub repo.

Miller has said on Reddit that WPHash is not intended to be a direct competitor to Automattic WordPress security scanner WPScan, whose vulnerability data and tooling he concedes is currently “more curated and more complete”.

Nevertheless, WPScan fulfils Miller’s preference for freely accessing crowdsourced vulnerability information “in my own tooling without being stuck with API rate limits”.

**Call for contributors**

The scope of future development for WPHash partly hinges on the level of community support Miller can attract. At the very least, he is “dedicated to keep operating WPHash for free and try to keep improving both the REST API as well as the data behind it”.

A number of retweets on Twitter and upvotes on Reddit have signalled support for the project, suggests Miller, who hopes to enlist some co-contributors from the open source community “once people start playing around with WPHash and its data. I think I need to make it easier and start writing contribution guides to get more people involved.”

Anyone who wishes to contribute, field questions, or offer feedback to WPHash can do so by contacting Miller via his Twitter account.

Cyllective, which published a blog post documenting its research into plugin vulnerabilities in May, is sponsoring the project.

RECOMMENDED Graph-based JavaScript bug scanner discovers more than 100 zero-day vulnerabilities in Node.js libraries

WordPress project WPHash harvests 75 million hashes for detecting vulnerable plugins

Server-Side Request Forgery (SSRF) vulnerability in Rank Math SEO plugin <= 1.0.95 at WordPress.

**Rank Math SEO plugin vulnerable to Server-Side Request Forgery**

Critical severity GitHub Reviewed Published Sep 10, 2022 • Updated Sep 16, 2022

GHSA-j95r-86hx-xwxg: Rank Math SEO plugin vulnerable to Server-Side Request Forgery

The critical flaw in BackupBuddy is one of thousands of security issues reported in recent years in products that WordPress sites use to extend functionality.

Attackers are actively exploiting a critical vulnerability in BackupBuddy, a WordPress plug-in that an estimated 140,000 websites are using to back up their installations.

The vulnerability allows attackers to read and download arbitrary files from affected websites, including those containing configuration information and sensitive data such as passwords that can be used for further compromise.

WordPress security vendor Wordfence reported observing attacks targeting the flaw beginning Aug. 26, and said it has blocked close to 5 million attacks since then. The plug-in's developer, iThemes, issued a patch for the flaw on Sept. 2, more than one week after the attacks began. That raises the possibility that at least some WordPress sites using the software were compromised before a fix became available for the vulnerability.

**A Directory Traversal Bug**

In a statement on its website, iThemes described the directory traversal vulnerability as impacting websites running BackupBuddy versions 8.5.8.0 through 8.7.4.1. It urged users of the plug-in to immediately update to BackupBuddy version 8.75, even if they are not currently using a vulnerable version of the plug-in.

"This vulnerability could allow an attacker to view the contents of any file on your server that can be read by your WordPress installation," the plug-in maker warned.

iThemes' alerts provided guidance on how site operators can determine if their website has been compromised and steps they can take to restore security. These measures included resetting the database password, changing their WordPress salts, and rotating API keys and other secrets in their site-configuration file.

Wordfence said it had seen attackers using the flaw to try to retrieve "sensitive files such as the /wp-config.php and /etc/passwd file which can be used to further compromise a victim."

**WordPress Plug-in Security: An Endemic Problem**

The BackupBuddy flaw is just one of thousands of flaws that have been disclosed in WordPress environments — almost all of them involving plug-ins — in recent years.

In a report earlier this year, iThemes said it identified a total of 1,628 disclosed WordPress vulnerabilities in 2021 -- and more than 97% of them impacted plug-ins. Nearly half (47.1%) were rated as being of high to critical severity. And troublingly, 23.2% of vulnerable plug-in had no known fix.

A quick scan of the National Vulnerability Database (NVD) by Dark Reading showed that several dozen vulnerabilities impacting WordPress sites have been disclosed so far in the first week of September alone.

Vulnerable plug-ins are not the only concern for WordPress sites; malicious plug-ins are another issue. A large-scale study of over 400,000 websites that researchers at the Georgia Institute of Technology conducted uncovered a staggering 47,337 malicious plug-ins installed on 24,931 websites, most of them still active.

Sounil Yu, CISO at JupiterOne, says the risks inherent in WordPress environments are like those present in any environment that leverages plug-ins, integrations, and third-party applications to extend functionality.

"As with smartphones, such third-party components extend the capabilities of the core product, but they are also problematic for security teams because they significantly increase the attack surface of the core product," he explains, adding that vetting these products is also challenging because of their sheer number and lack of clear provenance.

"Security teams have rudimentary approaches, most often giving a cursory look at what I call the three Ps: popularity, purpose, and permissions," Yu notes. "Similar to app stores managed by Apple and Google, more vetting needs to be done by the marketplaces to ensure that malicious \[plug-ins, integrations, and third-party apps\] do not create problems for their customers," he notes.

Another problem is that while WordPress is widely used, it often is managed by marketing or Web-design professionals and not IT or security professionals, says Bud Broomhead, CEO at Viakoo.

"Installing is easy and removing is an afterthought or never done," Broomhead tells Dark Reading. "Just like the attack surface has shifted to IoT/OT/ICS, threat actors aim for systems not managed by IT, especially ones that are widely used like WordPress."

Broomhead adds, "Even with WordPress issuing alerts about plug-ins being vulnerabilities, other priorities than security may delay the removal of malicious plug-ins."

Attackers Exploit Zero-Day WordPress Plug-in Vulnerability in BackupBuddy

Issue present in pingback requests feature

Issue present in pingback requests feature

  

Researchers have gone public with a six-year-old blind server-side request forgery (SSRF) vulnerability in a WordPress Core feature that could enable distributed denial-of-service (DDoS) attacks.

In a blog post published this week (September 6), Sonar researchers detailed how they were able to exploit a vulnerability in the pingback requests feature within WordPress.

The vulnerability first surfaced in 2017, yet remains unpatched.

**Pingback problem**

Pingback requests allow WordPress authors to be notified when another website links to their blog.

The pingback functionality is exposed on the XMLRPC API, which can be accessed through the file. Using this method, other blogs can announce pingbacks.

Read more of the latest news about web security vulnerabilities

This feature could enable attackers to perform DDoS attacks by maliciously asking thousands of blogs to check for pingbacks on a single victim server, Sonar researchers explained.

Although pingbacks can be turned off via a checkbox, they are still enabled by default on WordPress instances.

It’s worth noting, the researchers pointed out, that they “couldn’t generically identify ways to leverage this behavior to take over vulnerable instances without relying on other vulnerable services”.

Rather, the bug could ease the exploitation of other vulnerabilities in the affected organization’s internal network.

**Bypassing restrictions**

Thomas Chauchefoin, vulnerability researcher at Sonar and author of the blog, told The Daily Swig: “In 2012, the risks around the pingback feature started to be known, and the WordPress maintainers introduced restrictions on the destination of such requests: they would be limited to a restricted set of ports, only public IP addresses, etc.

“In essence, our finding allows getting around some of these restrictions and targeting hosts from the local network. Attackers could use it to send requests to hosts that wouldn’t have been reachable otherwise, for instance, to exploit a vulnerability in internal services.”

He added: “This bug is in the lineage of most CVEs related to pingbacks, but the oldest indicator of a researcher documenting how to get around this specific restriction is from 2017.”

DON’T MISS WordPress warning: 140k BackupBuddy installations on alert over file-read exploitation

SonarSource researchers disclosed the issue to WordPress on January 21. It was acknowledged as a duplicate bug, according to Sonar, which was reported to the WordPress team in January 2017.

Chauchefoin added: “We reported the vulnerability on January 21 through the official channels, with a pretty standard 90-day disclosure policy. After agreeing to a 30-day extension period, we reviewed a first patch still waiting to be merged upstream. Our publication occurs 228 after our initial report.”

A WordPress Security Team spokesperson told The Daily Swig: “As identified in the Sonar blog post, this is a low-impact issue and exploiting it requires ‘\[chaining\] it to additional vulnerabilities in third-party software’.

“As such, the Security Team considers the issue a low priority.”

They added: “Because of its low severity, the team is discussing whether this issue could be fixed in public as a general hardening measure.”

**Mitigation advice**

WordPress told The Daily Swig that exploiting the bug requires “vulnerabilities in multiple systems outside of WordPress”, but that it recommends website owners always use the DNS servers provided by their hosting provider.

They added: “For the pingbacks, users can turn off pingbacks. The XMLRPC endpoint will only make the HTTP requests (detailed in the Sonar blog post) if pingbacks are open for the post being pinged.

“Website owners can (a) turn off pingbacks globally using the code snippet provided in the original post and/or (b) turn off pingbacks for their blog posts.”

Chauchefoin added: “Going public with unpatched bugs is exceptional for us and was a carefully considered decision. As we had proof that our finding collided with previous public work and that it would require significant work to weaponize against real-world environments, we believe that withholding details any longer would only disadvantage defenders.

“We would like to salute the efforts of the WordPress maintainers; even if we couldn't reach the best outcome possible, backporting fixes for the software behind 40% of all websites is not trivial!”

**Previous pingback issue**

Another vulnerability in the pingback requests feature that allowed DDoS attacks was fixed by WordPress core in 2012.

The issue, reported by Acunetix, could be abused in multiple ways, researchers reported, and was fixed “as a public hardening ticket” in WordPress Core version shortly after discovery.

RECOMMENDED Vendor disputes seriousness of firewall plugin RCE flaw

Six-year-old blind SSRF vulnerability in WordPress Core feature could enable DDoS attacks

Authenticated (subscriber+) Plugin Setting change vulnerability in WP Shamsi plugin <= 4.1.1 at WordPress.

CVE-2022-38058

Multiple Cross-Site Request Forgery (CSRF) vulnerabilities in All in One SEO plugin <= 4.2.3.1 at WordPress.

**Solution**

Update the WordPress All In One SEO Pack plugin to the latest available version (at least 4.2.4).

Rafie Muhammad (Patchstack) discovered and reported this Cross Site Request Forgery (CSRF) vulnerability in WordPress All In One SEO Pack Plugin. This could allow a malicious actor to force higher privileged users to execute unwanted actions under their current authentication. For example a password change which will then allow the malicious actor to login into the admin account. This vulnerability has been fixed in version 4.2.4.

**11 other known vulnerabilities for this plugin**To plugin page

**Report to Patchstack Alliance bounty platform and earn monthly cash prizes.**

Learn more

Tag

#wordpress