Six disclosures this week, with three issues unfixed.
View this week’s vulnerable plugin list.
One of the disclosures is actually from last week; I intended to include it then but forgot. I want to bring attention to it because it highlights how vulnerabilities can be, and often are, stacked. Wordfence recently wrote about how attackers are targeting fresh WordPress installs, and followed up with a post on how attackers are finding new sites faster than ever before. How? The University of Missouri routinely uses sites and services such as crt.sh to watch for new SSL certificates issued for our organization, and sites such as domainpunch.com to monitor domains being registered with one of our trademarks. Attackers have access to these same tools and watch for new domains too. They can then target those sites and try to complete the installation process before the site owner does, because a WordPress install that has not yet been finished will let whoever reaches it first pick the database settings and the administrator account.

But how can this same attack vector be used against an existing site? That is exactly how the researcher behind last week's WooCommerce Extra Product Options plugin disclosure approached it. By looking for (and finding) an arbitrary file deletion vulnerability, he can delete the wp-config.php file, which makes WordPress fall back to its set-up stage as if the site had never been installed, and from there he can take over the site. I strongly encourage you to read his post.
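As an added illustration of the monitoring described above (this is not code from the author's team, from Wordfence, or from the researcher's post), the following Python watches a crt.sh result for hostnames under an organization's domain that have not been seen before and flags any that answer like a WordPress installer rather than a finished site. The crt.sh field names (`name_value` holding newline-separated SANs, `not_before` as an ISO timestamp) match crt.sh's JSON output; the certificate entries, hostnames under example.edu and HTML bodies are constructed sample data, and the installer markers (the `setup-config.php` link WordPress offers when wp-config.php is missing, and the `wp-admin/install.php` page it redirects to when the install never ran) are heuristics, not a guarantee.

```python
"""Flag newly certified hostnames that expose the WordPress installer.

Added example, not the original post's code. Assumes crt.sh's JSON shape and
WordPress's installer page titles/links; all sample data below is constructed.
"""
import json
import re
import urllib.request

# Constructed stand-in for https://crt.sh/?q=%25.example.edu&output=json
SAMPLE_CRTSH_JSON = json.dumps([
    {"id": 1, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "name_value": "www.example.edu\nexample.edu", "not_before": "2017-07-10T12:00:00"},
    {"id": 2, "issuer_name": "C=US, O=Let's Encrypt, CN=Let's Encrypt Authority X3",
     "name_value": "newblog.example.edu", "not_before": "2017-07-18T08:15:00"},
    {"id": 3, "issuer_name": "C=US, O=Example CA",
     "name_value": "*.example.edu", "not_before": "2017-07-18T09:00:00"},
])

# Constructed page bodies: what a site with no wp-config.php shows, and a normal site.
SAMPLE_FRESH_BODY = (
    "<html><head><title>WordPress &rsaquo; Setup Configuration File</title></head>"
    "<body><p>There doesn't seem to be a <code>wp-config.php</code> file.</p>"
    '<p><a href="wp-admin/setup-config.php" class="button">Create a Configuration File</a></p>'
    "</body></html>"
)
SAMPLE_LIVE_BODY = "<html><head><title>Example Blog</title></head><body><p>Hello world!</p></body></html>"


def new_hosts(crtsh_json_text, known_hosts, since=None):
    """Hostnames in a crt.sh JSON result that are not in known_hosts.

    `since` is an optional ISO timestamp string; entries issued at or before it
    are skipped (ISO timestamps compare correctly as plain strings)."""
    found = set()
    for entry in json.loads(crtsh_json_text):
        if since is not None and entry["not_before"][:19] <= since:
            continue
        for name in entry["name_value"].split("\n"):
            name = name.strip().lower()
            if name and name not in known_hosts:
                found.add(name)
    return found


def probeable(host):
    """A wildcard name cannot be fetched directly; report it for a manual look."""
    return not host.startswith("*.")


# Page titles WordPress uses for the two installer stages (assumed markers).
_INSTALLER_TITLES = ("WordPress &rsaquo; Setup Configuration File", "WordPress &rsaquo; Installation")
_INSTALLER_PATHS = ("/wp-admin/setup-config.php", "/wp-admin/install.php")


def looks_like_unfinished_install(final_url, body):
    """Heuristic: True if the response is the WordPress installer, not a finished site."""
    if any(path in final_url for path in _INSTALLER_PATHS):
        return True  # we were redirected into the installer
    if "wp-admin/setup-config.php" in body:
        return True  # the "Create a Configuration File" button (wp-config.php missing)
    match = re.search(r"<title>(.*?)</title>", body, re.IGNORECASE | re.DOTALL)
    title = match.group(1).strip() if match else ""
    return any(marker in title for marker in _INSTALLER_TITLES)


def probe(host, timeout=10):
    """Live network check of https://host/; the offline demo injects a fake instead."""
    req = urllib.request.Request("https://%s/" % host, headers={"User-Agent": "wp-install-watch"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return looks_like_unfinished_install(resp.geturl(), resp.read().decode("utf-8", "replace"))


def report(crtsh_json_text, known_hosts, fetch=probe, since=None):
    """Map each new host to True/False (installer exposed?) or a status string."""
    result = {}
    for host in sorted(new_hosts(crtsh_json_text, known_hosts, since)):
        if not probeable(host):
            result[host] = "wildcard: check manually"
            continue
        try:
            result[host] = fetch(host)
        except Exception as exc:  # DNS not live yet, TLS error, timeout ...
            result[host] = "error: %s" % exc
    return result


if __name__ == "__main__":
    # Offline demo: pretend every new host answers with the setup-config page.
    fake_fetch = lambda host: looks_like_unfinished_install("https://%s/" % host, SAMPLE_FRESH_BODY)
    for host, status in report(SAMPLE_CRTSH_JSON, {"www.example.edu", "example.edu"}, fetch=fake_fetch).items():
        print("%-25s %s" % (host, status))
```

Run on a schedule with the hosts you already know about persisted between runs, a `True` result is the window the Wordfence posts describe: the site is reachable, certified, and still waiting for someone to finish the install. The same check also catches the stacked case above, since a site whose wp-config.php has just been deleted answers exactly like a fresh install.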
In a similar vein, the researcher behind several disclosures back in April has written up how he approached multiple WordPress plugins and found vulnerabilities in them. Again, if security research is of interest to you, I highly recommend you read his post.
Other Security News
For those of you who may be using or supporting phpBB, make sure you are on the latest version (3.2.1, released July 17, 2017), as the details of the Server-Side Request Forgery vulnerability were publicly disclosed today.