3 Zero-Day Plugin Vulnerabilities Being Exploited In The Wild
As part of our site cleaning service, our security analysts track down the method the attacker used to compromise the site. Often this involves quite a bit of investigative work, and recently it led us to find 0-day exploits in three separate plugins. The exploits were elusive: a malicious file seemed to appear out of nowhere, and even sites with access logs only showed a POST request to /wp-admin/admin-ajax.php at the time the file was created. But we captured the attacks in our threat data, and our lead developer Matt Barry was able to reconstruct the exploits. We quickly pushed new WAF rules to block these exploits. Premium customers received the new rules and were protected immediately. We also notified the plugin authors; all three have published updates to fix the vulnerabilities.
PHP Object Injection Vulnerability Severity 9.8 (Critical) in Appointments, RegistrationMagic-Custom Registration Forms, and Flickr Gallery
Affected plugins and versions:
- Appointments by WPMU Dev (fixed in 2.2.2)
- Flickr Gallery by Dan Coulter (fixed in 1.5.3)
- RegistrationMagic-Custom Registration Forms by CMSHelpLive (fixed in 126.96.36.199)
This vulnerability allowed attackers to cause a vulnerable website to fetch a remote file (a PHP backdoor) and save it to a location of their choice. It required no authentication or elevated privileges. For sites running Flickr Gallery, the attackers only had to send the exploit as a POST request to the site’s root URL. For the other two plugins, the request would go to admin-ajax.php. If the attacker was able to access their backdoor, they could completely take over the vulnerable site.
CVSS Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
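As an added example (not code from the Wordfence post or from any of the three plugins), the following Python scanner flags POST parameters that carry serialized PHP objects, the payload shape behind this vulnerability class, including objects nested inside arrays or wrapped in base64. The request bodies and the class name Acme_Download_Task are constructed for the demo and do not refer to a real gadget.

```python
import base64
import re
from urllib.parse import parse_qs, urlencode

# Header of a serialized PHP object: O:<name length>:"<class name>":<property count>:{
# A backslash is allowed because namespaced class names serialize with one.
OBJECT_HEADER = re.compile(r'O:\d+:"([A-Za-z0-9_\\]+)":\d+:\{')


def serialized_classes(value):
    """Class names of every object (top level or nested) found in a serialized PHP string."""
    return OBJECT_HEADER.findall(value)


def maybe_base64(value):
    """Decode a value that looks base64-encoded (payloads are often wrapped that way), else None."""
    if len(value) % 4 or not re.fullmatch(r'[A-Za-z0-9+/]+=*', value):
        return None
    try:
        return base64.b64decode(value, validate=True).decode('latin-1')
    except ValueError:
        return None


def scan_post_body(body):
    """Return [(parameter, [class names])] for each POST parameter carrying a serialized PHP object."""
    findings = []
    for name, values in parse_qs(body, keep_blank_values=True).items():
        for v in values:
            classes = serialized_classes(v)
            decoded = maybe_base64(v)
            if decoded:
                classes += serialized_classes(decoded)
            if classes:
                findings.append((name, classes))
    return findings


# Constructed sample bodies, as they would arrive at /wp-admin/admin-ajax.php (class name is fictional).
INJECTION_BODY = urlencode({
    "action": "acme_save",
    "data": 'O:18:"Acme_Download_Task":2:{s:3:"url";s:28:"http://example.invalid/b.php";s:4:"path";s:10:"/tmp/x.php";}',
})
NESTED_BODY = urlencode({"data": 'a:1:{i:0;O:18:"Acme_Download_Task":0:{}}'})
WRAPPED_BODY = urlencode({"data": base64.b64encode(b'O:18:"Acme_Download_Task":0:{}').decode()})
BENIGN_BODY = urlencode({"action": "heartbeat", "data": 's:5:"hello";'})  # a serialized string, no object

if __name__ == "__main__":
    for label, body in [("injection", INJECTION_BODY), ("nested", NESTED_BODY), ("wrapped", WRAPPED_BODY), ("benign", BENIGN_BODY)]:
        print(label, scan_post_body(body))
```

Serialized strings, integers and arrays without objects are not flagged, so the rule keys on the object header that a deserialization gadget needs rather than on serialization in general.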
What To Do
If you are running the Premium version of Wordfence and have the firewall enabled, our new firewall rules are already protecting you. Free users of Wordfence and paid users who have the Wordfence firewall disabled and are running these plugins should update to the most recent versions immediately.
Thanks a lot to the Wordfence team! My site Freunde.one was affected as well and I use the RegistrationMagic plugin there. The issue happened two times in one week! I lost a lot of time fixing the issue.
Thanks for the info
Thanks for helping me sleep better at night.
I am a little confused. Your article is dated today, Oct 2 2017, and even though my copy of Wordfence says it is up to date with v6.3.19, my plugin details page shows the last update was 2 weeks ago. Am I missing something?
I try to keep things up to date on all my websites that run Wordfence and while I am not running any of the listed plugins here, seeing something that is out of whack makes me curious.
Hi Ron, firewall rule updates are delivered via the Threat Defense Feed and do not require a Wordfence plugin update. Since you're not running any of the plugins listed, you don't need to take any action.