Episode 81: Critical Vulnerability Exposes over 700,000 Sites Using Divi, Extra, and Divi Builder
Our Threat Intelligence team disclosed numerous vulnerabilities this week, including a critical vulnerability in the Divi and Extra themes as well as the Divi Builder plugin. In total, this vulnerability affected over 700,000 sites. A vulnerability found in The Official Facebook Chat Plugin created a vector for social engineering attacks as it allowed an attacker to pose as a site owner via chat. Object Injection vulnerabilities discovered in the Newsletter plugin affected over 300,000 sites. We also look at the charges brought against 3 people in connection with the recent Twitter hack. The WordCamp US organizing team made the difficult decision to cancel WCUS this year amid online event fatigue.
Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:13 Critical Vulnerability Exposes over 700,000 Sites using Divi, Extra, and Divi Builder
2:10 The Official Facebook Chat Plugin Created Vector for Social Engineering Attacks
4:00 Newsletter Plugin Vulnerabilities Affect Over 300,000 Sites
5:33 Three Suspects Charged for Roles in Twitter Hack, Bitcoin Scam
6:44 WordCamp US 2020 Canceled Due to Pandemic Stress and Online Event Fatigue
8:03 Upcoming in WordPress 5.5: Features and Changes Theme Authors Should Know About
Episode 81 Transcript
Hey everyone. It’s Scott from Wordfence. This is Think Like a Hacker, the weekly podcast about WordPress, security, and innovation. Let’s take a look at the news.
First up is the critical vulnerability that exposed over 700,000 sites using the Divi and Extra themes, as well as the Divi Builder plugin. On July 23rd, our Threat Intelligence team discovered the critical vulnerability in the two themes and the Divi Builder WordPress plugin. We began by verifying at the time that our current firewall rules already provided protection against the exploits. Between the themes and Divi Builder plugin, over 700,000 combined sites were exposed to a flaw that gave authenticated attackers with contributor or above level capabilities the ability to upload arbitrary files, including PHP files.
Now, unfortunately the vulnerability could also allow remote attackers to achieve remote code execution on the vulnerable site’s server, which could then lead to a complete site takeover. The flaw was caused by a missing server-side verification check, and the core of the problematic code could be found within the import function in the builder’s portability PHP file. Our team then reached out to Elegant Themes about the vulnerability on July 23rd, and a patch was released in version 4.5.3 for all products on August 3rd, which fixed the vulnerability.
Now, for anyone who is using either of these two themes, or the Divi Builder plugin, we recommend updating to the latest version as soon as possible. The newly released patch prevents all files except JSON files from being uploaded, and it also ensures that files will be sufficiently deleted at any stage of the process once they’re no longer being used. If you’re using Wordfence right now, either free or premium, you’re protected from arbitrary code execution like this with the built-in malicious file upload protection, so you don’t have to worry, but we still do recommend updating the plugin as soon as you can.
Our second story of the day involves a vulnerability in the official Facebook Chat plugin. Our Threat Intelligence team discovered this vulnerability towards the end of June. The plugin, which is installed on over 80,000 sites, had a flaw that made it possible for low-level authenticated attackers to connect their own Facebook [messenger account] to a site’s chat and engage in chats with site visitors on the affected sites.
So to give you an idea of what this plugin does, the Facebook Chat plugin adds a chat popup functionality that allows a site owner to connect their Facebook [account] to interact with site visitors or potential customers. When exploited, attackers could then route that chat functionality to their own Facebook page. This was exploited through an AJAX action that had no capability check to verify that a request was coming from an authenticated administrator. The nonce that was used for Cross-Site Request Forgery (CSRF) protection was easily discoverable in the source code of any wp-admin dashboard.
So this is an example of social engineering with attempts to exploit weakness in humans through social interactions. We inherently want to trust others and if we’re not that versed in ways to keep ourselves safe on the internet, then we can all be vulnerable to these types of scams. This vulnerability was discovered by Wordfence on June 26th, and then a short time later, a firewall rule was tested and released for premium subscribers. About a month later on June 28th, a sufficient patch was released for the plugin in version 1.6. We took a look at how a vulnerability like this could be exploited in this past week’s Office Hours stream, so you can head over to the Wordfence YouTube channel and take a look at that. And we also go over some other best security practices to keep you safe.
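The two flaws described above (the Divi import path that accepted non-JSON uploads, and the Facebook Chat AJAX action with no capability check and a nonce any logged-in user could read) come down to the same missing server-side checks. The following is an added illustration, not code from Wordfence, Elegant Themes or the Facebook Chat plugin: a hypothetical pair of admin-ajax.php handlers that gate a site-wide setting behind a capability check and an action-specific nonce, and accept an import upload only if it is JSON, deleting the temporary file either way. The `example_*` function, option and action names are invented; the WordPress functions they call are real.

```php
<?php
/*
 * Added example (hypothetical plugin code). Two admin-ajax.php actions:
 *   (a) example_save_chat_page: changes which page the site chat connects to,
 *       so it must be restricted to administrators (the chat-plugin issue).
 *   (b) example_import_layout: accepts a layout import only as JSON and
 *       removes the uploaded temp file whatever happens (the Divi fix).
 */

add_action( 'wp_ajax_example_save_chat_page', 'example_save_chat_page' );
add_action( 'wp_ajax_example_import_layout', 'example_import_layout' );

// Shared gate: every privileged AJAX action must pass both checks.
function example_require_admin_request( $nonce_action ) {
    // Any logged-in account can reach admin-ajax.php, so the capability
    // check is what keeps subscriber/contributor accounts out; a nonce alone
    // does not, because nonces only prove the request came from the site.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient permissions', 403 );
    }
    // A nonce scoped to this one action. A generic nonce printed into every
    // dashboard page would be readable by any authenticated user.
    check_ajax_referer( $nonce_action, 'nonce' );
}

// (a) Store which page the chat popup is connected to.
function example_save_chat_page() {
    example_require_admin_request( 'example_save_chat_page' );

    $page_id = isset( $_POST['page_id'] ) ? sanitize_text_field( wp_unslash( $_POST['page_id'] ) ) : '';
    if ( ! preg_match( '/^\d{1,20}$/', $page_id ) ) {
        wp_send_json_error( 'page_id must be numeric', 400 );
    }
    update_option( 'example_chat_page_id', $page_id );
    wp_send_json_success( array( 'page_id' => $page_id ) );
}

// (b) Validate an uploaded layout file. Returns the decoded array or WP_Error.
function example_validate_json_upload( $tmp_path, $client_name ) {
    // Extension allow-list of exactly one type. The client-supplied MIME
    // type in $_FILES is never consulted because the client controls it.
    $check = wp_check_filetype( $client_name, array( 'json' => 'application/json' ) );
    if ( 'json' !== $check['ext'] ) {
        return new WP_Error( 'bad_type', 'only .json imports are accepted' );
    }
    // The bytes themselves must parse as JSON; a PHP script renamed to
    // .json will not, so it is rejected on content as well as on name.
    $data = json_decode( (string) file_get_contents( $tmp_path ), true );
    if ( JSON_ERROR_NONE !== json_last_error() || ! is_array( $data ) ) {
        return new WP_Error( 'bad_json', 'file is not valid JSON' );
    }
    return $data;
}

function example_import_layout() {
    example_require_admin_request( 'example_import_layout' );

    if ( empty( $_FILES['layout'] ) || UPLOAD_ERR_OK !== $_FILES['layout']['error'] ) {
        wp_send_json_error( 'no file uploaded', 400 );
    }
    $tmp  = $_FILES['layout']['tmp_name'];
    $name = sanitize_file_name( $_FILES['layout']['name'] );

    $result = example_validate_json_upload( $tmp, $name );

    // Delete the temporary file before responding, on success and failure
    // alike, so nothing uploaded is left on disk. This is done here rather
    // than in a finally block because wp_send_json_* calls exit, and PHP
    // does not run finally blocks on exit.
    if ( is_file( $tmp ) ) {
        unlink( $tmp );
    }
    if ( is_wp_error( $result ) ) {
        wp_send_json_error( $result->get_error_message(), 415 );
    }
    // ... apply $result to the site's saved layouts here ...
    wp_send_json_success( array( 'items' => count( $result ) ) );
}
```

The point of the shared gate is ordering: the capability check runs first, so a valid nonce held by a low-privilege account never reaches the action body, and the nonce is bound to one action rather than to the dashboard as a whole. For the import path, the file is judged on its name and its parsed contents, never on the MIME type the browser sent, and it is never moved into a web-accessible directory before being removed.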
Our next story is a vulnerability affecting over 300,000 sites with the Newsletter plugin. The Newsletter plugin is a full featured visual editor for email campaigns, which has over 300,000 installations, and also recently received a patch for an active vulnerability. During our own investigation of the patched vulnerability, we discovered two additional and more serious vulnerabilities, including both a cross site scripting, and PHP Object Injection vulnerability.
Now, not long after the discovery of these vulnerabilities, we released new firewall rules to our premium subscribers to protect against both the XSS cross site scripting and PHP Object Injection vulnerabilities. These new firewall rules that we released were first sent to our premium subscribers on July 15th, and will be available to our free users on August 14th. Our built in PHP Object Injection firewall rule in Wordfence would have protected against one of these vulnerabilities in most cases, though, out of caution, we also released an updated firewall rule specifically for this case. We recommend getting updated to the latest version of the Newsletter plugin, which at the time of the podcast is version 6.8.3.
So there’s been an update on the recent Twitter hack, and authorities have charged three individuals in connection with the major attack. The first arrest was of 17-year-old Graham Clark from Tampa, Florida, who is believed to have orchestrated the entire attack. The FBI, the IRS and the Secret Service coordinated to charge Clark as an adult.
To bring you up to speed on the original story, the hackers compromised a Twitter employee in a phone spear-phishing attack on July 15, 2020, after which they soon gained access to Twitter accounts and internal support tools to run a Bitcoin scam. Now, initially, they came away with roughly $120,000 worth of Bitcoin. It’s worth noting that at the time of the attack, a thousand Twitter employees and contractors had access to the company’s internal support tools, which were used to carry out this attack. The two others charged are 19-year-old Mason Sheppard from the UK, and 22-year-old Nima Fazeli from Orlando, Florida. Sheppard and Fazeli were charged in San Francisco, California.
Last week, we talked about WordPress announcing the remaining 2020 WordCamps would be virtual. Since then, WordCamp US organizers have officially canceled WordCamp US for this year, which was originally scheduled for October 27th through the 29th. The event was transitioned to a virtual event back in April, but given how recent online WordCamps have struggled, organizers felt a full cancellation was the right call. The official statement read, “It is with heavy hearts that we have made the decision to cancel this year’s WordCamp US event. In light of the continued pandemic, online event fatigue for attendees, organizers and volunteers, and the desire for WordCamp experiences to be traditional WordCamp experiences, we have made the difficult decision to stop this year’s planning and cancel WordCamp US 2020.”
Along with the cancellation of WordCamp US, questions have been raised about Matt Mullenweg’s State of the Word address. Organizers said it’s still expected to happen, it’s just likely to take a different format. There are ideas being bounced around that the State of the Word will be its own event. Also, we’d love to hear what you think about virtual events. So go ahead and leave us a comment in the show notes.
Our last story of the day is the upcoming release for WordPress, which is 5.5. The release is scheduled for this upcoming Tuesday, and the update is expected to introduce new features and quite a few changes. Arguably, the biggest changes developers should be aware of are automatic updates and direct HTML changes to the custom logo output. We’re going over more details about this update on our Office Hours episode, which we have every Tuesday at noon Eastern Time on our YouTube channel.
We appreciate you listening and we hope you enjoyed this week’s episode. Check back next week for more security news. Make sure to follow us on social media. You can find Wordfence on Twitter, Facebook, and Instagram, and you can also find us on YouTube, where we have our weekly Office Hours on Tuesdays at noon Eastern, 9:00 AM Pacific. As always, if you’re interested in diving deeper into a story, we have links posted in our show notes.
Thanks for listening. And we’ll see you next week on Think Like a Hacker.
Please give us a like or give us a review on Apple podcasts.