Episode 83: 100,000 Sites Impacted by Vulnerabilities in Advanced Access Manager
The Wordfence Threat Intelligence team discovered vulnerabilities in the Advanced Access Manager plugin installed on over 100,000 WordPress sites. A high severity authorization bypass could lead to privilege escalation and site takeover. Critical vulnerabilities found in the Quiz and Survey Master plugin could also lead to site takeover on the 30,000 WP sites using the vulnerable version of this plugin.
Thousands of sites broke after updating to WordPress 5.5 due to deprecated support for jQuery Migrate, and the release of the Enable jQuery Migrate Helper plugin reached 10,000 active installations to help fix these sites using older themes or plugins.
As cryptocurrency values rise, we’re seeing a wave of new scams and hacking campaigns with cryptocurrency as a driving force, such as the recent Twitter hack and a botnet campaign called Fritzfrog that is breaching SSH servers to mine Monero.
Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:10 High-Severity Vulnerability Patched in Advanced Access Manager
2:05 Critical Vulnerabilities Patched in Quiz and Survey Master Plugin
3:43 Sites updating to WordPress 5.5 breaking due to deprecated jQuery migrate, new plugin released as a fix
6:27 Fritzfrog campaign breaching SSH servers, similar to previous cryptocurrency hacking campaigns
Episode 83 Transcript
Hey everyone, it’s Scott from Wordfence. This is Think Like a Hacker, the weekly podcast covering WordPress security and innovation. Let’s get right into this week’s stories.
Our first story of the week is the high severity vulnerability patched in the Advanced Access Manager plugin, Ram Gall, and our Threat Intel team here at Wordfence found vulnerabilities in the Advanced Access Manager plugin, which is installed on over 100,000 sites.
This high-severity Authorization Bypass vulnerability could lead to a privilege escalation and a site takeover. This plugin allows users to log in via the WordPress REST-API and unfortunately the plugins REST end points were set to respond to a successful login with a JSON-encoded copy of all metadata about the user, which can potentially expose users’ information to an attacker or a low-privileged user.
This information includes items such as the user’s hashed password and their capabilities and roles, as well as any custom metadata that might’ve been added by other plugins. Wordfence premium users received a firewall rule protecting against the Authorization Bypass vulnerability on August 14th, and sites that are still running the free version of Wordfence will receive this rule 30 days later on September 13th, 2020.
Now, lots of plugins and management systems give you the ability to customize roles for users on your site, whether you’re running a blog, an eCommerce store, or a membership site, or just adding a specific capability for certain users on your site. These additional roles require additional thought and attention, much like the plugins and management systems that are offering the features.
From a security standpoint, when it comes to issues and vulnerabilities like this regarding roles and capabilities, it’s typically recommended limiting the roles of users to only what is necessary and staying as close to the core functionality in WordPress as possible.
Our next story this week is the critical vulnerabilities patched in the Quiz and Survey Master plugin. On July 17th, our Threat Intel team found two vulnerabilities in the Quiz and Survey Master plugin, which is installed on 30,000 sites.
The Quiz and Survey Master plugin is a plugin built to allow users the ability to easily add quizzes and surveys to their site. One of the features of the plugin allows file upload implementation for quizzes and surveys. This upload feature, however, was not secure. The checks performed during a file upload only evaluated how the general settings were configured for the file upload itself.
During the upload, checks were made primarily to see if the file type and size were valid. The issue we discovered allows for unauthenticated attackers to upload arbitrary files and achieve Remote Code Execution, as well as remove arbitrary files, such as a site’s wp-config.php file, which could result in site downtime or a site takeover.
It’s recommended to update to version 7.0.1 as soon as possible. And thankfully the default Wordfence firewall rules protecting against malicious file uploads, local file inclusion, and directory traversal will protect both free and premium users from attackers targeting these vulnerabilities.
As a rule of thumb, be selective with who you provide access to your site. And more importantly, who is giving access levels greater than subscriber level. Users with these levels should always have unique and complex passwords.
jQuery Migrate is a library that basically helps old code function correctly on WordPress sites. This means if you have a plugin or a theme that is potentially no longer supported, or in other words, it’s out-of-date, it may have worked fine until updating to 5.5 where the library to help the code work was no longer included.
The result of the library not being included in the core updates so far has been 10,000 plus sites having issues. On one hand, this looks like the fault of WordPress for not including the library, but one of the real issues here is the number of sites using old themes and plugins.
Since the WordPress core update, there’s been a jQuery helper plugin released, which has surpassed the 10,000 [site] installation mark. This plugin, which was developed by the WordPress core team has provided some relief for users who have seen their site break due to the jQuery Migrate library not being included in the 5.5 core update.
This issue has exposed sites that are using older themes and plugins. And if your site was affected by these issues in 5.5, it may be a good time to look at finding replacements for those themes and plugins that are no longer supported.
If your site currently has plugins and themes that are still supported, but just out-of-date, there’s plenty of tools out there now that can help you manage updates. The new features and core that were added in 5.5 will allow you to update themes and plugins automatically and you can also use Wordfence alerts on your site to stay in tune with available updates for your themes and plugins.
You can also consider using Wordfence Central, which is a hub to add all of your Wordfence-protected sites, both free and premium and keep track of the scans and security of all the sites in one place. There’s a cool option for a summary of alerts in central that will help you with alert fatigue, and keep you up-to-date with what needs attention on your sites. The best part of it is, it’s completely free to use.
If you’re interested in some more information on auto-updates, we also have a good blog post on wordfence.com from August 6th, which is titled WordPress Auto-Updates, What Do You Have to Lose? And it details how you should go about the automatic update feature, which was introduced in WordPress 5.5. You can also check out the Wordfence livestream on YouTube from August 11th, where we go into this in depth.
In our last story this week, we take a look at the increasing value of cryptocurrency and how it’s increasing the number of attacks we’re seeing in various formats. Cryptocurrency has been increasing in value in the past few months, including the privacy focused cryptocurrency Monero.
It’s currently ranked as the 16th most valuable cryptocurrency on CoinMarketCap And it’s a favorite currency for those looking to hide their transactions, including hackers. With this rise in value, we believe we’ll start seeing more attacks using Monero mining much like what we saw with a massive crypto mining campaign, which affected WordPress sites in 2017.
We’ll include that link to our blog post in the show notes. Now, we’re already starting to see some of these attacks that have cryptocurrency as a driving force, including the recent Twitter hack, which focused on Bitcoin. In a similar story, a botnet campaign named Fritzfrog was discovered breaching SSH servers dating back to at least January 2020.
Fritzfrog used brute force to breach SSH. And once their malware was present, the malware replicated and grew in order to perform additional tasks. After some of the higher resource tasks were killed off on the server by the malware, it deployed tasks of its own, which focused on mining the Monero cryptocurrency.
In cases like these and as currency evolves, hackers won’t be far behind and there’s always a use for powerful servers, websites, and user accounts for hackers and botnets. It’s always important to monitor your server resources regularly, as well as harden your security and keep administrator, FTP, SSH, and other important accounts locked down or inaccessible until they’re needed.
That’s all for this week. Don’t forget to subscribe to our mailing list on wordfence.com, as well as check us out on Wordfence, live on YouTube every Tuesday at noon, Eastern 9:00 AM Pacific time where we talk all things WordPress and security. From all of us here at Wordfence, thanks for tuning in to Think Like a Hacker. And we look forward to catching up with you next week.
Follow me on Twitter @wfscottmiller. You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.