Episode 90 Think Like a Hacker

Episode 90: WPBakery Plugin Vulnerability Exposes Over 4 Million Sites

A vulnerability discovered by the Wordfence Threat Intelligence team in the WPBakery plugin exposes over 4 million sites. High severity vulnerabilities were discovered in the Post Grid and Team Showcase plugins.

The online avatar service Gravatar has been exposed to a user enumeration technique, which could be abused to collect data on its users’ profiles, and a card skimmer was found on Boom! Mobile’s website, putting customer card data at risk.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:12 Vulnerability Exposes Over 4 Million Sites Using WPBakery Plugin
1:50 High Severity Vulnerabilities in Post Grid and Team Showcase Plugins
3:52 Online avatar service Gravatar allows mass collection of user info
5:37 Boom! Hacked page on mobile phone website is stealing customers’ card data

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 90 Transcript

Scott Miller:
Hello everyone. It’s Scott from Wordfence. This is Think Like A Hacker, the weekly podcast about WordPress, security, and innovation. Let’s take a look at the news.

In our first story this week, a vulnerability in WPBakery exposes over 4 million sites. The Wordfence Threat Intelligence team here found a vulnerability in the WPBakery plugin on July 27th. This plugin is installed on over 4.3 million sites and the vulnerability allowed authenticated attackers with contributor level or greater permissions to inject malicious JavaScript in posts. We initially contacted the plugin team on July 28th and disclosed full details on the 29th. After extensive correspondence between Wordfence and the WPBakery development team, a sufficient patch was released on September 24th.

Now the WPBakery plugin had a flaw that would allow users with contributor-level or author-level roles to inject malicious JavaScript into pages and posts. The flaw would also give the users the ability to edit other users’ posts. The plugin disabled any default post HTML filtering checks, which allowed any user with access to the WPBakery Builder to inject HTML and JavaScript anywhere in a post using the page builder. It is recommended to update to the latest version, 6.4.1, as soon as possible. You’ll also want to take a look for any untrusted contributor or author user accounts on your WordPress site.

Wordfence Premium users were protected from the vulnerability when they received a new firewall rule for protection on July 28th, and Wordfence free users received the same protection on August 28th.

In our next story this week, we take a look at high severity vulnerabilities in the Post Grid and Team Showcase plugins. On September 14th, our threat intel team here at Wordfence discovered two high severity vulnerabilities in the Post Grid plugin, which has over 60,000 installations. While looking further into one of these issues we found in Post Grid, we discovered similar vulnerabilities were also present in the Team Showcase plugin, which is a separate plugin by the same author, and it has over 6,000 installations.

After triggering vulnerable functions in the plugins, a logged-in attacker with subscriber-level access or above could then send a source parameter referencing a malicious payload, and the vulnerable function would open the file containing that payload and eventually create a new page layout based on its contents. That page would then include a custom script section, which would allow an attacker to add malicious JavaScript to the custom CSS portion of that area. This would then be executed whenever an administrative user edited that layout or a visitor accessed any page based on that layout.

So this vulnerability could have been used to add a back door to the plugin or the theme files, or potentially to steal administrator session information. We reached out to PickPlugins, the developer of these plugins, on September 16th, and patches for both plugins were made available not long after on the 17th. Wordfence Premium users received a firewall rule protecting them from these vulnerabilities in both plugins on September 16th. Sites that are still using the free Wordfence plugin will receive this rule after 30 days, on October 16th.

If you’re using either the Post Grid or Team Showcase plugin, you should update to the latest version as soon as possible. At the current time, the latest version of the Post Grid plugin is 2.0.73, and the latest version of the Team Showcase plugin is 1.22.16.

In our next story, Gravatar, the online profile avatar service, allows easy collection of user information. So the online avatar service Gravatar has been exposed to a user enumeration technique, which could be abused to collect data on its users’ profiles. Security researcher Carlo Di Dato demonstrated that after simply appending .json to the Gravatar user’s profile page, an ID field was then accessible. Using that ID number specific to each Gravatar profile, user enumeration was possible with a simple script, which Di Dato demonstrated by visiting URLs from IDs 1 to 5,000, giving them access to the JSON data of the first 5,000 Gravatar users.

Some profiles contained more information than others, including location information, as well as phone numbers and Bitcoin wallet addresses. This information could of course also further be used in social engineering attacks. The simple enumeration technique would allow a crawler or bot to grab information at will from Gravatar profiles, with no strict rate limiting seemingly in place. As we know, Gravatar is a popular service used with WordPress. And though users with public profiles do consent to making some data publicly available, users are likely unaware that their data could be retrieved as easily as it could be with this user enumeration method. You might consider checking what information is available on your Gravatar profile and also consider what needs to be there. You can also hide your public profile via the service’s settings.

In our last story for this week, customers’ card data is at risk due to a card skimmer on Boom! Mobile’s website. So if you’ve recently been searching for a new mobile device and visited Boom! Mobile’s website, you may have been at risk of having your card data stolen. Malwarebytes, the popular security firm, has said that Boom!’s website contains a malicious script which steals payment card data. The script was active and pulled data from the payment fields any time that it detected changes in those fields.

One thing to note is the site, which is boom.us, is running PHP version 5.6.40, which has not been supported by the PHP developers since 2019, and also has known security issues. The information pulled from the skimmer on the site can include all added information to the forms, such as the name, address, card number, expiration date, and security code, as well as anything else in the form on the site. Boom! released a statement encouraging customers who may have made purchases on boom.us between the 30th of September and 5th of October to take necessary precautions with their card company. Unfortunately, these things can happen on websites and it’s always best to limit where you put your data online and try to stick with reputable websites.

That’s all for us this week. Thanks for joining me on Think Like A Hacker. Stop by on Tuesdays at 12:00 PM Eastern Time for Wordfence live on YouTube, where we talk all things security. Until next time, have a great weekend and we’ll catch you soon.

Follow me on Twitter @wfscottmiller. You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.
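A defender-side check suggested by the Gravatar story, added here as an example that is not code from the podcast or from Gravatar: it scans constructed access-log lines for a client that walks numeric profile IDs in order, the pattern that rate limiting or alerting would need to catch. The log format, the thresholds and the sample addresses are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample access-log lines (combined log format, abbreviated); not real Gravatar traffic.
SAMPLE_LOG = "\n".join(
    # 203.0.113.7 walks profile IDs 1..40 in order: the enumeration pattern
    [f'203.0.113.7 - - [06/Oct/2020:10:00:{i % 60:02d} +0000] "GET /{i}.json HTTP/1.1" 200 510'
     for i in range(1, 41)]
    # 198.51.100.9 looks up a few unrelated profiles: normal use
    + ['198.51.100.9 - - [06/Oct/2020:10:00:05 +0000] "GET /alice.json HTTP/1.1" 200 480',
       '198.51.100.9 - - [06/Oct/2020:10:00:09 +0000] "GET /7.json HTTP/1.1" 200 480',
       '198.51.100.9 - - [06/Oct/2020:10:01:12 +0000] "GET /9001.json HTTP/1.1" 404 120']
)

# Only requests for a numeric-ID .json profile URL are of interest here (assumed URL shape)
LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "GET /(?P<id>\d+)\.json ')

def ids_by_client(log_text):
    """Map each client IP to the ordered list of numeric profile IDs it requested."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            seen[m.group("ip")].append(int(m.group("id")))
    return seen

def sequential_fraction(ids):
    """Fraction of consecutive requests whose ID is exactly one more than the previous one."""
    if len(ids) < 2:
        return 0.0
    steps = sum(1 for a, b in zip(ids, ids[1:]) if b - a == 1)
    return steps / (len(ids) - 1)

def find_enumerators(log_text, min_requests=20, min_sequential=0.8):
    """Return {ip: (request_count, sequential_fraction)} for clients that walk
    numeric profile IDs in order, which ordinary profile lookups do not do."""
    flagged = {}
    for ip, ids in ids_by_client(log_text).items():
        frac = sequential_fraction(ids)
        if len(ids) >= min_requests and frac >= min_sequential:
            flagged[ip] = (len(ids), frac)
    return flagged
```

A flagged client is the input to a rate limit or block rule; the thresholds should be tuned against the site's real traffic before alerting on them.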
