Thursday September 19, 2024

Advisory ID: ngCERT-2022-0065

CVE(s): CVE-2021-24867

Summary: Researchers disclosed that dozens of WordPress themes and plugins had been backdoored with malicious code intended to infect further sites. Separately, a vulnerability affecting three WordPress plugins installed on over 84,000 websites was disclosed; it can be abused by an unauthenticated attacker to take over vulnerable sites.

Vulnerable Platform(s): WordPress Content Management System

Threat Type: Malware

Description

The infected extensions contained a dropper for a web shell that gives the attackers full access to the infected sites. The same extensions were clean when downloaded or installed directly from the WordPress[.]org directory. Some of the infected websites found using this backdoor had spam payloads dating back almost three years, implying that the actors behind the operation were selling access to the sites to operators of other spam campaigns.

Cybersecurity firm eSentire disclosed how compromised WordPress websites belonging to legitimate businesses are used as a hotbed for malware delivery, serving unsuspecting users who search on engines such as Google for postnuptial or intellectual property agreements with an implant called GootLoader. To date, a total of 10,359 WordPress plugin vulnerabilities have been uncovered. The three plugins affected by the separate takeover vulnerability are Login/Signup Popup (Inline Form + Woocommerce), Side Cart Woocommerce (Ajax) and Waitlist Woocommerce (Back in stock notifier).

Specifically, the vulnerability originates in a lack of request validation in the plugins' AJAX handlers, which are reachable without authentication. An attacker can use them to set the "users_can_register" option (i.e., anyone can register) to true and the "default_role" setting (i.e., the role assigned to users who register at the site) to administrator, then simply register an account and gain complete control of the site.
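The handler shape described above, written out as an added illustration rather than code taken from the affected plugins: a minimal WordPress AJAX callback that writes whatever option the request names, followed by the hardened form with a nonce check, a capability check and an option allow-list, and a small helper that reports the two options this attack flips. The action names, option names and function names are assumptions made for the example.

```php
<?php
/*
 * Added illustration (not code from the affected plugins): a WordPress AJAX
 * handler of the shape the advisory describes, then its hardened version.
 * Action names, allow-listed options and function names are assumed.
 */

// --- Vulnerable shape -------------------------------------------------------
// Registering the same callback on both wp_ajax_ (logged-in users) and
// wp_ajax_nopriv_ (anonymous visitors) makes it reachable by anyone.
add_action( 'wp_ajax_example_save_setting',        'example_save_setting_vulnerable' );
add_action( 'wp_ajax_nopriv_example_save_setting', 'example_save_setting_vulnerable' );

function example_save_setting_vulnerable() {
    // No nonce, no capability check, and the option name comes straight from
    // the request, so one unauthenticated POST to /wp-admin/admin-ajax.php with
    // action=example_save_setting&option_name=users_can_register&option_value=1
    // (and a second one setting default_role=administrator) is enough.
    $name  = $_POST['option_name']  ?? '';
    $value = $_POST['option_value'] ?? '';
    update_option( $name, $value );
    wp_send_json_success();
}

// --- Hardened shape ---------------------------------------------------------
// Logged-in users only: no wp_ajax_nopriv_ hook is registered at all.
add_action( 'wp_ajax_example_save_setting_safe', 'example_save_setting_safe' );

// Only the options this feature legitimately owns may ever be written.
const EXAMPLE_ALLOWED_OPTIONS = array( 'example_popup_enabled', 'example_popup_delay' );

function example_save_setting_safe() {
    // 1. CSRF protection: the request must carry a nonce minted for this action
    //    (the front end obtains it with wp_create_nonce( 'example_save_setting' )).
    check_ajax_referer( 'example_save_setting', 'nonce' );

    // 2. Authorization: only users allowed to manage site options.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    // 3. Never let the client choose which option is written.
    $name = isset( $_POST['option_name'] )
        ? sanitize_key( wp_unslash( $_POST['option_name'] ) )
        : '';
    if ( ! in_array( $name, EXAMPLE_ALLOWED_OPTIONS, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    // 4. Sanitize the value for the type the option expects.
    $value = isset( $_POST['option_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['option_value'] ) )
        : '';
    update_option( $name, $value );
    wp_send_json_success();
}

// --- Post-incident check ----------------------------------------------------
// Returns the two options this attack changes so an operator can confirm the
// site has not already been altered; expected on an untouched site is
// users_can_register = 0 and default_role = 'subscriber'.
function example_registration_state() {
    return array(
        'users_can_register' => (int) get_option( 'users_can_register' ),
        'default_role'       => get_option( 'default_role' ),
    );
}
```

The check function can be run from WP-CLI with `wp eval 'print_r( example_registration_state() );'` once the file is loaded as a plugin; if either value has changed, also review the user list for administrator accounts that were not created by the site owner, since the option change is only the first step of the takeover.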

Consequences: The flaw made it possible for an unauthenticated attacker to update arbitrary site options on a vulnerable site and thereby register an administrator account. It also allowed the injection of malicious JavaScript that would execute whenever a site administrator accessed the template editor, and the modification of the email template to contain arbitrary data that could be used to phish anyone who received emails from the compromised site.

Impact/Probability: CRITICAL/HIGH

Solution
  1. Site owners are advised to upgrade the affected plugins and themes to a patched version immediately, or replace them with the latest version from WordPress[.]org.
  2. Where a backdoored theme or plugin was installed, reinstall a clean copy of WordPress (core, themes and plugins) to revert the modifications made during the installation of the backdoor.
  3. Verify that the "users_can_register" and "default_role" options have not been changed, and review the list of administrator accounts for any the site owner did not create.
  4. Report any incident of system compromise to ngCERT for technical assistance.

References: