Safeguarding personal and business information is more crucial than ever. One common, yet often overlooked, vulnerability that can compromise this safety is password reuse. What seems like a simple solution for individuals using the same password across multiple accounts exposes people, and the companies and organizations connected with them, to significant risks.
This article explores the aspects of password reuse, why it remains prevalent, and effective strategies to mitigate the risk. We’ll discuss why it’s so vital to avoid reusing passwords and how adopting better security practices can protect us.
As a website owner, you’ve worked hard to develop your website and build your business. But, with Google issuing over three million safe browsing warnings a day, it’s clear that you have to be vigilant against the ever-present threat of malware.
A single malware infection can cripple your website, damage your reputation, and even steal your customers’ data. That’s why it’s essential to have a reliable malware scanner in place to help you spot an infection as soon as it happens, so you can take steps to secure your site and get it back up and running.
With so many malware scanners available, it can be challenging to know which one to choose. However, thanks to our comprehensive review of the best website malware scanners, you’ll be able to determine the right option for you.
Managing multiple WordPress sites can be stressful. With the average WordPress site running 22 plugins, it’s crucial that every vulnerability is accounted for. That’s why we’re thrilled to announce our partnership with MainWP, bringing you two new Jetpack extensions in the MainWP marketplace. With this new agreement in place, managing multiple WordPress sites has never been easier.
During an internal audit of the Slimstat Analytics and Paid Memberships Pro plugins, we uncovered two SQL Injection vulnerabilities that could allow low-privileged users like subscribers to leak sensitive information from a site’s database.
If exploited, the vulnerability could grant attackers access to privileged information from affected sites’ databases (e.g., usernames and hashed passwords).
We reported the vulnerabilities to the plugin’s authors, and they recently released Slimstat Analytics version 4.9.3.3 and Paid Memberships Pro version 2.9.12 to address them. We strongly recommend that you update affected plugins to their respective latest version, and have an established security solution on your site, such as Jetpack Security.
You learned about the importance of the .htaccess file in our blog post How to Access and Edit the Default WordPress .htaccess File. As you can imagine, an important file such as .htaccess can be a target for bad actors. In this article, we’ll point out cases and indicators of compromise that affect this file.
Recently our colleague Joshua Goode escalated to the Security Research team an investigation he was performing on several websites that presented the same indicators of compromise. There were small variations in what the final payload was, but the attack timeline was always the same.
Attack timeline
As Joshua initially pointed out and subsequently confirmed by me, the chain starts with the installation of the core-stab plugin, followed by other additional items. The following timeline depicts one of the many compromised sites we reviewed:
Jan 10, 2023 @ 17:29:49.587 UTC – Core stab plugin upload – /wp-admin/update.php?action=upload-plugin
Jan 10, 2023 @ 17:29:52.270 – /wp-content/plugins/core-stab/index.php
Jan 11, 2023 @ 02:12:50.773 – /wp-admin/theme-install.php?tab=upload
Jan 11, 2023 @ 03:37:58.870 – Another core-stab install
Jan 11, 2023 @ 04:15:06.014 – Installation of a new plugin, task-controller, /wp-content/plugins/task-controller/index.php
Jan 11, 2023 @ 08:23:26.519 – Installation of WP File Manager (Unsure if by attacker but this plugin is typical with a lot of malware)
The most common “coincidence” is that all users involved in this attack had their emails listed on at least one public password leak since 2019, which only corroborates the overall findings: the attacker(s) used compromised or leaked accounts to install the malware.
You can find more details on how the core-stab malware works, as well as detailed detection and blocking information for WP security experts, via WPScan.
Testing and validating our Proof-of-Concept for the malicious code.
What to do if my site was infected?
If you find the core-stab plugin installed on your site, the first thing you should do is remove it and then follow these next steps:
The premium version of the WordPress plugin 3DPrint is vulnerable to Cross Site Request Forgery (CSRF) and directory traversal attacks when the file manager functionality is enabled. These vulnerabilities allow an attacker to delete or get access to arbitrary files and directories on the affected sites, including sensitive files like the site configuration files, which again could lead to a full site takeover.
During WordCamp Europe 2022, we ran a WordPress Capture The Flag (CTF) competition across four challenges.
We wanted to introduce folks to the addictive world of CTF, and let people experience how security researchers approach bug hunting, such as looking for oddities in the code and combining them to do weird, sometimes counterintuitive things.
Versions before 9.9.7 of the WordPress plugin “The School Management Pro” from Weblizar contain a backdoor allowing an unauthenticated attacker to execute arbitrary PHP code on sites with the plugin installed. If you have an earlier version installed on your site, we recommend upgrading to version 9.9.7 or later immediately. This is a critical security issue.
During an internal audit of the UpdraftPlus plugin, we uncovered an arbitrary backup download vulnerability that could allow low-privileged users like subscribers to download a site’s latest backups.
If exploited, the vulnerability could grant attackers access to privileged information from the affected site’s database (e.g., usernames and hashed passwords).
We reported the vulnerability to the plugin’s authors, and they recently released version 1.22.3 to address it. Forced auto-updates have also been pushed due to the severity of this issue. If your site hasn’t already, we strongly recommend that you update to the latest version (1.22.3) and have an established security solution on your site, such as Jetpack Security.
