We're seeing some particularly vulnerable WordPress plugins make their way around the community. Whether it's plugins with built-in vulnerabilities or plugins with leaky administrative privileges, it hasn't been a good month for WordPress blogs and websites.
The two plugin vulnerabilities we're going to talk about today both come down to the same thing: Ajax hooks that never check who is calling them. These are the first two we've seen, but we expect more plugins with the same Ajax hook problem to surface. We'll go through the attack vector in detail below, but the important point is that anyone who had either plugin installed needs to comb through their website. Updating closes the hole; it doesn't undo anything an attacker has already changed.
So, let's see what kind of damage this latest round of plugins has caused, how these vulnerabilities function, and give you some resources that you may find handy in the future.
AMP for WordPress
The first vulnerability we're going to take a look at is still open as of this writing. We've heard that a critical patch is in the works, but we haven't seen a fix released yet. AMP for WP (+100,000 active installs) is an extremely popular mobile optimization plugin, and it has only become more important as WordPress's development team continues to leave mobile optimization to plugins.
Unfortunately, AMP for WP has a privilege-escalation issue: any registered user, right down to a subscriber, can perform actions that should be restricted to administrators. Privilege-level vulnerabilities like this are particularly frightening for site owners, because they create easy pathways for identity theft, malware, and other malicious damage.
So if a user of your website decides they want to inject code or install ads, they can call AMP for WP's Ajax hooks to do exactly that. Honestly, we expect to find hidden crypto-mining scripts on a lot of sites that were running AMP for WP. Miners are easy to install and hide once you can write to a site's pages, and with current crypto prices making mining on personal machines pointless, compromised websites have become a heavily desired target for hackers.
We'll keep you updated on this one, but as of right now we'd strongly recommend uninstalling AMP for WP until a fixed version ships. The damage may already be done, so go through your site with a fine-tooth comb and look for anything out of place.
How it Works
The main vector of this AMP for WP attack is WordPress's Ajax hooks. As WebARX detailed in their security analysis, Ajax hooks can be used to "call functions directly": a plugin registers a callback for an action name, and any request to admin-ajax.php that names that action runs the callback. WordPress itself only checks whether the caller is logged in; whether the caller is actually allowed to do what the callback does is the plugin's job, and AMP for WP doesn't check the user's level before its callbacks do their work.
Simplified: anyone with a registered account on your website, no matter how low their role, can inject HTML, scripts, malware, or even ads into your site by abusing the vulnerability.
- AMP for WP (+100,000 active installs) has Ajax hook vulnerabilities
- Nefarious individuals can use this vulnerability to inject malicious code into your website without admin access
- Fix coming soon
WP GDPR Compliance
On the heels of the European Parliament's General Data Protection Regulation (GDPR), site owners around the globe have been scrambling for convenient and cost-effective ways to comply with the European Union's data protection law, so plugins like WP GDPR Compliance (+100,000 active installs) have ballooned in users. Unfortunately, WP GDPR Compliance had nearly the same Ajax vulnerability we saw in AMP for WP, which left thousands of sites open to injection by low-privileged users.
Thankfully, this one has a fix, though for many sites the damage has already been done. Update to version 1.4.3 or later right away; a plugin installed to protect personal data shouldn't be the thing exposing it.
Here we're looking at the same kind of issue: the plugin's admin-ajax.php handler isn't checking user privileges correctly, which ultimately leads to injections and malicious files being stored on the server.
Wordfence reports that they are seeing this vulnerability exploited in the wild, including shells and malicious code installed by non-admin accounts through this particular attack vector. That isn't surprising given the situation. Many of these third-party plugins are critical precisely because they process data and provide data-protection options that WordPress core simply doesn't, and core doesn't have to, because it can lean on third-party developers to write plugins.
That line of thinking falls apart every time there's a vulnerability. WordPress puts all of the blame for these personal-data breaches on the plugin developer and carefully maneuvers around the issue by pointing to the plugin's third-party status. This strange friction in the OSS world is a valuable asset for bad actors, who are taking full advantage of it by planting nefarious code on a huge number of websites that process personal data.
How it Works
The main vector of attack for WP GDPR Compliance is, again, an Ajax hook. Users without administrator privileges can hit admin-ajax.php and have the plugin's callback execute for them. So attackers are installing shells, uploading malicious files, injecting spam ads, and more, and the only server-side trace may be the POST requests to admin-ajax.php in your access logs, plus whatever was changed.
Simplified: people who aren't administrators can inject malicious code into your website through a critical vulnerability in a handler that never checks whether they have administrative access.
- GDPR Compliance (+100,000 active installs) has Ajax hook vulnerabilities
- People can inject code without admin access
- Fix already here (but the damage is done)
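Both "How it Works" sections describe the same mistake, so here is one added example in WordPress's own language, PHP, showing what that mistake looks like in a plugin and what the handler should have looked like. This is illustrative code written for this post, not code from AMP for WP, WP GDPR Compliance, or WebARX's analysis; the action names, option name, script handle and admin.js file are assumptions.

```php
<?php
/**
 * Added example, not code from either plugin: an admin-ajax handler that
 * trusts its caller, next to the same handler with the checks the plugins
 * were missing. Runs inside WordPress as a plugin. The action names,
 * option name, script handle and admin.js file are illustrative assumptions.
 */

// --- Vulnerable shape ------------------------------------------------------
// admin-ajax.php dispatches to wp_ajax_{action} for logged-in users and to
// wp_ajax_nopriv_{action} for anonymous visitors. WordPress checks nothing
// beyond that; what the caller is allowed to do is the callback's job.
add_action( 'wp_ajax_demo_save_footer_html',        'demo_save_footer_html_vulnerable' );
add_action( 'wp_ajax_nopriv_demo_save_footer_html', 'demo_save_footer_html_vulnerable' );

function demo_save_footer_html_vulnerable() {
    // No capability check, no nonce, no sanitization. A subscriber (or, via
    // the nopriv hook, any visitor) can send
    //   POST /wp-admin/admin-ajax.php  action=demo_save_footer_html&html=<script>...
    // and store arbitrary HTML/JS that the theme later echoes on every page.
    update_option( 'demo_footer_html', $_POST['html'] );
    wp_send_json_success();
}

// --- Hardened shape --------------------------------------------------------
// Only a logged-in hook (no nopriv variant), and the callback verifies
// capability, nonce and input before it touches anything.
add_action( 'wp_ajax_demo_save_footer_html_safe', 'demo_save_footer_html_safe' );

function demo_save_footer_html_safe() {
    // 1. Authorization: the privilege check the vulnerable handler skipped.
    //    manage_options is an administrator-only capability by default.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Insufficient privileges.' ), 403 );
    }

    // 2. CSRF: the request must carry a nonce issued for this exact action.
    //    check_ajax_referer() terminates the request on failure.
    check_ajax_referer( 'demo_save_footer_html_safe', 'nonce' );

    // 3. Input: never store raw request data. wp_kses_post() strips script
    //    tags and event handlers while keeping ordinary post HTML.
    $html = isset( $_POST['html'] ) ? wp_kses_post( wp_unslash( $_POST['html'] ) ) : '';
    update_option( 'demo_footer_html', $html );

    wp_send_json_success( array( 'saved_bytes' => strlen( $html ) ) );
}

// Hand the nonce to the admin page's script so the legitimate UI can call the
// hardened action. 'demo-admin' / admin.js are assumed names for this example.
add_action( 'admin_enqueue_scripts', function () {
    wp_enqueue_script( 'demo-admin', plugins_url( 'admin.js', __FILE__ ), array( 'jquery' ), '1.0', true );
    wp_localize_script( 'demo-admin', 'demoAjax', array(
        'url'   => admin_url( 'admin-ajax.php' ),
        'nonce' => wp_create_nonce( 'demo_save_footer_html_safe' ),
    ) );
} );
```

Two things worth keeping in mind when you go looking for damage. Registering a `wp_ajax_nopriv_` hook is a deliberate choice that opens the callback to anyone on the internet, so any plugin that does it for an action that writes to the database deserves a hard look. And admin-ajax.php reads the action name from `$_REQUEST`, so an attacker who put it in the query string leaves `POST /wp-admin/admin-ajax.php?action=...` in your access log, while one who put it in the POST body leaves only the bare `POST /wp-admin/admin-ajax.php` line; unexpected bursts of those requests from low-privileged accounts or unfamiliar IPs are the trail to follow.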
Again, we're seeing a commonplace problem. WordPress has more vulnerable plugins, which shouldn't surprise anyone at this point. WordPress's security issues would be laughable if millions of people weren't being exposed to malicious content as a result.
It's glaringly obvious that WordPress isn't concerned about security, and surely WordPress will shift the blame for this situation too. This OSS issue of dissolved responsibility has become increasingly prevalent over the last few years, and websites are getting attacked left and right as a result. But rest assured that as security concerns continue to grow, public authorities will impose more supervision over how consent to process personal data is obtained and how that data is managed.
We expect to see more activity coming from this attack vector shortly. As always, we'll keep you updated.