Later on January 10th, 2024 we received an interesting malware submission demonstrating how a Cross-Site Scripting vulnerability in a single plugin can allow an unauthenticated attacker to inject an arbitrary administrative account that can be used to take over a website.
This type of vulnerability is often exploited in order to add spam content or malicious redirects to a compromised website, which we frequently see when performing Care and Response site cleanings.
Wordfence Premium, Wordfence Care, and Wordfence Response, along with Wordfence CLI Paid users received a malware signature to detect this malicious file on January 11th, 2024.
Wordfence free users will receive this signature after 30 days on February 11th, 2024.
Wordfence Premium, Wordfence Care, and Wordfence Response, along with those still using the free version, are protected against any exploits targeting this vulnerability.
If you believe your site has been compromised as a result of this vulnerability or any other vulnerability, we offer Incident Response services via Wordfence Care.
If you need your site cleaned immediately, Wordfence Response offers the same service with 24/7/365 availability and a 1-hour response time.
The custom JS code option itself is a peculiar - and quite powerful - feature of the Popup Builder plugin, which lets an administrator run arbitrary JavaScript code in order to decide whether a popup needs to be shown or not.
The implementation relies on the JavaScript eval() method, meaning that this option field - injectable with custom code by unauthenticated attackers - will happily run whatever code is found each time a user visits the website.
A recent blog post by Sucuri shows in detail how this vulnerability was used to install a rogue plugin titled WP Felody - we gathered the first data about it around the same time and found it was already detected by one of our malware signatures.
Unlike most malware, this source code is well structured and quite elegant, absolutely resembling legitimate and high-quality code; the use of console debug statements is also quite unusual.
As soon as a logged-in user with an administrator role is involved, the script will run an HTTP request to create a rogue admin account - identical to a legitimate one - and send the new credentials to a website controlled by the attacker.
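Because the injected account is built to look identical to a legitimate administrator, a name-based eyeball check is not enough; the audit below compares the administrator list against a known-good allowlist, a registration cutoff, and duplicate display name/e-mail pairs. This is an added example, not Wordfence's or the plugin's code; it assumes the JSON shape produced by `wp user list --role=administrator --format=json`, and both the sample rows and the allowlist are constructed.

```python
"""Audit WordPress administrator accounts for rogue additions.

Added example (not Wordfence's or Popup Builder's code). Input is assumed to
be the JSON emitted by `wp user list --role=administrator --format=json`.
"""
import json
from datetime import datetime

# Constructed sample export: a legitimate admin and a rogue account that
# copies its display name and e-mail, differing only in login and date.
SAMPLE_EXPORT = json.dumps([
    {"ID": "1", "user_login": "siteowner", "display_name": "Site Owner",
     "user_email": "owner@example.com",
     "user_registered": "2021-03-02 09:14:55", "roles": "administrator"},
    {"ID": "57", "user_login": "siteowner2", "display_name": "Site Owner",
     "user_email": "owner@example.com",
     "user_registered": "2024-01-10 23:41:07", "roles": "administrator"},
])

# Assumed allowlist: administrator logins the site owner actually created.
KNOWN_ADMINS = {"siteowner"}


def audit_admins(export_json, known_logins, not_after):
    """Return (login, reason) pairs for administrator rows that are not on
    the allowlist, were registered after `not_after` (YYYY-MM-DD), or share
    display name and e-mail with another administrator."""
    cutoff = datetime.strptime(not_after, "%Y-%m-%d")
    admins = [r for r in json.loads(export_json)
              if "administrator" in r["roles"].split(",")]
    # Group logins by (display_name, user_email) to spot look-alike accounts.
    twins = {}
    for row in admins:
        key = (row["display_name"], row["user_email"])
        twins.setdefault(key, []).append(row["user_login"])
    findings = []
    for row in admins:
        login = row["user_login"]
        registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        if login not in known_logins:
            findings.append((login, "not in known admin list"))
        if registered > cutoff:
            findings.append((login, f"registered after {not_after}"))
        others = [l for l in twins[(row["display_name"], row["user_email"])] if l != login]
        if others:
            findings.append((login, f"shares display name/email with {','.join(others)}"))
    return findings


if __name__ == "__main__":
    for login, reason in audit_admins(SAMPLE_EXPORT, KNOWN_ADMINS, "2023-12-31"):
        print(f"SUSPICIOUS admin {login!r}: {reason}")
```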
A malware signature was developed to provide detection and protection against attackers trying to inject this malware.
January 11th, 2024: Wordfence Premium, Wordfence Care, and Wordfence Response customers, along with Wordfence CLI Paid users, receive the malware signature.
February 11th, 2024: Wordfence free users receive the malware signature.
In this blog post we detailed an unusual direct WordPress administrative account injection method based on an Unauthenticated Cross-Site Scripting vulnerability exposed by the Popup Builder plugin, affecting versions 4.2.2 and earlier.
This method allows unauthenticated threat actors to add a rogue WordPress admin account, resulting in a full website takeover.
The vulnerability appears to be addressed in version 4.2.3 of the plugin.
As a reminder, Wordfence Premium, Wordfence Care, and Wordfence Response, along with Wordfence CLI Paid users received a malware signature to detect this malicious file on January 11th, 2024.
The Popup Builder plugin has had 7 releases over the last 3 months, 5 of which were security-related.
This Cyber News was published on www.wordfence.com. Publication date: Wed, 17 Jan 2024 14:43:04 +0000