Remember the old saying about bad things coming in threes? Flaw hunters Wordfence would probably agree with the sentiment after uncovering some nasty zero-day flaws in a trio of WordPress plugins.
Not a great start, then, but much worse is that the vulnerabilities were already being exploited when the company discovered them by chance during recent attack investigations – meaning anyone running them is vulnerable and should update immediately.
The plugins are (with fixed versions):
- Appointments by WPMU Dev (fixed in 2.2.2)
A bookings plugin to help small businesses schedule appointments and manage customer contacts.
- Flickr Gallery by Dan Coulter (fixed in 1.5.3)
Integrates Flickr images but now discontinued. This plugin has only been tested up to WordPress 3.0.5 which is over six years old. Please don’t run anything this ancient.
- RegistrationMagic-Custom Registration Forms by CMSHelpLive (fixed in 3.7.9.3)
Offers a range of features around managing user registrations.
How long attackers have been exploiting them isn’t clear, but all are rated “critical” and given a rather alarming Common Vulnerability Scoring System (CVSS) rating of 9.8. Any one of the three could be used to plant a backdoor and take complete control of a vulnerable website.
Tracking them down required detective work, so it’s a tad fortunate they were found at all:
The exploits were elusive: a malicious file seemed to appear out of nowhere, and even sites with access logs only showed a POST request to /wp-admin/admin-ajax.php at the time the file was created.
Putting a backdoor into a vulnerable site is as simple as sending the exploit in a POST request to the WordPress AJAX endpoint admin-ajax.php or, in the case of Flickr Gallery, to the root URL, at which point it’s game over. No authentication or elevated privilege is needed.
The good news is that none of the three are widely used, with a combined install count of only 21,000, tiny next to the tens of millions of sites running WordPress. Needless to say, any one of the sites running these plugins and failing to heed the warnings could pay a high price.
WordPress plugin flaws are an ongoing worry, but they aren’t always a simple thing to fix.
Earlier this year, 200,000 websites were affected by malicious spam code hidden inside a plugin called Display Widgets, which was duly removed from the WordPress repository. Except that each time it was re-admitted, the problem reoccurred, four times in all.
In the end, the plugin was re-submitted as an older, clean version.
The incident highlights a weakness in WordPress plugin security. The core of WordPress is well maintained and supported by a diligent security team that can deploy security updates to millions of WordPress installs automatically. The plugin ecosystem, a collection of tens of thousands of pieces of third party software that can turn your site into anything from a job site to a photo gallery, is the wild west by comparison.
In large part, your WordPress site’s security depends on the quality of the plugins you install.
Site owners running a vulnerable plugin are reliant on the plugin author to respond to problems quickly, so look for software that is actively maintained and updated regularly. When plugin updates are available, notifications will appear in your site’s admin interface in the Plugins tab and in Dashboard > Updates. Log in and check often, every day if you can, or pay someone to do it for you (the same applies to other CMS software like Drupal, Joomla or Magento).
Good web hosts will keep you up to date or alert you if they think you’re running vulnerable software. Some specialist WordPress web hosting companies also keep their own allow lists of vetted plugins.
Bryan
PSA:
While the 21,000 installations figure is encouraging, a quick sanity check can tattle on the default location for added reassurance…
find . -type d | grep -E '/plugins/(appointments|flickr-gallery|custom-registration-form-builder-with-submission-manager)$'
I double checked this method by appending a plugin I know is in there. Make the line end in "|jetpack)$'"
Mark Stockley
Hi Bryan,
If you’ve got shell access to a WordPress installation then I recommend the WordPress CLI. The following command, run from anywhere within the WordPress directory structure, will list the installed plugins and version numbers:
wp plugin list
To update a plugin to the latest version run:
wp plugin update <plugin>
To deactivate a plugin:
wp plugin deactivate <plugin>
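Building on the wp plugin list command above, here is an added example (not code from the article, from WP-CLI or from any of the plugin authors) of a POSIX shell check that reads the CSV form of that listing and flags any of the three plugins still below the fixed versions the article gives. It assumes wp plugin list --format=csv emits the columns name,status,update,version, uses the plugin slugs from the find command earlier in the thread, and handles only purely numeric dotted versions; the sample listing embedded at the bottom is constructed.

```shell
#!/bin/sh
# Added example: flag installed plugins that are below their fixed version.
# Not code from the article or WP-CLI; assumes `wp plugin list --format=csv`
# output with the columns name,status,update,version.

# version_lt A B: exit 0 if dotted numeric version A is strictly lower than B.
# Missing trailing components count as 0, so 3.7.9 < 3.7.9.3 holds.
version_lt() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        ax=${a%%.*}; bx=${b%%.*}          # leading component of each side
        case "$a" in *.*) a=${a#*.} ;; *) a='' ;; esac
        case "$b" in *.*) b=${b#*.} ;; *) b='' ;; esac
        if [ "${ax:-0}" -lt "${bx:-0}" ]; then return 0; fi
        if [ "${ax:-0}" -gt "${bx:-0}" ]; then return 1; fi
    done
    return 1                              # versions are equal
}

# Plugin slug and first fixed release, as listed in the article.
FIXED='appointments 2.2.2
flickr-gallery 1.5.3
custom-registration-form-builder-with-submission-manager 3.7.9.3'

# check_plugins: reads the CSV listing on stdin; prints one line per plugin
# still below its fixed version and returns 1 if any were found, else 0.
check_plugins() {
    found=0
    while IFS=, read -r name status update version; do
        [ "$name" = "name" ] && continue                      # CSV header row
        fixed=$(printf '%s\n' "$FIXED" | awk -v n="$name" '$1 == n { print $2 }')
        [ -z "$fixed" ] && continue                           # not one of the three
        if version_lt "$version" "$fixed"; then
            printf 'VULNERABLE %s %s (fixed in %s, %s)\n' "$name" "$version" "$fixed" "$status"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample listing standing in for `wp plugin list --format=csv`.
SAMPLE_LIST='name,status,update,version
akismet,active,none,4.0
appointments,active,available,2.2.1
flickr-gallery,inactive,none,1.5.3
custom-registration-form-builder-with-submission-manager,active,available,3.7.9'

# Real usage: wp plugin list --format=csv | check_plugins
printf '%s\n' "$SAMPLE_LIST" | check_plugins || echo 'update the plugins listed above'
```

Note that an inactive plugin is still reported: the vulnerable file is still on disk, and the article's advice is to update or remove it, not merely to switch it off.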
Bryan
Sweet, thanks Mark. Fortuitous that I’m recently eyeballing wp-cli.
I like how using it will preclude lots of webby bugs simply after a chown command. And in conjunction with a cron job or two I still can handle updates but without the added risk of files owned by the web daemon.
Before taking the plunge I wanted to research how it pokes into the database (and how gracefully it handles multiple VMs). With your stamp of approval, I’ll definitely give it a peek – and feel less apprehensive of missing a backdoor if I don’t scrutinize the entire thing.
Thanks again!
Tom
I always install the WordPress File Monitor plugin, which mails when files are modified/added. It doesn’t stop anything of course, and it also mails when WordPress updates, but at least you get a heads up when something possibly malicious happens.
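The file-monitor idea in the comment above, and the article's note that the malicious file "seemed to appear out of nowhere", can be reproduced with nothing more than a checksum baseline. The following is an added example, not code from the article or from the WordPress File Monitor plugin: it records a checksum for every file under a WordPress tree and then reports files added, removed or modified since the baseline. It assumes POSIX find, cksum, awk and sort and paths without whitespace; the tree it builds in demo is constructed.

```shell
#!/bin/sh
# Added example: a minimal file-change baseline for a WordPress tree.
# Not code from the article or the WordPress File Monitor plugin.
# Assumes POSIX find, cksum, awk and sort, and paths without whitespace.

# snapshot DIR: print "checksum size ./path" for every regular file under DIR.
snapshot() {
    ( cd "$1" && find . -type f | sort | while read -r f; do cksum "$f"; done )
}

# diff_snapshot OLD NEW: compare two snapshot files and report ADDED, REMOVED
# and MODIFIED paths, sorted so the output is stable.
diff_snapshot() {
    awk '
        FILENAME == ARGV[1] { old[$3] = $1; next }   # first file is the baseline
        { new[$3] = $1 }
        END {
            for (p in new) if (!(p in old)) print "ADDED", p
            for (p in old) if (!(p in new)) print "REMOVED", p
            for (p in new) if ((p in old) && old[p] != new[p]) print "MODIFIED", p
        }' "$1" "$2" | sort
}

# demo: build a throwaway tree with constructed contents, baseline it, then
# simulate one file appearing and one being edited, and return the report.
demo() {
    tmp=$(mktemp -d)
    mkdir -p "$tmp/wp-content/plugins/akismet"
    printf '<?php // placeholder plugin file\n' > "$tmp/wp-content/plugins/akismet/akismet.php"
    snapshot "$tmp" > "$tmp.base"
    printf '<?php // constructed: a file that was not there at baseline\n' > "$tmp/wp-content/plugins/unexpected.php"
    printf '// constructed edit\n' >> "$tmp/wp-content/plugins/akismet/akismet.php"
    snapshot "$tmp" > "$tmp.new"
    diff_snapshot "$tmp.base" "$tmp.new"
    rm -rf "$tmp" "$tmp.base" "$tmp.new"
}

# Real usage: snapshot /path/to/wordpress > baseline.txt after each trusted
# update, then snapshot again from cron and run diff_snapshot on the two files.
demo
```

As with the plugin in the comment, this only tells you after the fact; its value is that a web-server-owned file showing up under wp-content between two runs is exactly the signal the article says was otherwise visible only as a lone POST to admin-ajax.php in the access log.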