Category: Security issues

  • CleanTalk Research Team Discovers Stored XSS Vulnerability in WP SEOPress Plugin (v7.7.1)

    The CleanTalk Research Team identified a critical Stored XSS (Cross-Site Scripting) vulnerability in the WP SEOPress plugin, version 7.7.1. This flaw can be exploited by attackers with contributor privileges to create new admin accounts, potentially granting them full control of your WordPress website.

    Understanding Stored XSS (CVE-2024-4899)

    Stored XSS vulnerabilities allow attackers to inject malicious scripts directly into your website’s database. These scripts are then executed whenever someone views the compromised content. Unlike reflected XSS, user interaction isn’t required to trigger the attack, making it particularly dangerous.

    How Attackers Can Exploit This Vulnerability

    An attacker with contributor privileges can exploit this vulnerability by injecting malicious JavaScript code into the “SEO Title” field while creating a new post. This code can then be used to create a new admin account, granting them complete control over your website.

    Potential Consequences of an Exploit

    • Complete Site Takeover: Attackers could create new admin accounts and seize full control of your website.
    • Data Theft: Sensitive information like user credentials, financial records, and even your website’s content could be stolen.
    • Website Defacement: Attackers could alter the appearance of your site, inject further malicious code, or display unauthorized content.
    • Persistent Backdoors: Malicious actors might install backdoors to ensure continued access even after the initial vulnerability is patched.

    Taking Action to Secure Your Website

    1. Update Immediately: The most critical step is to update the WP SEOPress plugin to the latest version as soon as possible. This update addresses the vulnerability and safeguards your website.
    2. Review User Roles: Carefully review user roles and permissions. Contributors should have the minimum access necessary for their tasks.

    Through continuous vulnerability discovery and disclosure, we empower website owners and developers to take preventative measures. We believe that by working together, we can create a robust and secure WordPress ecosystem for everyone.

    Stay vigilant. Stay secure.

  • Mitigating WordPress.com API Vulnerability

    Attention WordPress website owners! We’re excited to announce that the CleanTalk Security Plugin now effectively addresses a well-known vulnerability involving the WordPress.com API.

    This vulnerability, previously discussed here, allowed unauthorized actors to potentially trace administrator usernames through a public API endpoint. While disabling the REST API entirely would be ideal, it wasn’t always a viable option for many websites.

    The CleanTalk Team Steps Up

    We understand the critical nature of this vulnerability and the potential security risks it poses. Our development team has been working diligently to implement a comprehensive solution within the CleanTalk Security Plugin.

    This update delivers:

    • Enhanced User Data Protection: CleanTalk can now effectively block attempts to exploit the exposed API endpoint, safeguarding your administrator username and other sensitive user data.
    • Improved Overall Security: This fix is just one piece of the puzzle. CleanTalk Security offers a robust suite of security measures to keep your website safe from a wide range of threats.

    What You Can Do

    1. Update Your Plugin: Ensure you’re running the latest version of the CleanTalk Security Plugin to benefit from this critical fix and ongoing protection.
    2. Review Your Security Practices: Consider implementing additional security measures like strong password policies and user access restrictions for an extra layer of defense.

    CleanTalk: Committed to Your Security

    We at CleanTalk are dedicated to providing the best possible security for your WordPress website. We continuously refine our plugin to address both emerging and long-standing vulnerabilities.

    For further information on CleanTalk Security and its capabilities, please refer to the plugin’s documentation.

    This revised announcement emphasizes the team’s effort in resolving a known issue and highlights the broader security benefits of the CleanTalk Security Plugin.

  • Strengthen Your WordPress Security with Built-in Vulnerability Checks by CleanTalk

    The CleanTalk Security plugin now offers built-in plugin vulnerability checks, empowering you to safeguard your WordPress website proactively. If you haven’t tried it yet, feel free to install the plugin according to these instructions.

    While plugins add valuable functionality, they can also introduce security risks if vulnerabilities exist. To address this, CleanTalk regularly scans popular plugins and integrates the findings directly into the Security plugin.

    Here’s how it benefits you:

    • Real-time Vulnerability Insights: Get notified within the plugin itself whenever potential vulnerabilities are detected in your active plugins.
    • Proactive Security Measures: Take immediate action to address vulnerabilities and minimize the risk of attacks.
    • Simplified Security Management: No need to visit external platforms for vulnerability information; it’s all accessible within the plugin.

    This integration strengthens your WordPress security by informing you about potential threats and allowing you to take immediate action.

    Stay Updated, Stay Secure!

    The CleanTalk Security plugin continues to evolve, offering comprehensive security solutions for your WordPress site. Remember to update the plugin to benefit from the latest features and vulnerability checks.

  • Critical Security Vulnerability in Shortcode Ultimate Plugin for WordPress

    During routine plugin testing, we discovered a critical security vulnerability in the Shortcodes Ultimate plugin for WordPress, which has 600,000+ installations. This plugin, widely used for adding powerful shortcodes to enhance website functionality, is currently vulnerable to a severe flaw that could allow attackers to gain unauthorized access to your WordPress site.

    The exploit allows contributors to embed malicious JavaScript code into new posts via a shortcode, which can subsequently be used to create an admin account. By exploiting this flaw, attackers can gain unauthorized access and wreak havoc on websites.

    Vulnerability detailed CVE on WPScan: https://wpscan.com/vulnerability/9eef8b29-2c62-4daa-ae90-467ff9be18d8.

    How to secure your site from the vulnerability

    Don’t rush to delete the plugin. To mitigate the risk you should just update your Shortcodes Ultimate plugin to the latest version. Additionally, implementing robust security measures, such as regular vulnerability assessments and user role restrictions, can fortify defenses against XSS attacks.

  • Why Even the Best Free Malware Removal Tools Can’t Cure Your Website Completely

    If your website was built on one of the popular CMSs such as WordPress, there are various security plugins for it that provide permanent protection from malware. But what should you do if your site is unprotected and you suspect that it has been infected? Let’s find out together.

    6 signs that your website may be infected

    First of all, let’s break down when it’s really time for you to think about cleaning your site of malware.

    1. Unusual activity in Server logs
      Server logs contain access logs that display the users who have recently accessed your website.

    2. Your website is slow
      Hackers deploy DoS attacks to overload your server resources, thus impacting your website speed and performance.

    3. Emails ending in the Spam folder
      This happens when your web server is infected with malware. As a result, email servers categorize your emails as “spam”.

    4. Pop-up and Spam Ads
      This usually happens when you have installed an insecure plugin or theme. Hackers earn money when visitors click on these ads.

    5. Modified website files
      To insert backdoors and other malicious code in your site, hackers often modify your website core files.

    6. Website being redirected
      Hackers often deploy cross-site scripting (or XSS) attacks to send your website traffic to unsolicited websites.

    What is a manual malware removal

    During a manual malware removal, a dedicated cybersecurity specialist is assigned to your site and works on it from the start of the cleanup until it is complete.

    Step 1: Clean up the bad stuff
    Using SSH and admin access, the specialist reaches your website hosting and gets rid of all viruses, malware, malicious code, and bad links on your website.

    Step 2: Restore the site from backup
    If you have a backup, the specialist restores the site from it. Otherwise, the specialist works with the site’s current version.

    Step 3: Protect it from future infections
    The specialist installs a permanent Security protection plugin to prevent future infections.

    Reasons to use manual malware removal instead of automatic

    Sometimes automatic solutions can be enough to find the most known viruses and malware and often are low cost or free.

    Automatic free malware removal tools can be effective at identifying and removing known malware from a website, but there are several reasons why they may not completely cure a website of all security threats.

    • Over-insurance and possible data loss
      The problem is that they often err on the side of caution and classify your own files as malicious, causing large file and data losses during automatic site cleanup. A specialist can always distinguish your files from malicious ones, even when they contain custom code.

    • Evolving Malware
      Malware is constantly evolving, with new variants and techniques being developed by cybercriminals. Automatic tools may not always be able to keep up with the latest malware threats.

    • Hidden Malware
      Some malware is designed to be stealthy and can hide in obscure locations within a website’s code or files. Automatic tools may not always detect these hidden threats.

    • False Positives
      Automatic tools may sometimes flag legitimate code or files as malware, leading to false positives. This can result in the removal of essential components of the website, causing functionality issues.

    • Complex Infections
      In some cases, websites may be infected with complex malware that requires manual intervention to fully eradicate. Automatic tools may not have the capability to address these intricate infections effectively.

    • Vulnerability Patching
      While malware removal tools can remove existing infections, they may not address the underlying vulnerabilities that allowed the malware to compromise the website in the first place. It’s essential to also address security vulnerabilities and implement robust security measures to prevent future infections.

    • Human Expertise
      Manual inspection and intervention by cybersecurity experts are often necessary to thoroughly assess the extent of an infection, identify potential backdoors, and ensure that the website is fully secure.

    In conclusion, while automatic malware removal tools are valuable for initial detection and removal of known threats, they may not be sufficient to completely cure a website of all security issues. Manual inspection, ongoing security measures, and expert intervention are often necessary to ensure comprehensive protection against malware and other security threats.

    Why it is profitable for you to use CleanTalk malware removal

    • 100% refund in case of unsuccessful cleanup: We will manually clean your site from viruses and malware or refund your money.
    • 10+ years fighting malware: More than ten years of fighting malware and spam all over the Internet. We are aware of all the dangers that can threaten your website and how to deal with them.
    • 30-day support: Free 30-day help with reinfection. As a guarantee of our work we continue to be with you and will get back to work if needed.
    • 50+ CVE reports published: And we continue to share found vulnerabilities in our blog.
    • 10,000+ active users: A lot of loyal users that trust our experience and use our Security protection.
    • 1 year of free Security Plugin: Order your Malware Removal now and get 1 year of free Security plugin.

    Clean your site from malware today

    And get CleanTalk Security Plugin for 1 year for FREE

  • Discovering IP Address Information with IP Info Tools

    When it comes to understanding the activity and location of an IP address, there are various tools available that provide valuable information. CleanTalk IP Tools allows users to gather details about an IP address, including its geographical location, DNS name, provider, and spam activity.

    How IP address info works

    By entering an IP address into the IP Info tool on cleantalk.org, users can gain insights into the geographic location of the IP address, including the country, region, city, and even the latitude and longitude coordinates. This information can be useful for tracking the origin of suspicious or malicious activity on a website or network.

    In addition to geographical location, the IP Info tool also provides details about the DNS name associated with the IP address. This can be helpful for identifying the domain or organization to which the IP address is registered, providing valuable context for potential security threats or network management.

    Furthermore, the IP Info tool on cleantalk.org offers information about the provider associated with the IP address, allowing users to understand the network infrastructure and ownership behind the address. This can be crucial for identifying and contacting the responsible party in the event of abuse or unauthorized access.

    Lastly, the IP Info tool also includes data about the presence of spam or hacking activity associated with the IP address. This can be a valuable indicator for website administrators and network security professionals when monitoring for malicious or unwanted traffic originating from a particular IP address.

    In conclusion, the IP Info tools provided by cleantalk.org are valuable resources for gaining insights into the details of an IP address, including its geographical location, DNS name, provider, and spam activity. Whether for website administrators, network security professionals, or individual users, these tools offer important information for understanding and managing online activity and security risks.

    Search the IP address in the CleanTalk IP database.

  • Fraud Prevention: How CleanTalk Can Help Identify and Prevent Fraud Attacks

    Fraud attacks have become increasingly prevalent, posing a serious threat to businesses and individuals alike. These attacks involve the use of deceptive tactics to gain unauthorized access to sensitive information or financial resources. Fraudsters often utilize various means such as phishing, identity theft, and credit card fraud to carry out their malicious activities. The consequences of falling victim to a fraud attack can be devastating, leading to financial losses, damage to reputation, and legal repercussions.

    One of the key challenges in combating fraud is the ability to accurately identify and prevent such attacks in real time. CleanTalk provides cloud security and anti-spam services for websites. By leveraging comprehensive data about IP and email addresses from our blacklists, CleanTalk enables businesses to effectively detect and block fraudulent activities.

    Examples of Weekly TOP20 Blacklisted Spam IP & Email addresses.

    The data from these blacklists contains valuable information about known malicious IPs and email addresses that have been associated with fraudulent behavior, spam or hacking attempts. This is an important indicator of malicious behavior, as spammers often engage in a wide range of fraudulent activities beyond just sending spam emails. By monitoring and analyzing these patterns, businesses can gain valuable intelligence that helps them avoid potential fraud attacks. By cross-referencing this data with the activities on their platforms, businesses can proactively identify and block potential fraudsters before they can cause harm.

    CleanTalk offers multiple methods for businesses to integrate fraud prevention services into their platforms. The use of our API allows for real-time checks on IP and email addresses, ensuring that any suspicious activity is promptly flagged and addressed. Additionally, CleanTalk provides the option to regularly update and synchronize their blacklist data with a business’s internal systems through the export of data files, ensuring that the most current information is always available for fraud prevention efforts.

    By harnessing the power of CleanTalk’s comprehensive data and cutting-edge technology, businesses can significantly enhance their ability to identify and prevent fraud attacks. This proactive approach not only safeguards businesses and individuals from potential financial losses but also contributes to building trust and confidence in online transactions. As fraud continues to evolve and become more sophisticated, the importance of robust fraud prevention measures cannot be overstated. CleanTalk stands out as a valuable ally in this ongoing battle against fraud, empowering businesses to stay one step ahead of fraudsters and protect their operations and customers from harm.

    How to Get Access to the CleanTalk Blacklists Database

  • We Have Reset 178 Passwords That Might Have Been Compromised

    While monitoring exposed password databases, we found a leaked database that contained 178 compromised credentials of CleanTalk users among other data. These emails/passwords were compromised some time ago and were later used by their owners to create a CleanTalk account. As soon as we found this potential exposure, we immediately reset the passwords for all CleanTalk users related to these email addresses.

    Please remember to be careful when clicking on third-party links or using unverified services or WordPress plugins. And be sure to check the list of your compromised passwords in your browser. If you use Google Chrome you can find it here: chrome://password-manager/checkup/compromised.

  • CVE-2023-4795 – Testimonial Slider Shortcode < 1.1.9 - Contributor+ Stored XSS

    While evaluating the plugin, we uncovered a vulnerability that permits the execution of Stored Cross-Site Scripting (XSS) on behalf of a contributor. This vulnerability is exploited by inserting a shortcode into a newly created post, potentially resulting in an account takeover.

    Main info:

    CVE: CVE-2023-4795
    Plugin: Testimonial Slider Shortcode
    Severity: High
    Publicly Published: September 25, 2023
    Last Updated: September 25, 2023
    Researcher: Dmitrii Ignatyev
    OWASP TOP-10: A7: Cross-Site Scripting (XSS)
    PoC: Yes
    Exploit: To be published later
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4795
    https://wpscan.com/vulnerability/b8390b4a-b43f-4bf6-a61b-dfcbc7b2e7a0
    Plugin Security Certification by CleanTalk

    Timeline

    August 24, 2023: Plugin testing and vulnerability detection in the Testimonial Slider Shortcode plugin have been completed
    August 24, 2023: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
    September 20, 2023: The author has released a fix update
    September 25, 2023: Registered CVE-2023-4795

    Discovery of the Vulnerability

    During a thorough evaluation of the Testimonial Slider Shortcode plugin, a significant security vulnerability was uncovered. This vulnerability allows for the execution of Stored Cross-Site Scripting (XSS) attacks through the use of a shortcode within a new post. Intriguingly, this security loophole can be exploited by contributors and users with elevated privileges, potentially leading to unauthorized account access.

    Understanding Stored XSS attacks

    Stored Cross-Site Scripting (XSS) represents a type of security vulnerability where malicious scripts are inserted into a web application and then stored for future execution when other users interact with the affected content. In the context of this vulnerability, attackers can utilize shortcodes to store and subsequently execute malicious JavaScript code.

    Exploiting the Stored XSS

    Exploiting the Stored XSS vulnerability within the Testimonial Slider Shortcode plugin involves the insertion of malicious code within a shortcode by an attacker with contributor-level privileges or higher. The injected code may include payloads designed to steal user data, impersonate users, or execute actions on behalf of the compromised contributor account. Attackers can create seemingly innocuous posts that, upon viewing, trigger the execution of the malicious script.

    POC shortcode:

    [tss_item text="Abelson has been an amazing firm to work with. Lorem changed the company." name="JOHN SAMPSON LP" link='" onmouseover="alert(/XSS/)"'/]

    This is the shortcode that can be added to a new post.

    Despite the requirement for contributor-level privileges, CVE-2023-4795 poses substantial risks. An attacker who successfully exploits this vulnerability can:

    • Execute arbitrary code within the context of other users’ browsers.
    • Pilfer sensitive data such as cookies or session information.
    • Gain unauthorized access to the compromised contributor’s account.
    • Assume the identity of contributors to carry out nefarious actions on the website.

    In a real-world scenario, envision an attacker leveraging this vulnerability to compromise a contributor’s account on a website employing the Testimonial Slider Shortcode plugin. By embedding a malicious shortcode in a seemingly harmless post, they can execute an XSS attack on anyone who views the manipulated content. This could result in unauthorized account access, data breaches, and harm to the website’s reputation.

    Recommendations for Improved Security

    To mitigate the risks posed by CVE-2023-4795 and enhance the overall security of WordPress websites employing the Testimonial Slider Shortcode plugin, consider the following recommendations:

    • Plugin updates: Ensure the Testimonial Slider Shortcode plugin is kept up to date, specifically to version 1.1.9 or later, which should contain a patch addressing this vulnerability.
    • Input validation and sanitization: Developers should implement stringent input validation and data sanitization to prevent the injection of malicious code through shortcodes or other user inputs.
    • Least privilege principle: Restrict the capabilities and permissions of contributors and other user roles to minimize the potential impact of a compromised account.
    • Regular security assessments: Routinely conduct security audits and penetration testing to proactively identify and address vulnerabilities.
    • User education: Educate contributors and administrators about potential security threats and best practices for securely using and managing plugins and shortcodes.

    By adhering to these recommendations, website administrators can significantly reduce the risk of Stored XSS attacks and enhance the overall security posture of their WordPress installations, even for vulnerabilities that may require contributor-level privileges.

    #WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #HighVulnerability

    Use CleanTalk solutions to improve the security of your website

    Dmitrii i.

    If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.

  • CVE-2023-4725 – Simple Posts Ticker < 1.1.6 - Admin+ Stored XSS

    During testing, a vulnerability was found that allows Stored XSS, by changing the plugin’s settings, on all pages where the plugin’s output appears. It is exploitable from an administrator account and lets an attacker who has captured an administrative account leave a JavaScript “backdoor”, enabling account takeover. This applies with the unfiltered_html capability disallowed.

    Main info:

    CVE: CVE-2023-4725
    Plugin: Simple Posts Ticker
    Severity: Medium
    Publicly Published: September 25, 2023
    Last Updated: September 25, 2023
    Researcher: Dmitrii Ignatyev
    OWASP TOP-10: A7: Cross-Site Scripting (XSS)
    PoC: Yes
    Exploit: To be published later
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4725
    https://wpscan.com/vulnerability/e9b9a594-c960-4692-823e-23fc60cca7e7
    Plugin Security Certification by CleanTalk

    Timeline

    August 21, 2023: Plugin testing and vulnerability detection in the Simple Posts Ticker plugin have been completed
    August 21, 2023: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
    September 18, 2023: The author has released a fix update
    September 25, 2023: Registered CVE-2023-4725

    Discovery of the Vulnerability

    During the process of comprehensive security testing, a critical vulnerability was unearthed in the Simple Posts Ticker plugin, specifically a Stored Cross-Site Scripting (XSS) flaw. This vulnerability enables an attacker to execute malicious code, impersonating an administrator, by manipulating the plugin’s settings. Despite requiring administrator-level privileges, this vulnerability still poses a significant threat to website security.

    Understanding Stored XSS attacks

    Stored Cross-Site Scripting (XSS) is a type of security vulnerability where malicious scripts are injected into a web application and subsequently stored for later execution when unsuspecting users access the affected content. In the context of this vulnerability, an attacker can leverage the plugin’s settings to store and execute malicious JavaScript code.

    Exploiting the Stored XSS

    Exploiting the Stored XSS vulnerability in the Simple Posts Ticker plugin requires administrator-level access to manipulate the plugin’s settings. An attacker can insert malicious code, such as JavaScript payloads, into the settings fields. When the settings are saved, the malicious code is stored and executed whenever the administrator interacts with the plugin, potentially leading to the compromise of their account.

    POC:

    3px;"><img src=x onerror=alert(1)>

    Despite the need for administrator privileges to exploit CVE-2023-4725, the potential risks associated with this vulnerability are severe. An attacker who successfully compromises an administrative account through this Stored XSS flaw can:

    • Gain unauthorized access to sensitive website functions.
    • Modify content, settings, and configurations.
    • Create “backdoors” in the form of JavaScript code to maintain control.
    • Launch further attacks, such as privilege escalation or data theft.

    In a real-world scenario, imagine an attacker exploiting this vulnerability to compromise an administrator’s account on a website that uses the Simple Posts Ticker plugin. They could inject malicious JavaScript code into the plugin’s settings, enabling them to control the administrator’s account and potentially carry out actions that damage the website’s reputation and integrity.

    Recommendations for Improved Security

    To mitigate the risk posed by CVE-2023-4725 and enhance the overall security of WordPress websites using the Simple Posts Ticker plugin, the following recommendations should be followed:

    • Update the plugin: Ensure the Simple Posts Ticker plugin is updated to the latest version (1.1.6 or higher), which should contain a patch addressing this vulnerability.
    • Input validation and sanitization: Developers should implement rigorous input validation and data sanitization to prevent the injection of malicious code in settings fields.
    • Regular security audits: Conduct routine security audits and penetration testing to identify and rectify vulnerabilities proactively.
    • Least privilege principle: Limit the capabilities and permissions of administrator accounts to reduce the potential damage caused by a compromised administrative account.
    • User awareness and education: Educate administrators about potential security threats and best practices for securely configuring and managing plugins.

    By adhering to these recommendations, website administrators can significantly reduce the risk of Stored XSS attacks and enhance the overall security posture of their WordPress installations, even for vulnerabilities requiring administrator privileges.
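    The “input validation and sanitization” recommendation in this post and in the CVE-2023-4795 post above comes down to two habits: sanitize a value when it is saved, and escape it for the exact context where it is printed (URL attribute, element text, inline style). The PHP below is an added illustration written for this page; it is not code from Testimonial Slider Shortcode, Simple Posts Ticker, or any other plugin mentioned here. Every `demo_`-prefixed function, the option name `demo_ticker_options` and the shortcode tags `tss_item_demo` / `demo_ticker` are hypothetical; the block assumes it runs inside WordPress, where `shortcode_atts()`, `esc_url()`, `esc_html()`, `esc_attr()`, `wp_kses_post()` and `register_setting()` are core helpers.

```php
<?php
// Added illustration for this page; not code from any plugin named above.
// Assumes WordPress core is loaded. All demo_* names are hypothetical.

/* --- Shortcode attributes (the Contributor+ case, CVE-2023-4795 shape) --- */

// Unsafe pattern: attribute values are concatenated into HTML verbatim, so a
// link value containing a double quote can close the href attribute and the
// remainder of the value becomes a new attribute (an event handler, say).
// Shown for contrast only; it is deliberately not registered as a shortcode.
function demo_tss_item_unsafe( $atts ) {
    $a = shortcode_atts( array( 'text' => '', 'name' => '', 'link' => '' ), $atts, 'tss_item_demo' );
    return '<a href="' . $a['link'] . '">' . $a['name'] . '</a><p>' . $a['text'] . '</p>';
}

// Hardened pattern: escape each value for the context it lands in.
// esc_url() strips characters that are not valid in a URL (the double quote
// included) and drops disallowed schemes such as javascript:; esc_html()
// encodes element text; wp_kses_post() keeps only the HTML WordPress already
// allows in post content, which is the same allow-list a contributor without
// unfiltered_html is held to.
function demo_tss_item_safe( $atts ) {
    $a = shortcode_atts( array( 'text' => '', 'name' => '', 'link' => '' ), $atts, 'tss_item_demo' );
    return '<a href="' . esc_url( $a['link'] ) . '">' . esc_html( $a['name'] ) . '</a>'
         . '<p>' . wp_kses_post( $a['text'] ) . '</p>';
}
add_shortcode( 'tss_item_demo', 'demo_tss_item_safe' );

/* --- Settings echoed into inline CSS (the Admin+ case, CVE-2023-4725 shape) --- */

// Sanitize on save: a padding option only ever needs to be a CSS length, so
// anything that is not one (for example a value that ends the style attribute
// and opens a new tag) is replaced by the default instead of being stored.
function demo_ticker_sanitize_settings( $input ) {
    $padding = isset( $input['padding'] ) ? trim( (string) $input['padding'] ) : '';
    if ( ! preg_match( '/^\d+(\.\d+)?(px|em|rem|%)$/', $padding ) ) {
        $padding = '3px'; // hypothetical default
    }
    return array( 'padding' => $padding );
}
register_setting( 'demo_ticker', 'demo_ticker_options', array(
    'type'              => 'array',
    'sanitize_callback' => 'demo_ticker_sanitize_settings',
) );

// Escape on output as well: even a value that slipped past the sanitizer
// (older stored data, a direct database edit) cannot break out of the style
// attribute once esc_attr() has encoded its quotes and angle brackets.
function demo_ticker_render() {
    $opts = get_option( 'demo_ticker_options', array( 'padding' => '3px' ) );
    return '<div class="demo-ticker" style="padding:' . esc_attr( $opts['padding'] ) . '"></div>';
}
add_shortcode( 'demo_ticker', 'demo_ticker_render' );
```

    The two layers are deliberately redundant: the sanitize callback keeps bad data out of the database, and the output escaping means a reviewer can verify safety by reading the render function alone, without knowing how every stored value got there. The same output-escaping rule covers the “SEO Title” field case from the WP SEOPress post at the top of this page, since a title printed into an attribute or into element text needs `esc_attr()` or `esc_html()` respectively.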

    #WordPressSecurity #StoredXSS #WebsiteSafety #StayProtected #MediumVulnerability

    Use CleanTalk solutions to improve the security of your website

    Dmitrii i.

    If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.
