WordPress Sensitive Data Exposure vulnerabilities (10)


  • Possible site takeover through stolen API credentials in combination with SQLi – (MalCare <= 5.09)

    Affected plugin: MalCare
    Active installs: 300,000+
    Vulnerable version: <= 5.0.9
    Audited version: 4.97 / 5.0.9
    Fully patched version: 5.16
    Recommended remediation: Removal of the plugin
    Description: MalCare uses broken cryptography to authenticate API requests from its remote servers to connected WordPress sites. Requests are authenticated by comparing a shared secret stored as plaintext in the…

  • Possible site takeover through stolen API credentials in combination with SQLi – (BlogVault <= 5.09)

    Affected plugin: BlogVault
    Active installs: 100,000+
    Vulnerable version: <= 5.09
    Audited version: 5.09
    Fully patched version: 5.16
    Recommended remediation: Removal of the plugin
    Description: This vulnerability is identical to this one in MalCare because MalCare and BlogVault share 99% of their codebase.
    Proof of concept: Refer to this POC and use “bvbackup” in step 4.…

  • Possible site takeover through stolen API credentials in combination with SQLi – (WPRemote <= 5.09)

    Affected plugin: WPRemote
    Active installs: 20,000+
    Vulnerable version: <= 5.09
    Audited version: 5.09
    Fully patched version: 5.16
    Recommended remediation: Removal of the plugin
    Description: This vulnerability is identical to this one in MalCare because MalCare and WPRemote share 99% of their codebase.
    Proof of concept: Refer to this POC and use “wpremote” in step 4.…

  • Possible site takeover through stolen API credentials in combination with SQLi – (WPUmbrella <= 2.10.0)

    WPUmbrella’s remote application uses a local companion plugin to perform its functionality. The communication between the remote WPUmbrella application and the WordPress site is secured using a shared secret stored as plaintext in the WordPress options table. An attacker that can read the plaintext value can fully impersonate WPUmbrella’s remote application and perform all actions,…

  • Encryption key is stored in version control – (WPMU Defender – 3.3.2)

    Affected plugin: WPMU Defender
    Active installs: 70,000+
    Vulnerable version: 3.3.2
    Audited version: 3.3.2
    Fully patched version: 3.3.3
    Recommended remediation: Immediately update to version 3.3.3 or higher and reset all TOTP secrets.
    Description: The plugin uses symmetric encryption before storing users’ TOTP secrets in the database. However, the encryption key is stored in version control and…

  • TOTP Secrets stored as plaintext in a world-readable file – (WPMU Defender 3.3.1)

    Affected plugin: WPMU Defender
    Active installs: 70,000+
    Vulnerable version: 3.3.1
    Audited version: 3.3.1
    Fully patched version: 3.3.3
    Recommended remediation: Immediately update to version 3.3.3 or higher and reset all TOTP secrets.
    Description: The plugin stores TOTP secrets as plaintext in a file inside the WordPress uploads directory. On the overwhelming amount of WordPress web server…

  • Time-based-side-channel attacks on secrets – (WPMU Defender <= 3.3.0)

    Affected plugin: WPMU Defender
    Active installs: 70,000+
    Vulnerable version: <= 3.3.0
    Audited version: 3.2.0
    Fully patched version: –
    Recommended remediation: Removal of the plugin
    Description: The plugin uses string comparison operators that don’t mitigate time-based attacks in almost all places where secret keys are compared to user input. A skilled attacker, given enough requests, can abuse…

  • Time-Based-Side-Channel-Attack on 2FA secrets – (iThemes Security <= 8.1.2)

    Affected plugin: iThemes Security
    Active installs: 1+ million
    Vulnerable version: <= 8.1.2
    Audited version: 8.1.2
    Fully patched version: –
    Recommended remediation: Removal of the plugin
    Description: The plugin uses string comparison operators that don’t mitigate time-based attacks in almost all places where secret keys are compared to user input. A skilled attacker, given enough requests, can…

  • Site compromise through leaked wp-config – (miniOrange <= 5.5.82)

    The plugin stores filesystem and database backups as unencrypted .zip archives in the wp-uploads directory. The only protection is a .htaccess file which is ignored by NGINX. Since most web servers are configured to allow access to zip files in the wp-uploads directory, an attacker can download arbitrary backups and take over the entire site…

  • Time-Based-Side-Channel-Attack on 2FA secrets – (Google Authenticator <= 0.54)

    The plugin uses string comparison operators that don’t mitigate time-based attacks in almost all places where secret keys are compared to user input. A skilled attacker, given enough requests, can abuse this to reverse secrets using time-based-side-channel attacks.