Unpatched WordPress Plugin Security Bug Hits 50K – Threatpost

A CSRF-to-stored-XSS security bug plagues 50,000 ‘Contact Form 7 Style’ users.
A security bug in Contact Form 7 Style, a WordPress plugin installed on over 50,000 sites, could allow for malicious JavaScript injection on a victim website.
The latest WordPress plugin security vulnerability is a cross-site request forgery (CSRF) to stored cross-site scripting (XSS) problem in Contact Form 7 Style, which is an add-on to the well-known Contact Form 7 umbrella plugin. It ranks 8.8 out of 10 on the CVSS vulnerability-severity scale (CVE is pending).
CSRF allows an attacker to induce a victim user to perform actions that they do not intend to. XSS allows an attacker to execute arbitrary JavaScript within the browser of a victim user. This bug connects the two approaches.

Researchers at Wordfence said that there’s no patch yet available, and versions 3.1.9 and below are affected. WordPress removed the plugin from the WordPress plugin repository on Feb. 1.
Contact Form 7 is used to create, as its name suggests, contact forms for websites. The vulnerable Contact Form 7 Style is an add-on that adds extra bells and whistles to forms built with Contact Form 7.
It does this by allowing users to customize a site’s Cascading Style Sheets (CSS) code, which is used to dictate the appearance of WordPress-based websites. This is where the vulnerability lies, according to Wordfence researchers.
“Due to the lack of sanitization and lack of nonce protection on this feature, an attacker could craft a request to inject malicious JavaScript on a site using the plugin,” they explained, in a posting this week, adding that further details will be withheld to give site owners a chance to address the issue. “If an attacker successfully tricked a site’s administrator into clicking a link or attachment, then the request could be sent and the CSS settings would be successfully updated to include malicious JavaScript.”
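The two defects Wordfence describes, no nonce protection and no sanitization on a CSS-settings save path, as an added PHP illustration that is not the plugin's own code (which Wordfence has withheld): a hypothetical settings handler in its vulnerable shape beside a hardened one. Every name prefixed cf7style_demo_ is assumed for the example.

```php
<?php
// Added illustration, not the plugin's code (Wordfence has not published it):
// a hypothetical "custom CSS" settings handler with the two defects the
// advisory names (no nonce protection, no sanitization), then a hardened one.
// --- Vulnerable shape --------------------------------------------------------
function cf7style_demo_save_css_vulnerable() {
    // No nonce and no capability check: a forged request fired from an
    // authenticated admin's browser is accepted as-is (CSRF).
    // No sanitization: the stored value is later echoed inside <style>, so a
    // value that closes that tag and opens a <script> tag is stored XSS.
    update_option( 'cf7style_demo_css', $_POST['custom_css'] );
}

// --- Hardened shape ----------------------------------------------------------
function cf7style_demo_save_css() {
    // 1. Only users who may manage options may change site-wide CSS.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. Nonce check: WordPress dies with an error unless the request carries
    //    the token emitted by our own settings form below.
    check_admin_referer( 'cf7style_demo_save_css', 'cf7style_demo_nonce' );
    // 3. Sanitize: strip every HTML tag so nothing can break out of <style>.
    //    (Blunt but safe for a style sheet, which has no legitimate tags.)
    $css = wp_strip_all_tags( wp_unslash( $_POST['custom_css'] ?? '' ) );
    update_option( 'cf7style_demo_css', $css );
    wp_safe_redirect( admin_url( 'options-general.php?page=cf7style-demo&updated=1' ) );
    exit;
}
add_action( 'admin_post_cf7style_demo_save_css', 'cf7style_demo_save_css' );

// The settings form must emit the matching nonce, or the check above fails.
function cf7style_demo_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="cf7style_demo_save_css">
        <?php wp_nonce_field( 'cf7style_demo_save_css', 'cf7style_demo_nonce' ); ?>
        <textarea name="custom_css"><?php echo esc_textarea( get_option( 'cf7style_demo_css', '' ) ); ?></textarea>
        <button type="submit">Save CSS</button>
    </form>
    <?php
}

// 4. Output: strip tags again at print time so old, unsanitized rows saved by
//    the vulnerable handler cannot execute either.
function cf7style_demo_print_css() {
    echo '<style id="cf7style-demo">' . wp_strip_all_tags( get_option( 'cf7style_demo_css', '' ) ) . '</style>';
}
add_action( 'wp_head', 'cf7style_demo_print_css' );
```

The nonce is what defeats the link-click scenario in the advisory: a request forged from another origin cannot carry a token tied to the admin's session and the form's action, so the save is refused before the CSS is touched.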
Since the number of installed instances for the plugin is so high, Wordfence is holding back specifics: “Due to the number of sites affected by this plugin’s closure, we are intentionally providing minimal details about this vulnerability to provide users ample time to find an alternative solution. We may provide additional details later as we continue to monitor the situation.”
To exploit the flaw, cyberattackers would need to convince a logged-in administrator to click on a malicious link, which can be done via any of the common social-engineering approaches (i.e., through a fraudulent email or instant message).
Wordfence notified the plugin’s developer about the bug in early December; after receiving no response, the researchers then escalated the issue to the WordPress Plugins team in early January. The WordPress Plugins team also contacted the developer with no response, leading to the disclosure this week.
As with all CSRF vulnerabilities, the bug can only be exploited if an admin user performs the action while authenticated to the vulnerable WordPress site, so admins should always be wary of clicking links.
“If you feel you must click a link, we recommend using incognito windows when you are unsure about a link or attachment,” according to Wordfence. “This precaution can protect your site from being successfully exploited by this vulnerability along with all other CSRF vulnerabilities.”
In this case, users should also deactivate and remove the Contact Form 7 Style plugin and find a replacement, researchers added, since no patch appears to be forthcoming.