Multiple WordPress plugin vulnerabilities that were patched in 2020 have been found being exploited in the wild. Despite the patches having been available since 2020, cross-site request forgery (CSRF) attacks have been carried out through these plugins.
Details about the WordPress plugin vulnerabilities
According to reports by inTheWild, over 70 WordPress plugins and themes were vulnerable and are being exploited in the wild. It is not yet clear, however, who has been targeted or what data cybercriminals have pilfered.
The Cyber Express reached out to the inTheWild team for details of the exploits. We will update this story after receiving its response.
The high-severity WordPress plugin vulnerability CVE-2021-4342 had a severity score of 8.8.
It was initially published on September 26, 2023, and last updated on June 7, 2023, according to a Wordfence Intelligence report.
The WordPress plugin vulnerabilities were rendered exploitable by improperly implemented nonce protection.
This allowed hackers to bypass the protection layer and circumvent the preventive measures meant to keep requests originating from other websites out of the application. By exploiting the WordPress plugin and theme vulnerability, hackers could act as account holders and steal system data.
How CSRF attacks used WordPress plugin vulnerabilities for data hacks
A cross-site request forgery attack manipulates a legitimate, already authenticated user into submitting a malicious request to a web app, which the app then accepts as if that user had made it deliberately.
Also called Sea Surf or Session Riding, CSRF is a web security vulnerability that lets an attacker attain the privileges of the target and use the system for malicious intent.
Since exploiting the WordPress plugin and theme vulnerability relies on a user tapping or opening a malicious link, CSRF attacks can be prevented to a large extent by not clicking on unexpected links.
Mitigation mechanisms against CSRF attacks via WordPress theme vulnerabilities
The WordPress API offers a one-time security token called a nonce, and a request handler checks the validity of the nonce carried in each request.
To tell whether a request is legitimate, a CSRF token can be implemented that prevents such attacks. It requires the CSRF token to be stored in the HTML form rather than only in a session cookie, because the browser attaches cookies automatically to cross-site requests, whereas a value embedded in the form is not sent unless the form itself was served by the application.
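The nonce and form-token mechanism described above, shown as an added example that is not code from the article or from any of the plugins it names: a minimal WordPress settings form and its POST handler, first in the unprotected shape that makes a plugin CSRF-able, then hardened with a WordPress nonce and a capability check. The `myplugin_*` function, hook and option names are assumptions; the WordPress functions (`wp_nonce_field`, `check_admin_referer`, `current_user_can`, `update_option`, and the `admin_post_*` hook) are real core APIs.

```php
<?php
// Added example (not from the article or any named plugin). Names prefixed
// "myplugin_" are assumptions for illustration.

// --- Unprotected pattern: the handler trusts any POST that carries the
// field, so a request submitted by a logged-in admin's browser from another
// site is processed exactly like one from the plugin's own settings page.
function myplugin_save_settings_unprotected() {
    if ( ! isset( $_POST['myplugin_api_url'] ) ) {
        return;
    }
    update_option( 'myplugin_api_url', esc_url_raw( wp_unslash( $_POST['myplugin_api_url'] ) ) );
}

// --- Hardened pattern.
// 1) Render the form with a nonce bound to a specific action. wp_nonce_field()
//    emits the token as a hidden <input> inside the HTML form, not as a cookie:
//    a cross-site page cannot read or reproduce that value.
function myplugin_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <?php wp_nonce_field( 'myplugin_save_settings', 'myplugin_nonce' ); ?>
        <input type="hidden" name="action" value="myplugin_save_settings">
        <label>API URL
            <input type="url" name="myplugin_api_url"
                   value="<?php echo esc_attr( get_option( 'myplugin_api_url', '' ) ); ?>">
        </label>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 2) Verify the nonce for that exact action, then the caller's capability,
//    before touching any state. check_admin_referer() stops the request
//    (WordPress's "link has expired" page) when the nonce is missing, stale,
//    or was issued for a different action or user, so a forged request never
//    reaches update_option().
function myplugin_save_settings_hardened() {
    check_admin_referer( 'myplugin_save_settings', 'myplugin_nonce' );

    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }

    if ( isset( $_POST['myplugin_api_url'] ) ) {
        update_option( 'myplugin_api_url', esc_url_raw( wp_unslash( $_POST['myplugin_api_url'] ) ) );
    }

    wp_safe_redirect( admin_url( 'options-general.php?page=myplugin&updated=1' ) );
    exit;
}
add_action( 'admin_post_myplugin_save_settings', 'myplugin_save_settings_hardened' );

// The same two checks apply to other entry points: check_ajax_referer() for
// admin-ajax.php handlers, and a permission_callback on register_rest_route()
// for REST routes (cookie-authenticated REST calls must also send the
// 'wp_rest' nonce in the X-WP-Nonce header).
```

Two caveats worth keeping in mind when reviewing a plugin against this pattern. First, a WordPress nonce is not strictly single-use: core accepts it for a time window (generated for a 12-hour tick and still accepted during the following tick), so it is a freshness-and-origin check, not a replay-proof token. Second, the nonce proves only that the request came from a page WordPress served to that user; it says nothing about what the user is allowed to do, which is why the `current_user_can()` check sits beside it rather than being replaced by it.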
Logging out of the application also prevents the app from being exposed to manipulation while it is not in use. Users should change their usernames and passwords immediately and keep doing so every three months.
Remove settings that remember passwords, and use the app on its own, without opening other browser tabs or applications, to avoid clicking on a malicious link.
List of updates issued since 2020 to address the WordPress plugin vulnerabilities
On September 16, 2020, a report noted 25 vulnerable WordPress plugins. These plugins offered several features for blogging websites and were popular among bloggers for their extended benefits.
Some of them are as follows –
- Cartflows, which had over 100,000 installations in 2020.
- Paid Memberships Pro, with over 100,000 installations.
- Cool Timeline, with over 10,000 installations.
- Custom Field Template, downloaded over 70,000 times.
- eCommerce Product Catalog Plugin, downloaded over 10,000 times.
On September 26, 2020, more WordPress plugins and themes were added to the catalog. The vulnerable plugins addressed in this report were Ocean Extra and EWWW Image Optimizer.
The vulnerable themes mentioned in this report included Customizr, a WordPress theme aimed at a good user interface on smartphones.
In March 2021, a report addressed multiple WordPress plugins that were offered updates. Some of them included –
- Post SMTP Mailer/Email Log, a mail plugin
- Forminator, for creating several types of forms
- Dokan, for e-commerce-related work
The updates continued through June 8, 2021 and June 21, 2021, when several WordPress plugins were offered patches, including Qtranslate Slug, Custom css-js-php, Absolute Reviews, and Advanced Popups.
Further WordPress plugin vulnerability updates were offered in July 2021 and August 2021, addressing Slider Hero, WP-Backgrounds Lite and WP Security Question, among others. There were no further updates for the WordPress plugin and theme vulnerability until it was recently found to be exploited in the wild.