New Threat Research: MalSync Teardown: From DLL Hijacking to PHP Malware for Windows  

Read Threat Research

Search

Responsive Menu WordPress Plugin Patches File Upload, Remote Code Execution Flaws

In December 2020, researchers for WordFence disclosed three security vulnerabilities to the authors of the Responsive Menu WordPress plugin. After nearly a month and an escalation to the WordPress Plugins team, WordFence was finally able to get a point of contact.

The first of the three flaws enabled authenticated attackers to upload a zip file which could allow an eventual remote code execution. Although an attacker needs to be authenticated, the account can be any level of user such as a subscriber. Once authenticated, an attacker can craft a request to upload a zip file containing PHP scripts which are automatically extracted. These scripts could then be accessed by the attacker to trigger code execution. The other two vulnerabilities discovered by WordFence allowed an attacker to craft a request that would allow them to modify settings for the Responsive Menu plugin, which then allowed arbitrary file uploads.

After a month from the initial time of discovery, ExpressTech patched the vulnerabilities and made a new version of the plugin available for download on January 19th. Although a patch has been made available, BleepingComputer notes that around 50,000 sites could still be exposed after tracking the number of downloads since the patch was released.

Analyst Notes

Binary Defense highly recommends that any WordPress administrators using the Responsive Menu plugin update to version 4.0.4 or higher as soon as possible to prevent potential malicious activity. Attackers taking advantage of flaws like this can lead to malicious content being hosted on the site or even a full site takeover. Administrators should patch regularly and perform audits on installed plugins. If they are not needed anymore, plugins should be disabled or completely removed.

Source: https://www.bleepingcomputer.com/news/security/buggy-wordpress-plugin-exposes-100k-sites-to-takeover-attacks/