5 Unrestricted Access Issues – WordPress Security DEC, 2020
Be informed about the latest Unrestricted Access Issues, identified and reported publicly in December 2020. As these WordPress Security vulnerabilities have a severe negative impact for any website, consider a security AUDIT. The following PLUGINS made headlines just last month.
- Newsletter <= 1.5.1 - Unauthenticated Insecure Deserialisation
- Newsletter is a real newsletter and email marketing system for your WordPress blog: perfect for list building, you can easily create, send and track e-mails, headache-free. It just works out of box! Active installations: 300,000+
- Total Upkeep – WordPress Backup Plugin plus Restore & Migrate by BoldGrid < 1.14.10 - Unauthenticated Backup Download
- Total Upkeep is more than just a “backup plugin”. It can help stop website crashes before they even happen. Website data loss can happen even if you’re doing everything “right”, like keeping your WordPress and plugins updated or having a backup plugin installed. There’s so many things outside of your control that could totally wipe out your website without any warning. Active installations: 60,000+
- Contact Form 7 < 5.3.2 - Unrestricted File Upload
- Contact Form 7 can manage multiple contact forms, plus you can customize the form and the mail contents flexibly with simple markup. The form supports Ajax-powered submitting, CAPTCHA, Akismet spam filtering and so on.Active installations: 5+ million
- Limit Login Attempts Reloaded < 2.17.4 - Login Rate Limiting Bypass
- Limit the number of login attempts that are possible through the normal login as well as XMLRPC, Woocommerce and custom login pages. WordPress by default allows unlimited login attempts. This can lead to passwords being easily cracked via brute-force. Limit Login Attempts Reloaded blocks an Internet address (IP) from making further attempts after a specified limit on retries has been reached, making a brute-force attack difficult or impossible. Active installations: 1+ million
- DiveBook <= 1.1.4 - Improper Authorisation Check
- This plugin has been closed as of December 9, 2020 and is not available for download. This closure is temporary, pending a full review.Active installations: 60,000+
BRIEF: Open and unrestricted access to anything within a website is one thing everybody considers to be a total disaster. Many employees have come to rely on the Internet both for work and day-to-day life. As such, they demand unrestricted access at work, and many company bosses have obliged. Without the knowledge to them, however, there may be a risk associated with this.
What is Unauthenticated Insecure Deserialisation?
Insecure Deserialization is a vulnerability which occurs when untrusted data is used to abuse the logic of an application, inflict a denial of service (DoS) attack, or even execute arbitrary code upon it being deserialized. If the function that is responsible for converting serial data into a structured object assumes that the data is trusted, an attacker may format the serial data in such a way that the result of deserialization is malicious. Unfortunately, many standard deserialization functions in programming languages assume that the data is safe.
What is Unauthenticated Backup Download?
The plugin does not restrict access to a BACKUP file containing sensitive information, such as the internal path of backups, which may then allow unauthenticated users to download them.
What is Unrestricted File Upload?
By exploiting this vulnerability, attackers could simply upload files of any type, bypassing all restrictions placed regarding the allowed upload-able file types on a website. By doing this, it allows an attacker to inject malicious content such as web shells into the sites, and providing a method for initial access into the system.
What is Login Rate Limiting Bypass?
When the plugin is configured with a custom header in its Trusted IP Origins setting (e.g X-Forwarded-For), attackers could bypass the protection offered by tampering the header sent in requests. When the plugin is configured to accept an arbitrary header as client source IP address, a malicious user is not limited to perform a brute force attack, because the client IP header accepts any arbitrary string. When randomizing the header input, the login count does never reach the maximum allowed retries.
What is Improper Authorisation Check?
An attacker could leverage these issues to dump the database including administrative user credentials, to steal cookie-based authentication credentials, or launch other attacks. An anonymous user may create a new dive entry with a crafted HTTP POST.