WordPress Akismet plugin vulnerability

Sources: https://blog.sucuri.net/2015/10/security-advisory-stored-xss-in-akismet-wordpress-plugin.html, http://blog.akismet.com/2015/10/13/akismet-3-1-5-wordpress/. CVSS vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:L/A:N.

A vulnerability in Akismet emerged last week and, because Akismet is one of the most widely used plugins for WordPress, we wanted to bring it to your attention. Akismet is a comment spam filter for WordPress and, in general, it does a great job. Created by Automattic, the company behind the WordPress.com platform, the Akismet plugin is designed to check comments posted on websites for spam by running them through the Akismet web service. Akismet is currently installed on more than 1 million WordPress websites, so there are plenty of potential victims for attackers to choose from.

The developers of the Akismet plugin for WordPress have released an update to address a critical vulnerability that exposes websites to hacker attacks. Researchers at Sucuri discovered at the beginning of October a stored cross-site scripting (XSS) vulnerability in Akismet that allows an unauthenticated attacker to insert malicious code into the comments section of the WordPress administration panel. While there are some systems in place to prevent hackers from inserting malicious code as comments, the researchers managed to bypass the restrictions by using emoticons. More precisely, they found a way to inject arbitrary code via comments on websites that automatically convert strings like “:-)” and “:-P” to graphic emoticons on display, a feature that is enabled by default on WordPress sites. Administrators can review the comments flagged as spam from their blog’s “Comments” section in the admin panel.

WordPress Plugin Akismet is prone to a cross-site scripting vulnerability because it fails to properly sanitize user-supplied input. An attacker may leverage this issue to execute arbitrary script code in the browser of an unsuspecting user in the context of the affected site. This can allow the attacker to steal cookie-based authentication credentials and launch other attacks. Such security holes can pose a serious threat since the attacker doesn’t necessarily need to lure victims; instead, they can inject the malicious code into the targeted website and wait for a user to access it while performing regular activities. WordPress Plugin Akismet versions from 2.5.0 up to and including 3.1.4 are vulnerable. According to experts, the vulnerability affects Akismet 3.1.4 and earlier versions. This vulnerability affects everyone using Akismet version 3.1.4 and lower who have the WordPress “Convert emoticons to graphics on …

The developers of Akismet patched the flaw earlier this week with the release of version 3.1.5. Upgrade Akismet to at least version 3.1.5 to fix the security flaw. Fortunately, the WordPress.org plugins team has enabled an automatic update for sites running affected versions of Akismet. Furthermore, even if users haven’t installed the update, attack attempts are actively blocked by Akismet during the comment-check API call. While measures have been taken to prevent abuse and there is no evidence that the vulnerability has been exploited in the wild, users are advised to update their installations as soon as possible. Earlier this month, Sucuri reported finding a stored XSS vulnerability in Jetpack, a WordPress plugin that also has more than one million active installs.

Dan Goodin - Feb 18, 2020 8:08 pm UTC.

Hackers are actively exploiting a critical WordPress plugin vulnerability that allows them to completely wipe all website databases and, in some cases, seize complete control of affected sites. The flaw is in the ThemeGrill Demo Importer, installed on some 100,000 sites, and it was disclosed over the weekend by website security company WebARX. The ThemeGrill Demo Importer is used to automatically import other plugins available from web development company https://themegrill.com/. Statistics from WordPress initially said the importer plugin received 200,000 installations. More recently, the number has been revised down to 100,000, most likely because many websites have opted to uninstall it.

"This is a serious vulnerability and can cause a significant amount of damage," WebARX researchers wrote in this weekend's disclosure. Specifically, the vulnerability allows attackers to delete all tables and populate the database with default settings and data. Accounts named "admin," assuming any exist, are set to their previously known password. In those cases, after hackers exploit the vulnerability and wipe clean all data, they are automatically logged in as a user that has administrative rights. Website takeovers only occur when a vulnerable site has an account with the name "admin."

The bug stems from a failure to authenticate users before allowing them to carry out privileged administrative commands. Hackers can abuse this failure by sending Web requests that contain specially crafted text strings. According to WebARX, the vulnerability has been active for about three years and resides in versions from 1.3.4 through 1.6.1. WebARX researchers discovered the vulnerability and reported it to ThemeGrill developers on February 2. The plugin developer didn't issue a fix until Sunday. The fix is available in version 1.6.2, although a newer version (known as 1.6.3) became available in the past 12 hours. By Tuesday, WebARX reported that the flaw was under active exploit, with almost 17,000 attacks blocked so far. "Since it requires no suspicious-looking payload, just like our previous finding in InfiniteWP, it is not expected for any firewall to block this by default, and a special rule needs to be created to block this vulnerability."

"There's currently a severe vuln in a wordpress plugin called "themegrill demo importer" that resets the whole database," Böck wrote. "https://webarxsecurity.com/critical-issue-in-themegrill-demo-importer/ It seems attacks are starting: Some of the affected webpages show a wordpress 'hello world'-post. If you use this plugin and your webpage hasn't been deleted yet consider yourself lucky. (Yes, remove it, don't just update.)" The "Hello World" message is the default placeholder displayed on WordPress sites when the open source content-management system is first installed or when it's wiped clean.

"The thing is, in most cases you get 'only' a database reset, i.e. … But you don't know that in advance. Therefore I assume attackers will just try and leave a lot of devastated WordPress installations behind while hijacking the few where this attack works."

The vulnerability is distinct from another bug reported over the weekend in the WordPress plugin wpCentral. That flaw allows untrusted users to escalate privileges. Websites that use ThemeGrill should update immediately. Better yet, as Böck recommended, they should uninstall the plugin altogether.

