Episode 107: Two Plugin Vulnerabilities Target File Upload Capabilities

The Wordfence Threat intelligence team finds vulnerabilities in two plugins, the User Profile Picture plugin and the WooCommerce Upload Files plugin. WordPress 5.7 is set to release on Tuesday, March 9 with numerous enhancements for the block editor, a new robots.txt API, and a stay of execution on jQuery-migrate. A zero day affecting Microsoft Exchange Server allows attackers to steal emails. And Brave buys a search engine to add to their growing privacy-oriented portfolio.

Here are timestamps and links in case you’d like to jump around, and a transcript is below.
0:15 Defiant is hiring, we have great benefits!
1:58 Medium Severity Vulnerability Patched in User Profile Picture Plugin
3:48 Critical Vulnerability Patched in WooCommerce Upload Files
5:51 WordPress 5.7 to be released March 9; Wordfence Live livestream
9:50 Microsoft fixes actively exploited Exchange zero-day bug
10:55 Brave buys a search engine

Find us on your favorite app or platform including iTunes, Google Podcasts, Spotify, YouTube, SoundCloud and Overcast.

Click here to download an MP3 version of this podcast. Subscribe to our RSS feed.

Episode 107 Transcript

Ram:
Welcome to Think Like a Hacker, the podcast about WordPress, security, and innovation. I am Ram Gall, Threat Analyst at Wordfence, and with me is Director of Marketing, Kathy Zant. Kathy, how are things?

Kathy:
Things are well, Ram. Things are very well. Hey, did you hear we’re hiring?

Ram:
I did hear we’re hiring. We’re hiring for a sec ops role. So, if you know AWS and like securing infrastructure, apply. We’re also hiring two senior PHP developers and a senior researcher to do website performance research using our Fast or Slow tool. And if you are not thinking of applying, but know someone who might, a $500 gift card could be yours if you refer a successful candidate. We actually added a cool new benefit where we now get the entire week between Christmas and New Year’s off.

Kathy:
You’re way too excited about that for March, because we’ve got so many months for that week off. But it’s coming, it’s coming and-

Ram:
It is, and there’s a reason I mentioned it. I’m leading into something, okay, Kathy?

Kathy:
Yeah.

Ram:
I’m leading into something.

Kathy:
Teasing something. Well, our benefits here at Defiant, the maker of Wordfence, are exceptional. We will put a link to our benefits in the show notes, and that will either encourage you to apply or make you incredibly jealous. We are very well taken care of by this organization. We work hard and we are cared for in that work. Not only do we get ample time off, we get tuition reimbursement, security certification, study time, as well as paying for those certifications, and some great health benefits for wellness, things that I personally enjoy, as well as all the standard great benefits. So, we’ll leave you those in the show notes, if you’d like to go over them. And if you know somebody who can help us out in these four roles that we have open, definitely send them our way. Again, $500 gift card for a successful candidate.

Let’s jump into our first story. What do we have, Ram? We’ve got a medium severity vulnerability in the User Profile Picture plugin. What do you know?

Ram:
Yeah. So, this was one of Chloe’s finds. It’s a plugin that lets users upload profile pictures, which you’d think that’d be safe. And it has 60,000 installs, so it’s not a small plugin. Anyways, turns out that any user that was allowed to upload a profile picture could access a rest API end point, and do stuff like usernames, email addresses, and password hashes of every single user on the WordPress site.

Kathy:
Oh, wow. Yeah, whenever I see upload with a plugin, it makes me a little bit nervous. Now we have a firewall rule in place for premium customers at this time?

Ram:
Yep. We do, in fact, have a firewall rule in place for premium customers, and that should become available to free users 30 days afterwards.

Kathy:
It looks like March 17th.

Ram:
Yep. There is a caveat here. Only authors by default or higher level user roles can exploit this. So, the plugin developers actually promoted their other plugin by saying, “Hey, you should check out our other plugin that you can use to give other users this upload files capability, if you want to.”

Kathy:
Oh, wow.

Ram:
So, it’s like, hey, why don’t you make your site less secure?

Kathy:
But they fixed this in the-

Ram:
They did fix it, so I shouldn’t be too mean to them. They did seem to have a pretty good response on this.

Kathy:
Yeah. It’s always good when we have plugin developers that are very responsive to our inquiries when we have an issue with a plugin. So, this is all patched up. Make sure you update to the latest, fully patched version, which is 2.5.0. And we also have another vulnerability. You found this one, didn’t you, Ram?

Ram:
This one is a story. So, on December 29th, during that holiday break, we actually do have, did have a holiday break last year, but I volunteered to keep an eye out for any vulnerabilities. We got alerted to a potential zero day in WooCommerce Upload Files, which is not actually WooCommerce, but it’s a separate add-on plugin that you can use to upload files. Say you want to buy a shirt with a custom logo on it, or a mug with a picture of your kid on it, that kind of thing. Anyways, we got alerted to a potential zero day. I took a look at it, found out that, hey, yes, there is a vulnerability that lets me upload PHP shells and achieve remote code execution. So, yeah, it was critical. So, we got in touch with the plugin’s author, got him to fix it, and got a firewall rule out all the same day. So, Wordfence threat intelligence never sleeps. Okay. We do sleep, but we still will usually get stuff taken care of, even if it’s over the holidays.

Kathy:
Yeah. Okay. So, this affected 5,000, well, there’s about 5,000 sites that use this particular plugin. And this doesn’t look like it’s available on the repo. Are people buying this one?

Ram:
Yeah. This one is an Envato Market CodeCanyon premium plugin.

Kathy:
Okay. And it has that word in the title, upload. That always makes me nervous.

Ram:
It does. I got to say that the plugin developer was really helpful. Even though it was, as we said, at a time when a lot of people are having holiday hours, he’s still got it fixed within a matter of hours.

Kathy:
Right. Yeah. I’m looking at the timeline on your post, and it looks like you contacted early in the morning, and then by the end of the day, everything was set.

Ram:
Yeah. We even got the roll out by the end of the day. We had to do some fairly extensive testing on it, because well, pretty much any time we release a firewall rule, we do have to do testing on it, but we got everything pretty much set by end of day.

Kathy:
Gotcha. And it looks like free users of the Wordfence plugin received a firewall rule January 28th?

Ram:
January 28th. Yeah.

Kathy:
Great. Okay, excellent. What do we have next?

Ram:
Well, I hear there are a bunch of upcoming features in the WordPress 5.7 release, which is due on March 9th.

Kathy:
Hey, wow. That’s Tuesday. That’s coming up pretty quick.

Ram:
That is.

Kathy:
Awesome.

Ram:
We will cover it in a livestream.

Kathy:
That makes sense. Stay tuned. Just head over to our YouTube channel and you’ll get a notification of our weekly livestream. We cover everything from WordPress, to security, to the latest in WordPress releases, and what you can expect, and just make things very easy for you to transition into a new WordPress version. But there’s a lot of cool things coming. In terms of security, the number one thing that’s coming, and we talked about this on a previous episode, but let’s revisit it. It looks like WordPress 5.7 is offering a one-click HTTP to HTTPS site upgrade feature. What do you know about this, Ram?

Ram:
Just that this is going to make life easier for so many WordPress users. So, there are a few third party plugins that do offer some degree of functionality for this. But one thing I’ve seen a lot is people will install several of these plugins because each one of them might cover a different aspect of that process. And then they have conflicts, and you’ll see things like redirect loops happen. So, having it built into core is really nice, and not having to manually update the database by running a search and replace query.

Kathy:
And then it logs you out, and then you have redirects. Yeah. I’ve been through that pain. Anybody who’s been through that pain has battle scars. So, this’ll be really nice going forward. If you don’t get your HTTPS, your SSL certificate installed before you launch, and then have to go through the process of upgrading to HTTPS later, this’ll make things, actually, a lot easier.

But there’s a number of other cool things coming with WordPress 5.7, and it looks like a lot of these are associated with the block editor. Looks like drag and drop blocks are happening. Full height blocks are coming. Block variations will get their own descriptions, that will make it a little bit easier for understanding what block you created in the past, and you go back and revisit it and try to figure out what’s going on there. So, there’s a number of things happening there. And then we also talked previously about admins being able to send passwords to users. Why don’t we revisit that a little bit?

Ram:
One of the main differences in behavior is that in the past, the only way you’d get a password reset is if you requested a password reset, or if someone who knew your email requested a password reset from the front of site, which means that, if you got a password reset and you didn’t ask for it, that means someone’s trying to get into your account. The main difference now is that admins can legitimately send you a password reset, even if you’re not sure how to do it yourself, which could be useful and could make life easier, especially for sites that have custom login pages or something like that.

Ram:
It does open up a very slight possibility of social engineering, but again, that’s going to be the case with any added functionality that allows access. I don’t expect to see too many problems with it. Oh, the other thing that I wanted to bring up is that WordPress had originally planned to completely get rid of the old jQuery and jQuery-migrate by 5.7, and just finish up that process, which we’ve also discussed in previous podcasts. It looks like there’s a bit of a stay of execution on that. So, you have a little more time.

Kathy:
Excellent. That’s good to know. And it looks like there’s a new robots.txt API.

Ram:
Oh, yes. That’s going to allow developers to programmatically control and update the robots meta tag on a website, which could be really useful if you don’t want search engine spam from people running malicious searches on your site.

Kathy:
Right. Yeah. So, that’ll be very, very helpful. So, lots of good stuff coming with WordPress 5.7, and we will have more on that once it’s released. But let’s jump into some security news. It looks like Microsoft is fixing an actively exploited zero day on Exchange Server. What’s going on?

Ram:
So, this was an out-of-band update, which is what made me catch, what caught my attention is they didn’t run it on any of their usual patch days. So, there’s basically four zero days in the on-premises version of Microsoft Exchange, which is basically Microsoft’s email system. A lot of companies have on-premises servers running exchange to handle their email. Anyways, these zero days were found being chained together to steal companies emails and plant malware to gain further access. So, Microsoft is seeing what they’re calling limited targeted attacks in the wild. So, this means that companies that have on-premises Exchange servers are being actively exploited. So, if your company does have an on-premise Exchange server, please update.

Kathy:
Okay. Yeah. That’s big news, and big, scary news. It doesn’t necessarily affect WordPress, but a lot of our listeners are in the realm of running all kinds of enterprise types of situations, and WordPress in the enterprise, so definitely something to be aware of.

And now we have a story about Brave. Brave is what? What is Brave exactly?

Ram:
Brave is effectively a browser, at least they started out as a browser, that offers an alternative to traditional advertising revenue using what they call attention tokens, which run on a blockchain, which I know is your favorite, Kathy.

Kathy:
Yeah. Block chains. I think block chains are really fascinating, and Brave is-

Ram:
Brave is my favorite mobile browser. I got to say that.

Kathy:
It is one of my favorite mobile browsers as well. In fact, I think I probably use Brave more than anything else. I’m most interested in Brave, the basic attention token, as a disruptive technology. And basically what they set out to do is disrupt advertising online. And I know anyone who’s listening to this podcast, who has visited any website with advertising on it, without an ad blocker, is annoyed by that advertising. It’s ridiculous sometimes. It’ll take over your scrolling. It’ll take over your screen. You’re reading something and there’s a pop-up and it’s asking you to buy something you’re not interested in. And so, I’m interested in disrupting that and creating a better experience for the web. I think a lot of us are. And so, that’s what they’re attempting to do with this basic attention token. You as a site visitor hold basic attention tokens in your browser, and then if the site that you’re visiting, or the Twitter user, or the Reddit user, or the YouTube channel, any content creator can get paid in that basic attention token directly.

Kathy:
So, it cuts out that middleman of advertising, and basically puts end users and content creators in touch using this browser. So, I think it’s very interesting. And now they just came out, this news came out on Wednesday, March 3rd, that Brave has now purchased Tailcat, which was a search engine developed by Cliqz, which was a privacy-focused browser business that aspired to compete with Google. And they shut down last year, but they have a search component. And so, Brave has purchased this, this thing called Tailcat, and that’s going to be Brave Search now. So, that’s going to basically add to their portfolio with Brave Ads, and Brave Today, Brave Firewall and VPN, and a video conferencing system that is called Brave Together. So, they’re doing a lot.

Ram:
It sounds like they are becoming a force to be reckoned with. Also, it just occurred to me how similar the Brave attention token is to the Dogecoin tipbot. Do you remember the Dogecoin tipbot?

Kathy:
Yes. Exactly.

Ram:
Back in the day, I tipped a currently non-negligible amount of Doge. I tipped what would be worth quite a lot of Doge today.

Kathy:
Oh, my gosh. Not as bad as the Bitcoin pizza though, right?

Ram:
Not as bad as the Bitcoin pizza, but.

Kathy:
Yeah. This whole cryptocurrency and blockchain world is fascinating to me. It seems to be-

Ram:
The future is weird.

Kathy:
The future is weird, and the future seems to be on blockchains. So, I find it very fascinating. Brave is definitely something to watch. If you’re not using the Brave browser, I would definitely check it out, and check out everything that Brave is doing. It looks like they, actually, the CEO of Brave is Brendan Eich. Do you know who he is known most for?

Ram:
I have no idea. I haven’t been following it.

Kathy:
He created JavaScript.

Ram:
Wait, what?

Kathy:
Wait, what?

Ram:
Oh, he’s that guy.

Kathy:
He’s that guy.

Ram:
Oh, now I have a beef with him.

Kathy:
I think the world of developers has a beef with him.

Ram:
Maybe he’s trying to make up for everything he did in his past as the developer of JavaScript.

Kathy:
Yeah. Could be. Anyway, Brave is definitely one to watch, hoping to make the worldwide web a better place. So, we will be back again next week with more fun news in WordPress security and innovation. And we will see you on Tuesday for Wordfence Live over on YouTube.

Ram:
Yep. I will see you then.

Kathy:
Bye.

Ram:
Bye.

You can find Wordfence on Twitter, Facebook, Instagram. You can also find us on YouTube, where we have our weekly Wordfence Live on Tuesdays at noon Eastern, 9:00 AM Pacific.