
    From TechnologyDaily@1337:1/100 to All on Fri Aug 25 15:30:03 2023
    This premium WordPress plugin could let hackers hijack your website

    Date:
    Fri, 25 Aug 2023 15:13:52 +0000

    Description:
    It's the latest in a series of WordPress plugin vulnerabilities that could mean big trouble for your website.

    FULL STORY ======================================================================

    JupiterX Core, a WYSIWYG editor for WordPress with a name that reads like a
    first-draft Elon Musk baby name, contained flaws that let attackers hijack accounts and upload files, but a patch has been issued.

    Reporting the news, BleepingComputer also cites Themeforest sales for the JupiterX theme to estimate that it's used on over 172,000 websites. The real number is probably lower than that, but it's a good indicator of the scale of the problem.

    Rafie Muhammad, a researcher at WordPress security firm Patchstack, was the first to discover two distinct vulnerabilities and report them to JupiterX developer ArtBees, who have since patched the flaws. Naturally, if you use this plugin, update your version as soon as possible.

    Jupiter X Core WordPress flaw

    The first flaw identified, CVE-2023-3838, affects all JupiterX Core versions up to 3.5.5, and allows for file uploads without authentication, opening the floodgates to arbitrary code execution.

    A patch came with version 3.3.8, adding authentication checks to the
    plugin's upload_files function, as well as a second check to block uploads of, per BleepingComputer, risky file types. We imagine this means executables.

    The second flaw, CVE-2023-38389, allowed a breach of any WordPress
    account as long as the attacker knew the email address attached to it, impacting JupiterX Core up to version 3.3.8.

    Version 3.4.3 fixed the flaw, with Muhammad writing that the ajax_handler function in the plugin's Facebook login mechanism let any attacker, for a time, set key login variables involving Facebook user IDs to any value.

    ArtBees resolved the issue by pulling a user's e-mail address and unique user ID from Facebook's authentication endpoint, though it seems hard to believe that it wasn't coded that way to begin with.
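    The two fix shapes described above (an authentication and file-type gate on an upload handler, and a social login that fetches identity from the provider instead of the request), as an added illustration written as generic WordPress AJAX handlers; this is not JupiterX Core's code and every example_* name is hypothetical.

```php
<?php
// Added illustration of the two fix shapes described above, as generic WordPress
// AJAX handlers. NOT JupiterX Core's code; every example_* name is hypothetical.

// --- Flaw 1 shape: upload reachable without login, no file-type gate ---
// Weak: nopriv hook exposes it to anonymous callers; posted file written as-is.
add_action( 'wp_ajax_nopriv_example_upload', 'example_upload_weak' );
function example_upload_weak() {
    move_uploaded_file( $_FILES['file']['tmp_name'],
        wp_upload_dir()['path'] . '/' . basename( $_FILES['file']['name'] ) );
    wp_send_json_success();
}

// Hardened: logged-in only, capability check, CSRF nonce, and WordPress's own
// MIME/extension allowlist (wp_handle_upload rejects .php and similar).
add_action( 'wp_ajax_example_upload', 'example_upload_hardened' );
function example_upload_hardened() {
    check_ajax_referer( 'example_upload' );            // dies on a bad nonce
    if ( ! current_user_can( 'upload_files' ) ) {
        wp_send_json_error( 'forbidden', 403 );         // sends JSON and exits
    }
    $res = wp_handle_upload( $_FILES['file'], array( 'test_form' => false ) );
    if ( isset( $res['error'] ) ) {                     // disallowed type, etc.
        wp_send_json_error( $res['error'], 400 );
    }
    wp_send_json_success( $res['url'] );
}

// --- Flaw 2 shape: social login that trusts client-supplied identity ---
// Weak: the e-mail/Facebook ID used to pick the account comes from the request.
function example_fb_login_weak() {
    $user = get_user_by( 'email', sanitize_email( $_POST['email'] ) );
    if ( $user ) { wp_set_auth_cookie( $user->ID ); }
}

// Hardened: only the access token is client-supplied; identity is fetched from
// Facebook's Graph endpoint (production code should also verify the token's app ID).
function example_fb_login_hardened() {
    $token = sanitize_text_field( $_POST['access_token'] );
    $resp  = wp_remote_get( 'https://graph.facebook.com/me?fields=id,email'
                            . '&access_token=' . rawurlencode( $token ) );
    $me    = json_decode( wp_remote_retrieve_body( $resp ), true );
    if ( 200 !== wp_remote_retrieve_response_code( $resp ) || empty( $me['email'] ) ) {
        wp_send_json_error( 'invalid token', 401 );
    }
    $user = get_user_by( 'email', $me['email'] );
    if ( ! $user ) { wp_send_json_error( 'no such account', 404 ); }
    wp_set_auth_cookie( $user->ID );
    wp_send_json_success();
}
```

    The weak handlers are reachable by anyone who can send a request, which is what makes a missing capability check or a client-chosen identity a full account or site takeover rather than a minor bug.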



    ======================================================================
    Link to news story: https://www.techradar.com/pro/security/this-premium-wordpress-plugin-could-let-hackers-hijack-your-website


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)