• One million WordPress sites at risk of attack

    From TechnologyDaily@1337:1/100 to All on Thu Oct 28 14:45:04 2021
    One million WordPress sites at risk of attack

    Date:
    Thu, 28 Oct 2021 13:29:43 +0000

    Description:
    High severity vulnerabilities in a popular WordPress plugin could help
    hackers launch all kinds of campaigns against vulnerable installations.

    FULL STORY ======================================================================

    Cybersecurity researchers have helped patch several vulnerabilities in an extremely popular WordPress plugin, which could have been exploited by any visitor to undertake a number of actions against affected WordPress websites, such as exporting sensitive information.

    The vulnerabilities, discovered by WordPress security experts Wordfence, existed in the OptinMonster plugin, which boasts a user base of over a million websites.

    OptinMonster helps create sales campaigns on WordPress websites without much effort, through the use of dialogs. Wordfence explains that the vast majority of the plugin's functionality, as well as the OptinMonster app site, relies on the use of API endpoints.

    Open sesame

    "Unfortunately, the majority of the REST-API endpoints were insecurely implemented, making it possible for unauthenticated attackers to access many of the various endpoints on sites running a vulnerable version of the plugin," wrote Wordfence's threat analyst Chloe Chamberland.

    In her rundown of the vulnerabilities, Chamberland notes that one of the vulnerable endpoints could have been exploited to leak sensitive data like the site's full path on the server, along with the API key the website uses to make requests on the OptinMonster site.
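    To show the class of defect the article describes, here is an added illustration (not OptinMonster's or Wordfence's code, and not the actual bug they found): a hypothetical WordPress plugin that registers a REST route returning the server path and a stored API key, once with a permission callback that lets any visitor read it, and once requiring an authenticated administrator. The route names, option name and function names are assumptions; it assumes a WordPress install to load the plugin.

```php
<?php
/*
 * Plugin Name: REST permission illustration (added example, hypothetical plugin)
 * Not OptinMonster's code: route namespace, option name and payload are assumed.
 */

// WEAK: '__return_true' as the permission_callback makes the route readable by
// any unauthenticated visitor, so the site path and API key leak to anyone.
function acme_register_weak_route() {
    register_rest_route( 'acme/v1', '/config-weak', array(
        'methods'             => 'GET',
        'callback'            => 'acme_config_payload',
        'permission_callback' => '__return_true',
    ) );
}

// HARDENED: the same data is only served to an authenticated administrator;
// everyone else gets a WP_Error that the REST layer turns into 401 or 403.
function acme_register_hardened_route() {
    register_rest_route( 'acme/v1', '/config', array(
        'methods'             => 'GET',
        'callback'            => 'acme_config_payload',
        'permission_callback' => 'acme_require_admin',
    ) );
}

function acme_require_admin( WP_REST_Request $request ) {
    if ( ! current_user_can( 'manage_options' ) ) {
        return new WP_Error(
            'rest_forbidden',
            'Administrator privileges are required.',
            // 401 when no user is logged in, 403 when the user lacks the capability.
            array( 'status' => rest_authorization_required_code() )
        );
    }
    return true;
}

// Identical payload in both cases: the absolute install path and the key used
// for outbound API requests, i.e. the data that must never reach an anonymous caller.
function acme_config_payload( WP_REST_Request $request ) {
    return rest_ensure_response( array(
        'site_path' => ABSPATH,
        'api_key'   => get_option( 'acme_api_key' ), // constructed option name
    ) );
}

// Only the hardened route is wired up; the weak one is shown for contrast.
add_action( 'rest_api_init', 'acme_register_hardened_route' );
```

    A quick check from the defender's side is to request the route without a session cookie and confirm the response is a 401 rather than the configuration object.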

    "With access to the API key, an attacker could make changes to any campaign associated with a site's connected OptinMonster account and add malicious JavaScript that would execute anytime a campaign was displayed on the exploited site," says Chamberland.

    She notes that, rather worryingly, the vulnerability could have been exploited by any visitor to the website.

    Although there aren't reports of the vulnerabilities being exploited in the wild, the plugin developer has invalidated all API keys, forcing users to generate new ones. They've also patched all vulnerabilities and made changes to how changes are made to the campaigns.

    Want to build a website? Use one of these best WordPress website builders, and deck them up using one of these best WordPress themes.



    ======================================================================
    Link to news story: https://www.techradar.com/news/one-million-wordpress-sites-at-risk-of-attack/


    --- Mystic BBS v1.12 A47 (Linux/64)
    * Origin: tqwNet Technology News (1337:1/100)