Introduction
WordPress has grown into the world’s most popular content management system (CMS), empowering individuals and businesses to create websites with ease. Its open-source nature has led to the development of a vibrant ecosystem of over 60,000 plugins and thousands of themes, enabling users to customize their sites for nearly any purpose – from blogs and e-commerce stores to corporate portals and educational platforms.
However, this widespread adoption also comes with responsibilities. WordPress’s core code and open-source plugins are frequently updated to address bugs, enhance features, and fortify security. Despite this, most WordPress sites run outdated versions, leaving them vulnerable to known exploits. The platform’s security largely depends on a layered approach, combining regular updates, strong credentials, and additional measures like firewalls and malware scanning.
Patchstack improves website security by delivering immediate, tailored protection against vulnerabilities in the form of virtual patches (vPatches). Acting as customized firewall rules, these virtual patches shield WordPress sites from exploits targeting plugins, themes, or core, ensuring uninterrupted functionality and empowering website owners to maintain robust defenses without delay.
Unlike traditional methods that depend on waiting for developer-issued updates, Patchstack’s vPatches close the security gap instantly, mitigating threats as soon as vulnerabilities are identified.
Recent exploited vulnerabilities and how our vPatches blocked them
Last month alone, we designed and deployed more than 300 new virtual patches to protect our clients from a variety of vulnerabilities, ensuring swift defences against emerging threats, all without having to wait for an official patch.
While we continually add vPatches to cover new vulnerabilities, we also monitor the malicious requests we block to protect our customers, and that number has risen by more than 20% compared to the previous couple of months.
Here are some of the most interesting vulnerabilities exploited this quarter:
Really Simple Security plugin
Account Takeover Vulnerability
WordPress Really Simple Security Plugin 9.0.0-9.1.1.1 – Account Takeover vulnerability (CVE-2024-10924)
- This Critical vulnerability, affecting all versions (Free, Pro and Pro Multisites) of a popular plugin with 4M+ installations, could allow unauthenticated attackers to log in as any user (including administrators) when 2FA authentication is enabled, by taking advantage of a mishandled REST response return in the “skip_onboarding” function.
- Patchstack immediately released a vPatch blocking any malicious requests to the “/two_fa/skip_onboarding” endpoint.
Several hundred attempts to exploit vulnerable versions of the plugin have been blocked since the vPatch was deployed.
Spam protection by CleanTalk plugin
Authorization Bypass Vulnerability
WordPress Spam protection, Anti-Spam, FireWall by CleanTalk plugin <= 6.44 – Authorization Bypass vulnerability (CVE-2024-10781)
This Critical vulnerability in the WordPress Spam protection plugin (200k+ installs) allowed unauthenticated attackers to install and activate arbitrary plugins, ultimately leading to a takeover of the website.
- In vulnerable versions, the plugin’s access key verification could be bypassed when no API key was configured in the plugin: the MD5 or SHA256 hash of an empty string was then used as the reference value during verification, so anyone who supplied one of those hashes passed the check.
- Patchstack’s clients were automatically protected from this vulnerability with a virtual patch blocking any request containing hashes of empty values (respectively “d41d8cd98f00b204e9800998ecf8427e” and “e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855”) in the “spbc_remote_call_token” parameter.
Several hundred attempts to exploit vulnerable versions of the plugin have been blocked since the vPatch was deployed.
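The following is an added example, not Patchstack’s or CleanTalk’s code: it models the bug class described above (an unset key turning the hash of the empty string into a valid token), the hardened form of the check, and a firewall-style rule of the kind the vPatch applies. The two hash constants are those quoted in the advisory; the function names, the `params` dictionary and the use of SHA-256 in the hardened check are assumptions made for the illustration.

```python
"""Constructed example (not Patchstack's or CleanTalk's code): why an unset
API key turns the hash of an empty string into a skeleton key, and what a
virtual patch that blocks those hashes looks like."""
import hashlib
import hmac

# Hashes of the empty string, as quoted in the advisory text.
EMPTY_MD5 = "d41d8cd98f00b204e9800998ecf8427e"
EMPTY_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"


def token_matches_vulnerable(configured_key: str, token: str) -> bool:
    """Model of the weak pattern (a reconstruction of the bug class, not the
    plugin's source): the reference digests are derived from whatever key is
    configured, even when that key is the empty string."""
    reference_md5 = hashlib.md5(configured_key.encode()).hexdigest()
    reference_sha256 = hashlib.sha256(configured_key.encode()).hexdigest()
    return token in (reference_md5, reference_sha256)


def token_matches_hardened(configured_key: str, token: str) -> bool:
    """Hardened form: refuse outright when no key is configured, and compare
    in constant time against a single chosen digest (SHA-256 assumed here)."""
    if not configured_key:
        return False
    reference = hashlib.sha256(configured_key.encode()).hexdigest()
    return hmac.compare_digest(reference, token)


def vpatch_blocks(params: dict) -> bool:
    """Firewall-style rule modelled on the advisory: drop any request whose
    spbc_remote_call_token is the MD5 or SHA-256 digest of the empty string."""
    token = str(params.get("spbc_remote_call_token", "")).lower()
    return token in (EMPTY_MD5, EMPTY_SHA256)


if __name__ == "__main__":
    # Constructed request parameters: no key configured on the site, and a
    # caller presenting the well-known MD5 of the empty string.
    incoming = {"spbc_remote_call_token": EMPTY_MD5}
    print("vulnerable check passes:", token_matches_vulnerable("", incoming["spbc_remote_call_token"]))
    print("hardened check passes:  ", token_matches_hardened("", incoming["spbc_remote_call_token"]))
    print("vPatch blocks request:  ", vpatch_blocks(incoming))
```

The vPatch rule and the hardened check are complementary: the rule protects sites that have not yet updated, while the hardened check removes the root cause, which is that an empty configuration value still produces a comparable digest.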
GiveWP plugin
PHP Object Injection Vulnerability
WordPress GiveWP plugin <= 3.16.3 – Unauthenticated PHP Object Injection to Remote Code Execution vulnerability (CVE-2024-9634)
- This Critical vulnerability in a popular donation plugin with 100k+ installations allowed unauthenticated attackers to perform PHP Object Injection attacks through an improperly deserialized “give_company_name” parameter during the donation process. This could ultimately lead to a takeover of the website.
- Patchstack immediately released a vPatch blocking any malicious requests containing known PHP object patterns in the vulnerable parameter.
Several hundred attempts to exploit vulnerable versions of the plugin have been blocked since the vPatch was deployed.
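As an added example (not Patchstack’s rule nor the GiveWP plugin’s code), here is a detector for PHP serialized object notation in a request parameter, the kind of screening a virtual patch in front of an `unserialize()` sink performs. The parameter name `give_company_name` comes from the advisory; the regular expression, the single round of URL decoding and the `vpatch_blocks` helper are assumptions of this illustration.

```python
"""Constructed example (not Patchstack's rule): detect PHP serialized object
notation in a request parameter that is known to reach unserialize()."""
import re
from urllib.parse import unquote_plus

# PHP's serialize() writes objects as  O:<name-length>:"<class>":<prop-count>:{...}
# and the same token may be nested inside arrays (a:...) or other values.
# A leading C: marks objects implementing the Serializable interface, which
# reach the same sink. The lookbehind avoids matching inside ordinary words
# such as "INFO:12:..." where the letter is part of a longer token.
_PHP_OBJECT = re.compile(r'(?<![A-Za-z0-9])[OC]:\d+:"[^"]*":\d+:\{')


def contains_php_object(value: str) -> bool:
    """True when the value, raw or after one round of URL decoding, contains
    PHP serialized object notation anywhere inside it."""
    candidates = {value, unquote_plus(value)}
    return any(_PHP_OBJECT.search(c) for c in candidates)


def vpatch_blocks(params: dict, sensitive: tuple = ("give_company_name",)) -> bool:
    """Model of the advisory's vPatch: reject the request when a parameter
    known to reach unserialize() carries object notation. The list of
    sensitive parameters is taken from the advisory text and is an assumption."""
    return any(contains_php_object(str(params.get(name, ""))) for name in sensitive)


if __name__ == "__main__":
    # Constructed request parameters, one ordinary and one carrying a
    # harmless stdClass object purely to trigger the detector.
    benign = {"give_company_name": "Acme Corp"}
    suspicious = {"give_company_name": 'a:1:{i:0;O:8:"stdClass":0:{}}'}
    print("benign blocked:    ", vpatch_blocks(benign))
    print("suspicious blocked:", vpatch_blocks(suspicious))
```

A screening rule like this is a stop-gap: the durable fix is for the plugin to stop calling `unserialize()` on user input, or at least to pass `allowed_classes => false` so no object is ever instantiated from the parameter.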
Elementor Pro plugin
Arbitrary Options Change Vulnerability
WordPress Elementor Pro plugin <= 3.11.6 – Authenticated Arbitrary Options Change vulnerability (CVE-2023-3124)
This plugin, with an estimated 4M+ active users, suffered from a security flaw that allowed any user with a role as low as Subscriber to change arbitrary options, including enabling user registration and, for example, setting new accounts’ default role to administrator, leading to a takeover of the website.
- The vulnerability resided in the “update_page_option” function, called via the “pro_woocommerce_update_page_option” action. No capability check was in place, and the plugin’s nonce check was easily bypassed since that nonce was leaked to anyone visiting the admin dashboard.
- Patchstack’s vPatch was deployed on our affected clients’ websites, protecting them from any exploitation attempts by blocking requests for the vulnerable action when the user doesn’t have sufficient permissions.
More than 2,500 attempts to exploit vulnerable versions of the plugin have been blocked since the vPatch was deployed. Although the vulnerability was discovered and patched last year, the plugin’s popularity means it is still being exploited today.
SEOPress plugin
Authentication Bypass Vulnerability
WordPress SEOPress plugin < 7.9 – Authentication Bypass Leading To PHP Object Injection vulnerability (CVE-2024-5488)
- This plugin, with 300K+ installations, included a vulnerable authentication check accessible to unauthenticated users. The check could be bypassed by providing any existing user’s username, enabling attackers to update certain post metadata; this could be escalated into a PHP Object Injection attack with critical impact, up to remote code execution (RCE).
- Patchstack immediately mitigated this vulnerability by issuing a vPatch that blocked any request calling the “seopress/v1/posts” action parameter along with vulnerable sub-actions when the user doesn’t have sufficient permissions.
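The Really Simple Security, Elementor Pro and SEOPress vPatches described above share one shape: a request to a specific endpoint or action is refused unless the caller has the right to make it. The following is an added example (not Patchstack’s rule engine) of a minimal ruleset in that shape. The endpoint path, the action names and the “sufficient permissions” wording come from the advisories; the `Request` model, the choice of `manage_options` and `edit_posts` as the required capabilities, treating anonymous hits on the onboarding endpoint as the malicious case, and the decision to cover every sub-action of the SEOPress route are assumptions of this illustration.

```python
"""Constructed example (not Patchstack's rule engine): a minimal virtual-patch
ruleset modelling the access-control vPatches described in this post."""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class Request:
    """Constructed view of an incoming HTTP request after WordPress has
    resolved the session: path, query/body parameters, and the caller's
    capabilities (assumed to be available to the firewall layer)."""
    path: str
    params: dict = field(default_factory=dict)
    logged_in: bool = False
    capabilities: frozenset = frozenset()


@dataclass
class Rule:
    name: str
    matches: Callable[[Request], bool]   # does this rule apply to the request?
    required_cap: Optional[str]          # None: block every matching request


# Rule 1 (Really Simple Security): assumption that the skip_onboarding
# endpoint is only legitimate for an already-authenticated session.
# Rule 2 (Elementor Pro): the page-option update action must carry an
# administrative capability; a nonce alone is not enough, because the
# advisory notes the nonce was leaked to every dashboard visitor.
# Rule 3 (SEOPress): the posts action is gated on editing rights for every
# sub-action (the advisory does not list them, so all are covered here).
RULES: List[Rule] = [
    Rule("rss-skip-onboarding",
         lambda r: r.path.endswith("/two_fa/skip_onboarding") and not r.logged_in,
         None),
    Rule("elementor-update-page-option",
         lambda r: r.params.get("action") == "pro_woocommerce_update_page_option",
         "manage_options"),
    Rule("seopress-posts-action",
         lambda r: r.params.get("action") == "seopress/v1/posts",
         "edit_posts"),
]


def evaluate(req: Request, rules: List[Rule] = RULES) -> Optional[str]:
    """Return the name of the first rule that blocks the request, or None
    to let it through to the plugin."""
    for rule in rules:
        if not rule.matches(req):
            continue
        if rule.required_cap is None or rule.required_cap not in req.capabilities:
            return rule.name
    return None


if __name__ == "__main__":
    # Constructed request: a logged-in Subscriber presenting a (leaked) nonce
    # with the Elementor action. The capability check still blocks it.
    subscriber = Request(
        path="/wp-admin/admin-ajax.php",
        params={"action": "pro_woocommerce_update_page_option", "_nonce": "leaked"},
        logged_in=True,
        capabilities=frozenset({"read"}),
    )
    print("subscriber blocked by:", evaluate(subscriber))
```

The point of rule 2 is the one the Elementor Pro write-up makes: a nonce is a CSRF token, not an authorization check, so a patch that only validates the nonce leaves a low-privileged but logged-in user able to reach the action. Gating on a capability is what closes the gap.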
Key takeaways and conclusion
Protecting your WordPress site from cyber threats demands a comprehensive, proactive security strategy. While keeping the WordPress core, plugins, and themes up to date is essential for addressing known vulnerabilities, the time gap between identifying a flaw and releasing official fixes can leave your site exposed.
Virtual patching solutions, like those offered by Patchstack, fill this critical security gap by instantly mitigating risks as vulnerabilities are discovered, safeguarding your site during the interim.
Pairing virtual patches with consistent security practices – such as timely updates, removing unused components, and actively monitoring for emerging threats – creates a robust defense against potential attacks, maintaining both functionality and peace of mind.
Be sure to follow our updates for the latest vulnerabilities and solutions to keep your site secure moving forward.
Help us make the Internet a safer place
Making the WordPress ecosystem more secure is a team effort, and we believe that plugin developers and security researchers should work together.
- If you’re a plugin developer, join our mVDP program that makes it easier to report, manage and address vulnerabilities in your software.
- If you’re a security researcher, join Patchstack Alliance to report vulnerabilities & earn rewards.