Multiple Vulnerabilities Found in WordPress

NJCCIC Advisory

Original Release Date: 8/6/2020

Summary

Three vulnerabilities have been discovered in WordPress Newsletter, a plugin designed to help subscribers build and deliver marketing newsletters and emails. While analyzing the first reported vulnerability, researchers discovered two additional vulnerabilities: an authenticated reflected Cross-Site Scripting (XSS) vulnerability rated medium severity, and a PHP Object Injection vulnerability rated high severity. Successful exploitation of these vulnerabilities may allow a threat actor to create backdoors, add malicious administrative user accounts, and decode and execute malicious code in the victim's browser, resulting in account takeover. Newsletter has been downloaded and installed on more than 300,000 websites and, though patches were developed and released in version 6.8.3, only an estimated 150,000 WordPress sites had applied the update at the time of this writing. Furthermore, analysts determined that additional firewall rules are necessary to ensure full coverage for these vulnerabilities; however, these rules have so far been released only to premium users. Both firewall rules will be made available to free account users on August 14, 2020.

Additionally, a high severity vulnerability was recently found in WordPress's Facebook chat plugin, which enables website owners to embed pop-up chats for real-time dialogue with visitors. Successful exploitation could allow threat actors to chat with visitors, creating an attack similar to a man-in-the-middle (MitM), in order to coax customers into divulging personal information through social engineering or into downloading malicious code. A patch was developed and made available on July 28, 2020; however, 50,000 WordPress websites remained vulnerable at the time of this writing. An additional firewall rule was created for this vulnerability.

Recommendations

The NJCCIC recommends that WordPress Newsletter plugin users update to version 6.8.3, that Facebook chat plugin users update to version 1.6 immediately, and that all users apply firewall rules as they are made available. Additional reporting and technical details can be found in the Wordfence blog posts (1, 2).
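Site operators managing several WordPress installs often want a quick check of whether the installed plugin versions meet the minimums named above before rolling out updates. The following script is an added example, not code from the NJCCIC advisory or from Wordfence; it parses the JSON that WP-CLI's `wp plugin list --format=json` emits and flags any listed plugin whose version is below the patched version. The plugin slugs are assumptions (the advisory names the plugins but not their WordPress.org slugs), and the JSON input is a constructed sample rather than output from a real site.

```python
"""Flag installed WordPress plugins that are below an advisory's patched version.

Added example: compares versions from `wp plugin list --format=json` against
the minimum fixed versions stated in the advisory. Slugs below are assumed.
"""
import json
import re

# Minimum patched versions from the advisory (6.8.3 and 1.6).
# NOTE: slugs are assumptions; replace them with the real plugin directory names.
PATCHED_VERSIONS = {
    "newsletter": "6.8.3",             # assumed slug for the WordPress Newsletter plugin
    "facebook-chat-plugin": "1.6",     # assumed slug for the Facebook chat plugin
}

# Constructed sample of `wp plugin list --format=json` output (not from a real site).
SAMPLE_WP_CLI_JSON = json.dumps([
    {"name": "newsletter", "status": "active", "update": "available", "version": "6.8.2"},
    {"name": "facebook-chat-plugin", "status": "inactive", "update": "none", "version": "1.6"},
    {"name": "akismet", "status": "active", "update": "none", "version": "4.1.6"},
])


def parse_version(version):
    """Turn '6.8.3' (or '6.8.3-beta') into a tuple of ints for ordering.

    Only the leading digits of each dot-separated piece are used, so a
    pre-release suffix does not break the comparison; anything non-numeric
    counts as 0.
    """
    parts = []
    for piece in version.split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)


def is_below(installed, required):
    """True when `installed` is strictly lower than `required`.

    Tuples are right-padded with zeros so '1.6' and '1.6.0' compare equal and
    '6.8.10' correctly sorts above '6.8.3' (a plain string compare would not).
    """
    a, b = parse_version(installed), parse_version(required)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def find_vulnerable(plugin_list_json, patched=PATCHED_VERSIONS):
    """Return (slug, installed, required) for each listed plugin below its fix.

    Inactive plugins are still reported: their files remain on disk and may
    still be reachable, so an outdated inactive plugin should be updated or
    removed rather than ignored.
    """
    findings = []
    for plugin in json.loads(plugin_list_json):
        slug = plugin.get("name")
        required = patched.get(slug)
        if required is None:
            continue  # not covered by this advisory
        installed = plugin.get("version", "0")
        if is_below(installed, required):
            findings.append((slug, installed, required))
    return findings


if __name__ == "__main__":
    # On a live host: wp plugin list --format=json | python3 this_script.py
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WP_CLI_JSON
    for slug, installed, required in find_vulnerable(data):
        print(f"UPDATE NEEDED: {slug} {installed} < patched {required}")
```

On the constructed sample the script reports only `newsletter` (6.8.2 is below 6.8.3); the Facebook chat entry at 1.6 passes even though it is inactive, and unrelated plugins are ignored.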

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov
