Hackers Exploit WordPress Plugin Vulnerability That Gives Full Control of Millions of Websites


Hackers are actively exploiting a critical vulnerability in a widely used WordPress plugin that gives them full control over millions of websites, researchers say.

The vulnerability, which has a severity rating of 8.8 out of 10, is present in Elementor Pro, a premium plugin running on more than 12 million websites powered by the WordPress content management system. Elementor Pro lets users build high-quality websites with a wide range of tools, one of which integrates WooCommerce, a separate WordPress plugin. When Elementor Pro is used together with WooCommerce, anyone with an account on the site, such as a subscriber or customer, can create new accounts with full administrator rights.

The vulnerability was discovered by Jerome Bruandet, a researcher at security company NinTechNet. Last week Elementor, the developer of the Elementor Pro plugin, released version 3.11.7, which fixes the vulnerability. In a post published Tuesday, Bruandet wrote:

An authenticated attacker could use the vulnerability to create an administrator account by enabling registration (users_can_register) and setting the default role (default_role) to “administrator”, change the admin email address (admin_email) or, as shown below, redirect all traffic to an external malicious website by changing siteurl, among many other possibilities:

MariaDB [example]> SELECT * FROM `wp_options` WHERE `option_name`='siteurl';
+-----------+-------------+------------------+----------+
| option_id | option_name | option_value     | autoload |
+-----------+-------------+------------------+----------+
|         1 | siteurl     | https://evil.com | yes      |
+-----------+-------------+------------------+----------+
1 row in set (0.001 sec)

Now researchers from a separate security firm, PatchStack, report that the vulnerability is being actively exploited. Attacks come from different IP addresses, including:

  • 193.169.194.63
  • 193.169.195.64
  • 194.135.30.6

Files uploaded to hacked sites often have the following names:

  • wp-resortpack.zip
  • wp-rate.php
  • lll.zip

The URLs of compromised sites often change to:

  • away[dot]trackers[dot]com

The broken access control vulnerability is related to the use of Elementor Pro’s component “elementor-pro/modules/woocommerce/module.php”. When WooCommerce is running, this script registers the following AJAX actions:

/**
 * Register Ajax Actions.
 *
 * Registers ajax action used by the Editor js.
 *
 * @since 3.5.0
 *
 * @param Ajax $ajax
 */
public function register_ajax_actions( Ajax $ajax ) {
   // `woocommerce_update_page_option` is called in the editor save-show-modal.js.
   $ajax->register_ajax_action( 'pro_woocommerce_update_page_option', [ $this, 'update_page_option' ] );
   $ajax->register_ajax_action( 'pro_woocommerce_mock_notices', [ $this, 'woocommerce_mock_notices' ] );
}

and another:

/**
 * Update Page Option.
 *
 * Ajax action can be used to update any WooCommerce option.
 *
 * @since 3.5.0
 *
 * @param array $data
 */
public function update_page_option( $data ) {
   update_option( $data['option_name'], $data['editor_post_id'] );
}

The update_option function “is supposed to allow an admin or store manager to update some specific WooCommerce options, but user input is not validated and the function lacks capability checking to limit its access to a highly privileged user,” Bruandet explained. He continued:

Elementor uses its own AJAX handler to manage most of its AJAX actions, including pro_woocommerce_update_page_option, with the global elementor_ajax action. It is in the “elementor/core/common/modules/ajax/module.php” script of the free version (which is required to run Elementor Pro):

/**
 * Handle ajax request.
 *
 * Verify ajax nonce, and run all the registered actions for this request.
 *
 * Fired by `wp_ajax_elementor_ajax` action.
 *
 * @since 2.0.0
 * @access public
 */
public function handle_ajax_request() {
   if ( ! $this->verify_request_nonce() ) {
      $this->add_response_data( false, esc_html__( 'Token Expired.', 'elementor' ) )
           ->send_error( Exceptions::UNAUTHORIZED );
   }
   ...
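The nonce check above only proves that the request came from a logged-in user's editor page; it says nothing about that user's privileges, and the action itself then writes whatever option_name the client supplies. As an added example, not Elementor's code or its actual fix, here is a hardened form of update_page_option. It assumes the WordPress runtime (current_user_can, absint, get_post, update_option); the allowlist of WooCommerce page-ID options and the exception codes are assumptions for illustration.

```php
<?php
// Added example: a hardened update_page_option (not Elementor Pro's own fix).
// Assumes the WordPress runtime; the allowlist and error codes are illustrative.

class Module {

    // Only the WooCommerce page-ID options the editor legitimately edits.
    // Anything else (siteurl, users_can_register, default_role, admin_email, ...)
    // is rejected regardless of who asks.
    private const ALLOWED_PAGE_OPTIONS = [
        'woocommerce_shop_page_id',
        'woocommerce_cart_page_id',
        'woocommerce_checkout_page_id',
        'woocommerce_myaccount_page_id',
    ];

    /**
     * Update a WooCommerce page option from the editor.
     *
     * @param array $data Request data passed in by the Elementor AJAX handler.
     * @throws \Exception on a failed check; the caller turns it into an error response.
     */
    public function update_page_option( $data ) {
        // 1. Capability check. The nonce verified by handle_ajax_request() only
        //    proves a logged-in session; it does not prove privilege.
        if ( ! current_user_can( 'manage_woocommerce' ) ) {
            throw new \Exception( 'Access denied.', 403 );
        }

        // 2. Allowlist the option name: the client must never choose the key.
        $option_name = isset( $data['option_name'] ) ? (string) $data['option_name'] : '';
        if ( ! in_array( $option_name, self::ALLOWED_PAGE_OPTIONS, true ) ) {
            throw new \Exception( 'Option not allowed.', 400 );
        }

        // 3. Validate the value: these options store a post ID, so require a
        //    positive integer that refers to an existing post.
        $post_id = isset( $data['editor_post_id'] ) ? absint( $data['editor_post_id'] ) : 0;
        if ( 0 === $post_id || null === get_post( $post_id ) ) {
            throw new \Exception( 'Invalid post ID.', 400 );
        }

        update_option( $option_name, $post_id );
    }
}
```

The same capability and input checks belong on woocommerce_mock_notices and on every other registered action, since the shared handler only verifies the nonce.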

Anyone using Elementor Pro should make sure they are running version 3.11.7 or later, as all previous versions are vulnerable. Users are also encouraged to check their sites for the signs of infection listed in the PatchStack post.


Twitter publishes code that it claims determines what tweets people see and why.


Twitter has posted what it says is the code its algorithm uses to recommend tweets to its users.

Twitter made good on one of the many promises made by CEO Elon Musk, posting on Friday afternoon what it claims is the code of its tweet recommendation algorithm on GitHub.

The code, posted under the GNU Affero General Public License v3.0, contains numerous details about what factors make a tweet more or less likely to appear in a user’s timeline.

In a blog post accompanying the code release, Twitter’s engineering team (no author is named) notes that the system for determining which “most popular tweets end up on your device’s For You timeline” “consists of many interconnected services and tasks.” Every time the Twitter home screen is refreshed, Twitter pulls “the top 1,500 tweets from hundreds of millions,” the post says.

The largest source of these tweets is “in-network sources”, that is, users the person follows. The top tweets from this pool are ranked by how likely the user is to engage with the tweet’s author; the more likely that is, the more likely those tweets are to appear in For You. For “out-of-network sources” the user does not follow, Twitter says it considers tweets that have drawn the attention of people the user follows and tweets liked by people who like tweets similar to the ones the user likes.

Those who have already looked at the code have noticed details that raise many more questions. Many posted them, of course, on Twitter itself.

Olafur Vaage, senior software engineer at Norwegian consulting service TurtleSec, noted some of the apparent reasons, found inside “HomeTweetTypePredicates.scala”, for a tweet to be a candidate for the “For You” section:

  • author_is_elon
  • author_is_power_user
  • author_is_democrat
  • author_is_republican

Elsewhere in the code, a comment presumably left by a Twitter engineer explains that these identifier values are “used solely for collecting metrics.” The comment reads:

These author ID lists are used solely for collecting metrics. We track how often we serve tweets from these authors and how often their tweets impress users. This helps us confirm on our A/B experimentation platform that we’re not submitting changes that negatively impact one group over others.

The names of the objects in question, such as “DDGStatsDemocratsFeature” or “DDGStatsElonFeature”, seem to support this interpretation, but it may not be possible to confirm with the available code. Still, it is notable that Twitter checks and correlates these variables. During a Twitter Spaces audio session, a Twitter engineer noted that the Democrat and Republican labels were used for metrics. Musk, who claimed he didn’t know about the labels until today, suggested they shouldn’t be there.

Other factors also count for a tweet: whether it is less than 30 minutes old, whether it contains images, and whether it comes from a “power user”, which some believe means a “legacy” verified account.

Along with the company blog post, Musk tweeted that the “acid test” for a recommendation algorithm would be whether “independent third parties” could “determine with reasonable accuracy what users are likely to be shown.”

Twitter’s release of its algorithm code comes just days after the social network’s broader source code was discovered on GitHub, where it may have sat for months, according to the New York Times. Twitter then obtained a subpoena forcing GitHub to reveal information about the GitHub poster.

A report by Platformer earlier this week said that Twitter used a secret list of 35 top Twitter users, including President Biden, LeBron James, Ben Shapiro and Musk. Evidence of the implementation of this list, reportedly prompted in part by Musk’s dissatisfaction with his own engagement numbers, has yet to be found in the codebase Twitter posted.

Notably, the code arrives just hours before “legacy verified” users, those who were blue-checked to indicate authenticity or notoriety before Musk bought the service, are due to lose their checkmarks in favor of paying Twitter Blue subscribers. Although some users associated with governments and large organizations may apply for checkmarks of other colors, only Twitter Blue subscribers paying $8 per month will receive “priority ranking in conversations”, among other features.

All of these changes take place on April 1, or April Fool’s Day.
