WordPress Security: XSS Remains the Most Common Vulnerability
Of all the security flaws disclosed in the WordPress ecosystem in 2023, cross-site scripting (XSS) vulnerabilities accounted for about 53.3% of the total.
The previous year, XSS made up 27% of all disclosed vulnerabilities, so its share roughly doubled between 2022 and 2023.
Cross-site scripting (XSS) is a flaw that lets an attacker inject malicious script into a page served by the site, so that it runs in the browsers of the site's other users.
That script can then perform unwanted actions such as redirecting visitors or stealing session cookies and other confidential data; when the victim is a logged-in administrator, this can hand the attacker control over the website.
XSS – The most common vulnerability in WordPress in 2023
Why is XSS the Most Common Kind of Vulnerability?
According to the Patchstack security report, a flaw in the Freemius framework, a third-party SDK that plugin developers bundle for licensing and eCommerce, was the source of a significant number of the CSRF vulnerabilities disclosed in 2022.
Because the framework is bundled by so many plugins, a single defect in it is inherited by all of them.
The same pattern repeated with XSS in 2023: more than 1,200 of that year's XSS vulnerabilities trace back to a single Freemius flaw.
“This year we saw once again how a single cross-site scripting vulnerability in the Freemius framework resulted in 1,248 plugins inheriting the security vulnerability, exposing their users to risk”, the report said.
“21% of all new vulnerabilities discovered in 2023 can be traced back to this one flaw.
Developers need to choose their stack carefully and promptly apply security updates when these become available.”
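The practical consequence of the Freemius case is that a site owner cannot judge exposure plugin by plugin; the question is which plugins bundle a vulnerable copy of the SDK. The following is an added example, not code from Patchstack or Freemius: it inventories vendored SDK copies under wp-content/plugins and flags those below a fixed version. The file listing is constructed; the `freemius/start.php` file name and the `$this_sdk_version = '...'` declaration are assumptions about the SDK's layout, and the cut-off version is a hypothetical parameter.

```javascript
// Added example (not Patchstack's or Freemius's code). Assumptions: the SDK
// lives at <plugin>/.../freemius/start.php and declares its version as
// $this_sdk_version = 'x.y.z'; the cut-off version is hypothetical.
const SDK_FILE = /\/freemius\/start\.php$/i;
const VERSION_DECL = /\$this_sdk_version\s*=\s*'([0-9.]+)'/;

// Constructed listing: relative path -> file contents (only the relevant line).
const PLUGIN_FILES = new Map([
  ['wp-content/plugins/alpha-forms/vendor/freemius/start.php', "<?php\n$this_sdk_version = '2.5.3';\n"],
  ['wp-content/plugins/beta-gallery/freemius/start.php',       "<?php\n$this_sdk_version = '2.6.0';\n"],
  ['wp-content/plugins/gamma-seo/gamma-seo.php',               "<?php\n// no bundled SDK\n"],
  ['wp-content/plugins/delta-cache/freemius/start.php',        "<?php\n// version line stripped by a build step\n"],
]);

// Numeric, component-wise comparison; a plain string compare would rank
// '2.5.3' above '2.5.10'.
function compareVersions(a, b) {
  const pa = a.split('.').map(Number);
  const pb = b.split('.').map(Number);
  const n = Math.max(pa.length, pb.length);
  for (let i = 0; i < n; i++) {
    const d = (pa[i] || 0) - (pb[i] || 0);
    if (d !== 0) return Math.sign(d);
  }
  return 0;
}

// One record per bundled SDK copy: which plugin ships it and which version.
function inventorySdks(files) {
  const out = [];
  for (const [p, content] of files) {
    if (!SDK_FILE.test(p)) continue;
    const m = VERSION_DECL.exec(content);
    out.push({ plugin: p.split('/')[2], path: p, version: m ? m[1] : null });
  }
  return out;
}

// Copies older than minVersion, plus copies whose version cannot be read
// (reported as unknown rather than silently passed).
function findOutdated(files, minVersion) {
  return inventorySdks(files).filter(
    (s) => s.version === null || compareVersions(s.version, minVersion) < 0,
  );
}

// Example run against the constructed listing with a hypothetical cut-off.
console.log(findOutdated(PLUGIN_FILES, '2.5.10'));
```

On a real install the Map would be replaced by a walk of wp-content/plugins; the point is that the unit of exposure is the vendored SDK copy, and that an unreadable version is reported rather than assumed safe.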
In addition, 42.9% of newly discovered vulnerabilities were rated high or critical severity.
That share is much larger than in 2022: 56.6% of this year's vulnerabilities were rated "only" medium severity, compared with 84% the year before.
13.6% of newly discovered vulnerabilities were rated high priority, requiring immediate action. A further 34.7% were rated medium priority: less likely to be exploited at scale, but still usable in targeted attacks and severe enough to warrant a virtual patch.
“Looking at all new security vulnerabilities found in 2023, 58.9% did not require any authentication to be exploited.
These vulnerabilities are inherently more dangerous because they can be exploited automatically and en masse”, researchers said.
On the other hand, 13.4% of the newly discovered vulnerabilities could only be exploited with the administrator role.
The Increase of Abandoned Plugins
Abandoned plugins are another important source of vulnerabilities.
In 2023, researchers reported 827 vulnerable plugins and themes to the WordPress team.
Of these, 481 vulnerable components had been abandoned by their developers and were removed from the plugin repository.
To draw attention to what they called the "zombie plugin pandemic" in WordPress, the researchers reported 404 of those plugins in a single day.
A "zombie" plugin is a component that still appears safe and up to date at first glance but carries unpatched security flaws, because nobody is maintaining it any more.
Well-Known Plugins with Reported Security Flaws
Top 5 Newly Discovered Vulnerabilities with the Most Attempted Exploits
Critical Node.js Flaw Lets Attackers Execute Malicious Code on Windows Machines
The Node.js project has disclosed a high-severity vulnerability affecting multiple active release lines of its software on Windows platforms.
This flaw, identified as CVE-2024-27980, allows attackers to execute arbitrary commands on affected systems, posing a serious risk to applications and services built on Node.js.
The core of the vulnerability lies within the child_process.spawn and child_process.spawnSync functions of Node.js when used on Windows operating systems. These functions are commonly utilized to spawn child processes from Node.js applications.
The flaw lies in how these functions handle Windows batch files (.bat and .cmd). Windows does not execute a batch file directly: CreateProcess hands it to cmd.exe, so the arguments end up being parsed by the command interpreter even though the caller never asked for a shell.
As a result, a maliciously crafted command-line argument could lead to command injection and arbitrary code execution, even if the shell option is not enabled in the function call.
This is what makes the vulnerability alarming: leaving the shell option disabled is the standard recommendation for avoiding command injection with child_process, and here it gave no protection when the target was a batch file.
The impact is widespread, affecting all users of the 18.x, 20.x, and 21.x release lines of Node.js on Windows.
The Node.js project has acted swiftly in response to the discovery of CVE-2024-27980. Security updates to mitigate the issue have been released for the affected versions: 18.x, 20.x, and 21.x.
These updates are available as of Tuesday, April 9, 2024, and users are strongly urged to upgrade their Node.js installations immediately to protect their applications and infrastructure from potential exploitation.
Security researcher RyotaK was credited with discovering this vulnerability, and Ben Noordhuis implemented the fix. The Node.js project has expressed gratitude to the community members for their contributions to maintaining the platform's security and integrity.
Recommendations for Node.js Users
In light of this high-severity vulnerability, Node.js users, especially those running applications on Windows, are advised to:
Update Immediately: Upgrade to the latest patched versions of Node.js (18.x, 20.x, 21.x) to mitigate the risk posed by CVE-2024-27980.
Review Security Practices: Re-evaluate the use of child processes within Node.js applications, especially where external input reaches command-line arguments, and treat spawning a .bat or .cmd file as running cmd.exe regardless of the shell option.
Stay Informed: Subscribe to the nodejs-sec mailing list and regularly check the official Node.js security page for updates on vulnerabilities and security releases.
Hackers Abuse SVG Image Files to Deliver GuLoader Malware
Hackers are exploiting the flexibility of SVG (Scalable Vector Graphics) files to distribute the GuLoader malware.
GuLoader is a malware loader whose evasion techniques make it hard for conventional security controls to identify and block, which makes it a significant threat to organizations and individuals alike.
Rise of GuLoader
GuLoader is known for its stealth and its ability to evade traditional security measures through polymorphic code and encryption.
This allows it to dynamically change its structure, making it difficult for antivirus software and intrusion detection systems to detect its presence.
According to observations by SpiderLabs, GuLoader activity has increased notably.
#Malspam Alert: Over the last weekend, we noticed a significant uptick in GuLoader activity, with the malware leveraging VBS scripts for multi-stage payload delivery. This recent surge highlights its evolving tactics for broader reach and evasion. pic.twitter.com/wOL1KylvxQ
McAfee Labs has recently observed a campaign in which GuLoader is distributed via malicious SVG files sent by email.
Spam Email
SVG files are commonly used for two-dimensional vector graphics and support interactivity and animation through JavaScript and CSS.
Modern browsers like Chrome, Firefox, and Edge can render SVG files natively, treating them as standard web content. Cybercriminals are exploiting this inherent trust in SVG files to deliver malware.
The infection begins when a user opens an SVG file attached to an email. Because the file opens in the browser, the JavaScript embedded in it runs and makes the browser download a ZIP archive containing a Windows Script File (WSF).
Once the WSF is run, wscript executes it; the script launches a PowerShell command that connects to a malicious domain and runs the hosted content, which includes shellcode that is injected into the MSBuild application.
Infection Chain
Technical Analysis of the Attack
The attack starts with a spam email carrying an SVG file named "dhgle-Skljdf.svg". When the file is opened, the JavaScript it contains builds a malicious ZIP archive and triggers its download.
Once extracted, the ZIP archive yields a heavily obfuscated WSF script that is difficult to analyze.
This script invokes PowerShell to connect to a malicious domain and execute the retrieved content, which consists of base64-encoded shellcode and a further PowerShell script.
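The delivery stage described above is HTML smuggling inside an image format: the SVG is the carrier, the browser is the unpacker. An added example, not from McAfee's analysis, of a static triage check a mail gateway or analyst could run over SVG attachments: it looks for script inside the image, a base64 blob and a Blob/download trigger, and peeks at the decoded payload's magic bytes. Both samples are constructed; the "smuggling" one carries a filler ZIP header, not a real archive, and the indicator names are the example's own.

```javascript
// Added example (not McAfee's code). Samples are constructed; the filler
// payload is a ZIP local-file-header signature followed by 'A' bytes.
const INDICATORS = [
  { id: 'inline-script',  re: /<script\b[^>]*>[\s\S]*?<\/script>/i },
  { id: 'event-handler',  re: /\son(load|click|error|mouseover)\s*=/i },
  { id: 'javascript-url', re: /(?:xlink:)?href\s*=\s*["']\s*javascript:/i },
  { id: 'blob-download',  re: /new\s+Blob\s*\(|createObjectURL\s*\(|\.download\s*=|\.click\s*\(/ },
  { id: 'base64-blob',    re: /[A-Za-z0-9+/]{200,}={0,2}/ },
];
const BASE64_RUN = /[A-Za-z0-9+/]{200,}={0,2}/g;
const ZIP_MAGIC = Buffer.from([0x50, 0x4b, 0x03, 0x04]); // "PK\x03\x04"

// Script plus a blob or a download trigger is the smuggling combination; a
// plain vector image has none of these indicators.
function scanSvg(text) {
  const hits = INDICATORS.filter(({ re }) => re.test(text)).map(({ id }) => id);
  let verdict = 'clean';
  if (hits.includes('inline-script') && (hits.includes('blob-download') || hits.includes('base64-blob'))) {
    verdict = 'smuggling';
  } else if (hits.length > 0) {
    verdict = 'suspicious';
  }
  return { verdict, hits, payload: embeddedPayloadType(text) };
}

// Decode the longest base64 run and classify it by its magic bytes.
function embeddedPayloadType(text) {
  const runs = [...text.matchAll(BASE64_RUN)].map((m) => m[0]);
  if (runs.length === 0) return null;
  const longest = runs.reduce((a, b) => (b.length > a.length ? b : a));
  const buf = Buffer.from(longest, 'base64');
  return buf.subarray(0, 4).equals(ZIP_MAGIC) ? 'zip' : 'unknown';
}

// Constructed benign sample: a plain icon.
const BENIGN_SVG =
  '<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 24 24">' +
  '<circle cx="12" cy="12" r="10" fill="#1e90ff"/></svg>';

// Constructed smuggling sample: the generic drop-a-blob skeleton with a
// filler payload (ZIP signature + 200 bytes of 'A').
const FILLER_ZIP_B64 = Buffer.concat([ZIP_MAGIC, Buffer.alloc(200, 0x41)]).toString('base64');
const SMUGGLING_SVG = `<svg xmlns="http://www.w3.org/2000/svg"><script><![CDATA[
  var bytes = Uint8Array.from(atob("${FILLER_ZIP_B64}"), function (c) { return c.charCodeAt(0); });
  var url = URL.createObjectURL(new Blob([bytes], { type: "application/zip" }));
  var a = document.createElement("a"); a.href = url; a.download = "invoice.zip"; a.click();
]]></script></svg>`;

// Example run over both constructed samples.
console.log(scanSvg(BENIGN_SVG));
console.log(scanSvg(SMUGGLING_SVG));
```

The verdict deliberately keys on the combination rather than on `<script>` alone, since interactive SVGs with scripts do exist; what a legitimate image never needs is a decoded blob handed to a download link. Decoding the blob and checking the first bytes is cheap and turns "there is base64 here" into "there is a ZIP here".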
Process Tree
The PowerShell script loads the shellcode into the legitimate MSBuild process using the process hollowing technique.
After injection, the shellcode performs an anti-analysis check and writes a Registry Run key to achieve persistence.
The final stage downloads and executes the GuLoader payload, or another malware variant.
Encoded PowerShell
Using SVG files to deliver malware such as GuLoader is a concerning development, because it turns a file type that mail filters and users treat as a harmless image into a carrier for active content.
Organizations and individuals should treat unexpected email attachments with caution, SVG files included, and security teams are encouraged to update their detection systems to cover this delivery method.