WordPress Websites Under Threat

Using the AMP for WP plugin vulnerability, attackers can create users with administrator rights
21 November 2018

In October 2018, a vulnerability was discovered in AMP for WP, a popular plugin for generating Accelerated Mobile Pages, that allows any registered user to gain administrator privileges. WordPress sites running this plugin are now under an XSS attack that aims to create rogue administrator accounts.

The flaw that enables the privilege escalation is a missing authorization check on administrator actions in older versions of the plugin. The problem was fixed in version 0.9.97.20, released in early November 2018, but because plugins are not updated automatically on many WordPress sites, those sites remain vulnerable.

Wordfence security researcher Mikey Veenstra said that a large-scale automated XSS attack exploiting this vulnerability on unpatched sites is now under way.

The malicious script is hosted at https://sslapis[.]com/assets/si/stat.js (address defanged). When the script runs in an administrator's browser it creates a new administrator account, one under the attackers' control. It does this through a hidden iframe element that fills in the new-user registration form and dispatches a click() event to "push" the submit button.

In this way an administrator account with the username supportuuser and the e-mail address supportuser72019@gmail.com is added to the target site. The script then inspects the list of installed plugins and attempts to install a PHP backdoor.

The script reads parameters appended to the URL of the compromised plugin and assigns them as environment variables, which lets the attacker execute arbitrary commands:

WordPress site administrators are advised to:

  • check the list of administrator accounts and remove any unknown ones;
  • update AMP for WP to version 0.9.97.20 or later;
  • check the activity of the WooCommerce plugin, which is also subject to an XSS attack.
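The following is an added illustration of the defect the article describes (a missing authorization check on an administrator action) and of the first recommendation; it is not code from AMP for WP, Wordfence or the article. It uses a generic WordPress plugin "save settings" handler with hypothetical function and option names: the unchecked variant lets any logged-in user store raw HTML that the site later renders, which is the kind of stored XSS that a script such as stat.js rides on once it executes in an administrator's browser; the checked variant adds the capability check, a nonce, and output filtering. Note that once attacker-controlled JavaScript already runs in an administrator's session, same-origin nonces no longer help, so the fix has to prevent the injection in the first place.

```php
<?php
// Added illustration, not code from AMP for WP, Wordfence or the article.
// Function, action and option names below are hypothetical.

// BEFORE: no capability check, no nonce, raw HTML stored as-is. Any logged-in
// user (subscribers included) can reach wp_ajax_* handlers, so this stores an
// attacker-supplied <script> that every page later renders: stored XSS.
function example_save_footer_html_unchecked() {
    $html = isset( $_POST['footer_html'] ) ? wp_unslash( $_POST['footer_html'] ) : '';
    update_option( 'example_footer_html', $html );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_footer_unchecked', 'example_save_footer_html_unchecked' );

// AFTER: the capability check restricts the action to administrators regardless
// of who is logged in, the nonce ties the request to a form WordPress itself
// rendered for this user, and wp_kses_post() removes <script> and on* handlers
// before the value is stored.
function example_save_footer_html_checked() {
    check_ajax_referer( 'example_footer_settings', 'nonce' ); // sends 403 and exits on failure
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $html = isset( $_POST['footer_html'] ) ? wp_unslash( $_POST['footer_html'] ) : '';
    update_option( 'example_footer_html', wp_kses_post( $html ) );
    wp_send_json_success();
}
add_action( 'wp_ajax_example_save_footer_checked', 'example_save_footer_html_checked' );

// The settings form must carry the matching nonce for the hardened handler.
function example_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-ajax.php' ) ); ?>">
        <input type="hidden" name="action" value="example_save_footer_checked">
        <?php wp_nonce_field( 'example_footer_settings', 'nonce' ); ?>
        <textarea name="footer_html"><?php echo esc_textarea( get_option( 'example_footer_html', '' ) ); ?></textarea>
        <button type="submit">Save</button>
    </form>
    <?php
}

// Output must still be escaped or filtered where it is rendered; do not trust
// the option blindly even after the handler is fixed (older values may predate it).
function example_render_footer() {
    echo wp_kses_post( get_option( 'example_footer_html', '' ) );
}
add_action( 'wp_footer', 'example_render_footer' );

// Check for the first recommendation above: return administrator accounts whose
// login is not on an allowlist the site owner maintains. Returns "login <email>"
// strings so rogue accounts such as the one described in the article stand out.
function example_unexpected_admins( array $expected_logins ): array {
    $unexpected = [];
    foreach ( get_users( [ 'role' => 'administrator' ] ) as $user ) {
        if ( ! in_array( $user->user_login, $expected_logins, true ) ) {
            $unexpected[] = $user->user_login . ' <' . $user->user_email . '>';
        }
    }
    return $unexpected;
}
```

The same administrator inventory can be taken from the command line with WP-CLI, `wp user list --role=administrator --fields=ID,user_login,user_email`, and `wp plugin list` shows the installed version of each plugin so the AMP for WP version can be compared against 0.9.97.20.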

In June 2018, researchers at RIPS reported a WordPress vulnerability that allows malicious code to be uploaded to the system and critical files to be deleted. In November 2018 they also discovered a flaw in the WooCommerce plugin for this CMS.

PHP 7.4 Is Available

A large number of features and improvements are included in the newest release
02 December 2019

After a year of development, PHP 7.4 has been released. The new branch includes a series of new features, as well as several backward-incompatible changes.

Key improvements in PHP 7.4:

  • Typed Properties
  • Arrow Functions
  • Limited Return Type Covariance and Argument Type Contravariance
  • Unpacking Inside Arrays
  • Numeric Literal Separator
  • Weak References
  • Allow Exceptions from __toString()
  • Opcache Preloading
  • Several Deprecations
  • Extensions Removed from the Core

The functions get_magic_quotes_gpc(), get_magic_quotes_runtime(), hebrevc(), convert_cyr_string(), money_format(), ezmlm_hash(), restore_include_path() and ldap_control_paged_result_response() are deprecated.

A deprecation warning is now emitted when invalid characters are passed to base_convert(), bindec(), octdec() and hexdec(), and when a non-string pattern is passed to mb_ereg_replace().
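The script below is an added example, not part of the article or of the official PHP release notes; it exercises the 7.4 features listed above in one file (typed properties, arrow functions, return type covariance, array unpacking, the numeric literal separator, WeakReference, exceptions from __toString()) and shows how the new deprecation notice for invalid digits in bindec() surfaces. Class and variable names are the example's own; it requires PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Added example, not from the article or the PHP release notes. Requires PHP >= 7.4.

// Typed properties: the engine enforces the declared types on assignment.
final class Release {
    public string $version;
    public int $year;

    public function __construct(string $version, int $year) {
        $this->version = $version;
        $this->year    = $year;
    }

    // __toString() may now throw instead of being forced to return a string.
    public function __toString(): string {
        if ($this->version === '') {
            throw new RuntimeException('release has no version');
        }
        return "PHP {$this->version} ({$this->year})";
    }
}

// Limited return type covariance: an implementation may narrow the return
// type declared by the interface.
interface ReleaseFactory {
    public function make(): object;
}
final class CurrentReleaseFactory implements ReleaseFactory {
    public function make(): Release {
        return new Release('7.4', 2019);
    }
}

// Arrow functions capture variables from the enclosing scope by value.
$prefix = 'v';
$tag = fn(string $v): string => $prefix . $v;
echo $tag('7.4'), PHP_EOL;

// Unpacking inside arrays (7.4 supports integer-keyed arrays only).
$core = ['typed properties', 'arrow functions'];
$all  = [...$core, 'weak references', 'opcache preloading'];
echo count($all), ' features listed', PHP_EOL;

// Numeric literal separator: underscores are ignored by the parser.
$bytes = 1_048_576;
echo $bytes === 1048576 ? 'separator ok' : 'separator broken', PHP_EOL;

// Weak references do not keep their target alive.
$release = (new CurrentReleaseFactory())->make();
$weak    = WeakReference::create($release);
echo (string) $weak->get(), PHP_EOL;
unset($release);
echo $weak->get() === null ? 'target collected' : 'target still alive', PHP_EOL;

// Typed properties reject wrong types (TypeError under strict_types).
try {
    $r = new Release('7.4', 2019);
    $r->year = '2019';
} catch (TypeError $e) {
    echo 'TypeError: ', $e->getMessage(), PHP_EOL;
}

// An exception thrown from __toString() propagates to the caller.
try {
    echo new Release('', 2019);
} catch (RuntimeException $e) {
    echo 'caught: ', $e->getMessage(), PHP_EOL;
}

// Deprecated behaviour: invalid digits passed to bindec() still get ignored, but
// 7.4 raises an E_DEPRECATED notice. Catch it with an error handler here, or
// validate the input with a regular expression before converting.
set_error_handler(function (int $errno, string $errstr): bool {
    if ($errno === E_DEPRECATED) {
        echo 'deprecated: ', $errstr, PHP_EOL;
        return true;
    }
    return false;
});
echo bindec('102'), PHP_EOL;
restore_error_handler();
```

Run it with `php example.php` under PHP 7.4; under 7.3 the typed properties, arrow function and numeric separator are syntax errors, which is the quickest way to see which of the listed features are language-level rather than library-level changes.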

Get more information at the official website.