Hackers are breaking into WordPress websites by exploiting a recently patched privilege escalation vulnerability in a popular plug-in that allows site owners to conform to the GDPR user data collection requirements.
The vulnerability was discovered last week after some WordPress users reported attacks against their websites. The plug-in was temporarily removed from the official plug-in repository and was later reinstated after a patched version was released.
According to researchers from WordPress security firm Defiant, the WP GDPR Compliance vulnerability allows attackers to first inject arbitrary options into a site’s database and then to call them to trigger arbitrary WordPress actions.
So far, attackers have been exploiting this issue in two ways. One method involves enabling new user registrations through the vulnerability and then changing the default role of new users to Administrator. Attackers can then simply register new users with administrator privileges and take over the website.
In the attacks seen in the wild, after compromising the website the hackers reverse the rogue configuration changes. This prevents other attackers from breaking in and administrators from noticing the unauthorized modifications.
“Several hours after the new user is created, the attacker logs in to their new administrator account and can begin installing further backdoors,” the Defiant researchers said in a blog post. “In our sample cases, we’ve seen attackers uploading a robust PHP webshell in a file named wp-cache.php.”
The second exploit observed by Defiant leverages the vulnerability to inject malicious actions into a website’s WP-Cron task scheduling mechanism. This exploit was only seen on websites that also have the WooCommerce plug-in installed and the rogue tasks are used to install a persistent backdoor that gets automatically reinstalled if removed.
So far, aside from opening backdoors into the compromised websites, researchers haven’t seen any other form of abuse or end-stage payload being used, which is unusual.
“This behavior can mean a number of different things. It’s possible that these attackers are stockpiling infected hosts to be packaged and sold wholesale to another actor who has their own intentions,” the researchers said. “There’s also the chance that these attackers do have their own goals in mind, but haven’t launched that phase of the attack yet.”
All website owners who have the WP GDPR Compliance plug-in installed should upgrade it to the latest version—currently 1.4.3—and should check if their websites have been compromised. The Defiant blog post contains indicators of compromise.
VMware Patches Critical VM Escape Vulnerability
VMware has patched a critical vulnerability in its ESXi, Workstation and Fusion products that could allow attackers to break out of virtual machines and compromise the host systems.
The vulnerability is located in the vmxnet3 virtual network adapter so only poses a risk to systems that have this adapter enabled. When exploited, the flaw allows a hacker who controls the guest operating system to execute arbitrary code on the host, breaking virtualization’s main security boundary.
The vulnerability was disclosed by a researcher from Chaitin Tech at the GeekPwn2018 contest that took place in Shanghai, China, Oct. 24-25. The contest organizers passed on the information to VMware, which developed patches and published an advisory last week.
Exploits that allow virtual machine escapes are highly valuable to hackers and pose a serious risk to data center and cloud infrastructure. Vulnerability broker Zerodium, which acquires zero-day exploits and shares them with its customers, including government agencies, is offering up to $100,000 for VMWare ESXi guest-to-host escapes.
Last week, a different researcher publicly disclosed a zero-day VM escape vulnerability in VirtualBox, a popular open source virtualization software. That vulnerability was also located in the driver for a virtualized network adapter.