fbpx
Frame-14

Privacy Ninja

        • DATA PROTECTION

        • CYBERSECURITY

        • Penetration Testing

          Secure your network against various threat points. VA starts at only S$1,000, while VAPT starts at S$4,000. With Price Beat Guarantee!

        • API Penetration Testing
        • Enhance your digital security posture with our approach that identifies and addresses vulnerabilities within your API framework, ensuring robust protection against cyber threats targeting your digital interfaces.

        • On-Prem & Cloud Network Penetration Testing
        • Boost your network’s resilience with our assessment that uncovers security gaps, so you can strengthen your defences against sophisticated cyber threats targeting your network

        • Web Penetration Testing
        • Fortify your web presence with our specialised web app penetration testing service, designed to uncover and address vulnerabilities, ensuring your website stands resilient against online threats

        • Mobile Penetration Testing
        • Strengthen your mobile ecosystem’s resilience with our in-depth penetration testing service. From applications to underlying systems, we meticulously probe for vulnerabilities

        • Cyber Hygiene Training
        • Empower your team with essential cybersecurity knowledge, covering the latest vulnerabilities, best practices, and proactive defence strategies

        • Thick Client Penetration Testing
        • Elevate your application’s security with our thorough thick client penetration testing service. From standalone desktop applications to complex client-server systems, we meticulously probe for vulnerabilities to fortify your software against potential cyber threats.

        • Source Code Review
        • Ensure the integrity and security of your codebase with our comprehensive service, meticulously analysing code quality, identifying vulnerabilities, and optimising performance for various types of applications, scripts, plugins, and more

        • Email Spoofing Prevention
        • Check if your organisation’s email is vulnerable to hackers and put a stop to it. Receive your free test today!

        • Email Phishing Excercise
        • Strengthen your defense against email threats via simulated attacks that test and educate your team on spotting malicious emails, reducing breach risks and boosting security.

        • Cyber Essentials Bundle
        • Equip your organisation with essential cyber protection through our packages, featuring quarterly breached accounts monitoring, email phishing campaigns, cyber hygiene training, and more. LAUNCHING SOON.

Buggy WordPress Plugin Exposes 100K Sites To Takeover Attacks

Buggy WordPress Plugin Exposes 100K Sites To Takeover Attacks

Critical and high severity vulnerabilities in the Responsive Menu WordPress plugin exposed over 100,000 sites to takeover attacks as discovered by Wordfence.

Responsive Menu is a WordPress plugin designed to help admins create W3C compliant and mobile-ready responsible site menus.

Flaws patched last month

In all, the Wordfence Threat Intelligence team found three vulnerabilities that can be exploited by attackers with basic user permissions to upload arbitrary files and remotely execute arbitrary code.

The first flaw enables authenticated attackers to upload arbitrary files which eventually allows them to achieve remote code execution.

The other two vulnerabilities allow a potential threat actor to forge requests to modify plugin settings of the plugin which, in turn, allows them to upload arbitrary files allowing for remote code execution. 

To abuse the critical vulnerability, attackers logged in as subscribers or another low-level user have to upload menu themes archived as ZIP files and containing malicious PHP files.

After the archive is extracted for installation, the attacker can access the files via the site frontend to remotely execute the malicious code which ultimately can lead to a full site takeover.

Also Read: What Legislation Exists in Singapore Regarding Data Protection and Security?

Responsive Menu theme upload function without capability checks
Buggy theme upload function (Wordfence)

ExpressTech, the company behind Responsive Menu, patched the security issues on January 19, 2021, following multiple contact attempts between December 17 and January 4.

The report inquiries were eventually answered on January 10, after Wordfence escalated to the WordPress Plugins team.

Since the security issues impact Responsive Menu versions 4.0.0 up to 4.0.3 (or running in legacy mode), users are advised to immediately update to version 4.0.4 that addresses the bugs to prevent exploitation attempts.

“All three vulnerabilities could lead to a site takeover, which could have consequences including backdoors, spam injections, malicious redirects, and other malicious activities,” Wordfence added.

Roughly 50,000 sites still exposed to attacks

Even though Responsive Menu 4.0.4, the patched version, was released on January 19, just over 50,000 new downloads have been recorded until yesterday based on stats available on the WordPress plugin’s repository.

Since these numbers include both updates and new installs, almost 50,000 WordPress sites using Responsive Menu can still be hijacked by attackers.

Earlier this week, Wordfence also reported two critical and high severity CSRF vulnerabilities in the NextGen Gallery plugin that let hackers inject backdoors, create rogue admins, and potentially take over 530,000 WordPress sites still running unpatched plugin versions.

Also Read: A Look at the Risk Assessment Form Singapore Government Requires

WordPress should install plugin security updates as soon as possible after they’re released by developers seeing that threat actors frequently exploit already fixed vulnerabilities in outdated WordPress plugins in their attacks.

0 Comments

KEEP IN TOUCH

Subscribe to our mailing list to get free tips on Data Protection and Data Privacy updates weekly!

Personal Data Protection

REPORTING DATA BREACH TO PDPC?

We have assisted numerous companies to prepare proper and accurate reports to PDPC to minimise financial penalties.
×

Hello!

Click one of our contacts below to chat on WhatsApp

× Chat with us