WordPress Exploits and Solutions

Issue Description 1

In a default WordPress installation there are several ways to enumerate author usernames. The enumerated usernames can then be used in brute-force
attacks against the WordPress login page to guess passwords.

Solution 1

Block requests for sensitive user information at the server, for example with an .htaccess file or a WAF. Block or redirect all requests made to
‘/wp-json/wp/v2/users/’ and all requests carrying the ‘author’ parameter (via GET and POST).

Install the WordPress plugin “Disable REST API” and disable /wp-json/wp/v2/users/.

https://codex.wordpress.org/htaccess
http://cwe.mitre.org/data/definitions/200.html

Issue Description 2

A public-facing WordPress XML-RPC interface has been detected.
An attacker may be able to launch attacks against the web server via XML-RPC, including:
– Logging into the WordPress administrative back end
– Brute-forcing user credentials
– Using pingbacks (for scanning or fingerprinting, for example)

Solution 2

Block requests to the XML-RPC interface at the server, for example with an .htaccess file or a WAF. Block or redirect all requests made to
‘xmlrpc.php’ (via GET and POST).

Install the WordPress plugin “Disable XML-RPC”

https://codex.wordpress.org/htaccess
https://codex.wordpress.org/XML-RPC_Support
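Findings 1 and 2 can also be handled in code instead of with the plugins named above. The snippet below is an added example, not code from the original page or from any of those plugins; it uses core WordPress hooks (rest_endpoints, template_redirect, xmlrpc_enabled, xmlrpc_methods, wp_headers), the mo_* function names are my own, and it goes inside the existing <?php of functions.php (or a small mu-plugin). It leaves the REST users route available to logged-in users so the block editor's author picker keeps working, and it removes the unauthenticated pingback method, which a bare xmlrpc_enabled filter does not cover.

```php
// Finding 1a: drop the /wp/v2/users routes for anonymous callers only.
// Logged-in users keep them because the block editor's author picker needs them.
add_filter( 'rest_endpoints', 'mo_hide_users_routes' );
function mo_hide_users_routes( $endpoints ) {
	if ( is_user_logged_in() ) {
		return $endpoints;
	}
	foreach ( array_keys( $endpoints ) as $route ) {
		if ( 0 === strpos( $route, '/wp/v2/users' ) ) {
			unset( $endpoints[ $route ] );
		}
	}
	return $endpoints;
}

// Finding 1b: refuse ?author=N before redirect_canonical() (template_redirect,
// priority 10) turns it into /author/<username>/. $_REQUEST covers GET and POST.
add_action( 'template_redirect', 'mo_block_author_param', 1 );
function mo_block_author_param() {
	if ( ! is_user_logged_in() && isset( $_REQUEST['author'] ) ) {
		wp_die( 'Forbidden', 'Forbidden', array( 'response' => 403 ) );
	}
}

// Finding 2: xmlrpc_enabled only switches off the methods that require a login.
// pingback.ping is unauthenticated, so unregister it as well and stop
// advertising the endpoint through the X-Pingback response header.
add_filter( 'xmlrpc_enabled', '__return_false' );
add_filter( 'xmlrpc_methods', 'mo_drop_pingback_methods' );
function mo_drop_pingback_methods( $methods ) {
	unset( $methods['pingback.ping'], $methods['pingback.extensions.getPingbacks'] );
	return $methods;
}
add_filter( 'wp_headers', 'mo_drop_x_pingback_header' );
function mo_drop_x_pingback_header( $headers ) {
	unset( $headers['X-Pingback'] );
	return $headers;
}
```

Keep the server-level block on xmlrpc.php from Solution 2 as well: these hooks only take effect once WordPress has loaded, so a request rejected by .htaccess or the WAF never reaches PHP at all.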

Issue Description 3

According to its self-reported version number, jQuery is prior to 3.4.0. Therefore, it may be affected by a prototype pollution vulnerability in the
‘extend’ function, which can be tricked into modifying the prototype of ‘Object’. Note that the scanner has not tested for these issues but has instead
relied only on the application’s self-reported version number.

Solution 3

Upgrade to jQuery version 3.4.0 or later.

Install the WordPress plugin “jQuery Updater”

https://snyk.io/vuln/SNYK-JS-JQUERY-174006
https://snyk.io/blog/after-three-years-of-silence-a-new-jquery-prototype-pollution-vulnerability-emerges-once-again/
https://github.com/jquery/jquery/pull/4333

Issue Description 4

According to its self-reported version number, jQuery is at least 1.4.0 and prior to 1.12.0, or at least 1.12.4 and prior to 3.0.0-beta1. Therefore, it may
be affected by a cross-site scripting vulnerability caused by a cross-domain AJAX request being performed without the dataType option.
Note that the scanner has not tested for these issues but has instead relied only on the application’s self-reported version number.

Solution 4

Upgrade to jQuery version 3.0.0 or later.

Install the WordPress plugin “jQuery Updater”

https://github.com/jquery/jquery/issues/2432
https://github.com/jquery/jquery/pull/2588/commits/c254d308a7d3f1eac4d0b42837804cfffcba4bb2

Issue Description 5

The HTTP protocol by itself is clear text, meaning that any data transmitted via HTTP can be captured and its contents viewed. To keep data
private and prevent it from being intercepted, HTTP is often tunnelled through either Secure Sockets Layer (SSL) or Transport Layer Security (TLS).
When either of these encryption standards is used, it is referred to as HTTPS.
HTTP Strict Transport Security (HSTS) is an optional response header that can be configured on the server to instruct the browser to only
communicate via HTTPS. This is enforced by the browser even if the user requests an HTTP resource on the same server.
Cyber-criminals will often attempt to compromise sensitive information passed from the client to the server over HTTP. This can be done via
various Man-in-the-Middle (MitM) attacks or through network packet captures.
The scanner found that the affected application uses HTTPS but does not send the HSTS header.

Solution 5

Depending on the framework in use the implementation will vary; however, it is advised that the ‘Strict-Transport-Security’ header be
configured on the server.
One of the options for this header is ‘max-age’, which is a value (in milliseconds) determining how long the client’s browser will
adhere to the header policy.
Depending on the environment and the application, this period could be anywhere from minutes to days.

Add the following to your functions.php:

// HSTS header: sent with every front-end response via the send_headers action
add_action( 'send_headers', 'mo_strict_transport_security' );
function mo_strict_transport_security() {
	// max-age=15552001 seconds (about 180 days) per RFC 6797; includeSubDomains extends the policy to every subdomain;
	// preload signals intent to join browser preload lists (hstspreload.org requires a max-age of at least one year for submission)
	header( 'Strict-Transport-Security: max-age=15552001; includeSubDomains; preload' );
}

https://tools.ietf.org/html/rfc6797
https://www.owasp.org/index.php/HTTP_Strict_Transport_Security_Cheat_Sheet
https://www.chromium.org/hsts
https://hstspreload.org/

Tags: wordpress