{"id":4681,"date":"2019-05-25T13:24:42","date_gmt":"2019-05-25T13:24:42","guid":{"rendered":"https:\/\/pariswells.com\/blog\/?p=4681"},"modified":"2020-05-25T13:36:24","modified_gmt":"2020-05-25T13:36:24","slug":"wordpress-exploits-and-solutions","status":"publish","type":"post","link":"https:\/\/pariswells.com\/blog\/research\/wordpress-exploits-and-solutions","title":{"rendered":"WordPress Exploits and Solutions"},"content":{"rendered":"<h3>Issue Description 1<\/h3><p>In a default WordPress installation there are several methods to enumerate author usernames. These WordPress usernames can then be used in brute-force attacks against the WordPress login page to guess passwords.<\/p><h3>Solution 1<\/h3><p>Block requests to sensitive user information at the server, using an .htaccess file or a WAF for example. You should block or redirect all requests made to &#8216;\/wp-json\/wp\/v2\/users\/&#8217; and to the &#8216;author&#8217; parameter (via GET and POST requests).<\/p><p>Install the WordPress plugin &#8220;Disable REST API&#8221; and disable \/wp-json\/wp\/v2\/users\/.<\/p><p>https:\/\/codex.wordpress.org\/htaccess<br \/>http:\/\/cwe.mitre.org\/data\/definitions\/200.html<\/p><h3>Issue Description 2<\/h3><p>A public-facing WordPress XML-RPC interface has been detected. An attacker may be able to launch attacks against the web server via XML-RPC, including:<br \/>&#8211; Login to the WordPress administrative backend interface<br \/>&#8211; Brute-force user credentials<br \/>&#8211; Use pingbacks (for scanning or fingerprinting, for example)<\/p><h3>Solution 2<\/h3><p>Block requests to this interface at the server, using an .htaccess file or a WAF for example. 
You should block or redirect all requests made to &#8216;xmlrpc.php&#8217; (via GET and POST requests).<\/p><p>Install the WordPress plugin &#8220;Disable XML-RPC&#8221;.<\/p><p>https:\/\/codex.wordpress.org\/htaccess<br \/>https:\/\/codex.wordpress.org\/XML-RPC_Support<\/p><h3>Issue Description 3<\/h3><p>According to its self-reported version number, jQuery is prior to 3.4.0. Therefore, it may be affected by a prototype pollution vulnerability due to the &#8216;extend&#8217; function, which can be tricked into modifying the prototype of &#8216;Object&#8217;. Note that the scanner has not tested for these issues but has instead relied only on the application&#8217;s self-reported version number.<\/p><h3>Solution 3<\/h3><p>Upgrade to jQuery version 3.4.0 or later.<\/p><p>Install the WordPress plugin &#8220;jQuery Updater&#8221;.<\/p><p>https:\/\/snyk.io\/vuln\/SNYK-JS-JQUERY-174006<br \/>https:\/\/snyk.io\/blog\/after-three-years-of-silence-a-new-jquery-prototype-pollution-vulnerability-emerges-once-again\/<br \/>https:\/\/github.com\/jquery\/jquery\/pull\/4333<\/p><h3>Issue Description 4<\/h3><p>According to its self-reported version number, jQuery is at least 1.4.0 and prior to 1.12.0, or at least 1.12.4 and prior to 3.0.0-beta1. Therefore, it may be affected by a cross-site scripting vulnerability due to cross-domain AJAX requests performed without the dataType option. Note that the scanner has not tested for these issues but has instead relied only on the application&#8217;s self-reported version number.
<\/p><h3>Solution 4<\/h3><p>Upgrade to jQuery version 3.0.0 or later.<\/p><p>Install the WordPress plugin &#8220;jQuery Updater&#8221;.<\/p><p>https:\/\/github.com\/jquery\/jquery\/issues\/2432<br \/>https:\/\/github.com\/jquery\/jquery\/pull\/2588\/commits\/c254d308a7d3f1eac4d0b42837804cfffcba4bb2<\/p><h3>Issue Description 5<\/h3><p>The HTTP protocol by itself is clear text, meaning that any data transmitted via HTTP can be captured and its contents viewed. To keep data private and prevent it from being intercepted, HTTP is often tunnelled through either Secure Sockets Layer (SSL) or Transport Layer Security (TLS). When either of these encryption standards is used, it is referred to as HTTPS.<br \/>HTTP Strict Transport Security (HSTS) is an optional response header that can be configured on the server to instruct the browser to only communicate via HTTPS. This will be enforced by the browser even if the user requests an HTTP resource on the same server.<br \/>Cyber-criminals will often attempt to compromise sensitive information passed from the client to the server using HTTP. This can be conducted via various Man-in-the-Middle (MiTM) attacks or through network packet captures.<br \/>The scanner discovered that the affected application is using HTTPS but does not set the HSTS header.<\/p><h3>Solution 5<\/h3><p>Depending on the framework being used the implementation methods will vary; however, it is advised that the &#8216;Strict-Transport-Security&#8217; header be configured on the server.<br \/>One of the options for this header is &#8216;max-age&#8217;, which is a representation (in milliseconds) determining the time for which the client&#8217;s browser will adhere to the header policy. 
Depending on the environment and the application this time period could be from as low as minutes to as long as days.<\/p><p>Add the below to your functions.php:<\/p><pre><code>\/\/ HSTS Headers\nadd_action( 'send_headers', 'mo_strict_transport_security' );\nfunction mo_strict_transport_security() {\n    header( 'Strict-Transport-Security: max-age=15552001; includeSubDomains; preload' );\n}\n<\/code><\/pre><p>https:\/\/tools.ietf.org\/html\/rfc6797<br \/>https:\/\/www.owasp.org\/index.php\/HTTP_Strict_Transport_Security_Cheat_Sheet<br \/>https:\/\/www.chromium.org\/hsts<br \/>https:\/\/hstspreload.org\/<\/p>","protected":false},"excerpt":{"rendered":"<p>Issue Description 1 In a default WordPress installation there are several methods to enumerate author usernames. These WordPress usernames can then be used in brute-force attacks against 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[1130],"class_list":["post-4681","post","type-post","status-publish","format-standard","hentry","category-research","tag-wordpress"],"aioseo_notices":[],"_links":{"self":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/4681","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/comments?post=4681"}],"version-history":[{"count":1,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/4681\/revisions"}],"predecessor-version":[{"id":4682,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/posts\/4681\/revisions\/4682"}],"wp:attachment":[{"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/media?parent=4681"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/categories?post=4681"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/pariswells.com\/blog\/wp-json\/wp\/v2\/tags?post=4681"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}