WP Maintenance Plugin fixes flaw that allowed malicious code injection by hackers

Plugins are part of the core tools that enable WordPress websites to run properly. However, it is also important to ensure that your plugins are not an entry point for attackers to insert malicious code that endangers your visitors. In this age of GDPR you also want to prevent loss of data.

It is therefore important to ensure that any installed plugins are regularly checked for vulnerabilities and flaws. At WordPress Chase we endeavor to bring you this security news as soon as it hits our desk.

You can also use Jetpack's continuous monitoring to ensure that your site or blog is up and running, and to mitigate any downtime before clients or visitors report it to you. Here is how to configure the Jetpack Downtime monitor.

High Severity Vulnerability Patched in WP Maintenance Plugin affecting 30,000+ active installations

Back to the security update of the day. On November 15th, 2019, the Wordfence Threat Intelligence team identified a vulnerability in WP Maintenance, a WordPress maintenance plugin with over 30,000 active installs. This flaw allowed attackers to enable a vulnerable site's maintenance mode and inject malicious code affecting site visitors. They disclosed the issue privately to the plugin's developer, who released a patch the next day.

Versions of WP Maintenance up to 5.0.5 are vulnerable to this flaw. All WP Maintenance users should update to version 5.0.6 immediately.

Read: How to install, manage and uninstall or delete a WordPress Plugin

Here is the report:

Limited Nonce Protection and Input/Output Sanitization

WP Maintenance provides a maintenance mode to site owners wishing to take their site offline during a maintenance period, with useful features for enabling and customizing a maintenance page. These features include a customizable title, customizable text, a custom maintenance page image, custom CSS styles, a countdown, font and color choices, etc.

With extensive customizability comes a greater responsibility for security. Unfortunately, with no nonce protection and only scarce input/output sanitization of setting values, Cross-Site Request Forgery (CSRF) leading to Cross-Site Scripting (XSS) vulnerabilities were possible in WP Maintenance.

Settings could be edited across 6 tabs: General, Colors & Fonts, Pictures, CountDown, CSS Style, and Settings, all of which were susceptible to a CSRF attack. Additionally, several settings could be injected with malicious code, allowing XSS attacks. Settings could also be manipulated to an attacker’s benefit. For instance, an attacker could enable maintenance mode on a site, causing a loss of availability.
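To make the two missing defences concrete, here is an added illustration written for this post; it is not WP Maintenance's own code, and the option names, the `hyp_` prefix, the action name and the form fields are all hypothetical. It shows a settings handler in the shape the report describes (no nonce, no sanitization) beside a hardened handler that uses WordPress's own nonce, capability, sanitization and escaping functions, which is exactly what blocks the CSRF-to-XSS chain.

```php
<?php
// Added illustration (not the plugin's code). Option names, the 'hyp_' prefix,
// the action name and the form fields are hypothetical.

// --- Vulnerable shape: no capability check, no nonce, no sanitization ---
// A form on another site can POST here while an admin is logged in, and the
// stored values are later echoed unescaped into the public maintenance page.
function hyp_save_settings_vulnerable() {
    update_option( 'hyp_maint_enabled', $_POST['enabled'] );
    update_option( 'hyp_maint_title',   $_POST['title'] );
    update_option( 'hyp_maint_text',    $_POST['text'] );
    wp_safe_redirect( admin_url( 'options-general.php?page=hyp-maint' ) );
    exit;
}

// --- Hardened version ---
function hyp_save_settings() {
    // 1. Only users allowed to manage options may change them.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient permissions.', '', array( 'response' => 403 ) );
    }
    // 2. CSRF defence: the request must carry a nonce bound to this action and
    //    to the current user's session. A forged cross-site form cannot know it,
    //    so check_admin_referer() dies before any setting is touched.
    check_admin_referer( 'hyp_save_maint_settings', 'hyp_maint_nonce' );

    // 3. Input sanitization: coerce each value to the shape it must have.
    $enabled = isset( $_POST['enabled'] ) ? 1 : 0;
    $title   = sanitize_text_field( wp_unslash( $_POST['title'] ?? '' ) );
    // Rich text is allowed here, but only the HTML a post may contain:
    // <script>, on* event handlers and javascript: URLs are stripped.
    $text    = wp_kses_post( wp_unslash( $_POST['text'] ?? '' ) );

    update_option( 'hyp_maint_enabled', $enabled );
    update_option( 'hyp_maint_title',   $title );
    update_option( 'hyp_maint_text',    $text );

    wp_safe_redirect( admin_url( 'options-general.php?page=hyp-maint&updated=1' ) );
    exit;
}
add_action( 'admin_post_hyp_save_maint_settings', 'hyp_save_settings' );

// The settings form. wp_nonce_field() emits the hidden field that the
// hardened handler verifies; without it the request is rejected.
function hyp_render_settings_form() {
    ?>
    <form method="post" action="<?php echo esc_url( admin_url( 'admin-post.php' ) ); ?>">
        <input type="hidden" name="action" value="hyp_save_maint_settings">
        <?php wp_nonce_field( 'hyp_save_maint_settings', 'hyp_maint_nonce' ); ?>
        <p><label><input type="checkbox" name="enabled" value="1"
            <?php checked( get_option( 'hyp_maint_enabled' ), 1 ); ?>>
            Enable maintenance mode</label></p>
        <p><input type="text" name="title"
            value="<?php echo esc_attr( get_option( 'hyp_maint_title', '' ) ); ?>"></p>
        <p><textarea name="text"><?php echo esc_textarea( get_option( 'hyp_maint_text', '' ) ); ?></textarea></p>
        <?php submit_button( 'Save' ); ?>
    </form>
    <?php
}

// 4. Output escaping on the public maintenance page: even a value that slipped
//    past sanitization cannot break out of its HTML context here.
function hyp_render_maintenance_page() {
    $title = get_option( 'hyp_maint_title', '' );
    $text  = get_option( 'hyp_maint_text', '' );
    echo '<h1>' . esc_html( $title ) . '</h1>';
    echo '<div class="maint-text">' . wp_kses_post( $text ) . '</div>';
}
```

Two points of design are worth noting. The nonce check and the capability check are independent: the capability check stops low-privilege users, while the nonce stops a forged request that rides on an administrator's own session, which is the CSRF case the report describes. Sanitizing on the way in and escaping on the way out are likewise independent layers, so a gap in one does not become stored XSS for every visitor.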

CSRF & Security Awareness

This vulnerability offers a good moment to remind ourselves of the importance of staying vigilant about all input from users on our sites, as CSRF exploits are difficult to protect against. A CSRF, or Cross-Site Request Forgery, vulnerability "is an attack that forces an end user to execute unwanted actions on a web application in which they're currently authenticated." This means that CSRF vulnerabilities can only be exploited when someone with administrative capability performs an action set up by an attacker, for example clicking on a link while authenticated to a web application like WordPress.

A common example to consider is receiving a comment on your WordPress blog containing a link. Clicking the link in the comment to see what the commenter is referring to could lead to exploitation of a vulnerability. Instead of that link taking you to the site you think you may be visiting, it could send a request to update your WordPress website plugin settings on your behalf.

Stay vigilant when clicking links or attachments in comments or even in emails because it is possible that someone is trying to exploit the human weakness on your site: you. We recommend not visiting any links from an untrusted source because malicious content could be on the other side of that link – even on the other end of a URL shortened link.

NOTE: The affected plugin should not be confused with the much more popular "WP Maintenance Mode" plugin.

Read more on the Wordfence Blog
