Craig Pepper
July 31, 2023

Threat Report 31.07.23

Vulnerabilities Detected in Ninja Forms Plugin Put 800,000 Sites at Risk

A recent report from Patchstack has exposed multiple security vulnerabilities in the widely-used Ninja Forms plugin for WordPress. These vulnerabilities, known as CVE-2023-37979, CVE-2023-38386, and CVE-2023-38393, impact versions 3.6.25 and below, putting over 800,000 websites at risk. Each flaw poses distinct risks to the affected sites.

The first vulnerability, CVE-2023-37979, has a CVSS score of 7.1 and is a reflected cross-site scripting (XSS) issue that operates through POST requests. Exploiting this flaw, an unauthorised user could gain elevated privileges on a targeted WordPress site by tricking privileged users into visiting a specially crafted website.

The next two vulnerabilities, CVE-2023-38386 and CVE-2023-38393, involve broken access control within the form submissions export feature. This could allow malicious actors with Subscriber and Contributor roles to export all Ninja Forms submissions on a WordPress site, potentially exposing sensitive data.

To protect their websites from potential threats, users of the Ninja Forms plugin are strongly advised to update to version 3.6.26 as soon as possible.

Apart from the Ninja Forms plugin, Patchstack also discovered other vulnerabilities affecting WordPress-related software. One such flaw is a reflected XSS vulnerability in the Freemius WordPress SDK, impacting versions prior to 2.5.10 (CVE-2023-33999), which could grant unauthorised access with elevated privileges.

Another critical bug was found in the HT Mega plugin (CVE-2023-37999), present in versions 2.2.0 and below. This vulnerability allows any unauthenticated user to escalate their privileges to match that of any role on the WordPress site.

Given these recent security disclosures, website administrators are urged to stay vigilant and apply the necessary updates and patches promptly to protect their WordPress installations from potential attacks.

Android Malware CherryBlos Employs OCR to Extract Sensitive Data

A recently discovered Android malware called CherryBlos is using optical character recognition (OCR) to gather sensitive data from images stored on infected devices. Distributed through fake social media posts, CherryBlos can steal cryptocurrency wallet credentials and manipulate clipboard content to replace wallet addresses with the attacker's address. The malware requests accessibility permissions, allowing it to grant itself additional privileges as needed. To evade detection, it redirects attempts to uninstall the app to the home screen.

CherryBlos overlays fake interfaces on legitimate cryptocurrency wallet apps to steal credentials and transfer funds fraudulently. It utilises OCR to identify potential mnemonic phrases in images on the device, uploading the results to a remote server. The success of the campaign relies on users' habit of taking screenshots of wallet recovery phrases.

Trend Micro discovered an app linked to the CherryBlos threat actors on the Google Play Store named Synthnet, but Google has since removed it. The group also shares similarities with another activity involving 31 scam money-earning apps known as FakeTrade. These apps targeted Android users in various countries, promising increased income but preventing fund withdrawals when attempted.

Recently, McAfee detailed an SMS phishing campaign against Japanese Android users involving malware called SpyNote, which masquerades as a power and water infrastructure app. Once launched, SpyNote tricks users into enabling accessibility features, allowing it to run in the background and install additional malware without user consent.

In response to the growing misuse of accessibility APIs by rogue apps, Google announced that starting August 31, 2023, all new developer accounts registering as organisations will need a valid D-U-N-S number from Dun & Bradstreet to submit apps, aiming to build user trust.

With malware threats constantly evolving, users must stay vigilant, avoid downloading apps from unverified sources, verify developer information, and scrutinise app reviews to mitigate risks.

Endpoint Manager Mobile Vulnerability Actively Exploited, Ivanti Issues Warning

Ivanti has disclosed a security flaw in Endpoint Manager Mobile (EPMM), formerly known as MobileIron Core, which has been actively exploited by malicious actors in the wild. Tracked as CVE-2023-35081 with a CVSS score of 7.8, the vulnerability affects supported versions 11.10, 11.9, and 11.8, as well as end-of-life (EoL) versions.

The vulnerability allows an authenticated administrator to perform arbitrary file writes to the EPMM server. When combined with CVE-2023-35078, a critical remote unauthenticated API access vulnerability, it enables attackers to bypass administrator authentication and restrictions, potentially gaining access to sensitive information and control over EPMM configurations.

The security flaws have been used to target Norwegian government entities, leading the U.S. Cybersecurity and Infrastructure Security Agency (CISA) to issue an alert urging users and organisations to apply the latest patches to mitigate the risk.

Additionally, Google Project Zero reported a decline in the number of in-the-wild 0-day vulnerabilities in 2022 compared to the previous year. While 41 such exploits were detected in 2022 (down from 69 in 2021), 17 of them were variations of previously disclosed vulnerabilities. The report also highlighted a decrease in browser-targeted 0-days, indicating that attackers are shifting their focus to zero-click exploits that target other components on devices.

Given the active exploitation of EPMM vulnerabilities, it is crucial for users and organisations to promptly apply security updates and follow best practices to enhance their cybersecurity posture.