11-12-2024 , 11:32 PM
https://cyberinsider.com/700000-wordpres...available/ 700,000 WordPress Sites Vulnerable to Takeover, No Fix Available
November 12, 2024 By Alex Lekander — Leave a Comment
MainWP, a plugin widely used for managing multiple WordPress sites from a single dashboard, has left a critical security vulnerability unpatched, despite being informed of the issue.
This flaw, present in the MainWP Child plugin used by over 700,000 websites, permits unauthorized attackers to access websites with administrator privileges, potentially compromising sensitive data and user trust.
Authentication bypass problem
The vulnerability, classified as an authentication bypass, exists within the MainWP Child plugin due to an insecure connection setup between the MainWP Child and Dashboard plugins. When linking a MainWP Child site to a central Dashboard, the only required information is the site's URL and the administrator username — no password is necessary. This weak verification process allows attackers to exploit the connection and gain admin access simply by submitting a username, bypassing password checks entirely.
Within the plugin's register_site function, the setup process includes checks for certain parameters, such as user and pubkey. However, if both are supplied, the plugin's login function grants administrative access without enforcing a password requirement. This design flaw leaves sites with unprotected MainWP Child installations vulnerable to unauthorized logins. Notably, sites are only protected if they manually enable the “Require unique security ID” feature, which is off by default, thus leaving many installations exposed.
The flaw has been assigned a CVSS score of 9.2 (Critical) and is tracked as CVE-2024-10783.
Disclosure and response
Security researcher Sean Murphy, who identified the issue, disclosed it to MainWP and to Wordfence's bug bounty program. On November 2, 2024, Wordfence initially validated the report but later ruled the issue out of scope, describing it as a “known feature” rather than a vulnerability. Wordfence explained that this functionality, documented in MainWP's usage guidelines, was intentional and included user warnings. MainWP directly rejected the report on November 11, asserting the design's validity and confirming that the software “works as designed,” thus declining to patch the issue.
Murphy expressed dismay over MainWP's stance, pointing out that this is not the first instance of an authentication bypass vulnerability in the MainWP Child plugin. Similar flaws have been found and patched in the past, raising questions about MainWP's decision not to address this current vulnerability. Murphy argues that MainWP's approach fails to balance usability with necessary security protections.
Implications and security recommendations
MainWP's refusal to patch this vulnerability exposes managed sites to a substantial risk of takeover attacks, especially if left unconnected to a dashboard or if security configurations remain at default settings. The vendor's position underscores a fundamental disagreement over the nature of security risks: whereas many in the cybersecurity field consider insecure design a vulnerability in itself, MainWP and Wordfence's decisions suggest otherwise, emphasizing intention over security outcomes.
MainWP's warning when plugin left at vulnerable state
kernelmode.blog
For WordPress site administrators using MainWP Child, Murphy has recommended alternative security measures, such as enabling the “Require unique security ID” option, which, when configured, provides an additional verification layer. Additionally, security providers can deploy virtual patches on web application firewalls to detect and mitigate potential exploit attempts. Murphy provided a proof-of-concept (PoC) exploit, primarily for security teams, to help them recognize malicious activity targeting this vulnerability.
Website admins are recommended to perform the following actions:
Enable “Require unique security ID” to prevent unauthorized logins.
Use a Web Application Firewall (WAF) to detect and block exploit attempts by analyzing request patterns based on known attack signatures.
Keep all plugins, themes, and WordPress core updated, and assess installed plugins for potential risks, including intentional design flaws that could jeopardize security.
About Alex Lekander
Alex is the founder and Editor-in-Chief of CyberInsider.com. His background and expertise includes digital privacy, security, and tech journalism. When he’s not working behind a screen, Alex is probably tinkering with a boat or enjoying the outdoors. https://opentip.kaspersky.com/https%3A%2...tab=lookup Report
Report for web address
https://cyberinsider.com/700000-wordpres...available/
Good
Overview
IPv4 count ≈ 6
Files count 0
Created
26 Jun, 1996
17:00
Expires
25 Jun, 2028
18:00
Domain cyberinsider.com
Registration organization Privacy service provided by Withheld for Privacy ehf
Registrar name NAMECHEAP INC
November 12, 2024 By Alex Lekander — Leave a Comment
MainWP, a plugin widely used for managing multiple WordPress sites from a single dashboard, has left a critical security vulnerability unpatched, despite being informed of the issue.
This flaw, present in the MainWP Child plugin used by over 700,000 websites, permits unauthorized attackers to access websites with administrator privileges, potentially compromising sensitive data and user trust.
Authentication bypass problem
The vulnerability, classified as an authentication bypass, exists within the MainWP Child plugin due to an insecure connection setup between the MainWP Child and Dashboard plugins. When linking a MainWP Child site to a central Dashboard, the only required information is the site's URL and the administrator username — no password is necessary. This weak verification process allows attackers to exploit the connection and gain admin access simply by submitting a username, bypassing password checks entirely.
Within the plugin's register_site function, the setup process includes checks for certain parameters, such as user and pubkey. However, if both are supplied, the plugin's login function grants administrative access without enforcing a password requirement. This design flaw leaves sites with unprotected MainWP Child installations vulnerable to unauthorized logins. Notably, sites are only protected if they manually enable the “Require unique security ID” feature, which is off by default, thus leaving many installations exposed.
The flaw has been assigned a CVSS score of 9.2 (Critical) and is tracked as CVE-2024-10783.
Disclosure and response
Security researcher Sean Murphy, who identified the issue, disclosed it to MainWP and to Wordfence's bug bounty program. On November 2, 2024, Wordfence initially validated the report but later ruled the issue out of scope, describing it as a “known feature” rather than a vulnerability. Wordfence explained that this functionality, documented in MainWP's usage guidelines, was intentional and included user warnings. MainWP directly rejected the report on November 11, asserting the design's validity and confirming that the software “works as designed,” thus declining to patch the issue.
Murphy expressed dismay over MainWP's stance, pointing out that this is not the first instance of an authentication bypass vulnerability in the MainWP Child plugin. Similar flaws have been found and patched in the past, raising questions about MainWP's decision not to address this current vulnerability. Murphy argues that MainWP's approach fails to balance usability with necessary security protections.
Implications and security recommendations
MainWP's refusal to patch this vulnerability exposes managed sites to a substantial risk of takeover attacks, especially if left unconnected to a dashboard or if security configurations remain at default settings. The vendor's position underscores a fundamental disagreement over the nature of security risks: whereas many in the cybersecurity field consider insecure design a vulnerability in itself, MainWP and Wordfence's decisions suggest otherwise, emphasizing intention over security outcomes.
MainWP's warning when plugin left at vulnerable state
kernelmode.blog
For WordPress site administrators using MainWP Child, Murphy has recommended alternative security measures, such as enabling the “Require unique security ID” option, which, when configured, provides an additional verification layer. Additionally, security providers can deploy virtual patches on web application firewalls to detect and mitigate potential exploit attempts. Murphy provided a proof-of-concept (PoC) exploit, primarily for security teams, to help them recognize malicious activity targeting this vulnerability.
Website admins are recommended to perform the following actions:
Enable “Require unique security ID” to prevent unauthorized logins.
Use a Web Application Firewall (WAF) to detect and block exploit attempts by analyzing request patterns based on known attack signatures.
Keep all plugins, themes, and WordPress core updated, and assess installed plugins for potential risks, including intentional design flaws that could jeopardize security.
About Alex Lekander
Alex is the founder and Editor-in-Chief of CyberInsider.com. His background and expertise includes digital privacy, security, and tech journalism. When he’s not working behind a screen, Alex is probably tinkering with a boat or enjoying the outdoors. https://opentip.kaspersky.com/https%3A%2...tab=lookup Report
Report for web address
https://cyberinsider.com/700000-wordpres...available/
Good
Overview
IPv4 count ≈ 6
Files count 0
Created
26 Jun, 1996
17:00
Expires
25 Jun, 2028
18:00
Domain cyberinsider.com
Registration organization Privacy service provided by Withheld for Privacy ehf
Registrar name NAMECHEAP INC