Blog
10.04.2023

Mitigating Vulnerabilities in the WordPress Import XML & RSS Feeds

The WordPress Import XML and RSS Feeds plugins have two significant vulnerabilities that can allow hackers to install web shells and deploy malware on targeted systems, putting over 3000 servers worldwide at risk. Attackers can use Living off the Land Binaries malware to execute commands and access files, leading to data exfiltration, credential theft, ransomware, denial of service, crypto mining, and botnet activities. The Virsec Security Platform can safeguard servers against these attacks, making it a proactive compensating control that offers server protection, even when an organization cannot apply software patches promptly.

Background: Over 3000 servers worldwide actively use the WordPress Import XML and RSS Feeds plugin. On September 25th, 2023, the US-CERT’s National Vulnerability Database (NVD) identified two vulnerabilities, CVE-2023-4300 (High Impact) and CVE-2023-4521, in versions 2.1.4 and below of this plugin.

Exploitation Risk: These vulnerabilities can allow a malicious actor to install a web shell and deploy malware on targeted systems. Depending on the attacker’s objectives, this malware can propagate within the network and initiate various attacks, including data exfiltration, credential theft, ransomware, denial of service, crypto mining, and botnet activities.

In-Depth Analysis: On August 28th, 2023, a researcher named Jonatas Souza Villa Flor discovered that the plugin fails to filter file extensions for uploaded files, enabling attackers to upload malicious PHP files, and resulting in remote code execution. The WordPress Security Scanner provided a proof-of-concept code that establishes a persistent command shell for the attacker’s control, facilitating further malware deployment.

Advanced Threat Techniques: Sophisticated attackers can use LOLBin (Living off the Land Binaries) malware instead of easily detectable executable malware. LOLBin malware leverages OS runtime utilities like bash and awk to execute commands, manipulate permissions, gather process information, extract credentials, access SSH private keys and known_hosts files, encode and encrypt data, inspect bash history, and even remove itself.

Kill Chain: We can divide the attacker’s activities into five stages: reconnaissance, persistence, weaponization, exploitation, and exfiltration:

WordPress Kill Chain

During the reconnaissance stage, Threat Actors leverage tools like Shodan to locate potentially vulnerable servers. Once found, the attacker verifies if the target uses the vulnerable WordPress plugin. Subsequently, in the persistence stage, the attacker establishes a reverse channel for control. In the weaponization stage, the attacker deploys the appropriate malware (such as LOLBIN scripts) for further reconnaissance, lateral movement, and data exfiltration. In the exploitation stage, the attacker performs malicious actions like lateral movement and data theft. Finally, in the exfiltration stage, critical data is sent back to the Threat Actor’s command and control center.

Virsec Security Platform (VSP) Protection: VSP is crucial in this scenario, as it identifies, within milliseconds, any code executed by the attacker during the reconnaissance stage as influenced by the attacker.

WordPress Kill Chain wVirsec

Even before the malicious code runs at Step 4, VSP’s Application Control Engine recognizes that no legitimate application is authorized to perform such actions. As a result, VSP safeguards the victim server by taking protective measures, such as terminating the user’s session, restarting the WordPress server, or closing the network socket used for communication with the attacker’s control center.

Demonstration: Watch a video illustrating how Virsec VSP thwarted Threat Actors that targeted these vulnerabilities at https://youtu.be/TrV5-9lq03c.

Key Takeaways:

  1. Organizations must respond promptly when information on Remote Code Execution vulnerabilities in deployed software becomes known. Threat actors are a constant threat, and the question isn’t if they will attack but when.

  2. While WPScan reported the vulnerability on August 28th, 2023, it’s challenging to determine if Threat Actors used these vulnerabilities even earlier.

  3. The Virsec Security Platform (VSP) provides proactive compensating controls, safeguarding systems even when patches cannot be applied promptly. CISOs can trust VSP to protect their systems.

For more information about the Virsec Security Platform (VSP) and how we protect vulnerable legacy workloads, visit www.virsec.com.

Don't miss our security insights, and subscribe to our blog now.

Subscribe to Our Blog
About the Author
Satya Gupta is Virsec’s visionary founder, with over 25 years of expertise in embedded systems, network security and systems architecture. Satya has helped build and guide the company through key growth phases from initial funding (2015), developing core technology with key partners including Raytheon and Lockheed (2016-2018), to launching an enterprise class, GA product (2019). Prior to this, Satya built a highly profitable software design and consulting business targeting data networking, application security and industrial automation projects. He was also Director of Firmware Engineering at Narad Networks and Managing Director and Chief Engineer at Eastern Telecom and Tech Ltd. Satya has more than 40 patents in complex firmware architecture with products deployed to hundreds of thousands of users. He holds a BS degree in Engineering from the Indian Institute of Technology in Kanpur and additional degrees from the University of Massachusetts at Lowell.