Versions 3.4.0 to 3.4.1.1 of the plugin were affected by an authentication bypass vulnerability that allowed unauthenticated attackers to elevate their privileges to administrator and take control of a vulnerable site.

The bug existed because the function responsible for validating application passwords from the Authorization header contained an incorrect return value, allowing attackers to send a REST API request and impersonate an administrator for the duration of the request.

“The plugin incorrectly treats the request as authenticated and sets the current user to the supplied administrator account, allowing unauthorized access to administrator-level REST API functionality, such as creating a new administrator account,” Defiant notes.

The web protection firm says it has blocked thousands of attacks targeting these vulnerabilities over the past 24 hours and warns that hundreds of thousands of websites are potentially at risk.

Kirki has over 500,000 active installations, but only 150,000 sites are believed to be running a vulnerable plugin version. Burst Statistics has more than 200,000 active installations.

Users are advised to update to Kirki version 6.0.7 or newer, and to Burst Statistics version 3.4.2 or newer, which contain patches for the exploited security defects.
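A defender-side check for the version ranges above, added here as an example and not taken from SecurityWeek, Defiant or either plugin. It reads the `Version:` field from a WordPress plugin header (the sample header text is constructed) and compares it against the affected and patched versions the article gives; the plugin slugs are assumed, and Kirki versions below 6.0.7 are reported only as "unpatched" because the article states no lower bound for Kirki.

```python
import re
from typing import Optional, Tuple

# Versions as reported in the article. Burst Statistics: 3.4.0 through
# 3.4.1.1 affected, fixed in 3.4.2. Kirki: fixed in 6.0.7, lower bound
# not given, so older Kirki builds are flagged "unpatched", not "vulnerable".
# Slugs are assumptions, not taken from the page.
PATCHED = {"burst-statistics": "3.4.2", "kirki": "6.0.7"}
AFFECTED = {"burst-statistics": ("3.4.0", "3.4.1.1")}

# Constructed sample of a WordPress plugin main-file header.
SAMPLE_HEADER = """<?php
/**
 * Plugin Name: Burst Statistics
 * Version: 3.4.1.1
 */
"""


def parse_version(v: str) -> Tuple[int, ...]:
    """Turn '3.4.1.1' into (3, 4, 1, 1); four-component versions are common here."""
    parts = tuple(int(p) for p in re.findall(r"\d+", v))
    if not parts:
        raise ValueError("no numeric version components in %r" % v)
    return parts


def vcmp(a: str, b: str) -> int:
    """Compare two version strings; missing trailing components count as 0."""
    ta, tb = parse_version(a), parse_version(b)
    n = max(len(ta), len(tb))
    ta, tb = ta + (0,) * (n - len(ta)), tb + (0,) * (n - len(tb))
    return (ta > tb) - (ta < tb)


def header_version(plugin_file_text: str) -> Optional[str]:
    """Extract the 'Version:' field from a plugin header comment block."""
    m = re.search(r"^\s*\*?\s*Version:\s*(\S+)", plugin_file_text, re.M)
    return m.group(1) if m else None


def assess(slug: str, version: str) -> str:
    """Return 'patched', 'vulnerable', 'unpatched' or 'unknown-plugin'."""
    if slug not in PATCHED:
        return "unknown-plugin"
    if vcmp(version, PATCHED[slug]) >= 0:
        return "patched"
    if slug in AFFECTED:
        lo, hi = AFFECTED[slug]
        if vcmp(version, lo) >= 0 and vcmp(version, hi) <= 0:
            return "vulnerable"
    return "unpatched"
```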

Source: SecurityWeek