Zerodium, a company that buys security exploits to then resell to government entities, tripled its price for WordPress Remote Command Execution (RCE) exploits.
In a tweet sent out on Friday, April 9th, Zerodium announced that they had temporarily tripled the price they pay out to security researchers for WordPress RCE exploits. Increasing the payout from $100,000 to $300,000.
A member of the WPScan research team discovered two security vulnerabilities within the premium WooCommerce Customers Manager WordPress plugin, versions less than 26.6.
The following two vulnerabilities were identified and added to our WordPress vulnerability database:
WordPress has a special file named wp-config.php that stores sensitive configuration information for your website.
By default, the wp-config.php file stores the following information:
Developers can also store other sensitive information in the file.
When developers write code they often use version control software, such as SVN or Git, to help manage their work.
When version control software is used, it often uses a hidden folder to store data about the source code being written. As this folder is hidden, it often can’t be viewed and therefore inadvertently ends up on your website.
Not so long ago the web’s communications were mostly un-encrypted, allowing anyone who could eavesdrop on the traffic to read them. In recent years, the web has seen a dramatic change from mostly being un-encrypted to encrypted.
When your website has HTTPS enabled all communication traffic from your user’s computers to your website are encrypted. This prevents any attackers, whether they be in a coffee shop trying to steal payment details, or nation state governments, from reading your user’s communications.
Not only does HTTPS offer your users more security, search engines like Google also rank websites that use HTTPS higher than those that don’t, resulting in more traffic from Google and others.
WordPress secret keys are random long bits of text that are stored in the wp-config.php file. They help with encrypting and hashing important data within WordPress. They are used to help secure your authentication cookies and to create secure numbers to protect against attacks.
WordPress have their own WordPress Secret Key Generator that will output random secret keys for you, like the ones below:
When WordPress developers are working on coding a theme or plugin, it is often useful for them to log important data to a file, such as error messages, so that they can view and fix any problems. In WordPress, the debug log file is created with a known file name, debug.log, and usually stored in the publicly accessible /wp-content/ directory.
To enable debug logging in WordPress, the developer has to set the following constants in the wp-config.php file:
The WPScan security research team identified an Unauthenticated Reflected Cross-Site Scripting (XSS) vulnerability within the Zebra_Form PHP library, which is used by multiple WordPress plugins.
While investigating a dubious advisory related to a Cross-Site Scripting (XSS) vulnerability in the wp-ticket plugin, the Zebra_Form library was found to be responsible for the issue. At the time of writing, despite contacting the vendor multiple times, the latest version of Zebra_Form, version 2.9.8, is still affected.
Fortunately, the affected WordPress plugins were no longer maintained, or had a small number of active installations. Nevertheless, we wanted to make the public aware of the vulnerability affecting Zebra_Form in case it is used elsewhere.
WordPress XMLRPC allows other websites and software to interact with your WordPress website. Also known as an API. Some examples include creating new posts, adding comments, deleting pages and probably most commonly used in WordPress, pingbacks.
As the name suggests, XMLRPC works by sending and receiving XML data. In WordPress, the file responsible for XMLRPC is called xmlrpc.php. This is the file that will receive XML data, process it and return the response, also in XML.
