Discover Xolo Leap: All the essential features and services modern solopreneurs need to run a borderless business. Run an EU business from anywhere on the planet!
Be informed about the latest Unauthenticated WP FEB 2024 - WP Security Circumvention, identified and reported publicly. It is a -34% DECREASE compared to previous month, as specifically going around existing security. Consider for your online safety, a managed WP/Woo security AUDIT, – OR – switching with a TOP10LIST alternative WP Security Plugin - OR - Hire professionals for managed Security.
As these unrestricted access cases from publicly reported vulnerable plugins are on your domain, it opens Pandora’s box from a security point of view. The following cases made headlines PUBLICLY just last month in the Unauthenticated WP FEB 2024 category:
| Unauthenticated WordPress reported in 2023: | 235 |
| Unauthenticated WordPress reported in 2024: | 29 |
BRIEF: Open and Unauthenticated access to anything within a website is one thing everybody considers to be a total disaster. Many employees have come to rely on the Internet both for work and day-to-day life. As such, they demand unrestricted access at work, and many company bosses have obliged. Without the knowledge to them, however, there may be a risk associated with this.
Insecure Deserialisation is a vulnerability which occurs when untrusted data is used to abuse the logic of an application, inflict a denial of service (DoS) attack, or even execute arbitrary code upon it being deserialised. If the function that is responsible for converting serial data into a structured object assumes that the data is trusted, an attacker may format the serial data in such a way that the result of deserialisation is malicious. Unfortunately, many standard deserialisation functions in programming languages assume that the data is safe.
The plugin does not restrict access to a BACKUP file containing sensitive information, such as the internal path of backups, which may then allow unauthenticated users to download them.
By exploiting this vulnerability, attackers could simply upload files of any type, bypassing all restrictions placed regarding the allowed upload-able file types on a website. By doing this, it allows an attacker to inject malicious content such as web shells into the sites, and providing a method for initial access into the system.
When the plugin is configured with a custom header in its Trusted IP Origins setting (e.g X-Forwarded-For), attackers could bypass the protection offered by tampering the header sent in requests. When the plugin is configured to accept an arbitrary header as client source IP address, a malicious user is not limited to perform a brute force attack, because the client IP header accepts any arbitrary string. When randomising the header input, the login count does never reach the maximum allowed retries.
An attacker could leverage these issues to dump the database including administrative user credentials, to steal cookie-based authentication credentials, or launch other attacks. An anonymous user may create a new dive entry with a crafted HTTP POST.
How wonderful would be to simply let others take care of your chores? We absolutely understand why you would want that. This is why we propose this unique campaign: the price of one cup of coffee for a managed service.
Start simply by contacting us with your selections:
We care about the protection of your personal data. Update, subscribe or unsubscribe anytime. Read our Privacy Policy.
