WordPress Plugin Alert: Over 200,000 Sites Face Critical SQLi Vulnerability Threat

admin, February 28, 2024, 12:28:22


A critical security flaw has been disclosed in a popular WordPress plugin called Ultimate Member that has more than 200,000 active installations.


The vulnerability, tracked as CVE-2024-1071, carries a CVSS score of 9.8 out of a maximum of 10. Security researcher Christiaan Swiers has been credited with discovering and reporting the flaw.


In an advisory published last week, WordPress security company Wordfence said the plugin is "vulnerable to SQL Injection via the 'sorting' parameter in versions 2.1.3 to 2.8.2 due to insufficient escaping on the user supplied parameter and lack of sufficient preparation on the existing SQL query."


As a result, unauthenticated attackers could take advantage of the flaw to append additional SQL queries into already existing queries and extract sensitive data from the database.
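The advisory describes the classic unsafe pattern behind this class of bug: a request-controlled sort value is spliced into an ORDER BY clause, where placeholder binding cannot protect it. The following is an added illustration written for this article, not Ultimate Member's own code; the table name, column names and function names are hypothetical, while `$wpdb`, `$wpdb->prepare()` and `absint()` are standard WordPress APIs. It shows the unsafe pattern next to a hardened version that maps the parameter onto a fixed allowlist.

```php
<?php
// Added illustration, not Ultimate Member's code. Table and column names are
// hypothetical; $wpdb, prepare() and absint() are the real WordPress APIs.

// UNSAFE pattern: the ORDER BY fragment comes straight from the request.
// prepare() cannot help here, because %s/%d placeholders bind values,
// not identifiers or whole ORDER BY expressions.
function example_unsafe_user_query( $sorting ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_usermeta'; // hypothetical custom usermeta table
    return $wpdb->get_results( "SELECT user_id FROM {$table} ORDER BY {$sorting}" );
}

// HARDENED pattern: the request value is only ever used as a lookup key into
// an allowlist of sort expressions that the plugin author wrote. Anything
// not on the list falls back to a default, so request data never reaches SQL.
// Real values (the LIMIT) still go through prepare() placeholders.
function example_safe_user_query( $sorting, $limit = 20 ) {
    global $wpdb;
    $table = $wpdb->prefix . 'example_usermeta'; // hypothetical custom usermeta table

    $allowed_sorts = array(
        'newest'     => 'user_id DESC',
        'oldest'     => 'user_id ASC',
        'value_asc'  => 'meta_value ASC',
        'value_desc' => 'meta_value DESC',
    );
    $order_by = isset( $allowed_sorts[ $sorting ] )
        ? $allowed_sorts[ $sorting ]
        : 'user_id DESC';

    // $order_by is now one of our own string literals; %d binds the integer limit.
    $sql = $wpdb->prepare(
        "SELECT user_id FROM {$table} ORDER BY {$order_by} LIMIT %d",
        absint( $limit )
    );
    return $wpdb->get_results( $sql );
}
```

The allowlist is the important part: escaping a sort parameter with `esc_sql()` is not equivalent, because an ORDER BY expression is not a quoted string and escaping quotes does nothing for it. Reviewing plugin code for any `ORDER BY {$var}` or `ORDER BY " . $var` where `$var` can be traced back to `$_GET`, `$_POST` or an AJAX/REST request is a quick way to find the same pattern elsewhere.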


It's worth noting that the issue only affects users who have checked the "Enable custom table for usermeta" option in the plugin settings.


Following responsible disclosure on January 30, 2024, a fix for the flaw has been made available by the plugin developers with the release of version 2.8.3 on February 19.


Users are advised to update the plugin to the latest version as soon as possible to mitigate potential threats, especially in light of the fact that Wordfence has already blocked one attack attempting to exploit the flaw over the past 24 hours.


In July 2023, another shortcoming in the same plugin (CVE-2023-3460, CVSS score: 9.8) was actively exploited by threat actors to create rogue admin users and seize control of vulnerable sites.



The development comes amid a surge in a new campaign that leverages compromised WordPress sites to inject crypto drainers such as Angel Drainer directly or redirect site visitors to Web3 phishing sites that contain drainers.


"These attacks leverage phishing tactics and malicious injections to exploit the Web3 ecosystem's reliance on direct wallet interactions, presenting a significant risk to both website owners and the safety of user assets," Sucuri researcher Denis Sinegubko said.


It also follows the discovery of a new drainer-as-a-service (DaaS) scheme called CG (short for CryptoGrab) that runs a 10,000-member-strong affiliate program comprised of Russian, English, and Chinese speakers.


One of the threat actor-controlled Telegram channels "refers attackers to a telegram bot that enables them to run their fraud operations without any third-party dependencies," Cyfirma said in a report late last month.


"The bot allows a user to get a domain for free, clone an existing template for the new domain, set the wallet address where the scammed funds are supposed to be sent, and also provides Cloudflare protection for that new domain."


The threat group has also been observed using two custom telegram bots called SiteCloner and CloudflarePage to clone an existing, legitimate website and add Cloudflare protection to it, respectively. These pages are then distributed mostly using compromised X (formerly Twitter) accounts.


Originally published on the WeChat public account 知机安全: WordPress Plugin Alert: Over 200,000 Sites Face Critical SQLi Vulnerability Threat

Posted by admin on February 28, 2024, 12:28:22. Please keep this link when reposting (CN-SEC中文网, with thanks to the original author for their work): https://cn-sec.com/archives/2532587.html
