Behind the Code: Identifying Zero-Day Exploits in WordPress

IF 2.8 Q2 COMPUTER SCIENCE, INFORMATION SYSTEMS

Future Internet Pub Date : 2024-07-19 DOI:10.3390/fi16070256

Mohamed Azarudheen Mohamed Mohideen, Muhammad Shahroz Nadeem, James Hardy, Haider Ali, Umair Ullah Tariq, Fariza Sabrina, Muhammad Waqar, Salman Ahmed

{"title":"Behind the Code: Identifying Zero-Day Exploits in WordPress","authors":"Mohamed Azarudheen Mohamed Mohideen, Muhammad Shahroz Nadeem, James Hardy, Haider Ali, Umair Ullah Tariq, Fariza Sabrina, Muhammad Waqar, Salman Ahmed","doi":"10.3390/fi16070256","DOIUrl":null,"url":null,"abstract":"The rising awareness of cybersecurity among governments and the public underscores the importance of effectively managing security incidents, especially zero-day attacks that exploit previously unknown software vulnerabilities. These zero-day attacks are particularly challenging because they exploit flaws that neither the public nor developers are aware of. In our study, we focused on dynamic application security testing (DAST) to investigate cross-site scripting (XSS) attacks. We closely examined 23 popular WordPress plugins, especially those requiring user or admin interactions, as these are frequent targets for XSS attacks. Our testing uncovered previously unknown zero-day vulnerabilities in three of these plugins. Through controlled environment testing, we accurately identified and thoroughly analyzed these XSS vulnerabilities, revealing their mechanisms, potential impacts, and the conditions under which they could be exploited. One of the most concerning findings was the potential for admin-side attacks, which could lead to multi-site insider threats. Specifically, we found vulnerabilities that allow for the insertion of malicious scripts, creating backdoors that unauthorized users can exploit. We demonstrated the severity of these vulnerabilities by employing a keylogger-based attack vector capable of silently capturing and extracting user data from the compromised plugins. Additionally, we tested a zero-click download strategy, allowing malware to be delivered without any user interaction, further highlighting the risks posed by these vulnerabilities. The National Institute of Standards and Technology (NIST) recognized these vulnerabilities and assigned them CVE numbers: CVE-2023-5119 for the Forminator plugin, CVE-2023-5228 for user registration and contact form issues, and CVE-2023-5955 for another critical plugin flaw. Our study emphasizes the critical importance of proactive security measures, such as rigorous input validation, regular security testing, and timely updates, to mitigate the risks posed by zero-day vulnerabilities. It also highlights the need for developers and administrators to stay vigilant and adopt strong security practices to defend against evolving threats.","PeriodicalId":37982,"journal":{"name":"Future Internet","volume":null,"pages":null},"PeriodicalIF":2.8000,"publicationDate":"2024-07-19","publicationTypes":"Journal Article","fieldsOfStudy":null,"isOpenAccess":false,"openAccessPdf":"","citationCount":"0","resultStr":null,"platform":"Semanticscholar","paperid":null,"PeriodicalName":"Future Internet","FirstCategoryId":"1085","ListUrlMain":"https://doi.org/10.3390/fi16070256","RegionNum":0,"RegionCategory":null,"ArticlePicture":[],"TitleCN":null,"AbstractTextCN":null,"PMCID":null,"EPubDate":"","PubModel":"","JCR":"Q2","JCRName":"COMPUTER SCIENCE, INFORMATION SYSTEMS","Score":null,"Total":0}

引用次数: 0

Abstract

The rising awareness of cybersecurity among governments and the public underscores the importance of effectively managing security incidents, especially zero-day attacks that exploit previously unknown software vulnerabilities. These zero-day attacks are particularly challenging because they exploit flaws that neither the public nor developers are aware of. In our study, we focused on dynamic application security testing (DAST) to investigate cross-site scripting (XSS) attacks. We closely examined 23 popular WordPress plugins, especially those requiring user or admin interactions, as these are frequent targets for XSS attacks. Our testing uncovered previously unknown zero-day vulnerabilities in three of these plugins. Through controlled environment testing, we accurately identified and thoroughly analyzed these XSS vulnerabilities, revealing their mechanisms, potential impacts, and the conditions under which they could be exploited. One of the most concerning findings was the potential for admin-side attacks, which could lead to multi-site insider threats. Specifically, we found vulnerabilities that allow for the insertion of malicious scripts, creating backdoors that unauthorized users can exploit. We demonstrated the severity of these vulnerabilities by employing a keylogger-based attack vector capable of silently capturing and extracting user data from the compromised plugins. Additionally, we tested a zero-click download strategy, allowing malware to be delivered without any user interaction, further highlighting the risks posed by these vulnerabilities. The National Institute of Standards and Technology (NIST) recognized these vulnerabilities and assigned them CVE numbers: CVE-2023-5119 for the Forminator plugin, CVE-2023-5228 for user registration and contact form issues, and CVE-2023-5955 for another critical plugin flaw. Our study emphasizes the critical importance of proactive security measures, such as rigorous input validation, regular security testing, and timely updates, to mitigate the risks posed by zero-day vulnerabilities. It also highlights the need for developers and administrators to stay vigilant and adopt strong security practices to defend against evolving threats.

查看原文本刊更多论文

代码背后识别 WordPress 中的零日漏洞

政府和公众的网络安全意识不断提高，这凸显了有效管理安全事件的重要性，尤其是利用以前未知软件漏洞的零日攻击。这些零日攻击尤其具有挑战性，因为它们利用的是公众和开发人员都不知道的漏洞。在我们的研究中，我们专注于动态应用安全测试 (DAST)，以调查跨站脚本 (XSS) 攻击。我们仔细检查了 23 个流行的 WordPress 插件，尤其是那些需要用户或管理员交互的插件，因为这些插件是 XSS 攻击的频繁目标。我们的测试在其中三个插件中发现了以前未知的零日漏洞。通过受控环境测试，我们准确识别并彻底分析了这些 XSS 漏洞，揭示了它们的机制、潜在影响以及可被利用的条件。最令人担忧的发现之一是管理员端攻击的可能性，这可能导致多站点内部威胁。具体来说，我们发现了允许插入恶意脚本的漏洞，从而创建了未经授权的用户可以利用的后门。我们采用了基于键盘记录程序的攻击载体，能够悄无声息地捕获和提取受攻击插件中的用户数据，从而证明了这些漏洞的严重性。此外，我们还测试了零点击下载策略，允许恶意软件在没有任何用户交互的情况下传输，进一步突出了这些漏洞带来的风险。美国国家标准与技术研究院（NIST）确认了这些漏洞，并为其分配了 CVE 编号：CVE-2023-5119（针对 Forminator 插件）、CVE-2023-5228（针对用户注册和联系表单问题）和 CVE-2023-5955 （针对另一个关键插件漏洞）。我们的研究强调了主动安全措施的极端重要性，如严格的输入验证、定期安全测试和及时更新，以降低零日漏洞带来的风险。它还强调了开发人员和管理员保持警惕并采取强有力的安全措施来抵御不断演变的威胁的必要性。

本文章由计算机程序翻译，如有差异，请以英文原文为准。

求助全文

约1分钟内获得全文求助全文

来源期刊

Future Internet Computer Science-Computer Networks and Communications

CiteScore

7.10

自引率

5.90%

发文量

303

审稿时长

11 weeks

期刊介绍： Future Internet is a scholarly open access journal which provides an advanced forum for science and research concerned with evolution of Internet technologies and related smart systems for “Net-Living” development. The general reference subject is therefore the evolution towards the future internet ecosystem, which is feeding a continuous, intensive, artificial transformation of the lived environment, for a widespread and significant improvement of well-being in all spheres of human life (private, public, professional). Included topics are: • advanced communications network infrastructures • evolution of internet basic services • internet of things • netted peripheral sensors • industrial internet • centralized and distributed data centers • embedded computing • cloud computing • software defined network functions and network virtualization • cloud-let and fog-computing • big data, open data and analytical tools • cyber-physical systems • network and distributed operating systems • web services • semantic structures and related software tools • artificial and augmented intelligence • augmented reality • system interoperability and flexible service composition • smart mission-critical system architectures • smart terminals and applications • pro-sumer tools for application design and development • cyber security compliance • privacy compliance • reliability compliance • dependability compliance • accountability compliance • trust compliance • technical quality of basic services.