An Unusually High Number of WordPress Plugin 0-days Exploited in March 2021

In March 2021 Seravo’s security monitoring noticed three separate 0-day vulnerabilities in multiple WordPress plugins being exploited. A zero day vulnerability means that upon discovering the vulnerability, there is no prior fix ready to be deployed, and often the only way to protect a site against the vulnerability is to deactivate and remove the affected plugin.

Zero-day vulnerabilities discovered in March 2021:

  • WooCommerce HelpScout, unauthenticated file upload and remote code execution (RCE) (Keep reading to find out more abour this vulnerability)
  • Thrive Themes and plugins*, unauthenticated arbitrary file upload and option deletion)
  • The Plus Addons for Elementor Page Builder < 4.1.7 (Authentication bypass) (Read our blog about it)

*) This vulnerability was also identified by Seravo, but reported to the WordPress vulnerability database by WordFence.

Monitoring the Sites for Malicious Code

The lack of fixes makes zero-day vulnerabilities vexatious. Oftentimes even recognizing them can be a feat, as on the surface the plugin seems to be working as usual. All break-ins permitted by the vulnerability won’t even leave a trace behind. Updating the plugins won’t protect WordPress sites from 0-days – the system must also be monitored and malicious traffic identified, both of which are covered in Seravo’s premium hosting and upkeep.

Seravo’s environment offers tools for inspecting the code, for example with the aid of PHPCS. It can be used in hunting down vulnerable pieces of code. If you’d like to have Seravo’s experts to carry out a thorough security examination or intensify your website’s security, get in touch with us.

On Saturday 20th of March 2021, Seravo’s security monitoring – a part of our upkeep service – made alerts about potentially malicious code. Once Seravo’s on-duty system administrator started investigating the matter, it was proven that malicious code indeed existed on some sites, meaning there had been a breach of some kind. Further investigations revealed that yet another* zero-day vulnerability had been found in a plugin used on websites in Seravo’s premium hosting service.

*) The previous 0-day vulnerability was found by Seravo on March 6th 2021.

Seravo’s Customers Are Protected

Due to the security measures and processes of Seravo’s infrastructure, none of the malicious code was run on the servers. Once found to be vulnerable, the plugin was promptly deactivated on Seravo’s customers’ websites.

The vulnerability was found in WooCommerce Help Scout WordPress plugin, allowing unauthenticated file uploads and remote code execution. These kinds of weaknesses in the plugin’s code are ranked critical by the Common Vulnerability Scoring System (CVSS), as they give an attacker full access to run possibly malignant code on a website with the vulnerable plugin activated.

The Affected Plugin Should Be Updated Immediately

This vulnerability has been fixed with plugin version 2.9.1 and the plugin should be updated immediately.

Following our threat handling process, we contacted the plugin developers as soon as the vulnerability was found. We also contacted WPScan WordPress Vulnerability Database and Finnish National Cyber Security Centre, so that all WordPress users could be aware of the vulnerability as soon as possible.

Proof-of-concept (PoC) code will be made available once enough time has passed for users to update.