Get your sites updated if your site is built with Divi! Critical Vulnerability Exposes over 700,000 Sites Using Divi, Extra, and Divi Builder

On July 23, 2020, our Threat Intelligence team discovered a vulnerability present in two themes by Elegant Themes, Divi and Extra, as well as Divi Builder, a WordPress plugin. Combined, these products are installed on an estimated 700,000 sites. This flaw gave authenticated attackers, with contributor-level or above capabilities, the ability to upload arbitrary files, including PHP files, and achieve remote code execution on a vulnerable site’s server.

We initially reached out to Elegant Themes on July 23, 2020 and, after establishing an appropriate communication channel, we provided the full disclosure details on July 28, 2020. The developers responded on June 29, 2020 to let us know a patch would be coming in the next version. Patches were released yesterday, on August 3, 2020, in version 4.5.3 for all products.

This is considered a critical security issue that could lead to remote code execution on a vulnerable site’s server. If you haven’t already updated, and you are running Divi versions 3.0 and above, Extra versions 2.0 and above, or Divi Builder versions 2.0 and above, we highly recommend updating to the patched version, 4.5.3, immediately. Alternatively, you can use their Security Patcher Plugin until you can update safely.

Both Wordfence Premium and free users are protected against any attacks attempting to exploit this vulnerability due to the Wordfence firewall’s built-in malicious file upload protection.


Description: Authenticated Arbitrary File Upload
Affected Products: Divi Theme, Extra Theme, and Divi Builder plugin
Theme Slugs: divi, extra
Plugin slug: divi-builder
Affected Versions: (Divi): 3.0 – 4.5.2
Affected Versions: (Extra): 2.0 – 4.5.2
Affected Versions: (Divi Builder): 2.0 – 4.5.2
CVE ID: Pending.
CVSS Score: 9.9 (CRITICAL)
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Fully Patched Version (same for all products): 4.5.3

Elegant Themes is the creator behind one of the most popular premium themes, Divi. One of the features of the Divi theme is that it comes with the Divi Page Builder that makes the site design and editing process easy and customizable. In addition to the Divi theme, Elegant Themes offers an alternative theme, Extra, that includes the Divi Builder. The standalone Divi Builder plugin is also available and can be used with any theme.

As part of the Divi Builder functionality, users that have the ability to create posts can import and export Divi page templates using the portability feature.

Unfortunately, we discovered that although this feature used a client-side file type verification check, it was missing a server-side verification check. This flaw made it possible for authenticated attackers to easily bypass the JavaScript client-side check and upload malicious PHP files to a targeted website. An attacker could easily use a malicious file uploaded via this method to completely take over a site.

Divi Builder portability feature used to import layouts

What went wrong?

Taking a closer look at the code, we can see that the portability import function was triggered with the use of the et_core_portability_import AJAX action and the corresponding et_core_portability_ajax_import function, which does have a nonce and capability check.

add_action( 'wp_ajax_et_core_portability_import', 'et_core_portability_ajax_import' );

The core of the problematic code could be found within the import function of the builder’s portability.php file. Since the plugin had a client-side JavaScript-based file extension check for .json files, the developers might have missed adding a server-side file-type check here prior to using the file’s contents during the import, or assumed the client-side check would be sufficient protection.

public function import( $file_context = 'upload' ) {
    global $shortname;
    $this->prevent_failure();
    self::$_doing_import = true;
    $timestamp              = $this->get_timestamp();
    $filesystem             = $this->set_filesystem();
    $temp_file_id           = sanitize_file_name( $timestamp );
    $temp_file              = $this->has_temp_file( $temp_file_id, 'et_core_import' );
    $include_global_presets = isset( $_POST['include_global_presets'] ) ? wp_validate_boolean( $_POST['include_global_presets'] ) : false;
    $global_presets         = '';
    if ( $temp_file ) {
        $import = json_decode( $filesystem->get_contents( $temp_file ), true );
    } else {
        if ( ! isset( $_FILES['file'] ) ) {
            return false;
        }
        if ( ! in_array( $file_context, array( 'upload', 'sideload' ) ) ) {
            $file_context = 'upload';
        }

Analyzing the code further, we see that the file is temporarily uploaded using wp_handle_upload with test_type set to false, which skips the wp_check_filetype_and_ext function that checks a file’s type and determines whether it is a safe file to upload based on a list of allowed MIME types.

This meant that the wp_handle_upload function did not test the file type during the upload, essentially disabling the extensive file-type checking protection built into the function.

$handle_file = "wp_handle_{$file_context}";
$upload      = $handle_file( $_FILES['file'], array(
    'test_size' => false,
    'test_type' => false,
    'test_form' => false,
) );

do_action( 'et_core_portability_import_file', $upload['file'] );

From there, the file’s content was checked to see if it could be used for the import. If the file’s content did not appear to be usable JSON data for an import, then the process was killed and the message ‘importContextFail’ was returned.

$temp_file = $this->temp_file( $temp_file_id, 'et_core_import', $upload['file'] );
$import = json_decode( $filesystem->get_contents( $temp_file ), true );
$import = $this->validate( $import );
$import['data'] = $this->apply_query( $import['data'], 'set' );
if ( ! isset( $import['context'] ) || ( isset( $import['context'] ) && $import['context'] !== $this->instance->context ) ) {
    return array( 'message' => 'importContextFail' );
}

Toward the end of the function, there was a hook to the function ‘delete_temp_files’ that was intended to delete any JSON files used for the import once completed. However, since the import died for files without usable JSON content before getting to this function, the files remained in the uploads directory until a legitimate JSON file was imported.

$this->delete_temp_files( 'et_core_import' );

This flaw made it possible for authenticated users with the edit_posts capability, like contributors, editors, and authors, to upload arbitrary files. An attacker could easily upload malicious PHP files and access them from the uploads directory. This could ultimately result in remote code execution and complete compromise of a vulnerable site’s hosting account.

The wp_ajax_et_theme_builder_api_import_theme_builder AJAX action and the corresponding function used to import a theme builder template were also susceptible to arbitrary file uploads due to the same issues. However, exploiting this would have required administrative privileges, which significantly reduces its severity.

Fortunately, Elegant Themes was very quick to respond and release a patch that not only prevented all files except .json files from being uploaded, but also ensured that files would be sufficiently deleted at any stage of the process once no longer used.
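As an added example, not Elegant Themes’ code, here is what the server-side checks the import function lacked look like in PHP: an extension check the browser cannot bypass, WordPress’s own type test left enabled, and temp-file cleanup on every exit path. The function name and its parameters are hypothetical, and it assumes the nonce and capability checks have already run.

```php
<?php
// Added example, not code from Divi, Extra or Divi Builder. It shows the
// server-side checks the original import() skipped. Assumes it runs inside a
// WordPress AJAX handler after the nonce and edit_posts capability checks have
// passed. The function name and $expected_context parameter are hypothetical.

function example_portability_import( array $file, string $expected_context ) {
    // Reject anything that is not a normal PHP upload (e.g. a crafted $_FILES entry).
    if ( empty( $file['tmp_name'] ) || ! is_uploaded_file( $file['tmp_name'] ) ) {
        return new WP_Error( 'not_upload', 'No uploaded file.' );
    }

    // Server-side extension check. wp_check_filetype() matches the extension
    // against the allowed list only, so a .php or .json.php name fails here
    // no matter what the browser-side JavaScript check said.
    $allowed = array( 'json' => 'application/json' );
    $type    = wp_check_filetype( $file['name'], $allowed );
    if ( 'json' !== $type['ext'] ) {
        return new WP_Error( 'bad_extension', 'Only .json layout files can be imported.' );
    }

    // Keep WordPress's own type checks on. With test_type left at its default,
    // wp_handle_upload() calls wp_check_filetype_and_ext(); if the host's
    // fileinfo misreports the JSON as text/plain the upload is rejected, which
    // fails closed instead of open.
    $upload = wp_handle_upload( $file, array(
        'test_form' => false,
        'mimes'     => $allowed,
    ) );
    if ( ! empty( $upload['error'] ) ) {
        return new WP_Error( 'upload_failed', $upload['error'] );
    }

    // From here on the file exists under wp-content/uploads, so it is deleted
    // before any return. The original code only deleted temp files after a
    // successful import, leaving rejected uploads on disk.
    $import = json_decode( (string) file_get_contents( $upload['file'] ), true );
    wp_delete_file( $upload['file'] );

    if ( ! is_array( $import ) || ! isset( $import['context'], $import['data'] ) ) {
        return new WP_Error( 'bad_json', 'importContextFail' );
    }
    if ( $import['context'] !== $expected_context ) {
        return new WP_Error( 'wrong_context', 'importContextFail' );
    }
    return $import['data'];
}
```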

How to Update your Elegant Themes Product

As long as you have supplied your Elegant Themes Username and API key on your WordPress site, then you can take care of your updates directly in the updates area on your site. To do so, log into your site, and navigate to the “Updates” area. Select the Elegant Themes product you would like to update and just click “Update Plugin” or “Update Theme” depending on which product you are updating.

Also, please note that Elegant Themes has made this patch available to users, even if your account is expired.

WordPress updates area showing a Divi Builder plugin that needs to be updated.

If you are unable to update fully, you can install Elegant Themes Security Patcher Plugin that will temporarily patch the vulnerability until you are able to do a complete update.

Another way to stay protected

As mentioned in our post last week, Wordfence has a feature to disable code execution in the uploads directory. Even if you’re not using one of Elegant Themes’ vulnerable products, we highly recommend enabling this setting as it will provide additional protection against vulnerabilities like this one that may erroneously allow PHP files to be uploaded into the uploads directory.

With this option enabled, attackers will not be able to execute PHP files uploaded into the uploads directory, providing an extra layer of security and assisting in thwarting attacks like this one. In the event that a zero-day vulnerability is discovered and actively exploited prior to the creation of a custom firewall rule, having this feature enabled can help keep your site protected.

The ‘Disable Code Execution for Uploads directory’ option location.

Proof of Concept Walkthrough

Due to the critical severity of this vulnerability and its high user install base, we are refraining from posting a proof of concept walkthrough video for this vulnerability at this time. If you are interested in learning how this vulnerability might be exploited, please join us for Wordfence Office Hours next week on Tuesday, August 11th at 12:00 EST. This allows us to give you time to update and still provide you with the in-depth details on how this could have been exploited on unprotected sites.

Disclosure Timeline

July 23, 2020 – Initial discovery of vulnerability. We verify the Wordfence firewall provides protection against exploit attempts and we make our initial contact attempt with the Elegant Themes team.
July 27, 2020 – The developer confirms inbox for handling disclosure.
July 28, 2020 – We send full disclosure details.
July 28, 2020 – They respond letting us know they have begun working on a patch and anticipate releasing it on the upcoming Monday.
July 31, 2020 – They send us the details of the patch so we can verify the fix is sufficient.
August 3, 2020 – A patch is released in version 4.5.3 for all products.

Conclusion

In today’s post, we detailed a flaw in Elegant Themes’ products Divi, Extra, and Divi Builder that provided authenticated users with the ability to upload arbitrary files, including PHP files, and execute any code in those files on the server. This flaw has been fully patched in version 4.5.3 for all products. We recommend that users immediately update to the latest version available, which is version 4.5.3 at the time of this publication.

Sites using Wordfence Premium as well as those still using the free version of Wordfence are protected from attacks against this vulnerability. If you know a friend or colleague who is using one of these themes or the plugin on their site, we highly recommend forwarding this advisory to them to help keep their sites protected as this is a critical security update.

Special thanks to Mitch, from Elegant Themes, for working with us to quickly get a patch out to protect Elegant Themes users.


Read the full post here: Critical Vulnerability Exposes over 700,000 Sites Using Divi, Extra, and Divi Builder


If you need us to do these updates for you, please contact us immediately.

Phishing : Beware of Fake Email from “A Professional Photographer / illustrator” claiming Copyright Infringement


We recently got an email from one of our clients in regard to copyright infringement on a site through the use of illustrations. At Coffee Web Design, we only use stock photos or graphics that are royalty free, and we limit the places we get our stock images from for our web designs. We take copyright infringement very seriously.

When we get an email like this, we have to do some research.

We did find this most recent article as a warning on a phishing alert that sends you to a Google doc share file and is also targeting WordPress sites at this moment.

DO NOT CLICK THE LINK

If you happen to click the link then it would be best practice to run a malware check in your browser and pc, or even phone if you tried to open it there.

Here is the information shared by Insercorp as a warning.

We have received several reports of a malicious website visitor filling out contact forms on iPlasmaCMS2 Websites from a person named “Mel” claiming your website is using their images and that you must “delete them NOW”.
Do NOT click on the link!
This is a classic phishing scheme – the malicious actor wants the unsuspecting victim who receives the email to click on the link which goes to a Google Drive hosted file that if clicked can create serious vulnerabilities in the victim’s device and/or network.

UPDATE – JUNE 29, 2020: It is confirmed that this script is also targeting Forms on WordPress websites as well. Thank you to the users who have contributed to this scam alert in our User Comments!
Ransomware Scheme Specifically Targeting iPlasmaCMS2 Website Administrators
The malicious actor, pretending to be a “Professional Photographer” or “Licensed Photographer” and going by the name “Mel” or “Melinda” with variations on the last name, is using different fake email addresses and providing different fake phone numbers (generally with a ‘718’ area code).

Once the recipient clicks the link it will take them to a file download that will allow the hacker to seize control of the user’s device. The hacker will then be able to hold the user’s device hostage and demand a ransom or exploit access to the users’ system leading to further damage, compromised accounts, or injection of worms (viruses that infect the host machine and use it to launch attacks on others).

Take a look at two almost identical messages sent through two completely different Website Contact Forms powered by iPlasmaCMS2, Insercorp’s proprietary Web Content Management System:

—–Original Message—–
From: REDACTED <noreply@REDACTED>
Sent: Monday, June 15, 2020 4:05 AM
To: REDACTED <REDACTED>
Subject: REDACTED Location Contact Form

iPlasmaCMS Location Contact Form Message Generated on June 15, 2020
Name: Mel
Email Address: Melphotographer985@aol.com
Phone Number: 17185795917
Preferred Contact Method: Phone

Comments
Hello there!

This is Melinda and I am a licensed photographer.

I was discouraged, frankly speaking, when I came across my images at your website. If you use a copyrighted image without my approval, you must be aware that you could be sued by the copyrigh owner.

It’s illicitly to use stolen images and it’s so disgusting!

Take a look at this document with the links to my images you used at REDACTED and my earlier publications to obtain evidence of my copyrights.

Download it right now and check this out for yourself:

<REDACTED>

If you don’t remove the images mentioned in the document above within the next several days, I’ll write a complaint against you to your hosting provider stating that my copyrights have been infringed and I am trying to protect my intellectual property.

And if it doesn’t work, you may be pretty damn sure I am going to report and sue you! And I will not bother myself to let you know of it in advance.

The hacker is trying to scare unsuspecting victims into clicking a link (which we have removed to prevent our readers from accidentally clicking it). Now take a look at another report we received from a completely different client later in the same day:

—–Original Message—–
From: REDACTED <noreply@REDACTED>
Sent: Monday, June 15, 2020 10:45 PM
To: REDACTED <REDACTED>
Subject: General Contact Form Message from REDACTED

General Contact Form Message
Generated on June 15, 2020

First Name: Mel
Last Name: Pursley
Title: You have no any rights to use my images for REDACTED without my consent! It’s illegal! It violates my rights! You must delete them NOW!!!!!
Company: Me photographer
Email Address: Menikon972@aol.com
Phone Number: 17188033311
Preferred Contact Method: Phone

Comments
Hello,

This is Melynda and I am a professional photographer.

I was confused, frankly speaking, when I came across my images at your web-site. If you use a copyrighted image without my consent, you need to be aware that you could be sued by the copyright holder.

It’s against law to use stolen images and it’s so filthy!

Take a look at this document with the links to my images you used at REDACTED and my earlier publications to obtain evidence of my legal copyrights.

Download it right now and check this out for yourself:

<REDACTED>

If you don’t remove the images mentioned in the document above within the next few days, I’ll write a complaint against you to your hosting provider stating that my copyrights have been infringed and I am trying to protect my intellectual property.

And if it doesn’t work, you may be pretty damn sure I am going to report and sue you! And I will not bother myself to let you know of it in advance.


Read the full article here 

WordPress Updates and Backup Services


At Coffee Web Design we always encourage our clients to keep up with and do monthly WordPress updates. We know sometimes you need to concentrate on your business and may forget, or aren’t sure you have the ability to do it correctly. That’s why we provide monthly services to maintain your WordPress web site.

What happens if you do not update WordPress?

Security risks are the most important reason why you should update WordPress, themes and plugins. They should be done in a particular order to lessen the chance of breaking things in your site. WordPress core files are usually updated first, then your plugins (one at a time) and then your themes.

Things are changing really fast in the technical world and sites are being attacked all the time by people seeking access to inject malware. These attacks are VERY time consuming if your site gets hacked. Then you have to pay for clean up of your files and your site to close those vulnerable areas and prevent it from happening again.

If you are behind or haven’t updated your site in a long time, you are more at risk for being hacked. 

If you are hacked, search engines like Google will flag your site so everyone can see that it is subject to malware. The clean up and process of being unflagged is also very time consuming, and search engines have to review the site over and over again until it is successfully clean for viewers. You do not want to risk being blacklisted or listed as a hacked site.

Attacks are on the rise, and we do not want to see any of our clients be vulnerable to hack attacks or face the expensive cost of cleaning up a site that has already been attacked. We now offer updating and maintenance services so you don’t have to worry about your web site any longer.

How often should you update your WordPress site?

Usually we get updates at least once a month. We know because we use WordPress as the platform for most of the sites we design and build. It’s a great platform and offers so many dynamic options, from just a personal WordPress page or blog to shopping carts and options for all types of business.

Plugin and Theme Vulnerabilities

Developers of all the great plugins and themes you can get for WordPress also have to keep up with WordPress core developments and security updates. These updates too are usually done on a monthly basis, if not more often! New warnings in WordPress also notify you of plugins that are abandoned or are no longer keeping up with the demands of updates. You should always be aware of these and find a comparable solution to replace such plugins with something else.

When we do updates at Coffee Web Design, we will notify you if this is the case.

Do we only offer updates for our design clients?

No, we offer updating services in several packages for both our design clients and those who just need the update and maintenance services.

What other options come with maintenance of WordPress sites?

  1. Security – we always make sure that people have some type of security plan in their WordPress site.
  2. A secure hosting plan – we want to make sure, no matter what hosting you have, that it is a good and safely secured hosting. We have seen servers become infected with malware that can affect any or all of the sites on your hosting plan. We always suggest cPanel hosting since there are more options for security.
  3. Backups are available both server side and as downloadable files, just in case your site gets hacked. If you are on a smaller or tight budget, just the monthly maintenance update plans are available.

We have been doing updates for clients for many years now, because they get behind, forget, or simply are unsure of how to do maintenance properly. This takes a lot of time for us just to make sure you are secured. By subscribing to our WordPress maintenance plans, we go in and make sure every month, these are done for you. If something happens during an update, it is our responsibility to find the solution. This is included. If you do your own updates, great! If something happens we have to charge to fix it from now on. 

What are the typical costs for breaking of your site or security breaches?

Breaking of sites because of updates can usually take 1-4 hours to find out the problem and fix it. We charge an hourly fee to fix this. If it takes over 4 hours, then we notify the client of our progress and an approximate time should be agreed upon. On weekends our hourly rate is double.

Fixing hacked sites – Anywhere you look, if your site is hacked due to not updating or not having security installed on your site, then this can take more time. Usually finding the vulnerabilities takes 4-16 hours or MORE! This can be costly no matter what service you use to clean up your site! In this case it runs between $125 for the first hour and up! Then hourly fees apply depending on what we need to do to fix your site. If anyone has to work weekends, then all hourly rates are double. This can be costly and we want to help you prevent this.

So think about our maintenance services to keep your site running in tip top shape. In the long run it is going to save hours of costly fees to fix your WordPress site.

The Coffee Team



7 Steps to Secure Your New WordPress Installation


If you are a WordPress designer or developer who installs WordPress many times, and you are still installing WordPress automatically (e.g. using SimpleScripts or Softaculous in your cPanel), you should read this article. I will explain how to install WordPress the correct way and properly secure it. I have divided the process into 7 steps and I recommend doing each one every time you set up a new WP installation. Here is our list.


1. Install WordPress the Manual Way

The first and most important step to a secure WordPress installation is to install it manually. I don’t recommend installing WordPress automatically using the tools in your web hosting account control panel, because these tools automatically set your WordPress username to “admin”, and this is definitely not good for security. They also may not let you change your database table prefix from the default “wp_” to something else (using the default wp_ prefix can be a security risk). So because of this I always prefer to install WordPress the manual way, even if it takes a little longer.


2. Don’t use “admin” as Your Username

As mentioned above, never use “admin” as your WordPress username. If a potential hacker were to try to guess your WP login details, the first thing they would try would be logging in with “admin” as the username. So because of this it is always recommended to use something different.


3. Use a Strong Password

This is a must and I’m sure you already know this. Use a strong password with both lowercase and uppercase letters, numbers and special characters like e.g. $ or &. I also recommend installing a password manager into your browser to manage all your passwords (this way you don’t have to remember them). You could try for example LastPass, as it’s free.


4. Remove Unnecessary Plugins and Themes

The first thing that I do after logging into a new WordPress dashboard is to delete the inactive plugins and themes that I won’t need. If you know that you will not be using a certain plugin or theme, you should remove it. This will make your WordPress installation cleaner.


5. Change Your WordPress Login Page

To take the security of your WordPress website even further, another good practice is to rename your WordPress admin login page. So, it won’t be yourwebsite.com/wp-login.php but for example yourwebsite.com/ml05pg2. You can use a free plugin for this, e.g. WPS Hide Login. This will make it even harder for anyone trying to log into your WordPress installation.


6. Prevent Spam Comments

Another good thing to do with every WP installation is to set the rules for your comments. In your WP admin panel, in Settings > Discussion, you can either completely forbid comments or set a rule like, for example, making the name and email fields mandatory. An important option is to have the setting “A comment is held for moderation” enabled, so that you can manually moderate your comments. I also recommend using a plugin to prevent comment spam on your blog. You can use Akismet or WP-SpamShield for example.


7. Backup Your Install

The last step to secure your website is to have an up-to-date backup of your whole installation. You can use a plugin like UpdraftPlus for this. You can even schedule your backups to be made automatically, e.g. every week, so that you always have a current copy of your website that you can restore if anything goes wrong.

Source: 7 Steps to Secure Your New WordPress Installation

If you need help in securing your WordPress Site, contact us to help you.

Is your home router hacked? How to check and what to do.


Tuesday morning Wordfence published a post showing how thousands of attacks we see on WordPress sites come from hacked home routers. In the past month alone we have seen over 57,000 unique home routers being used to attack WordPress sites. Those home networks are now being explored by hackers who have full access to them. They can access workstations, mobile devices, wifi cameras, wifi climate control and any other devices that use the home WiFi network.

Half of the internet service providers we analyzed have routers with a very specific vulnerability.

This vulnerability is known as the “misfortune cookie”. We will call it the MC vulnerability for short. It has been known for a few years and was first disclosed by CheckPoint in 2014. It is now being used to hack home routers. Using the tool below you can tell if you have the MC vulnerability.

The MC vulnerability exists in a service that your ISP uses to remotely manage your home router. That service listens on a “port” number, which is 7547. Besides the MC vulnerability, this port can have other vulnerabilities, one of which was disclosed a few months ago. Researchers have been discussing the dangers of port 7547 in home routers for a few years now.

Your ISP should not allow someone from the public internet to connect to your router’s port 7547. Only your ISP should be able to access this port to manage your home router. They have the ability to configure their network to prevent outsiders from accessing that port. Many ISPs do not block public access to port 7547.

You can use the tool below to determine if your port 7547 is open to the public internet. If it is, we suggest you contact your ISP and ask them to prevent outsiders from accessing that port on your home router. Even if you aren’t vulnerable to one of the two vulnerabilities we posted above, future vulnerabilities may emerge on port 7547. By blocking public access you will protect yourself and your home network.

Read the full article here https://www.wordfence.com/blog/2017/04/home-routers-attacking-wordpress/

How to check your router

Use this free tool on Wordfence Security to check your router and see if it has been hacked or is vulnerable.

What to do with the results?

If your router is vulnerable, we recommend that you:
  • Immediately reboot your home router. This may flush any malware from your home router.
  • Upgrade your router firmware to the newest version if you can.
  • Close port 7547 in your router config if you are able to. (Many routers don’t allow this)
  • If you can’t upgrade your own firmware, immediately call your ISP and let them know you have a serious security vulnerability in your home router and you need help fixing it. You can point them to this blog post (the page you are on) and this CheckPoint website for more information. Let them know that your router has a vulnerability on port 7547 in “Allegro RomPager” that can allow an attacker to access your home network and launch attacks from your router on others.
  • Run a virus scan on all your home workstations.
  • Update all home workstations and devices to the newest versions of operating system and applications or apps.
  • Update any firmware on home devices where needed.

If you are not vulnerable, but port 7547 is open, we recommend that you:

  • Reboot your home router immediately. You may suffer from other port 7547 vulnerabilities.
  • Upgrade your router firmware if you can.
  • Close port 7547 on your router if you can. (Many routers don’t allow this)
  • Contact your ISP and let them know that port 7547 on your home router is accessible from the public internet. Let them know that port 7547 is used by your ISP to manage the router. It should not be publicly available. Suggest that they filter access to that port to prevent anyone on the public internet accessing it.

If you found this article helpful and would like more like it, take a look at our other Fresh Brews!
