Security Archives - Online Pitstop

Third-Party Attacks Drive Major Financial Losses in 2024

admin — Sat, 01 Mar 2025 01:03:56 +0000

Third-party attacks emerged as a significant driver of material financial losses from cyber incidents in 2024, according to cyber risk management firm Resilience.

Third-party risks made up 31% of all client insurance claims and 23% of material losses last year. This marks a significant change from 2023, when no third-party claims led to material losses for Resilience clients.

“This shift underscores the growing vulnerabilities created by interconnected systems and reliance on external vendors in 2023,” the firm wrote in a report dated February 27.

Ransomware the Biggest Cause of Losses

Ransomware attacks targeting vendors made up 42% of the third-party claims, with losses from these incidents rising four-fold compared to 2023. The attack on automotive software firm CDK, which impacted thousands of car dealerships across the US and Canada, is an example of a ransomware attack on a vendor that financially impacts customers.

Vendor security failings, including the CrowdStrike global outage in July 2024, made up 4% of all material claims. Not all the claims arising from this incident have been fully developed, Resilience noted.

The company said that this trend is driving insurance companies to adjust their underwriting practices regarding third-party risk.

Overall, ransomware held its position as the top cause of material losses for businesses from 2023 to 2024. First-party ransomware incidents made up 44% of client ‘s material claims, while ransomware targeting vendors contributed to 18% of such claims.

Altogether, 62% of claims with losses were related to ransomware.

Despite these figures, the researchers noted that there are indications that ransomware frequency may be declining in broader markets.

“This is likely due to threat actors focusing on larger, high-profile organizations that yield bigger payouts, as opposed to the previous “spray and prey” approach,” they said.

Phishing Claims Fall Significantly

Phishing-related cyber incidents made up 9% of incurred claims in 2024, representing a 55% fall compared to 2023.

The researchers believe this trend is a reflection of improvements in phishing defenses and the shift towards third-party attacks.

There was a marked increase in transfer fraud claims, making up 18% of claims in 2024 compared to 14% in 2023.

Transfer fraud is where a scammer tricks a person into transferring them money using psychological manipulation. Resilience said it has observed scammers’ use of AI to scale such social engineering campaigns, resulting in increased susceptibility and higher success rates.

“As transfer fraud continues to grow, organizations must strengthen internal controls, educate employees on fraud prevention, and implement more robust verification processes for financial transactions,” the firm commented.

The post Third-Party Attacks Drive Major Financial Losses in 2024 appeared first on Online Pitstop.

DragonForce Ransomware Hits Saudi Firm, 6TB Data Stolen

admin — Fri, 28 Feb 2025 01:02:48 +0000

A new ransomware attack by DragonForce has targeted organizations in Saudi Arabia.

The attack, which affected a prominent Riyadh-based real estate and construction firm, resulted in the exfiltration of over 6TB of sensitive data.

According to a new advisory by Resecurity, threat actors first announced the breach on February 14, 2025, demanding ransom before publishing the stolen information. The deadline was set for February 27, one day before the start of Ramadan.

Advanced Data Leak Strategies

Following the expiration of the ransom deadline, DragonForce published the stolen data through a dedicated leak site (DLS), separate from its primary platform.

The ransomware group, which operates on a Ransomware-as-a-Service (RaaS) model, continues to expand its affiliate network, providing tools and resources to cyber-criminals in exchange for a share of ransom payments. Notably, its DLS features advanced CAPTCHA mechanisms to prevent automated tracking by cybersecurity firms.

DragonForce has been active since December 2023, with its first known victim being the Heart of Texas Region MHMR Center. The group has since evolved, leveraging sophisticated encryption techniques, TOR-based communications and secure payment methods, including Bitcoin wallets and private chat systems.

Ransom Payment Collection and Affiliate Network

The group recruits affiliates through the RAMP underground forum, offering one of the highest commission rates in the cybercrime market—up to 80% of ransom proceeds.

Affiliates communicate via TOR-based instant messaging (TOX) and must prove their capability by demonstrating access to victim networks. To enhance security, DragonForce has tightened its vetting process after a previous leak exposed affiliate URLs.

Affiliates also receive support services, such as:

‘Call services’ for direct victim intimidation
NTLM/Kerberos hash decryption to aid post-compromise operations
A highly flexible ransomware builder allowing customization of encryption settings

Tools, Tactics and Exploited Vulnerabilities

DragonForce employs phishing attacks and exploits vulnerabilities in Remote Desktop Protocol (RDP) and Virtual Private Network (VPN) services to gain initial access.

The group also employs dual extortion tactics, encrypting victim data while threatening to publish stolen information if ransom demands are unmet. Additionally, DragonForce has been known to release audio recordings of ransom negotiations, increasing pressure on victims to comply.

“The combination of wealthy targets, cybersecurity gaps and geopolitical factors make the Middle East an attractive region for ransomware groups to exploit, making these attacks more profitable,” Resecurity wrote.

“The DragonForce ransomware targeting KSA and the associated data leak from the recent victim in KSA underscore the urgent need for enhanced cybersecurity measures to protect vital national assets and sensitive information.”

The post DragonForce Ransomware Hits Saudi Firm, 6TB Data Stolen appeared first on Online Pitstop.

99% of Organizations Report API-Related Security Issues

admin — Thu, 27 Feb 2025 00:56:32 +0000

A growing reliance on APIs has fueled security concerns, with nearly all organizations (99%) reporting API-related security issues in the past year.

According to the Q1 2025 State of API Security Report by Salt Security, the rapid expansion of API ecosystems—driven by cloud migration, platform integration and data monetization—is outpacing security measures and exposing organizations to increased risk.

API Growth and Security Gaps

The report, published on Febrary 26, highlights significant API growth, with 30% of organizations experiencing a 51-100% increase in APIs over the past year and 25% reporting growth exceeding 100%.

API Growth Over the Past 12 Months. Credit: Salt Security.

This expansion has created challenges in maintaining accurate API inventories, as 58% of organizations monitor their APIs less than daily and lack confidence in inventory accuracy. Only 20% have achieved real-time monitoring, leaving most vulnerable to security threats.

Key API security challenges include:

37% of security issues stem from vulnerabilities such as misconfigurations and broken object-level authorization
34% involve sensitive data exposure
29% relate to authentication failures, highlighting weak access controls

“Organizations are facing the challenge of properly cataloging all their APIs so they can be placed into the proper security testing and awareness program,” said Thomas Richards, principal consultant at Black Duck. “The technology can improve workflows and benefit organizations, but we can’t forget the basics of cybersecurity to document, test, and verify best practices in order to innovate securely and manage software risk.”

Security challenges in production APIs over the past year. Credit: Salt Security.

Despite increasing investments, security gaps persist. Over half of organizations have boosted API security budgets, yet 30% cite limited funds as a key challenge.

Additionally, 22% struggle with personnel shortages and 10% lack proper security tools.

Many organizations (55%) have delayed application rollouts due to API security concerns, while 14% find their API programs difficult to manage.

“Because API attacks most often result from unauthorized or inappropriate access credential use, modern security requires access control that goes well beyond traditional perimeter-based identity access and authentication strategies,” explained Piyush Pandey, CEO at Pathlock. “Dynamic, agile access controls that start with compliant provisioning, continue with high-risk access monitoring and finish with critical application infrastructure health maintenance [are essential].”

Attack Trends and Emerging Risks

An analysis of API attack patterns reveals that 95% of attacks originate from authenticated users, underscoring the risk of compromised accounts. External-facing APIs remain a primary attack vector, with 98% of attack attempts targeting these interfaces. Among the most exploited vulnerabilities:

Security misconfigurations (54%)
Broken object-level authorization (27%)
API authentication failures (1%)

Generative AI (GenAI) is also reshaping the security landscape, introducing new threats and concerns. One-third of respondents report a lack of confidence in detecting AI-driven attacks, while 31% worry about the security of AI-generated code. Organizations are responding by implementing governance frameworks (26%) and AI-specific security tools (37%).

Security problems found in production APIs over the past 12 months. Credit: Salt Security.

Strengthening API Security

The report urges organizations to adopt a proactive security strategy, emphasizing real-time monitoring, robust posture governance, and adherence to frameworks such as the OWASP API Security Top Ten. Stronger API inventory management and investment in AI-driven security tools are also critical to mitigating emerging risks.

“The main driver of API adoption is the need for loose coupling between complex systems,” explains Jason Soroko, senior fellow at Sectigo. “APIs are abstraction layers that decouple underlying complexities, enabling rapid integration and development, which fuels digital transformation. [However], as organizations increasingly rely on APIs, the rapid expansion often outpaces security measures.”

To stay ahead, Soroko recommends that “cloud platforms and other purveyors of APIs need to offer security diagnostics to make it easier to rapidly deploy and maintain APIs with secure configurations.”

With API usage continuing to surge, organizations must prioritize security strategies that evolve alongside their expanding ecosystems to safeguard sensitive data and infrastructure against emerging threats.

The post 99% of Organizations Report API-Related Security Issues appeared first on Online Pitstop.

61% of Hackers Use New Exploit Code Within 48 Hours of Attack

admin — Wed, 26 Feb 2025 00:53:56 +0000

In 2024, cyber-criminals have launched attacks within 48 hours of discovering a vulnerability, with 61% of hackers using new exploit code in this short timeframe.

Companies faced an average of 68 days of critical cyber-attacks, while ransomware remained the most significant threat. The healthcare industry was particularly affected, with ransomware responsible for 95% of all breaches and impacting more than 198 million US patients.

These figures come from SonicWall’s Annual Cyber Threat Report, which also suggested that attackers are leveraging AI-driven automation and advanced evasion techniques, making it increasingly difficult for SMBs to defend themselves.

Key Cyber Threat Trends

These were some of the key cyber threat identified by SonicWall in 2024:

Ransomware Surge: North America saw an 8% rise, while Latin America experienced a 259% spike
IoT Attacks: Increased 124% year-over-year, with hackers targeting unprotected devices
Business Email Compromise (BEC): Accounted for 33% of reported cyber insurance events, up from 9% in 2023
Malware Variants: SonicWall identified 210,258 never-before-seen malware variants, averaging 637 new threats daily
Living Off the Land Binaries (LOLBins): Attackers increasingly use native system tools to evade detection

Top 10 LOLBins by percentage. Credit: SonicWall.

AI-enabled and File-based Attacks

According to the report, AI-driven tools are making cyber-attacks more accessible and complex. Server-side request forgery (SSRF) attacks rose by 452% as AI enhances obfuscation techniques and automates exploit chaining.

Business Email Compromise (BEC) attacks are also evolving, with generative AI enabling cybercriminals to craft highly convincing phishing emails.

File-based attacks, particularly involving malicious PDFs and HTML phishing files, also experienced a significant increase.

According to SonicWall data, 38% of detected malicious files were HTML-based, while PDFs followed closely at 22%.

Breakdown of everyday files used by threat actors. Credit: SonicWall.

Strengthening Cyber Defenses

To counter these threats, businesses must adopt a multi-layered cybersecurity strategy.

Key recommendations from SonicWall include:

Real-Time Patch Management: Apply security patches within 48 hours of disclosure
Zero Trust Security Models: Restrict access and validate all network traffic
24/7 Threat Monitoring: Partner with MSSPs for continuous security oversight
Enhanced Ransomware Defenses: Implement network segmentation and endpoint detection & response (EDR)
IoT Security: Secure connected devices by changing default credentials and updating firmware

With cyber-criminals accelerating their tactics, SMBs must act promptly to strengthen their defenses and mitigate financial and reputational damage.

The post 61% of Hackers Use New Exploit Code Within 48 Hours of Attack appeared first on Online Pitstop.

Essential Addons for Elementor XSS Vulnerability Discovered

admin — Tue, 25 Feb 2025 00:53:20 +0000

A critical security vulnerability in Essential Addons for Elementor has been identified, potentially impacting over two million WordPress websites.

The flaw, a reflected cross-site scripting (XSS) vulnerability, was discovered due to insufficient validation of the popup-selector query argument, allowing malicious scripts to be executed.

The issue, tracked with CVE-2025-24752, was first uncovered by Patchstack Alliance researcher xssium on September 30, 2024. After notifying the plugin vendor, a fix was implemented in version 6.0.15.

Understanding the Vulnerability

Essential Addons for Elementor is the most popular extension for the Elementor page builder, counting over 2 million active installations.

It enhances Elementor’s functionality by providing additional creative elements that help users design more dynamic and visually appealing web pages.

The flaw originated from the src/js/view/general.js file, where the plugin failed to properly sanitize the popup-selector argument.

When triggered, this could allow attackers to execute malicious scripts by embedding harmful content into the page.

How the Patch Fixes the Issue

The WPDeveloper resolved the vulnerability by enforcing stricter validation, permitting only alphanumeric characters and a limited set of symbols in the popup-selector argument. This prevents common XSS attack methods from exploiting the flaw.

WordPress developers are reminded of the importance of properly validating and sanitizing user-provided data.

“When working with user-provided data, developers need to ensure this data is properly validated and sanitized against potential processes that could lead to XSS,” Patchstack warned.

“Additionally, when rendering user-provided data back onto the website, it is important to make sure the content is properly escaped to help ensure potential XSS vulnerability.”

Failure to do so can expose websites to significant security risks, including unauthorized access and data breaches.

The post Essential Addons for Elementor XSS Vulnerability Discovered appeared first on Online Pitstop.

BlackBasta Ransomware Chatlogs Leaked Online

admin — Mon, 24 Feb 2025 00:52:54 +0000

Netherlands-based threat intelligence firm Prodaft revealed on February 20 that internal chatlogs from the BlackBasta ransomware gang have been leaked online.

BlackBasta is a ransomware strain that was first detected in April 2022. Early on, cyber threat intelligence experts assessed that the members of the group behind the ransomware were associated with other top-tier ransomware groups, especially Conti and REvil.

Yelisey Bohuslavskiy, Partner and Chief Research Officer at Red Sense, believes BlackBasta is a merger of the two defunct groups.

BlackBasta Internal Chat Logs Likely Legitimate

The leaked internal chat logs, purportedly from the BlackBasta ransomware group’s Matrix server, were initially posted on file sharing site MEGA by an individual calling themselves ExploitWhispers.

The files are now accessible via a dedicated Telegram channel after their removal from the original platform.

BlackBasta’s internal chats just got exposed, proving once again that cybercriminals are their own worst enemies. Keep burning our intelligence sources, we don’t mind. 😉 pic.twitter.com/6So7dl7xXn

— PRODAFT (@PRODAFT) February 20, 2025

The source of the leak remains unclear. The identity and motives of ExploitWhispers are unknown.

The leaks, which several threat intelligence sources told Infosecurity are likely legitimate, contain “highly useful information from a threat intelligence perspective,” according to Prodaft.

The logs contain 196,045 messages, all in Russian. They include internal messages spanning from September 18, 2023, to September 28, 2024, with details on the relationships between key threat actors, the group’s access to internal networks, as well as other significant information that provides deeper insight into the group’s operations.

Internal Conflict Causes BalckBasta’s Disbanding

One of the most active ransomware groups in early 2024, BalckBasta’s operations significantly reduced in the summer. This summer lull is typical for the group however their activity has never reached previous highs – bar October 2024 – since and BlackBasta claimed almost no attacks in 2025.

One week before the leaks several threat intelligence analysts, including Red Sense’s Bohuslavskiy, assessed that BlackBasta had disbanded.

According to Prodaft, the leaks revealed that the group has been mostly inactive this year due to internal conflicts, primarily caused by a key player in the ransomware syndicate known as ‘Tramp’ or ‘Trump.’

“Tramp was responsible for distributing Qbot and managing a spamming network, which led to major disputes within the team. As a result, several key members have left,” a Prodaft spokesperson told Infosecurity.

A Prodaft researcher known as @3xp0rt on social media also explained that BlackBasta was facing several internal and external pressures.

Internally, it seems that the alleged leader, Oleg Nefedov (aka ‘Tramp’ or ‘Trump’) prioritized his own financial gain, creating a toxic environment. An administrator named ‘Lapa’ is said to be overworked, underpaid and verbally abused, while another administrator known as ‘YY’ receives better compensation.

Externally, BlackBasta conducted a risky brute-force attack on Russian banks, which may provoke a reaction from authorities. This attack also caused ‘Cortes,’ associated with the Qakbot group, to distance himself from BlackBasta.

BlackBasta Members Join Cactus and Akira Ransomware Groups

The leaks also confirmed a possible link between some BlackBasta operators and the Akira ransomware syndicate, whose activity seemed to have picked up exactly when BlackBasta’s operation was easing.

“We can confirm that a number of BlackBasta operators—many of whom were originally part of the ex-Conti cluster—have migrated to both Cactus ransomware and Akira ransomware,” the Prodaft spokesperson said.

“This shift aligns with broader trends in the ransomware ecosystem, where operators frequently move between groups as internal disputes arise or financial incentives change,” Prodaft added.

The images illustrating this article were generated using Shutterstock AI Image Generator.

The post BlackBasta Ransomware Chatlogs Leaked Online appeared first on Online Pitstop.

DoD Contractor Pays $11.2M over False Cyber Certifications Claims

admin — Sun, 23 Feb 2025 00:45:38 +0000

California-based Health Net Federal Services (HNFS), a subsidiary of St Louis-based Centene Corporation, has reached an agreement to pay $11,253,400 to resolve allegations of false cybersecurity compliance certifications.

According to the US Department of Justice (DoJ), the false cybersecurity certifications were used to comply with requirements in a US Department of Defense (DoD) contract to administer the Defense Health Agency’s (DHA) TRICARE health benefits program for servicemembers and their families.

HNFS failed to meet certain cybersecurity controls and falsely certified compliance with them in annual reports to DHA between 2015 and 2018, it is alleged.

The reports were required under HNFS’ contract with the DHA to administer the TRICARE program.

It is also alleged that HNFS failed to timely scan for known vulnerabilities and to remedy security flaws on its networks and systems, in accordance with its System Security Plan and the response times HNFS had established.

The firm is also accused of ignoring reports from third-party security auditors and its internal audit department of cybersecurity risks on HNFS’ networks and systems related to asset management; access controls; configuration settings; firewalls; end-of-life hardware and software in use; patch management; vulnerability scanning; and password policies.

“Companies that hold sensitive government information, including sensitive information of the nation’s servicemembers and their families, must meet their contractual obligations to protect it,” said Acting Assistant Attorney General Brett A. Shumate, head of the Justice Department’s Civil Division.

“We will continue to pursue knowing violations of cybersecurity requirements by federal contractors and grantees to protect Americans’ privacy and economic and national security,” he said.

In 2016, Centene acquired all of the issued and outstanding shares of Health Net Inc., HNFS’s corporate parent, and assumed the liabilities of HNFS.

The claims asserted against defendants are allegations only and there has been no determination of liability, the DoJ has noted.

The post DoD Contractor Pays $11.2M over False Cyber Certifications Claims appeared first on Online Pitstop.

Salt Typhoon Exploited Cisco Devices With Custom Tool to Spy on US Telcos

admin — Sat, 22 Feb 2025 00:33:28 +0000

Chinese state-sponsored hackers, Salt Typhoon, used the JumbledPath utility in their attacks against US telecommunication providers to stealthily monitor network traffic and potentially steal sensitive data, a new Cisco report revealed.

In the report published by Cisco Talos on February 20, the researchers confirmed Salt Typhoon gained access to core networking infrastructure through Cisco devices and then used that infrastructure to collect a variety of information.

The typical approach of Salt Typhoon to gain initial access to Cisco devices was through the threat actor obtaining legitimate victim login credentials using living-off-the-land (LOTL) techniques on network devices.

One of the main revelations of the report was that Salt Typhoon used JumbledPath, a custom-built utility allowing the threat actor to execute a packet capture on a remote Cisco device through an actor-defined jump host.

Salt Typhoon Techniques, Tactics and Procedures

According to Cisco Talos, Salt Typhoon used stolen credentials and actively tried to steal more by targeting weak password storage, network device configurations and capturing authentication traffic.

The group stole device configurations, often via TFTP/FTP, to gain access to sensitive information like SNMP strings and weakly encrypted passwords, which could then be easily decrypted, and to understand network topology for further attacks.

JumbledPath, a utility written in Go and compiled as an ELF binary using an x86-64 architecture, was found in actor-configured Guest Shell instances on Cisco Nexus devices.

Guest Shell is a Linux-based virtual environment that runs on Cisco devices and allows users to execute Linux commands and utilities.

It was used to modify network device configurations, attempt to clear logs, impair logging along the jump path and return the resultant compressed, encrypted capture via another unique series of actor-defined connections or jumps.

“This allowed the threat actor to create a chain of connections and perform the capture on a remote device,” the Talos researchers said.

“The use of this utility would help to obfuscate the original source, and ultimate destination, of the request and would also allow its operator to move through potentially otherwise non-publicly-reachable (or routable) devices or infrastructure.”

The group then moved laterally within compromised networks and between different telecom providers, using compromised devices as stepping stones to reach other targets and avoid detection.

Finally, the threat actor repeatedly cleared relevant logs to obfuscate their activities, including .bash_history, auth.log, lastlog, wtmp, and btmp, where applicable. In many cases, shell access was restored to a normal state by using the “guestshell disable” command.

The threat actor modified authentication, authorization and accounting (AAA) server settings with supplemental addresses under their control to bypass access control systems.

Cisco Vulnerability Exploit Unrelated to Salt Typhoon

During their investigations, the Talos researchers found additional targeting of Cisco devices with the abuse of CVE-2018-0171, a legacy vulnerability in the Smart Install (SMI) feature of Cisco IOS and Cisco IOS XE software.

However, the researchers noted that this activity appears to be unrelated to the Salt Typhoon operations.

“We have not yet been able to attribute it to a specific actor. The IP addresses provided as observables below are associated with this potentially unrelated SMI activity,” they added.

Salt Typhoon Mitigation Recommendations

Following their investigations, the Talos researchers provided a list of Cisco-specific security threat mitigation recommendations. These include:

Disabling the underlying non-encrypted web server using the “no ip http server” command. If web management is not required, disable all of the underlying web servers using “no ip http server” and “no ip http secure-server” commands
Disabling telnet and ensuring it is not available on any of the Virtual Teletype (VTY) lines on Cisco devices by configuring all VTY stanzas with “transport input ssh” and “transport output none.”
Disabling the guestshell access (if not necessary) using “guestshell disable” for those versions which support the guestshell service
Disabling Cisco’s Smart Install service using “no vstack”
Using type 8 passwords for local account credential configuration
Using type 6 for TACACS+ key configuration

The images illustrating this article were generated using Shutterstock AI Image Generator.

The post Salt Typhoon Exploited Cisco Devices With Custom Tool to Spy on US Telcos appeared first on Online Pitstop.

Malicious Ads Target Freelance Developers via GitHub

admin — Fri, 21 Feb 2025 00:24:50 +0000

A new malware campaign targeting freelance developers has been using deceptive job advertisements to trick them into downloading malicious software disguised as legitimate tools.

The campaign primarily spreads through GitHub repositories and relies on freelancers’ eagerness to secure remote work opportunities.

The attackers pose as reputable companies, offering freelance developers attractive job opportunities. To make their deception convincing, they set up fake websites and distribute malicious software under the guise of professional development tools.

Once downloaded, the malware can compromise the victim’s system, allowing attackers to steal credentials or install additional payloads.

ESET researchers have linked the campaign to a threat actor they call “DeceptiveDevelopment.” The group specializes in targeting freelance platforms and coding communities to spread malware. Victims are often directed to GitHub, where malicious repositories host tools laden with hidden threats.

“DeceptiveDevelopment was first publicly described by Phylum and Unit 42 in 2023 and has already been partially documented under the names Contagious Interview and DEV#POPPER,” ESET wrote.

“We have conducted further analysis of this activity cluster and its operator’s initial access methods, network infrastructure, and toolset, including new versions of the two malware families used by DeceptiveDevelopment – InvisibleFerret and […] BeaverTail.”

The malware uses various techniques to evade detection and persist on compromised systems. ESET noted that it collects sensitive information, including saved login credentials, and can deliver additional malware payloads remotely.

Developers are advised to exercise caution when applying for freelance opportunities online. Verifying job offers and researching potential employers can help mitigate risks.

Experts also recommend avoiding downloads from unfamiliar GitHub repositories and keeping systems updated with robust security software.

“The DeceptiveDevelopment cluster is an addition to an already large collection of money-making schemes employed by North Korea-aligned actors and conforms to an ongoing trend of shifting focus from traditional money to cryptocurrencies,” ESET explained.

“We observed it go from primitive tools and techniques to more advanced and capable malware, as well as more polished techniques to lure in victims and deploy the malware. Any online job-hunting and freelancing platform can be at risk of being abused for malware distribution by fake recruiters.”

As freelance work continues to grow, threat actors are likely to exploit this evolving ecosystem. Developers and companies alike must implement stronger protections to defend against such targeted threats.

The post Malicious Ads Target Freelance Developers via GitHub appeared first on Online Pitstop.

WordPress Plugin Vulnerability Exposes 90,000 Sites to Attack

admin — Thu, 20 Feb 2025 00:23:42 +0000

A critical vulnerability in the Jupiter X Core WordPress plugin, used on over 90,000 websites, has been identified by security researchers.

The flaw, discovered on January 6, allows attackers with contributor privileges or higher to upload malicious SVG files and execute remote code on vulnerable servers. The issue (CVE-2025-0366) has been given a CVSS score of 8.8 (High).

Researchers from Wordfence disclosed that the vulnerability stems from improper sanitization of SVG file uploads and the plugin’s use of the get_svg() function, enabling attackers to bypass security controls.

The flaw allows attackers to upload specially crafted SVG files containing PHP code. By chaining this with a vulnerability in the get_svg() function, malicious files can be executed on the server.

“This makes it possible for authenticated attackers, with Contributor-level access and above, to include and execute arbitrary files on the server, allowing the execution of any PHP code in those files,” Wordfence wrote.

“This can be used to bypass access controls, obtain sensitive data or achieve code execution.”

The vulnerability was reported by the researcher stealthcopter on January 6 2025, through the Wordfence Bug Bounty Program, earning a $782 bounty.

A patch was released on January 29 2025 by the plugin’s developer, Artbees, that addresses the issue.

“While we do not expect this vulnerability to be widely exploited due to the minimum user-level requirement, vulnerabilities allowing for the upload of .svg files are usually limited to Cross-Site Scripting payloads and don’t typically allow remote code execution via file upload, which makes this vulnerability particularly interesting,” Wordfence explained.

Users of Jupiter X Core are strongly urged to update to version 4.8.8 immediately.

Experts also recommend adopting proactive measures, such as enabling automatic updates for plugins and themes whenever possible, to prevent exploitation. Regularly auditing installed plugins and removing unused or outdated ones can also reduce the attack surface.

The post WordPress Plugin Vulnerability Exposes 90,000 Sites to Attack appeared first on Online Pitstop.