• Resolved rjon76

    (@rjon76)


    Hi.

    On our site we use the Fast Velocity Minify 3.2.6 plugin.

    We recently discovered that accessing some pages of the site causes 301 redirects to other sites. The origin of these redirects is unknown to us.
    Investigation showed that the cause of the redirects was this JS code
        try{
        window.location='https://ww88.domain.com/'
        }catch(e){console.error("An error has occurred. [ File: https://www.domain.COM/wp-content/plugins/wp-lozad/js/lozad.js?ver=5.8 ] [ "+e.stack+" ]");}

    This JS code was embedded in some optimized JS files created by the Fast Velocity Minify plugin and located in the cache folder /wp-content/cache/fvm/min

    Question:

    Has a vulnerability been discovered and fixed in the Velocity Minify plugin in versions older than 3.2.6 that allows an attacker to modify files on the server?

Viewing 1 replies (of 1 total)
  • Plugin Author Raul P.

    (@alignak)

    Hi there,

    There are no known vulnerabilities in FVM, and the plugin is regularly audited by me and by third-party services, like WordFence. Furthermore, if you download the plugin again, you can see that the offending code is not part of the source code.

    JS files from any plugin are prime targets for malware, as are the theme header and footer PHP files, so the affected file is not relevant when auditing. WordPress core files are often also injected with similar malware, and it is not usually because of a core-related vulnerability. The target of most malware that affects WP sites is random, to try to prevent detection. As long as it runs somewhere, that is all that’s needed.

    A vulnerability has to occur in some PHP file, usually file upload related, or in some system that accepts api calls or importing of data, or sometimes simply something that accepts any user input, like a form.
    Often the culprit is unsanitized user input, so a hacker can inject php code that will run as part of the execution.

    Another possibility is a vulnerability at the server level.
    If you use shared hosting, that can happen relatively easily if any site on the server gets infected, even if they don’t belong to you. Malware can spread inside the server, regardless of user isolation (unless they use containers, which would make things more complex for malware, but not impossible).
    If there is privilege escalation anywhere on the server, malware can spread to other clients.

    FVM doesn’t allow file uploads, and it doesn’t accept POST requests except from admin users, so it is unlikely that it’s the culprit. It does, however, merge and minify JS and CSS files, so if those contain malware, it will be minified as is and put in the cache directory.

    If /plugins/wp-lozad/js/lozad.js?ver=5.8 is modified, first download a fresh copy and see if the error persists. It would not be the first time that hackers inject malware on repositories, but it’s rare. If the source is clean, then somewhere else allowed the vulnerability to go in.

    I would suggest switching hosting and auditing all themes and plugins, especially if any code has been custom made, or the original plugins or theme have been customized (meaning they lack updates).

    You can try to use WPScan to find versions of common plugins with known vulnerabilities.


    And you can use something like WordFence to scan the whole site for other issues, though be advised, even with WordFence, your site can still have new malware, if it’s not yet part of their signatures.

    There are high sensitivity modes to scan the site, but that will require a bit more knowledge to distinguish what is normal and not normal.
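The two checks the reply recommends, comparing an installed plugin against a freshly downloaded copy and looking for the injected redirect in JS files (including FVM’s cache output), as an added example that is not part of the original thread and not code from the FVM plugin or its author. The sample plugin tree, the appended payload and the destination host ww88.example.invalid are all constructed for the demo; the regular expression only matches the try/catch shape quoted above and is an assumption about how similar injections look, not a general malware detector.

```python
import hashlib
import os
import re
import tempfile

# Shape of the injected redirect quoted in the thread: a try/catch that assigns
# window.location (or window.location.href) to an absolute URL. The URL is
# captured so each hit can be reported with its destination. Other forms such
# as window.location.replace(...) are deliberately not covered here.
REDIRECT_RE = re.compile(
    r"try\s*\{\s*window\.location(?:\.href)?\s*=\s*['\"](https?://[^'\"]+)['\"]\s*;?\s*\}\s*catch",
    re.IGNORECASE,
)


def scan_js_text(text):
    """Return every redirect target URL found in one JS source string."""
    return REDIRECT_RE.findall(text)


def _rel(path, root):
    # Normalise separators so results look the same on every platform.
    return os.path.relpath(path, root).replace(os.sep, "/")


def scan_js_tree(root):
    """Walk root and return {relative_path: [urls]} for every .js file with a hit."""
    hits = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if not name.endswith(".js"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "r", encoding="utf-8", errors="replace") as fh:
                urls = scan_js_text(fh.read())
            if urls:
                hits[_rel(path, root)] = urls
    return hits


def hash_tree(root):
    """Map every file under root (relative path) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            digests[_rel(path, root)] = h.hexdigest()
    return digests


def compare_trees(fresh_root, installed_root):
    """Diff an installed plugin directory against a freshly downloaded copy.

    Returns (modified, extra, missing): files whose content differs, files that
    exist only in the install (dropped files live here), and files the fresh
    copy has that the install lacks.
    """
    fresh = hash_tree(fresh_root)
    installed = hash_tree(installed_root)
    modified = sorted(p for p in fresh if p in installed and fresh[p] != installed[p])
    extra = sorted(p for p in installed if p not in fresh)
    missing = sorted(p for p in fresh if p not in installed)
    return modified, extra, missing


# --- Constructed demo data (not real plugin files; host is made up) ---
CLEAN_JS = "(function(){var lozad=function(){};window.lozad=lozad;})();\n"
INJECTED_JS = (
    "try{window.location='https://ww88.example.invalid/'}"
    "catch(e){console.error(\"An error has occurred. [\"+e.stack+\"]\");}\n"
)


def _write(root, rel, text):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(text)


def run_demo():
    """Build a fresh copy and a tampered install in temp dirs, then audit both."""
    with tempfile.TemporaryDirectory() as tmp:
        fresh = os.path.join(tmp, "fresh", "wp-lozad")
        site = os.path.join(tmp, "site", "wp-content")
        installed = os.path.join(site, "plugins", "wp-lozad")
        _write(fresh, "js/lozad.js", CLEAN_JS)
        _write(fresh, "wp-lozad.php", "<?php // plugin bootstrap\n")
        # Installed copy: lozad.js has the redirect appended, plus a dropped file.
        _write(installed, "js/lozad.js", CLEAN_JS + INJECTED_JS)
        _write(installed, "wp-lozad.php", "<?php // plugin bootstrap\n")
        _write(installed, "js/.cache.php", "<?php // file not in the fresh copy\n")
        # FVM's cache output carries the same payload because it minified the
        # already-infected source, which is the behaviour the reply describes.
        _write(site, "cache/fvm/min/abc123.min.js", INJECTED_JS + CLEAN_JS.strip())
        modified, extra, missing = compare_trees(fresh, installed)
        return {"modified": modified, "extra": extra, "missing": missing,
                "hits": scan_js_tree(site)}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, value)
```

To use it on a real install, point `compare_trees` at an unpacked download of the same plugin version and at `wp-content/plugins/<slug>`, and `scan_js_tree` at `wp-content`. A hit in `cache/fvm/min` alone says nothing about FVM: clear the cache, find which source file the payload came from, and treat "extra" files in plugin directories as the more interesting finding.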
