• Our site has been hacked three separate times in July. Each time a new admin user was created, WP settings were changed to allow new user creation, and then redirect the website elsewhere.

    After reviewing log files, each time, it came down to a plugin included with this theme, “ND Shortcodes”, your own custom-written plugin. Suspiciously, this plugin has just been removed altogether from the WordPress plugin directory on July 24, 2019 without any explanation or warning.

    You have an obligation to folks using your themes and your plugins to warn them about exploits of your themes and plugins. Please provide clarity as to why your plugin was removed from the public directory and why no updates have been applied to fix this exploit.

Viewing 15 replies - 1 through 15 (of 16 total)
  • In working through the cleanup of a website today, I ran into what appears to be the same issue with this plugin.

    Apparently, another person (making three of us) has noted similar behavior and commented on this in the Themeforest forum. Search for Discussion on Charity Foundation and the word “exploit” (since I know the moderators in here hate links you’ll have to do a manual search, sorry).

    In that ticket, he notes there is a version 5.9 out now and in downloading the latest Charity Foundation 1.2 version today, the plugin is indeed updated to version 5.9.

    So I would start by getting the latest version from Theme Forest, removing the old theme and plugin from site, then uploading the latest bits.

    Thread Starter NetzzJD

    (@netzzjd)

    Thanks for the heads up. I was told to update to 5.9 as well, but am not clear if that version is actually fixed or not. So far the support here and on Themeforest has been dismissive. I have yet to communicate to an actual developer, just the low-level, non-tech support staff who have no clue. The comments you reference on TF are now not even publicly viewable (“This comment is currently being reviewed.”).

    They are definitely trying to hide and cover up the fact that their plugin and theme were hackable or had/has problems. Unfortunate to see.

    I just want an explanation from the author here.

    Yeah, one of my clients that uses the Charity Foundation theme got hacked, and apparently, the problem came from the nd-shortcodes.

    The problem is this POST request:

    /wp-admin/admin-post.php?nd_options_value_import_settings=default_role[nd_options_option_value]administrator[nd_options_end_option]users_can_register[nd_options_option_value]1

    With this POST request, they set the default user role to administrator and activate user registration, so this way they can create a new admin user and hack the website. I think there is no checking for admin in this request.

    A temporary “fix” for this can be blocking this type of request, but I’m a bit busy to do an example now.
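
As an added example (not code from this thread, the plugin author or the theme), the script below decodes the import-settings payload format shown in the request quoted above and scans web-server access-log lines for requests that carry it, reporting which options each one tries to set. The log lines are constructed for illustration, and the `SENSITIVE` option list and the severity labels are my own choices, not anything the plugin defines.

```python
"""Flag requests to admin-post.php that carry the plugin's import-settings
payload, and decode which WordPress options they try to set."""
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Separator tokens of the import-settings format, as seen in the request above.
VALUE_SEP = "[nd_options_option_value]"
END_SEP = "[nd_options_end_option]"

# Option names whose change by an unauthenticated request is a red flag
# (assumed list; extend to taste).
SENSITIVE = {"default_role", "users_can_register", "siteurl", "home", "admin_email"}

# Combined-log-format line: ip ident user [ts] "METHOD target proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)


def parse_import_settings(payload: str) -> dict:
    """Decode key[nd_options_option_value]value[nd_options_end_option]... pairs.

    The quoted request omits the end marker after the last pair, so a trailing
    END_SEP is optional. A chunk without a value marker is kept with '' so a
    malformed pair still shows up in the report instead of being dropped.
    """
    options = {}
    for chunk in payload.split(END_SEP):
        if not chunk:
            continue
        key, sep, value = chunk.partition(VALUE_SEP)
        options[key] = value if sep else ""
    return options


def analyze_request(method: str, target: str) -> Optional[dict]:
    """Return a finding for one request line, or None if it is not of interest."""
    parts = urlsplit(target)
    if not parts.path.endswith("/wp-admin/admin-post.php"):
        return None
    query = parse_qs(parts.query, keep_blank_values=True)  # also percent-decodes
    raw = query.get("nd_options_value_import_settings")
    if not raw:
        return None
    options = parse_import_settings(raw[0])
    touched = sorted(SENSITIVE & options.keys())
    # The combination seen in the wild: open registration with admin as default role.
    opens_admin_signup = (
        options.get("users_can_register") == "1"
        and options.get("default_role") == "administrator"
    )
    if opens_admin_signup:
        severity = "critical"
    elif touched:
        severity = "high"
    else:
        severity = "medium"  # any option write via this endpoint is still suspicious
    return {"method": method, "options": options, "sensitive": touched, "severity": severity}


def scan_log(text: str) -> list:
    """Run analyze_request over every parseable line; return findings with ip/ts/status."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        finding = analyze_request(m["method"], m["target"])
        if finding:
            finding.update(ip=m["ip"], ts=m["ts"], status=m["status"])
            findings.append(finding)
    return findings


# Constructed sample log (not from any real site). The first line reproduces the
# request quoted in the thread, percent-encoded the way a web server logs it; the
# other lines are ordinary traffic that must not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [05/Jul/2019:03:14:09 +0000] "POST /wp-admin/admin-post.php?nd_options_value_import_settings=default_role%5Bnd_options_option_value%5Dadministrator%5Bnd_options_end_option%5Dusers_can_register%5Bnd_options_option_value%5D1 HTTP/1.1" 302 0 "-" "Mozilla/5.0"
203.0.113.7 - - [05/Jul/2019:03:14:11 +0000] "GET /wp-login.php?action=register HTTP/1.1" 200 4125 "-" "Mozilla/5.0"
198.51.100.4 - - [05/Jul/2019:08:01:00 +0000] "POST /wp-admin/admin-post.php?action=save_profile HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.9 - - [05/Jul/2019:09:30:00 +0000] "GET /?p=12 HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f["ts"], f["ip"], f["severity"], f["options"])
```

One caveat when hunting with this: an access log only records the query string, so a payload sent in the POST body will not show up here. Treat the log scan as a way to date the compromise and find the source IP, and pair it with a block at the application or WAF layer that rejects any request carrying `nd_options_value_import_settings` from a user who cannot manage options.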

    Moderator Jan Dembowski

    (@jdembowski)

    Forum Moderator and Brute Squad

    @nicdark I’ve removed the tag added when you reported this topic. This isn’t really something that needs a moderator to intervene.

    Developer updated plugin with below notes regarding the exploit:

    5.9.1
    sanitize, validate, and escape all data on POST and GET requests
    improved plugins_url()
    removed post-search, import/export and locations features.

    5.9
    Improved nd_options_import_settings_php_function function for security reasons.

    Hopefully, that will help resolve the matter for now.

    Same problem.
    I’m using the Hotel Booking theme.
    On 5th July I found a new administrator user and WP settings changed to allow new user creation. I retrieved a version from a few days earlier (a version before the creation of the administrator user), but on 24th July the site was hacked and redirected without any new admin user.

    So I think they could hack the site even without creating a user administrator.
    I hope that the new plugin update 5.9.1 will really solve this problem.

    The antivirus on my computer blocked the redirect telling me that it was infected with the trojan Scrinject.B. Does anyone have any idea what to look for to find any malicious code left in the site?


    Anyone found a fix for this?

    I think my site (which is using Charity Foundation Theme) has been hacked/exploited too.

    How can the authors be so silent about this? It’s a shame.

    Mariana Moura da Maia

    (@mariana-moura-da-maia)

    ND Shortcodes update is available.
    The update hangs!
    What a crap!

    Thread Starter NetzzJD

    (@netzzjd)

    I’ve had no issue updating to the latest 5.9.1 version. However, it’s still unclear if the issue was fixed. The developer of this plugin does state they addressed this in their changelog notes for 5.9 and 5.9.1.

    The author/developer still has not clearly explained what happened, why they pulled their plugin without any explanation and are hiding and blocking all comments about their plugin and themes here and on Themeforest support lines. @jdembowski anything that can be done here to hold them accountable? Very shady practice. Just be transparent and let everyone know what’s going on, don’t hide everything and pretend nothing happened.

    An actual response from the developer @nicdark would be great and clear everything up.

    I think my situation is a little bit worse.

    I can’t access the Dashboard anymore. I’ve restored a previous backup but the redirection is still there. Then I’ve disabled all plugins…but nothing changed.

    Scanning my files, none of them is infected:

    Scanned Files : 98883
    Scanner Hits : 0
    Time Taken : 206 (sec)

    Now, with the help of my hosting, I’m checking the database for some injection in MySQL.


    Hi all,
    Yes, as far as I can tell on the sites I’ve repaired with this exploit, the latest Version 5.9.1 does appear to close the exploit. At least those sites have not been re-hacked – fingers crossed.

    As I noted above, the developer does state that his patches were done to cover the security issues noted previously.

    I do suspect he’s just hoping this thing will blow over so he can get on with his life…

    Mariana Moura da Maia

    (@mariana-moura-da-maia)

    You have to edit wp_options in the database

    Thread Starter NetzzJD

    (@netzzjd)

    Yes, it should be a very simple MySQL database fix for the redirect and regain access. Check your wp_options table for the ‘siteurl’ and ‘home’ values, making sure they are your own domain/website.


    Thank you all.

    Unfortunately the wp_options table has the correct values both for ‘siteurl’ and ‘home’.

    I’ll keep you posted.

    In the meanwhile, if someone has something else to share…it would be very appreciated.

    I’m starting to clean my client’s website now, will keep you all updated.
    But, first of all:

    1. Change your database password and possibly the username.
    2. Reset your WP salts and unique keys inside wp-config.php
    3. Reset the siteurl and home inside wp_options, you can do this using

    
    UPDATE wp_options SET option_value = 'yoursiteurl' WHERE option_name = 'siteurl';
    UPDATE wp_options SET option_value = 'yoursitehomepage' WHERE option_name = 'home';
    

    In my case, the invader removed wp-login.php and wp-admin folder, so I needed to make a fresh install over the current site.

  • The topic ‘ND Shortcodes HACKED/EXPLOITED’ is closed to new replies.