Title: Critical Vulnerability in MalCare Plugin Exposes Over 300,000 WordPress Sites
Introduction
WordPress security services provider, Snicco, has recently discovered a critical vulnerability in the popular MalCare plugin, which is currently active on more than 300,000 websites. The vulnerability allows attackers to exploit broken cryptography and potentially take complete control of affected sites. This article will delve into the details of the vulnerability, the potential risks it poses, and the actions taken by MalCare to address the issue.
Understanding the Vulnerability
According to Calvin Alkan, a WordPress security researcher at Snicco, MalCare utilizes broken cryptography to authenticate API requests from its remote servers to connected WordPress sites. The vulnerability arises from the comparison of a shared secret stored as plaintext in the WordPress database with the one provided by MalCare’s remote application. Exploiting this flaw enables attackers to impersonate MalCare’s remote application and carry out various malicious actions, including creating rogue admin users, uploading random files, and installing or removing plugins.
Pre-Conditions for Exploitation
To exploit this vulnerability, certain pre-conditions must be met. These include a site with a SQL injection vulnerability in a plugin, theme, or WordPress core, a compromised database at the hosting level, or another vulnerability that allows the attacker to read or update WordPress options. While these pre-conditions limit the scope of potential attacks, they still pose a significant threat to vulnerable websites.
MalCare’s Response
Snicco revealed that MalCare had been informed about the vulnerability three months prior to its public release. However, despite offering free assistance, MalCare dismissed the issue, claiming it was an industry-standard for API authentication. Additionally, concerns were raised regarding the pre-condition requirement, as it alone could be considered a vulnerability.
Two days after Snicco published the security advisory with a proof of concept, MalCare released a patch in version 5.16 on July 8, 2023. The plugin’s blog also featured a notice addressing the issue. MalCare acknowledged the rare possibility of an attacker being able to read the MalCare key if a site already had a high severity SQL injection vulnerability. To address this, they stated their commitment to strengthening their authentication systems and reviewed various plugins and best practices in the ecosystem to develop a comprehensive solution.
No Evidence of Exploitation
MalCare has assured its users that there is no evidence of the vulnerability being exploited thus far. However, it is crucial for website owners using MalCare, WPRemote, or Blogvault plugins to update to the latest versions immediately. Snicco has discovered that the same vulnerability exists in WPRemote (20k installs) and Blogvault (100k installs) plugins, as they share the same code.
Conclusion
The discovery of a critical vulnerability in the MalCare plugin has raised concerns among the WordPress community. The broken cryptography used for API authentication exposes over 300,000 websites to potential attacks. While MalCare has released a patch and addressed the issue, it is essential for users of MalCare, WPRemote, and Blogvault plugins to update to the latest versions promptly. Website owners should remain vigilant and prioritize security measures to protect their valuable online assets from potential threats.
By staying informed about vulnerabilities and promptly updating plugins, WordPress users can ensure the security and integrity of their websites.
