Subject: [oss-security] Wordpress Responsive theme: arbitrary HTML content injection (CVE-2024-2848)
From: Hanno Böck
Date: Mon, 22 Apr 2024 12:52:17 +0200
To: oss-security@lists.openwall.com
Message-ID: <20240422125217.7eb0c5f0.hanno@hboeck.de>

A WordPress theme called "Responsive" had a vulnerability that allowed
injecting arbitrary content into the page's footer. This is fixed in
version 5.0.3.

There are active attacks exploiting this vulnerability, redirecting
page visitors to malicious websites.

If you have to clean up an affected installation, the attack can, as far
as I understand, only set the "footer-copyright" option stored in the
options table (usually wp_options). So you can check the field with
option_name=footer-copyright and remove any malicious / spammy content.

Advisory:
https://github.com/advisories/GHSA-8vpf-jx6q-39fr

Quote:
"The Responsive theme for WordPress is vulnerable to unauthorized
modification of data due to a missing capability check on the
save_footer_text_callback function in all versions up to, and
including, 5.0.2. This makes it possible for unauthenticated attackers
to inject arbitrary HTML content into the site's footer."

Upstream changelog:
https://themes.svn.wordpress.org/responsive/5.0.3/changelog.txt
"(28/03/2024) = Fix - Version 5.0.3 [...] [!] = Fixed = Fixed the
vulnerability of unauthorized modification of footer text."

The latest version 5.0.3.1 contains another possibly relevant note in
the changelog:
"(17/04/2024) = Fix - Version 5.0.3.1 [!] = Fixed = Enhanced Security:
Strengthened the codebase to further protect your website."

I have not verified whether this is another vulnerability or just
additional hardening.

-- 
Hanno Böck
https://itsec.hboeck.de/
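
A triage sketch for the cleanup step described in the message, added here and not part of the original post or the theme's code: it parses a footer-copyright value that has already been read out of the options table and lists the markup that deserves review before the value is kept or cleared. The function names, the tag list and the sample values are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed review list: tags that can run script, load remote content or redirect.
ACTIVE_TAGS = {"script", "iframe", "object", "embed", "meta", "base", "form", "svg"}
URL_ATTRS = {"href", "src", "action", "data", "formaction"}

class FooterAudit(HTMLParser):
    """Collects (kind, detail) findings for one footer-copyright value."""

    def __init__(self, site_host):
        super().__init__(convert_charrefs=True)
        self.site_host = site_host.lower()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.findings.append(("active-tag", tag))
        for name, value in attrs:
            if name.startswith("on"):            # inline event handler
                self.findings.append(("event-handler", name))
            elif name in URL_ATTRS:
                self._check_url((value or "").strip())

    def _check_url(self, value):
        try:
            url = urlparse(value)
        except ValueError:                       # malformed URL: review by hand
            self.findings.append(("bad-url", value))
            return
        host = (url.hostname or "").lower()
        if url.scheme.lower() in ("javascript", "data", "vbscript"):
            self.findings.append(("script-url", url.scheme.lower()))
        elif host and host != self.site_host:    # legitimate credits land here too
            self.findings.append(("external-url", host))

def audit_footer(value, site_host):
    """Return findings for an option value already read from the options table."""
    parser = FooterAudit(site_host)
    parser.feed(value)
    parser.close()
    return parser.findings

# Constructed sample values, not taken from any real installation.
SAMPLES = {
    "clean": 'Copyright 2024 <a href="https://blog.example/">My Blog</a>',
    "script": 'Copyright 2024 <script src="https://cdn.invalid/r.js"></script>',
    "refresh": '<meta http-equiv="refresh" content="0;url=https://landing.invalid/">',
    "handler": '<img src="/logo.png" onerror="location=1">',
}
```

An empty result means only that none of these patterns matched; external links are listed for review because a footer can legitimately credit another site.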