• Resolved nathan62223

    (@nathan62223)


    Hello,

    I can’t answer on this topic: https://www.ads-software.com/support/topic/recent-security-issue-2/ and just want to add this information (maybe this can help someone).

    It’s sometimes necessary to delete the plugin ‘wp-striplple/wp-striplple.php’ directly in the database because it doesn’t appear in the WordPress administration. To do this, go to the table ‘wp_options’, field ‘active_plugins’, and remove the plugin. Be careful, it can be dangerous!

    Thanks
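
The manual edit described in the post above touches a PHP-serialized array: every string carries its byte length and the array carries its element count, so deleting an entry by hand without updating both leaves a value PHP cannot unserialize. The sketch below is an added example, not part of the original post or the plugin's code, that removes one entry and re-serializes the value consistently. The sample value and the helper names are constructed for illustration.

```python
import re

# Constructed sample of wp_options.active_plugins (a PHP-serialized array).
SAMPLE = ('a:3:{i:0;s:19:"akismet/akismet.php";'
          'i:1;s:9:"hello.php";'
          'i:2;s:29:"wp-striplple/wp-striplple.php";}')

ENTRY = re.compile(rb'i:\d+;s:(\d+):"')


def parse_active_plugins(value: str) -> list[str]:
    """Parse a serialized list of strings, checking every declared length."""
    data = value.encode("utf-8")  # PHP string lengths count bytes
    head = re.match(rb"a:(\d+):\{", data)
    if not head:
        raise ValueError("not a serialized array")
    pos, items = head.end(), []
    for _ in range(int(head.group(1))):
        m = ENTRY.match(data, pos)
        if not m:
            raise ValueError(f"missing or malformed entry at byte {pos}")
        end = m.end() + int(m.group(1))
        if data[end:end + 2] != b'";':
            raise ValueError(f"declared length is wrong at byte {pos}")
        items.append(data[m.end():end].decode("utf-8"))
        pos = end + 2
    if data[pos:] != b"}":
        raise ValueError("more entries than the array header declares")
    return items


def serialize_plugins(plugins: list[str]) -> str:
    """Re-serialize with fresh indexes, byte lengths and element count."""
    body = "".join(f'i:{i};s:{len(p.encode("utf-8"))}:"{p}";'
                   for i, p in enumerate(plugins))
    return f"a:{len(plugins)}:{{{body}}}"


def remove_plugin(value: str, unwanted: str) -> str:
    """Return a valid active_plugins value without the unwanted entry."""
    return serialize_plugins(
        [p for p in parse_active_plugins(value) if p != unwanted])


if __name__ == "__main__":
    print(remove_plugin(SAMPLE, "wp-striplple/wp-striplple.php"))
```

Write the returned string back to the `option_value` of the `active_plugins` row only after taking a database backup.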

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author Steve Burge

    (@stevejburge)

    Thanks for reporting this @nathan62223

    Kenji

    (@kenjitoyooka)

    Hello,

    I’d like to add some detail about the recent security issue. One of my sites was hacked, and it was running PublishPress Capabilities 2.3.2, which is troubling.

    That said, the suspicious ‘wp-striplple/wp-striplple.php’ plug-in had NOT been installed or uploaded. (I scanned the whole DB and confirmed.) So it seems like version > 2.3 does the trick there.

    BUT, my general settings site URL WAS changed to ‘trainresistor.cc’, as some others have mentioned. That was causing my page to not load. I fixed it by editing my database.

    So there may be two different attacks involved, or two different aspects to one.

    Plugin Author Steve Burge

    (@stevejburge)

    Hi @kenjitoyooka

    You may well be correct. Wordfence is reporting that these attacks on PublishPress Capabilities are part of a larger effort to hit multiple plugins and themes with options update vulnerabilities:
    https://www.wordfence.com/blog/2021/12/massive-wordpress-attack-campaign/

    So sites hacked through issues in those other plugins and themes may also see the “trainresistor” related impacts.

    Plugin Author Kevin Behrens

    (@kevinb)

    @kenjitoyooka The vulnerability is fixed in 2.3.1 and 2.3.2. Malicious code or database updates uploaded under an older Capabilities version could have a completely different name or location, and could cause a delayed effect even after updating Capabilities. The best course is to restore files and database from backup, then update Capabilities.

  • The topic ‘Recent security issue’ is closed to new replies.