Les Bell

Welcome to today's daily briefing on security news relevant to our CISSP (and other) courses. Links within stories may lead to further details in the course notes of some of our courses, and will only be accessible if you are enrolled in the corresponding course - this is a shallow ploy to encourage ongoing study. However, each item ends with a link to the original source.

News Stories

Class Action Invites Latitude Financial Customers to Join

While many security professionals agonise over the possibility of fines for privacy breaches, it is worth remembering that much older penalties continue to apply and can have much more severe consequences than a fine. We reported last week that the breach of consumer lender Latitude Financial had worsened as more details emerged, with investigations revealing that as many as 14 million customer records were compromised.

Now comes news that law firms Gordon Legal and Hayden Stephens and Associates are investigating a potential legal action against Latitude Financial and are looking into whether the lender's security measures and protocols were effective and whether the company had taken appropriate steps to protect its customers' personal information. Of course, should this reach court - or even prior mediation - a lot will depend on a) how the breach actually occurred and b) how a court defines 'appropriate steps' (a more common phrase in legislation is 'reasonable steps').

Current and former customers who believe they may have been affected by the data breach are invited to register their interest. Their site also contains links to useful online resources for those affected, as well as a list of news reports on the breach.

Hayden Stephens and Associates, Latitude Financial Data Breach Investigation, web site, 28 March 2023. Available online at https://www.latitudedatabreach.com.au/.

WordPress Plugin Exposes Millions of Sites

By far the most popular web site content management system is WordPress; millions of businesses use it as the basis of their sites, especially because of its huge range of extensions and plugins. Unfortunately, many of these sites are poorly maintained - a practice that could hit a huge number this week, as hackers exploit a critical vulnerability in a premium WordPress plugin.

The vulnerability, which has a CVSS 3.1 score of 8.8 (high) is present in the Elementor Pro plugin. In particular, it is in the elementor-pro/modules/woocommerce/module.php component, which is loaded when Elementor Pro is installed on WordPress sites that also have the WooCommerce merchant server plugin activated. The component registers two AJAX actions, one of which - pro_woocommerce_update_page_option - is intended to allow the Administrator or the Shop Manager to update some WooCommerce options.

Unfortunately, the function does not check that the user invoking it has appropriate privileges, and it also does not sanitize user input. As a result, an authenticated attacker is able to create an administrator account by enabling the users_can_register setting and setting the default_role to administrator while also changing the administrator email address (admin_email). The vulnerability was discovered and documented by Jerome Bruandet of Ninja Technologies Network.

However, now researchers at another firm, Patchstack, report that the vulnerability is being actively exploited. Users are advised to urgently update their Elementor Pro installations to version 3.11.7 or later (the free version of Elementor is unaffected).

Bruandet, Jerome, High severity vulnerability fixed in WordPress Elementor Pro plugin. blog post, 28 March 2023. Available online at https://blog.nintechnet.com/high-severity-vulnerability-fixed-in-wordpress-elementor-pro-plugin/.

Dave, Critical Elementor Pro Vulnerability Exploited, blog post, 30 March 2023. Available online at https://patchstack.com/articles/critical-elementor-pro-vulnerability-exploited/.

These news brief blog articles are collected at https://www.lesbell.com.au/blog/index.php?courseid=1. If you would prefer an RSS feed for your reader, the feed can be found at https://www.lesbell.com.au/rss/file.php/1/dd977d83ae51998b0b79799c822ac0a1/blog/user/3/rss.xml.

Copyright to linked articles is held by their individual authors or publishers. Our commentary is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License and is labeled TLP:CLEAR.