Scroll Top

Malware campaign targeting 11 WordPress plugins

September 14, 2019

Serious vulnerabilities in at least 11 plugins for WordPress are currently being used in an ongoing malware campaign that appears to have started last month.

However, the group appears to have changed their tactics two weeks ago. Mikey Veenstra reported on the WordFence website.

 

Change of tactics

In the first instance, the malicious code with which sites were injected was meant to show pop-up advertisements. Visitors were also redirected to rogue websites.

But according to Veenstra, the hackers changed their code on 20 August. As a result, the code is now also able to check whether a visitor has the rights to create user accounts on the site.

The moment someone with admin rights logs in, the code creates a new admin account unnoticed. For this, the email address of wpservices@yandex.com and the password w0rdpr3ss are used.

The hackers can then use this admin account as a back door for later use.

 

11 plugins abused

So far, the hackers seem to be focusing on old vulnerabilities in 11 plugins. A few months ago it became known that Yuzo Related Posts and WP Live Chat Support were not secure. In addition, the following plugins are also affected:

  • Bold Page Builder
  • Blog Designer
  • Live Chat with Facebook Messenger
  • Visual CSS Style Editor
  • Form Lightbox
  • Hybrid Composer
  • All former NicDark plugins (including nd-booking, nd-travel and nd-learning).

 

Updates & Security precautions

The plugin developers have since released patches that repair the vulnerabilities. But there are still quite a few users who do not use the latest version of the plugins mentioned above. So they are still in danger.

In addition to updating plugins to the most recent version, admins are advised to check the user accounts on their website. If it is found that there are unknown admin accounts, these must be deleted immediately.

Subsequently, it is important to verify the files to ensure that there are no backdoors. If you are unsure, it is best to restore a backup.

Non-technical users who find that unauthorized access to their website has been obtained are advised to hire a security consultant who can assist with the clean-up of your WordPress website.

Related Posts

Vulnerability Patched in Ad Inserter Plugin for WordPress

Ad Inserter is a popular WordPress plugin for managing advertisements. Last week it appeared that version 2.4.21 and below of the plugin contains two critical vulnerabilities. The developer has since released an update to patch the vulnerabilities. Users are advised to update as quickly as possible.

17 Jul 2019
WordPress plugin Spambyebye vulnerable

A Cross-site scripting vulnerability was found in WordPress plugin spam-byebye with all versions up to version 2.2.1 reported vulnerable. It is possible to launch this attack remotely and it allows for the injection of arbitrary web scripts or HTML via unspecified vectors. This would alter the appearance and would…

24 Jan 2019
Injection vulnerability In WP Database Backup Plugin

Researchers of the Threat Intelligence team of WordFence have warned on Tuesday that WordPress plugin WP Database Backup contains a critical vulnerability. The developer has since patched this flaw.

02 Jun 2019
Three vulnerabilities in LearnPress discovered

Three vulnerabilities in LearnPress prior to version 3.1.0 have been discovered. LearnPress is a popular plugin with more than 50.000 installations for the WordPress CMS that can be used to create and sell courses online. LearnPress is similar to Moodle, an open source learning platform.

13 Jan 2019
Simple Social Buttons plugin for WordPress vulnerability patched

WPBrigade, the developer behind the Simple Social Buttons plugin, have just released a fix to a critical vulnerability. This vulnerability allows an attacker to completely take over a website.

15 Feb 2019
Social Network Tabs plugin contains serious vulnerability

The popular WordPress plugin, Social Network Tabs, which has been downloaded over 53.000 times in the past 7 years and is used to help users share content on social media sites, left thousands of linked Twitter accounts exposed to compromise.

26 Jan 2019
Another vulnerability found in WP Live Chat Support plugin

Researchers have found a serious bug in the WP Live Chat Support plugin. This is the second time in six weeks that a vulnerability has been found in the plugin which is being used on thousands of WordPress websites. The latest bug allows hackers to inject their own code…

24 May 2019
Rich Reviews plugin for WordPress vulnerability actively abused

The Rich Reviews plugin was removed from the WordPress.org directory on March 11, 2019. This was done due to a security issue. It appears that there is still active abuse of the XSS vulnerability found in the plugin. Wordfence estimates that the plugin has around 16,000 active installations. These…

09 Oct 2019
vulnerability discovered in WooCommerce Checkout Manager

A vulnerability in a popular WordPress plugin called the WooCommerce Checkout Manager is potentially putting more than 60,000 websites at risk, researchers say. The WooCommerce Checkout Manager plugin allows WooCommerce users to customize and manage the fields on their checkout pages. The plugin, owned by Visser Labs, is separate…

07 May 2019
Media File Manager plugin for WordPress exploited

An exploit was discovered in The Media File Manager plugin version 1.4.2 for WordPress. This vulnerability allows for directory traversal and the initiation of a remote cross site scripting (XSS) attack via the dir parameter of the mrelocator_getdir function of the file wp-admin/admin-ajax.php. A working exploit has been dislosed.

03 Feb 2019
Exploit WordPress Arigato Autoresponder and Newsletter v2.5.1.8

TheĀ Arigato Autoresponder and Newsletter by Kiboko Labs plugin allows scheduling of automated autoresponder messages and newsletters, and managing a mailing list. You can add/edit/delete and import/export members. There is also a registration form which can be placed in any website or blog.

28 Dec 2018
Urgent bug fix for GDPR Cookie Consent plugin for WordPress

The popular GDPR Cookie Consent plugin, which has been downloaded over 700.000 times, was temporarily removed from the WordPress.org plugin repository earlier this week after the developer was notified of a critical bug. Two days later (on February 10) a new version 1.8.3 was released. This new version contains…

16 Feb 2020
WordPress Users Urged to Delete Total Donations Plugin

Total Donations is a commercial plugin that helps sites create donation campaigns and accept payments from their visitors and is currently used by many non-profit and political organizations who want to accept donations from donors using a donation form. Attacks on the Total Donations plugins have been tracked over…

30 Jan 2019
WordPress 4.3.1 Security and Maintenance Release

WordPress 4.3.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. This release addresses three issues, including two cross-site scripting vulnerabilities and a potential privilege escalation.

15 Sep 2015
Vulnerabilities found in Newsletter plugin for WordPress

Newsletter, a free WordPress plugin with more than 300,000 installations, was found to contain multiple vulnerabilities that could eventually lead to the takeover of an affected website. The bugs were discovered by the Wordfence team who notified the developer of the plugin.

07 Aug 2020
Our website uses cookies from third party services to improve your browsing experience. Read more about this and how you can control cookies by clicking "Privacy Preferences".
Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.
Privacy Policy
You have read and agreed to our privacy policy
Required
Privacy Policy Cookies Policy