Scroll Top

Malware campaign targeting 11 WordPress plugins

September 14, 2019

Serious vulnerabilities in at least 11 plugins for WordPress are currently being used in an ongoing malware campaign that appears to have started last month.

However, the group appears to have changed their tactics two weeks ago. Mikey Veenstra reported on the WordFence website.

 

Change of tactics

In the first instance, the malicious code with which sites were injected was meant to show pop-up advertisements. Visitors were also redirected to rogue websites.

But according to Veenstra, the hackers changed their code on 20 August. As a result, the code is now also able to check whether a visitor has the rights to create user accounts on the site.

The moment someone with admin rights logs in, the code creates a new admin account unnoticed. For this, the email address of wpservices@yandex.com and the password w0rdpr3ss are used.

The hackers can then use this admin account as a back door for later use.

 

11 plugins abused

So far, the hackers seem to be focusing on old vulnerabilities in 11 plugins. A few months ago it became known that Yuzo Related Posts and WP Live Chat Support were not secure. In addition, the following plugins are also affected:

  • Bold Page Builder
  • Blog Designer
  • Live Chat with Facebook Messenger
  • Visual CSS Style Editor
  • Form Lightbox
  • Hybrid Composer
  • All former NicDark plugins (including nd-booking, nd-travel and nd-learning).

 

Updates & Security precautions

The plugin developers have since released patches that repair the vulnerabilities. But there are still quite a few users who do not use the latest version of the plugins mentioned above. So they are still in danger.

In addition to updating plugins to the most recent version, admins are advised to check the user accounts on their website. If it is found that there are unknown admin accounts, these must be deleted immediately.

Subsequently, it is important to verify the files to ensure that there are no backdoors. If you are unsure, it is best to restore a backup.

Non-technical users who find that unauthorized access to their website has been obtained are advised to hire a security consultant who can assist with the clean-up of your WordPress website.

Related Posts

WordPress Sites Attacked Through Vulnerable Home Routers

Attackers are hijacking vulnerable home routers to launch attacks against WordPress sites. The attacks exploit two flaws in the TR-069 router management protocol to send malicious requests to port 7547. Experts have been advising home users to limit access to port 7547. Internet service providers (ISPs) could take steps…

16 Apr 2017
vulnerability discovered in WooCommerce Checkout Manager

A vulnerability in a popular WordPress plugin called the WooCommerce Checkout Manager is potentially putting more than 60,000 websites at risk, researchers say. The WooCommerce Checkout Manager plugin allows WooCommerce users to customize and manage the fields on their checkout pages. The plugin, owned by Visser Labs, is separate…

07 May 2019
WordPress Users Urged to Delete Total Donations Plugin

Total Donations is a commercial plugin that helps sites create donation campaigns and accept payments from their visitors and is currently used by many non-profit and political organizations who want to accept donations from donors using a donation form. Attacks on the Total Donations plugins have been tracked over…

30 Jan 2019
WordPress 4.3.1 Security and Maintenance Release

WordPress 4.3.1 is now available. This is a security release for all previous versions and we strongly encourage you to update your sites immediately. This release addresses three issues, including two cross-site scripting vulnerabilities and a potential privilege escalation.

15 Sep 2015
Urgent bug fix for GDPR Cookie Consent plugin for WordPress

The popular GDPR Cookie Consent plugin, which has been downloaded over 700.000 times, was temporarily removed from the WordPress.org plugin repository earlier this week after the developer was notified of a critical bug. Two days later (on February 10) a new version 1.8.3 was released. This new version contains…

16 Feb 2020
Vulnerability Patched in Ad Inserter Plugin for WordPress

Ad Inserter is a popular WordPress plugin for managing advertisements. Last week it appeared that version 2.4.21 and below of the plugin contains two critical vulnerabilities. The developer has since released an update to patch the vulnerabilities. Users are advised to update as quickly as possible.

17 Jul 2019
Social Network Tabs plugin contains serious vulnerability

The popular WordPress plugin, Social Network Tabs, which has been downloaded over 53.000 times in the past 7 years and is used to help users share content on social media sites, left thousands of linked Twitter accounts exposed to compromise.

26 Jan 2019
WordPress and plugin vulnerabilities Tripled in 2018

Researchers at Imperva have found that the overall number of new vulnerabilities in Content Management Systems in 2018 (17,142) has increased by 21% compared to 2017 (14,082) and by 159% compared to 2016 (6,615). WordPress-related vulnerabilities have exploded and have seen a staggering 300% increase in 2018 compared to…

09 Jan 2019
Another WordPress commercial plugin gets exploited

And yet another WordPress commercial plugin gets exploited in the wild, as Wordfence security analysts identified attackers exploiting vulnerabilities in outdated versions of a commercial WordPress plugin since the end of january. In this case the fairly popular WP Cost Estimation & Payment Forms Builder plugin developed by Loopus…

17 Feb 2019
Simple Social Buttons plugin for WordPress vulnerability patched

WPBrigade, the developer behind the Simple Social Buttons plugin, have just released a fix to a critical vulnerability. This vulnerability allows an attacker to completely take over a website.

15 Feb 2019
Vulnerabilities found in Newsletter plugin for WordPress

Newsletter, a free WordPress plugin with more than 300,000 installations, was found to contain multiple vulnerabilities that could eventually lead to the takeover of an affected website. The bugs were discovered by the Wordfence team who notified the developer of the plugin.

07 Aug 2020
Another vulnerability found in WP Live Chat Support plugin

Researchers have found a serious bug in the WP Live Chat Support plugin. This is the second time in six weeks that a vulnerability has been found in the plugin which is being used on thousands of WordPress websites. The latest bug allows hackers to inject their own code…

24 May 2019
Rich Reviews plugin for WordPress vulnerability actively abused

The Rich Reviews plugin was removed from the WordPress.org directory on March 11, 2019. This was done due to a security issue. It appears that there is still active abuse of the XSS vulnerability found in the plugin. Wordfence estimates that the plugin has around 16,000 active installations. These…

09 Oct 2019
Media File Manager plugin for WordPress exploited

An exploit was discovered in The Media File Manager plugin version 1.4.2 for WordPress. This vulnerability allows for directory traversal and the initiation of a remote cross site scripting (XSS) attack via the dir parameter of the mrelocator_getdir function of the file wp-admin/admin-ajax.php. A working exploit has been dislosed.

03 Feb 2019
WordPress 4.7.2 security update

WordPress 4.7.2 was released last Thursday, January 26th. WordPress have just announced that In addition to the three security vulnerabilities mentioned in the original release post, WordPress 4.7 and 4.7.1 had one additional vulnerability for which disclosure was delayed.

06 Feb 2017
Our website uses cookies from third party services to improve your browsing experience. Read more about this and how you can control cookies by clicking "Privacy Preferences".
Privacy Preferences
When you visit our website, it may store information through your browser from specific services, usually in form of cookies. Here you can change your privacy preferences. Please note that blocking some types of cookies may impact your experience on our website and the services we offer.
Privacy Policy
You have read and agreed to our privacy policy
Required
Privacy Policy Cookies Policy