Security researchers have uncovered several popular WordPress plugins that are being actively abused to hack sites. The cause is a weakness in them that allows malicious code to be injected. The plugins have since been patched, but the campaigns are still active. All WordPress site owners are urged to update their installations to avoid becoming victims.
WordPress Plugins Once Again Are The Conduit of Exploits
A series of popular WordPress plugins have been found to contain a security weakness that allows hackers to take control of the sites and infect them with other threats. The attack campaign, which targets blogs running the popular content management system on a global scale, was discovered in the course of this research. The list of affected WordPress plugins includes Simple 301 Redirects – Addon – Bulk Uploader and others made by the developer known as NicDark. When the vulnerability was reported to them, an update was released fixing the flaws.
However, this has not stopped the campaign, as many blog owners have not updated their installations. Once a site is compromised, the malicious script edits the pages of the WordPress blog to redirect visitors to a hacker-controlled site. This is useful in several common scenarios:
- Phishing Scams — The criminals can automatically redirect visitors to a login page or a fake home page that impersonates well-known sites or services. In this way they can hijack account credentials or other personal information.
- Intrusive Advertising — The contents of the WordPress blogs can be edited to include all kinds of intrusive ads in different forms: banners, pop-ups, text links and so on. The hacker operators receive income from the ad providers for every display.
- Malware Delivery — The intrusions allow different threats to be deployed onto the sites. As a result, visiting or interacting with the WordPress blogs leads to virus infections. Depending on the type of threat, these can range from Trojans (used to take over control of the computers) to cryptocurrency miners that exploit the machine’s resources for profit.
The global attack campaign uses rotating domain names, showing that the hacker or group behind the intrusion attempts has enough resources to continue targeting whole networks. Their identity is not yet known; we anticipate that as the attacks continue more information will become available.
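As an added, defender-side illustration (not part of the original article, and not code from the researchers or from NicDark), the following Python snippet scans WordPress post content for injected client-side redirects to hosts outside the site's own, which is the behaviour the article describes; the sample posts and domain names are constructed placeholders.

```python
import re
from urllib.parse import urlparse

# Constructed sample of WordPress post content (not taken from any real
# compromised site): one clean post and two with injected redirects.
SAMPLE_POSTS = {
    "hello-world": "<p>Welcome to my blog.</p><a href='https://example-blog.test/about'>About</a>",
    "news-update": "<p>Latest news.</p><script type='text/javascript'>"
                   "window.location.href='https://rotating-domain-placeholder.example/land';</script>",
    "contact": "<meta http-equiv='refresh' content='0;url=https://another-placeholder.example/go'>",
}

# Patterns that transfer the visitor to another page from within post content:
# JavaScript location assignments/replace() and meta refresh tags.
REDIRECT_PATTERNS = [
    re.compile(r"location(?:\.href)?\s*(?:=|\.replace\s*\()\s*['\"](https?://[^'\"]+)", re.I),
    re.compile(r"http-equiv=['\"]refresh['\"][^>]*url=(https?://[^'\"\s>]+)", re.I),
]

def find_injected_redirects(posts, own_hosts):
    """Return {slug: [redirect URLs]} for posts whose content redirects
    visitors to a host that is not in own_hosts (the site's own domains)."""
    findings = {}
    for slug, html in posts.items():
        for pat in REDIRECT_PATTERNS:
            for url in pat.findall(html):
                host = urlparse(url).hostname or ""
                if host not in own_hosts:
                    findings.setdefault(slug, []).append(url)
    return findings

def redirect_hosts(findings):
    """Distinct destination hosts across all findings; tracking these over
    time surfaces the rotating domains described in the article."""
    return sorted({urlparse(u).hostname for urls in findings.values() for u in urls})

if __name__ == "__main__":
    hits = find_injected_redirects(SAMPLE_POSTS, {"example-blog.test"})
    for slug, urls in hits.items():
        print(f"{slug}: {urls}")
    print("destination hosts:", redirect_hosts(hits))
```

In a real deployment the post bodies would be read from the wp_posts table (and theme/plugin files checked the same way), and the destination hosts fed into blocklists or alerting.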