Thousands of WordPress sites redirecting users to dangerous domains

Person working on a WordPress post
(Image credit: Pixabay)

Over 900,000 WordPress sites have been targeted in a new attack campaign which aims to redirect visitors to malvertising sites or plant backdoors into a theme's header if an administrator is logged in.

The majority of these attacks appear to be the work of a single threat actor based on the malicious JavaScript payload they are attempting to inject in vulnerable sites. The attacker also leveraged older vulnerabilities that allowed them to change a site's home URL to the same domain used in the cross-site scripting (XSS) payload in order to redirect visitors to malvertising sites.

In a blog post, Senior QA at Defiant, Ram Gall provided further insight on the sheer scale of the campaign, saying:

“While our records show that this threat actor may have sent out a smaller volume of attacks in the past, it’s only in the past few days that they’ve truly ramped up, to the point where more than 20 million attacks were attempted against more than half a million individual sites on May 3, 2020. Over the course of the past month in total, we’ve detected over 24,000 distinct IP addresses sending requests matching these attacks to over 900,000 sites.”

Targeting older WordPress vulnerabilities

According to Gall, the attacker targeted multiple vulnerabilities in WordPress plugins that have either been removed from official repositories or patched within the last few years.

More than half of all of the attacks targeted sites with the Easy2Map plugin which contains an XSS vulnerability. Although the plugin was removed from the WordPress repository in August of 2019, it is still installed on less than 3,000 sites. The attacker also exploited an XSS vulnerability in the Blog Designer plugin that was patched in 2019 and the Newspaper theme that was patched in 2016.

In order to change a site's home URL, the attacker took advantage of an options update vulnerability in the WP GDPR Compliance and Total Donations plugins. WP GDPR Compliance has more than 100,000 installations but Defiant estimates that no more than 5,000 vulnerable installations remain. Total Donations on the other hand was permanently removed from the Envato Marketplace in early 2019 and it is estimated that less than 1,000 total installations remain.

If your site uses any of these plugins or themes, it is highly recommended that you update them immediately and remove any that are no longer in the official WordPress repository.

Via BleepingComputer

TOPICS
Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 

Latest in Website Building
Wix automation
The world's leading website builder aims to save businesses time with new tool
Squarespace
Build a website for less with 10% off Squarespace subscriptions
Squarespace
Fresh season, fresh start— launch your dream website with Squarespace with this offer
Wix Printful
Wix teams up with Printful for in-house print-on-demand tools
Squarespace
Don't miss out on this great Squarespace deal
Hostinger Website Builder vs WordPress.com: Which is better?
Hostinger Website Builder vs WordPress.com: Battle of the WordPress website builders
Latest in News
A young woman is working on a laptop in a relaxed office space.
I’ll admit, Microsoft’s new Windows 11 update surprised me with its usefulness, providing accessibility fixes, a gamepad keyboard layout, and PC spec cards
inZOI promotional material.
inZOI has become the most wishlisted game on Steam, but I wouldn't get too caught up in the hype
Xbox Series X and Xbox wireless controller set to a green background
Xbox Insiders are currently testing a new Game Hub feature that looks useful, but I've got mixed feelings about it
A stylized depiction of a padlocked WiFi symbol sitting in the centre of an interlocking vault.
Broadcom warns of worrying security flaws affecting VMware tools
Microsoft Surface Laptop and Surface Pro devices on a table.
Hate Windows 11’s search? Microsoft is fixing it with AI, and that almost makes me want to buy a Copilot+ PC
Oura Ring 4
Activity tracking on Oura Ring is about to get a whole lot better, but I've got bad news about your step count