WordPress plugins hacked for fake admin accounts
Vulnerabilities allowed attackers to create rogue admin accounts
Popular web hosting site WordPress has come under attack from hackers exploiting a flaw that allows them to create rogue admin accounts.
Researchers at security firm Wordfence discovered that known vulnerabilities in WordPress plugins have been exploited by injecting malicious JavaScript into the frontends of victim sites which leads visitors to these compromised sites to be redirected to potentially harmful content including malware droppers and fraudulent sites. Many of the playloads are obfuscated by the attackers in an attempt to avoid detection by WAF and IDS software.
Wordfence researchers discovered where the attacks are originating from and they have identified various IP addresses linked to web hosting providers. However, once the issue was brought to the attention of the providers, most of the IPs ceased their illegal activity except for one.
- Critical flaw in WordPress live chat discovered
- Tumblr sold to Wordpress owner
- WordPress revamped with new security features
In a blog post explaining its discovery, Wordfence's Mikey Veenstra explained that most of the attacks stemmed from one IP address, saying:
“The IP address in question is 104.130.139.134, a Rackspace server currently hosting some presumably compromised websites. We have reached out to Rackspace to inform them of this activity, in hopes that they will take action in preventing further attacks from their network. We have not yet heard back.”
WordPress plugin vulnerabilities
All of the attacks that have occurred so far have targeted several known vulnerabilities from former NicDark plugins including nd-booking, nd-travel and nd-learning.
While the initial research into the campaign identified the injection of scripts which triggered malicious redirects or unwanted popups in the browsers of those who visited a victim site, the campaign has evolved by adding an additional script which attempts to install a backdoor into the target site by exploiting an administrator's session.
Are you a pro? Subscribe to our newsletter
Sign up to the TechRadar Pro newsletter to get all the top news, opinion, features and guidance your business needs to succeed!
Wordfence also explained how WordPress site owners can avoid falling victim to this campaign saying:
“As always, updating the plugins and themes on your WordPress site is an excellent layer of defense against campaigns like these. Check your site for needed updates frequently to ensure you’re receiving the latest patches as they’re released. Wordfence users periodically receive emails informing them when updates are available as well.”
- We've also highlighted the best WordPress hosting
Via SC Magazine
After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home.