New Linux Malware Exploiting Over Two Dozen CMS Flaws

January 2, 2023 | Ravie Lakshmanan | Web Security / Linux


WordPress sites are being targeted by previously unknown Linux malware that exploits flaws in over 20 plugins and themes to compromise vulnerable systems.

In a report published last week, Russian security vendor Doctor Web said: "If a site uses an outdated version of such an add-on and is missing a critical fix, the targeted web page may contain malicious JavaScript. As a result, if the user clicks on any area of the attacked page, they will be redirected to another site."

The attack weaponizes a list of known security vulnerabilities in 19 different plugins and themes that are likely to be installed on a WordPress site, using them to target specific websites and deploy an implant whose capabilities can be expanded further.

It can also inject JavaScript code retrieved from a remote server to redirect site visitors to any website of the attacker’s choosing.

Doctor Web says it has also identified a second version of the backdoor that uses a new command-and-control (C2) domain and an updated list of flaws covering 11 additional plugins, bringing the total to 30.

The affected plugins and themes are listed below:

  • WP Live Chat Support
  • Yuzo Related Posts
  • Yellow Pencil Visual CSS Style Editor
  • Easy WP SMTP
  • WP GDPR Compliance
  • Newspaper (CVE-2016-10972)
  • Thim Core
  • Smart Google Code Inserter (discontinued as of January 28, 2022)
  • Total Donations
  • Post Custom Templates Lite
  • WP Quick Booking Manager
  • Live Chat with Messenger Customer Chat by Zotabox
  • Blog Designer
  • WordPress Ultimate FAQ (CVE-2019-17232 and CVE-2019-17233)
  • WP-Matomo Integration (WP-Piwik)
  • ND Shortcodes
  • WP Live Chat
  • Coming Soon Page and Maintenance Mode
  • Hybrid
  • Brizy
  • FV Flowplayer Video Player
  • WooCommerce
  • Coming Soon Page & Maintenance Mode
  • OneTone
  • Simple Fields
  • Delucks SEO
  • Poll, Survey, Form & Quiz Maker by OpinionStage
  • Social Metrics Tracker
  • WPeMatico RSS Feed Fetcher
  • Rich Reviews

Both variants are said to contain an unimplemented method for brute-forcing WordPress admin accounts, but it is not clear whether this is a holdover from previous versions or a feature yet to be activated.

"If such an option were implemented in a newer version of the backdoor, cybercriminals could even attack some of the websites that use the current plugin versions with the vulnerabilities patched," the company said.

WordPress users are encouraged to keep all components of the platform up to date, including third-party add-ons and themes. It is also recommended to use a strong and unique login and password to protect accounts.
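To make the defensive side of that advice concrete, the following is an added example (written for this edit, not Doctor Web's or The Hacker News' code) that inventories a WordPress installation's plugins and themes against the affected list above and scans the PHP files under wp-content for the injected click-to-redirect JavaScript the report describes. The directory layout, the "Example Safe Plugin", the version numbers and the `.invalid` hostnames it writes into a temporary directory are constructed sample data; the allow-list of legitimate script hosts is an assumption the operator must supply. A name match only tells you to check that add-on's installed version against its fix, not that the installed copy is vulnerable.

```python
import re
import tempfile
from pathlib import Path

# Plugin/theme names from the affected list in the article. Matching is done on
# a normalized form (lower-case, alphanumerics only) so spelling variants such
# as "Woo Commerce" / "WooCommerce" still match.
AFFECTED_NAMES = [
    "WP Live Chat Support", "Yuzo Related Posts", "Yellow Pencil Visual CSS Style Editor",
    "Easy WP SMTP", "WP GDPR Compliance", "Newspaper", "Thim Core",
    "Smart Google Code Inserter", "Total Donations", "Post Custom Templates Lite",
    "WP Quick Booking Manager", "Live Chat with Messenger Customer Chat by Zotabox",
    "Blog Designer", "WordPress Ultimate FAQ", "WP-Matomo Integration (WP-Piwik)",
    "ND Shortcodes", "WP Live Chat", "Coming Soon Page and Maintenance Mode", "Hybrid",
    "Brizy", "FV Flowplayer Video Player", "WooCommerce", "OneTone", "Simple Fields",
    "Delucks SEO", "Poll, Survey, Form & Quiz Maker by OpinionStage",
    "Social Metrics Tracker", "WPeMatico RSS Feed Fetcher", "Rich Reviews",
]

def normalize(name):
    return re.sub(r"[^a-z0-9]", "", name.lower())

AFFECTED_NORMALIZED = {normalize(n) for n in AFFECTED_NAMES}

# WordPress header comment fields, e.g. "Plugin Name: Foo" or " * Version: 1.2".
HEADER_FIELD = re.compile(r"^[ \t/*]*(Plugin Name|Theme Name|Version):[ \t]*(.+?)[ \t]*$", re.M)
# <script src="https://host/..."> or a protocol-relative "//host/..." source.
EXTERNAL_SCRIPT = re.compile(r"<script[^>]+src=[\"']?(?:https?:)?//([^/\"'>\s]+)", re.I)
# A click handler that assigns window.location / location.href: the
# click-anywhere redirect behaviour described in the article.
CLICK_REDIRECT = re.compile(
    r"addEventListener\(\s*[\"']click[\"'][\s\S]{0,300}?(?:window\.)?location(?:\.href)?\s*=(?!=)",
    re.I)

def parse_header(text):
    """Return the header fields found in a plugin main file or a theme's style.css."""
    return dict(HEADER_FIELD.findall(text))

def inventory(wp_root):
    """List installed plugins/themes as (kind, name, version, flagged) tuples."""
    found = []
    for kind in ("plugins", "themes"):
        base = Path(wp_root) / "wp-content" / kind
        if not base.is_dir():
            continue
        for entry in sorted(p for p in base.iterdir() if p.is_dir()):
            # WordPress reads a theme's header from style.css and a plugin's
            # header from a top-level .php file in the plugin directory.
            candidates = [entry / "style.css"] if kind == "themes" else sorted(entry.glob("*.php"))
            for f in candidates:
                if not f.is_file():
                    continue
                hdr = parse_header(f.read_text(errors="replace"))
                name = hdr.get("Theme Name") or hdr.get("Plugin Name")
                if name:
                    flagged = normalize(name) in AFFECTED_NORMALIZED
                    found.append((kind, name, hdr.get("Version", "unknown"), flagged))
                    break
    return found

def scan_for_injected_js(text, allowed_hosts):
    """Flag script tags loading from hosts outside the allow-list and click-to-redirect handlers."""
    findings = []
    for m in EXTERNAL_SCRIPT.finditer(text):
        host = m.group(1).lower()
        if host not in allowed_hosts:
            findings.append(("external-script", host))
    if CLICK_REDIRECT.search(text):
        findings.append(("click-redirect", None))
    return findings

def scan_site(wp_root, allowed_hosts):
    """Run scan_for_injected_js over every PHP file under wp-content."""
    root = Path(wp_root)
    findings = []
    for f in sorted((root / "wp-content").rglob("*.php")):
        for kind, detail in scan_for_injected_js(f.read_text(errors="replace"), allowed_hosts):
            findings.append((f.relative_to(root).as_posix(), kind, detail))
    return findings

def build_demo_site():
    """Construct a throw-away WordPress layout (sample data, not a real site)."""
    root = Path(tempfile.mkdtemp(prefix="wpdemo_"))
    plugins, themes = root / "wp-content" / "plugins", root / "wp-content" / "themes"
    (plugins / "wp-gdpr-compliance").mkdir(parents=True)
    (plugins / "wp-gdpr-compliance" / "wp-gdpr-compliance.php").write_text(
        "<?php\n/*\nPlugin Name: WP GDPR Compliance\nVersion: 1.4.2\n*/\n")  # constructed version
    (plugins / "example-safe").mkdir()
    (plugins / "example-safe" / "example-safe.php").write_text(
        "<?php\n/**\n * Plugin Name: Example Safe Plugin\n * Version: 2.0.0\n */\n")
    (themes / "newspaper").mkdir(parents=True)
    (themes / "newspaper" / "style.css").write_text("/*\nTheme Name: Newspaper\nVersion: 6.7.1\n*/\n")
    (themes / "newspaper" / "footer.php").write_text(  # constructed injected footer
        "<footer>...</footer>\n"
        "<script src='https://cdn.example.net/lib.js'></script>\n"
        "<script src='//placeholder-malicious.invalid/inject.js'></script>\n"
        "<script>document.addEventListener('click', function(){"
        "window.location.href='https://placeholder-landing.invalid/';});</script>\n")
    return root

def run_demo():
    root = build_demo_site()
    inv = inventory(root)
    return {"inventory": inv,
            "flagged": sorted(name for _, name, _, flag in inv if flag),
            "js_findings": scan_site(root, {"cdn.example.net"})}  # allow-list is an assumption

if __name__ == "__main__":
    for k, v in run_demo().items():
        print(k, v)
```

Run it against a real install by pointing `inventory()` and `scan_site()` at the WordPress root and passing the CDN and analytics hosts the site legitimately loads scripts from; anything else under wp-content that pulls a script from an unlisted host, or binds a click listener that rewrites `location`, is worth a manual look.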

The disclosure comes a few weeks after Fortinet FortiGuard Labs revealed details of another botnet, called GoTrim, designed to brute-force self-hosted websites that use the WordPress content management system (CMS) and seize control of the targeted systems.

Last month, Sucuri noted that over 15,000 WordPress sites had been compromised as part of a malicious campaign that redirected visitors to fake Q&A portals. The number of active infections currently stands at 9,314.

The GoDaddy-owned website security company also shared information in June 2022 about a traffic direction system (TDS) known as Parrot, which has been observed targeting WordPress sites with malicious JavaScript that drops additional malware onto hacked systems.
