WordPress plugins are once again proving fruitful for cybercriminals. These attacks specifically abuse plugins to carry out their malicious actions. In a newly discovered campaign, attackers use several WordPress plugins to redirect traffic away from websites.
Vulnerabilities in several WordPress plugins under exploit

Wordfence researchers have reportedly noticed an ongoing attack campaign against WordPress sites. The campaign exploits vulnerabilities in numerous WordPress plugins to redirect traffic from the victim's site to other, malicious sites.
As noted in their blog post, the vulnerabilities exploited in this campaign are already publicly known. One of these flaws affects a number of NicDark plugins and is exploited through AJAX requests.
According to Threatpost, the NicDark plugins include components for WP Bakery Page Designer, donations, reservations, travel management, and training courses. Regarding the vulnerability, the researchers said: “In any case, the plug-in records the nopriv_ AJAX action, which is also accessible to unauthenticated visitors, responsible for importing various WordPress settings.”
In these requests, key-value pairs of WordPress settings and their values are parsed and applied directly to the vulnerable site's database. Exploiting the flaw allows an attacker to register as an administrator by changing WordPress settings. In the observed attack scenario, however, the attackers instead attempt to modify the target site's scripts to redirect traffic.
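For site owners who want to triage installed plugins for the pattern described above, the following is an added example (not code from Wordfence or from any plugin named here). It scans PHP source for `wp_ajax_nopriv_` hooks and flags handlers that write WordPress options without a nonce or capability check; the sample plugin source and the `demo_*` names are constructed for illustration.

```python
import re

# wp_ajax_nopriv_<action> hooks are reachable by visitors who are not logged in.
HOOK_RE = re.compile(
    r"""add_action\(\s*['"]wp_ajax_nopriv_([\w-]+)['"]\s*,\s*['"](\w+)['"]""")
# Nonce or capability checks that can gate a handler.
GUARD_RE = re.compile(r"\b(?:check_ajax_referer|wp_verify_nonce|current_user_can)\s*\(")
# Calls that write WordPress settings.
WRITE_RE = re.compile(r"\b(?:update_option|add_option|delete_option)\s*\(")

# Constructed sample plugin source (hypothetical names, not from a real plugin).
SAMPLE_PLUGIN = r"""<?php
add_action('wp_ajax_nopriv_demo_import', 'demo_import');
function demo_import() {
    foreach ($_POST['settings'] as $k => $v) { update_option($k, $v); }
}
add_action('wp_ajax_nopriv_demo_signup', 'demo_signup');
function demo_signup() {
    check_ajax_referer('demo_signup');
    update_option('demo_last_signup', time());
}
"""

def function_body(source, name):
    """Return the brace-delimited body of PHP function `name`, or ''."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", source)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(source) and depth:
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        i += 1
    return source[m.end():i - 1]

def audit(source):
    """List unauthenticated AJAX handlers; flag ones writing options unguarded."""
    findings = []
    for action, callback in HOOK_RE.findall(source):
        body = function_body(source, callback)
        writes = bool(WRITE_RE.search(body))
        guarded = bool(GUARD_RE.search(body))
        findings.append({"action": action, "callback": callback,
                         "writes_options": writes, "risky": writes and not guarded})
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PLUGIN):
        print(finding)
```

This is a triage heuristic: the brace matching ignores braces inside strings and comments, and a nonce check alone does not authorize a logged-out visitor, so every handler that writes options still deserves manual review.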
Another vulnerability abused in this campaign existed in the Simple 301 Redirects – Addon – Bulk Uploader plugin. This flaw allows an attacker to inject malicious 301 redirects on the target website. As a result, the victim's site will redirect all traffic to the attackers' addresses. As the researchers explained, vulnerable versions of the plugin constantly listen for the presence of the POST body parameter submit_bulk_301.
If this value is present, the uploaded CSV file will be processed and used to import a large set of site paths and their redirect destinations. Many other WordPress plugins are being targeted in this campaign. These include the Woocommerce user email verification, the Coming Soon and the service, Yellow Pen Visual Theme Builder and Blog Designer.
Fix your plugins right now

According to the researchers, most of the vulnerabilities abused in this campaign have already been patched. As a result, the campaign is primarily a threat to sites where unpatched or old versions of the plugins are installed.
All WordPress site owners should make sure that their plugins are updated to the latest patched versions to stay safe. Where possible, use only plugins that are still supported, and keep the number of plugins to a minimum, installing only those that are mandatory for your CMS functionality.