WordPress Plugin Exploitation on the Rise in Malvertising Campaigns

Researchers have spotted active exploitation of known WordPress plugin vulnerabilities. Flaws in several plugins are being used by threat actors to run malvertising campaigns against visitors of the compromised sites.

WordPress Plugin Vulnerabilities Under Exploit

Researchers from Defiant Threat Intelligence have noticed active exploitation of several recently disclosed WordPress plugin vulnerabilities. The attackers use the flaws to target visitors of compromised websites with malvertising. The researchers shared their findings in detail in a blog post.

The attackers exploit known plugin flaws to inject malicious script code into the front end of the website. Because the injected code is stored by the site itself, it executes in the browser of every visitor who loads an affected page. According to the researchers,

…a malvertising campaign which is causing victims’ sites to display unwanted popup ads and redirect visitors to malicious destinations, including tech support scams, malicious Android APKs, and sketchy pharmaceutical ads.

Which scam a visitor lands on depends on several factors, chiefly the type of device the visitor is using.

When the third party code executes in a visitor’s browser, it performs an initial redirect to a central domain, which then performs another redirect to a new destination based on a number of factors, notably the type of device in use by the redirected user.
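To make the injection pattern above concrete, here is an added example (not Defiant's tooling, and not taken from the original report) of a small scanner a site owner could run over a rendered page. It flags script tags that load from hosts outside an allowlist, which is how the injected third-party loader shows up, and inline scripts that navigate the visitor elsewhere, labelling separately those that also sniff the device as the redirect chain described above does. The allowlist, the sample page and the hostnames ending in .invalid are constructed for this example.

```python
"""Scan rendered WordPress front-end HTML for injected scripts.

Added example for this article, not Defiant's tooling. It flags <script src>
tags that load from hosts outside an allowlist (the injected third-party
loader) and inline scripts that navigate the visitor away, labelling those
that also sniff the device. All hostnames here are hypothetical.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: the site's legitimate cross-origin script sources. Same-origin
# (relative) script paths are always accepted, so only other hosts need listing.
ALLOWED_SCRIPT_HOSTS = {"cdnjs.cloudflare.com"}

# Inline-script heuristics. `location = ...`, `location.href = ...` or
# `location.replace(...)` is the navigation; userAgent checks or device names
# indicate the per-device branching described in the report; eval/atob/etc.
# are the usual wrappers around obfuscated injected code.
RE_REDIRECT = re.compile(r"\blocation\b\s*(\.\s*(href|replace|assign)\s*)?[=(]", re.I)
RE_DEVICE = re.compile(r"navigator\.userAgent|android|iphone|ipad|mobile", re.I)
RE_OBFUSC = re.compile(r"\b(eval|atob|unescape|String\.fromCharCode)\s*\(", re.I)


class _ScriptCollector(HTMLParser):
    """Collects every <script> element together with the line it starts on."""

    def __init__(self):
        super().__init__()
        self.external = []  # (src, line)
        self.inline = []    # (script_text, line)
        self._buf = None    # accumulates the body of the open inline script
        self._line = 0

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        self._line = self.getpos()[0]
        src = dict(attrs).get("src")
        if src:
            self.external.append((src, self._line))
        else:
            self._buf = []

    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append(("".join(self._buf), self._line))
            self._buf = None


def script_host(src):
    """Host a script src loads from, or None for a same-origin relative path.
    Handles absolute and protocol-relative (//host/...) URLs."""
    return urlparse(src).hostname


def scan_html(html, allowed_hosts=ALLOWED_SCRIPT_HOSTS):
    """Return findings as (kind, line, detail) tuples, ordered by line."""
    parser = _ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for src, line in parser.external:
        host = script_host(src)
        if host is not None and host not in allowed_hosts:
            findings.append(("external-script", line, host))
    for code, line in parser.inline:
        snippet = " ".join(code.split())[:60]
        if RE_REDIRECT.search(code):
            kind = "device-redirect" if RE_DEVICE.search(code) else "redirect"
            findings.append((kind, line, snippet))
        elif RE_OBFUSC.search(code):
            findings.append(("obfuscated-script", line, snippet))
    return sorted(findings, key=lambda f: f[1])


# Constructed sample of a compromised page: lines 3-4 are the site's own
# scripts, line 5 is an injected loader and line 8 the per-device redirect.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="https://cdnjs.cloudflare.com/ajax/libs/lodash.js/4.17.21/lodash.min.js"></script>
<script src="//redirector.invalid/stat.js?v=1"></script>
</head><body>
<h1>Welcome</h1>
<script>
var ua = navigator.userAgent.toLowerCase();
if (ua.indexOf("android") > -1) {
  window.location.href = "https://landing.invalid/apk";
} else {
  window.location = "https://landing.invalid/support";
}
</script>
<script>document.getElementById("x");</script>
</body></html>"""

if __name__ == "__main__":
    for kind, line, detail in scan_html(SAMPLE_PAGE):
        print(f"line {line}: {kind}: {detail}")
```

Run against the sample it reports the protocol-relative loader on line 5 and the userAgent-gated redirect on line 8, and nothing for the site's own scripts. In practice the page source should be fetched the way a visitor's browser sees it (the rendered front end, not the admin view), since that is where the stored payload executes; the heuristics are deliberately loose and are a triage aid, not a replacement for patching the vulnerable plugin.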

The researchers observed the campaign exploiting several different plugins. One exploit targets an unauthenticated stored XSS flaw in the WordPress plugin “Coming Soon Page and Maintenance Mode”, which became public after NinTechNet reported it.

The researchers also found active exploitation of XSS flaws in other plugins, including a zero-day vulnerability in the ‘Yellow Pencil Visual Theme Customizer’ plugin, disclosed publicly in April 2019, and a stored XSS in the ‘Blog Designer’ plugin, disclosed in May 2019.

Not ‘Novel’ But ‘Notable’

Neither the flaws nor the malvertising technique is novel. Given the frequency of such exploitation, however, the researchers consider the campaign worth reporting.

This campaign is ongoing. We expect the threat actors will be quick to leverage any similar XSS vulnerabilities that may be disclosed in the near future.

They recommend that WordPress site owners keep track of the plugins they use and update them promptly, since the campaign relies on flaws that are already public. Plugins that are no longer needed should be removed rather than left installed, as an unused but vulnerable plugin is just as exploitable.
