WordPress plugins have once again made it on the hitlist for cybercriminals. These attacks are clearly using plugins to execute their malicious activities. In a recently discovered campaign, the attackers are abusing some WordPress plugins to divert traffic from websites.
Vulnerabilities In Multiple WordPress Plugins Under Exploit
Reportedly, researchers from WordFence have noticed an ongoing attack campaign targeting WordPress sites. The campaign exploits the vulnerabilities in numerous WordPress plugins to redirect traffic from the victim site to other malicious sites.
As stated in their blog post, the vulnerabilities under exploit in this campaign are already public. One of these flaws affects numerous NicDark plugins exploited by AJAX requests. As stated by Threatpost, the affected NicDark plugins include Components For WP Bakery Page Builder, Donations, Booking, Travel Management, and Learning Courses. Regarding the vulnerability, the researchers stated,
In each case, the plugin registers a
nopriv_AJAX action, which is accessible even by unauthenticated visitors, responsible for importing various WordPress settings. In these requests, key->value pairs of WordPress options and values are parsed out and applied directly to the affected site’s database.
Exploiting the flaws allows an attacker to register as an Admin by modifying WordPress options. However, in the observed attack scenario, the attackers attempt to modify the target site’s scripts to redirect traffic.
Another vulnerability facilitating the attackers in this campaign existed in Simple 301 Redirects – Addon – Bulk Uploader plugin. The flaw allows an attacker to inject malicious 301 redirects onto a target website. As a result, the victim site would redirect all traffic to the attackers’ addresses. As elaborated by the researchers:
Vulnerable versions of the plugin would constantly listen for the presence of the POST body parameter
submit_bulk_301. If this value is present, an uploaded CSV file would be processed and used to import a bulk set of site paths and their redirect destinations.
Many other WordPress plugins are under exploit in this campaign. Some of these include Woocommerce User Email Verification, Coming Soon and Maintenance Mode, Yellow Pencil Visual Theme Customizer, and Blog Designer.
Patch Your Plugins Now
According to the researchers, most of the vulnerabilities under abuse in this campaign have already received fixes. Hence, the campaign basically poses a threat to all those websites running unpatched or old plugin versions.
All WordPress site owners should ensure updating their respective plugins to the latest patched versions to stay protected and where possible try to use plugins that are still supported and keep your plugins to a minimum by only using those which are imperative for your CMS functionality.