Posted on March 2, 2020 at 12:05 PM

Zero-days Compromised in Several WordPress Plugins by Hackers

WordPress is certainly the most popular site building platform. Based on present statistics, technology provides its content management platform to about 35% of all internet users.

The technology has always attracted hackers and cyber attackers because of its impressively large number of installations. That’s why hacking attempts on WordPress sites are always on the news.

Last year was one of the busiest for hackers who are interested in the WordPress sites as there were large numbers of attacks and attempted attacks.

After the high level of attacks on WordPress towards the end of last year, the New Year began on a quiet note for the content management platform.

However, it seems the charismas celebration is over for the hackers as they have returned to normal service. Within the space of 2 weeks, there have been reports of multiple attacks.

The hackers have resurfaced again as several security researchers have reported on the huge amount of attack on WordPress sites. Security firms like NinTechNet, WebARX, and WordFense, have all found out about the attacks.

More recently, reports by these researchers revealed that hackers are exploiting a zero-day critical vulnerability in WordPress, which could see them take control of several thousands of websites.

The zero-days in multiple plugins can allow hackers to plant backdoors and establish rogue administrators.

Researchers at NinTechNet said they have submitted the report to the plugin’s development team at WordPress for necessary actions and updates.

Barely an hour after receiving the report, the WordPress team released a patch with version 2.3.2 to fix the actively targeted flaw. However, some users have already been hacked before the update was available for installation.

Reports revealed three additional zero-days were attacked

WordPress security firm, Defiant, discovered that there were three more zero-days flaws being targeted, which affects other WordPress plugins. The researchers found this while they were analyzing the current zero-day attack.

The 10Web Map Builder and Async JavaScript developers have also released updates to fix the vulnerabilities being exploited.

According to Mikey Veenstra, an analyst at Defiant Threat, “This attack campaign exploits XSS vulnerabilities in the above plugins to inject malicious Javascript that can create malicious plugins that include backdoors,”

He also reiterated that site administrators who make use of the plugins should take appropriate actions to stop these attacks.

He said the Defiant Security outfit understands the importance of security disclosure, and the company will not reveal details about the vulnerabilities if it was not important for the WordPress community to know.

Finding out whether your WordPress site is compromised

Lukasz Spryszak from WordPress security desk listed some symptoms that would indicate a user’s website has been breached by the hacking campaign. Some of the symptoms include:

1) Rearrangement of checkout fields or the addition of new fields that were not initially added.

2) Suspicious files, particularly those with .zip or .php extensions.

3) The appearance of new plugins that were not initially installed.

4) When new admin accounts appear when the user knows they have not created by the user.

There have been a lot more reports of WordPress plugin vulnerabilities and the exploration of recently patched zero-day vulnerabilities. For example, last week BleepingComputer reported that some hackers tried to completely breach WordPress sites by exploring the unpatched versions of Duplicator, Profile Builder, and ThemeGrill Demo Importal plugins.

The researchers revealed that there were about 1.250,000 installations for those vulnerable plugins. With this large number of installation, the attackers would have had a field day of exploitation if they had succeeded in infiltrating the plugins.

Similarly, last week, hackers exploited a zero-day vulnerability that allows remote code execution in ThemeREX WordPress plugin. This time, the plugin has about 40,000 installations.  The attackers wanted to create an administrator account that would allow them to take complete control of the vulnerable websites.

There are other vulnerable WordPress plugins the attackers could target, including the multiple GDPR Cookie vulnerability plugins, which has more than 700, 000 installations. Attackers can explore these vulnerabilities and inject CSRF bug or malicious JavaScript code into the plugin.

In addition, there were two bugs found in the WordPress database Reset plugin. Researchers have revealed that hackers can exploit the vulnerability and reset the sites’ database or completely take over the sites if updates are not completely installed.