Researchers from Wordfence have disclosed an active malicious campaign that exploits vulnerabilities in several WordPress plugins to redirect visitors of compromised sites to websites controlled by the attackers.
The campaign targets WordPress plugins developed by NicDark (now Endreww), including Simple 301 Redirects – Addon – Bulk Uploader, Woocommerce User Email Verification, Yellow Pencil Visual Theme Customizer, Coming Soon and Maintenance Mode, and Blog Designer. The vulnerabilities are exploited through AJAX requests: in each case the plugin registers a wp_ajax_nopriv_ AJAX action responsible for importing WordPress settings, and that action is reachable by unauthenticated visitors.
“The vulnerabilities recently patched in plugins developed by NicDark are all exploited by very similar AJAX requests. In each case the plugin registers a nopriv_ AJAX action, which is accessible even by unauthenticated visitors, responsible for importing various WordPress settings. In these requests, key->value pairs of WordPress options and values are parsed out and applied directly to the affected site’s database”, — report Wordfence specialists.
Because the import writes arbitrary WordPress options, an attacker could change any setting, for example enable open user registration and set the default role for new accounts to Administrator.
“Because these vulnerabilities allow unauthenticated users to modify arbitrary WordPress options, it’s possible for attackers to enable registration as an Administrator user. However, we don’t see that behavior associated with this attack campaign”, — noted Wordfence researchers.
Instead, the campaign operators changed the siteurl and home options of the target site, so that its visitors were redirected to attacker-controlled resources. The Simple 301 Redirects – Addon – Bulk Uploader plugin has a related flaw: vulnerable versions check every request for the “submit_bulk_301” parameter and, when it is present, process an uploaded CSV file and import its contents as a bulk set of source paths and redirect destinations, again without an authentication check.
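As an added illustration (not code from Wordfence or from the affected plugins), the following PHP reconstructs the vulnerable pattern the report describes, an import handler registered on a wp_ajax_nopriv_ hook that writes caller-supplied key/value pairs straight into wp_options, and places a hardened handler beside it. The hook name nd_import_settings, the settings POST parameter and the option allow-list are assumptions made for the example; a real plugin would ship only the hardened half.

```php
<?php
// Added example: a reconstruction of the vulnerable pattern, not the plugins' own code.
// Hook/parameter names (nd_import_settings, $_POST['settings']) are assumptions.

// --- Vulnerable pattern --------------------------------------------------
function nd_import_settings_vulnerable() {
    // No capability check, no nonce, no allow-list: whoever can reach
    // admin-ajax.php chooses both the option name and its value, so
    // siteurl, home, users_can_register or default_role are all fair game.
    $settings = isset($_POST['settings']) ? (array) $_POST['settings'] : array();
    foreach ($settings as $option => $value) {
        update_option($option, $value);
    }
    wp_send_json_success();
}
// What the vulnerable plugins did (shown commented out so this file registers
// only the hardened handler below). The nopriv_ line is the actual bug: it
// exposes the import to visitors who are not logged in at all.
// add_action('wp_ajax_nd_import_settings',        'nd_import_settings_vulnerable');
// add_action('wp_ajax_nopriv_nd_import_settings', 'nd_import_settings_vulnerable');

// --- Hardened version ----------------------------------------------------
// Only options the plugin itself owns may be written through the import.
const ND_IMPORTABLE_OPTIONS = array('nd_primary_color', 'nd_layout', 'nd_footer_text');

function nd_import_settings_hardened() {
    // 1. Authenticated administrator only.
    if (!current_user_can('manage_options')) {
        wp_send_json_error('forbidden', 403);
    }
    // 2. CSRF protection: the request must carry a nonce issued to this user
    //    for this action (check_ajax_referer() dies on failure).
    check_ajax_referer('nd_import_settings', 'nonce');

    $settings = isset($_POST['settings']) ? (array) $_POST['settings'] : array();
    $applied  = array();
    foreach ($settings as $option => $value) {
        // 3. Allow-list: the client never gets to pick arbitrary option names.
        if (!in_array($option, ND_IMPORTABLE_OPTIONS, true)) {
            continue;
        }
        // 4. Sanitize each value before it reaches the database.
        $applied[$option] = sanitize_text_field(wp_unslash($value));
        update_option($option, $applied[$option]);
    }
    wp_send_json_success($applied);
}
// Registered for logged-in users only. With no wp_ajax_nopriv_ registration,
// admin-ajax.php answers unauthenticated callers with "0" / 400 and the
// handler never runs.
add_action('wp_ajax_nd_import_settings', 'nd_import_settings_hardened');
```

The first two checks (capability and nonce) are what the fixed plugins needed most; the allow-list is what keeps an otherwise legitimate import from ever touching siteurl or home even if an administrator account is later compromised.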
The domains used to host the injected code and redirect targets are rotated: new domains appear every few days, and attacks involving the older domains taper off.
Here is the list of currently active domains:
- greatinstagrampage.com
- gabriellalovecats.com
- jackielovedogs.com
- tomorrowwillbehotmaybe.com
- go.activeandbanflip.com
- wiilberedmodels.com
- developsincelock.com
How to avoid an attack?
An active campaign is targeting a number of vulnerabilities in an attempt to redirect victim sites’ visitors to potentially harmful destinations. The vulnerabilities in question have all been patched by their developers, so ensure all of your WordPress plugins are up to date. Note that updating does not undo changes an attacker has already made: if a site was hit, check the siteurl and home values (Settings > General, or the wp_options table) and restore them, and review the redirect rules imported through the Bulk Uploader plugin.
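As an added triage helper (not part of the Wordfence report), the PHP 7 script below runs two checks a site owner can do offline: it scans web-server access-log lines for requests carrying the submit_bulk_301 parameter, for POSTs to admin-ajax.php (the entry point for the nopriv_ import actions), and for referers or paths that mention the domains listed above; and it compares exported siteurl/home option values against the host the site is supposed to run on. The log lines and option values are constructed for the example; the expected host and the combined-log-format regex are assumptions.

```php
<?php
// Added example for incident triage; log lines and option values below are constructed.

$ioc_domains = array(
    'greatinstagrampage.com',
    'gabriellalovecats.com',
    'jackielovedogs.com',
    'tomorrowwillbehotmaybe.com',
    'go.activeandbanflip.com',
    'wiilberedmodels.com',
    'developsincelock.com',
);

/**
 * Flag combined-log-format lines that touch the attack surface described in the
 * article. Returns one array per hit with the reasons it was flagged.
 */
function find_suspicious_requests(array $lines, array $ioc_domains): array {
    $hits = array();
    // client, method, path, status, referer, user-agent
    $re = '/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"/';
    foreach ($lines as $line) {
        if (!preg_match($re, $line, $m)) {
            continue; // not a parsable access-log line
        }
        list(, $client, $method, $path, $status, $referer) = $m;
        $reasons = array();
        if (stripos($path, 'submit_bulk_301') !== false) {
            $reasons[] = 'submit_bulk_301 parameter (Bulk Uploader CSV import)';
        }
        if ($method === 'POST' && strpos($path, '/wp-admin/admin-ajax.php') === 0) {
            $reasons[] = 'POST to admin-ajax.php (inspect the action parameter for a nopriv_ import handler)';
        }
        foreach ($ioc_domains as $d) {
            if (stripos($referer, $d) !== false || stripos($path, $d) !== false) {
                $reasons[] = 'known campaign domain ' . $d;
            }
        }
        if ($reasons) {
            $hits[] = array(
                'client'  => $client,
                'path'    => $path,
                'status'  => (int) $status,
                'reasons' => $reasons,
            );
        }
    }
    return $hits;
}

/**
 * Compare exported siteurl/home option values with the expected host.
 * Returns the options whose host differs (or which are missing).
 */
function options_pointing_elsewhere(array $options, string $expected_host): array {
    $bad = array();
    foreach (array('siteurl', 'home') as $name) {
        $host = isset($options[$name]) ? parse_url($options[$name], PHP_URL_HOST) : null;
        if ($host === null || $host === false || strcasecmp($host, $expected_host) !== 0) {
            $bad[$name] = $options[$name] ?? '(missing)';
        }
    }
    return $bad;
}

// Constructed sample input: two attacker requests, one visitor arriving from a
// campaign domain, and one unrelated request.
$log = array(
    '203.0.113.7 - - [20/Aug/2019:10:01:02 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 12 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Aug/2019:10:01:05 +0000] "POST /?submit_bulk_301=1 HTTP/1.1" 200 3421 "-" "Mozilla/5.0"',
    '198.51.100.2 - - [20/Aug/2019:10:02:00 +0000] "GET /blog/ HTTP/1.1" 200 8831 "http://greatinstagrampage.com/" "Mozilla/5.0"',
    '198.51.100.9 - - [20/Aug/2019:10:03:00 +0000] "GET /wp-login.php HTTP/1.1" 200 2010 "-" "Mozilla/5.0"',
);
// Constructed wp_options export: siteurl has been swapped for a campaign domain.
$wp_options = array(
    'siteurl' => 'http://jackielovedogs.com',
    'home'    => 'https://www.example.org',
);

foreach (find_suspicious_requests($log, $ioc_domains) as $hit) {
    printf("%s %s -> %s\n", $hit['client'], $hit['path'], implode('; ', $hit['reasons']));
}
print_r(options_pointing_elsewhere($wp_options, 'www.example.org'));
```

On the constructed input the first three log lines are flagged and the siteurl entry is reported, which is exactly the combination (import requests followed by a rewritten siteurl) the campaign leaves behind. Run it against the real access log and a fresh `wp option get siteurl` / `wp option get home` export, and remember that the domain list rotates, so absence of a listed domain is not proof of a clean site.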