Researchers discovered a new malicious campaign targeting plugins for WordPress

WordPress Plugins Malicious Campaign
Written by Brendan Smith

Some time ago, a malicious campaign was discovered that exploits vulnerabilities in several WordPress plugins. According to researchers from Wordfence, visitors of compromised sites are redirected to websites controlled by cybercriminals.

The campaign targets WordPress plugins developed by NicDark (now Endreww), such as Simple 301 Redirects – Addon – Bulk Uploader, Woocommerce User Email Verification, Yellow Pencil Visual Theme Customizer, Coming Soon and Maintenance Mode, and Blog Designer.

The vulnerabilities are exploited using AJAX requests. In each case, the plugin registers a nopriv_ AJAX action responsible for importing WordPress settings, and that action is reachable by unauthenticated users.

“The vulnerabilities recently patched in plugins developed by NicDark are all exploited by very similar AJAX requests. In each case the plugin registers a nopriv_ AJAX action, which is accessible even by unauthenticated visitors, responsible for importing various WordPress settings. In these requests, key->value pairs of WordPress options and values are parsed out and applied directly to the affected site’s database,” report Wordfence specialists.

Attackers could exploit these vulnerabilities to modify arbitrary WordPress settings, for example to enable registration as an administrator user.

“Because these vulnerabilities allow unauthenticated users to modify arbitrary WordPress options, it’s possible for attackers to enable registration as an Administrator user. However, we don’t see that behavior associated with this attack campaign,” noted Wordfence researchers.
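To make the mechanism concrete, here is an added example (not code from the NicDark/Endreww plugins, nor from Wordfence) of the pattern the article describes, followed by a hardened version of the same handler. The action name ex_import_settings, the ex_ option names and the plugin prefix are hypothetical; the real action names are not given on the page.

```php
<?php
// Added example, not code from the affected plugins. Plugin prefix "ex_" and the
// option names are hypothetical.

// --- The pattern the article describes (do not deploy): an AJAX action registered
// on the nopriv_ hook that writes every submitted key=>value pair into wp_options. ---
function ex_vulnerable_import_settings() {
    // No capability check, no nonce, no allowlist of option names.
    $pairs = isset( $_POST['options'] ) ? (array) $_POST['options'] : array();
    foreach ( $pairs as $key => $value ) {
        // Caller controls both key and value, so core options such as
        // siteurl and home can be overwritten by an unauthenticated request.
        update_option( $key, $value );
    }
    wp_die();
}
add_action( 'wp_ajax_nopriv_ex_import_settings', 'ex_vulnerable_import_settings' );

// --- Hardened form of the same import handler. ---
function ex_safe_import_settings() {
    // 1. Only logged-in users who may manage options can import settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    // 2. Require a nonce bound to this action, which also blocks CSRF.
    check_ajax_referer( 'ex_import_settings', 'nonce' );

    // 3. Only the plugin's own options may be written; core options are never in this list.
    $allowed = array( 'ex_accent_color', 'ex_logo_url', 'ex_footer_text' );

    $pairs   = isset( $_POST['options'] ) ? (array) wp_unslash( $_POST['options'] ) : array();
    $applied = array();
    foreach ( $pairs as $key => $value ) {
        $key = sanitize_key( $key );
        if ( ! in_array( $key, $allowed, true ) ) {
            continue; // drop anything that is not an allowlisted plugin option
        }
        // 4. Sanitize values before they reach the database.
        $value = ( 'ex_logo_url' === $key ) ? esc_url_raw( $value ) : sanitize_text_field( $value );
        update_option( $key, $value );
        $applied[] = $key;
    }
    wp_send_json_success( array( 'applied' => $applied ) );
}
// Registered for authenticated users only: there is deliberately no wp_ajax_nopriv_ hook.
add_action( 'wp_ajax_ex_import_settings', 'ex_safe_import_settings' );
```

The three changes that matter are the capability check, the nonce, and the allowlist of option names: the first two remove unauthenticated access, and the allowlist means that even an authenticated caller cannot reach core options such as siteurl or home through this handler.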

Instead, campaign operators changed the target site’s site URL and home settings so that visitors were redirected to the attackers’ own resources. Vulnerable versions of the Simple 301 Redirects – Addon – Bulk Uploader plugin always check for the presence of the “submit_bulk_301” parameter; when it is present, the plugin processes an uploaded CSV file and uses it to import a large set of site paths and redirect destinations.


The domains used by attackers for malicious code injections and script redirects are rotated: new domains appear every few days, and attacks involving the older domains taper off.

Here is the list of currently active domains:

  • greatinstagrampage.com
  • gabriellalovecats.com
  • jackielovedogs.com
  • tomorrowwillbehotmaybe.com
  • go.activeandbanflip.com
  • wiilberedmodels.com
  • developsincelock.com

How to avoid an attack?

An active campaign is targeting a number of vulnerabilities in attempts to redirect victim sites’ visitors to potentially harmful destinations. The vulnerabilities in question have all been patched by their developers, so ensure all of your WordPress plugins are up to date.


