Home » How to remove » Adware » Hackers exploit vulnerabilities in more than 10 WordPress plugins in one campaign

Hackers exploit vulnerabilities in more than 10 WordPress plugins in one campaign

Defiant experts have warned that a group of hackers exploits vulnerabilities in more than 10 WordPress plugins to create new admin accounts on other people’s sites. Then, these accounts serve as backdoors for attackers.

According to researchers, occurs natural continuation of the malicious campaign that began in July 2019. That time the same hack group used vulnerabilities in the same plugins to inject malicious code on websites. This code was intended to display pop-up ads or to redirect visitors to other resources. Now, starting on August 20, 2019, criminals have changed tactics and use other payloads.

“Much of the campaign remains identical. Known vulnerabilities in WordPress plugins are exploited to inject malicious JavaScript into the frontends of victim sites, which causes the sites’ visitors to be redirected to potentially harmful content like malware droppers and fraud sites. Where possible, the payloads are obfuscated in an attempt to avoid detection by WAF and IDS software”, — explained Defiant experts.

So, now instead of the code responsible for the implementation of pop-ups and redirects, code is used to check whether the visitor to the site has the ability to create user accounts (a feature available only to admin accounts in WordPress).

Read also: Vulnerability in the plugin for WordPress allowed to execute PHP-code remotely

In fact, the malware is waiting for the owner of the site to access his resource. When this happens, the malicious code creates a new administrator account named wpservices using the address wpservices@yandex.com and the password w0rdpr3ss. Then these accounts are used as backdoors.

“The campaign picks up new targets over time. It’s reasonable to assume any unauthenticated XSS or options update vulnerabilities disclosed in the near future will be quickly targeted by this threat actor”, — say Defiant researchers.

Researchers write that attacks target previously famous vulnerabilities in the following plugins:

READ  Vulnerability in WP Live Chat Support plugin allows stealing logs and insert messages in chats

Defiant strongly recommends that website owners update the above plugins to the latest versions, as well as check their resources for new administrator accounts and, if necessary, delete fraudulent accounts.

[Total: 0    Average: 0/5]

About Trojan Killer

Carry Trojan Killer Portable on your memory stick. Be sure that you’re able to help your PC resist any cyber threats wherever you go.

Check Also

How to remove Qqs7.xyz?

Are you fed up facing Qqs7.xyz virus at all times in your house page? Well, …

How to remove Searchxp.xyz?

Are you fed up dealing with Searchxp.xyz virus constantly in your house page? Well, certainly …

Leave a Reply