Thousands of WordPress sites redirecting users to dangerous domains

Person working on a WordPress post
(Image credit: Pixabay)

Over 900,000 WordPress sites have been targeted in a new attack campaign which aims to redirect visitors to malvertising sites or plant backdoors into a theme's header if an administrator is logged in.

The majority of these attacks appear to be the work of a single threat actor based on the malicious JavaScript payload they are attempting to inject in vulnerable sites. The attacker also leveraged older vulnerabilities that allowed them to change a site's home URL to the same domain used in the cross-site scripting (XSS) payload in order to redirect visitors to malvertising sites.

In a blog post, Ram Gall, Senior QA at Defiant, provided further insight into the sheer scale of the campaign, saying:

“While our records show that this threat actor may have sent out a smaller volume of attacks in the past, it’s only in the past few days that they’ve truly ramped up, to the point where more than 20 million attacks were attempted against more than half a million individual sites on May 3, 2020. Over the course of the past month in total, we’ve detected over 24,000 distinct IP addresses sending requests matching these attacks to over 900,000 sites.”

Targeting older WordPress vulnerabilities

According to Gall, the attacker targeted multiple vulnerabilities in WordPress plugins that have either been removed from official repositories or patched within the last few years.

More than half of all of the attacks targeted sites with the Easy2Map plugin, which contains an XSS vulnerability. Although the plugin was removed from the WordPress repository in August of 2019, it remains installed on fewer than 3,000 sites. The attacker also exploited an XSS vulnerability in the Blog Designer plugin that was patched in 2019 and one in the Newspaper theme that was patched in 2016.

In order to change a site's home URL, the attacker took advantage of an options update vulnerability in the WP GDPR Compliance and Total Donations plugins. WP GDPR Compliance has more than 100,000 installations, but Defiant estimates that no more than 5,000 vulnerable installations remain. Total Donations, on the other hand, was permanently removed from the Envato Marketplace in early 2019, and it is estimated that fewer than 1,000 installations remain in total.

If your site uses any of these plugins or themes, it is highly recommended that you update them immediately and remove any that are no longer in the official WordPress repository.
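The two symptoms described above, a rewritten home URL and a script tag planted in the theme header, are easy to check for after updating. The following is an added example, not code from the article or from Defiant: it flags a `home`/`siteurl` option that points at an unexpected host and any external `<script src>` in theme header markup, using a constructed tampered sample. The expected site URL and the script host allow-list are assumptions to replace with your own values.

```python
import re
from urllib.parse import urlparse

# Assumption: your site's canonical URL; the campaign rewrote `home` to its own domain.
EXPECTED_HOME = "https://example-blog.test"

# Assumption: hosts the theme is legitimately allowed to load scripts from.
ALLOWED_SCRIPT_HOSTS = {"example-blog.test", "fonts.googleapis.com"}

SCRIPT_SRC_RE = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)

# Constructed sample of wp_options rows after the home URL was tampered with.
SAMPLE_OPTIONS = {
    "siteurl": "https://example-blog.test",
    "home": "https://malvertising-example.invalid",
}

# Constructed sample theme header.php with an injected external script tag.
SAMPLE_HEADER = """<head>
<script src="/wp-includes/js/jquery/jquery.js"></script>
<script src="//fonts.googleapis.com/loader.js"></script>
<script type='text/javascript' src='https://malvertising-example.invalid/track.js'></script>
</head>"""


def check_site_urls(options):
    """Return a finding for each of home/siteurl whose host differs from EXPECTED_HOME."""
    expected_host = urlparse(EXPECTED_HOME).hostname
    findings = []
    for key in ("home", "siteurl"):
        value = options.get(key, "")
        if urlparse(value).hostname != expected_host:
            findings.append(f"{key} points to unexpected host: {value!r}")
    return findings


def find_foreign_scripts(header_php):
    """Return script src URLs that load from a host outside ALLOWED_SCRIPT_HOSTS.

    Relative paths (no host) are skipped; protocol-relative "//host/..." forms,
    common in injected tags, are normalised so the host can be extracted.
    """
    foreign = []
    for src in SCRIPT_SRC_RE.findall(header_php):
        host = urlparse("https:" + src if src.startswith("//") else src).hostname or ""
        if host and host not in ALLOWED_SCRIPT_HOSTS:
            foreign.append(src)
    return foreign


if __name__ == "__main__":
    for finding in check_site_urls(SAMPLE_OPTIONS) + find_foreign_scripts(SAMPLE_HEADER):
        print("FINDING:", finding)
```

On a live site the `options` dict would come from `wp option get home` / `wp option get siteurl` and the header markup from the active theme's header.php.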

Via BleepingComputer

Anthony Spadafora

After working with the TechRadar Pro team for the last several years, Anthony is now the security and networking editor at Tom’s Guide where he covers everything from data breaches and ransomware gangs to the best way to cover your whole home or business with Wi-Fi. When not writing, you can find him tinkering with PCs and game consoles, managing cables and upgrading his smart home. 
