Another major WordPress security flaw is putting thousands of websites at risk

Wordpress brand logo on computer screen. Man typing on the keyboard.
(Image credit: Shutterstock/David MG)

Cybersecurity researchers from Defiant recently spotted a new malware strain targeting WordPress by impersonating an optimization plugin.

The goal of the malware, it was said, was to grant the attackers administrative access to the WordPress website.

While cleaning a website over the summer of 2022, the researchers discovered a plugin with a “professional-looking” opening comment about how it’s a caching tool helping reduce the strain on the server and cut down on page loading times. This choice, the researchers further explained, was deliberate, to make sure web admins don’t suspect much on manual inspection. Furthermore, the plugin is set to exclude itself from the list of active plugins, for the same purpose.

Monetizing compromised websites

The malware is capable of doing a number of things, including creating a “superadmin” account with a hard-coded password; detecting bot traffic to serve them spam content (sometimes erroneously, causing a spike in spam reports from genuine users); replacing content on the site and inserting spam links or buttons (to everyone except site admins so that they don’t realize what’s going on); controlling plugins (remotely activating or deactivating plugins, wiping any traces of its existence, etc.); and remotely activating different malicious functions.  

"Taken together, these features provide attackers with everything they need to remotely control and monetize a victim site, at the expense of the site’s own SEO rankings and user privacy," the researchers explained their findings.

Defiant did not name the threat actor currently distributing the malware, nor the estimated number of infected websites. We also don’t know exactly how the malware is being distributed, but the researchers speculate the attackers are either brute-forcing their way into WP websites and installing the plugin, or using login credentials stolen elsewhere, in earlier attacks. Then, there is always the possibility of other vulnerable plugins being abused to gain access.

Via BleepingComputer

More from TechRadar Pro

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.