Security experts at various WordPress-centric companies and other organisations have recently been reporting an attack underway that involves exploiting WordPress plugins to redirect traffic.
Anyone visiting an affected website is redirected to a potentially dangerous site. Most of the vulnerabilities being exploited are not new and have been known for some time. The attacks were first reported around the end of July, beginning with the targeting of an add-on for Simple 301 Redirects, a popular plugin with more than 300,000 active installations.
Major plugins affected by the attack
The add-on tool exploited was Simple 301 Redirects – Addon – Bulk Uploader, offered by a developer called Webcraftic. Soon it was found that other products provided by a single developer called NicDark had also been compromised. These plugins were:
Components for WPBakery page builder
Other tools also affected by this attack are:
Woocommerce user email verification
Coming soon and Maintenance mode
Yellow pencil visual theme customizer
As soon as it became known that the items were compromised, they were removed from the official plugin directory. The developers responded by releasing updates to all the products to remove the flaws being exploited in the attack. Firewall rules were released for premium subscribers of the Simple 301 Redirects extension on 6 August, while those for free users become available today (5 September). The firewall rules for all the other affected products were released for premium customers on 30 July, with free access starting on 29 August. All the plugins have since been restored to the official repository. NicDark has also rebranded and is now known as Endreww. Anyone using these plugins must update them to keep their websites safe.
Vulnerability exploited by attackers
In all the instances involving NicDark’s products, the feature exploited was a nopriv_ AJAX action used to import the plugin's settings. WordPress AJAX actions registered with the nopriv_ prefix are reachable by unauthenticated website visitors. In the vulnerable handler, key->value pairs of WordPress option names and values were parsed out of the request and applied directly to the database of the website under attack. For example, while exploiting the Travel Management plugin, the attackers sent a POST request that named the plugin's action in the action parameter and carried the new option value, i.e. the URL of the hazardous website, in the GET query string.
This vulnerability can be exploited to modify arbitrary WordPress options, including registering as an administrator. However, while targeting NicDark’s tools, the attackers refrained from creating admin accounts. They only changed the siteurl setting of the affected website. As a result, the scripts of the compromised site no longer loaded from its own path; instead, the injected URL opened in the visitor’s browser.
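To make the flaw concrete, the following is an added example written for this article, not NicDark's or Webcraftic's code: a hypothetical settings-import AJAX handler, first in the vulnerable shape described above, then hardened with a nonce check, a capability check and an allowlist of plugin-owned option names. The plugin prefix, option names and nonce action are assumptions.

```php
<?php
// Added example: a hypothetical settings-import AJAX handler, first in the
// vulnerable shape described above, then hardened. This is not NicDark's or
// Webcraftic's code; plugin prefix, option names and nonce action are assumed.

// --- Vulnerable pattern: reachable without login, writes any option ----------
function example_plugin_import_settings_vulnerable() {
    // Registered on wp_ajax_nopriv_, so any visitor reaches this code, and
    // every key => value pair in the request is written straight to
    // wp_options. A request carrying siteurl=<other host> rewrites the site URL.
    foreach ( $_POST as $key => $value ) {
        update_option( $key, $value );
    }
    wp_die();
}
add_action( 'wp_ajax_example_import_vuln', 'example_plugin_import_settings_vulnerable' );
add_action( 'wp_ajax_nopriv_example_import_vuln', 'example_plugin_import_settings_vulnerable' );

// --- Hardened version --------------------------------------------------------

// Only options this plugin owns may be imported, each with the sanitizer that
// gives it the expected type. Core options such as siteurl, home and
// default_role are never reachable through this path.
function example_plugin_importable_options() {
    return array(
        'example_plugin_tagline'  => 'sanitize_text_field',
        'example_plugin_logo_url' => 'esc_url_raw',
        'example_plugin_map_zoom' => 'absint',
    );
}

function example_plugin_import_settings_hardened() {
    // 1. CSRF protection: the nonce is printed on the plugin's settings page
    //    with wp_create_nonce( 'example_plugin_import' ). Dies on mismatch.
    check_ajax_referer( 'example_plugin_import', 'nonce' );

    // 2. Authorization: importing settings is an administrator-level change.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'insufficient privileges' ), 403 );
    }

    $submitted = ( isset( $_POST['settings'] ) && is_array( $_POST['settings'] ) )
        ? wp_unslash( $_POST['settings'] )
        : array();

    $allowed  = example_plugin_importable_options();
    $applied  = array();
    $rejected = array();
    foreach ( $submitted as $key => $value ) {
        $key = sanitize_key( $key );
        // 3. Allowlist of option names: anything else is reported, not silently ignored.
        if ( ! isset( $allowed[ $key ] ) ) {
            $rejected[] = $key;
            continue;
        }
        // 4. Per-option sanitizer, so the stored value has the expected type.
        update_option( $key, call_user_func( $allowed[ $key ], $value ) );
        $applied[] = $key;
    }

    wp_send_json_success( array( 'applied' => $applied, 'rejected' => $rejected ) );
}
// Registered for logged-in users only: no wp_ajax_nopriv_ hook exists for it.
add_action( 'wp_ajax_example_import', 'example_plugin_import_settings_hardened' );
```

The order of the checks matters: the nonce stops cross-site requests from a logged-in administrator's browser, the capability check stops low-privilege accounts, and the allowlist is what keeps siteurl and similar core options out of reach even if the first two layers are ever misconfigured. When auditing a plugin, a handler hooked to wp_ajax_nopriv_ that calls update_option with request-controlled keys is the pattern to look for.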
The Simple 301 Redirects – Addon – Bulk Uploader allows users to upload a CSV of old and new links to the Simple 301 Redirects plugin. Attackers used the tool to upload CSV files containing redirection rules that pointed to harmful locations.
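A bulk uploader of redirect rules should validate every destination before storing a single row. The following added example (not the add-on's own code) parses a CSV of old/new pairs and accepts only same-site relative targets or absolute http(s) URLs whose host is on an allowlist; the allowed hosts and the sample rows are constructed for the example.

```php
<?php
// Added example, not the Simple 301 Redirects add-on's own code: validate a
// CSV of redirect rules before any row is stored. The host allowlist and the
// sample rows below are constructed for the example.

// Hosts that redirect targets may point at (assumption for the example).
function example_allowed_redirect_hosts() {
    return array( 'www.example-shop.test', 'example-shop.test' );
}

// A source must be a site-relative path such as /old-page/.
function example_valid_source_path( $source ) {
    return (bool) preg_match( '#^/[A-Za-z0-9._~/%\-]*$#', $source );
}

// A destination is either a relative path or an absolute http(s) URL whose
// host is on the allowlist. Returns true or false.
function example_valid_destination( $dest ) {
    if ( example_valid_source_path( $dest ) ) {
        return true; // same-site relative target
    }
    $parts = parse_url( $dest );
    if ( false === $parts || empty( $parts['scheme'] ) || empty( $parts['host'] ) ) {
        return false; // covers "javascript:", protocol-relative "//host" and malformed input
    }
    if ( ! in_array( strtolower( $parts['scheme'] ), array( 'http', 'https' ), true ) ) {
        return false;
    }
    // Credentials in the URL (user@host) are a classic host-confusion trick.
    if ( isset( $parts['user'] ) || isset( $parts['pass'] ) ) {
        return false;
    }
    return in_array( strtolower( $parts['host'] ), example_allowed_redirect_hosts(), true );
}

// Parses CSV text; returns array( 'accepted' => source => dest, 'rejected' => [...] ).
function example_validate_redirect_csv( $csv_text ) {
    $accepted = array();
    $rejected = array();
    $lines    = preg_split( '/\r\n|\r|\n/', $csv_text );
    foreach ( $lines as $index => $line ) {
        if ( '' === trim( $line ) ) {
            continue;
        }
        $row = str_getcsv( $line );
        if ( count( $row ) < 2 ) {
            $rejected[] = array( 'line' => $index + 1, 'reason' => 'expected two columns' );
            continue;
        }
        $source = trim( $row[0] );
        $dest   = trim( $row[1] );
        if ( ! example_valid_source_path( $source ) ) {
            $rejected[] = array( 'line' => $index + 1, 'reason' => 'bad source path' );
            continue;
        }
        if ( ! example_valid_destination( $dest ) ) {
            $rejected[] = array( 'line' => $index + 1, 'reason' => 'destination not allowed' );
            continue;
        }
        $accepted[ $source ] = $dest;
    }
    return array( 'accepted' => $accepted, 'rejected' => $rejected );
}

// Constructed sample upload: two legitimate rows and three that must be refused.
$sample_csv = "/old-page/,/new-page/\n"
            . "/catalog,https://www.example-shop.test/shop/\n"
            . "/promo,https://malicious.invalid/landing\n"
            . "/login,//malicious.invalid/phish\n"
            . "/help,javascript:void(0)\n";

$result = example_validate_redirect_csv( $sample_csv );
printf( "accepted %d rule(s), rejected %d\n", count( $result['accepted'] ), count( $result['rejected'] ) );
foreach ( $result['rejected'] as $r ) {
    printf( "  line %d: %s\n", $r['line'], $r['reason'] );
}
```

Run with plain `php` to see two rules accepted and lines 3 to 5 rejected. Inside WordPress the same functions would sit behind the upload handler, which must itself require the manage_options capability and a nonce; validating the file is a second layer, not a substitute for that.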
It was also found that, in all cases, the domains to which traffic was being redirected changed every few days, with a new set of malicious URLs replacing the old ones. All the IP addresses found to be linked to this campaign of exploiting WordPress plugins to redirect traffic were made public so that they can be blocked.
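Because the redirect domains and IPs rotate, blocking indicators alone is fragile; the durable thing to watch is the option the campaign modifies. The following added example, not taken from any of the vendors named above, is a must-use plugin (placed in wp-content/mu-plugins/) that refuses and logs any write to the siteurl or home option that does not match the expected value, and exposes a check a cron job or health endpoint can call. The constant name and expected URL are assumptions.

```php
<?php
// Added example, not from any vendor named in the article: a must-use plugin
// that pins the siteurl and home options to an expected value and logs every
// attempt to change them. The constant and its value are assumptions.

// Expected canonical URL; in a real deployment define this in wp-config.php.
if ( ! defined( 'EXAMPLE_CANONICAL_SITE_URL' ) ) {
    define( 'EXAMPLE_CANONICAL_SITE_URL', 'https://www.example-shop.test' ); // assumption
}

// Runs on the pre_update_option_{$option} filter before the database write.
// Returning the old value makes update_option() a no-op, so the write never happens.
function example_guard_site_url_option( $value, $old_value, $option ) {
    $expected = untrailingslashit( EXAMPLE_CANONICAL_SITE_URL );
    if ( untrailingslashit( (string) $value ) === $expected ) {
        return $value; // legitimate value, allow it through
    }
    // Record enough context to triage later: option, attempted value, request, user, client IP.
    error_log( sprintf(
        '[siteurl-guard] refused change of %s from %s to %s (uri=%s, user=%d, ip=%s)',
        $option,
        $old_value,
        $value,
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-',
        get_current_user_id(),
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    ) );
    return $old_value;
}
add_filter( 'pre_update_option_siteurl', 'example_guard_site_url_option', 10, 3 );
add_filter( 'pre_update_option_home',    'example_guard_site_url_option', 10, 3 );

// Independent check for a cron job or health endpoint: are the stored values
// still what we expect? Returns true when both options match, false otherwise,
// so a drift that bypassed the filter (for example a direct SQL change) is still noticed.
function example_site_url_options_intact() {
    $expected = untrailingslashit( EXAMPLE_CANONICAL_SITE_URL );
    return untrailingslashit( get_option( 'siteurl' ) ) === $expected
        && untrailingslashit( get_option( 'home' ) ) === $expected;
}
```

Defining WP_HOME and WP_SITEURL in wp-config.php already overrides the value WordPress reads, which is the standard mitigation; this guard adds the two things that configuration alone does not give you, namely the refusal of the database write itself and a log line that shows a hijack attempt with the request that carried it.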
Point to ponder
WordPress plugins are regarded as hugely convenient tools, and their development has become an industry in itself. They are especially popular with beginners, since they add the desired functionality without coding. However, they remain a major security problem for website owners: many of the vulnerabilities exploited by attackers relate to plugins. Webmasters need to be careful in choosing and maintaining these tools, and anyone using the affected plugins mentioned here must install the necessary updates to keep their websites safe.
Contributed by Brandon Graves, an expert WordPress developer working with HireWPGeeks.