Vulnerabilities in WordPress Plugins allow hackers to create rogue admin accounts

News by Rene Millman

Several WordPress plugins could be used by hackers to create administrator accounts on unpatched websites.

Attacks on WordPress sites using rogue admin accounts started last month and have been ongoing, according to a blog post by researchers at Wordfence. The known vulnerabilities in WordPress plugins are reported to be exploited by injecting malicious JavaScript into the frontends of victim sites, which causes the sites’ visitors to be redirected to potentially harmful content such as malware droppers and fraud sites. Where possible, the payloads are obfuscated in an attempt to avoid detection by WAF and IDS software.
Researchers traced the attacks to various IP addresses linked to web hosting providers; once the issue had been highlighted, most of the IPs involved ceased activity, leaving just one still active.
"The IP address in question is 104.130.139.134, a Rackspace server currently hosting some presumably compromised websites. We have reached out to Rackspace to inform them of this activity, in hopes that they will take action in preventing further attacks from their network. We have not yet heard back," said researchers.
The attacks have been targeting several known vulnerabilities in the following plugins:
Bold Page Builder
Blog Designer
Live Chat with Facebook Messenger
Yuzo Related Posts
Visual CSS Style Editor
WP Live Chat Support
Form Lightbox
Hybrid Composer
All former NicDark plugins (nd-booking, nd-travel, nd-learning, et al.)
The initial research into this campaign identified the injection of scripts which triggered malicious redirects or unwanted popups in the browsers of a victim site’s visitors.
"Since that time, the campaign has added an additional script which attempts to install a backdoor into the target site by exploiting an administrator’s session," said researchers.
Researchers said that attacks are still ongoing.
"As always, updating the plugins and themes on your WordPress site is an excellent layer of defense against campaigns like these. Check your site for needed updates frequently to ensure you’re receiving the latest patches as they’re released," said researchers.
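One practical check against the rogue-admin behaviour described above is to audit the site's administrator accounts against a known baseline. The script below is an added example, not code from the article or from Wordfence; it assumes the JSON output of `wp user list --format=json --fields=ID,user_login,user_email,user_registered,roles` and uses a constructed sample in place of a real site.

```python
"""Audit WordPress administrator accounts against a known baseline.

Added example (not from the article or Wordfence). Assumes wp-cli JSON output
with a comma-separated "roles" string; the sample data below is constructed.
"""
import json
from datetime import datetime

# Constructed sample of `wp user list --format=json` output (not real data).
SAMPLE_WP_USER_LIST = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
     "user_registered": "2017-03-02 10:11:12", "roles": "administrator"},
    {"ID": 7, "user_login": "editor1", "user_email": "ed@example.com",
     "user_registered": "2018-06-14 08:00:00", "roles": "editor"},
    {"ID": 42, "user_login": "wpsupport", "user_email": "x@example.net",
     "user_registered": "2019-08-25 03:14:07", "roles": "administrator"},
])

# Administrators the site operator knows about (assumed baseline).
KNOWN_ADMINS = {"siteowner"}

def parse_wp_datetime(value):
    """Parse the 'YYYY-MM-DD HH:MM:SS' format used in wp_users.user_registered."""
    return datetime.strptime(value, "%Y-%m-%d %H:%M:%S")

def load_users(raw_json):
    """Parse wp-cli JSON into a list of dicts; the roles string becomes a set."""
    users = json.loads(raw_json)
    for u in users:
        u["roles"] = {r for r in u["roles"].split(",") if r}
    return users

def find_unexpected_admins(users, known_admins, since=None):
    """Return administrator accounts that are absent from the baseline.

    If `since` (a wp-style datetime string) is given, known admins registered
    at or after that time are also returned, since a re-created account is
    just as suspicious as an unknown one.
    """
    cutoff = parse_wp_datetime(since) if since else None
    suspects = []
    for u in users:
        if "administrator" not in u["roles"]:
            continue
        registered = parse_wp_datetime(u["user_registered"])
        unknown = u["user_login"] not in known_admins
        recent = cutoff is not None and registered >= cutoff
        if unknown or recent:
            suspects.append({"ID": u["ID"], "login": u["user_login"],
                             "registered": registered,
                             "reason": "not in baseline" if unknown else "registered after cutoff"})
    return suspects

if __name__ == "__main__":
    for s in find_unexpected_admins(load_users(SAMPLE_WP_USER_LIST), KNOWN_ADMINS):
        print(f"suspect admin: id={s['ID']} login={s['login']} reason={s['reason']}")
```

Any account the script flags should be verified with the site owner before removal, and the plugins listed above should be updated at the same time so the account cannot simply be re-created.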
Pascal Geenens, Radware EMEA security evangelist, told SC Media UK that attacks are moving from the server side to the client side, in this case attempting to hijack the context of a privileged user.
"Magecart uses similar tactics to virtually skim credit card data, although not through WordPress plugins but through infection of third party libraries. The primary objective in this case seems to be compromising the WordPress websites for further abuse, in the case of Magecart it is clearly credit-card information they are after, but one cannot exclude the use of similar tactics to extract information from websites; such attacks are insidious and hard to detect," he said.
Fabian Libeau, VP EMEA at RiskIQ, told SC Media UK that to stop malvertising from targeting individuals, everyone involved in the ad delivery chain must take a ‘one for all’ approach and unite to prevent its spread.
"Publishers, demand-side platforms and brands should all consider what they are doing to prevent malicious digital ads. If the answer is not a lot, then they should look to incorporate advertising and ad technology into their cyber-security programme. This will identify and remove malicious malvertisement hosts and advertisers from a network or publisher website, while minimising the threat to end-users," he said.
