WordPress plugins attacked by malicious redirect campaign

News by Mark Mayne

An active campaign is targeting several WordPress plugins in order to redirect users to potentially harmful destinations

WordPress plugins, a potential weak spot in the content management system, are often targeted by attackers. A new campaign is leveraging a selection of new and old vulnerabilities in several plugins to redirect legitimate website traffic to other domains. 

The plugins in question -- several individual plugins from NicDark and Simple 301 Redirects Addon -- have been patched, said security researchers at WordFence. 

"The vulnerabilities recently patched in plugins developed by NicDark are all exploited by very similar AJAX requests. In each case the plugin registers a nopriv_ AJAX action, which is accessible even by unauthenticated visitors, responsible for importing various WordPress settings. In these requests, key->value pairs of WordPress options and values are parsed out and applied directly to the affected site’s database. In each case, the targeted plugin must be declared in both the action parameter and the GET query string parameter defining the new option values," explained the researchers. "In effect, this replaces all of a site’s loaded JavaScript with a file under the attacker’s control."

The Simple 301 Redirects – Addon – Bulk Uploader plugin has also been the subject of attacks targeting a recently-patched vulnerability allowing unauthenticated attackers to inject their own 301 redirect rules onto a victim’s site.

"Vulnerable versions of the plugin would constantly listen for the presence of the POST body parameter submit_bulk_301. If this value is present, an uploaded CSV file would be processed and used to import a bulk set of site paths and their redirect destinations," noted WordFence researchers in a blogpost

In addition to the main two plugins above, the researchers have also identified related attacks against a number of other plugins, using a similar modus operandi and also targeting recently-patched vulnerabilities. These include:

As Wordfence threat analyst and blogpost author Mikey Veenstra pithily put it on Twitter: "Keep your stuff patched!"

WordPress plugins have long been vulnerable to attack. A vulnerability in the the Ad Inserter plugin that allowed attackers to run their own PHP code was discovered in July 2019, when Ad Inserter had 200,000 installed sites. A vulnerability in the Convert Plus plugin that allowed an attacker to gain administrative privileges was reported in May 2019 - Convert Plus had an install base of 100,000 at the time. 

Indicators of Compromise (IOCs) for the current campaign have been issued by Wordfence, which has also updated firewall rules to protect against the attacks.

The top 20 IPs associated with this campaign are listed below. 


Domain Names

  • greatinstagrampage.com
  • gabriellalovecats.com
  • jackielovedogs.com
  • tomorrowwillbehotmaybe.com
  • go.activeandbanflip.com
  • wiilberedmodels.com
  • developsincelock.com

Find this article useful?

Get more great articles like this in your inbox every lunchtime

Video and interviews