Zero-days in Several WordPress Plugins Exploited by Hackers
WordPress is by far the most popular site-building platform. Based on current statistics, its content management system powers about 35% of all websites.
That enormous install base has always attracted hackers and cyber attackers, which is why hacking attempts on WordPress sites are constantly in the news.
Last year was one of the busiest for hackers interested in WordPress sites, as there were large numbers of attacks and
After the high level of attacks on WordPress towards the end of last year, the New Year began on a quiet note for the content management platform.
However, it seems the Christmas celebration is over for the hackers, as they have returned to normal service. Within the space of two weeks, there have been reports of multiple attacks.
The hackers have resurfaced, with several security researchers reporting a huge volume of attacks on WordPress sites. Security firms including NinTechNet, WebARX and Wordfence have all found out about
More recently, reports by these researchers revealed that hackers are exploiting a critical zero-day vulnerability in a WordPress plugin, which could let them take control of several thousand websites.
The zero-days in multiple plugins allow hackers to plant backdoors and establish rogue administrator accounts.
Researchers at NinTechNet said they submitted their report to the plugin's development team for the necessary action and update.
Barely an hour after receiving the report, the plugin's developers released version 2.3.2 to fix the actively targeted flaw. However, some users had already been hacked before the update was available to install.
Defiant, the WordPress security firm behind Wordfence, discovered three more zero-day flaws being targeted in other WordPress plugins. The researchers found them while analyzing the current zero-day attack.
The 10Web Map Builder and vulnerabilities being exploited.
According to Mikey Veenstra, an analyst on Defiant's threat intelligence team, “This attack campaign exploits XSS create malicious plugins that include backdoors,”
He also reiterated that site administrators who use the affected plugins should take appropriate action to stop these attacks.
He said Defiant understands the importance of responsible disclosure, and that the company would not reveal details of the vulnerabilities unless it was important for the WordPress community to know.
Lukasz Spryszak of the WordPress security desk listed some symptoms that indicate a website has been breached by this hacking campaign. They include:
1) Checkout fields rearranged, or new fields added that the site owner never configured.
2) Suspicious files, particularly ones with .zip or .php extensions.
3) New plugins appearing that the site owner never installed.
4) New admin accounts appearing that the site owner did not create.
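The last three symptoms above can be checked mechanically rather than by eye. The shell script below is an added example written for this page; it is not part of the article and not a tool from any of the vendors it names. It assumes a WordPress document root with the standard wp-content layout, baseline files listing the plugin directories and administrator logins recorded while the site was known-good, and that the current administrator list is exported with WP-CLI (`wp user list --role=administrator --field=user_login`). The demo site, the baseline files and the planted backdoor, bundle and rogue admin are all constructed inline so the script runs offline.

```shell
#!/bin/sh
# Added example: check a WordPress tree for the compromise indicators listed above.
# Assumptions (not from the article): standard wp-content layout; baseline files with
# one plugin directory name / one admin login per line, saved while the site was clean.

# Indicator 2: PHP or ZIP files inside wp-content/uploads. Uploads should hold media
# only; a .php file there is almost always a dropped webshell, a .zip a smuggled bundle.
suspicious_uploads() {
  find "$1/wp-content/uploads" -type f \
    \( -name '*.php' -o -name '*.phtml' -o -name '*.zip' \) 2>/dev/null | sort
}

# Indicator 3: plugin directories present now but absent from the baseline.
# $1 = WordPress root, $2 = sorted baseline file.
new_plugins() {
  ls -1 "$1/wp-content/plugins" | sort | comm -13 "$2" -
}

# Indicator 4: administrator logins present now but absent from the baseline.
# $1 = current admin list (assumed to come from
#      `wp user list --role=administrator --field=user_login`), $2 = sorted baseline.
new_admins() {
  sort "$1" | comm -13 "$2" -
}

# Build a constructed, throw-away WordPress-like tree that shows every indicator and
# print its path. Every file and name in it is made up for the demonstration.
make_demo_site() {
  root=$(mktemp -d)
  mkdir -p "$root/wp-content/uploads/2020/02" \
           "$root/wp-content/plugins/akismet" \
           "$root/wp-content/plugins/wp-super-cache" \
           "$root/wp-content/plugins/wp-updates-helper"      # constructed: rogue plugin
  touch "$root/wp-content/uploads/2020/02/hero.jpg"          # legitimate media file
  touch "$root/wp-content/uploads/2020/02/wp-cache.php"      # constructed: dropped backdoor
  touch "$root/wp-content/uploads/plugin-backup.zip"         # constructed: smuggled bundle
  printf 'akismet\nwp-super-cache\n' > "$root/plugins.baseline"
  printf 'admin\n'                   > "$root/admins.baseline"
  printf 'wp_update\nadmin\n'        > "$root/admins.current"  # constructed: rogue admin
  printf '%s\n' "$root"
}

# Usage against the constructed site. To audit a real installation, point the three
# checks at the real document root and at baseline files you saved earlier.
site=$(make_demo_site)
echo "== suspicious files under uploads =="
suspicious_uploads "$site"
echo "== plugins not in baseline =="
new_plugins "$site" "$site/plugins.baseline"
echo "== administrator accounts not in baseline =="
new_admins "$site/admins.current" "$site/admins.baseline"
rm -rf "$site"
```

The checks deliberately diff against a saved baseline rather than against a hard-coded list of "known bad" names, because the rogue plugins and admin accounts in these campaigns are given innocuous-looking names; what gives them away is that the site owner never created them. Re-create the baseline files after every legitimate change so the diff stays meaningful.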
There have been many more reports of WordPress plugin vulnerabilities and of exploitation of recently patched zero-days. For example, last week BleepingComputer reported that hackers attempted to take over WordPress sites by exploiting unpatched versions of the Duplicator, Profile Builder and ThemeGrill Demo Importer plugins.
The researchers noted that those vulnerable plugins had about 1,250,000 installations combined. With that many installations, the attackers would have had a field day if they had succeeded.
week, hackers exploited a zero-day vulnerability that allows remote code execution in the ThemeREX WordPress plugin, which has about 40,000 installations. The attackers sought to create an administrator account that would give them complete control of the vulnerable websites.
In addition, two bugs were found in the WordPress Database Reset plugin. Researchers revealed that hackers can exploit the vulnerability to reset a site's database or completely take over the site if updates are not completely