Thousands of WordPress sites vulnerable to plugin backdoor
A recently discovered Linux malware strain exploits vulnerabilities in outdated WordPress plugins and themes to inject malicious JavaScript into websites. The malware is known to exploit at least 30 different vulnerabilities.
Antivirus vendor Dr. Web reports that the Linux malware targets both 32-bit and 64-bit systems and gives its operator remote command capabilities. The trojan's primary function is to compromise WordPress sites by trying a series of hardcoded exploits until one of them succeeds.
The following plugins and themes are known to be targeted:
- WP Live Chat Support Plugin
- WordPress – Yuzo Related Posts
- Yellow Pencil Visual Theme Customizer Plugin
- Easysmtp
- WP GDPR Compliance Plugin
- Newspaper Theme on WordPress Access Control (CVE-2016-10972)
- Thim Core
- Google Code Inserter
- Total Donations Plugin
- Post Custom Templates Lite
- WP Quick Booking Manager
- Facebook Live Chat by Zotabox
- Blog Designer WordPress Plugin
- WordPress Ultimate FAQ (CVE-2019-17232 and CVE-2019-17233)
- WP-Matomo Integration (WP-Piwik)
- WordPress ND Shortcodes For Visual Composer
- WP Live Chat
- Coming Soon Page and Maintenance Mode
- Hybrid
- Brizy WordPress Plugin
- FV Flowplayer Video Player
- WooCommerce
- WordPress Coming Soon Page
- WordPress theme OneTone
- Simple Fields WordPress Plugin
- WordPress Delucks SEO plugin
- Poll, Survey, Form & Quiz Maker by OpinionStage
- Social Metrics Tracker
- WPeMatico RSS Feed Fetcher
- Rich Reviews plugin
If the targeted website runs an outdated, vulnerable version of one of the plugins or themes above, the malware automatically fetches malicious JavaScript from its command and control server and injects it into the website.
Infected pages can act as redirectors to locations chosen by the attacker, potentially being used in phishing, malware distribution, and malvertising campaigns to evade detection and blocking. It is also possible that the operators of the auto-injector are selling their services to other cybercriminals.
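The injected-script symptom described above can be checked for on a site's rendered pages. The following Python is an added example (not from the article or from Dr. Web's analysis) that flags script tags loaded from hosts outside a hypothetical allowlist and inline scripts that redirect visitors; the allowlist, the `.invalid` host and the sample page are constructed.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hypothetical allowlist: hosts this site legitimately loads scripts from.
ALLOWED_HOSTS = {"www.example.com", "example.com"}
# Inline-script idioms typical of a redirector: client-side navigation or document rewriting.
REDIRECT_RE = re.compile(r"(window\.|top\.)?location(\.href)?\s*=(?!=)|location\.(replace|assign)\(|document\.write\(", re.I)
# Constructed sample of a page after an injector added a foreign script tag and an inline redirect.
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://www.example.com/wp-content/themes/site/app.js"></script>
<script src="//c2.invalid/inject.js"></script>
</head><body>
<script>setTimeout(function(){window.location.href="https://c2.invalid/land";},500);</script>
</body></html>"""


class ScriptCollector(HTMLParser):
    # Collects <script src=...> values and the bodies of inline <script> blocks.
    def __init__(self):
        super().__init__()
        self.external, self.inline = [], []
        self._buf = None  # list while inside an inline <script>, otherwise None
    def handle_starttag(self, tag, attrs):
        if tag == "script":  # HTMLParser hands tag names over lowercased
            src = dict(attrs).get("src")
            if src:
                self.external.append(src)
            else:
                self._buf = []
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf))
            self._buf = None


def find_suspicious_scripts(html, allowed_hosts=ALLOWED_HOSTS):
    # Returns (kind, detail) pairs: scripts from non-allowlisted hosts and inline redirects.
    parser = ScriptCollector(); parser.feed(html)
    findings = []
    for src in parser.external:
        host = urlparse(src).hostname  # None for relative paths such as /wp-includes/...
        if host and host.lower() not in allowed_hosts:
            findings.append(("external-script", src))
    for body in parser.inline:
        if REDIRECT_RE.search(body):
            findings.append(("inline-redirect", body.strip()))
    return findings
```

Run it against the HTML of a live page or a saved theme template; relative and allowlisted script sources are ignored, so only the foreign host and the redirecting inline block are reported.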
To defend against this threat, WordPress website admins should update to the latest versions of all themes and plugins on their site, and replace any that are no longer being developed with supported alternatives. Using strong passwords and enabling two-factor authentication can also help protect against brute-force attacks.