WordPress: Massive attack on 900,000 websites
WordPress is in the hackers' spotlight again, with a new massive attack against more than 900,000 websites.
The attacks appear to be the work of a single hacker who, over the past month, has used at least 24,000 IP addresses to deliver malware to over 900,000 websites.
Hacking attempts intensified after April 28; WordPress security company Defiant, maker of the Wordfence security plugin, detected over 20 million attacks against more than 500,000 websites on May 3.
Defiant QA manager Ram Gall said the hacker has focused mainly on exploiting cross-site scripting (XSS) vulnerabilities in plugins that were patched in the past and have been targeted in other attacks.
The attacks mainly aim to redirect visitors to malicious ads. If the visitor whose browser runs the JavaScript is logged in, the code tries to inject a PHP backdoor into the header file, along with another piece of JavaScript. The backdoor then fetches another payload, stores it in the header and tries to run it. This lets the hacker swap the payload for a webshell, for code that creates a malicious administrator, or for code that deletes the content of an entire site. In its announcement, Defiant included indicators of compromise for the final payload.
Here is the list of vulnerabilities that appear to be most targeted; according to Gall, the plugins in question have either been removed or patched earlier.
- An XSS vulnerability in the Easy2Map plugin, which was removed from WordPress in August 2019 and is estimated to be installed on fewer than 3,000 websites.
- An options update vulnerability in WP GDPR Compliance, which allowed attackers to, among other things, change a site's URL; it was fixed in late 2018. Although the plugin has more than 100,000 installations, it is estimated that no more than 5,000 websites are affected.
- An XSS vulnerability in Blog Designer, patched in 2019. Fewer than 1,000 vulnerable installations are estimated to remain, although this vulnerability has been the target of previous hacking campaigns.
- An options update vulnerability in Total Donations that allows hackers to change the site's home page URL. This plugin was permanently removed from the Envato Marketplace in early 2019 and is estimated to have fewer than 1,000 installations remaining.
- An XSS vulnerability in the Newspaper theme, patched in 2016. This vulnerability has also been targeted in the past.
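Two entries in the list above are "options update" vulnerabilities that let an attacker change a site's URL. The pattern behind that class of bug is an AJAX handler that writes caller-supplied option names and values into the WordPress options table without checking who is calling. The following PHP is an added illustration written for this article, not code from WP GDPR Compliance, Total Donations or any other plugin named here: the AJAX action name `example_save_setting`, the `example_*` option names and the plugin functions are hypothetical, while `add_action`, `update_option`, `check_ajax_referer`, `current_user_can`, `sanitize_key`, `sanitize_text_field`, `wp_unslash` and `wp_send_json_*` are standard WordPress core functions.

```php
<?php
/*
 * Added illustration (not from any plugin in the article): a WordPress AJAX
 * options-update handler, first in the weak form the article's list describes,
 * then hardened. Action name, function names and option names are hypothetical.
 */

// BEFORE (vulnerable, CWE-862 missing authorization): the handler is registered
// for unauthenticated callers too ("nopriv"), accepts any option name, and
// writes it. Because 'siteurl' and 'home' are ordinary options, this is exactly
// how a plugin bug ends up letting someone change a site's URL.
add_action( 'wp_ajax_nopriv_example_save_setting', 'example_save_setting_vulnerable' );
add_action( 'wp_ajax_example_save_setting', 'example_save_setting_vulnerable' );
function example_save_setting_vulnerable() {
    $name  = $_POST['option_name'];   // unrestricted: nothing stops 'siteurl'
    $value = $_POST['option_value'];  // unvalidated
    update_option( $name, $value );   // writes whatever was supplied
    wp_send_json_success();
}

// AFTER (hardened): logged-in users only (no nopriv hook), a nonce so a
// logged-in admin cannot be tricked into calling it cross-site, an explicit
// capability check, and an allowlist so only this plugin's own options can
// ever be written, never 'siteurl', 'home' or anything else.
add_action( 'wp_ajax_example_save_setting', 'example_save_setting_hardened' );
function example_save_setting_hardened() {
    check_ajax_referer( 'example_save_setting', 'nonce' );   // CSRF protection; dies on failure
    if ( ! current_user_can( 'manage_options' ) ) {          // authorization
        wp_send_json_error( 'forbidden', 403 );              // sends JSON and exits
    }

    // Hypothetical option names owned by this plugin; the allowlist is the
    // control that makes the option *name* no longer attacker-chosen.
    $allowed = array( 'example_map_zoom', 'example_map_style' );

    $name = isset( $_POST['option_name'] ) ? sanitize_key( $_POST['option_name'] ) : '';
    if ( ! in_array( $name, $allowed, true ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }

    $value = isset( $_POST['option_value'] )
        ? sanitize_text_field( wp_unslash( $_POST['option_value'] ) )
        : '';

    update_option( $name, $value );
    wp_send_json_success();
}
```

When reviewing a plugin for this class of issue, the three things to look for are visible in the before/after: a `wp_ajax_nopriv_*` registration on a handler that writes state, a missing `current_user_can()` call, and an `update_option()` whose first argument comes from the request rather than from a fixed list. Each of the three on its own is enough for the handler to deserve a closer look.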
Source: secnews.gr