Threat actors are launching a hacking campaign aimed at taking over tens of thousands of WordPress sites by exploiting critical vulnerabilities.
One of the issues exploited in the attacks is a zero-day vulnerability that affects several plugins and that could allow hackers to create admin accounts and take over the sites.
Researchers at NinTechNet reported an ongoing campaign, observed in the past hours, that is actively exploiting a zero-day flaw in the WordPress Flexible Checkout Fields for WooCommerce plugin.
The plugin has over 20,000 active installations, and its developers have already fixed the unauthenticated stored XSS bug that affects version 2.3.1 and below.
“The vulnerability has been actively exploited
Unfortunately, other zero-day vulnerabilities were targeted by hackers in the past hours.
Experts at WordPress security firm Defiant reported three zero-day vulnerabilities in WordPress plugin under active exploitation.
The zero-day flaws are:
a subscriber+ stored XSSaffecting the Async JavaScript plugin that has over 100,000 installs.an unauthenticated stored XSS in the 10Web Map Builder for Google Maps plugin that has over 20,000 installs.- multiple subscriber stored XSS in Modern Events Calendar Lite plugin that has over 40,000 installs.
“Early yesterday, the Flexible Checkout Fields for WooCommerce plugin received a critical update to patch a zero-day vulnerability which allowed attackers to modify the plugin’s settings.” reads the advisory published by WordFence. “As our Threat Intelligence team researched the scope of this attack campaign, we discovered three additional zero-day vulnerabilities in popular WordPress plugins that are being exploited as a part of this campaign. The
The development teams behind the Async JavaScript and 10Web Map Builder for Google Maps have already issued security updates to address the zero-day flaws.
“This attack campaign exploits XSS vulnerabilities in the above plugins to inject malicious Javascript that can create rogue WordPress administrators and install malicious plugins that include
It is not a good period for administrators of WordPress sites, a few days ago experts warned of a new wave of attacks targeting a zero-day vulnerability in the popular Duplicator WordPress Plugin.
Recently the issues with other WordPress plugins made the headlines:
- Jan. 2020 – An authentication bypass vulnerability in the InfiniteWP plugin that could potentially impact by more than 300,000 sites.
- Jan. 2020 – Over 200K WordPress sites are exposed to attacks due to a high severity cross-site request forgery (CSRF) bug in
Code Snippets plugin . - Feb. 2020 – A serious flaw in the ThemeGrill Demo Importer WordPress theme plugin with over 200,000 active installs can be exploited to wipe sites and gain admin access to the site.
- Feb. 2020 – A stored cross-site vulnerability in the GDPR Cookie Consent plugin that could potentially impact 700K users.
- Feb. 2020 – A zero-day vulnerability in the ThemeREX
Addons was actively exploited by hackers in the wild to create user accounts with admin permissions.
I believe it is very important to protect WordPress install with dedicated solutions, I’m currently using WordFence solution, the company provided with a license to evaluate the premium features.
[adrotate banner=”9″] | [adrotate banner=”12″] |
(
[adrotate banner=”5″]
[adrotate banner=”13″]