Security experts at Wordfence reported that zero-day vulnerabilities in three different WordPress plugins have been exploited in the wild.
Threat actors have exploited zero-day vulnerabilities in several WordPress plugins in the wild to hack vulnerable websites and deliver backdoors. The alarm was raised by security firm Wordfence.
The attackers exploited three critical zero-day vulnerabilities in three distinct WordPress plugins. The flaws have been classified as critical PHP object injection issues and affect the Appointments, Flickr Gallery, and RegistrationMagic-Custom Registration Forms plugins.
The attacks detected by Wordfence exploited the issue to create a file on targeted websites. Analysis of the logs of compromised sites showed only a POST request to /wp-admin/admin-ajax.php.
“This vulnerability allowed attackers to cause a vulnerable website to fetch a remote file (a PHP backdoor) and save it to a location of their choice. It required no authentication or elevated privileges. For sites running Flickr Gallery, the attackers only had to send the exploit as POST request to the site’s root URL. For the other two plugins, the request would go to admin-ajax.php,” states the blog post published by Wordfence.
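Because the access logs show only a bare POST and the result of the attack is a new PHP file on disk, one way to triage a site is to correlate the two. The sketch below is an added example, not Wordfence's tooling: it assumes logs in the Apache/nginx combined format, a hypothetical 10-second window, and constructed log lines, IP addresses and file names.

```python
import re
from datetime import datetime, timedelta

# Request paths the article names as receiving the exploit POST.
SUSPECT_PATHS = {"/", "/wp-admin/admin-ajax.php"}

# Combined log format (assumed): ip - - [time] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_posts(lines):
    """Return (timestamp, ip, path) for every POST to a suspect path."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or m["method"] != "POST":
            continue
        path = m["path"].split("?", 1)[0]  # ignore the query string
        if path in SUSPECT_PATHS:
            ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
            hits.append((ts, m["ip"], path))
    return hits

def correlate(posts, php_files, window=timedelta(seconds=10)):
    """Pair each PHP file with POSTs that landed shortly before it was written."""
    findings = []
    for fpath, mtime in php_files:
        for ts, ip, path in posts:
            if timedelta(0) <= mtime - ts <= window:
                findings.append((fpath, ip, path))
    return findings

# Constructed sample data: documentation IPs, invented dates and file names.
SAMPLE_LOG = [
    '203.0.113.7 - - [02/Oct/2017:10:15:01 +0000] "POST /wp-admin/admin-ajax.php HTTP/1.1" 200 0 "-" "-"',
    '198.51.100.4 - - [02/Oct/2017:10:20:00 +0000] "GET /wp-admin/admin-ajax.php?action=x HTTP/1.1" 200 12 "-" "-"',
    '203.0.113.9 - - [02/Oct/2017:11:00:30 +0000] "POST / HTTP/1.1" 200 5120 "-" "-"',
    '198.51.100.4 - - [02/Oct/2017:12:00:00 +0000] "POST /wp-login.php HTTP/1.1" 302 0 "-" "-"',
]
SAMPLE_FILES = [  # (path, mtime), as os.stat would report for files under the web root
    ("wp-content/uploads/cache.php", datetime.fromisoformat("2017-10-02T10:15:03+00:00")),
    ("wp-content/themes/x/functions.php", datetime.fromisoformat("2017-09-01T08:00:00+00:00")),
    ("wp-includes/tmp.php", datetime.fromisoformat("2017-10-02T11:00:31+00:00")),
]

if __name__ == "__main__":
    for fpath, ip, path in correlate(parse_posts(SAMPLE_LOG), SAMPLE_FILES):
        print(f"{fpath}: written just after POST {path} from {ip}")
```

File modification times can be reset by an intruder, so an empty result does not clear a site; treat matches as leads for manual review.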
Wordfence researchers reported the zero-day flaws to the development teams behind the affected plugins, all of which promptly addressed the flaws with the following releases:
The impact of the issues is limited because the number of WordPress installs using the plugins is modest: the experts counted 8,000 installs using RegistrationMagic, 9,000 for Appointments and 4,000 using the Flickr Gallery.
Recently Wordfence reported that 200,000 WordPress websites using the Display Widgets Plugin were impacted after it was updated to include malicious code.
The good news is that WordPress, like many other organizations, has been running a bug bounty program since May 2017, which has already led to the discovery of many vulnerabilities in the popular CMS.
Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group. He is also a Security Evangelist, Security Analyst and Freelance Writer.