Researchers from Wordfence uncovered an ongoing hacking campaign exploiting security vulnerabilities in some WordPress plugins to redirect visitors to websites under the control of the attackers.
The campaign specifically
All the WordPress plugins targeted in this campaign have updates available addressing the vulnerabilities.
“The vulnerabilities recently patched in plugins developed by NicDark are all exploited by very similar AJAX requests,” reads the post published by Wordfence. “In each case the plugin registers a nopriv_ AJAX action, which is accessible even by
The flaws could be exploited by attackers to modify arbitrary WordPress options, for example, to enable registration as an Administrator user. The attackers behind this campaign used to modify the ‘
Experts explained that vulnerable versions of the plugin would constantly listen for the presence of the POST body parameter ‘submit_bulk_301’. The presence of the parameter allows an uploaded CSV file to be processed and used to import a bulk set of
The campaign began on July 31; other attacks targeted the following WordPress plugins
Attackers used several domains to perform these script injections and redirects; the domains rotated with some frequency, and new domains were added every few days. The WordPress plugin repository team quickly removed the other WordPress plugins developed by NicDark from the repository. Threat actors noticed that all these plugins suffered from similar flaws and began to target them.
“An active campaign is targeting a number of vulnerabilities in attempts to redirect victim sites’ visitors to potentially harmful destinations. The vulnerabilities in question have all been patched by their developers, so ensure all of your WordPress plugins are up to date,” concludes Wordfence.
(SecurityAffairs – WordPress plugins, hacking)