Researchers are warning of an ongoing campaign exploiting vulnerabilities in a slew of WordPress plugins. The campaign is redirecting traffic from victims’ websites to a number of potentially harmful locations.
Impacted by the campaign is a plugin called Simple 301 Redirects – Addon – Bulk Uploader as well as several plugins made by developer NicDark (now rebranded as “Endreww”). All plugins have updates available resolving the vulnerabilities – but researchers in a Friday post warned that WordPress users should update as soon as possible to avoid attack.
“Redirect locations were a typical spread, whatever ad network is running it likely does some geolocation and tracking to decide where to send you,” Mikey Veenstra with Wordfence told Threatpost. “Most recent injections don’t even appear to be functional, suggesting some breakdown in infrastructure or a transition of some sort.”
Veenstra told Threatpost that exploitation began on or around July 31, just as the first disclosure for one of the vulnerabilities was published.
“The plugin repository team quickly removed the rest of NicDark’s plugins from the repository, which drew attention and revealed that they all suffered similar vulnerabilities,” he told Threatpost. “So attacks probing for all of them began pretty quickly, despite many of the plugins having fairly small install bases.”
Veenstra told Threatpost that he found at least five plugins by NicDark with flaws being exploited as part of the campaign. These plugins are: Components For WP Bakery Page Builder, Donations, Travel Management, Booking and Learning Courses.
The flaws (all recently patched) are exploited by similar AJAX requests, according to Wordfence. In each case the plugin registers a nopriv_ AJAX action, which is responsible for importing various WordPress settings. Unauthenticated visitors can successfully send these AJAX requests in order to modify the siteurl setting of the victim’s site – thus sending visitors to other locations.
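For site owners auditing installed plugins for the pattern described above, the following added example (not code from Wordfence, Threatpost or any of the named plugins) is a heuristic scanner that flags nopriv_ AJAX handlers which write WordPress options. The sample plugin source and every name in it are constructed and hypothetical, and the brace matching is deliberately simple, so a hit is a prompt for manual review rather than proof of a flaw.

```python
import re

# Registrations reachable without login: add_action('wp_ajax_nopriv_<action>', '<callback>')
NOPRIV = re.compile(r"""add_action\(\s*['"]wp_ajax_nopriv_(\w+)['"]\s*,\s*['"](\w+)['"]""")
WRITES = re.compile(r"\b(update_option|update_site_option|add_option)\s*\(")
GUARDS = re.compile(r"\b(current_user_can|check_ajax_referer|wp_verify_nonce)\s*\(")

def function_body(src, name):
    """Return the brace-balanced body of PHP function `name`, or None."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", src)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(src) and depth:
        depth += {"{": 1, "}": -1}.get(src[i], 0)
        i += 1
    return src[m.end():i - 1]

def audit(src):
    """List (action, callback, reason) for nopriv handlers that write options."""
    findings = []
    for action, cb in NOPRIV.findall(src):
        body = function_body(src, cb)
        if body is None:
            findings.append((action, cb, "callback not found, review manually"))
        elif WRITES.search(body) and not GUARDS.search(body):
            findings.append((action, cb, "writes options with no capability or nonce check"))
        elif WRITES.search(body):
            findings.append((action, cb, "writes options; nopriv means no login, confirm the guard suffices"))
    return findings

# Constructed sample plugin source; every name in it is hypothetical.
SAMPLE = r"""
<?php
add_action('wp_ajax_nopriv_demo_import_settings', 'demo_import_settings');
add_action('wp_ajax_demo_import_settings', 'demo_import_settings');
function demo_import_settings() {
    foreach ($_POST['options'] as $k => $v) { update_option($k, $v); }
    wp_die();
}
add_action('wp_ajax_nopriv_demo_ping', 'demo_ping');
function demo_ping() { wp_send_json_success('pong'); }
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

To use it on a real install, read each plugin's PHP files and pass their contents to `audit()`; handlers defined as class methods or closures are not resolved by this sketch.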
The other impacted plugin, Simple 301 Redirects – Addon – Bulk Uploader, developed by Webcraftic, adds functionality to the Simple 301 Redirects plugin, which enables the redirect of requests to other pages. The plugin has more than 10,000 installations.
The plugin has a recently-patched vulnerability that enables unauthenticated attackers to inject their own 301 redirect rules onto a victim’s website. That means that a bad actor has the ability to upload a CSV file that could import a bulk set of site paths and redirect destinations.
Ultimately, if a vulnerable site processes an uploaded malicious CSV file it will begin redirecting all of its traffic to the addresses provided.
Researchers said they have also identified related attacks against other formerly-vulnerable plugins, including Woocommerce User Email Verification, Yellow Pencil Visual Theme Customizer, Coming soon and Maintenance Mode and Blog Designer.
“The domains used by the attackers in performing these script injections and redirects rotate with some frequency. New domains appear every few days, and attacks involving older domains taper off,” researchers said. “At this time, many of the redirect domains associated with these attacks appear to have been decommissioned, despite the fact that these domains still show up in active attacks at the time of this writing.”
Plugins continue to be a security thorn in WordPress’ side. According to an Imperva report, almost all (98 percent) of WordPress vulnerabilities are related to plugins that extend the functionality and features of a website or a blog. Other recent vulnerabilities found in WordPress plugins include WP Live Chat and Yuzo Related Posts.