After A Quiet End Of 2019, Hackers Returned To Exploit Zero-Days In WordPress Plugins


There is no doubt that WordPress, which powers 35% of all websites on the web, is the most widely used content management system on the internet.

Given its popularity, WordPress has been the target of many cyberattacks. As 2019 ended and 2020 began, however, things were rather quiet. Just like in previous years, Christmas and New Year made things rather dull in the cybersecurity field.

Hackers after all, need holidays too.

But when things settled, everything went back to business.

And here, hackers apparently returned with new exploits to attack WordPress-powered websites.

In mid-February, several cybersecurity firms specializing in WordPress security products, like Wordfence (1, 2), WebARX (1, 2), and NinTechNet (1), all reported an ever-increasing number of attacks on WordPress sites.

All the attacks discovered in February were focused on exploiting bugs on WordPress plugins, rather than exploiting WordPress itself.

While many of the plugins were already patched, and hackers are still hoping to compromise websites before their administrators apply those security patches, hackers also returned with more sophisticated campaigns.

Researchers found that some attacks were zero-day exploits, which means that hackers were attacking WordPress sites through vulnerabilities that were unknown to the plugins' developers.

Website administrators are advised to update all of their WordPress plugins whenever a newer version is available.


But most importantly, the plugins listed below should be a priority, as hackers seem to have put more effort into exploiting them.

  1. Duplicator: According to Wordfence, hackers have exploited a bug in Duplicator, a popular plugin that allows WordPress site administrators to export the content of their sites. Exploiting this plugin allows hackers to extract database credentials and compromise a website's MySQL database.
  2. Profile Builder Plugin: A bug was found in this plugin which could allow hackers to create new administrator accounts on WordPress sites. At least two hacker groups are believed to be exploiting this bug.
  3. ThemeGrill Demo Importer: The same two groups were also exploiting a bug in this plugin. Installed on more than 200,000 sites, the bug allowed hackers to wipe sites running a vulnerable version and then create new administrator accounts.
  4. ThemeREX Addons: This WordPress plugin, which ships pre-installed with all ThemeREX commercial themes, had a zero-day vulnerability that, according to Wordfence, allowed hackers to create new administrator accounts.
  5. Flexible Checkout Fields for WooCommerce: Installed on more than 20,000 WordPress websites, this plugin had a zero-day vulnerability that hackers used to inject XSS payloads and create new administrator accounts on infected sites.
  6. Async JavaScript, 10Web Map Builder for Google Maps, Modern Events Calendar Lite: These plugins are installed on 100,000, 20,000, and 40,000 sites, respectively. As above, all three were targeted with zero-day exploits.
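The common thread in the list above is a rogue administrator account appearing on the site, plus plugins left unpatched. One way to turn the update advice into a routine check, as an added defender-side example that is not part of the original article: flag administrator accounts registered after your last known-good audit and list plugins with a pending update. It assumes the JSON field names emitted by WP-CLI's `wp user list --format=json` and `wp plugin list --format=json` (`user_registered`, `roles`, `update`); the sample records below are constructed, not taken from any real site.

```python
"""Audit a WordPress site for new administrator accounts and outdated plugins.

Added example, not from the original article. Assumes the JSON shape of
`wp user list --role=administrator --format=json` and
`wp plugin list --format=json`; the sample records are constructed.
"""
import json
import subprocess
from datetime import datetime

# WordPress stores user_registered as "YYYY-MM-DD HH:MM:SS" (assumption).
WP_TS = "%Y-%m-%d %H:%M:%S"

# Constructed sample output of `wp user list --role=administrator --format=json`.
SAMPLE_USERS_JSON = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
     "user_registered": "2018-05-02 10:11:12", "roles": "administrator"},
    {"ID": 57, "user_login": "wpadmin", "user_email": "x@example.net",
     "user_registered": "2020-02-17 03:42:09", "roles": "administrator"},
    {"ID": 12, "user_login": "editor1", "user_email": "ed@example.com",
     "user_registered": "2020-02-20 08:00:00", "roles": "editor"},
])

# Constructed sample output of `wp plugin list --format=json`.
SAMPLE_PLUGINS_JSON = json.dumps([
    {"name": "duplicator", "status": "active", "update": "available", "version": "1.3.26"},
    {"name": "akismet", "status": "inactive", "update": "none", "version": "4.1.3"},
])


def _roles(user):
    """WP-CLI emits roles as a comma-separated string; tolerate a list too."""
    roles = user.get("roles", "")
    if isinstance(roles, str):
        roles = roles.split(",")
    return {r.strip() for r in roles}


def rogue_admins(users_json, last_audit):
    """Return logins of administrators registered after the last_audit timestamp."""
    cutoff = datetime.strptime(last_audit, WP_TS)
    flagged = []
    for user in json.loads(users_json):
        if "administrator" not in _roles(user):
            continue
        if datetime.strptime(user["user_registered"], WP_TS) > cutoff:
            flagged.append(user["user_login"])
    return sorted(flagged)


def outdated_plugins(plugins_json):
    """Return names of plugins for which WP-CLI reports an available update."""
    return sorted(p["name"] for p in json.loads(plugins_json)
                  if p.get("update") == "available")


def wp_cli_json(*args):
    """Run a WP-CLI command and return its JSON output (requires `wp` on PATH)."""
    out = subprocess.run(["wp", *args, "--format=json"],
                         check=True, capture_output=True, text=True)
    return out.stdout


if __name__ == "__main__":
    # Swap the samples for wp_cli_json("user", "list", "--role=administrator")
    # and wp_cli_json("plugin", "list") on a real install.
    last_good_audit = "2020-01-01 00:00:00"  # date of your last manual review
    print("admins created since last audit:", rogue_admins(SAMPLE_USERS_JSON, last_good_audit))
    print("plugins with pending updates:", outdated_plugins(SAMPLE_PLUGINS_JSON))
```

Run it from a scheduled job and alert on any non-empty result; a new administrator you did not create is exactly the outcome the ThemeGrill, ThemeREX and Profile Builder bugs produce, and the plugin check catches the window between a patch being released and it being applied.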

Further reading: Hackers Target WordPress Websites by Exploiting Plugins To Create Rogue Admins

Published: 03/03/2020