WordPress has a user base of over 60 million people, and an ongoing “backdoor attack” is trying to compromise as many of them as possible. A website hacking campaign that has been running since July has morphed from redirecting browsers to sites containing dodgy adverts or malicious software into something even more serious.
So how are the attackers getting access to a website? It seems that some third-party WordPress plugins are behind this security threat. According to the official WordPress website, there are currently 55133 plugins.
In a recent study, Imperva revealed that “98% of WordPress vulnerabilities are related to plugins.” It added that, out of such a large number of plugins, only 3% were added in 2018, which means plenty of old, un-updated plugins are still in use.

Mikey Veenstra, a researcher at Defiant Threat Intelligence, said: “the campaign has added another script which attempts to install a backdoor into the target site by exploiting an administrator’s session.”
Veenstra posted a warning on WordFence and revealed that a malicious JavaScript dropped into compromised websites looks to “create a new user with administrator privileges on the victim’s site.” He further explained that if a logged-in admin views the infected page, the script goes on to make an AJAX call via jQuery.
He warned: “This AJAX call creates a user named wpservices with the email wpservices@yandex.com and the password w0rdpr3ss. With this user in place, the attacker is free to install further backdoors or perform other malicious activity.”
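As an added example (not code from WordFence or from this article's sources), the check below audits a WordPress user export for the account described above. It assumes the export has the shape of `wp user list --format=json` output; the sample users and the list of expected administrators are constructed, and the comparison against expected administrators goes beyond the article so that a renamed account is still caught.

```python
import json

# Indicators quoted in the article (Veenstra's warning).
IOC_LOGIN = "wpservices"
IOC_EMAIL = "wpservices@yandex.com"

# Constructed sample, shaped like `wp user list --format=json` output.
SAMPLE_EXPORT = """[
 {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.org", "roles": "administrator"},
 {"ID": 7, "user_login": "editor-amy", "user_email": "amy@example.org", "roles": "editor"},
 {"ID": 42, "user_login": "WPServices", "user_email": "wpservices@yandex.com", "roles": "administrator"},
 {"ID": 43, "user_login": "helpdesk", "user_email": "helpdesk@example.net", "roles": "administrator"}
]"""


def audit_users(export_json, expected_admins):
    """Return (ID, login, reasons) for every account that needs review.

    expected_admins is an assumption of this example: the logins the site
    owner knows should hold the administrator role.
    """
    expected = {name.lower() for name in expected_admins}
    findings = []
    for user in json.loads(export_json):
        # Compare case-insensitively so "WPServices" does not slip through.
        login = str(user.get("user_login", "")).strip().lower()
        email = str(user.get("user_email", "")).strip().lower()
        roles = {r.strip() for r in str(user.get("roles", "")).split(",")}
        reasons = []
        if login == IOC_LOGIN:
            reasons.append("login matches campaign account")
        if email == IOC_EMAIL:
            reasons.append("email matches campaign account")
        # Catches a renamed account that still has administrator privileges.
        if "administrator" in roles and login not in expected:
            reasons.append("administrator not on expected list")
        if reasons:
            findings.append((user.get("ID"), user.get("user_login"), reasons))
    return findings


if __name__ == "__main__":
    for uid, login, reasons in audit_users(SAMPLE_EXPORT, ["siteowner"]):
        print(f"review user {uid} ({login}): {'; '.join(reasons)}")
```
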
Veenstra identified some of the plugins that are currently under attack, including Bold Page Builder, Blog Designer, Live Chat with Facebook Messenger, Yuzo Related Posts, Visual CSS Style Editor, WP Live Chat Support, Form Lightbox, Hybrid Composer, and all former NicDark plugins (nd-booking, nd-travel, nd-learning).
On mitigating the issue, ethical hacker John Opdenakker remarked: “it’s certainly a good idea to use a web application firewall to help block cross-site scripting (XSS) attacks.”