At least 30 WordPress plugins are actively being exploited by a pair of similar trojans that put a backdoor on websites and redirect traffic to malware infected sites.
If you publish a website using WordPress as your platform, right now would be a good time to go to the back end and see if any of your installed plugins need updating. If there are any, you might want to click on the “update now” button.
Why? Because the Russia-based security company Doctor Web announced on Friday that it’s discovered malware that exploits 30 vulnerabilities in a number of plugins and themes available for WordPress, the content management system that W3Techs says drives 43.2% of the world’s websites. It’s important that website owners catch this one early, since it’s a pretty nasty exploit that can put all of your site’s visitors at risk.
The affected plugins include official WordPress plugins, popular chat plugins, and WooCommerce.
“If sites use outdated versions of such add-ons lacking crucial fixes, the targeted webpages are injected with malicious JavaScripts,” Doctor Web said. “As a result, when users click on any area of an attacked page, they are redirected to other sites.”
According to Doctor Web, the malware is being delivered by two similar trojans.
The first, which the company is calling Linux.BackDoor.WordPressExploit.1, targets 32-bit versions of Linux, but can also run on 64-bit versions. The exploit is a backdoor that can be remotely controlled to attack a specified web page or website, switch to standby mode, shut itself down, or pause logging its actions.
“The main functionality of the trojan is to hack websites based on a WordPress CMS and inject a malicious script into their web pages. To do so, it uses known vulnerabilities in WordPress plugins and website themes. Before attacking, the trojan contacts its C&C (command and control) server and receives the address of the site it is to infect. Next, [it] successively tries exploiting vulnerabilities in … outdated plugins and themes that can be installed on a website.
“If one or more vulnerabilities are successfully exploited, the targeted page is injected with a malicious JavaScript that is downloaded from a remote server. With that, the injection is done in such a way that when the infected page is loaded, this JavaScript will be initiated first—regardless of the original contents of the page. At this point, whenever users click anywhere on the infected page, they will be transferred to the website the attackers need users to go to.”
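The quoted description gives a defender something concrete to look for: a script that the page did not originally contain, loaded from a domain the site does not own and positioned so it runs before the page's own markup. The following is an added example, not code from the article or from Doctor Web, of a simple page check along those lines: it parses one HTML document, records every `<script>` element, and flags any script that loads from a domain outside a site-specific allowlist or that appears before the document's own `<html>` element. The sample HTML, the allowlist and the `.invalid` domains are constructed for the example.

```python
"""Added example: flag <script> elements that a WordPress page should not carry.
Not part of the original article; sample HTML and domains are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse


class ScriptCollector(HTMLParser):
    """Records each <script> tag and whether it precedes the <html> element."""

    def __init__(self):
        super().__init__()
        self.scripts = []        # one dict per <script>: {"src": ..., "before_html": ...}
        self.seen_html = False   # becomes True once <html> has been seen
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "html":
            self.seen_html = True
        elif tag == "script":
            self._current = {"src": dict(attrs).get("src"),
                             "before_html": not self.seen_html}

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def find_suspicious_scripts(html, allowed_domains):
    """Return the scripts that load from a non-allowlisted domain or sit before <html>."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    findings = []
    for script in parser.scripts:
        reasons = []
        # Relative sources (the site's own files) have no hostname and pass the domain check.
        domain = urlparse(script["src"]).hostname if script["src"] else None
        if script["before_html"]:
            reasons.append("script placed before the <html> element")
        if domain and domain not in allowed_domains:
            reasons.append(f"loads from non-allowlisted domain {domain}")
        if reasons:
            findings.append({"src": script["src"], "reasons": reasons})
    return findings


# Constructed sample page: one injected loader ahead of the doctype, one local
# script, and one script from a domain the (hypothetical) site operator allows.
SAMPLE_HTML = """<script src="https://static.untrusted-example.invalid/loader.js"></script>
<!DOCTYPE html>
<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.site-example.invalid/theme.js"></script>
</head><body><p>Hello</p></body></html>"""

# Constructed allowlist: the domains this site is expected to load scripts from.
ALLOWED_DOMAINS = {"cdn.site-example.invalid"}

if __name__ == "__main__":
    for finding in find_suspicious_scripts(SAMPLE_HTML, ALLOWED_DOMAINS):
        print(finding["src"], "->", "; ".join(finding["reasons"]))
```

In practice the HTML would come from fetching the site's own front page (and a few deep pages, since the injection targets specific pages) with a plain HTTP client and comparing the result against a known-good copy; the allowlist should contain only the CDN and analytics domains the site deliberately uses.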
The company identifies 19 WordPress plugins that are being exploited by the malware:
- WP Live Chat Support Plugin
- WordPress – Yuzo Related Posts
- Yellow Pencil Visual Theme Customizer Plugin
- Easysmtp
- WP GDPR Compliance Plugin
- Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972)
- Thim Core
- Google Code Inserter
- Total Donations Plugin
- Post Custom Templates Lite
- WP Quick Booking Manager
- Facebook Live Chat by Zotabox
- Blog Designer WordPress Plugin
- WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233)
- WP-Matomo Integration (WP-Piwik)
- WordPress ND Shortcodes For Visual Composer
- WP Live Chat
- Coming Soon Page and Maintenance Mode
- Hybrid
Doctor Web calls the second trojan Linux.BackDoor.WordPressExploit.2.
“It differs from the original one by the C&C server address, the address of the domain from which the malicious JavaScript is downloaded, and also by an additional list of exploited vulnerabilities,” the company said.
So far, this second exploit is known to affect 11 WordPress plugins:
- Brizy WordPress Plugin
- FV Flowplayer Video Player
- WooCommerce
- WordPress Coming Soon Page
- WordPress theme OneTone
- Simple Fields WordPress Plugin
- WordPress Delucks SEO plugin
- Poll, Survey, Form & Quiz Maker by OpinionStage
- Social Metrics Tracker
- WPeMatico RSS Feed Fetcher
- Rich Reviews plugin
Administrators of WordPress websites should definitely check their installed plugins against these lists, but more importantly, should make sure that all of the plugins being run are up to date. In our experience, whenever an exploit is in progress, lists such as these are usually incomplete, because some plugins are likely also being exploited but have so far stayed under the radar.
It’s also a good idea to delete any unused plugins from your server.
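The three checks recommended above (compare installed plugins against the reported names, find plugins with pending updates, and find inactive plugins that can be deleted) can be run from one inventory. The following is an added example, not code from the article or from Doctor Web, that takes the JSON produced by WP-CLI's `wp plugin list --format=json` on the server and triages it against the plugin names given in the article. WP-CLI reports plugin slugs rather than display names, so the matching is token-based: a slug matches a reported entry when all of its meaningful words appear in that entry. The inventory, version numbers and the slug-to-name matching rule are constructed for the example.

```python
"""Added example: triage a WordPress plugin inventory against the plugins named
in the Doctor Web report. Not part of the original article; the sample inventory
is constructed and stands in for real `wp plugin list --format=json` output."""
import json
import re

# Plugin and theme names from the article, both trojans' lists combined.
REPORTED_PLUGINS = [
    "WP Live Chat Support Plugin", "WordPress – Yuzo Related Posts",
    "Yellow Pencil Visual Theme Customizer Plugin", "Easysmtp",
    "WP GDPR Compliance Plugin", "Newspaper Theme on WordPress Access Control",
    "Thim Core", "Google Code Inserter", "Total Donations Plugin",
    "Post Custom Templates Lite", "WP Quick Booking Manager",
    "Facebook Live Chat by Zotabox", "Blog Designer WordPress Plugin",
    "WordPress Ultimate FAQ", "WP-Matomo Integration (WP-Piwik)",
    "WordPress ND Shortcodes For Visual Composer", "WP Live Chat",
    "Coming Soon Page and Maintenance Mode", "Hybrid",
    "Brizy WordPress Plugin", "FV Flowplayer Video Player", "WooCommerce",
    "WordPress Coming Soon Page", "WordPress theme OneTone",
    "Simple Fields WordPress Plugin", "WordPress Delucks SEO plugin",
    "Poll, Survey, Form & Quiz Maker by OpinionStage", "Social Metrics Tracker",
    "WPeMatico RSS Feed Fetcher", "Rich Reviews plugin",
]

# Words that carry no identifying information and are ignored when matching.
GENERIC_TOKENS = {"wordpress", "wp", "plugin", "theme", "the", "for", "by", "on", "and"}


def tokens(name):
    """Lower-case alphanumeric words of a name or slug, minus generic filler."""
    return {t for t in re.findall(r"[a-z0-9]+", name.lower()) if t not in GENERIC_TOKENS}


REPORTED_TOKENS = [(name, tokens(name)) for name in REPORTED_PLUGINS]


def match_reported(slug):
    """Return the reported name whose words cover every word of the slug, or None."""
    slug_tokens = tokens(slug)
    if not slug_tokens:
        return None
    for name, reported in REPORTED_TOKENS:
        if slug_tokens <= reported:
            return name
    return None


def triage(inventory_json):
    """Flag each plugin that is named in the report, has an update pending, or is inactive."""
    findings = []
    for plugin in json.loads(inventory_json):
        reasons = []
        matched = match_reported(plugin["name"])
        if matched:
            reasons.append(f"named in the Doctor Web report as '{matched}'")
        if plugin.get("update") == "available":
            reasons.append(f"update available ({plugin['version']} -> "
                           f"{plugin.get('update_version', '?')})")
        if plugin.get("status") == "inactive":
            reasons.append("inactive: delete it if it is not needed")
        if reasons:
            findings.append({"name": plugin["name"], "reasons": reasons})
    return findings


# Constructed sample in the shape of `wp plugin list --format=json`; the
# version strings are placeholders, not real release numbers.
SAMPLE_INVENTORY = json.dumps([
    {"name": "wp-live-chat-support", "status": "active", "update": "available",
     "version": "1.0.0", "update_version": "1.0.1"},
    {"name": "woocommerce", "status": "active", "update": "none", "version": "1.0.0"},
    {"name": "akismet", "status": "inactive", "update": "none", "version": "1.0.0"},
    {"name": "classic-editor", "status": "active", "update": "none", "version": "1.0.0"},
])

if __name__ == "__main__":
    for finding in triage(SAMPLE_INVENTORY):
        print(finding["name"], "->", "; ".join(finding["reasons"]))
```

On a real server the input would be produced with `wp plugin list --format=json` (run as the site's own user), and the follow-up actions are `wp plugin update --all` and `wp plugin delete <slug>` for the inactive ones. Because the article itself notes that such lists are usually incomplete, the update-available and inactive checks matter more than the name match.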
Although the company reporting the vulnerability is headquartered in Russia, a country being sanctioned by the U.S., the EU, and others, FOSS Force has found no reason to doubt the veracity of the company’s reported findings, which are also being reported by other tech news sites, including Bleeping Computer, Ars Technica, and Dark Reading.