At least 30 WordPress plugins are actively being exploited by a pair of similar trojans that put a backdoor on websites and redirect traffic to malware-infected sites.
If you publish a website using WordPress as your platform, right now would be a good time to go to the back end and see if any of your installed plugins need updating. If there are any, you might want to click on the “update now” button.
Why? Because the Russia-based security company Doctor Web announced on Friday that it has discovered malware that exploits 30 vulnerabilities in a number of plugins and themes available for WordPress, the content management system that W3Techs says drives 43.2% of the world’s websites. It’s important that website owners catch this one early, since it’s a pretty nasty exploit that can put all of your site’s visitors at risk.
Affected are official WordPress, popular chat, and WooCommerce plugins.
According to Doctor Web, the malware is being delivered by two similar trojans.
The first, which the company is calling Linux.BackDoor.WordPressExploit.1, targets 32-bit versions of Linux, but can also run on 64-bit versions. The exploit is a backdoor that can be remotely controlled to attack a specified web page or website, switch to standby mode, shut itself down, or pause logging its actions.
“The main functionality of the trojan is to hack websites based on a WordPress CMS and inject a malicious script into their web pages. To do so, it uses known vulnerabilities in WordPress plugins and website themes. Before attacking, the trojan contacts its C&C (command and control) server and receives the address of the site it is to infect. Next, [it] successively tries exploiting vulnerabilities in … outdated plugins and themes that can be installed on a website.”
The company identifies 19 WordPress plugins that are being exploited by the malware:
- WP Live Chat Support Plugin
- WordPress – Yuzo Related Posts
- Yellow Pencil Visual Theme Customizer Plugin
- WP GDPR Compliance Plugin
- Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972)
- Thim Core
- Google Code Inserter
- Total Donations Plugin
- Post Custom Templates Lite
- WP Quick Booking Manager
- Facebook Live Chat by Zotabox
- Blog Designer WordPress Plugin
- WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233)
- WP-Matomo Integration (WP-Piwik)
- WordPress ND Shortcodes For Visual Composer
- WP Live Chat
- Coming Soon Page and Maintenance Mode
Doctor Web calls the second trojan Linux.BackDoor.WordPressExploit.2.
So far, this second exploit is known to affect 11 WordPress plugins:
- Brizy WordPress Plugin
- FV Flowplayer Video Player
- WordPress Coming Soon Page
- WordPress theme OneTone
- Simple Fields WordPress Plugin
- WordPress Delucks SEO plugin
- Poll, Survey, Form & Quiz Maker by OpinionStage
- Social Metrics Tracker
- WPeMatico RSS Feed Fetcher
- Rich Reviews plugin
Administrators of WordPress websites should definitely check their installed plugins against these lists, but more importantly, should make sure that all of the plugins being run are up-to-date. In our experience, whenever an exploit is in progress, lists such as these are usually incomplete, because some plugins are likely also being exploited but are so far under the radar.
It’s also a good idea to delete any unused plugins from your server.
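One way to run the check above, as an added example that is not from the article or from Doctor Web: a Python triage over the JSON that WP-CLI prints for `wp plugin list --fields=name,title,status,update --format=json`, flagging plugins whose title matches one of the plugin names listed in this article, plugins with a pending update, and inactive plugins that could be removed. The sample input is constructed, the matching is a normalized substring comparison on titles (so a hit is a prompt to verify, not a confirmation), and the two themes in the article (Newspaper, OneTone) are left out because `wp plugin list` does not cover themes.

```python
import json
import re

# Plugin names from the two lists in the article (display titles, not slugs).
AFFECTED_TITLES = [
    "WP Live Chat Support", "Yuzo Related Posts", "Yellow Pencil Visual Theme Customizer",
    "WP GDPR Compliance", "Thim Core", "Google Code Inserter", "Total Donations",
    "Post Custom Templates Lite", "WP Quick Booking Manager", "Facebook Live Chat by Zotabox",
    "Blog Designer", "Ultimate FAQ", "WP-Matomo", "ND Shortcodes", "WP Live Chat",
    "Coming Soon Page", "Brizy", "FV Flowplayer", "Simple Fields", "Delucks SEO",
    "Poll, Survey, Form & Quiz Maker", "Social Metrics Tracker", "WPeMatico", "Rich Reviews",
]


def _norm(text):
    """Lower-case and collapse punctuation so 'WP-Matomo' and 'WP Matomo' compare equal."""
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


def triage(plugin_list_json):
    """Return {plugin slug: [findings]} for every plugin that needs a closer look.

    plugin_list_json is the text printed by:
      wp plugin list --fields=name,title,status,update --format=json
    """
    findings = {}
    for plugin in json.loads(plugin_list_json):
        issues = []
        title = _norm(plugin.get("title", "")) or _norm(plugin["name"])
        hits = [t for t in AFFECTED_TITLES if _norm(t) in title]
        if hits:
            issues.append("named in Doctor Web list: " + hits[0])
        if plugin.get("update") == "available":          # WP-CLI reports "none" or "available"
            issues.append("update available")
        if plugin.get("status") == "inactive":            # unused plugin: candidate for removal
            issues.append("inactive; consider removing")
        if issues:
            findings[plugin["name"]] = issues
    return findings


# Constructed sample of what `wp plugin list` might print; not real site data.
SAMPLE = json.dumps([
    {"name": "wp-live-chat-support", "title": "WP Live Chat Support", "status": "active", "update": "available"},
    {"name": "woocommerce", "title": "WooCommerce", "status": "active", "update": "none"},
    {"name": "hello", "title": "Hello Dolly", "status": "inactive", "update": "none"},
])

if __name__ == "__main__":
    for slug, issues in triage(SAMPLE).items():
        print(slug + ": " + "; ".join(issues))
```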
Although the company reporting the vulnerability is headquartered in Russia, a country being sanctioned by the U.S., the EU, and others, FOSS Force has found no reason to doubt the veracity of the company’s reported findings, which are also being reported by other tech news sites, including Bleeping Computer, Ars Technica, and Dark Reading.