
Experts uncovered a hacking campaign targeting several WordPress Plugins

Researchers at Wordfence reported an ongoing hacking campaign exploiting security flaws in some WordPress plugins.

Researchers from Wordfence uncovered an ongoing hacking campaign exploiting security vulnerabilities in some WordPress plugins to redirect visitors to websites under the control of the attackers.

The campaign specifically targeted flaws in WordPress plugins developed by NicDark (now renamed “Endreww”), such as the plugin Simple 301 Redirects – Addon – Bulk Uploader.

All the WordPress plugins targeted in this campaign have updates available addressing the vulnerabilities.

“The vulnerabilities recently patched in plugins developed by NicDark are all exploited by very similar AJAX requests.” reads the post published by Wordfence. “In each case the plugin registers a nopriv_ AJAX action, which is accessible even by unauthenticated visitors, responsible for importing various WordPress settings. In these requests, key->value pairs of WordPress options and values are parsed out and applied directly to the affected site’s database.”

The flaws could be exploited by attackers to modify arbitrary WordPress options, for example to enable registration as an Administrator user. The attackers behind this campaign modified the ‘siteurl’ and ‘home’ settings of the targeted websites to redirect visitors to websites under their control.
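The pattern Wordfence describes, an unauthenticated “nopriv” AJAX importer that writes whatever key->value pairs it receives straight into wp_options, is easy to recognise in code once you have seen it next to a safe version. The following is an added example, not NicDark’s code or Wordfence’s: the action names, function names and option allowlist are assumptions for illustration.

```php
<?php
/*
 * Added example (not code from any of the affected plugins): the unsafe
 * importer pattern described in the article, followed by a hardened version.
 * Action names, function names and the option allowlist are assumptions.
 */

// --- Vulnerable pattern: reachable by any visitor, no capability check, no allowlist ---
// 'wp_ajax_nopriv_*' hooks run for requests that carry no authenticated session.
add_action( 'wp_ajax_nopriv_example_import_settings', 'example_import_settings_unsafe' );
function example_import_settings_unsafe() {
    // Every key->value pair in the request is written straight to wp_options,
    // so a visitor can overwrite 'siteurl', 'home', 'users_can_register', ...
    foreach ( (array) $_POST['options'] as $key => $value ) {
        update_option( $key, $value );
    }
    wp_die();
}

// --- Hardened version ---
// Registered only for logged-in users; there is no 'wp_ajax_nopriv_' hook at all.
add_action( 'wp_ajax_example_import_settings', 'example_import_settings_safe' );
function example_import_settings_safe() {
    // 1. The request must carry a valid nonce for this action (CSRF protection).
    check_ajax_referer( 'example_import_settings', 'nonce' );

    // 2. The caller must hold the capability needed to change site settings.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }

    // 3. Only the plugin's own options may be written; core options such as
    //    'siteurl' and 'home' are never reachable through this endpoint.
    $allowed  = array( 'example_plugin_color', 'example_plugin_layout' );
    $incoming = ( isset( $_POST['options'] ) && is_array( $_POST['options'] ) )
        ? wp_unslash( $_POST['options'] )
        : array();

    $written = array();
    foreach ( $incoming as $key => $value ) {
        $key = sanitize_key( $key );
        if ( ! in_array( $key, $allowed, true ) ) {
            continue; // drop anything outside the allowlist
        }
        update_option( $key, sanitize_text_field( $value ) );
        $written[] = $key;
    }
    wp_send_json_success( array( 'updated' => $written ) );
}
```

When reviewing a plugin, grep for `wp_ajax_nopriv_` registrations and check each handler for three things in this order: a nonce check, a capability check, and an allowlist of the option names it is permitted to write. A handler that calls `update_option()` with a key taken from the request is the defect the article describes, whatever else it validates.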

NicDark recently addressed a vulnerability in Simple 301 Redirects – Addon – Bulk Uploader that allowed unauthenticated attackers to inject their own 301 redirect rules into a victim’s site.

Experts explained that vulnerable versions of the plugin constantly listened for the presence of the POST body parameter ‘submit_bulk_301’. The presence of that parameter alone caused an uploaded CSV file to be processed and used to import a bulk set of site paths and their redirect destinations.
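The failure mode here is a handler that treats the mere presence of a form parameter as authorization. The following is an added example, not the add-on’s own code, of how such a bulk CSV import can be written so that the trigger parameter is never enough on its own; the function names, the option that stores the rules, the nonce action and the host allowlist policy are all assumptions.

```php
<?php
/*
 * Added example (not the Simple 301 Redirects add-on's code): a hardened
 * handler for a CSV bulk import of redirect rules. Function names, the
 * 'example_301_redirects' option and the nonce action are assumptions.
 */
add_action( 'admin_init', 'example_handle_bulk_301_upload' );
function example_handle_bulk_301_upload() {
    // The trigger parameter only tells us which form was submitted...
    if ( ! isset( $_POST['submit_bulk_301'] ) ) {
        return;
    }
    // ...authorization is decided by capability and nonce, never by the parameter.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'Insufficient privileges', '', array( 'response' => 403 ) );
    }
    check_admin_referer( 'example_bulk_301', 'example_bulk_301_nonce' );

    if ( empty( $_FILES['csv']['tmp_name'] ) || ! is_uploaded_file( $_FILES['csv']['tmp_name'] ) ) {
        return;
    }
    $rules = example_parse_redirect_csv( $_FILES['csv']['tmp_name'] );
    if ( ! empty( $rules ) ) {
        $existing = get_option( 'example_301_redirects', array() );
        update_option( 'example_301_redirects', array_merge( $existing, $rules ) );
    }
}

// Parse "source_path,destination" rows and keep only rules that are safe to
// install: a site-relative source path and a destination that is either a
// site-relative path or an http(s) URL on an allowlisted host.
function example_parse_redirect_csv( $path ) {
    // Policy choice (assumption): only this site's host may be a redirect target.
    $allowed_hosts = array( wp_parse_url( home_url(), PHP_URL_HOST ) );
    $rules = array();
    $fh = fopen( $path, 'r' );
    if ( ! $fh ) {
        return $rules;
    }
    while ( ( $row = fgetcsv( $fh ) ) !== false ) {
        if ( count( $row ) < 2 ) {
            continue;
        }
        $source = trim( $row[0] );
        $dest   = trim( $row[1] );

        // Source must be a site-relative path, never a full or protocol-relative URL.
        if ( $source === '' || $source[0] !== '/' || strpos( $source, '//' ) === 0 ) {
            continue;
        }

        if ( $dest !== '' && $dest[0] === '/' && strpos( $dest, '//' ) !== 0 ) {
            // Relative destination on this site: accept as-is.
            $rules[ $source ] = $dest;
            continue;
        }

        // Absolute destination: must be http(s) (esc_url_raw drops other schemes)
        // and must point at an allowlisted host.
        $dest = esc_url_raw( $dest, array( 'http', 'https' ) );
        if ( $dest === '' ) {
            continue;
        }
        if ( ! in_array( wp_parse_url( $dest, PHP_URL_HOST ), $allowed_hosts, true ) ) {
            continue;
        }
        $rules[ $source ] = $dest;
    }
    fclose( $fh );
    return $rules;
}
```

Restricting destinations to the site’s own host is a policy decision; a plugin that must support off-site redirects would instead keep an explicit, administrator-managed list of permitted hosts. The point that does not change is that the import runs only after the capability and nonce checks, and that every row is validated before it becomes a rule.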

The campaign began on July 31. Other attacks targeted the following WordPress plugins:

Attackers used several domains to perform these script injections and redirects; the domains rotated with some frequency, and new ones were added every few days. The WordPress plugin repository team quickly removed the other WordPress plugins developed by NicDark from the repository. Threat actors noticed that all of these plugins suffered from similar flaws and began to target them.
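Because the observed payload was a change to the ‘siteurl’ and ‘home’ options, a site owner can detect, and in most cases block, this class of attack independently of any one plugin. The following is an added example of a must-use plugin that does so; it is not code from Wordfence or NicDark. The hook names are real WordPress hooks, while the log format and the decision to block rather than only alert are assumptions.

```php
<?php
/*
 * Added example (mu-plugin, not code from the article's subjects): log every
 * attempted change to 'siteurl' and 'home' and cancel it unless it comes from
 * an authenticated administrator. Drop it into wp-content/mu-plugins/.
 * The log line format and the block-vs-alert policy are assumptions.
 */
foreach ( array( 'siteurl', 'home' ) as $option ) {
    // pre_update_option_{$option} runs before the value is written and lets the
    // filter substitute the old value, which makes update_option() a no-op.
    add_filter( "pre_update_option_{$option}", 'example_guard_url_option', 10, 3 );
}

function example_guard_url_option( $new_value, $old_value, $option ) {
    if ( $new_value === $old_value ) {
        return $new_value;
    }
    // An unauthenticated request (for example via a 'nopriv' AJAX action) has
    // user id 0 and no capabilities, so it is always blocked here.
    $user_id = get_current_user_id();
    $allowed = $user_id && current_user_can( 'manage_options' );

    error_log( sprintf(
        'option_guard: %s change attempt old=%s new=%s user=%d ip=%s uri=%s result=%s',
        $option,
        $old_value,
        $new_value,
        $user_id,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-',
        isset( $_SERVER['REQUEST_URI'] ) ? $_SERVER['REQUEST_URI'] : '-',
        $allowed ? 'ALLOWED' : 'BLOCKED'
    ) );

    // Returning the old value cancels the write for this request.
    return $allowed ? $new_value : $old_value;
}
```

This guard only sees writes that go through `update_option()`; a direct SQL write or a WP-CLI change bypasses it, so the log lines should feed whatever monitoring already watches the site, and the two values should also be compared against the expected hostname on a schedule. A stronger mitigation is to pin both values in wp-config.php with `define( 'WP_HOME', ... )` and `define( 'WP_SITEURL', ... )`, which WordPress uses in preference to the database rows.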

“An active campaign is targeting a number of vulnerabilities in attempts to redirect victim sites’ visitors to potentially harmful destinations. The vulnerabilities in question have all been patched by their developers, so ensure all of your WordPress plugins are up to date.” concludes Wordfence.


Pierluigi Paganini

(SecurityAffairs – WordPress plugins, hacking)


Pierluigi Paganini is member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and Cyber G7 Group, he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years experience in the field, he is Certified Ethical Hacker at EC Council in London. The passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to find the security blog "Security Affairs" recently named a Top National Security Resource for US. Pierluigi is a member of the "The Hacker News" team and he is a writer for some major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and for many other Security magazines. Author of the Books "The Deep Dark Web" and “Digital Virtual Currency and Bitcoin”.
