Pierluigi Paganini February 29, 2020

Threat actors are launching a hacking campaign aimed at taking over tens of thousands of WordPress sites by exploiting critical vulnerabilities.

One of the issues exploited in the attacks is a zero-day vulnerability that affects several plugins and that could allow hackers to create admin accounts and take over the sites.

Researchers at NinTechNet reported an ongoing campaign, observed in the past hours, that is actively exploiting a zero-day flaw in the WordPress Flexible Checkout Fields for WooCommerce plugin.

The plugin has over 20,000 active installations, and its developers have already fixed the unauthenticated stored XSS bug that affects version 2.3.1 and below.

“The vulnerability has been actively exploited for the past hours and several users have been hacked. I’m not going to give too many details about this issue yet (although hackers already know about it), but, basically, because the plugin settings can be accessed by anybody, authenticated or not, hackers use it to inject new fields and scripts into the WooCommerce checkout page.” states the post published by the experts.

Unfortunately, other zero-day vulnerabilities were targeted by hackers in the past hours.

Experts at WordPress security firm Defiant reported three zero-day vulnerabilities in WordPress plugin under active exploitation.

The zero-day flaws are:

• a subscriber+ stored XSS affecting the Async JavaScript plugin that has over 100,000 installs.
• an unauthenticated stored XSS in the 10Web Map Builder for Google Maps plugin that has over 20,000 installs.
• multiple subscriber stored XSS in Modern Events Calendar Lite plugin that has over 40,000 installs.

“Early yesterday, the Flexible Checkout Fields for WooCommerce plugin received a critical update to patch a zero-day vulnerability which allowed attackers to modify the plugin’s settings.” reads the advisory published by WordFence. “As our Threat Intelligence team researched the scope of this attack campaign, we discovered three additional zero-day vulnerabilities in popular WordPress plugins that are being exploited as a part of this campaign. The targeted plugins were Async JavaScript, Modern Events Calendar Lite, and 10Web Map Builder for Google Maps. At this time, we have reached out to each plugin’s development team in hopes of getting these issues resolved quickly.”

The development teams behind the Async JavaScript and 10Web Map Builder for Google Maps have already issued security updates to address the zero-day flaws.

“This attack campaign exploits XSS vulnerabilities in the above plugins to inject malicious Javascript that can create rogue WordPress administrators and install malicious plugins that include backdoors,” continues WordFence. “It is important that site administrators using these plugins urgently take steps to mitigate these attacks.”

It is not a good period for administrators of WordPress sites, a few days ago experts warned of a new wave of attacks targeting a zero-day vulnerability in the popular Duplicator WordPress Plugin.

Recently the issues with other WordPress plugins made the headlines:

• Jan. 2020 – An authentication bypass vulnerability in the InfiniteWP plugin that could potentially impact by more than 300,000 sites.
• Jan. 2020 – Over 200K WordPress sites are exposed to attacks due to a high severity cross-site request forgery (CSRF) bug in Code Snippets plugin.
• Feb. 2020 – A serious flaw in the ThemeGrill Demo Importer WordPress theme plugin with over 200,000 active installs can be exploited to wipe sites and gain admin access to the site.
• Feb. 2020 – A stored cross-site vulnerability in the GDPR Cookie Consent plugin that could potentially impact 700K users.
• Feb. 2020 – A zero-day vulnerability in the ThemeREX Addons was actively exploited by hackers in the wild to create user accounts with admin permissions.

I believe it is very important to protect WordPress install with dedicated solutions, I’m currently using WordFence solution, the company provided with a license to evaluate the premium features.

Pierluigi Paganini

(SecurityAffairs – hacking, WordPress)

[adrotate banner=”5″]

[adrotate banner=”13″]