Vulnerabilities in numerous WordPress plugins are being exploited to reroute site visitors to criminal websites, researchers find.
In a blog post, the Threat Intelligence team at Wordfence shares details about a redirect campaign that is actively “targeting a selection of new and old WordPress plugin vulnerabilities. These attacks seek to maliciously redirect traffic from victims’ sites to a number of potentially harmful locations.”
Researchers found that the malicious campaign specifically targeted plugins developed by NicDark, such as Simple 301 Redirects – Addon – Bulk Uploader.
“The vulnerabilities recently patched in plugins developed by NicDark are all exploited by very similar AJAX requests,” reads the post. “In each case the plugin registers a nopriv_ AJAX action, which is accessible even by unauthenticated visitors, responsible for importing various WordPress settings. In these requests, key->value pairs of WordPress options and values are parsed out and applied directly to the affected site’s database.”
Moreover, the vulnerabilities could allow attackers to “modify arbitrary WordPress options,” for example, to enable registration as an Administrator user.
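The handler pattern the post describes, and the hardened shape a plugin author should use instead, as an added example (hypothetical plugin code, not NicDark's or Wordfence's; the action names, nonce name and option allowlist are assumptions):

```php
<?php
// Added example, not code from the plugins discussed above. The action name
// "myplugin_import_settings", the nonce name and the allowlist are assumptions.

// RISKY: hooked on wp_ajax_nopriv_, so any unauthenticated visitor can reach it;
// no nonce, no capability check, and every submitted key is written straight
// into wp_options. This is the shape the Wordfence post describes.
add_action( 'wp_ajax_nopriv_myplugin_import_settings', 'myplugin_import_settings_unsafe' );
function myplugin_import_settings_unsafe() {
    $pairs = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    foreach ( $pairs as $key => $value ) {
        update_option( $key, $value ); // arbitrary option, e.g. users_can_register
    }
    wp_send_json_success();
}

// HARDENED: authenticated hook only (no nopriv registration), nonce and
// capability checks, and only this plugin's own options may be written.
const MYPLUGIN_ALLOWED_OPTIONS = array( 'myplugin_color', 'myplugin_layout' );

add_action( 'wp_ajax_myplugin_import_settings', 'myplugin_import_settings_safe' );
function myplugin_import_settings_safe() {
    check_ajax_referer( 'myplugin_import', 'nonce' );   // rejects forged/CSRF requests
    if ( ! current_user_can( 'manage_options' ) ) {     // administrators only
        wp_send_json_error( 'forbidden', 403 );
    }
    $pairs   = isset( $_POST['settings'] ) ? (array) $_POST['settings'] : array();
    $applied = array();
    foreach ( $pairs as $key => $value ) {
        $key = sanitize_key( $key );
        if ( ! in_array( $key, MYPLUGIN_ALLOWED_OPTIONS, true ) ) {
            continue; // drop siteurl, home, default_role, users_can_register, etc.
        }
        update_option( $key, sanitize_text_field( wp_unslash( $value ) ) );
        $applied[] = $key;
    }
    wp_send_json_success( array( 'applied' => $applied ) );
}
```

On a site you suspect was hit, compare the current values of siteurl, home, users_can_register and default_role in wp_options against what you expect, since those are the options an arbitrary-option write would most usefully change.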
The campaign began on July 31. Other attacks targeted the following WordPress plugins:
- Woocommerce User Email Verification
- Yellow Pencil Visual Theme Customizer
- Coming Soon and Maintenance Mode
- Blog Designer
Other indicators of compromise include:
Below are the top 20 IP addresses associated with the campaign — “addresses listed in bold text appear in the list of IPs Attacking Most Sites.”
WordPress has since removed other plugins developed by NicDark.