Crooks controlling a network of over 20,000 already-infected WordPress installations are using these sites to launch attacks on other WordPress sites, ZDNet has learned from WordPress security firm Defiant.
The company, which manages and publishes the Wordfence plugin, a firewall system for WordPress sites, says it detected over five million login attempts in the last month from already-infected sites against other, clean WordPress portals. The attacks are what security experts call “dictionary attacks.”
Read more about the WordPress attack campaign on ZDNet.
If you’re one of the 100,000+ users of AMP for WP, good news – the popular plugin for implementing Accelerated Mobile Pages returned to WordPress.org last week. AMP is a Google technology through which users of publishing partners such as WordPress can create pages that will load faster on mobile devices. Doing that requires a plugin, which is where AMP for WP comes in.
The plugin’s hiatus, which began when it abruptly disappeared on 21 October, was starting to look a little unusual. According to a note from the developer, the reason for the disappearance was an ominous-sounding security flaw that “could be exploited by non-admins of the site.”
Read more about the security flaw affecting AMP for WP on NakedSecurity.
A critical security flaw affecting a GDPR compliance plugin for WordPress has been exploited in the wild to take control of vulnerable websites, users have been warned. The WordPress GDPR Compliance plugin, which has over 100,000 active installations, is designed to help the administrators of websites become compliant with the EU’s General Data Protection Regulation (GDPR).
Malicious hackers discovered recently that the plugin is affected by some flaws that can be exploited to hijack vulnerable websites. According to researchers in Defiant’s Wordfence team, the vulnerabilities can be exploited by unauthenticated attackers to obtain privileged access to targeted websites.
Read more about the vulnerabilities of the plugin on SecurityWeek.
According to new research by Simon Scannell, a researcher at the PHP security firm RIPS Tech, a design flaw in the WordPress permission system used by plugins, combined with a file deletion vulnerability in the very popular eCommerce plugin WooCommerce, could allow attackers to gain full control over a WordPress site.
WooCommerce by Automattic is a popular WordPress plugin that adds eCommerce functionality to a blog so that site owners can host their own stores. According to the WooCommerce plugin page at WordPress.org, there are over 4 million active installations of the plugin.
Researchers are warning that attackers are abusing a vulnerability in outdated versions of Duplicator, a WordPress migration plugin, still in use on many sites, allowing them to execute code remotely. All Duplicator versions earlier than 1.2.42 are vulnerable to the attack. The plugin facilitates the migration of a WordPress site by allowing it to be duplicated.
“WordPress Duplicator does not remove sensitive files after the restoration process,” wrote researchers at Synacktiv (PDF) last month. As a consequence, “an attacker could abuse these scripts to execute arbitrary code on the server and take it over.”
Read more about the WordPress plugin vulnerability on Threatpost.
This Sunday has started with a bang. Google has blacklisted over 11,000 domains in connection with the latest malware campaign from SoakSoak.ru.
Sucuri’s analysis shows impacts on the order of hundreds of thousands of WordPress-specific websites. The firm cannot yet confirm the exact infection vector, but preliminary analysis shows a correlation with the Revslider vulnerability Sucuri reported a few months back.
Read more about the SoakSoak.ru malware hitting WordPress sites the world over on Sucuri.
A whopping 86% of WordPress sites may have been vulnerable to a newly discovered, critical cross-site scripting (XSS) flaw which went unreported for over four years, according to security researchers. Finnish firm Klikki Oy found the vulnerability in version 3.0 of the popular blogging software, which was released in 2010. Although version 4 is not affected by the flaw, most users – tens of millions in fact – are still on the older software platform.
The vulnerability could be used for WordPress “administrative operations”, including taking over the site by creating a new admin account and changing the current account password, and then executing malicious PHP code on the server. Although the flaw could be the worst for the blogging giant in five years, Klikki Oy said it had been working with the firm since 26 September, and last week WordPress released official patches to deal with the issue.
These come in the form of automatic updates, so most users should be protected by default. Read more about the critical flaw in the world’s most popular CMS on InfoSecurity Magazine.
Thousands of backdoored plugins and themes for popular content management systems (CMS) are being leveraged by a threat group to abuse Web servers on a large scale. The Netherlands-based security firm Fox-IT has published a whitepaper detailing the threat dubbed “CryptoPHP.” Researchers have uncovered malicious themes and plugins for WordPress, Drupal and Joomla. In the case of Drupal, only themes have been found to contain the CryptoPHP backdoor.
The attackers often trick website administrators into installing the backdoor by offering them pirated versions of premium themes and plugins. The malicious software is being distributed via various themes and plugins websites, such as Daily Nulled or Nulled Style. Fox-IT estimates that thousands of websites are affected.
Once it’s installed on a Web server, the malware can be controlled by cybercriminals manually, or through command and control (C&C) and email communications. According to Fox-IT, cybercriminals have been using the backdoor for black hat search engine optimization (SEO). CryptoPHP injects links and text into webpages hosted on the compromised server to generate backlinks.
Read more about how backdoored CMS plugins are used by cybercriminals to gain entry into websites on Security Week.
While attacks exploiting vulnerabilities in commonly used content management systems are a real threat to website owners who do not keep up with updates, a new threat instead social-engineers website owners into unknowingly installing a backdoor on their own webservers.
The threat, dubbed CryptoPHP by Fox-IT’s Security Research, uses backdoored Joomla, WordPress and Drupal themes and plug-ins to compromise webservers on a large scale. From there, operators abuse the backdoor for illegal search engine optimization, also known as black hat SEO.
Black hat SEO is a set of techniques and tactics that aim to maximize search engine rankings through non-human interaction with the pages, in violation of search engine guidelines. These include keyword stuffing, invisible text, doorway pages, adding unrelated keywords to the page content, and page swapping (changing the webpage entirely after it has been ranked by search engines).
“By publishing pirated themes and plug-ins free for anyone to use instead of having to pay for them, the CryptoPHP actor is social-engineering site administrators into installing the included backdoor on their server,” Fox-IT said in its analysis on the attack.
Read more about CryptoPHP, the latest threat to Joomla, WordPress and Drupal CMS installations and their plugins, on Info Security.