Attack campaign exploits 0day vulnerabilities in WordPress plugins

WordPress is by far the most popular website builder on the Internet. According to the most recent statistics, more than 35% of all websites run on versions of the WordPress CMS (content management system).

Due to its large number of active installations, WordPress has a massive attack surface. WordPress hacking attempts are a constant background noise in Internet traffic.

In the past few months, this background noise has been at levels lower than last year.

After a busy 2019, 2020 started on a calm note. The reason for this lull could be the winter holidays, which, as we have seen in previous years, often lead to a global slowdown in malware and hacking activities, as hackers also take a break.

Hackers Return From Vacation With New Feats

Over the past two weeks, we have witnessed an increase in attacks on WordPress sites, signaling the end of the period of relative calm in December and January.

Several cybersecurity companies specializing in WordPress security products – such as Wordfence, WebARX, and NinTechNet – have reported an ever-increasing number of attacks on WordPress sites.

All of the new attacks spotted last month have focused on exploiting bugs in WordPress plugins, rather than WordPress itself.

There have been numerous attacks targeting recently fixed plugin bugs, with hackers hoping to compromise sites before site administrators have had the opportunity to apply security fixes.

However, some of the attacks were also a little more sophisticated. Some attackers have also discovered and started exploiting 0day vulnerabilities, a term used to describe vulnerabilities unknown to plugin authors.

Below is a summary of all the WordPress hacking campaigns in February that targeted new WordPress plugin vulnerabilities.

Website administrators are encouraged to update the WordPress plugins listed below, as they are very likely to be targeted by attacks throughout 2020, and possibly beyond.


Duplicator

According to a Wordfence report, since around mid-February, hackers have exploited a bug in Duplicator, a plugin that allows site administrators to export the content of their sites.

The bug, fixed in version 1.3.28 of the plugin, allows attackers to export a copy of the site, from which they can extract the database credentials and then compromise the underlying MySQL server of a WordPress site.

To make matters worse, Duplicator is one of the most popular plugins on the WordPress portal, with more than a million installations by the time the attacks started, around February 10. Duplicator Pro, the commercial version of the plugin, installed on 170,000 additional sites, was also affected.

Profile Builder

There is also another major bug in the free and professional versions of the Profile Builder plugin. The bug could allow hackers to register unauthorized administrator accounts on WordPress sites.

The bug was fixed on February 10, but the attacks began on February 24, the day a proof of concept for the attack was released. At least two groups of hackers are reported to be exploiting the bug.

Over 65,000 sites (50,000 using the free version and 15,000 using the commercial version) are vulnerable to attack. The solution is to update the plugin to the latest version.

ThemeGrill Demo Importer

The same two groups that are exploiting the above plugin are also suspected of exploiting a bug in ThemeGrill Demo Importer, a plugin that comes with themes sold by ThemeGrill, a provider of commercial WordPress themes.

The plugin is installed on more than 200,000 sites, and the bug allows attackers to delete sites running a vulnerable version, then, if certain conditions are met, to take over the “admin” account.

The attacks have been confirmed by Wordfence, WebARX and independent Twitter researchers. The proof of concept code is also available online. Updating to v1.6.3 is recommended as soon as possible.

ThemeREX Addons

Attacks have also been spotted against ThemeREX Addons, a WordPress plugin that ships preinstalled with all ThemeREX commercial themes.

According to a Wordfence report, the attacks began on February 18, when hackers found a 0day vulnerability in the plugin and began to exploit it to create rogue administrator accounts on vulnerable sites.

Despite the ongoing attacks, no patch has been made available and site administrators are advised to remove the plugin from their sites as soon as possible.

Flexible Checkout Fields for WooCommerce

The attacks also targeted sites running the Flexible Checkout Fields for WooCommerce plugin, installed on more than 20,000 WordPress-based e-commerce sites.

Hackers used a 0day vulnerability (now fixed) to inject malicious XSS code that can be triggered in the dashboard of a logged-in administrator. The malicious XSS code allowed hackers to create administrator accounts on vulnerable sites.

Attacks have been ongoing since February 26 [1, 2].

Async JavaScript, 10Web Map Builder for Google Maps, Modern Events Calendar Lite

Three similar 0day flaws were also discovered in the Async JavaScript, 10Web Map Builder for Google Maps, and Modern Events Calendar Lite plugins. These plugins are used on 100,000, 20,000 and 40,000 sites respectively.

The three flaws were all stored XSS bugs, similar to the one described above. The three have since received patches, but the attacks started before the patches were available, which means that some targeted sites have most likely been compromised. Wordfence has more information on this campaign.
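
A triage sketch for the advice in this roundup, added here as an example and not taken from the article or from the vendors it cites: it reads the output of `wp plugin list --format=json` and flags the plugins named above. The plugin slugs are assumptions to verify against the site's wp-content/plugins directory, and the sample input is constructed.

```python
import json

# Fixed versions as stated in the article; None = the article names none.
# Slugs (plugin directory names) are assumptions: verify them on the site.
FIXED = {
    "duplicator": "1.3.28",               # Duplicator
    "themegrill-demo-importer": "1.6.3",  # ThemeGrill Demo Importer
    "profile-builder": None,              # Profile Builder
    "flexible-checkout-fields": None,     # Flexible Checkout Fields for WooCommerce
    "async-javascript": None,             # Async JavaScript
    "wd-google-maps": None,               # 10Web Map Builder for Google Maps
    "modern-events-calendar-lite": None,  # Modern Events Calendar Lite
}
REMOVE = {"trx_addons"}  # ThemeREX Addons: the article reports no patch


def vtuple(version):
    """Turn '1.3.26' into (1, 3, 26); non-numeric parts compare as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))


def triage(plugin_list_json):
    """Return [(slug, action)] for installed plugins named in the article."""
    findings = []
    for p in json.loads(plugin_list_json):
        slug, version = p["name"], p.get("version", "")
        if slug in REMOVE:
            findings.append((slug, "remove"))
        elif slug in FIXED:
            fixed = FIXED[slug]
            if fixed is None:
                # No version on the page: fall back to WP-CLI's update flag.
                action = "update" if p.get("update") == "available" else "review"
            else:
                action = "update" if vtuple(version) < vtuple(fixed) else "ok"
            findings.append((slug, action))
    return findings


# Constructed sample of `wp plugin list --format=json` output.
SAMPLE = json.dumps([
    {"name": "duplicator", "status": "active", "update": "available", "version": "1.3.26"},
    {"name": "themegrill-demo-importer", "status": "active", "update": "none", "version": "1.6.3"},
    {"name": "trx_addons", "status": "active", "update": "none", "version": "1.0"},
    {"name": "async-javascript", "status": "inactive", "update": "none", "version": "2.0"},
    {"name": "akismet", "status": "active", "update": "none", "version": "4.1"},
])

if __name__ == "__main__":
    print(triage(SAMPLE))
```

A "review" result means the article gives no fixed version and WordPress reports no pending update, so the installed version still needs to be checked against the vendor's changelog.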


