WordPress plugins, a potential weak spot in the content management system, are often targeted by attackers. A new campaign is leveraging a selection of new and old vulnerabilities in several plugins to redirect legitimate website traffic to other domains.
The plugins in question — several individual plugins from NicDark and Simple 301 Redirects Addon — have been patched, said security researchers at Wordfence.
The Simple 301 Redirects – Addon – Bulk Uploader plugin has also been the subject of attacks targeting a recently-patched vulnerability allowing unauthenticated attackers to inject their own 301 redirect rules onto a victim’s site.
“Vulnerable versions of the plugin would constantly listen for the presence of the POST body parameter submit_bulk_301. If this value is present, an uploaded CSV file would be processed and used to import a bulk set of site paths and their redirect destinations,” noted Wordfence researchers in a blog post.
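One way to check a site for the injected rules described above: an added Python example, not code from Wordfence or the plugin, that reviews a list of path/destination redirect rules and flags every destination outside the site's own domain. The CSV layout, the host names and the function names are assumptions made for illustration.

```python
import csv
import io
from urllib.parse import urlsplit

# Constructed sample rules, one "path,destination" pair per row (not campaign data).
SAMPLE_RULES = """\
/old-pricing,/pricing
/blog/2018/launch,https://www.example.com/news/launch
/,https://redirect-target.invalid/landing
/shop,//cdn-tracker.invalid/r?x=1
/contact,https://example.com.lookalike.invalid/contact
"""


def is_own_host(host, site_host):
    """True if host is the site's domain or one of its subdomains."""
    host = host.lower().rstrip(".")
    site_host = site_host.lower()
    if site_host.startswith("www."):
        site_host = site_host[4:]
    return host == site_host or host.endswith("." + site_host)


def suspicious_redirects(csv_text, site_host):
    """Return (path, destination, reason) for every rule that leaves the site."""
    findings = []
    for row in csv.reader(io.StringIO(csv_text)):
        if len(row) < 2 or not row[0].strip():
            continue  # blank or malformed row
        path, dest = row[0].strip(), row[1].strip()
        host = urlsplit(dest).hostname  # also set for scheme-less //host/ URLs
        if host is None:
            continue  # relative destination, stays on the site
        if not is_own_host(host, site_host):
            reason = f"external host {host}"
            if path == "/":
                reason += " (site root)"  # front-page traffic is diverted
            findings.append((path, dest, reason))
    return findings


if __name__ == "__main__":
    for path, dest, reason in suspicious_redirects(SAMPLE_RULES, "example.com"):
        print(f"{path} -> {dest}: {reason}")
```

Any flagged rule that no administrator recognises is a candidate for removal, alongside updating the plugin to its patched version.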
In addition to the two main plugins above, the researchers have also identified related attacks against a number of other plugins, using a similar modus operandi and also targeting recently patched vulnerabilities. These include:
- Woocommerce User Email Verification
- Yellow Pencil Visual Theme Customizer
- Coming Soon and Maintenance Mode
- Blog Designer
As Wordfence threat analyst and blog post author Mikey Veenstra pithily put it on Twitter: “Keep your stuff patched!”
WordPress plugins have long been vulnerable to attack. A vulnerability in the Ad Inserter plugin that allowed attackers to run their own PHP code was discovered in July 2019, when Ad Inserter was installed on 200,000 sites. A vulnerability in the Convert Plus plugin that allowed an attacker to gain administrative privileges was reported in May 2019 – Convert Plus had an install base of 100,000 at the time.
Indicators of Compromise (IOCs) for the current campaign have been issued by Wordfence, which has also updated firewall rules to protect against the attacks.
The top 20 IPs associated with this campaign are listed below.