WordPress administrators are being urged to ensure all of their plug-ins are up-to-date, after researchers detected a 30-fold increase in attack traffic targeting mainly cross-site-scripting vulnerabilities.
The surge in malicious traffic over the past few weeks appeared to peak on May 3, when more than 20 million attacks were attempted against more than half a million individual sites, according to Wordfence’s Ram Gall.
Over the past month, the security vendor detected attacks on more than 900,000 sites, from over 24,000 different IP addresses, all from what appears to be the same malicious actor.
That’s because they’re all attempting to inject the same malicious JavaScript payload to insert a backdoor into the victim site and redirect visitors.
The attacks themselves seek to exploit several cross-site scripting vulnerabilities in the Easy2Map plug-in, the Blog Designer plug-in and the Newspaper theme. Also targeted are options update vulnerabilities in the WP GDPR Compliance plug-in and the Total Donations plug-in.
However, Gall warned that the hacker behind these attacks is likely to pivot to other vulnerabilities in the future.
The JavaScript in question is designed to redirect users who are not logged in to a malvertising URL. If they are logged in, it will try to inject a malicious PHP backdoor into the current theme’s header file, alongside another malicious JavaScript, with the aim of taking remote control of the site.
“The most important thing you can do in a situation like this is to keep your plug-ins up-to-date, and to deactivate and delete any plug-ins that have been removed from the WordPress plug-in repository. The vast majority of these attacks are targeted at vulnerabilities that were patched months or years ago, and in plug-ins that don’t have a large number of users,” advised Gall.
“While we did not see any attacks that would be effective against the latest versions of any currently available plug-ins, running a web application firewall can also help protect your site against any vulnerabilities that might have not yet been patched.”