Several WordPress plugins, some installed on hundreds of thousands of sites, are currently under active attack. This represents an increase in attacks on WordPress sites compared to the last few months. While many of the exploit attempts targeted recently patched bugs, some of the attacks were considered zero-day exploits because no security patches were available. Below is a list of some of the plugins that were actively attacked during the month of February.
Duplicator
Duplicator is a plugin that allows site administrators to export all of their site content. Prior to version 1.3.28, Wordfence reported that it was possible for an unauthenticated attacker to download any file on the server from any path on sites using the vulnerable plugin. This could lead an attacker to download the wp-config.php file which contains database credentials. Leveraging the site’s database could then lead to anything from stolen data, defacement, or even a full site takeover.
Profile Builder
The Profile Builder plugin describes itself as an “Easy to use profile plugin for creating front-end login, user registration, and edit profile forms by using shortcodes.” During member registration, a drop-down option for selecting the new user’s role could be added by a site administrator. Even if this was left disabled, the plugin did not validate this. A malicious registration could modify the form submission to include this field and register as an administrator.
ThemeGrill Demo Importer
WordPress theme vendor ThemeGrill ships a plugin (ThemeGrill Demo Importer) by default with themes purchased from its platform. Before version 1.6.3, it was possible for an attacker to wipe the WordPress database, essentially resetting the installation. From there, it is possible to register as the site’s new administrator.
ThemeREX Addons
Another bundled plugin, ThemeREX Addons is a plugin distributed with many themes by ThemeREX to provide “management features.” Wordfence found that versions 1.6.50 and above are currently vulnerable to a remote code execution vulnerability with no patch available to users yet.
Analyst Notes
WordPress is an extremely popular site-building platform with a wide variety of plugins created by third parties. Anyone can create and publish a plugin for the platform. Unfortunately, not all plugin developers have security on their mind, and even those that do can make mistakes. WordPress administrators should evaluate the need for each plugin before installing one. Is the feature really necessary or useful? If it is, is the plugin under active development, or was the last update several years ago? Many WordPress sites are compromised and used for malware distribution because of unsecured and outdated plugins that either the author does not update, or an administrator does not update the plugin with each new release. Site administrators should strive to keep not only their WordPress installation up-to-date but all installed plugins as well. For cases like the ThemeREX Addons plugin, no update is currently available and the plugin must be removed until a patch is available to prevent exploitation of the WordPress site. Web administrators should consider file integrity monitoring for their webroot directories. Integrity monitoring solutions can quickly alert administrators in the event of a critical files being modified or new files being uploaded where they shouldn’t be.
Sources: https://www.zdnet.com/article/hackers-are-actively-exploiting-zero-days-in-several-wordpress-plugins/
Active Attack on Recently Patched Duplicator Plugin Vulnerability Affects Over 1 Million Sites
Critical Vulnerability In Profile Builder Plugin Allowed Site Takeover
Multiple Attack Campaigns Targeting Recent Plugin Vulnerabilities
Zero-Day Vulnerability in ThemeREX Addons Plugin Exploited in the Wild
