Several WordPress plugins, some installed on hundreds of thousands of sites, are currently under active attack, an increase over the attack volume of the last few months. Many of the exploit attempts targeted recently patched bugs, but some were zero-day exploits: no security patch was available when the attacks began. Below is a list of some of the plugins that were actively attacked during February.
Duplicator
Duplicator is a plugin that lets site administrators export all of their site content. Wordfence reported that, in versions prior to 1.3.28, an unauthenticated attacker could download any file on the server that the web server process can read, from any path, on sites running the vulnerable plugin. The obvious target is wp-config.php, which contains the database credentials. With access to the site's database, an attacker can steal data, deface the site, or take it over completely.
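The pattern behind a bug of this kind, as an added example that is not Duplicator's own code: a download handler that appends a client-supplied name to its export directory, next to a hardened handler that refuses any name containing a path separator and checks the realpath()-resolved result against the export directory. Directory and file names are hypothetical, and the self-check builds its own temporary files.

```php
<?php
// Added example (not Duplicator's code): a download handler that trusts the
// requested file name, beside a hardened version that confines downloads to the
// export directory. Directory and file names below are hypothetical.

// Vulnerable pattern: the client-supplied name is appended to the export directory
// and served without checking where the resolved path actually ends up.
function vulnerable_download_path(string $exportDir, string $requestedFile): string
{
    return $exportDir . '/' . $requestedFile;   // "../wp-config.php" walks out of $exportDir
}

// Hardened pattern: accept only a bare file name, resolve it with realpath() (which
// also follows symlinks), and require the result to lie inside the export directory.
// Returns null when the request must be refused.
function safe_download_path(string $exportDir, string $requestedFile): ?string
{
    $base = realpath($exportDir);
    if ($base === false) {
        return null;                                // export directory missing
    }
    // No path separators and no NUL byte: realpath() would reject the NUL anyway,
    // but this keeps ".." and absolute paths out before any filesystem access.
    if ($requestedFile === '' || strpbrk($requestedFile, "/\\\0") !== false) {
        return null;
    }
    $target = realpath($base . DIRECTORY_SEPARATOR . $requestedFile);
    if ($target === false || !is_file($target)) {
        return null;                                // nonexistent, or not a regular file
    }
    // Containment check on the resolved path, not on the string the client sent.
    $prefix = $base . DIRECTORY_SEPARATOR;
    if (strncmp($target, $prefix, strlen($prefix)) !== 0) {
        return null;                                // resolved outside the export directory
    }
    return $target;
}

// Self-check on a temporary layout: an export directory holding one archive, with a
// stand-in wp-config.php one level above it (constructed for this example).
$root      = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'dl_demo_' . bin2hex(random_bytes(4));
$exportDir = $root . DIRECTORY_SEPARATOR . 'exports';
mkdir($exportDir, 0700, true);
file_put_contents($exportDir . '/site_backup.zip', 'zip bytes');
file_put_contents($root . '/wp-config.php', "<?php define('DB_PASSWORD', 'not-a-real-secret');");

// Each request: [vulnerable handler would serve a file?, hardened handler serves?]
$expected = [
    'site_backup.zip'  => [true,  true],
    '../wp-config.php' => [true,  false],   // the traversal the text describes
    'missing.zip'      => [false, false],
];
try {
    foreach ($expected as $name => [$wantUnsafe, $wantSafe]) {
        $unsafe = is_file(vulnerable_download_path($exportDir, $name));
        $safe   = safe_download_path($exportDir, $name) !== null;
        printf("%-18s vulnerable serves: %-5s  hardened serves: %s\n",
            $name, var_export($unsafe, true), var_export($safe, true));
        if ($unsafe !== $wantUnsafe || $safe !== $wantSafe) {
            throw new RuntimeException("unexpected result for $name");
        }
    }
} finally {
    unlink($exportDir . '/site_backup.zip');
    unlink($root . '/wp-config.php');
    rmdir($exportDir);
    rmdir($root);
}
```

Run it with the php command-line interpreter. The point to take away is that the containment test runs on the path after realpath() has resolved it: grepping the raw request string for ".." misses encodings and symlinks, and rejecting separators outright is simpler and safer than trying to normalise them.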
Profile Builder
The Profile Builder plugin describes itself as an “Easy to use profile plugin for creating front-end login, user registration, and edit profile forms by using shortcodes.” A site administrator can add a drop-down to the registration form that lets a new user pick a role. Even when that drop-down was left disabled, the plugin did not validate the submitted role on the server side, so a malicious registrant could add the field to the form submission and register directly as an administrator.
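How the server side of that registration should decide on a role, as an added example that is not Profile Builder's own code: a handler that honours whatever role the browser submitted, beside one that ignores the field unless the selector was enabled, accepts only an explicit allow-list, and never lets a registrant pick "administrator". The settings keys, the "role" field name and the scenarios are hypothetical and constructed for this example.

```php
<?php
// Added example (not Profile Builder's code): choosing the role for a new
// registration. The settings array, its keys and the "role" field name are
// hypothetical stand-ins for whatever a real plugin stores.

// Vulnerable pattern: the role the browser submitted is honoured, whether or not
// the site owner ever enabled a role selector on the form.
function role_for_registration_vulnerable(array $post, string $defaultRole): string
{
    return is_string($post['role'] ?? null) ? $post['role'] : $defaultRole;
}

// Hardened pattern: the submitted value is consulted only when the administrator
// enabled the selector, must be one of the roles explicitly allowed for
// self-registration, and "administrator" is never self-assignable at all.
function role_for_registration(array $post, array $settings, string $defaultRole): string
{
    if (empty($settings['role_selector_enabled'])) {
        return $defaultRole;                       // field not offered: ignore it entirely
    }
    $allowed   = array_diff($settings['allowed_roles'] ?? [], ['administrator']);
    $requested = $post['role'] ?? null;
    // Strict comparison: a non-string (e.g. role[]=... turned into an array) never matches.
    return in_array($requested, $allowed, true) ? $requested : $defaultRole;
}

// Constructed scenarios; the last element of each row is the hardened result expected.
$selectorOff = ['role_selector_enabled' => false, 'allowed_roles' => []];
$selectorOn  = ['role_selector_enabled' => true,  'allowed_roles' => ['subscriber', 'contributor']];

$cases = [
    ['selector off, role field injected',    ['role' => 'administrator'],   $selectorOff, 'subscriber'],
    ['selector on, allowed role chosen',     ['role' => 'contributor'],     $selectorOn,  'contributor'],
    ['selector on, unlisted role requested', ['role' => 'editor'],          $selectorOn,  'subscriber'],
    ['selector on, administrator requested', ['role' => 'administrator'],   $selectorOn,  'subscriber'],
    ['selector on, array instead of string', ['role' => ['administrator']], $selectorOn,  'subscriber'],
];
foreach ($cases as [$label, $post, $settings, $want]) {
    $got = role_for_registration($post, $settings, 'subscriber');
    printf("%-38s hardened: %-12s vulnerable: %s\n", $label, $got,
        role_for_registration_vulnerable($post, 'subscriber'));
    if ($got !== $want) {
        throw new RuntimeException("unexpected role for: $label");
    }
}
```

The first scenario is the one the text describes: with the selector disabled, the vulnerable handler still returns "administrator" while the hardened one falls back to the default role. Whether a form field is rendered is a client-side detail; the server must treat every privileged field as attacker-controlled input and validate it against what the site owner actually configured.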
ThemeGrill Demo Importer
WordPress theme vendor ThemeGrill ships the ThemeGrill Demo Importer plugin by default with themes purchased from its platform. Before version 1.6.3, an attacker could wipe the WordPress database, effectively resetting the installation; from there, the attacker could register as the site's new administrator. Because the database is deleted outright, a site hit by this attack cannot recover its content without a backup.
ThemeREX Addons
ThemeREX Addons is another bundled plugin, distributed with many ThemeREX themes to provide “management features.” Wordfence found that versions 1.6.50 and above are vulnerable to remote code execution, and no patched release was available to users at the time of writing. Until one is, the only remediation is to deactivate and remove the plugin.