WordPress Plugin Flaws Still Being Exploited
A malvertising attack redirecting website bringing up popups is being exploited in WordPress using known vulnerabilities in WordPress plugins as the back door. The attack has been going on since the summer, with hackers redirecting website visitors to malware and fake sites. They're targeting vulnerable websites with outdated WordPress plugin versions to inject malicious JavaScript into the front ends to perform the redirects. Recent, new exploits have been added to the hackers' bag of tricks. They have started installing persistent backdoors on compromised sites.
The plugins targeted are extensive and include Bold Page Builder, Blog Designer, Live Chat with Facebook Messenger, Yuzo Related Posts, Visual CSS Style Editor, WP Live Chat Support, Form Lightbox, Hybrid Composer, and all former NicDark plugins. Some of these have updated and others have been removed from the WordPress.org repository and are no longer supported by their developers.
Any unauthenticated cross-site scripting ( XSS ) or options update vulnerabilities disclosed in the near future will be quickly targeted by the hackers. In fact, a flaw in the Bold Page Builder plugin was disclosed in August, and an exploit for it was added to the malvertising attack the next day. As for the backdoor, the hackers are exploiting administrator sessions to install an additional script into the website. The malvertising attack comes from a single IP address belonging to a Rackspace server, most likely a legitimate webserver that has been compromised. Wordfence contacted Rackspace about the issue.
Plugins continue to be an attractive target for WordPress' hackers. According to a Imperva report, 98 percent of WordPress vulnerabilities are related to plugins, which extend the functionality and features of a website or a blog.