More than 900,000 WordPress websites have been targeted by an unidentified bad actor in a large-scale hacking campaign over the past week. Defiant, which makes Wordfence security plugins for the web publishing platform, said that it started noticing and tracking a spike in attacks targeting especially Cross-Site Scripting (XSS) vulnerabilities on April 28th. The large-scale campaign ultimately resulted in a 30-fold increase in attack traffic.
Based on the malicious payload, Defiant suspects that most of these attacks are being carried out by a single malicious actor. According to Wordfence QA engineer Ram Gall, the cybercriminal started off with a small volume of attacks and didn’t ramp up the efforts until last week, with the campaign peaking at 20 million attempted attacks against more than half a million websites on May 3rd.
“Over the course of the past month in total, we’ve detected over 24,000 distinct IP addresses sending requests matching these attacks to over 900,000 sites,” he added. The ne’er-do-well targets Cross-Site Scripting (XSS) as well as other vulnerabilities in an attempt to inject malicious code into the websites that then redirect visitors to malvertising sites.
It is worth noting that security updates are available for the flaws under exploitation, and that the patches were rolled out months and, in some cases, even years ago.
Three of the five targeted vulnerabilities are XSS-related. One of them affects the Easy2Map plugin, which accounted for more than half of the attacks and is likely installed on fewer than 3,000 websites. The second security hole resides in Blog Designer and was patched last year; it has been targeted before and Defiant estimates that there are approximately 1,000 vulnerable installations. The third XSS vulnerability is found in the Newspaper theme, which has also been at the center of attacks in the past and has been patched since 2016
The last two are options updates vulnerabilities. One affects the WP GDPR Compliance plugin that has been patched since 2018 and we previously wrote about a campaign that attempted to seize control of websites using the plugin. The other affects the Total Donations plugin that was permanently pulled from the Envato Marketplace in 2019. Each of the vulnerabilities allow hackers to change the site’s home web address.
The researchers suspect that the attacker is skilled enough to target other vulnerabilities in the future. The best advice for WordPress site admins is as old as the hills: keep the core WordPress software and all plugins up-to-date. It’s also important to ditch any abandoned or no-longer-needed plugins, since they only increase the attack surface of a WordPress installation.