With WordPress powering 35% of all the websites on the Internet it is a popular target for hackers. Finding an exploit in one plugin or theme can expose millions of websites. Furthermore, due to the vast number of plugins and themes, there are plenty of things to try and exploit.
Recently there has been a surge of popular plugins that have been exploited, this includes some very popular plugins that many of us use, yes, us too.
Many of the attacks targeted recently patched plugin bugs, with the hackers hoping to hijack sites before site administrators had a chance to apply security patches. This is a common technique and why we always recommend keeping on top of your updates, our hosting services include updating your plugins for you.
Website administrators are advised to update all the WordPress plugins listed below as they’re very likely to be exploited throughout the course of the year.
Table of Contents
Duplicator
This is one of the plugins we previously used ourselves and has over 170k installs. Around mid-February, hackers have exploited a bug in Duplicator, a plugin that lets site administrators export the content of their sites.
The bug, fixed in 1.3.28, allows attackers to export a copy of the site, from where they can extract database credentials, and then hijack a WordPress site’s underlying MySQL server.
Profile Builder plugin
A bug in this plugin can allow hackers to register unauthorized admin accounts on WordPress sites.
The bug was patched on February 10, but attacks began on February 24, on the same day that proof-of-concept code was published online. At least two hacker groups are believed to be exploiting this bug, according to a report.
Currently, this has around 65K installs
ThemeGrill Demo Importer
This is included with themes sold by ThemeGrill and imports demo content. The plugin is installed on more than 200,000 sites, and the bug allows users to wipe sites running a vulnerable version, and then, if some conditions are met, take over the “admin” account.
ThemeREX Addons
Another built-in plugin this time for ThemeREX commercial themes. Attacks began on February 18, when hackers found a zero-day vulnerability in the plugin and began exploiting it to create rogue admin accounts on vulnerable sites.
Despite ongoing attacks, a patch was never made available and site administrators are advised to remove the plugin from their sites as soon as possible.
Flexible Checkout Fields
The Flexible Checkout Fields for WooCommerce plugin has more than 20K installs and hackers used a zero-day vulnerability to inject XSS payloads that can be triggered in the dashboard of a logged-in administrator. The XSS payloads allowed hackers to create admin accounts on vulnerable sites. This is now patched if you have updated the plugin.
3 Plugins – Async JavaScript, 10Web Map Builder for Google Maps, Modern Events Calendar Lite
All these were exploited by a similar zero-days exploit, the Async JavaScript is particularly popular with 100k installs from users attempting to improve Google Page Load Speeds. These have now been patched but the exploits occurred before the patches were pushed, so even if you did update there is a chance you may have been exploited.