Over 900,000 WordPress sites have been targeted in a new attack campaign which aims to redirect visitors to malvertising sites or plant backdoors into a theme’s header if an administrator is logged in.
In a blog post, Ram Gall, Senior QA at Defiant, provided further insight into the sheer scale of the campaign:
“While our records show that this threat actor may have sent out a smaller volume of attacks in the past, it’s only in the past few days that they’ve truly ramped up, to the point where more than 20 million attacks were attempted against more than half a million individual sites on May 3, 2020. Over the course of the past month in total, we’ve detected over 24,000 distinct IP addresses sending requests matching these attacks to over 900,000 sites.”
Targeting older WordPress vulnerabilities
According to Gall, the attacker targeted multiple vulnerabilities in WordPress plugins that have either been removed from official repositories or patched within the last few years.
More than half of all the attacks targeted sites running the Easy2Map plugin, which contains an XSS vulnerability. Although the plugin was removed from the WordPress repository in August 2019, it is still installed on fewer than 3,000 sites. The attacker also exploited an XSS vulnerability in the Blog Designer plugin that was patched in 2019 and one in the Newspaper theme that was patched in 2016.
In order to change a site’s home URL, the attacker took advantage of an options update vulnerability in the WP GDPR Compliance and Total Donations plugins. WP GDPR Compliance has more than 100,000 installations, but Defiant estimates that no more than 5,000 vulnerable installations remain. Total Donations, on the other hand, was permanently removed from the Envato Marketplace in early 2019, and fewer than 1,000 installations are estimated to remain.
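The two outcomes the article describes, a rewritten home URL and code injected into a theme's header, are both things a site owner can check for directly. The script below is an added example, not code from the article or from Defiant: it compares the `home` and `siteurl` options against known-good values and flags header-template content that loads scripts from hosts outside an allowlist or uses PHP constructs commonly seen in injected code. The expected URLs, the allowlist, the sample option rows and the sample header content are all constructed for the demonstration, and the PHP-pattern list is a heuristic, not a definitive indicator.

```python
"""Integrity checks for a WordPress site's URL options and theme header.

Added example (not from the article). Input is assumed to come from a
wp_options dump and the active theme's header.php; the values below are
constructed for illustration.
"""
import re
from urllib.parse import urlparse

# Constructed: the URLs the administrator knows the site should have.
EXPECTED_URLS = {
    "home": "https://example-site.test",
    "siteurl": "https://example-site.test",
}

# Constructed: hosts the theme is allowed to load scripts from.
ALLOWED_SCRIPT_HOSTS = {"example-site.test", "fonts.googleapis.com"}

# Matches src="..." on <script> tags; the capture is the URL.
SCRIPT_SRC = re.compile(r"<script[^>]*\bsrc\s*=\s*['\"]([^'\"]+)['\"]", re.I)

# Heuristic assumption: PHP functions frequently used to hide injected code.
PHP_EXEC = re.compile(r"\b(eval|assert|base64_decode|gzinflate|str_rot13)\s*\(", re.I)


def check_url_options(options):
    """Return (option_name, actual_value) for every URL option that differs
    from the expected value. `options` maps wp_options name -> value."""
    findings = []
    for name, expected in EXPECTED_URLS.items():
        actual = options.get(name)
        if actual is None or actual.rstrip("/") != expected.rstrip("/"):
            findings.append((name, actual))
    return findings


def check_header_template(source):
    """Return findings for a header.php source string: external script
    sources not on the allowlist, and suspicious PHP function calls."""
    findings = []
    for src in SCRIPT_SRC.findall(source):
        # Relative paths have no host and are skipped; protocol-relative
        # and absolute URLs resolve to a hostname.
        host = urlparse(src if "//" in src else "//" + src).hostname
        if host and host not in ALLOWED_SCRIPT_HOSTS:
            findings.append(("external-script", src))
    for match in PHP_EXEC.finditer(source):
        findings.append(("suspicious-php", match.group(1)))
    return findings


# Constructed sample input: a tampered home URL and a header with one
# allowed script, one unknown external script and an obfuscated PHP call.
SAMPLE_OPTIONS = {
    "home": "https://redirect-target.test",
    "siteurl": "https://example-site.test",
}
SAMPLE_HEADER = """<!DOCTYPE html><html><head>
<script src="https://fonts.googleapis.com/css?family=Roboto"></script>
<script src="//cdn.unknown-host.test/track.js"></script>
<?php eval(base64_decode('PLACEHOLDER_PAYLOAD')); ?>
</head>"""


def audit(options, header_source):
    """Combine both checks into one report dict."""
    return {
        "url_options": check_url_options(options),
        "header": check_header_template(header_source),
    }


if __name__ == "__main__":
    for section, items in audit(SAMPLE_OPTIONS, SAMPLE_HEADER).items():
        for item in items:
            print(f"[{section}] {item[0]}: {item[1]}")
```

Run against a real site by loading `SELECT option_name, option_value FROM wp_options WHERE option_name IN ('home','siteurl')` into the dictionary and reading the active theme's `header.php`; a clean site produces no findings from either check.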
If your site uses any of these plugins or themes, it is highly recommended that you update them immediately and remove any that are no longer in the official WordPress repository.