Message from Webmaster's Home (ChinaZ.com) on March 2: WordPress is by far the most widely used website-building technology on the Internet. According to recent statistics, more than 35% of Internet websites run the WordPress CMS (content management system).
Because WordPress has so many users, it has become a target for attackers. Attacks against WordPress websites are reported to have become increasingly frequent since February this year. Several network security companies specializing in WordPress security products, such as Wordfence, WebARX and NinTechNet, have reported a rise in attacks on WordPress sites.
In February, it was reported that all of the new attacks focused on exploiting vulnerabilities in WordPress plug-ins rather than in WordPress itself. Many attacks targeted recently patched plug-in vulnerabilities: hackers hope to hijack websites before webmasters have a chance to install the security patches.
However, some attacks are slightly more complex: some attackers also found and began to exploit zero-day vulnerabilities. The following is a summary of the new WordPress plug-in vulnerability attacks that occurred in February. Website administrators are advised to update the following WordPress plug-ins as soon as possible to avoid hacker attacks on the affected websites.
Duplicator
According to a Wordfence report, since mid-February hackers have been exploiting a vulnerability in Duplicator, a plug-in that allows site administrators to export their site's content.
This vulnerability allows an attacker to export a copy of the site, extract the database credentials from it, and then hijack the MySQL server underlying the WordPress site.
To make matters worse, Duplicator is one of the most popular plug-ins on the WordPress portal. When the attacks started on February 10, it had more than 1 million installs. The commercial version of the plug-in, Duplicator Pro, installed on another 170,000 sites, was also affected.
Profile Builder
Another major vulnerability exists in the Profile Builder plug-in (both the free and the Pro version), which allows hackers to register unauthorized administrator accounts on a WordPress website.
The vulnerability was fixed on February 10, but attacks started on February 24. According to the report, at least two hacker groups are exploiting this vulnerability. More than 65,000 sites (50,000 using the free version, 15,000 using the commercial version) remain vulnerable unless they update the plug-in to the latest version.
ThemeGrill Demo Importer
Another vulnerability lies in the ThemeGrill Demo Importer, which ships with the commercial WordPress themes sold by ThemeGrill, a web development company.
WebARX, a WordPress security company, said that older versions of ThemeGrill Demo Importer were vulnerable to remote attacks by unauthenticated attackers. The attacker can reset the site's content to a blank state, effectively wiping the content of any WordPress site that has a ThemeGrill theme activated and the vulnerable plug-in installed.
In addition, if the site's database contains a user named "admin", the attacker is also granted access as that user, who has full administrator privileges on the site. More than 200,000 sites have this plug-in installed. It is recommended to update it to v1.6.3 as soon as possible.
ThemeREX Addons
Security researchers also found attacks against the ThemeREX Addons plug-in, a WordPress plug-in bundled with all ThemeREX commercial themes. According to Wordfence's report, the attacks started on February 18, when hackers discovered a zero-day vulnerability in the plug-in and began using it to create rogue administrator accounts on vulnerable sites.
Although the attacks continue, no patch has been provided. Webmasters are advised to remove the plug-in from their websites as soon as possible.
Flexible Checkout Fields for WooCommerce
Attacks also targeted websites running the Flexible Checkout Fields for WooCommerce plug-in, which is installed on more than 20,000 WordPress-based e-commerce websites.
Hackers used a (now patched) zero-day vulnerability to inject XSS payloads that are triggered in the dashboard of a logged-in administrator. The XSS payload allows the hackers to create administrator accounts on vulnerable websites.
These attacks have been carried out since February 26 [1,2].
In addition, the Async JavaScript, 10Web Map Builder for Google Maps, and Modern Events Calendar Lite plug-ins have similar zero-day vulnerabilities; they are installed on 100,000, 20,000, and 40,000 sites, respectively. (zdnet)