While the attacks have been ongoing for around a month, the peak occurred on May 3, when around half a million websites were targeted in around 20 million attacks. Multiple flaws have been targeted, most of which are cross-site scripting vulnerabilities in the Newspaper theme and the Easy2Map and Blog Designer plugins. Vulnerabilities in the WP GDPR Compliance and Total Donations WordPress plugins have also been targeted. The vulnerabilities being targeted are old, and patches to correct the flaws were released several months ago.
“This method would allow the attacker to maintain control of the site, as they could simply change the contents of the file at https://stat[.]trackstatisticsss[.]com/n.txt to code of their choice which could be used to embed a webshell, create a malicious administrator, or even delete the entire contents of the site,” said Defiant.
Defiant warns that the scale of the campaign and the variety of the attacks make it possible that all WordPress sites could be exposed to attack, and suggests the hacker will likely use other vulnerabilities in future attacks.
WordPress website owners have been advised to log in to their websites, ensure they are running the latest version of WordPress, update all plugins on the site, and delete all plugins that have been removed from the WordPress repository. Website owners should also consider using a web application firewall, which will provide protection against unpatched vulnerabilities.