Three WordPress Plugin Zero-Days Exploited in the Wild

LASER_oneXM

Feb 4, 2016
Hackers have exploited three zero-days to install backdoors on WordPress sites, according to a security alert published minutes ago by WordPress security firm Wordfence.

The zero-days affect three WordPress plugins — Appointments, RegistrationMagic-Custom Registration Forms, and Flickr Gallery.

The plugins' authors released updates to fix the attack vector — a PHP object injection vulnerability that affects all three plugins in the same way.

0-days allow hackers to install backdoors on vulnerable sites
"This vulnerability allowed attackers to cause a vulnerable website to fetch a remote file (a PHP backdoor) and save it to a location of their choice," says Wordfence researcher Brad Haas.

According to Haas, the vulnerability is trivial to exploit: the attacker only has to package the exploit payload inside an HTTP POST request sent to the victim site, and no authentication on the site is required to trigger it.

For sites running the Flickr Gallery plugin, the POST request targets the site's root URL; for the other two plugins it targets admin-ajax.php, WordPress's AJAX endpoint, which is reachable by visitors who are not logged in.

Once a site has been tricked into downloading the backdoor, the attacker can take it over within minutes.

Only 21,000 sites vulnerable
Wordfence said it detected the zero-days after investigating a series of hacked sites and finding evidence of past exploitation.

There is good and bad news. The good news is that the plugins are not that popular, having around 21,000 installations combined.

The bad news is that the zero-days are easy to exploit, and other attackers can diff the patched plugin releases against the vulnerable versions to reconstruct the exploit.
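The pattern Haas describes, as an added illustration that is not code from any of the three plugins or from Wordfence: a class already loaded by the application does file I/O in a magic method, and a handler that requires no login passes attacker-controlled POST data to unserialize(). The CacheWriter class, the handler names and the authorization callback are constructed for this example; in a real plugin the request would arrive through admin-ajax.php and the authorization step would be current_user_can() plus check_ajax_referer().

```php
<?php
// Added example for this thread, not code from Appointments, RegistrationMagic
// or Flickr Gallery. Two ingredients make a PHP object injection exploitable:
// unserialize() on attacker-controlled bytes, and a class that is already
// loaded whose magic method does something dangerous. CacheWriter is a
// constructed "gadget" of that kind: its destructor writes a buffer to a path.

class CacheWriter {
    public $path;
    public $data;

    // Runs when the object is destroyed, including objects that unserialize()
    // built from attacker-supplied input.
    public function __destruct() {
        if (is_string($this->path) && is_string($this->data)) {
            file_put_contents($this->path, $this->data);
        }
    }
}

// VULNERABLE: deserializes a client-controlled field with no authorization
// check and no class restriction. This is the object injection sink.
function handle_vulnerable(array $post): void {
    $state = unserialize($post['state']);
    // ... plugin logic would use $state here ...
    unset($state); // the injected object's destructor fires here
}

// HARDENED: (1) require authorization (hypothetical callback standing in for
// current_user_can()/check_ajax_referer()), (2) carry client state as JSON so
// no PHP object can be instantiated, and (3) if legacy serialized blobs must
// still be read, forbid class instantiation with allowed_classes => false
// (PHP 7.0+), which yields __PHP_Incomplete_Class objects whose magic methods
// never run. Either path leaves the gadget's destructor unreachable.
function handle_hardened(array $post, callable $is_authorized): void {
    if (!$is_authorized()) {
        return;
    }
    $state = json_decode($post['state'] ?? '', true); // arrays only
    if (!is_array($state)) {
        return;
    }
    // Legacy-format path, only when the wire format cannot be changed:
    // $state = unserialize($blob, ['allowed_classes' => false]);
    // ... plugin logic uses $state ...
}

// Demonstration: build the payload an attacker would place in the POST body.
// The written content is a harmless placeholder, not a real backdoor.
$target = sys_get_temp_dir() . '/oi_demo_' . bin2hex(random_bytes(4)) . '.php';
$gadget = new CacheWriter();
$gadget->path = $target;
$gadget->data = "<?php /* placeholder written by the demo, not a backdoor */\n";
$payload = serialize($gadget);
$gadget->path = null; // stop the local object from writing the file itself

echo "payload: $payload\n";

handle_vulnerable(['state' => $payload]);
echo "vulnerable handler, file written: " . (file_exists($target) ? 'yes' : 'no') . "\n";
@unlink($target);

handle_hardened(['state' => $payload], function () { return true; });
echo "hardened handler, file written:   " . (file_exists($target) ? 'yes' : 'no') . "\n";
```

Run it with `php object_injection_demo.php`: the vulnerable handler writes the placeholder file from a single POST-shaped array, the hardened one does not, even with authorization granted, because the serialized payload is not valid JSON and so never becomes an object. The point the post makes about unauthenticated access maps onto the missing authorization check; the point about fetching and saving a file maps onto whatever gadget class the application already loads, which is why the same bug looked identical across three unrelated plugins.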
 
