WordPress Sites are Being Backdoored With Rogue Admin Users

upnorth

Moderator
Thread author
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,457
Lock up your WordPress – a recent malvertising campaign targeting vulnerable plugins is now trying to backdoor sites by creating rogue admin accounts.

In July when web firewall company WordFence (aka Defiant) first noticed the campaign, it was attempting to hijack sites to push popup ads, tech support scams and malicious Android apps. Plugins targeted included vulnerable versions of Coming Soon Page & Maintenance Mode, which followed attacks in April and May on the Yellow Pencil Visual CSS Style Editor and Blog Designer. Six weeks on, perhaps encouraged by the number of vulnerable sites they found, the attackers have upgraded their attacks to take complete control of sites vulnerable to their attacks. A new vulnerable plugin, Bold Page Builder, has also been added to the exploitation list, which attackers reportedly started targeting on 22 August.

Anyone with a vulnerable plugin is now at risk of having their site backdoored by a rogue user account with administrator privileges. As before, the attackers attempt to infect vulnerable sites with malicious JavaScript code that’s run whenever a user visits an affected page. The moment of weakness occurs if the user:
  1. Has previously visited an infected page
  2. Is a WordPress administrator on the infected site
  3. Is currently logged in to the site
If these conditions are met the code silently abuses the logged-in administrator’s ability to create new users, issuing an AJAX request to create a rogue administrator account named wpservices. What could the attackers do with the access this rogue account gives them? Pretty much anything they want.
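Because the backdoor here is simply an extra administrator row in the WordPress users table, the practical check for a site owner is to compare the current administrator list against a known-good baseline. The script below is an added example for that audit; it is not code from the post, from MalwareTips or from WordFence. It assumes the administrator list was exported with WP-CLI (`wp user list --role=administrator --format=json`), that the site keeps a baseline of expected admin logins, and the sample export, baseline and dates are all constructed for illustration.

```python
"""Audit WordPress administrator accounts against a known-good baseline.

Added example, not code from the forum post or WordFence. Assumes the user
list was exported with WP-CLI (`wp user list --role=administrator
--format=json`); the export, baseline and cut-off date below are constructed.
"""
import json
from datetime import datetime

# Constructed sample of what the WP-CLI JSON export might look like.
SAMPLE_EXPORT = json.dumps([
    {"ID": 1, "user_login": "siteowner", "user_email": "owner@example.com",
     "user_registered": "2019-02-10 09:12:44", "roles": "administrator"},
    {"ID": 57, "user_login": "wpservices", "user_email": "wpservices@example.com",
     "user_registered": "2019-08-23 03:41:07", "roles": "administrator"},
])

# Constructed baseline: the admin logins the site operator expects to exist.
KNOWN_ADMINS = {"siteowner"}

# Login name the campaign described above is reported to create.
SUSPICIOUS_LOGINS = {"wpservices"}


def find_rogue_admins(export_json, known_admins, since=None):
    """Return administrator records that look unexpected.

    A record is flagged when its login is missing from the baseline, matches
    a login reported for this campaign, or was registered after `since`
    (an ISO date string such as "2019-08-01", parsed with fromisoformat).
    """
    cutoff = datetime.fromisoformat(since) if since else None
    flagged = []
    for user in json.loads(export_json):
        # WP-CLI reports roles as a comma-separated string.
        if "administrator" not in user.get("roles", "").split(","):
            continue
        login = user["user_login"]
        reasons = []
        if login not in known_admins:
            reasons.append("not in baseline")
        if login in SUSPICIOUS_LOGINS:
            reasons.append("matches reported rogue login")
        if cutoff is not None:
            registered = datetime.fromisoformat(user["user_registered"])
            if registered > cutoff:
                reasons.append("registered after baseline date")
        if reasons:
            flagged.append({"ID": user["ID"], "user_login": login, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for hit in find_rogue_admins(SAMPLE_EXPORT, KNOWN_ADMINS, since="2019-08-01"):
        print(f"ID {hit['ID']} {hit['user_login']}: {', '.join(hit['reasons'])}")
```

Run it against a real export by replacing `SAMPLE_EXPORT` with the file contents and `KNOWN_ADMINS` with the logins you actually created; any hit should be checked in the dashboard and, if unexplained, removed along with the vulnerable plugin that let the script run. The registration-date check catches accounts the campaign creates under a different name than `wpservices`.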
 
