Security News: Zero-day in popular WordPress plugin exploited in the wild to take over sites

vtqhtr413

Level 26
Thread author
Verified
Top Poster
Well-known
Aug 17, 2017
1,484
Attacks started around three weeks ago and are still going on. Users should update the WP GDPR Compliance plugin to version 1.4.3 to protect their sites.

Hackers have exploited --and are currently continuing to exploit-- a now-patched zero-day vulnerability in a popular WordPress plugin to install backdoors and take over sites. The vulnerability affects WP GDPR Compliance, a WordPress plugin that helps site owners become GDPR compliant. The plugin is one of the most popular GDPR-themed plugins on the WordPress Plugins directory, with over 100,000 active installs. Around three weeks ago, attackers seem to have discovered a vulnerability in this plugin and began using it to gain access to WordPress sites and install backdoor scripts.

Initial reports about hacked sites were made into another plugin's support forum, but that plugin turned out to have been installed as a second-stage payload on some of the hacked sites. After investigations led by the WordPress security team, the source of the hacks was eventually traced back to WP GDPR Compliance, which was the common plugin installed on all reported compromised sites.

Full story: Zero-day in popular WordPress plugin exploited in the wild to take over sites | ZDNet
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I see a lot of reports about WordPress sites being compromised, and even stealing credentials when you pay by credit card etc.
How can a user protect himself?
Some say to disable javascript by default when visiting websites, but IMHO this is not a solution, because it will usually kill the interactive content. So when you go to pay, you will always need to enable javascript, and you are once again vulnerable. So, what's a user to do?
 

509322

I see a lot of reports about WordPress sites being compromised, and even stealing credentials when you pay by credit card etc.
How can a user protect himself?
Some say to disable javascript by default when visiting websites, but IMHO this is not a solution, because it will usually kill the interactive content. So when you go to pay, you will always need to enable javascript, and you are once again vulnerable. So, what's a user to do?

Disabling javascript only prevents the user from exposing the transaction fields which in turn prevents them from entering the CC data.

In other words, WordPress is extensively compromised and continuing to perform transactions there is nothing short of stupidity. The hack might not even be of the webpage, but of the actual server databases themselves. Either way it doesn't matter. WordPress sites are smashed.

A user can only protect themselves by exercising common sense and not doing financial transactions on WordPress sites.

The expectation of security/protection without a user having to make compromises = users victimizing themselves.

The industry cannot protect users from themselves. The user is always the problem. PCs don't work by themselves. They need a person to operate it.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
Disabling javascript only prevents the user from exposing the transaction fields which in turn prevents them from entering the CC data.

In other words, WordPress is extensively compromised and continuing to perform transactions there is nothing short of stupidity. The hack might not even be of the webpage, but of the actual server databases themselves. Either way it doesn't matter. WordPress sites are smashed.

A user can only protect themselves by exercising common sense and not doing financial transactions on WordPress sites.

The expectation of security/protection without a user having to make compromises = users victimizing themselves.

The industry cannot protect users from themselves. The user is always the problem. PCs don't work by themselves. They need a person to operate it.
So this begs the noob question: how do I know if I am on a Wordpress site?
A charity org that I work for actually takes contributions on their Wordpress site, but I only know it is Wordpress because I sometimes edit the content.
 

Eddie Morra

So this begs the noob question: how do I know if I am on a Wordpress site?
Create and sign into a WordPress account and then the WordPress UI will show whilst navigating the website.

Alternatively, view the page-source and it will become fairly obvious, the same for other services like Weebly and Wix.
 
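The "view the page-source" check above, written out for a site you administer, as an added example that is not part of the original post. It looks for the usual WordPress markers, lists the plugin slugs referenced from /wp-content/plugins/, and flags the WP GDPR Compliance plugin when its asset version is below the 1.4.3 fix mentioned in the first post. The sample HTML is constructed, and the plugin slugs "wp-gdpr-compliance" and "wordpress-seo" are assumed.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed page source standing in for what view-source would show.
SAMPLE_HTML = """<html><head>
<meta name="generator" content="WordPress 4.9.8" />
<link rel="stylesheet" href="https://example.org/wp-content/plugins/wordpress-seo/css/main.css?ver=9.1" />
<script src="https://example.org/wp-content/plugins/wp-gdpr-compliance/assets/js/front.js?ver=1.4.2"></script>
<script src="https://example.org/wp-includes/js/jquery/jquery.js?ver=1.12.4"></script>
</head><body>...</body></html>"""

# Markers that a stock WordPress install leaves in every rendered page.
WP_MARKERS = ("/wp-content/", "/wp-includes/", 'name="generator" content="WordPress')

# Plugin slug -> first fixed version, per the news post; the slug itself is assumed.
PATCHED = {"wp-gdpr-compliance": (1, 4, 3)}


def is_wordpress(html):
    """True if any WordPress marker appears in the page source."""
    return any(marker in html for marker in WP_MARKERS)


def plugin_versions(html):
    """Map each plugin slug seen in an asset URL to its ?ver= value (or None).

    WordPress appends ?ver= to enqueued plugin assets, usually the plugin
    version, but it can be a cache-buster, so treat it as a hint only.
    """
    found = {}
    for url in re.findall(r'(?:src|href)="([^"]+)"', html):
        parts = urlparse(url)
        m = re.search(r"/wp-content/plugins/([^/]+)/", parts.path)
        if not m:
            continue
        ver = parse_qs(parts.query).get("ver", [None])[0]
        if found.get(m.group(1)) is None:  # keep the first version seen
            found[m.group(1)] = ver
    return found


def parse_version(text):
    """'1.4.2' -> (1, 4, 2) so versions compare numerically, not as strings."""
    return tuple(int(x) for x in re.findall(r"\d+", text))


def outdated_plugins(html):
    """List (slug, version) pairs that are older than the known fixed release."""
    return [(slug, ver) for slug, ver in plugin_versions(html).items()
            if slug in PATCHED and ver and parse_version(ver) < PATCHED[slug]]
```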

509322

So this begs the noob question: how do I know if I am on a Wordpress site?
A charity org that I work for actually takes contributions on their Wordpress site, but I only know it is Wordpress because I sometimes edit the content.

From a security perspective, it just isn't very smart to use Wordpress.

Wordpress has been hacked so many times and so many sites have been compromised. The last one I recall is a single hack that compromised 16000 sites.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
The page-source shows they are using the Yoast SEO plug-in. Is this a bad one?
Tell me what to look for, if there is an obvious security issue here, I know the IT guy, and I can tell him about it. But if I just go and tell them to get off Wordpress and start from scratch, you can guess what they will say.
 

Eddie Morra

It looks fine to my constricted eye but I have never specialised in digital forensics for web-content (e.g. websites) so I would get a second opinion. I did take a look at the actual website as well.

It's a WordPress website, the plug-in was an instant giveaway.

Note, if the website is compromised, it could be in literally any component of the website... e.g. configuration details, payment forms on other pages, resources on the back-end, etc.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
It looks fine to my constricted eye but I have never specialised in digital forensics for web-content (e.g. websites) so I would get a second opinion. I did take a look at the actual website as well.

It's a WordPress website, the plug-in was an instant giveaway.

Note, if the website is compromised, it could be in literally any component of the website... e.g. configuration details, payment forms on other pages, resources on the back-end, etc.
Thanks!!
 

Eddie Morra

Replied to PM with something for you to check.
 

Eddie Morra

I do want to stress a bit more though that my word is meaningless on the web-content analysis side... I really am not specialised in that area. This isn't one of those times where someone is in denial of what they can do, I really mean it when I say it.

Therefore... if you suspect the website might be compromised and it is related to you in one way or another, I do recommend reaching out to someone who will be experienced on web-content analysis so you can get a stronger second opinion.
 

shmu26

Level 85
Verified
Honorary Member
Top Poster
Content Creator
Well-known
Jul 3, 2015
8,153
I do want to stress a bit more though that my word is meaningless on the web-content analysis side... I really am not specialised in that area. This isn't one of those times where someone is in denial of what they can do, I really mean it when I say it.

Therefore... if you suspect the website might be compromised and it is related to you in one way or another, I do recommend reaching out to someone who will be experienced on web-content analysis so you can get a stronger second opinion.
Thanks Bro!
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
Here are a few pointers that might be interesting. Personally I would consider transferring the site to other software, or simply creating a subdomain for the payment option with a different and more secure option than WordPress. Normally the server supplier should be able to both advise and help with any technical questions.

How to Clean a Hacked WordPress Site - Sucuri Guide
 
