Hackers Use Zero-Days Aggressively on Different WordPress Plugins


WordPress is the most commonly used website development technology on the internet. According to the latest statistics, more than 35 percent of all websites run on the WordPress CMS (content management system).

WordPress presents a large attack surface due to its vast number of active installations. Attempts to hack into WordPress sites are like a constant hum in the background of all internet traffic, occurring at any given time.

In the past few months, this hum of WordPress hacking was lower than what we saw last year.

2020 started calmly after a packed 2019. The cause could be the winter holidays, which often lead to a global slowdown in malware and hacking activity, as we have seen in previous years.

New Exploits by Hackers

We’ve seen an increase in attacks against WordPress sites over the last two weeks, signaling an end to the period of relative calm we saw in December and January.

Several WordPress-specific cybersecurity firms, such as Wordfence, WebARX, and NinTechNet, have documented an ever-increasing number of attacks on WordPress sites.

All the new attacks found last month concentrated on exploiting vulnerabilities in WordPress plugins rather than in WordPress itself.

Many of the attacks targeted recently fixed plugin bugs, with the hackers aiming to hijack sites before site administrators had an opportunity to apply security patches.

Some of the attacks were a bit more sophisticated, however. Several attackers have found and started to exploit zero-days, a term used to describe bugs that plugin authors don’t know about. Below is a list of the WordPress hacking campaigns that occurred in February and targeted new plugin vulnerabilities.

Website administrators are advised to update all of the WordPress plugins mentioned below, as these vulnerabilities are likely to be exploited throughout 2020 and probably beyond.


Duplicator

According to a Wordfence article, hackers have been exploiting a flaw in Duplicator, a plugin that enables site administrators to export the content of their sites, since around mid-February.

The flaw, patched in 1.3.28, enables attackers to export a snapshot of the site, from which they can steal passwords from the database and then hijack the WordPress site's actual MySQL server.

ThemeGrill Demo Importer

It is also suspected that both groups exploiting the above plugin are targeting a bug in ThemeGrill Demo Importer, a plugin that ships with the theme products sold by ThemeGrill, a WordPress business provider.

The plugin is installed on over 200,000 websites, and the vulnerability allows attackers to wipe sites running a vulnerable version and then take over the admin account if specific conditions are met.

Flexible Checkout Fields for WooCommerce

Attacks have targeted sites running the WooCommerce plugin Flexible Checkout Fields, which is installed on more than 20,000 WordPress-based e-commerce sites.

Hackers used a zero-day flaw (now patched) to upload XSS payloads, which can be triggered in the dashboard of a logged-in administrator. The XSS payloads allowed hackers to create admin accounts on compromised websites.

Attacks have been under way since 26th February.

The three zero-days were all XSS vulnerabilities like the one mentioned above. Updates were issued for all three, but attacks began before the patches were available, which indicates that some sites were most definitely hacked. Wordfence has more about that campaign.

Mark Funk
Mark Funk is an experienced information security specialist who works with enterprises to mature and improve their enterprise security programs. Previously, he worked as a security news reporter.