WordPress Plugins Actively Exploited by Cybercriminals


Using a content management system (CMS) such as WordPress to create a website is both easy and inexpensive. It saves webmasters the hassle of writing complex code and masterminding custom web page components from scratch. It comes as no surprise that the above-mentioned free CMS is hugely popular. It currently dominates this niche, boasting a jaw-dropping 59% market share. It is amazingly flexible and supports a plethora of turnkey templates and plugins.

From a cybercriminal’s perspective, such popularity equals a boundless attack surface. This explains why malicious actors are so eager to find weak links in the WordPress architecture. It turns out that plugins are the most heavily exploited components in this framework. While enhancing web page functionality and improving the user experience, many of them are notoriously insecure.

The following incidents show how WP plugin flaws can become a launchpad for massive hacks and info-stealing campaigns.

A buggy plugin trio playing into crooks’ hands

WordPress fans may be familiar with the plugins called ThemeGrill Demo Importer, Profile Builder, and Duplicator. However, site owners who use these add-ons might be unaware of the critical security flaws they carry. The recently discovered bugs allow threat actors to bypass site authentication and gain administrator privileges. This access can be a source of numerous issues, from stealing credentials to wiping a site’s database.

Analysts at security firm Defiant found that these loopholes are currently being exploited by two attackers. One of them, codenamed “tonyredball,” piggybacks on an admin registration glitch in the ThemeGrill Demo Importer and Profile Builder plugins to compromise numerous sites running them.

The former sees the larger share of attacks because a single crafted request to enroll a new administrator account gives the criminal access broad enough to delete the target website’s entire database. In the case of Profile Builder, an unauthenticated adversary can pull a similar trick to obtain elevated permissions, but the impact is limited to executing malicious scripts.

One of the ways the malefactor monetizes his fraudulent access is by polluting the JavaScript components of a compromised website with dodgy code that redirects visitors to various dubious locations. In most cases, the landing page displays a fake human verification dialog instructing users to click the Allow button. The purpose of this trick is to dupe victims into agreeing to receive notifications from that resource, which then arrive in the form of spammy ads and redirects.

According to the researchers, the number of WordPress installations susceptible to the Profile Builder plugin glitch is about 37,000, whereas roughly 40,000 websites can be impacted via the bug in ThemeGrill Demo Importer.

One more perpetrator dubbed “solarsalvador1234” takes it up a notch by additionally mishandling vulnerable versions of the Duplicator plugin. With over 1 million active installations, it is one of the most popular WordPress components enabling webmasters to migrate or clone WP sites and maintain backups of their content.

Duplicator version 1.3.26 and earlier builds are affected by a flaw allowing an attacker to download arbitrary files from a site, including wp-config.php, which contains, among other things, the credentials for accessing the site’s database. The above-mentioned malefactor harnesses this weakness to maintain backdoor access to sites running older Duplicator iterations.

By the way, hundreds of thousands of WordPress installations continue to be exposed to this flaw at the time of writing. Site owners are strongly recommended to apply the latest plugin update addressing this vulnerability.

Database Reset plugin flaws

Site owners who want to reset their WordPress database back to its default state can do it in a few clicks using the WP Database Reset plugin by WebFactory Ltd. One of the main benefits of leveraging this tool is that it allows admins to choose between resetting all database tables or only specific ones. There are currently more than 80,000 active installations of this plugin.

In January 2020, security experts found two vulnerabilities in this plugin. One of them, cataloged as CVE-2020-7047 (High severity), allows an unauthenticated adversary to execute a privilege escalation attack. This way, the malefactor can get his role raised to admin permissions by removing all the other users from the table. All it takes is submitting a single request.

By exploiting another bug called CVE-2020-7048 (Critical severity), the attacker may be able to circumvent authentication and reset the WordPress site’s database to its initial condition. Ultimately, both of these imperfections can be a source of website takeover. The most effective technique to avoid such a predicament is to update to WP Database Reset version 3.15.

InfiniteWP Client bug allowing password-less login

The most prominent feature of the plugin in question is managing any number of WordPress websites from a central server – no wonder it has over 300,000 active installations. Researchers discovered that InfiniteWP Client versions prior to 1.9.4.5 contain logic errors that make them susceptible to a critical authentication bypass flaw.

The problem is that two faulty functions in this plugin, “readd_site” and “add_site,” have no authorization checks in place. To exploit this, an attacker needs to send a Base64 encoded malicious payload to a vulnerable site via a regular POST request.

If the payload’s “iwp_action” parameter is set to “readd_site” or “add_site,” the hacker only needs to know the site admin’s username to log in without any further authentication. Although the plugin author released a security patch on January 8, 2020 (the day after this vulnerability was reported), WordPress sites using earlier versions of InfiniteWP Client continue to be at risk.
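A request-log triage check for the InfiniteWP Client bypass described above, added here as an example (it is not code from the article, the plugin, or its vendor). It Base64-decodes POST bodies and flags those whose “iwp_action” is one of the two unauthenticated actions; treating the decoded bytes as a JSON object is an assumption of this example, as the page only states that the payload is Base64 encoded, and the sample bodies are constructed, not captured traffic. A legitimate InfiniteWP admin panel also issues these actions when a site is enrolled, so a hit is a review item and the real fix remains updating to 1.9.4.5.

```python
import base64
import json
from typing import List, Optional, Tuple

# Actions the page identifies as lacking authorization checks in
# InfiniteWP Client versions before 1.9.4.5.
UNAUTHENTICATED_ACTIONS = {"readd_site", "add_site"}


def decode_iwp_payload(body: str) -> Optional[dict]:
    """Base64-decode a POST body and parse it as a JSON object.

    The JSON wrapping is an assumption made for this example; anything that
    is not valid Base64 or not a JSON object yields None."""
    try:
        obj = json.loads(base64.b64decode(body, validate=True))
    except ValueError:  # binascii.Error and JSONDecodeError both subclass ValueError
        return None
    return obj if isinstance(obj, dict) else None


def classify_request(body: str) -> str:
    """'alert' for an unauthenticated action, 'iwp' for any other decodable
    InfiniteWP payload, 'other' for everything else (forms, comments, ...)."""
    payload = decode_iwp_payload(body)
    if payload is None or "iwp_action" not in payload:
        return "other"
    return "alert" if payload["iwp_action"] in UNAUTHENTICATED_ACTIONS else "iwp"


def scan_requests(requests: List[Tuple[str, str]]) -> List[str]:
    """Scan (source_ip, body) pairs and return the source IPs worth reviewing."""
    return [src for src, body in requests if classify_request(body) == "alert"]


def sample_body(obj: dict) -> str:
    """Helper used only to build the constructed samples below."""
    return base64.b64encode(json.dumps(obj).encode()).decode()


# Constructed sample requests: a plain form post, an ordinary (hypothetical)
# InfiniteWP action, and one hitting an unauthenticated action.
SAMPLE_REQUESTS = [
    ("203.0.113.7", "comment=hello"),
    ("198.51.100.2", sample_body({"iwp_action": "example_action"})),
    ("192.0.2.9", sample_body({"iwp_action": "readd_site"})),
]

if __name__ == "__main__":
    print(scan_requests(SAMPLE_REQUESTS))  # ['192.0.2.9']
```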

Gaping loophole in ThemeREX Addons plugin

Cybercriminals may be able to spawn user accounts with administrator privileges by taking advantage of a zero-day vulnerability in a popular WP plugin called ThemeREX Addons. According to rough estimates, this tool is being used on at least 44,000 websites.

The imperfection was discovered on February 18, 2020. Affecting plugin versions 1.6.50 and later, it is categorized as a remote code execution bug. One of the adverse exploitation vectors is that a criminal can run a malicious command that creates fraudulent administrative user accounts. This can pave the attacker’s way toward site takeover.

The vendor provided a fix on March 9. To address the issue, webmasters are instructed to completely delete the “~/plugin.rest-api.php” file from ThemeREX Addons. This file is the weak link enabling the attack. It is no longer required for normal operation of the plugin because the corresponding functionality is now fully supported by WordPress core.

Two-pronged vulnerability in GDPR Cookie Consent plugin

With over 700,000 active installations, GDPR Cookie Consent by WebToffee is one of the top 100 plugins in the WordPress ecosystem. It helps admins make their websites GDPR compliant via customizable banners about cookie policy acceptance. In late January 2020, analysts unearthed a critical flaw affecting version 1.8.2 and earlier releases of this plugin.

The glitch is a potential source of privilege escalation and cross-site scripting (XSS) attacks. For instance, any authenticated user can knock the whole WordPress website or specific pages offline by modifying their status to “draft.” To add insult to injury, the vulnerability also allows an attacker to alter, add, or delete arbitrary content. Furthermore, the XSS-related incursion vector can result in malicious JavaScript code injection.

The worst part is that even a subscriber, not necessarily the administrator, can set both of these scenarios in motion. The bug was patched in GDPR Cookie Consent v1.8.3 available since February 10, 2020.

Popup Builder plugin bugs unveiled

In early March 2020, security researchers discovered several imperfections in Popup Builder, a popular plugin used on more than 100,000 websites. It is an extensively customizable site component making it easy for webmasters to create and manage popups that display a variety of promo materials and subscription requests.

One vulnerability, documented as CVE-2020-10196, can fuel a disruptive form of exploitation where an adversary embeds dubious JavaScript code into any popup shown on an affected WordPress site. As a result, visitors who click on such booby-trapped items may be redirected to malicious landing pages or unknowingly trigger drive-by malware downloads.

The other flaw, CVE-2020-10195, allows any authenticated user to steal different types of data associated with this plugin, including the full list of newsletter subscribers and system configuration details. It’s noteworthy that even minimal permissions suffice to engage in this foul play, so the malicious actor doesn’t necessarily need admin privileges.

In response to the vulnerability discovery report, the plugin author (Sygnoos software company) released a patched version, Popup Builder 3.64.1, on March 11.

Summary

WP plugins are juicy targets for cybercrooks. The primary reason is that a single buggy plugin may become a springboard for affecting hundreds of thousands of sites in one hit. This makes the attack highly impactful and easy to orchestrate at the same time.

As this exploitation vector is quickly gaining traction among threat actors, every website owner should keep tabs on plugin update prompts in their WordPress dashboard. Once a new version is available, it should be installed without a second thought. Another useful tip is to stay tuned for vulnerability reports published by reputable security services such as Wordfence.
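A plugin-inventory check of the kind the summary recommends, added here as an example that is not code from the article or from any of the plugin vendors. It reads the JSON that WP-CLI prints for `wp plugin list --format=json` (real `name` and `version` fields) and reports installs that fall inside the affected ranges this page gives; the wordpress.org slugs are assumed, since the article names plugins only by display name, and the sample inventory is constructed. ThemeREX Addons is omitted because its fix is a file removal rather than a version bump.

```python
import json
from typing import Dict, List, Tuple

# Affected ranges as stated on this page, keyed by assumed wordpress.org slug.
# ("<=", v) means v itself is still affected; ("<", v) means v is the fix.
ADVISORIES: Dict[str, Tuple[str, str]] = {
    "duplicator": ("<=", "1.3.26"),             # arbitrary file download
    "wordpress-database-reset": ("<", "3.15"),  # CVE-2020-7047 / CVE-2020-7048
    "iwp-client": ("<", "1.9.4.5"),             # authentication bypass
    "cookie-law-info": ("<=", "1.8.2"),         # GDPR Cookie Consent by WebToffee
    "popup-builder": ("<", "3.64.1"),           # CVE-2020-10195 / CVE-2020-10196
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.9.4.5' into (1, 9, 4, 5); a non-numeric component counts as 0.
    Tuple comparison then orders (1, 9, 4) below (1, 9, 4, 5), as intended."""
    parts = []
    for piece in version.strip().split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(slug: str, version: str) -> bool:
    """True when the installed version lies inside the advisory's range."""
    if slug not in ADVISORIES:
        return False
    op, boundary = ADVISORIES[slug]
    installed, limit = parse_version(version), parse_version(boundary)
    return installed <= limit if op == "<=" else installed < limit


def audit(plugin_list_json: str) -> List[Tuple[str, str]]:
    """Return (slug, version) for every affected plugin in WP-CLI's JSON output."""
    plugins = json.loads(plugin_list_json)
    return [(p["name"], p["version"]) for p in plugins
            if is_vulnerable(p["name"], p["version"])]


# Constructed sample of `wp plugin list --format=json` output.
SAMPLE_INVENTORY = json.dumps([
    {"name": "duplicator", "status": "active", "update": "available", "version": "1.3.26"},
    {"name": "iwp-client", "status": "active", "update": "none", "version": "1.9.4.5"},
    {"name": "popup-builder", "status": "inactive", "update": "available", "version": "3.63"},
    {"name": "akismet", "status": "active", "update": "none", "version": "4.1.3"},
])

if __name__ == "__main__":
    for slug, version in audit(SAMPLE_INVENTORY):
        print(f"{slug} {version}: affected, update it")
```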

All in all, proper update hygiene combined with security awareness will minimize the risk of falling victim to attacks with WP plugin flaws at their core.

David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs the Privacy-PC.com project which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy, and white hat hacking.