Researchers at Wordfence have uncovered a malicious hacking campaign that exploits security vulnerabilities in some WordPress plugins.

The campaign specifically targets flaws in WordPress plugins created by the developer NicDark, such as a plugin called Simple 301 Redirects – Addon – Bulk Uploader. All the WordPress plugins targeted in this campaign have updates available that address the vulnerabilities.

“The vulnerabilities recently patched in plugins developed by NicDark are all exploited by very similar AJAX requests,” reads the post published by Wordfence. “In each case the plugin registers a nopriv_ AJAX action, which is accessible even by unauthenticated visitors, responsible for importing various WordPress settings. In these requests, key->value pairs of WordPress options and values are parsed out and applied directly to the affected site’s database.”

Attackers could exploit the flaws to modify arbitrary WordPress options, such as enabling registration as an Administrator user. The attackers behind this campaign used them to modify the ‘siteurl’ and ‘home’ settings of the targeted website and redirect visitors to websites under their control.
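A rough audit for the pattern described above, added here as an example (it is not code from Wordfence or from the affected plugins): it scans plugin PHP source for nopriv_ AJAX actions whose handler writes WordPress options without a capability check. The sample plugin source and its demo_* names are constructed, and the brace matching is a heuristic that ignores braces inside strings and comments.

```python
import re

# add_action('wp_ajax_nopriv_<action>', '<callback>'): reachable without login.
NOPRIV_RE = re.compile(
    r"""add_action\(\s*['"]wp_ajax_nopriv_(\w+)['"]\s*,\s*['"](\w+)['"]""")
WRITE_RE = re.compile(r"\b(?:update_option|add_option)\s*\(")  # option writes
GUARD_RE = re.compile(r"\bcurrent_user_can\s*\(")              # capability check

def function_body(php, name):
    """Return the brace-balanced body of `function name(...)`, '' if absent."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", php)
    if not m:
        return ""
    depth, i = 1, m.end()
    while i < len(php) and depth:
        depth += {"{": 1, "}": -1}.get(php[i], 0)
        i += 1
    return php[m.end():i - 1]

def audit(php):
    """Return (action, callback) for nopriv handlers that write options unguarded."""
    findings = []
    for action, callback in NOPRIV_RE.findall(php):
        body = function_body(php, callback)
        if WRITE_RE.search(body) and not GUARD_RE.search(body):
            findings.append((action, callback))
    return findings

# Constructed plugin source; the demo_* names are hypothetical.
SAMPLE = r"""
add_action('wp_ajax_nopriv_demo_import', 'demo_import_settings');
function demo_import_settings() {
    foreach ($_POST['options'] as $key => $value) {
        update_option($key, $value);   // any option, any visitor
    }
    wp_die();
}
add_action('wp_ajax_nopriv_demo_ping', 'demo_ping');
function demo_ping() { wp_send_json_success('pong'); }
add_action('wp_ajax_nopriv_demo_save', 'demo_save');
function demo_save() {
    if (!current_user_can('manage_options')) { wp_die(); }
    update_option('demo_color', sanitize_text_field($_POST['color']));
}
"""

if __name__ == "__main__":
    for action, callback in audit(SAMPLE):
        print(f"wp_ajax_nopriv_{action} -> {callback}(): unguarded option write")
```

A finding is a prompt for manual review, not proof of a vulnerability: a handler may delegate its checks to a helper the heuristic does not follow.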

NicDark recently addressed a vulnerability in the Simple 301 Redirects – Addon – Bulk Uploader plugin that lets unauthenticated attackers inject their own 301 redirect rules into a victim’s site.

Experts explained that vulnerable versions of the plugin constantly listen for the presence of the POST body parameter ‘submit_bulk_301’. When the parameter is present, an uploaded CSV file is processed and used to import a bulk set of site paths and their redirect destinations. The campaign started on July 31.

Attackers used numerous domains to carry out these script injections and redirects; the domains rotate with some regularity, and new ones were added every few days. The WordPress plugin repository team quickly removed the other WordPress plugins developed by NicDark from the repository. Threat actors noticed that all of these plugins suffered from similar flaws and began to target them.

“An active campaign is targeting a number of vulnerabilities in attempts to redirect victim sites’ visitors to potentially harmful destinations. The vulnerabilities in question have all been patched by their developers, so ensure all of your WordPress plugins are up to date,” concludes Wordfence.
