21,000 Websites Affected after Exploiting of Three WordPress Plugins Zero-day – Solution: Update Those Plugins ASAP.
Zero-day vulnerabilities are blessing for cybercriminals the most and this time around hackers have managed to exploit not one or two but three of them. Security firm Wordfence reported that the three exploited vulnerabilities have affected WordPress plugins but the attack vector has been fixed now and updates have been released by the authors of these plugins.
It must be noted that the attack vector was a PHP object injection vulnerability, which similarly affected the three WordPress plugins. Wordfence identified zero-days during its regular “site cleaning service” when a series of hacked websites and hints of exploitation were discovered. When the hacked sites were inspected, it an that the exploit also generated a malicious file on victim websites while the logs only showed POST request to /wp-admin/admin-ajax.php.
The company captured the attacks in its threat data. Matt Barry, Wordfence’s lead developer, managed to reconstruct the exploits and immediately pushed new WAF rules to block the exploits. New rules were sent to premium customers so that their protection from the exploits could be ensured and the plugin authors were also informed so that quick fixes could be published.
Affected plugins, which have now been fixed include:
1. WPMU Dev’s Appointments (which was fixed in v. 2.2.2)
2. Dan Coulter’s Flickr Gallery (which was fixed in v. 1.5.3) and
3. CMSHelpLive’s RegistrationMagic-Custom Registration Forms (which was fixed in v. 22.214.171.124)
In its advisory, Wordfence explained that the vulnerabilities were exploited to install backdoors on WordPress websites and warned the users about the plugins since about 21,000 websites until these are updated with the newly released plugins versions. Though the number of websites is surprisingly low, that’s because these three plugins are not that popular as others nevertheless, Wordfence has advised users to exercise caution. On the CVSSv3 severity scale, this zero-day vulnerability has a score of 9.8 out of 10, which is of course very high and this means it is of Critical nature.
Wordfence researcher Brad Haas states that through this vulnerability hackers were able to force a website to “fetch a remote file” which was a PHP backdoor. The attackers would then store the file at the desired location. However, Haas explains that the vulnerability is very easily exploited as it just needs a hacker to package the exploit code within an HTTP POST request that is sent to the targeted website and there isn’t any need to undergo any authentication process on the site for triggering the exploit. Whats even more disturbing is the fact that other hackers can also perform reverse engineering in the plugins’ changelogs to ‘deduce’ the exploit code.
The exploits were elusive: a malicious file seemed to appear out of nowhere, and even sites with access logs only showed a POST request to /wp-admin/admin-ajax.php at the time the file was created. But we captured the attacks in our threat data, and our lead developer Matt Barry was able to reconstruct the exploits. We quickly pushed new WAF rules to block these exploits. Premium customers received the new rules and were protected immediately. We also notified the plugin authors; all three have published updates to fix the vulnerabilities.
Sites that run on Flickr Gallery plugin can be exploited by targeting their root URL while the other two require the attacker to aim at the POST request at the admin-ajax.php file. When the hacker successfully tricks the targeted websites into downloading backdoor it is possible to hijack the site within mere minutes.