Hackers are reportedly exploiting vulnerabilities in more than ten WordPress plugins to backdoor sites with rogue admin accounts.
This is an escalation of a campaign reported back in July, in which attackers hijacked sites to serve ads, scams, and malicious app downloads.
Now the same group is taking complete control of vulnerable sites using similar tactics. ZDNet reports that, as of August 20, the group had modified the malicious code planted on hacked sites.
The modified code detects when the site owner logs into their own site. Once the owner is logged in, the code uses the owner's admin privileges to create a new administrator account named "wpservices", which is linked to the email address firstname.lastname@example.org.
With a rogue admin account in place, the group can do anything it wants with the site, and it keeps that access even after the plugin vulnerability that let it in is patched.
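Because the backdoor is an ordinary administrator account, the practical check is to audit the admin list against the accounts you actually created. The following is an added example (not code from the article, from WordPress or from WP-CLI): it reads CSV in the shape that `wp user list --role=administrator --format=csv` produces, flags any administrator not on your allowlist, and separately flags the "wpservices" login named in the report. The sample CSV is constructed; the allowlist names and emails are placeholders.

```shell
#!/bin/sh
# Added example, not from the article or from WordPress/WP-CLI itself.
# Audits the administrator list of a WordPress site.
#
# Input on stdin: CSV in the shape produced by
#   wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv
# First argument: comma-separated allowlist of administrator logins you created yourself.
#
# Prints one tab-separated line per suspicious administrator:
#   login, email, registration time, reason
# "known-indicator" marks the "wpservices" login from the August 2019 campaign,
# "unexpected" marks any other administrator missing from the allowlist.

KNOWN_BAD_LOGINS=",wpservices,"   # indicator from the report; extend as new ones appear

audit_admins() {
    allow=",$1,"
    # skip the CSV header, then check every administrator row
    tail -n +2 | while IFS=, read -r _id login email registered; do
        reason=""
        case "$KNOWN_BAD_LOGINS" in
            *",$login,"*) reason="known-indicator" ;;
        esac
        if [ -z "$reason" ]; then
            case "$allow" in
                *",$login,"*) continue ;;        # account you created: fine
                *) reason="unexpected" ;;
            esac
        fi
        printf '%s\t%s\t%s\t%s\n' "$login" "$email" "$registered" "$reason"
    done
}

# Constructed sample (not real data) standing in for the wp-cli output above.
# The real email tied to "wpservices" is not reproduced here; the one below is a placeholder.
SAMPLE_ADMINS='ID,user_login,user_email,user_registered
1,alice,alice@example.com,2018-03-02 10:11:12
7,bob,bob@example.com,2019-01-15 08:00:00
42,wpservices,unknown@example.invalid,2019-08-21 03:14:07
43,support2,support2@example.invalid,2019-08-22 11:45:00'

# On a live site:  wp user list --role=administrator --fields=ID,user_login,user_email,user_registered --format=csv | audit_admins "alice,bob"
printf '%s\n' "$SAMPLE_ADMINS" | audit_admins "alice,bob"
```

Run against the sample, the script reports `wpservices` as a known indicator and `support2` as an unexpected administrator; anything it prints should be investigated and removed along with the injected code, since deleting the plugin alone leaves the account in place.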
Vulnerable plugins include:
- Coming Soon Page & Maintenance Mode
- Yellow Pencil Visual CSS Style Editor
- Blog Designer
- Bold Page Builder
- Live Chat with Facebook Messenger
- Yuzo Related Posts
- WP Live Chat Support
- Form Lightbox
- Hybrid Composer
- All former NicDark plugins
The group is targeting older, already-patched vulnerabilities, so sites that keep their plugins up to date are far less likely to fall victim to these attacks.
As cleaning up infected WordPress sites can be a challenging task, ZDNet advises non-technical users to seek the help of an experienced professional.
WordPress site owners can prevent attacks like this one by keeping their software updated, and should also review the site's administrator accounts for any user they did not create themselves.