WordPress sites are being targeted by a previously unknown strain of Linux malware that exploits flaws in over two dozen plugins and themes to compromise vulnerable systems.
The attacks involve weaponizing a list of known security vulnerabilities in 19 different plugins and themes that are likely installed on a WordPress site, using it to deploy an implant that can target a specific website to further expand the network.
Doctor Web said it identified a second version of the backdoor, which uses a new command-and-control (C2) domain as well as an updated list of flaws spanning 11 additional plugins, taking the total to 30.
The targeted plugins and themes and the affected versions are below -
- WP Live Chat Support
- Yuzo Related Posts (5.12.89)
- Yellow Pencil Visual CSS Style Editor (< 7.2.0)
- Easy WP SMTP (1.3.9)
- WP GDPR Compliance (1.4.2)
- Newspaper (CVE-2016-10972, 6.4 - 6.7.1)
- Thim Core
- Smart Google Code Inserter (discontinued as of January 28, 2022, < 3.5)
- Total Donations (<= 2.0.5)
- Post Custom Templates Lite (< 1.7)
- WP Quick Booking Manager
- Live Chat with Messenger Customer Chat by Zotabox (< 1.4.9)
- Blog Designer (< 1.8.12)
- WordPress Ultimate FAQ (CVE-2019-17232 and CVE-2019-17233, 1.24.2)
- WP-Matomo Integration (WP-Piwik)
- ND Shortcodes (<= 5.8)
- WP Live Chat (8.0.27)
- Coming Soon Page and Maintenance Mode (<= 5.1.0)
- FV Flowplayer Video Player
- Coming Soon Page & Maintenance Mode
- Simple Fields
- Delucks SEO
- Poll, Survey, Form & Quiz Maker by OpinionStage
- Social Metrics Tracker
- WPeMatico RSS Feed Fetcher, and
- Rich Reviews
Both variants are said to include an unimplemented method for brute-forcing WordPress administrator accounts, although it's not clear if it's a remnant from an earlier version or a functionality that's yet to see the light.
"If such an option is implemented in newer versions of the backdoor, cybercriminals will even be able to successfully attack some of those websites that use current plugin versions with patched vulnerabilities," the company said.
WordPress users are recommended to keep all the components of the platform up-to-date, including third-party add-ons and themes. It's also advised to use strong and unique logins and passwords to secure their accounts.
The disclosure comes weeks after Fortinet FortiGuard Labs detailed another botnet called GoTrim that's designed to brute-force self-hosted websites using the WordPress content management system (CMS) to seize control of targeted systems.
Two months ago, Sucuri noted that more than 15,000 WordPress sites had been breached as part of a malicious campaign to redirect visitors to bogus Q&A portals. The number of active infections currently stands at 9,314.
(The story has been updated with information shared by Doctor Web regarding the version numbers of the affected plugins and themes.)