Year-old flaw in popular WordPress plugin still actively exploited

Sucuri Security researchers have discovered yet another malicious campaign redirecting users to sites hosting exploits. As per usual, the attackers are mostly leveraging vulnerabilities in WordPress plugins to compromise sites that will become the first link of the redirection chain.

The researchers didn’t mention what malware is delivered to users whose computers get compromised, but have pointed out one depressing fact that allows attackers to mount this kind of attack again and again: too many owners of WordPress sites are failing (or aren’t even trying) to regularly update WordPress or any of the plugins they use.

In this particular campaign, the attackers took advantage of the fact that the site admins still use an old version Slider Revolution (RevSlider) plugin, which contains a critical vulnerability that allows attackers to compromise websites via their database.

The vulnerability has since been (silently) closed by the plugin developers, but unfortunately, RevSlider is so popular that it’s regularly bundled in theme packages, and often times admins who use such packages are not aware they even have the plugin installed and that they should update it.

In this campaign, the compromised WP sites redirect users to a site that serves as a traffic directing system (TDS): it detects which visitors use Internet Explorer, and which don’t.

Those who belong to the first category are redirected to another site that checks whether the visitor uses Kaspersky and Trend Micro AV solutions or a virtual machine, and if they don’t, the site injects a Flash exploit from a third site. A similar fate awaits users of other Trident-based browsers, Presto-based browsers, and iPhone browsers.

Those users that don’t use any of these browsers are redirected to Bitcoin.org. The motive for this is unknown, but the good news is that particular site has not been compromised.

“Please don’t think that only the Slider Revolution plugin need to be updated,” the researchers entreated. “Keep all of your plugins and themes up-to-date. Any plugin can have critical vulnerabilities at any given time, known or unknown. Even the most popular plugins can have security issues.”

Share this