Attackers are exploiting vulnerable WP plugins to backdoor sites

A group of attackers that has been injecting WordPress-based sites with a script redirecting visitors to malicious and fraudulent pages has now also started backdooring the vulnerable installations, Wordfence’s Mikey Veenstra warns.

WP sites backdoored

The attacks

The attackers are exploiting vulnerabilities in a number of WordPress plugins, namely:

  • Bold Page Builder
  • Blog Designer
  • Live Chat with Facebook Messenger
  • Yuzo Related Posts
  • Visual CSS Style Editor
  • WP Live Chat Support
  • Form Lightbox
  • Hybrid Composer
  • All former NicDark plugins (nd-booking, nd-travel, nd-learning, etc.)

The list of targeted plugins have been growing, so it’s likely that this one is not definitive. “It’s reasonable to assume any unauthenticated XSS or options update vulnerabilities disclosed in the near future will be quickly targeted by this threat actor,” Veenstra noted.

Aside from the redirecting JavaScript, they are also injecting one that checks if a visitor can create new users (i.e., is a logged-in administrator). If they can, the script will create a rogue administrator account named wpservices with the password w0rdpr3ss and email wpservices@yandex.com.

WP sites backdoored

What to do if you’ve been hit?

Admins of WordPress-based websites that have been injected with these scripts should:

  • Update the vulnerable plugins to their latest version (or remove them if they are not needed)
  • Remove the rogue admin account (wpservices)
  • Clean the malicious scripts from their site (check all pages).

“As always, updating the plugins and themes on your WordPress site is an excellent layer of defense against campaigns like these. Check your site for needed updates frequently to ensure you’re receiving the latest patches as they’re released,” Veenstra advised.