Linux Malware Targets 30+ WordPress Plugins

Summary Of The Attack

  • A Linux trojan application exploits outdated plugins and themes on WordPress sites for malicious purposes.
  • Two versions of the malicious application exist, the second being an improved version of the first.
  • Even after plugins are updated, the attackers may still be able to target administrator accounts on the WordPress sites.
  • It is important to keep all components of a WordPress site up to date.

What Happened?

A Linux backdoor malware has been discovered that can exploit around 30 WordPress plugins in order to inject malicious JavaScript code and redirect users to malicious and phishing sites created by the attackers.

What Was The Impact?

Such exploits are possible because vulnerable WordPress sites are running outdated versions of plugins and themes.

As a result, once a user lands on an infected WordPress site, they are immediately redirected to a malicious web page where they:

  • Fall victim to malvertising.
  • Are tricked into downloading malware on their computers.
  • Become a target of phishing attacks.

WordPress Exploit Version 1 & 2

Dr.Web, a security researcher, discovered the malware Linux.BackDoor.WordPressExploit.1.

This malware attempts to exploit websites through outdated and vulnerable plugins or themes.

Once it has confirmed that the website has a vulnerable plugin installed, it acts as a backdoor to insert malicious JavaScript, retrieved from a remote Command and Control server, into the vulnerable website.

From there, once one or several vulnerabilities are successfully exploited, the vulnerable page is injected with harmful JavaScript.

Whenever a user loads the page, the malicious JavaScript runs first and the user is redirected to a malicious site.

A second version of the trojan application, Linux.BackDoor.WordPressExploit, differs from the first in the Command and Control server address and the domain address from which the JavaScript used in the exploit is downloaded.

A total of 30 outdated themes and plugins have been identified and should be updated immediately:

  • WP Live Chat Support Plugin
  • Thim Core
  • Yellow Pencil Visual Theme Customizer Plugin
  • Easysmtp
  • WordPress – Yuzo Related Posts
  • WP GDPR Compliance Plugin
  • Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972)
  • WP Quick Booking Manager
  • Google Code Inserter
  • Post Custom Templates Lite
  • Total Donations Plugin
  • Facebook Live Chat by Zotabox
  • Blog Designer WordPress Plugin
  • WP Live Chat
  • WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233)
  • WordPress ND Shortcodes For Visual Composer
  • WP-Matomo Integration (WP-Piwik)
  • Hybrid
  • Coming Soon Page and Maintenance Mode

The Future Of The Attack

According to the initial research by Doctor Web, version 1 and version 2 of the trojan application contain unimplemented functionality which could allow them to conduct brute-force attacks on the administrator accounts of the affected websites using crafted username and password dictionaries.

This could allow the attackers to exploit these websites even after the plugin and theme versions are patched.

How Can This Attack Be Prevented?

The remediation and prevention of this type of attack generally consist of 2 steps:

  1. Updating the plugin and theme versions on your WordPress website.
  2. Creating strong passwords for your accounts.

To check whether a plugin is outdated, look it up in the WordPress Plugin Directory, where you can see the current version of the plugin, when it was last updated, and whether it is still maintained.
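The same three checks (current version, last update, still maintained) can be run across every installed plugin at once. The script below is an added example, not code from this article or from Doctor Web: it reads each plugin's header from the `plugins` folder and compares it with directory data. The slugs, versions, dates, the directory data layout and the two-year staleness threshold are all constructed assumptions.

```python
import re, tempfile
from datetime import date
from pathlib import Path

# WordPress plugin header lines such as " * Version: 1.2.3" in a plugin's main PHP file.
HEADER_RE = re.compile(r"^[ \t/*#@]*(Plugin Name|Version):[ \t]*(.+?)[ \t]*$", re.M | re.I)

def read_header(php_file):
    head = Path(php_file).read_text(errors="replace")[:8192]  # headers sit at the top of the file
    return {key.lower(): value for key, value in HEADER_RE.findall(head)}

def vkey(version):
    """'1.10.0' -> (1, 10), so that 1.9 < 1.10 and 2 == 2.0."""
    nums = [int(n) for n in re.findall(r"\d+", version)]
    while nums and nums[-1] == 0:
        nums.pop()
    return tuple(nums)

def audit(plugins_dir, directory, today, stale_days=730):  # threshold is an assumption
    results = []
    for folder in sorted(p for p in Path(plugins_dir).iterdir() if p.is_dir()):
        headers = map(read_header, sorted(folder.glob("*.php")))
        header = next((h for h in headers if "plugin name" in h), {})
        installed = header.get("version", "0")
        entry = directory.get(folder.name)
        if entry is None:
            status = "not-listed"      # cannot confirm it is still maintained
        elif vkey(installed) < vkey(entry["version"]):
            status = "outdated"
        elif (today - entry["last_updated"]).days > stale_days:
            status = "unmaintained"
        else:
            status = "ok"
        results.append((folder.name, installed, status))
    return results

def demo():
    root = Path(tempfile.mkdtemp())  # constructed sample install, hypothetical slugs
    for slug, ver in [("example-chat", "1.9"), ("example-faq", "2.0"), ("example-gone", "0.3"), ("example-seo", "4.1.2")]:
        (root / slug).mkdir()
        (root / slug / f"{slug}.php").write_text(f"<?php\n/*\n * Plugin Name: {slug}\n * Version: {ver}\n */\n")
    directory = {  # constructed directory data: latest version and last update per slug
        "example-chat": {"version": "1.10.2", "last_updated": date(2022, 12, 1)},
        "example-faq": {"version": "2", "last_updated": date(2019, 6, 1)},
        "example-seo": {"version": "4.1.2", "last_updated": date(2022, 11, 15)},
    }
    return audit(root, directory, today=date(2023, 1, 10))

if __name__ == "__main__":
    print(*("\t".join(r) for r in demo()), sep="\n")
```

Anything reported as `outdated`, `unmaintained` or `not-listed` is a candidate for updating, replacing or removing.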

Article by

Jason Firch, MBA
Jason is a proven marketing leader, veteran IT operations manager, and cybersecurity expert with over a decade of experience. He is the founder and CEO of PurpleSec.