Bugs in WordPress possibly allowed hackers to gain admin rights and clean off data from vulnerable websites
New accounts with administrative rights can be created and used for complete website takeover. Hackers actively exploited critical bugs in WordPress plugins that allowed them to control the content of websites completely and even clear them off. A zero-day vulnerability was discovered in the ThemeREX Addons WordPress plugin. The flaw, when exploited, allows attackers to create accounts with administrative privileges, so websites can be taken over.
The particular plugin is installed on at least 44,000 websites, according to the Wordfence security firm, so those sites are all vulnerable. The plugin provides 466 commercial WordPress themes and templates for sale, so customers can configure and manage themes easier.
The plugin works by setting up a WordPress REST-API endpoint, but without checking if commands sent to this REST API are coming from the site owner or an authorized user or not. This is how remote code can get executed by any unauthenticated visitor.
Another bug involving the WordPress themes was found in plugins by ThemeGrill that sells website themes to more than 200,000 sites. The flaw allowed attackers to send the particular payload to those vulnerable sites and trigger wanted functions after gaining admin rights.
The scheme of trojanized WordPress themes that led to compromised servers
According to analysis, such flaws allowed compromising at least 20,000 web servers all over the globe. It possibly has led to malware installations, malicious ad exposure. More than one-fifth of these servers belong to medium-sized businesses that have less funding to make more custom websites, unlike bigger firms, so such security incidents are also more significant in damage.
Taking advantage of such widely used CMS may have started back in 2017. Hackers can achieve their goals and unknowingly compromise various websites due to victims' lack of security awareness. In addition to the mentioned vulnerable plugins and other flaws, 30 websites that offer WordPress themes and plugins got discovered.
Trojanized packages got installed, and users spread malicious files without even knowing that such behavior allows attackers to gain full control over the webserver. From there, adding admin accounts, recovering web servers, and even gaining access to corporate resources is easy.
Additionally, malware included in such attacks can:
- communicate with hacker-owned C&C servers;
- download files from the server;
- add cookies to collect various visitor data;
- collect information about the affected machine.
Also, criminals involved in such schemes can use keywords, malicious advertising, and other techniques:
In numerous cases, the advertisements were completely benign and would direct the end user to a legitimate service or website. In other cases however, we observed pop-up ads prompting the user to download potentially unwanted programs.
WordPress is the most popular CMS of the world
The recent reports show that using a CMS is no longer optional and on the rise. Especially for enterprise companies and headless applications that control content separated from the initial display layer or the front-end user experience. The research shows that when compared to other content management systems, the usage of WordPress has increased.
Also, enterprises clearly benefit from using more than one CMS at once, so this practice becomes more and more popular. That is exceptionally handy when it comes to such issues with vulnerabilities and bugs or different issues regarding the services, the privacy, and security of your website and sensitive data.
Researchers advise organizations and admins to:
- avoid using pirated software;
- enable and update Windows Defender or different AV solutions;
- stay away from reusing passwords across accounts;
- update OS regularly
- rely on patches that are available for some of those vulnerabilities and updates for particular plugins.
- ^ Chloe Chamberland. Zero-Day Vulnerability in ThemeREX Addons Plugin Exploited in the Wild. Wordfence. WordPress security.
- ^ Lindsey O'Donnell. Critical WordPress Plugin Bug Afflicts 700K Sites. Threatpost. Technology and privacy experts.
- ^ Dan Goodin. Hackers exploit critical vulnerability found in ~100,000 WordPress sites. Arstechnica. Cyber threats.
- ^ Catalin Cimpanu. Bug in WordPress plugin can let hackers wipe up to 200,000 sites. ZDNet. Cybersecurity news.
- ^ Danny Adamitis, Matt Thompson. PHP’s Labyrinth - Weaponized WordPress Themes & Plugins. Prevailion. Security researchers' blog.
- ^ Multi-CMS rises in the enterprise. WPengine. Digital experience platform.