Hackers are attempting to take over tens of thousands of WordPress sites by exploiting critical vulnerabilities, including a zero-day, in multiple plugins; the flaws allow them to create rogue administrator accounts and to plant backdoors.
The attacks on WordPress sites started yesterday, targeting a zero-day unauthenticated stored XSS bug in the Flexible Checkout Fields for WooCommerce plugin (20,000 active installations) that was discovered by researchers at NinTechNet.
While the plugin’s development team, WP Desk, pushed out version 2.3.2 to fix the actively targeted security flaw within an hour of receiving the disclosure report from NinTechNet, some users were hacked before the update was available and ready to install.
Three critical bugs have been found
- an unauthenticated stored XSS in 10Web Map Builder for Google Maps (20,000+ installs), exploitable without an account
- multiple subscriber+ stored XSS bugs in Modern Events Calendar Lite (40,000+ installs), exploitable by any logged-in user with subscriber privileges or higher
Indicators of compromise
- new administrator accounts that you did not create
- new plugins in the plugins list that you did not install
- suspicious files, especially ones with .php or .zip extensions (e.g. Woo-Add-To-Carts.zip), placed in the /wp-content/uploads/ directory
- rearranged checkout fields, checkout fields that behave unusually or incorrectly, or new fields that you never added
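The indicators above can be checked mechanically. The script below is an added example written for this article; it is not code from the article, from NinTechNet or from WP Desk. It assumes a baseline (a saved list of administrator logins and installed plugin names taken when the site was known to be clean), a WordPress uploads directory to scan, and, for the live commands in run_live_checks, a working WP-CLI (`wp`) installation; the plugin slug flexible-checkout-fields used there is an assumption, not something the article states.

```shell
#!/bin/sh
# Added example (not from the article): checks for the indicators of compromise listed above.
# Assumptions: a baseline file of known-good admin logins / plugin names exists, and WP-CLI
# ("wp") is available for the live checks in run_live_checks.

# Print every regular file under the uploads directory whose name ends in .php or .zip.
# Uploads should contain media only; the article names Woo-Add-To-Carts.zip as one planted file.
find_suspicious_uploads() {
  uploads_dir="$1"
  find "$uploads_dir" -type f \( -name '*.php' -o -name '*.zip' \) | sort
}

# Print lines present in the current list ($2) that are absent from the baseline ($1).
# Used for both "new admin accounts" and "new plugins": one name per line in each file.
# grep exits 1 when nothing is new, so the status is neutralised with "|| true".
new_entries() {
  baseline_file="$1"
  current_file="$2"
  grep -vxF -f "$baseline_file" "$current_file" || true
}

# Return 0 (true) when dotted version $1 is lower than $2, e.g. 2.3.1 < 2.3.2.
# Components are compared numerically, so 2.3.10 is correctly treated as newer than 2.3.2.
version_below() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".");
    k = (n > m) ? n : m;
    for (i = 1; i <= k; i++) {
      p = (i in x) ? x[i] + 0 : 0;
      q = (i in y) ? y[i] + 0 : 0;
      if (p < q) exit 0;
      if (p > q) exit 1;
    }
    exit 1
  }'
}

# Live wrapper: snapshot the running site with WP-CLI and compare it against the baselines.
# Arguments: <wordpress root> <baseline admins file> <baseline plugins file>
# Not executed automatically; invoke it explicitly on the server.
run_live_checks() {
  wp_root="$1"; admin_baseline="$2"; plugin_baseline="$3"
  tmp_admins=$(mktemp); tmp_plugins=$(mktemp)

  wp --path="$wp_root" user list --role=administrator --field=user_login > "$tmp_admins"
  wp --path="$wp_root" plugin list --field=name > "$tmp_plugins"

  echo "== administrator accounts not in baseline =="
  new_entries "$admin_baseline" "$tmp_admins"
  echo "== plugins not in baseline =="
  new_entries "$plugin_baseline" "$tmp_plugins"
  echo "== .php/.zip files in uploads =="
  find_suspicious_uploads "$wp_root/wp-content/uploads"

  # Plugin slug is an assumption; the fixed version 2.3.2 is the one named in the article.
  installed=$(wp --path="$wp_root" plugin get flexible-checkout-fields --field=version 2>/dev/null || echo "0")
  if version_below "$installed" "2.3.2"; then
    echo "== Flexible Checkout Fields $installed is below the patched 2.3.2 =="
  fi

  rm -f "$tmp_admins" "$tmp_plugins"
}
```

Capture the baselines (`wp user list --role=administrator --field=user_login` and `wp plugin list --field=name`) from a known-clean state, then run `run_live_checks /var/www/html admins.txt plugins.txt` on a schedule; any output under the three headers, or the version warning, is worth a manual look. Matching on the rogue account and file names seen in one campaign is deliberately avoided: attackers change those, whereas a diff against your own baseline catches any addition.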