According to reports, 35% of the websites in the world run on the WordPress CMS. Because of that popularity, it is also a frequent target of attacks. A new report notes a growing number of attacks on WordPress sites, all of which take advantage of security flaws in popular plugins.
Many of these attacks involve hackers trying to hijack websites by targeting recently patched plugins, counting on site owners who have not yet applied the update.
In other instances, attackers have uncovered zero-day exploits in various plugins. These are bugs unknown to the plugin's developer, so no patch may be available at the time of the attack.
Below is a list of plugins identified as being part of this recent string of attacks.
If you are using any of these plugins on your WordPress website, it is recommended that you update them immediately and keep them updated year-round.
Duplicator (1 million+ installs)
Duplicator is a plugin that lets site owners export the content of their sites. A bug was patched in version 1.3.28 that allowed attackers to export site contents, including database credentials.
ThemeGrill Demo Importer (200,000 installs)
A bug in this plugin, which comes with themes sold by ThemeGrill, allowed attackers to wipe sites and take over the admin account. This bug was patched in version 1.6.3.
Profile Builder Plugin (65,000 installs)
A bug in the free and paid versions of this plugin allowed hackers to register unauthorized admin accounts. This bug was patched on February 10th.
Flexible Checkout Fields for WooCommerce (20,000 installs)
A zero-day exploit in this plugin allowed attackers to inject XSS payloads, which could then be triggered in the dashboard of a logged-in administrator. Attackers used the XSS payloads to create rogue admin accounts.
Attacks began on February 26. A patch has since been issued.
ThemeREX Addons
A zero-day exploit in this plugin, which ships with all ThemeREX commercial themes, allowed attackers to create rogue admin accounts.
Attacks began on February 18. No patch has been issued for this bug, so site owners are advised to remove the plugin as soon as possible.
Async JavaScript (100,000 installs)
10Web Map Builder for Google Maps (20,000 installs)
Modern Events Calendar Lite (40,000 installs)
Three similar zero-day exploits were discovered in these plugins. Patches are available for each of them.
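A small audit script, added here as an example and not taken from the article or from any plugin vendor, that checks a site's plugin inventory against the fixes the article names: it flags Duplicator and ThemeGrill Demo Importer installs older than the stated patched versions and flags ThemeREX Addons for removal, since no patch is available. The input mimics `wp plugin list --format=json --fields=name,version,status`; the plugin slugs (`duplicator`, `themegrill-demo-importer`, `trx_addons`) are assumptions, and the sample inventory is constructed.

```python
"""Audit a WordPress plugin inventory against the fixes named in the article.

Added example, not from the article or any plugin vendor. The input mimics
`wp plugin list --format=json --fields=name,version,status`. Plugin slugs are
assumptions; the patched versions are the ones the text states.
"""
import json
import re

# Plugins with a patched version stated in the article (slugs assumed).
PATCHED_IN = {
    "duplicator": "1.3.28",               # export bug leaking DB credentials
    "themegrill-demo-importer": "1.6.3",  # site-wipe / admin-takeover bug
}
# No patch available at time of writing; the advice is to remove it (slug assumed).
REMOVE = {"trx_addons": "ThemeREX Addons"}


def parse_version(text):
    """Turn '1.3.28' (or '1.3.28-beta') into a comparable tuple of ints."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


def audit(inventory_json):
    """Return (slug, severity, message) for every plugin that needs action.

    Inactive plugins are reported too: the vulnerable code is still on disk
    and the article's advice is to update regardless.
    """
    findings = []
    for plugin in json.loads(inventory_json):
        slug, version, status = plugin["name"], plugin["version"], plugin["status"]
        if slug in REMOVE:
            findings.append((slug, "critical",
                             f"{REMOVE[slug]} ({status}) has no fix; remove it"))
        elif slug in PATCHED_IN:
            fixed = PATCHED_IN[slug]
            if parse_version(version) < parse_version(fixed):
                findings.append((slug, "high",
                                 f"installed {version} ({status}) < patched {fixed}; update"))
    return findings


# Constructed sample inventory, not data from a real site.
SAMPLE_INVENTORY = json.dumps([
    {"name": "duplicator", "version": "1.3.26", "status": "active"},
    {"name": "themegrill-demo-importer", "version": "1.6.3", "status": "inactive"},
    {"name": "trx_addons", "version": "1.6.5", "status": "active"},
    {"name": "some-other-plugin", "version": "2.0.1", "status": "active"},
])

if __name__ == "__main__":
    for slug, severity, message in audit(SAMPLE_INVENTORY):
        print(f"[{severity}] {slug}: {message}")
```

On a live site, pipe the real output of `wp plugin list --format=json --fields=name,version,status` into `audit()` instead of the constructed sample.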
Source: ZDNet, Search Engine Journal