Nearly a million WordPress sites have been attacked by what appears to be a single threat actor attempting to inject redirects into the sites by exploiting cross-site scripting (XSS) vulnerabilities. The actor is actively trying to plant a backdoor and compromise WordPress-based sites in order to send site visitors to malvertising pages.
The Wordfence Threat Intelligence Team revealed the hacking attempts and disclosed that since April 28 the volume of XSS attacks has been 30 times its normal rate. The company concluded that a single individual is behind the attacks because the same payload is deployed in every attack. The payload is malicious JavaScript that redirects website visitors and, when an administrator is logged in, abuses the administrator's session to insert a backdoor into the theme's header.
Ameet Naik, security evangelist at PerimeterX, said that an XSS attack can lead to more serious issues by gaining privileged access to a website and planting malicious JavaScript code that can steal user data, spread malware, or hijack users to nefarious sites. He added that such techniques have been used to launch Magecart attacks against thousands of e-commerce sites, resulting in the theft of millions of credit card numbers. If the victim is not logged in and is not on the login page, the script redirects them to a malvertising page. If the victim is logged into the site, the script attempts to inject a malicious PHP backdoor into the current theme's header file, along with another piece of malicious JavaScript.
Wordfence believes the attacker may have been running low-volume attacks before April 28 but has since massively scaled up, with 20 million attack attempts against more than 500,000 individual sites on May 3, 2020, alone. Over the course of the past month in total, the team reported detecting over 24,000 distinct IP addresses sending requests matching these attacks to over 900,000 sites.
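As an added illustration (not Wordfence's tooling or the article's own code), the following Python script shows how a site operator could spot the kind of spike described above in their own access logs: it URL-decodes each request target, counts requests carrying generic XSS markers per day, tallies distinct source IPs, and flags days that exceed a chosen multiple of a known-normal daily rate. The log lines, IP addresses and baseline are constructed sample values.

```python
"""Spot an XSS-probing spike in web server access logs (defender-side triage)."""
import re
from collections import defaultdict
from urllib.parse import unquote_plus

# Apache/nginx combined log format: client IP, day, request target.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[(\d{2}/\w{3}/\d{4}):[^\]]+\] "(?:GET|POST) (\S+) ')
# Generic reflected-XSS indicators, matched after URL-decoding the request target.
XSS_RE = re.compile(r"<script|javascript:|<svg|<img|\bon\w+\s*=", re.I)

def parse_line(line):
    """Return (ip, day, decoded_target) for a combined-format line, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, day, target = m.groups()
    # Decode twice: double-encoded payloads are a common filter-evasion trick.
    return ip, day, unquote_plus(unquote_plus(target))

def daily_xss_stats(log_text):
    """Map each day to its count of XSS-looking requests and the set of source IPs."""
    stats = defaultdict(lambda: {"hits": 0, "ips": set()})
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed and XSS_RE.search(parsed[2]):
            ip, day, _ = parsed
            stats[day]["hits"] += 1
            stats[day]["ips"].add(ip)
    return dict(stats)

def flag_spikes(stats, baseline_hits_per_day, factor=30):
    """Return days whose XSS-request count is at least `factor` times the normal daily rate."""
    threshold = baseline_hits_per_day * factor
    return sorted(day for day, s in stats.items() if s["hits"] >= threshold)

def _log_line(ip, day, target):
    return f'{ip} - - [{day}:00:00:00 +0000] "GET {target} HTTP/1.1" 200 12 "-" "Mozilla/5.0"'

# Constructed sample log: one probe on a quiet day, then many probes from many IPs on 28 Apr.
SAMPLE_LOG = "\n".join(
    [_log_line("203.0.113.5", "27/Apr/2020", "/?s=wordpress"),
     _log_line("203.0.113.9", "27/Apr/2020", "/?q=%3Cscript%3Ex%3C/script%3E")]
    + [_log_line(f"198.51.100.{i}", "28/Apr/2020", "/?id=%253Cscript%2520src%253D%2522x.js%2522%253E")
       for i in range(1, 41)]
)

if __name__ == "__main__":
    stats = daily_xss_stats(SAMPLE_LOG)
    for day in flag_spikes(stats, baseline_hits_per_day=1):
        print(f"{day}: {stats[day]['hits']} XSS-looking requests from {len(stats[day]['ips'])} IPs")
```

On the sample data only 28 Apr is flagged; in practice the baseline should come from several quiet weeks of the same site's logs, and flagged days are a cue to check theme header files for unexpected modifications.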
The attacks target five WordPress plugins, some of which have been discontinued but are still in use on some websites. These include 'Easy2Map' and 'Total Donations', which had already been removed from the WordPress plugin repository and the Envato Marketplace, respectively.
How to protect WordPress websites from backdoor attacks
The vast majority of these attacks target vulnerabilities in plugins and themes that have relatively few users, and most of those vulnerabilities were patched long ago. No attacks are expected against the latest versions of any plugin that is still available, so keeping plugins and themes up to date and removing discontinued ones addresses most of the risk. Running a web application firewall can also help protect WordPress websites against other, not yet known vulnerabilities.