
Experts uncovered a hacking campaign targeting several WordPress Plugins


Researchers at Wordfence reported an ongoing hacking campaign exploiting security flaws in some WordPress plugins.

Researchers from Wordfence uncovered an ongoing hacking campaign exploiting security vulnerabilities in some WordPress plugins to redirect visitors to websites under the control of the attackers.

The campaign specifically targeted flaws in WordPress plugins by the developer NicDark (now renamed “Endreww”), such as a plugin called Simple 301 Redirects – Addon – Bulk Uploader.

All the WordPress plugins targeted in this campaign have updates available addressing the vulnerabilities.

“The vulnerabilities recently patched in plugins developed by NicDark are all exploited by very similar AJAX requests.” reads the post published by Wordfence. “In each case the plugin registers a nopriv_ AJAX action, which is accessible even by unauthenticated visitors, responsible for importing various WordPress settings. In these requests, key->value pairs of WordPress options and values are parsed out and applied directly to the affected site’s database.”

The flaws could be exploited by attackers to modify arbitrary WordPress options, for example, to enable registration as an Administrator user. The attackers behind this campaign modified the ‘siteurl’ and ‘home’ settings of the targeted website to redirect visitors to websites under their control.
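A heuristic source audit for the pattern Wordfence describes, as an added example that is not from the article, Wordfence, or any plugin: it flags `wp_ajax_nopriv_` handlers that write WordPress options without a `current_user_can()` check. The PHP sample and every `demo_*` name are constructed for illustration.

```python
import re

# Constructed PHP source for illustration; not taken from any real plugin.
SAMPLE_PLUGIN = r"""<?php
add_action('wp_ajax_nopriv_demo_import', 'demo_import');
add_action('wp_ajax_nopriv_demo_layout', 'demo_layout');
add_action('wp_ajax_nopriv_demo_ping', 'demo_ping');
add_action('wp_ajax_demo_reset', 'demo_reset');
function demo_import() {
    foreach ($_POST['options'] as $key => $value) { update_option($key, $value); }
    wp_die();
}
function demo_layout() {
    if (!current_user_can('manage_options')) { wp_die(); }
    update_option('demo_layout', sanitize_text_field($_POST['layout']));
}
function demo_ping() { echo 'pong'; wp_die(); }
function demo_reset() { delete_option('demo_layout'); }
"""

HOOK_RE = re.compile(r"""add_action\(\s*['"]wp_ajax_nopriv_(\w+)['"]\s*,\s*['"](\w+)['"]""")
WRITE_RE = re.compile(r"\b(?:update|add|delete)_option\s*\(")
GUARD_RE = re.compile(r"\bcurrent_user_can\s*\(")

def function_body(source, name):
    """Return the text between a PHP function's outer braces (brace counting only)."""
    m = re.search(r"function\s+" + re.escape(name) + r"\s*\([^)]*\)\s*\{", source)
    if not m:
        return None
    depth, i = 1, m.end()
    while i < len(source) and depth:
        depth += {"{": 1, "}": -1}.get(source[i], 0)
        i += 1
    return source[m.end():i - 1]

def audit(source):
    """List (action, handler, reason) for nopriv AJAX handlers that write options unguarded."""
    findings = []
    for action, handler in HOOK_RE.findall(source):
        body = function_body(source, handler)
        if body is None:
            findings.append((action, handler, "handler not found in this file"))
        elif WRITE_RE.search(body) and not GUARD_RE.search(body):
            findings.append((action, handler, "option write without capability check"))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_PLUGIN):
        print(finding)
```

The check is textual, so a capability check made in a helper function or braces inside PHP strings will mislead it; treat findings as leads for manual review.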

NicDark recently addressed a vulnerability in the Simple 301 Redirects – Addon – Bulk Uploader that allows unauthenticated attackers to inject their own 301 redirect rules onto a victim’s site.

Experts explained that vulnerable versions of the plugin would constantly listen for the presence of the POST body parameter ‘submit_bulk_301‘. The presence of the parameter allows an uploaded CSV file to be processed and used to import a bulk set of site paths and their redirect destinations.

The campaign began on July 31. Other attacks targeted the following WordPress plugins:

Attackers used several domains to perform these script injections and redirects; the domains rotated with some frequency, and new ones were added every few days. The WordPress plugin repository team quickly removed the other WordPress plugins developed by NicDark from the repository. Threat actors noticed that all these plugins suffered from similar flaws and began to target them.

“An active campaign is targeting a number of vulnerabilities in attempts to redirect victim sites’ visitors to potentially harmful destinations. The vulnerabilities in question have all been patched by their developers, so ensure all of your WordPress plugins are up to date.” concludes Wordfence.


Pierluigi Paganini

(SecurityAffairs – WordPress plugins, hacking)
