A zero-day vulnerability was discovered in the Easy WP SMTP plugin, which has over 300,000 installations. The vulnerability and the first attacks on it were noticed by specialists from NinTechNet, the company that develops Ninja Firewall for WordPress. They reported the bug to the plugin's authors, after which it was fixed in version v1.3.9.1.
However, according to experts from Defiant, the attacks have not stopped, since the administrators of many sites still have not updated the plugin, and the attackers appear to be trying to compromise as many resources as possible.
The problem is currently being exploited by at least two hacker groups, which have even changed tactics along the way: at first the criminals modified the wp_user_roles setting, then they switched to default_role. Either way, the result is that all newly registered accounts receive administrator rights. Both groups use the same proof-of-concept exploit described in the NinTechNet report.
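A defender-side check for the two tampering tactics described above, written as an added example (not code from the article or from any of the vendors named in it). It reads the raw values of `default_role` and `wp_user_roles` as stored in the wp_options table, where `wp_user_roles` is PHP-serialized, and flags a non-default registration role or a low-privilege role that has been given admin-level capabilities; the sample value, the capability list and the helper names are constructed for the example.

```python
# Added example, not from the article: audit a site's wp_options for the two
# tactics described above, a changed default_role and a wp_user_roles entry that
# grants a low-privilege role admin capabilities. wp_user_roles is stored
# PHP-serialized, so a minimal deserializer for the types it uses is included.

DANGEROUS_CAPS = {"manage_options", "edit_users", "promote_users",
                  "install_plugins", "edit_plugins", "edit_files"}
LOW_PRIV_ROLES = {"subscriber", "contributor", "author"}

def php_unserialize(data, pos=0):
    """Parse s (string), b (bool) and a (array); return (value, next offset)."""
    t = data[pos]
    if t == "b":                                   # b:1; / b:0;
        return data[pos + 2] == "1", pos + 4
    if t == "s":                                   # s:4:"name";
        colon = data.index(":", pos + 2)
        length = int(data[pos + 2:colon])
        start = colon + 2                          # skip :"
        return data[start:start + length], start + length + 2   # skip ";
    if t == "a":                                   # a:2:{key;value;...}
        colon = data.index(":", pos + 2)
        count = int(data[pos + 2:colon])
        pos, result = colon + 2, {}                # skip :{
        for _ in range(count):
            key, pos = php_unserialize(data, pos)
            result[key], pos = php_unserialize(data, pos)
        return result, pos + 1                     # skip }
    raise ValueError(f"unsupported serialized type {t!r} at offset {pos}")

def audit_wp_options(options):
    """options: option_name -> raw option_value. Returns a list of findings."""
    findings = []
    role = options.get("default_role", "subscriber")
    if role != "subscriber":
        findings.append(f"default_role is '{role}', expected 'subscriber'")
    roles = php_unserialize(options["wp_user_roles"])[0] if "wp_user_roles" in options else {}
    for name, spec in roles.items():
        caps = {c for c, on in spec.get("capabilities", {}).items() if on}
        bad = sorted(caps & DANGEROUS_CAPS)
        if name in LOW_PRIV_ROLES and bad:
            findings.append(f"role '{name}' has admin-level capabilities: {bad}")
    return findings

# Constructed sample: wp_user_roles where 'subscriber' was granted manage_options.
TAMPERED_ROLES = ('a:2:{s:13:"administrator";a:2:{s:4:"name";s:13:"Administrator";'
                  's:12:"capabilities";a:1:{s:14:"manage_options";b:1;}}'
                  's:10:"subscriber";a:2:{s:4:"name";s:10:"Subscriber";'
                  's:12:"capabilities";a:2:{s:4:"read";b:1;s:14:"manage_options";b:1;}}}')
```

On a live site the two values come from `SELECT option_name, option_value FROM wp_options WHERE option_name IN ('default_role', 'wp_user_roles')`; the same check is worth running against a fresh backup to confirm the tampering date.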
Defiant experts note that the behavior of the two groups differs markedly: one group only creates backdoor accounts on websites and takes no further action, while the second acts more aggressively and redirects all traffic from hacked resources to fake support sites.

Another vulnerability already under attack was found in the Social Warfare plugin, installed on 70,000 sites. Wordfence, Sucuri and NinTechNet have warned about the problem. The bug is a stored (also called "persistent") XSS vulnerability that could allow an attacker to inject malicious JavaScript into the social media sharing buttons on a site's pages; as a result, visitors are redirected to a malicious resource. The dangerous plugin had to be temporarily removed from the official WordPress repository, but a patched version, Social Warfare 3.5.3, has already been released, and administrators are encouraged to update to it as soon as possible.
Source: xaker.ru