A report published in late 2022 stated that malware exploiting vulnerabilities in 30 different WordPress plugins had affected a large number of websites, possibly for several years.
The malware exploited these vulnerabilities on sites where the available patches had not been applied.
Researchers at the security firm Doctor Web found that the Linux-based malware contains a backdoor that redirects visitors to harmful sites.
It can also disable event logging, put itself into standby mode, and shut itself down. The malware gains access by exploiting vulnerabilities in plugins used to add features such as live chat or metrics reporting to the WordPress content management system.
Patches for these vulnerabilities are already available, but the affected website owners have not applied them.
Reportedly, the main purpose of the Linux.BackDoor.WordPressExploit.1 trojan is to infiltrate WordPress-based websites and insert a malicious script into their web pages.
It does this by exploiting known vulnerabilities in WordPress plugins and themes.
It first contacts its command-and-control server to obtain the address of the target website, then systematically attempts to exploit vulnerabilities in outdated plugins and themes that may be installed there.
If the trojan succeeds in exploiting one or more vulnerabilities on the website, it injects malicious JavaScript into the targeted web page.
The script itself is downloaded from a remote server. The injection is placed so that, when the infected page loads, the malicious JavaScript executes first and overrides the page's original contents.
As a result, users who click anywhere on the infected page are redirected to a website of the attacker's choosing.
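For site owners checking whether a page carries an injection of the kind described above, the following is an added defensive example (not Doctor Web's code, and not from the report): it parses a rendered page, flags script tags loaded from hosts outside a constructed allowlist, notes whether they appear before any page content, and flags inline scripts that rewrite the page or redirect on click. The allowlist, the hostnames and the sample HTML are all constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Heuristic patterns for inline code that rewrites the page or redirects on click.
# These are broad indicators for triage, not a signature of this trojan.
SUSPICIOUS_INLINE = re.compile(
    r"(document\.write|window\.location|location\.href|addEventListener\(\s*['\"]click)",
    re.IGNORECASE,
)
# Tags that carry no visible content; anything else marks the start of page content.
STRUCTURAL = {"html", "head", "body", "meta", "link", "title", "script", "style"}


class ScriptAuditor(HTMLParser):
    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}   # constructed allowlist
        self.findings = []
        self._in_script = False
        self._seen_content = False   # have we passed the first visible element?
        self._order = 0              # ordinal of the current <script> in the document

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._order += 1
            src = dict(attrs).get("src")
            host = (urlparse(src).hostname or "") if src else ""
            if host and host.lower() not in self.allowed:
                self.findings.append({"kind": "external-src", "host": host,
                                      "order": self._order,
                                      "before_content": not self._seen_content})
        elif tag not in STRUCTURAL:
            self._seen_content = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data, so inline code lands here.
        if self._in_script:
            hits = SUSPICIOUS_INLINE.findall(data)
            if hits:
                self.findings.append({"kind": "inline", "order": self._order,
                                      "matches": hits,
                                      "before_content": not self._seen_content})


def audit_page(html, allowed_hosts):
    """Return a list of findings for one rendered page."""
    parser = ScriptAuditor(allowed_hosts)
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page: one foreign script in <head>, one inline click redirect.
SAMPLE = """<html><head><title>Shop</title>
<script src="https://example-malicious.invalid/x.js"></script>
<script src="https://shop.example.com/wp-includes/js/jquery.js"></script>
</head><body><h1>Welcome</h1>
<script>document.addEventListener('click', function () {
  window.location = 'https://example-malicious.invalid/go'; });</script>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_page(SAMPLE, ["shop.example.com"]):
        print(finding)
```

Run it against the HTML returned by a plain HTTP fetch of the site, not the admin editor view, since the injection lives in what visitors receive.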
The trojan tracks its activity and sends statistics to its command-and-control server. It keeps a count of the total number of websites it has attacked, the number of successful exploits, and specifically the number of times it has successfully exploited vulnerabilities in the WordPress Ultimate FAQ plugin and the Facebook Messenger plugin from Zotabox.
It also reports every unpatched vulnerability it comes across to the remote server.
Vulnerable plugins
- WP Live Chat Support Plugin
- WordPress – Yuzo Related Posts
- Yellow Pencil Visual Theme Customizer Plugin
- Easysmtp
- WP GDPR Compliance Plugin
- Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972)
- Thim Core
- Google Code Inserter
- Total Donations Plugin
- Post Custom Templates Lite
- WP Quick Booking Manager
- Facebook Live Chat by Zotabox
- Blog Designer WordPress Plugin
- WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233)
- WP-Matomo Integration (WP-Piwik)
- WordPress ND Shortcodes For Visual Composer
- WP Live Chat
- Coming Soon Page and Maintenance Mode
- Hybrid
- Brizy WordPress Plugin
- FV Flowplayer Video Player
- WooCommerce
- WordPress Coming Soon Page
- WordPress theme OneTone
- Simple Fields WordPress Plugin
- WordPress Delucks SEO plugin
- Poll, Survey, Form & Quiz Maker by OpinionStage
- Social Metrics Tracker
- WPeMatico RSS Feed Fetcher
- Rich Reviews plugin