A second vulnerability in a high-profile WordPress plugin has come under active exploitation in the span of a week, ZDNet has learned from WordPress security firm Defiant.
Attacks are currently ongoing, the company said today in a detailed blog post after ZDNet reached out for comment yesterday. This is the second separate wave of hacking attempts detected against WordPress sites after Defiant discovered last week a similar hacking campaign aimed at WordPress sites using the WP GDPR Compliance plugin.
But for this most recent hacking campaign, hackers are targeting a vulnerability that impacts AMP for WP (formerly Accelerated Mobile Pages), a WordPress plugin installed on more than 100,000 sites.
This vulnerability came to the general public’s attention last week after web security firm WebARX published proof-of-concept code on how to exploit it on its blog.
However, the actual vulnerability was discovered by a Dutch security researcher named Sybre Waaijer, who found and reported the issue to the maintainers of the WordPress Plugins repository in mid-October.
The AMP for WP plugin was removed from the official WordPress Plugins repo between October 22 and 31, while developers worked on and released a security fix for the reported issue (AMP for WP version 0.9.97.20).
The vulnerability is similar to the one reported in the WP GDPR Compliance plugin: attackers can use the plugin’s vulnerable code to make site-wide changes to site options to which the plugin shouldn’t have had access.
But it appears that the publication of the proof-of-concept code last week drew hackers’ attention to this largely unknown issue. Now, Defiant experts say, hackers have incorporated this new vulnerability into a “sophisticated attack campaign.”
The campaign earns the “sophisticated” tag because hackers aren’t just blindly abusing the AMP for WP vulnerability directly, but have combined it with another cross-site scripting (XSS) security bug.
Attackers scan the web for vulnerable sites using the AMP for WP plugin, use the XSS vulnerability to store malicious code in various parts of the sites, and wait for an admin user to access those site sections.
The campaign is in full force, Defiant warns, and WordPress site admins should update the AMP for WP plugin as soon as possible, and check whether a new admin user account named “supportuuser” has appeared out of the blue in their site’s backend.
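The two checks the article recommends (is the installed AMP for WP older than the fixed 0.9.97.20 release, and has an unexpected administrator such as “supportuuser” appeared) can be scripted for triage across many sites. The following is an added example, not code from the article, Defiant or the plugin; it assumes the JSON shape that `wp user list --role=administrator --format=json` produces (a `user_login` field per user), and the sample data is constructed.

```python
"""Triage helper for the AMP for WP campaign: version check plus rogue-admin check."""
import json
import re

FIXED_VERSION = "0.9.97.20"          # first AMP for WP release with the fix
SUSPICIOUS_LOGINS = {"supportuuser"}  # admin account name reported in the campaign


def parse_version(version):
    """Turn '0.9.97.20' into (0, 9, 97, 20) so multi-part versions compare correctly."""
    return tuple(int(part) for part in re.findall(r"\d+", version))


def plugin_is_vulnerable(installed_version):
    """True when the installed plugin predates the fixed release."""
    return parse_version(installed_version) < parse_version(FIXED_VERSION)


def suspicious_admins(admin_users_json, expected_admins):
    """Return admin logins that match the reported IoC or are not on the allow-list.

    admin_users_json: JSON array as emitted by `wp user list --role=administrator
    --format=json` (assumed field name: user_login).
    expected_admins: set of logins the site owner knows about.
    """
    flagged = []
    for user in json.loads(admin_users_json):
        login = user.get("user_login", "")
        if login in SUSPICIOUS_LOGINS or login not in expected_admins:
            flagged.append(login)
    return flagged


def triage(installed_version, admin_users_json, expected_admins):
    """Combine both checks into one report for a site."""
    return {
        "plugin_vulnerable": plugin_is_vulnerable(installed_version),
        "unexpected_admins": suspicious_admins(admin_users_json, expected_admins),
    }


# Constructed sample: two legitimate admins plus the injected account.
SAMPLE_ADMINS = json.dumps([
    {"ID": 1, "user_login": "alice", "roles": "administrator"},
    {"ID": 2, "user_login": "bob", "roles": "administrator"},
    {"ID": 57, "user_login": "supportuuser", "roles": "administrator"},
])

if __name__ == "__main__":
    print(triage("0.9.97.19", SAMPLE_ADMINS, {"alice", "bob"}))
```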
Source Article from https://www.zdnet.com/article/second-wordpress-hacking-campaign-underway-this-one-targeting-amp-for-wp-plugin/#ftag=RSSbaffb68
Second WordPress hacking campaign underway, this one targeting AMP for WP plugin