A group of attackers that has been injecting WordPress-based sites with a script redirecting visitors to malicious and fraudulent pages has now also started backdooring the vulnerable installations, Wordfence’s Mikey Veenstra warns.
The attackers are exploiting vulnerabilities in a number of WordPress plugins, namely:
- Bold Page Builder
- Blog Designer
- Live Chat with Facebook Messenger
- Yuzo Related Posts
- Visual CSS Style Editor
- WP Live Chat Support
- Form Lightbox
- Hybrid Composer
- All former NicDark plugins (nd-booking, nd-travel, nd-learning, etc.)
The list of targeted plugins has been growing, so it’s likely that this one is not definitive. “It’s reasonable to assume any unauthenticated XSS or options update vulnerabilities disclosed in the near future will be quickly targeted by this threat actor,” Veenstra noted.
What to do if you’ve been hit?
Admins of WordPress-based websites that have been injected with these scripts should:
- Update the vulnerable plugins to their latest version (or remove them if they are not needed)
- Remove the rogue admin account (wpservices)
- Clean the malicious scripts from their site (check all pages).
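The account and script checks from the steps above can be run offline against exported site data. The sketch below is an added example, not code from Wordfence or the article; it assumes the input uses the `user_login`, `ID` and `post_content` fields of WP-CLI's JSON exports of administrators and posts, and the allowlists, host names and sample records are constructed.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

ROGUE_LOGIN = "wpservices"  # rogue admin account named in the article

class ScriptFinder(HTMLParser):
    """Records the src of every <script> tag (None for inline blocks)."""
    def __init__(self):
        super().__init__()
        self.srcs = []
    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.srcs.append(dict(attrs).get("src"))

def audit_admins(admins, expected):
    """Return (login, reason) for admins that are rogue or not on the allowlist."""
    out = []
    for user in admins:
        login = user["user_login"]
        if login.lower() == ROGUE_LOGIN:
            out.append((login, "rogue account from the advisory"))
        elif login not in expected:
            out.append((login, "not on the admin allowlist"))
    return out

def audit_posts(posts, trusted_hosts):
    """Return (post ID, finding) for every script that needs manual review."""
    out = []
    for post in posts:
        finder = ScriptFinder()
        finder.feed(post["post_content"])
        for src in finder.srcs:
            host = urlparse(src or "").hostname  # None for site-relative URLs
            if src is None:
                out.append((post["ID"], "inline script block"))
            elif host is not None and host not in trusted_hosts:
                out.append((post["ID"], "external script: " + src))
    return out

# Constructed sample exports (not real site data; field names are assumptions).
ADMINS = [{"user_login": "alice"}, {"user_login": "wpservices"}, {"user_login": "temp-dev"}]
POSTS = [
    {"ID": 1, "post_content": "<p>Hello</p><script src='/wp-includes/js/a.js'></script>"},
    {"ID": 2, "post_content": "<p>Hi</p><script src=\"//static.untrusted.example/r.js\"></script>"},
    {"ID": 3, "post_content": "<script>var x = 1;</script><p>About us</p>"},
]

if __name__ == "__main__":
    print(audit_admins(ADMINS, {"alice"}) + audit_posts(POSTS, {"www.mysite.example"}))
```

Every finding is a prompt for manual review, since legitimate themes and plugins also embed scripts; extend the trusted host set to match the site.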
“As always, updating the plugins and themes on your WordPress site is an excellent layer of defense against campaigns like these. Check your site for needed updates frequently to ensure you’re receiving the latest patches as they’re released,” Veenstra advised.