WordPress Security Alert: New Linux Malware Exploiting Over Two Dozen CMS Flaws

WordPress sites are being targeted by a previously unknown strain of Linux malware that exploits flaws in over two dozen plugins and themes to compromise vulnerable systems.

"If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted web pages are injected with malicious JavaScripts," Russian security vendor Doctor Web said in a report published last week. "As a result, when users click on any area of an attacked page, they are redirected to other sites."

The attacks weaponize a list of known security vulnerabilities in 19 different plugins and themes that are likely to be installed on a WordPress site, using them to deploy an implant that can target a specific website and thereby expand the attackers' network.

It's also capable of injecting JavaScript code retrieved from a remote server in order to redirect the site visitors to an arbitrary website of the attacker's choice.
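As an added illustration, not code from the article or from Doctor Web's report, the following Python check inspects a page's inline scripts for the behaviour described above: a document-wide click handler combined with a navigation call to an off-site host. The sample page and both hostnames are constructed placeholders.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample page (hypothetical hosts): a legitimate script tag, a benign
# inline script, and an injected inline script of the click-redirect kind described.
SAMPLE_HTML = """<html><head>
<script src="https://example-site.test/wp-includes/js/jquery.js"></script>
<script>document.addEventListener("DOMContentLoaded", function () { console.log("ready"); });</script>
</head><body><p>Welcome</p>
<script>document.addEventListener("click", function () {
  window.location.href = "https://redirect.invalid/landing";
});</script>
</body></html>"""

class ScriptCollector(HTMLParser):
    """Collects every <script> element as [src attribute, inline body]."""
    def __init__(self):
        super().__init__()
        self.in_script, self.scripts = False, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.in_script = True
            self.scripts.append([dict(attrs).get("src"), ""])

    def handle_endtag(self, tag):
        self.in_script = self.in_script and tag != "script"

    def handle_data(self, data):
        if self.in_script:
            self.scripts[-1][1] += data

# A click handler combined with a navigation primitive is the pattern to review.
CLICK_RE = re.compile(r"addEventListener\(\s*['\"]click['\"]|\bonclick\s*=", re.I)
REDIRECT_RE = re.compile(
    r"\blocation(?:\.href)?\s*=[^=]|\blocation\.(?:assign|replace)\s*\(|\bwindow\.open\s*\(", re.I)
URL_RE = re.compile(r"https?://[^\s'\"()<>]+", re.I)

def find_click_redirects(html, site_host):
    """Return (kind, detail) for inline scripts that redirect on click off site_host."""
    parser = ScriptCollector()
    parser.feed(html)
    findings = []
    for _src, body in parser.scripts:
        if not (CLICK_RE.search(body) and REDIRECT_RE.search(body)):
            continue
        hosts = {urlparse(u).hostname for u in URL_RE.findall(body)}
        offsite = sorted(h for h in hosts if h and h != site_host)
        findings.append(("click-redirect", ", ".join(offsite) or "<dynamic target>"))
    return findings
```

Running it over a site's rendered pages (for example, fetched copies saved to disk) surfaces candidate injections for manual review; a target assembled at runtime is reported as a dynamic target rather than a hostname.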

Doctor Web said it identified a second version of the backdoor, which uses a new command-and-control (C2) domain as well as an updated list of flaws spanning 11 additional plugins, taking the total to 30.

The targeted plugins and themes are listed below:

  1. WP Live Chat Support
  2. Yuzo Related Posts
  3. Yellow Pencil Visual CSS Style Editor
  4. Easy WP SMTP
  5. WP GDPR Compliance
  6. Newspaper (CVE-2016-10972)
  7. Thim Core
  8. Smart Google Code Inserter (discontinued as of January 28, 2022)
  9. Total Donations
  10. Post Custom Templates Lite
  11. WP Quick Booking Manager
  12. Live Chat with Messenger Customer Chat by Zotabox
  13. Blog Designer
  14. WordPress Ultimate FAQ (CVE-2019-17232 and CVE-2019-17233)
  15. WP-Matomo Integration (WP-Piwik)
  16. ND Shortcodes
  17. WP Live Chat
  18. Coming Soon Page and Maintenance Mode
  19. Hybrid
  20. Brizy
  21. FV Flowplayer Video Player
  22. WooCommerce
  23. Coming Soon Page & Maintenance Mode
  24. Onetone
  25. Simple Fields
  26. Delucks SEO
  27. Poll, Survey, Form & Quiz Maker by OpinionStage
  28. Social Metrics Tracker
  29. WPeMatico RSS Feed Fetcher, and
  30. Rich Reviews

Both variants are said to include an unimplemented method for brute-forcing WordPress administrator accounts, although it's not clear whether it is a remnant of an earlier version or functionality that has yet to be completed.

"If such an option is implemented in newer versions of the backdoor, cybercriminals will even be able to successfully attack some of those websites that use current plugin versions with patched vulnerabilities," the company said.

WordPress users are advised to keep all components of the platform up to date, including third-party add-ons and themes, and to secure their accounts with strong, unique logins and passwords.

The disclosure comes weeks after Fortinet FortiGuard Labs detailed another botnet called GoTrim that's designed to brute-force self-hosted websites using the WordPress content management system (CMS) to seize control of targeted systems.

For Further Reference

https://thehackernews.com/2023/01/wordpress-security-alert-new-linux.html
