Malware targets 30 unpatched WordPress plugins

Christopher Boyd

If you make use of plugins on your WordPress site (and you probably do), it’s time to take a good look at what’s running under the hood. Ars Technica reports that unpatched vulnerabilities are being exploited across no fewer than 30 plugins and themes.

A long list of plugin problems

If you own or operate a website there is a very good chance it uses WordPress. More than 40 percent of websites use a version of it, and it’s used on more websites than all other website Content Management Systems (CMS) combined. One of the reasons it’s so popular is that it can be easily extended by adding plugins, of which there are tens of thousands.

Provided it is kept up to date and protected by two-factor authentication, WordPress itself is quite secure. Because of that, in recent years threat actors have focussed on exploiting it via vulnerabilities in plugins rather than attacking it directly.

Plugins are created by third parties and vary widely in quality. Some are updated frequently while others are unsupported. Some are so popular that they are successful software products in their own right, with paid staff, secure development lifecycles, and millions of users, while others are made by lone hobbyists. And while WordPress will update itself with security fixes by default, automatic updating of plugins has to be enabled by each website operator.

So, news of a malware campaign targeting plugins with unpatched vulnerabilities is no surprise. In fact, researchers suggest the malware used for these attacks may have been in circulation for three years. Ars Technica reports that once the malware finds a vulnerable website, it injects rogue scripts into the site’s pages. The scripts redirect visitors to malicious websites when they click anywhere on an affected page.
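A cleanup starts with finding the injected script. The scanner below is an added example, not code from the article or from the Dr Web research, and it encodes only the behaviour described above: an inline script that hooks clicks on the whole document and then navigates the visitor elsewhere. The regular expressions are an assumption about how such a redirector is typically written, and the HTML page it scans is constructed for the example.

```python
"""Heuristic scan of a page's HTML for injected click-to-redirect scripts.

Added example; the patterns are an assumption derived from the behaviour the
article describes (hook every click, then send the visitor elsewhere), not
indicators from the actual campaign.
"""
import re
from html.parser import HTMLParser

# A handler registered on the whole page: document/window/body + click.
CLICK_HOOK = re.compile(
    r"(?:document|window|document\.body)\s*\.\s*"
    r"(?:addEventListener\s*\(\s*['\"]click['\"]|onclick\s*=)"
)
# Navigation away from the page from inside script code.
NAVIGATE = re.compile(
    r"(?:\blocation(?:\.href)?\s*=|location\.(?:assign|replace)\s*\(|window\.open\s*\()"
)


class ScriptCollector(HTMLParser):
    """Collect every <script> element with its line number, src and body."""

    def __init__(self):
        super().__init__()
        self.scripts = []      # dicts: {"line", "src", "body"}
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._current = {"line": self.getpos()[0],
                             "src": dict(attrs).get("src"), "body": ""}

    def handle_data(self, data):
        # HTMLParser hands script content over raw (CDATA), possibly in chunks.
        if self._current is not None:
            self._current["body"] += data

    def handle_endtag(self, tag):
        if tag == "script" and self._current is not None:
            self.scripts.append(self._current)
            self._current = None


def find_click_redirectors(html):
    """Return (line, snippet) for inline scripts that both hook clicks and navigate."""
    parser = ScriptCollector()
    parser.feed(html)
    parser.close()
    hits = []
    for script in parser.scripts:
        body = script["body"]
        if script["src"] is None and CLICK_HOOK.search(body) and NAVIGATE.search(body):
            hits.append((script["line"], body.strip()[:80]))
    return hits


# Constructed sample page: a theme script, a harmless inline snippet, and an
# injected redirector of the kind described in the article.
SAMPLE_PAGE = """<html><head>
<script src="https://example.com/theme.js"></script>
<script>var gaId = 'UA-0000'; console.log(gaId);</script>
</head><body>
<p>Hello</p>
<script>document.addEventListener('click',function(){window.location.href='https://attacker.example/landing';});</script>
</body></html>"""

if __name__ == "__main__":
    for line, snippet in find_click_redirectors(SAMPLE_PAGE):
        print(f"suspicious inline script at line {line}: {snippet}")
```

Run it over the rendered HTML of a few pages (what a visitor’s browser receives, not just the post body), since injected code may live in theme files, widgets, or the database. A hit is a lead, not proof; a legitimate script that also matches is possible, so read the flagged code before deleting anything.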

According to research by Dr Web, attacks rely on unpatched versions of the following plugins or themes:

  • WP Live Chat Support Plugin
  • WordPress – Yuzo Related Posts
  • Yellow Pencil Visual Theme Customizer Plugin
  • Easysmtp
  • WP GDPR Compliance Plugin
  • Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972)
  • Thim Core
  • Google Code Inserter
  • Total Donations Plugin
  • Post Custom Templates Lite
  • WP Quick Booking Manager
  • Facebook Live Chat by Zotabox
  • Blog Designer WordPress Plugin
  • WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233)
  • WP-Matomo Integration (WP-Piwik)
  • WordPress ND Shortcodes For Visual Composer
  • WP Live Chat
  • Coming Soon Page and Maintenance Mode
  • Hybrid
  • Brizy WordPress Plugin
  • FV Flowplayer Video Player
  • WooCommerce
  • WordPress Coming Soon Page
  • WordPress theme OneTone
  • Simple Fields WordPress Plugin
  • WordPress Delucks SEO plugin
  • Poll, Survey, Form & Quiz Maker by OpinionStage
  • Social Metrics Tracker
  • WPeMatico RSS Feed Fetcher
  • Rich Reviews plugin

Plugging the plugin gap

Time and again, not updating a plugin comes back to haunt WordPress admins in the worst possible way. Cleanup is often not an easy task, and a tiny slice of preventative action can keep you far away from a massive repair operation further down the line.

The following preventative maintenance could save you a lot of trouble:

  • Update existing plugins. If you use WordPress you can check if you have any plugins that need updating by logging in to your site and going to Dashboard > Updates. (The Themes and Plugins menu items will also have red circles next to them if any need updating.) Update everything.
  • Turn on automatic updates for plugins. By default, WordPress does not update plugins automatically. You can enable this on a per-plugin basis by going to the Plugins screen and clicking Enable auto-updates next to each plugin.
  • Remove unsupported plugins. Go to the Plugins screen and click View details for each plugin. This screen shows you the last version of WordPress the plugin was tested with, and when it was last updated. It will also display an alert if it thinks the plugin is no longer supported.
  • Remove unnecessary plugins. Check out how many plugins and themes you have installed on your site. Do you need them all? Can any of them be removed or replaced? Generally, fewer is better.
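The four steps above can be checked from the command line rather than by clicking through the dashboard. The script below is an added example, not from the article, and it audits the JSON that WP-CLI prints for `wp plugin list --format=json --fields=name,status,version,update,update_version,auto_update`. The field names and their values (`update` of `none` or `available`, `auto_update` of `on` or `off`) are assumed to match that output for your WP-CLI version; the JSON embedded here is constructed sample data, not output from a real site.

```python
"""Audit a site's plugins against the checklist: outdated, auto-updates off,
inactive (removal candidates), and print the WP-CLI commands to fix them.

Added example. Field names follow WP-CLI's `wp plugin list` JSON output but
should be treated as an assumption for your version.
"""
import json
import sys

# Constructed sample of `wp plugin list --format=json --fields=...` output.
SAMPLE_WP_CLI_OUTPUT = """[
  {"name": "wp-live-chat-support", "status": "active", "version": "8.0.26",
   "update": "available", "update_version": "8.0.33", "auto_update": "off"},
  {"name": "akismet", "status": "active", "version": "5.0.1",
   "update": "none", "update_version": "", "auto_update": "on"},
  {"name": "hello", "status": "inactive", "version": "1.7.2",
   "update": "none", "update_version": "", "auto_update": "off"}
]"""


def audit_plugins(plugin_list_json):
    """Bucket each plugin by the checklist action it needs."""
    report = {"update": [], "enable_auto_update": [], "remove_candidate": []}
    for p in json.loads(plugin_list_json):
        if p.get("update") == "available":
            report["update"].append(
                f"{p['name']} {p['version']} -> {p['update_version']}")
        if p.get("auto_update") != "on":
            report["enable_auto_update"].append(p["name"])
        if p.get("status") == "inactive":
            # Inactive plugins still ship code an attacker can reach; remove
            # them unless there is a reason to keep them.
            report["remove_candidate"].append(p["name"])
    return report


def remediation_commands(report):
    """WP-CLI commands that would act on the report. Review before running."""
    cmds = []
    if report["update"]:
        names = [entry.split()[0] for entry in report["update"]]
        cmds.append("wp plugin update " + " ".join(names))
    if report["enable_auto_update"]:
        cmds.append("wp plugin auto-updates enable " + " ".join(report["enable_auto_update"]))
    for name in report["remove_candidate"]:
        cmds.append(f"wp plugin delete {name}")
    return cmds


if __name__ == "__main__":
    # Pipe real output in (wp plugin list ... | python3 audit.py); otherwise
    # the constructed sample is used.
    raw = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_WP_CLI_OUTPUT
    result = audit_plugins(raw)
    for action, items in result.items():
        print(f"{action}: {', '.join(items) or '(none)'}")
    print("\n".join(remediation_commands(result)))
```

The "last updated" and "tested up to" information from the View details screen is not in this output, so the unsupported-plugin check still needs a look at each plugin’s page; the script only tells you what is outdated, what will stay outdated, and what is dead weight.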

If you can’t make enough time available to keep on top of themes and plugins, it might be a good time to accept that you don’t need the risk and hand the job to an agency or hosting company. The last thing you want is a stack of emails some rainy Monday morning telling you that visitors have been sent to a malicious site courtesy of your blog.

Stay safe out there!