Cybercriminals are paying close attention to the security flaws that were recently discovered in several popular WordPress plugins and they have begun to target websites that still run vulnerable versions of them.
According to BleepingComputer, at least two threat actors are actively attacking unpatched versions of the ThemeGrill Demo Importer, Profile Builder and Duplicator plugins. What these three plugins have in common is the fact that they were all revealed to contain a critical security bug that could be exploited in recent reports.
Researchers estimate that there are hundreds of thousands of WordPress sites that are currently at risk of being exploited because their admins have not yet patched these three plugins.
One of the threat actors, who goes by the handle ‘tonyredball’, is exploiting two of these vulnerable plugins to obtain backdoor access. Tonyredball was observed exploiting the administrator registration vulnerability in Profile Builder by using requests that contained the username, email and other profile details of the new administrator account, according to WordPress security experts at Defiant.
However, the researchers also noted that tonyredball has launched a number of attacks which take advantage of the database deletion flaw in older versions of the ThemeGrill Demo Importer plugin.
Exploiting vulnerable WordPress plugins
Another threat actor exploiting vulnerable WordPress plugins is identified by Defiant as ‘solarsalvador1234’ because of an email address used in the requests leading to exploitation.
In addition to targeting ThemeGrill Demo Importer and Profile Builder, this threat actor is also exploiting unpatched flaws in Duplicator which is a plugin that allows websites to be cloned and migrated to other locations.
Duplicator versions lower than 1.3.28 have been found to contain a security bug that allows unauthenticated users to download arbitrary files from victim sites. By exploiting the bug, an attacker can retrieve a site’s configuration file (wp-config.php) where the credentials for database access are stored. This allows a threat actor like solarsalvador1234 to establish long-term access to a compromised site.
According to update rates, Defiant estimates that around 800,000 sites may still run a vulnerable version of the Duplicator plugin.
If you’re WordPress site is running an older version of ThemeGrill Demo Importer, Profile Builder or Duplicator, it is highly recommended that you update to the latest version as soon as possible to prevent falling victim to these kinds of attacks.