Experts at Defiant have uncovered a campaign that exploited recently disclosed plugin vulnerabilities to inject malware into websites.
Experts at Defiant, the company that developed the Wordfence security plugin for WordPress, uncovered a malvertising campaign that leverages recently disclosed plugin flaws to inject malicious code into websites.
Threat actors behind the malvertising campaign are leveraging known flaws in WordPress plugins such as “Coming Soon and Maintenance Mode,” “Yellow Pencil Visual CSS Style Editor” and “Blog Designer.”
Experts pointed out that these plugins are installed on thousands of websites.
Victims are first redirected to a domain that checks the type of device the visitor is using; the malicious code then redirects them to malicious destinations, including tech support scams, sites delivering malicious Android APKs, and sketchy pharmaceutical ads.
The hackers have exploited stored cross-site scripting (XSS) vulnerabilities in Blog Designer and Coming Soon and Maintenance Mode, and an unauthenticated arbitrary options update issue in the Yellow Pencil plugin.
“The Yellow Pencil vulnerability is notable because, in most configurations, an attacker could enable new user registrations with Administrator privileges, leading to takeover of vulnerable sites. Instead of taking the sites over entirely, these attackers seem satisfied with the malvertising campaign by itself.” continues the report.
The experts revealed that the privilege escalation vulnerability in the Yellow Pencil Visual Theme Customizer plugin was exploited in a hacking campaign in April. The flaw could be exploited by attackers to update arbitrary options on vulnerable installations.
Experts at Wordfence observed a high volume of attempts to exploit the vulnerability after a security researcher publicly disclosed proof-of-concept (PoC) exploit code for two vulnerabilities affecting the plugin.
The privilege-escalation vulnerability exists in the yellow-pencil.php file. The file checks whether the request parameter yp_remote_get has been set, and if it has, the plugin escalates the requesting user’s privileges to those of an administrator.
An unauthenticated user could therefore operate with administrator privileges and, for example, change arbitrary options.
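The two facts above (a request parameter named yp_remote_get triggers the escalation, and the resulting option changes can open registration with administrator privileges) give a defender two concrete things to look for. The script below is an added example written for this article; it is not code from Defiant, Wordfence or the plugin. It scans constructed web-server access-log lines in the common Apache/nginx “combined” format for requests carrying the yp_remote_get parameter, and audits a dictionary shaped like the wp_options table for the dangerous combination of users_can_register set with default_role of administrator (those two are real WordPress option names; that they are the options an attacker would change to get the effect the report describes is this example’s assumption).

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample lines in Apache/nginx "combined" log format (not real traffic).
SAMPLE_LOG = """\
198.51.100.7 - - [10/May/2019:09:14:02 +0000] "GET / HTTP/1.1" 200 8120 "-" "Mozilla/5.0"
203.0.113.42 - - [10/May/2019:09:14:09 +0000] "GET /?yp_remote_get=1 HTTP/1.1" 200 342 "-" "python-requests/2.21.0"
198.51.100.7 - - [10/May/2019:09:15:30 +0000] "GET /blog/?p=12 HTTP/1.1" 200 9044 "-" "Mozilla/5.0"
203.0.113.42 - - [10/May/2019:09:15:41 +0000] "POST /index.php?yp_remote_get HTTP/1.1" 200 120 "-" "curl/7.64.0"
"""

# Minimal "combined" log parser: client IP, timestamp, method, request target, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# The parameter named in the report. Extend this tuple for other plugins' triggers.
WATCHED_PARAMS = ("yp_remote_get",)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def query_params(target):
    """Query-string parameters of a request target.
    keep_blank_values=True so "?yp_remote_get" (set, but empty) is still detected,
    matching the plugin's "has the parameter been set" check."""
    return parse_qs(urlparse(target).query, keep_blank_values=True)


def find_suspicious(lines, watched=WATCHED_PARAMS):
    """Return every request whose query string carries a watched parameter.
    Caveat: parameters sent only in a POST body do not appear in access logs,
    so a WAF or application-level log is needed to catch those."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        present = [p for p in watched if p in query_params(rec["target"])]
        if present:
            hits.append({
                "ip": rec["ip"],
                "ts": rec["ts"],
                "method": rec["method"],
                "target": rec["target"],
                "status": int(rec["status"]),
                "params": present,
            })
    return hits


def audit_options(options):
    """Flag the option state that turns open registration into site takeover.
    `options` is a dict of option_name -> option_value (assumed shape of wp_options)."""
    findings = []
    registration_open = str(options.get("users_can_register", "0")) == "1"
    default_role = options.get("default_role", "subscriber")
    if registration_open:
        findings.append("users_can_register=1: anyone can register an account")
    if default_role == "administrator":
        findings.append("default_role=administrator: new accounts get full admin rights")
    if registration_open and default_role == "administrator":
        findings.append("CRITICAL: unauthenticated visitors can self-register as administrators")
    return findings


if __name__ == "__main__":
    for h in find_suspicious(SAMPLE_LOG.splitlines()):
        print(f"{h['ts']} {h['ip']} {h['method']} {h['target']} -> {h['params']}")
    # Constructed option set representing a compromised site.
    for f in audit_options({"users_can_register": "1", "default_role": "administrator"}):
        print(f)
```

Run it against a real access log by replacing SAMPLE_LOG with the file contents, and feed audit_options the output of a query such as SELECT option_name, option_value FROM wp_options WHERE option_name IN ('users_can_register','default_role'). A site whose logs show yp_remote_get requests, or whose options audit returns the CRITICAL finding, should be treated as compromised even if the malvertising injection itself has not yet been found, since the report notes the same primitive permits full takeover.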
“The majority of the XSS injection attempts tracked across this campaign were sent by IP addresses linked to popular hosting providers,” concludes the report. “With attacks sourced from IPs hosting several live websites, as well as our own evidence of infected sites associated with this campaign, it’s likely the threat actor is using infected sites to deliver XSS attacks by proxy.”
The researchers shared Indicators of Compromise and other technical details about this malvertising campaign in their analysis.