David Balaban September 23rd, 2020

Top WP Plugins Breached by Hackers

No content management system measures up to WordPress in terms of popularity. It is an indisputable champion in its niche, boasting an impressive 60% global market share. Furthermore, roughly 35% of all websites on the Internet run WordPress.

It does not take a rocket scientist to figure out why this CMS has been creating ripples in the web ecosystem area for years. It provides a flexible framework that fits virtually any context online, from small personal blogs and news outlets to sites operated by major brands.

What do cybercriminals think of this hype train? You guessed it – they do not mind jumping on it. Unlike webmasters, though, their motivation is far less benign. The silver lining is that WordPress Core is properly secured from different angles. The bad news is that third-party plugins can be easy prey for malicious actors to try and hunt down.

Unsurprisingly, plugins with many active installations are a bigger lure. By exploiting them, crooks can take a shortcut and significantly increase the potential attack surface. Here is a summary of security vulnerabilities recently found in WP plugins that have huge user audiences.

File Manager

In early September 2020, researchers came across a security loophole in File Manager, a WP plugin installed on at least 700,000 sites. Categorized as a zero-day remote code execution vulnerability, this critical bug allows an unauthenticated adversary to access the admin area, run malicious code, and upload dodgy scripts on any WordPress site running File Manager versions between 6.0 and 6.8.

To the plugin maker’s credit, a patched version (File Manager 6.9) was released mere hours after security analysts reported this vulnerability. However, hundreds of thousands of sites continue to be susceptible to compromise because their owners are slow to update the plugin to the latest patched build.

When white hats discovered this flaw, it was already being exploited in real-world onslaughts attempting to upload harmful PHP files to “wp-content/plugins/wp-file-manager/lib/files/” directory on unsecured websites. At the time of this writing, more than 2.6 million WordPress instances have been probed for outdated File Manager versions.

Moreover, different cybercriminal gangs appear to be waging war over websites that continue to be low-hanging fruit. One of the elements of this rivalry comes down to specifying a password for accessing the plugin’s file named “connector.minimal.php,” which is a primary launchpad for remote code execution in unpatched File Manager iterations.

In other words, once threat actors gain an initial foothold in a vulnerable WordPress installation, they block the exploitable component from being used by other criminals who may also have backdoor access to the same site. Speaking of which, analysts have observed attempts to hack websites via File Manager plugin bug coming from a whopping 370,000 different IP addresses.

Page Builder

The Page Builder WP plugin by SiteOrigin has more than a million installations. In early May 2020, security analysts made a disconcerting discovery: this hugely popular WordPress component is susceptible to a series of cross-site request forgery (CSRF) vulnerabilities that can be weaponized to gain elevated privileges in a site.

The plugin’s buggy features, “Live Editor” and “builder_content,” allow a malefactor to register a new administrator account or open a backdoor to access a vulnerable site at will. If a hacker is competent enough, they can take advantage of this vulnerability to execute a site takeover.

SiteOrigin rolled out a fix within a day after being alerted to these flaws. However, the issue will continue to make itself felt across the board until webmasters apply the patch – unfortunately, this could take months.

GDPR Cookie Consent

This plugin is one of the heavyweights in the WordPress ecosystem, being installed and actively used on more than 800,000 sites. It allows webmasters to comply with the EU’s General Data Protection Regulation (GDPR) through customizable cookie policy notifications.

Last January, security experts found that GDPR Cookie Consent version 1.8.2 and earlier were exposed to a severe vulnerability that allowed bad actors to pull off cross-site scripting (XSS) and privilege escalation attacks.

The bug paves a hacker’s way toward altering, posting, or deleting any content on an exploitable WordPress website even with subscriber permissions. Another adverse scenario boils down to injecting harmful JavaScript code that causes redirects or displays unwanted ads to visitors.

The developer, WebToffee, released a patched version in mid-February. However, websites are not on the safe side until the plugin is updated to a secure version.

Duplicator

With over 1 million active installations and a total of 20 million downloads, Duplicator is on the list of the top 100 WP plugins. Its primary feature is about migrating or cloning a WordPress site from one location to another. Plus, it allows site owners to back up their content easily and securely.

In February 2020, security services provider WordFence pinpointed a flaw that allowed a perpetrator to download arbitrary files from sites running Duplicator version 1.3.26 and older. For instance, an attacker could piggyback on this bug to download the contents of the “wp-config.php” file that contains, among other things, the site admin credentials.

The flaw was patched two days after the vulnerability was reported to the vendor, so webmasters should do their homework and install the latest secure version if they have not already.

Site Kit by Google

A severe flaw in Site Kit by Google, a plugin actively used on 300,000+ sites, allows an attacker to take over the associated Google Search Console and disrupt the site’s online presence. By obtaining unauthorized owner access through this weakness, a malicious actor can change sitemaps, de-list pages from Google Search results, inject harmful code, and orchestrate black hat SEO frauds.

One of the facets of this loophole is that the plugin has crude implantation of the user role checks. To top it off, it exposes the URL leveraged by Site Kit to communicate with Google Search Console. When combined, these imperfections can fuel attacks leading to privilege escalation and the post-exploitation scenarios mentioned above.

The vulnerability was spotted on April 21, 2020. Although the plugin author released an updated version (Site Kit 1.8.0) on May 7, numerous site owners have yet to apply it.

InfiniteWP Client

This plugin has more than 300,000 active installations for a reason: it allows site owners to manage multiple sites from their own server. A flip side of enjoying these perks is that an adversary may be able to circumvent authentication via a critical flaw unearthed in January 2020.

To set such an attack in motion, a hacker could exploit buggy InfiniteWP Client functions called “add_site” and “readd_site.” Because these entities did not have proper authentication controls in place, an attacker could leverage a specially crafted Base64 encoded payload to sign into a WordPress admin dashboard without having to enter a valid password. The administrator’s username would suffice to get access.

Although an update taking care of this vulnerability arrived soon after the discovery, webmasters need to give it a go so that their sites are tamper-proof.

Summary

Plugins extend the functionality of a WordPress site, but they can be a mixed blessing. Even the most popular WP plugins may have imperfections that enable various types of foul play, from CSRF and XSS to remote code execution and privilege escalation leading to site takeover and data theft.

The good news is plugin authors quickly respond to these weaknesses and roll out patches. Therefore, applying updates once available is the fundamental countermeasure for these hacks. Also, keep in mind that awareness is half the battle, so it’s a good idea to be a proactive webmaster and stay abreast of bug reports issued by WordFence and similar resources in the security arena.


Photo by Clint Patterson on Unsplash

David Balaban

David Balaban is a computer security researcher with over 17 years of experience in malware analysis and antivirus software evaluation. David runs MacSecurity.net and Privacy-PC.com projects that present expert opinions on contemporary information security matters, including social engineering, malware, penetration testing, threat intelligence, online privacy, and white hat hacking. David has a strong malware troubleshooting background, with the recent focus on ransomware countermeasures.