A newly identified Trojan backdoor program exploits some 30 vulnerabilities in WordPress plug-ins and themes in order to breach websites based on the WordPress content management system. It only needs to abuse one of those flaws to execute an attack.
And here's a scary twist: "An analysis of an uncovered trojan application, performed by Doctor Web's specialists, revealed that it could be the malicious tool that cybercriminals have been using for more than three years to carry out such attacks and monetize the resale of traffic, or arbitrage," the researchers wrote about the malware, which targets 32-bit versions of Linux and also can run on 64-bit versions of the platform.
Among the plug-ins and themes the Trojan's version 1 variant abuses are WP Live Chat Support Plugin; Yellow Pencil Visual Theme Customizer Plugin; Easysmtp; WP GDPR Compliance Plugin; Google Code Inserter; Blog Designer WordPress Plugin; and WP Live Chat. Version 2 exploits other WordPress plugins, including Brizy WordPress Plugin; FV Flowplayer Video Player; WordPress Coming Soon Page; Poll, Survey, Form & Quiz Maker by OpinionStage; and Social Metrics Tracker.
WordPress plug-ins and themes are a popular avenue for cybercriminals looking to take over websites; they can be used for everything from phishing to ad fraud to malware distribution. Vulnerabilities are not uncommon. For instance, in December an SSRF vulnerability in the Google Web Stories plug-in was found that would allow a cyberattacker to collect metadata from WordPress sites hosted on an AWS server, and potentially log in to a cloud instance to run commands.