The cyber security experts: The plugins currently under attack are Bold Page Builder, Blog Designer, Live Chat with Facebook Messenger, Yuzo Related Posts, Visual CSS Style Editor, WP Live Chat Support, Form Lightbox, and Hybrid Composer
During the initial investigation, WordFence identified the attacks coming from a number of IP addresses linked to web hosting providers. Shortly after that post, most of the IPs involved ceased the activity. One, however, has continued the attacks. This is 220.127.116.11, a Rackspace server currently hosting some presumably compromised websites. The cyber security experts have reached out to Rackspace to inform them of this activity, in hopes that they will take action in preventing further attacks from their network. Furthermore the WordPress malvertising campaign has been targeting a number of known vulnerabilities, and new are added to the list of targets as cybercrime discovered. Of particular note is a recently disclosed flaw in the Bold Page Builder plugin. The plugins currently under attack are Bold Page Builder, Blog Designer, Live Chat with Facebook Messenger, Yuzo Related Posts, Visual CSS Style Editor, WP Live Chat Support, Form Lightbox, and Hybrid Composer.
Malvertising campaign picks up new targets over time. Furthermore, cybercrime added an additional script to ones triggered malicious redirects or unwanted popups, which attempts to install a backdoor into the target site by exploiting an administrator’s session
Moreover, the WordPress malvertising campaign picks up new targets over time. It’s reasonable to assume any unauthenticated XSS or options update vulnerabilities disclosed in the near future will be quickly targeted by this threat actor. To boost attacks, cybercrime added an additional script to ones triggered malicious redirects or unwanted popups, which attempts to install a backdoor into the target site by exploiting an administrator’s session. The code is responsible for attempting to create a new user with administrator privileges on the victim’s site. After checking for a cookie to determine if the given visitor has triggered the payload before, a function is executed in order to test if that visitor is capable of creating new users, which would be the case if a logged-in administrator views an affected page.