A widespread and ongoing malicious advertising campaign is exploiting several recently-disclosed WordPress plugin vulnerabilities to redirect website visitors to booby-trapped landing pages.

Researchers at Wordfence said that they recently discovered bad actors injecting code into websites with the vulnerable plugins in order to display unwanted popup ads, as well as redirect site visitors to tech support scam pages, malicious Android APKs and sketchy pharmaceutical ads.

“This type of campaign is far from novel, but these attacks drew our attention,” said Michael Veenstra, threat analyst at Wordfence in a Monday analysis. “By targeting a few recently disclosed WordPress plugin vulnerabilities, the attackers inject a JavaScript payload into the front end of a victim’s site. These injections each contain a short script which sources additional code from one or more third-party URLs. That code is executed when a visitor opens the victim website.”

Attackers exploited a variety of recently-disclosed WordPress plugin, such as cross-site scripting vulnerabilities, to launch the malvertising attack.

The most recently targeted vulnerability is in the WordPress Coming Soon Page and Maintenance Mode plugin, which has more 7,000 installations and helps users launch website maintenance pages. The plugin has a recently-disclosed cross-site scripting vulnerability enabling an unauthenticated attacker to inject JavaScript or HTML code into the blog front-end. While a patch is available, many websites with vulnerable versions 1.7.8 or below have still not updated.

Several other vulnerabilities disclosed over the past few months were also exploited in earlier iterations of the malvertising campaign.

That includes a vulnerability in the Yellow Pencil Visual CSS Style Editor plugin (which has 30,000 installs) disclosed and patched in April, and a flaw in the Blog Designer plugin, (which has more than 30,000 installations) that was disclosed and patched in May.

“At this time, all of the plugins with vulnerabilities they’re attempting to exploit either have patches available or have been discontinued by their developers and are unavailable for new installs,” Veenstra told Threatpost.

Through exploiting these vulnerabilities, attackers were able to inject a JavaScript payload into the front end of victims’ websites, Veenstra said.

The injections tout a short script which sources additional code from third-party URLs, which is executed when a visitor opens the victim website.

“When the third-party code executes in a visitor’s browser, it performs an initial redirect to a central domain, which then performs another redirect to a new destination based on a number of factors, notably the type of device in use by the redirected user,” according to Wordfence.

In addition to the redirects, attackers were able to inject popup ads into victims’ sites. The popup injection JavaScript code was identified on domains directly associated with the attacker, but researchers said that they also found injections sourcing scripts from legitimate sites which were infected by the attacker through other means.

The earliest confirmed activity associated with the campaign was tied to the registration of yourservice[.]live (one of the URLs being commonly sourced in the injected script on websites) in September 2018, Veenstra told Threatpost. However, he said that it didn’t necessarily mean they began an attack campaign at the same time.

“We do know they were issuing attacks at scale by April of 2019, but the attacker’s TTPs [tactics techniques and procedures] change frequently enough that the campaign may have had a much different scope before then,” he said.

Plugins continue to be a security thorn in WordPress’ side: According to a Imperva report, almost all (98 percent) of WordPress vulnerabilities are related to plugins that extend the functionality and features of a website or a blog. Other recent vulnerabilities found in WordPress plugins include WP Live Chat and Yuzo Related Posts.

While the total number of infected websites is unknown, Veenstra told Threatpost that it’s reasonable to expect anyone impacted by a newly disclosed XSS flaw in the near future to be at risk.

“It’s difficult to estimate an expected impact in this case,” Veenstra told Threatpost. “Some plugins they’re attacking have been removed from the official repository, which makes version install counts hard to assess, and some were never there in the first place. The attackers still probe for months-old vulnerabilities, but quickly adopt new ones as they’re disclosed.”

Interested in more on patch management? Don’t miss our free live Threatpost webinar, “Streamlining Patch Management,” on Wed., July 24, at 2:00 p.m. EDT. Please join Threatpost editor Tom Spring and a panel of patch experts as they discuss the latest trends in Patch Management, how to find the right solution for your business and what the biggest challenges are when it comes to deploying a program. Register and Learn More