Researchers at Wordfence reported an ongoing hacking campaign exploiting security flaws in some WordPress plugins.

Researchers from Wordfence uncovered an ongoing hacking campaign exploiting security vulnerabilities in some WordPress plugins to redirect visitors to websites under the control of the attackers.

The campaign specifically targeted flaws in WordPress plugins developed by NicDark (now renamed “Endreww”), such as the plugin Simple 301 Redirects – Addon – Bulk Uploader.

All the WordPress plugins targeted in this campaign have updates available addressing the vulnerabilities.

“The vulnerabilities recently patched in plugins developed by NicDark are all exploited by very similar AJAX requests.” reads the post published by Wordfence. “In each case the plugin registers a nopriv_ AJAX action, which is accessible even by unauthenticated visitors, responsible for importing various WordPress settings. In these requests, key->value pairs of WordPress options and values are parsed out and applied directly to the affected site’s database.”

The flaws could be exploited by attackers to modify arbitrary WordPress options, for example to enable registration as an Administrator user. The attackers behind this campaign modified the ‘siteurl’ and ‘home’ settings of the targeted website to redirect visitors to websites under their control.
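The settings-import pattern Wordfence describes, shown as an added illustration beside a hardened version (this is example code, not NicDark's plugin code or Wordfence's; the action names `nd_import_settings` / `nd_import_settings_v2`, the nonce name and the option allow-list are assumptions, since the page does not name the real AJAX actions):

```php
<?php
// Added example, not taken from the affected plugins. Hook and option names are assumed.

// VULNERABLE PATTERN (as described in the report): the handler is registered on a
// wp_ajax_nopriv_ hook, so any visitor can reach it through admin-ajax.php with no
// login, no nonce and no capability check. Every submitted key => value pair is
// written straight to the options table, which is how core options such as
// 'siteurl' and 'home' end up pointing at an attacker-controlled host.
function nd_import_settings_vulnerable() {
    foreach ( $_POST as $key => $value ) {
        update_option( $key, $value );
    }
    wp_send_json_success();
}
add_action( 'wp_ajax_nopriv_nd_import_settings', 'nd_import_settings_vulnerable' );
add_action( 'wp_ajax_nd_import_settings',        'nd_import_settings_vulnerable' );

// HARDENED VERSION (replaces the handler above in a real plugin; shown under a
// second action name only so both can sit in one file): logged-in hook only,
// nonce check, capability check, and an explicit allow-list of the plugin's own
// options so core options can never be touched regardless of what is posted.
function nd_import_settings_hardened() {
    check_ajax_referer( 'nd_import_nonce', 'nonce' );   // dies on a missing or bad nonce
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'insufficient privileges', 403 );
    }
    $allowed = array( 'nd_theme_color', 'nd_layout' );  // assumed plugin-owned options
    $applied = array();
    foreach ( $allowed as $key ) {
        if ( isset( $_POST[ $key ] ) ) {
            update_option( $key, sanitize_text_field( wp_unslash( $_POST[ $key ] ) ) );
            $applied[] = $key;
        }
    }
    wp_send_json_success( $applied );
}
// Deliberately no wp_ajax_nopriv_ registration: unauthenticated requests get WordPress's
// default "0" response and never reach the handler.
add_action( 'wp_ajax_nd_import_settings_v2', 'nd_import_settings_hardened' );
```

Grepping a plugin for `wp_ajax_nopriv_` hooks whose callbacks call `update_option` is a quick way to spot this pattern during review.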

NicDark recently addressed a vulnerability in Simple 301 Redirects – Addon – Bulk Uploader that allowed unauthenticated attackers to inject their own 301 redirect rules into a victim’s site.

Experts explained that vulnerable versions of the plugin would constantly listen for the presence of the POST body parameter ‘submit_bulk_301’. When that parameter was present, an uploaded CSV file would be processed and used to import a bulk set of site paths and their redirect destinations.

The campaign began on July 31; other attacks targeted the following WordPress plugins:

Attackers used several domains to perform these script injections and redirects; the domains rotated with some frequency, and new ones were added every few days. The WordPress plugin repository team quickly removed the other WordPress plugins developed by NicDark from the repository. Threat actors noticed that all these plugins suffered similar flaws and began to target them.

“An active campaign is targeting a number of vulnerabilities in attempts to redirect victim sites’ visitors to potentially harmful destinations. The vulnerabilities in question have all been patched by their developers, so ensure all of your WordPress plugins are up to date.” concludes Wordfence.

Pierluigi Paganini

(SecurityAffairs – WordPress plugins, hacking)