
Hackers target critical WordPress plugin flaw to install backdoors and create admin accounts

Graham CLULEY

November 21, 2018


A recently discovered vulnerability in a popular WordPress plugin is being actively exploited in attacks by hackers attempting to install backdoors on websites, inject custom code, and grant themselves admin rights.

The flaw existed in a version of the AMP for WP – Accelerated Mobile Pages plugin, designed to make webpages load faster on mobile devices.

AMP for WP mysteriously disappeared from the official WordPress plugin repository on 21 October, with its 100,000+ users greeted with a message saying:

“This plugin was closed on October 21, 2018 and is no longer available for download.”

An update on the developers’ blog, however, claimed that the plugin’s withdrawal was “just a temporary situation” that would be resolved in a “couple of days” once a security vulnerability had been fixed.

The blog post didn’t share many details about the plugin’s security vulnerability other than to say it “could be exploited by non-admins of the site.”

In an apparent attempt to reassure users, the developers said that existing users could continue to use the plugin while they worked on a fix.

Hmm. A plugin has a vulnerability but carry on using it? That doesn’t sound like great advice to me.

Security researchers at WebARX shared more details of the problem last week, after a fixed version of the plugin was finally released.

The researchers explained that vulnerabilities in AMP for WP allowed unauthorised users to change any plugin option, and could even inject malicious code (such as malvertising or cryptomining code) onto the website’s pages.

The existence of the vulnerability is bad enough, but now researchers at Wordfence say that they have seen it being actively exploited in conjunction with an XSS (cross-site scripting) bug to create new admin user accounts with the name “supportuuser” (of course, the attack could change to use other account names).

If your website runs a self-hosted edition of WordPress then it is essential it – and any third-party plugins – are kept updated. At the time of writing, the latest version of AMP for WP is version 0.9.97.20.
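Two checks a site owner can run after reading the above, as an added example that is not code from the article, WebARX, Wordfence or the plugin's developers: read the installed version out of the plugin's header comment and compare it with the version the article names, and list administrator accounts that are not on an allowlist you maintain yourself (the sample header, the sample user list and the allowlist below are constructed for illustration; a real audit would read the plugin's main PHP file and the output of `wp user list`).

```python
import re

# Version the article gives as the latest at the time of writing.
REFERENCE_VERSION = "0.9.97.20"

# Constructed sample of a WordPress plugin header comment. On a real site it is
# the main PHP file under wp-content/plugins/<plugin-slug>/.
SAMPLE_PLUGIN_HEADER = """<?php
/*
Plugin Name: AMP for WP - Accelerated Mobile Pages
Version: 0.9.97.19
*/
"""

# Constructed sample of (login, role) pairs, as `wp user list` would report them.
SAMPLE_USERS = [("alice", "administrator"),
                ("supportuuser", "administrator"),
                ("bob", "editor")]

# Assumed allowlist: the admin logins you know you created. Keep it in your own
# records, not on the site being checked.
EXPECTED_ADMINS = {"alice"}


def parse_version(text):
    """Turn a dotted version such as 0.9.97.20 into a tuple of ints so that
    0.9.97.20 correctly sorts after 0.9.97.9 (string comparison would not)."""
    return tuple(int(part) for part in text.strip().split("."))


def header_version(plugin_file):
    """Extract the Version: field from a WordPress plugin header comment."""
    match = re.search(r"^\s*\*?\s*Version:\s*([0-9.]+)\s*$", plugin_file, re.M)
    return match.group(1) if match else None


def is_outdated(plugin_file, reference=REFERENCE_VERSION):
    """True when the header has no version or one older than the reference."""
    installed = header_version(plugin_file)
    return installed is None or parse_version(installed) < parse_version(reference)


def unexpected_admins(users, allowlist=EXPECTED_ADMINS):
    """Administrator logins not on the allowlist, e.g. a 'supportuuser' account."""
    return sorted(login for login, role in users
                  if role == "administrator" and login not in allowlist)


if __name__ == "__main__":
    print("plugin outdated:", is_outdated(SAMPLE_PLUGIN_HEADER))
    print("unexpected admins:", unexpected_admins(SAMPLE_USERS))
```

An unexpected administrator is a sign to look further (recently modified files, unfamiliar plugin options, injected scripts in page output), not just an account to delete.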

Self-hosting your WordPress site has its benefits, but the biggest drawback is that the onus is put on you to keep it up-to-date with the latest patches and updates (or find yourself a managed WordPress host who is prepared to take it on for you). New vulnerabilities are frequently found in the software and its many thousands of third-party plugins – so it’s not something that you can afford to ignore.

My advice? Enable automatic updates wherever possible.

Left unattended, a website running a self-hosted edition of WordPress can be easy pickings for a hacker, potentially damaging your brand, scamming your website’s visitors, and helping hackers make their fortune.
