Hackers have WordPress in their sights, with a new mass attack against more than 900,000 websites.
The campaign intensified after April 28: on May 3, Defiant, the WordPress security company behind the Wordfence security plugin, detected more than 20 million attacks against more than 500,000 websites.
Ram Gall, Defiant's QA chief, said the attacker had focused mainly on exploiting cross-site scripting (XSS) vulnerabilities in plugins that were patched in the past and have been targeted in other attacks.
According to Gall, the following vulnerabilities appear to be the most targeted; the affected plugins have either been removed or patched in the past.
- An XSS vulnerability in the Easy2Map plugin, which was removed from WordPress's plugin directory in August 2019 and is estimated to be installed on fewer than 3,000 websites.
- An options-update vulnerability in WP GDPR Compliance, which among other things allowed intruders to change the site's URL; it was fixed in late 2018. Although this plugin had more than 100,000 installations, it is estimated that no more than 5,000 websites remain affected.
- An XSS vulnerability in Blog Designer, which was fixed in 2019. It is estimated that fewer than 1,000 vulnerable installations remain, although this vulnerability has been the target of previous hacking campaigns.
- An options-update vulnerability in Total Donations that allows attackers to change the website's home URL. This plugin was permanently removed from the Envato Marketplace in early 2019, and it is estimated that fewer than 1,000 installations remain.
- An XSS vulnerability in the Newspaper theme, which was fixed in 2016. This vulnerability has also been targeted in the past.
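Two of the weaknesses listed above are options-update bugs that let an intruder rewrite the site's URL, and all five live in plugins or themes that were either patched or pulled from distribution. The audit helper below is an added example written for this article; it is not code from Defiant, Wordfence or any of the plugin vendors. It checks a site's `siteurl`/`home` options against the host the operator expects, and flags installed plugins that appear on a watchlist of removed or patched components. The plugin slugs and `fixed_in` versions in the watchlist are placeholders chosen for the example, as is the sample site data; an operator would replace them with the real directory slugs and the versions from each vendor's changelog.

```python
from __future__ import annotations
import re
from urllib.parse import urlparse

# Constructed watchlist covering the plugins and theme named in the article.
# Slugs and "fixed_in" versions are placeholders chosen for this example, not
# values taken from the article or from the vendors' changelogs.
WATCHLIST = {
    "easy2map":           {"status": "removed", "fixed_in": None},
    "wp-gdpr-compliance": {"status": "patched", "fixed_in": "2.0.0"},
    "blog-designer":      {"status": "patched", "fixed_in": "2.0.0"},
    "total-donations":    {"status": "removed", "fixed_in": None},
    "newspaper":          {"status": "patched", "fixed_in": "9.0.0"},
}


def parse_version(v: str) -> tuple[int, ...]:
    """Turn '1.4.10' into (1, 4, 10) so versions compare numerically, not lexically.
    Non-numeric suffixes such as '-beta' are ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", v))


def check_site_urls(options: dict[str, str], expected_host: str) -> list[str]:
    """Flag 'siteurl' / 'home' option values whose host is not the one the
    operator expects. Rewriting these two options is exactly what the
    options-update bugs described in the article allowed."""
    findings: list[str] = []
    for key in ("siteurl", "home"):
        value = options.get(key)
        if value is None:
            findings.append(f"{key}: option missing")
            continue
        host = urlparse(value).hostname
        if host != expected_host:
            findings.append(f"{key}: points at {host!r}, expected {expected_host!r}")
    return findings


def check_plugins(installed: dict[str, str], watchlist: dict = WATCHLIST) -> list[str]:
    """Flag installed plugins that were removed from distribution (so no fix
    will ever ship) or that sit below the version in which the bug was fixed."""
    findings: list[str] = []
    for slug, version in installed.items():
        entry = watchlist.get(slug)
        if entry is None:
            continue  # not on the watchlist; nothing to say about it here
        if entry["status"] == "removed":
            findings.append(f"{slug} {version}: removed from distribution, no fix will ship; remove it")
        elif parse_version(version) < parse_version(entry["fixed_in"]):
            findings.append(f"{slug} {version}: below fixed version {entry['fixed_in']}; update it")
    return findings


def audit(options: dict[str, str], installed: dict[str, str],
          expected_host: str, watchlist: dict = WATCHLIST) -> list[str]:
    """Run both checks and return every finding as a one-line message."""
    return check_site_urls(options, expected_host) + check_plugins(installed, watchlist)


# Constructed sample input: a site whose 'home' option has been rewritten to an
# unexpected host and which still carries two of the watchlisted plugins.
SAMPLE_OPTIONS = {"siteurl": "https://blog.example", "home": "https://redirect.invalid/x"}
SAMPLE_PLUGINS = {"easy2map": "1.3.0", "wp-gdpr-compliance": "1.4.0", "akismet": "4.1.5"}

if __name__ == "__main__":
    for line in audit(SAMPLE_OPTIONS, SAMPLE_PLUGINS, "blog.example"):
        print(line)
```

Run against the sample data the script reports three findings: the rewritten `home` option, the removed Easy2Map plugin, and the out-of-date WP GDPR Compliance plugin. In practice the `options` and `installed` dictionaries would be filled from the `wp_options` table and the plugin list (for example via WP-CLI), and the check would be scheduled so that an unexpected change to `siteurl` or `home` is noticed promptly rather than when visitors start being redirected.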