The Wordfence security company warned that hackers have been exploiting zero-day flaws for affecting WordPress plugins to plant backdoors and take control of vulnerable websites.
According to the experts, hackers had been exploiting previously unknown vulnerabilities in three WordPress plugins. The flaws, which were described as critical PHP object injection issues, affect the RegistrationMagic-Custom Registration Forms plugins, the Flickr Gallery, and the Appointments.
The researchers explained that the attacks, which have been exploiting the zero-day vulnerability, include a file creation on targeted websites, however, the logs only showed a POST request to /wp-admin/admin-ajax.php, which made it look as if the file appeared unexpectedly.
“This vulnerability allowed attackers to cause a vulnerable website to fetch a remote file (a PHP backdoor) and save it to a location of their choice. It required no authentication or elevated privileges. For sites running Flickr Gallery, the attackers only had to send the exploit as POST request to the site’s root URL. For the other two plugins, the request would go to admin-ajax.php,” the Wordfence researchers said.
The creators of the affected plugins were informed about the issue and they released updates to address the flaw. The security hole was patched in Appointments 2.2.2, Flickr Gallery 1.5.3 and RegistrationMagic 18.104.22.168.
During the time when the flaw has been critical, the plugins were used by approximately 9,000 (Appointments), 8,000 (RegistrationMagic), and 4,000 (Flickr Gallery) WordPress websites.
The Wordfence statistics for last month shows that the experts had identified malicious functionality in a plugin present on approximately 200,000 websites.
Since spring 2017, WordPress has been running a bug bounty program and has paid out rewards totaling thousands of dollars so far.