A previously unknown strain of Linux backdoor malware can abuse over 30 WordPress plugins and themes to inject harmful JavaScript code and redirect users.

Numerous WordPress Plugins and Themes Are Vulnerable to a New Kind of Malware

A new kind of malware targeting 32- and 64-bit Linux systems is being used to attack WordPress sites. The plugins and themes being targeted in these attacks are outdated, with vulnerabilities that cybercriminals can use to abuse sites.

In a Dr.Web post published on 30 December 2022, it was stated that "If sites use outdated versions of such add-ons, lacking crucial fixes, the targeted webpages are injected with malicious JavaScripts." This causes users to be redirected to other sites when they try to access the abused WordPress page. The destination site is chosen by the attacker and may be used for phishing, the spread of malware, or other harmful ventures.

Dr.Web dubbed the malware "Linux.BackDoor.WordPressExploit.1". It can be operated remotely by malicious actors, with the harmful JavaScript itself coming from remote servers.

An updated version of the original malware was also identified by Dr.Web, dubbed Linux.BackDoor.WordPressExploit.2.

Numerous WordPress Plugins and Themes Are at Risk

The aforementioned Dr.Web post lists the plugins and themes targeted by the original variant, shown below.

  • WP Live Chat Support Plugin
  • WordPress – Yuzo Related Posts
  • Yellow Pencil Visual Theme Customizer Plugin
  • Easysmtp
  • WP GDPR Compliance Plugin
  • Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972)
  • Thim Core
  • Google Code Inserter
  • Total Donations Plugin
  • Post Custom Templates Lite
  • WP Quick Booking Manager
  • Facebook Live Chat by Zotabox
  • Blog Designer WordPress Plugin
  • WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233)
  • WP-Matomo Integration (WP-Piwik)
  • WordPress ND Shortcodes For Visual Composer
  • WP Live Chat
  • Coming Soon Page and Maintenance Mode
  • Hybrid

The updated version of this malware, Linux.BackDoor.WordPressExploit.2, can abuse additional vulnerabilities in the following plugins.

  • Brizy WordPress Plugin
  • FV Flowplayer Video Player
  • WooCommerce
  • WordPress Coming Soon Page
  • WordPress theme OneTone
  • Simple Fields WordPress Plugin
  • WordPress Delucks SEO plugin
  • Poll, Survey, Form & Quiz Maker by OpinionStage
  • Social Metrics Tracker
  • WPeMatico RSS Feed Fetcher
  • Rich Reviews

Dr.Web also stated in its post on the matter that each of these variants contains "unimplemented functionality for hacking the administrator accounts of targeted websites through a brute-force attack—by applying known logins and passwords, using special vocabularies." On top of this, even plugins with patched vulnerabilities could be successfully exploited if this feature is implemented in future versions of this backdoor malware.

WordPress Is No Stranger to Cyberattacks

WordPress has fallen victim to cyberattacks numerous times in the past, be it through brute-force attacks, SQL injections, malware, or another kind of illicit tactic. In fact, millions of WordPress websites are attacked every year.

It was found in Sucuri's 2018 Hacked Website Report that 90 per cent of all websites attacked in the same year used WordPress. Other popular CMS platforms, such as Joomla! and Magento, didn't even reach the 5 per cent mark.

Using Outdated Plugins Can Pose a Risk

While certain outdated plugins can be useful, they also pose a security risk, as their software is not being updated on a regular basis. Check whether you're using any of the aforementioned plugins or themes on your WordPress site to determine whether you stand a chance of being targeted by this new malware.
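
One way to run the check described above, as an added example (not code from Dr.Web or the original article): it reads the `Plugin Name` / `Theme Name` and `Version` file headers under `wp-content` and flags add-ons whose names contain the distinctive words of a listed entry. The word-matching heuristic, the function names and the constructed sample tree in `demo()` are assumptions of this example.

```python
import re
import tempfile
from pathlib import Path

# Names from the article's two lists (CVE notes dropped); matching is heuristic.
TARGETED = [n.strip() for n in """
WP Live Chat Support Plugin; WordPress - Yuzo Related Posts; Easysmtp; Thim Core; Hybrid;
Yellow Pencil Visual Theme Customizer Plugin; WP GDPR Compliance Plugin; WP Live Chat;
Newspaper Theme on WordPress Access Control; Google Code Inserter; Total Donations Plugin;
Post Custom Templates Lite; WP Quick Booking Manager; Facebook Live Chat by Zotabox;
Blog Designer WordPress Plugin; WordPress Ultimate FAQ; WP-Matomo Integration (WP-Piwik);
WordPress ND Shortcodes For Visual Composer; Coming Soon Page and Maintenance Mode;
Brizy WordPress Plugin; FV Flowplayer Video Player; WooCommerce; WordPress Coming Soon Page;
WordPress theme OneTone; Simple Fields WordPress Plugin; WordPress Delucks SEO plugin;
Poll, Survey, Form & Quiz Maker by OpinionStage; Social Metrics Tracker; Rich Reviews;
WPeMatico RSS Feed Fetcher
""".replace("\n", " ").split(";")]
GENERIC = {"wordpress", "wp", "plugin", "theme", "on", "for", "by", "and"}  # too common to identify an add-on

def header(text, field):
    """Read one WordPress file-header field such as 'Plugin Name' or 'Version'."""
    m = re.search(rf"^[ \t/*#@]*{field}:(.*)$", text, re.M | re.I)
    return m.group(1).strip() if m else None

def tokens(name):
    return set(re.findall(r"[a-z0-9]+", name.lower())) - GENERIC

def scan(wp_content):
    """Return (installed name, version, article name) for every candidate match."""
    root, hits = Path(wp_content), []
    for pattern, field in [("plugins/*.php", "Plugin Name"), ("plugins/*/*.php", "Plugin Name"),
                           ("themes/*/style.css", "Theme Name")]:
        for path in sorted(root.glob(pattern)):
            text = path.read_bytes()[:8192].decode("utf-8", "replace")  # header sits near the top
            name = header(text, field)
            for target in TARGETED if name else []:
                if tokens(target) <= tokens(name):  # all distinctive words present
                    hits.append((name, header(text, "Version"), target))
    return hits

def demo():
    """Scan a constructed tree; folder names and versions here are made up."""
    root = Path(tempfile.mkdtemp())
    for rel, field, name, ver in [("plugins/sample-a/main.php", "Plugin Name", "Rich Reviews", "0.0.1"),
                                  ("plugins/sample-b/main.php", "Plugin Name", "Example Gallery", "2.0"),
                                  ("themes/sample-c/style.css", "Theme Name", "OneTone", "0.0.2")]:
        (root / rel).parent.mkdir(parents=True)
        (root / rel).write_text(f"/*\n * {field}: {name}\n * Version: {ver}\n */\n")
    return scan(root)
```

A header name can differ from the label used in the article, so an empty result does not prove a listed add-on is absent. Compare each hit's version against the vendor's fixed release.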