CyberSecurity news

FlagThis - #wordpress

Daryna Olyniychuk@SOC Prime Blog //
References: securityaffairs.com
Attackers are actively exploiting vulnerabilities in popular content management systems (CMS) like WordPress and Craft CMS to gain unauthorized access to web servers. These attacks highlight the critical need for website administrators to stay vigilant and promptly apply security patches. A significant phishing campaign has been identified targeting WordPress WooCommerce users, where victims are tricked into downloading a fake security patch that actually installs a backdoor on their sites, allowing attackers persistent access.

Craft CMS is also facing active exploitation of a critical vulnerability, CVE-2025-32432, which allows for Remote Code Execution (RCE). This flaw is particularly dangerous as it is being chained with another vulnerability, CVE-2024-58136 in the Yii framework, to facilitate zero-day attacks. These chained exploits enable attackers to breach servers and steal sensitive data. Researchers are urging Craft CMS users to update to patched versions immediately to mitigate the risk.

An investigation into a compromised server revealed that attackers used CVE-2025-32432 to download a PHP-based file manager, which then enabled them to upload further malicious PHP files. The investigation involved analyzing access logs from the web server and Craft CMS logs, including web logs and phperrors.log, to identify the attacker's actions. The attack leverages Craft CMS's asset management system, exploiting a flaw in how the system handles asset IDs and image transformations.

Recommended read:
References :
  • securityaffairs.com: A large-scale phishing campaign targets WordPress WooCommerce users with a fake security alert urging them to download a ‘critical patch’ hiding a backdoor.

@securityonline.info //
A new malware campaign is targeting WordPress websites by using a plugin disguised as a security tool. The malicious plugin, often named 'WP-antymalwary-bot.php', provides attackers with administrator access to compromised sites, all while remaining hidden from the WordPress admin dashboard. The Wordfence Threat Intelligence team discovered this threat in late January 2025 during a site cleanup, revealing the plugin's ability to maintain access, execute remote code, and inject malicious JavaScript. Other names associated with the plugin include addons.php, wpconsole.php, and wp-performance-booster.php, underscoring the campaign's wide reach and adaptability.

The disguised plugin is designed to appear legitimate, mimicking genuine plugin structure and code indentation, which allows it to easily evade detection by site administrators. Once installed, the plugin exploits the REST API to facilitate remote code execution, injecting malicious PHP code into the site theme's header file or clearing caches of popular caching plugins. Furthermore, the plugin incorporates a "pinging" function to report back to a command-and-control server and the ability to spread malware into other directories. A particularly concerning feature is a modified wp-cron.php file that can reactivate the plugin if removed, ensuring the malware's persistence on the compromised site.

Security researchers have observed newer versions of this malware handling code injections differently. These updated versions fetch JavaScript code from compromised domains to serve ads or spam, demonstrating the malware's evolving sophistication. The presence of Russian language comments within the code suggests that the threat actors may be Russian-speaking. The discovery of this malware campaign highlights the importance of vigilance when installing WordPress plugins. Site owners should always verify the legitimacy and reputation of plugins before installation to prevent compromise and maintain the integrity of their websites.

Recommended read:
References :
  • hackread.com: WordPress sites are under threat from a deceptive anti-malware plugin. Learn how this malware grants backdoor access, hides…
  • securityonline.info: WordPress Malware Alert: Fake Anti-Malware Plugin Grants Admin Access and Executes Remote Code
  • www.bleepingcomputer.com: WordPress plugin disguised as a security tool injects backdoor
  • The DefendOps Diaries: Protecting WordPress Sites from Malicious Plugin Campaigns
  • BleepingComputer: A new malware campaign targeting WordPress sites employs a malicious plugin disguised as a security tool to trick users into installing and trusting it.
  • Talkback Resources: WordPress Malware Alert: Fake Anti-Malware Plugin Grants Admin Access and Executes Remote Code [app] [mal]
  • bsky.app: A new malware campaign targeting WordPress sites employs a malicious plugin disguised as a security tool to trick users into installing and trusting it.
  • The Hacker News: Fake Security Plugin on WordPress Enables Remote Admin Access for Attackers
  • BleepingComputer: WordPress plugin disguised as a security tool injects backdoor
  • Talkback Resources: Talkback - Fake Security Plugin on WordPress Enables Remote Admin Access for Attackers
  • Talkback Resources: Fake Security Plugin on WordPress Enables Remote Admin Access for Attackers [net] [mal]
  • bsky.app: bleepingcomputer.com/news/security/wordpress-plugin-disguised-as-a-security-tool-injects-backdoor/

Pierluigi Paganini@securityaffairs.com //
A new malware campaign is targeting WordPress sites, employing a malicious plugin disguised as a security tool to trick users into installing and trusting it. This plugin, often named 'WP-antymalwary-bot.php,' provides attackers with persistent access, remote code execution, and JavaScript injection, while remaining hidden from the plugin dashboard to evade detection. The malware was first discovered in late January 2025 during a site cleanup, where a modified 'wp-cron.php' file was found, which creates and programmatically activates the malicious plugin.

Cybercriminals are specifically targeting WooCommerce users with a large-scale phishing campaign, aiming to gain backdoor access to WordPress websites. The malicious plugin appears legitimate at first glance, complete with header comments, code indentation, and professional structure. However, it contains a backdoor function that allows attackers to log in as the first administrator user by sending a crafted GET request. This allows them to gain administrative access and inject PHP code into theme files, such as header.php, via a REST API route registered without any permission checks.

The malware enhances its stealth through various methods, including hiding itself from the WordPress Admin Dashboard using the 'hide_plugin_from_list' function. It also communicates with a Command & Control (C2) server, sending periodic "ping" updates to inform the attacker about its operational status. Furthermore, the malware injects malicious JavaScript ads into the site's pages using obfuscated methods and scripts retrieved from compromised external resources. Even if the plugin is deleted, the modified 'wp-cron.php' file reinstalls and reactivates it during the next site visit, ensuring persistence on a compromised site.

Recommended read:
References :
  • Cybernews: Cybercriminals are targeting WooCommerce users with a large-scale phishing campaign, giving them backdoor access to WordPress websites.
  • securityonline.info: WordPress Malware Alert: Fake Anti-Malware Plugin Grants Admin Access and Executes Remote Code
  • BleepingComputer: A new malware campaign targeting WordPress sites employs a malicious plugin disguised as a security tool to trick users into installing and trusting it.
  • hackread.com: WordPress sites are under threat from a deceptive anti-malware plugin.
  • www.bleepingcomputer.com: A new malware campaign targeting WordPress sites employs a malicious plugin disguised as a security tool to trick users into installing and trusting it.
  • The DefendOps Diaries: Learn how to protect WordPress sites from malicious plugins posing as security tools, ensuring your site's safety and integrity.

Pierluigi Paganini@securityaffairs.com //
A large-scale phishing campaign is actively targeting WordPress WooCommerce users, employing deceptive tactics to compromise their websites. Cybercriminals are sending out fake security alerts, urging recipients to download a "critical patch." Unsuspecting users who fall for the scam and download the so-called patch are actually installing a malicious plugin that creates a hidden administrator account and gives attackers backdoor access to their WordPress sites. This campaign highlights the evolving sophistication of cyber threats against e-commerce platforms.

The phishing emails are designed to mimic official WooCommerce communications and often warn of a non-existent "Unauthenticated Administrative Access" vulnerability. To further deceive users, the attackers employ homograph attacks, using domain names that closely resemble the legitimate WooCommerce website but contain subtle character differences such as 'woocommėrce[.]com'. The fake patch, once installed, allows attackers to inject malicious code, redirect site visitors, or even encrypt server resources for extortion.

Cybersecurity researchers advise WooCommerce users to be extremely cautious when receiving security alerts and to verify the authenticity of any patches directly through official WooCommerce channels. Users should also scan their instances for suspicious plugins or administrator accounts and ensure all software is up to date. The ultimate goal of the attackers is to gain remote control over the websites, allowing them to inject spam or sketchy ads, redirect site visitors to fraudulent sites, enlist the breached server into a botnet for carrying out DDoS attacks, and even encrypt the server resources as part of an extortion scheme.

Recommended read:
References :
  • Cyber Security News: The Patchstack security team has identified a large-scale, sophisticated phishing campaign targeting WooCommerce users with fake security alerts.
  • gbhackers.com: A concerning large-scale phishing campaign targeting WooCommerce users has been uncovered by the Patchstack security team, employing a highly sophisticated email and web-based phishing template to deceive website owners.
  • The DefendOps Diaries: Phishing campaign exploits WooCommerce admins with fake security patches and deceptive tactics, highlighting advanced cyber threats.
  • The Hacker News: Cybersecurity researchers are warning about a large-scale phishing campaign targeting WooCommerce users with a fake security alert urging them to download a critical patch but deploy a backdoor instead.
  • BleepingComputer: WooCommerce admins targeted by fake security patches that hijack sites
  • Cybernews: Cybercriminals are targeting WooCommerce users with a large-scale phishing campaign, giving them backdoor access to WordPress websites.
  • securityaffairs.com: A large-scale phishing campaign targets WordPress WooCommerce users with a fake security alert urging them to download a ‘critical patch’ hiding a backdoor.
  • hackread.com: Sneaky WordPress Malware Disguised as Anti-Malware Plugin
  • securityonline.info: WordPress Malware Alert: Fake Anti-Malware Plugin Grants Admin Access and Executes Remote Code
  • www.bleepingcomputer.com: A new malware campaign targeting WordPress sites employs a malicious plugin disguised as a security tool to trick users into installing and trusting it.

@cyberalerts.io //
A massive ad fraud operation dubbed "Scallywag" has been disrupted after researchers uncovered its scheme of generating up to 1.4 billion fraudulent ad requests daily. This operation monetized pirating and URL shortening websites through specially crafted WordPress plugins. These plugins, including Soralink, Yu Idea, WPSafeLink, and the Droplink extension, facilitated the insertion of ad-laden intermediary pages between piracy catalog sites and the desired pirated content, forcing users to interact with numerous ads and wait times.

HUMAN, a bot and fraud detection company, played a critical role in dismantling Scallywag's operations. The researchers identified anomalous traffic patterns, such as elevated ad impression volume and forced user interactions on seemingly innocuous WordPress blogs. By flagging suspicious domains and working with ad providers to block fraudulent bid requests, HUMAN successfully cut off 95% of the Scallywag fraud-as-a-service operation.

Scallywag's success relied heavily on cloaking and obfuscation techniques to evade detection. When ad platforms or advertisers directly visited the intermediary pages, they appeared as benign blogs. Only users redirected from piracy catalog sites encountered the ad-heavy, incentive-laden versions. The takedown has prompted many of Scallywag's affiliates to seek other scams, but the threat actors have shown resilience by rotating domains and moving to other monetization models, highlighting the need for continuous vigilance against ad fraud.

Recommended read:
References :
  • bsky.app: A large-scale ad fraud operation called 'Scallywag' is monetizing pirating and URL shortening sites through specially crafted WordPress plugins that generate billions of daily fraudulent requests.
  • cyberpress.org: A sprawling ad fraud operation, codenamed “Scallywag,” has been disrupted after generating a staggering 1.4 billion fraudulent ad requests per day at its peak, according to threat intelligence researchers. Built around a suite of WordPress plugins, Scallywag enabled cybercriminals to monetize digital piracy and URL-shortening sites on an industrial scale, all while evading detection through
  • www.bleepingcomputer.com: A large-scale ad fraud operation called 'Scallywag' is monetizing pirating and URL shortening sites through specially crafted WordPress plugins that generate billions of daily fraudulent requests.
  • www.scworld.com: BleepingComputer reports that the wide-reaching Scallywag ad fraud operation that generated up to 1.4 billion fake ad requests daily to monetize pirating and URL shortening websites had its operations nearly dismantled following efforts from bot and fraud detection company HUMAN, prompting most of its affiliates to join other scams.

@securityonline.info //
A critical security vulnerability, identified as CVE-2025-3102, has been discovered in the SureTriggers WordPress plugin, a widely used automation tool active on over 100,000 websites. The flaw allows attackers to bypass authentication and create administrator accounts, potentially leading to complete site takeover. Security researchers disclosed that the vulnerability stems from a missing empty value check in the plugin's `authenticate_user()` function, specifically affecting versions up to 1.0.78.

This vulnerability is particularly dangerous when the SureTriggers plugin is installed but not yet configured with a valid API key. In this state, an attacker can send requests with a blank secret key, tricking the plugin into granting access to sensitive REST API functions, including the ability to create new admin accounts. Exploiting this flaw could enable malicious actors to upload malicious themes or plugins, inject spam, redirect site visitors, and establish persistent backdoors, ultimately gaining full control of the affected WordPress site.

WordPress site owners are strongly urged to immediately update to SureTriggers version 1.0.79, which includes a patch for the vulnerability. Users should also review their WordPress user lists for any unfamiliar administrator accounts and ensure that all API-driven plugins have their keys properly configured and stored securely. Within hours of the public disclosure, hackers began actively exploiting the flaw, creating bogus administrator accounts. The attack attempts have originated from two IP addresses: 2a01:e5c0:3167::2 (IPv6) and 89.169.15.201 (IPv4).

Recommended read:
References :
  • securityonline.info: SureTriggers Vulnerability Exposes 100,000+ WordPress Sites to Admin Takeover
  • BleepingComputer: Hackers started exploiting a high-severity flaw that allows bypassing authentication in the OttoKit (formerly SureTriggers) plugin for WordPress just hours after public disclosure.
  • thecyberexpress.com: 100,000+ WordPress Sites at Risk as SureTriggers Exploit Goes Live
  • bsky.app: Bsky post on Hackers exploit WordPress plugin auth bypass hours after disclosure
  • www.scworld.com: Immediate exploitation of high-severity WordPress plugin flaw reported
  • gbhackers.com: GBHackers article on WordPress Plugin Rogue Account‑Creation Flaw Leaves 100 K WordPress Sites Exposed.
  • Cyber Security News: Rogue User‑Creation Bug Exposes 100,000 WordPress Sites to Takeover
  • thehackernews.com: OttoKit WordPress Plugin Admin Creation Vulnerability Under Active Exploitation
  • gbhackers.com: A severe vulnerability has been uncovered in the SureTriggers WordPress plugin, which could leave over 100,000 websites at risk. The issue, discovered by security researcher mikemyers, allows attackers to create rogue administrative users on sites where the plugin is not properly configured.
  • securityaffairs.com: Attackers are exploiting recently disclosed OttoKit WordPress plugin flaw
  • ciso2ciso.com: Attackers are actively exploiting a vulnerability in the OttoKit (formerly SureTriggers) WordPress plugin, with many websites potentially exposed to complete compromise.
  • Security Risk Advisors: Critical Authentication Bypass in WordPress SureTriggers Plugin Leads to Admin Account Creation

info@thehackernews.com (The Hacker News) //
Security researchers have uncovered a rise in hackers exploiting WordPress mu-plugins to inject malicious code. The mu-plugins directory, designed for automatically loading essential plugins, is being used to conceal malware, enabling persistent remote access and site redirection. Because these plugins are automatically enabled and not visible in the standard WordPress plugin interface, attackers can maintain a stealthy foothold, bypassing typical security checks. This allows them to inject spam, hijack site images, and maintain long-term control over compromised sites.

Researchers at Sucuri have identified three distinct types of malicious code being deployed. One variant redirects site visitors to external malicious websites, often disguised as browser updates serving malware. Another executes a webshell, providing attackers with remote code execution capabilities. The third injects spam onto the website, replacing images with explicit content and hijacking outbound links to malicious popups. The goal of this spam injection is often to promote scams or manipulate SEO rankings. These tactics are used to target website visitors while evading detection by search engines and administrators.

Website administrators are advised to include the mu-plugins directory in their regular security scans to detect and remove any unrecognized or suspicious files. Security experts recommend ensuring WordPress, plugins, and themes are updated and employing strong passwords with two-factor authentication. If a compromise is suspected, all unauthorized admin accounts and malicious files should be removed to prevent reinfection. These measures are crucial to securing WordPress sites against this evolving threat.
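The scan recommended above can be automated with an integrity baseline. The script below is an added example, not code from Sucuri, Wordfence or any cited article: it hashes every file under wp-content/mu-plugins (loaded on every request and never listed as "active") together with wp-cron.php, which the fake anti-malware plugin described earlier modified to re-install itself, and reports anything new, changed or missing relative to a baseline taken while the site was clean. It assumes a standard site layout and that sha256sum, awk and find are available; the demo tree it builds is constructed sample data.

```shell
#!/bin/sh
# Added example: integrity check for WordPress paths that execute without any
# admin-visible activation step. Assumes sha256sum/awk/find and a standard layout.

# Paths WordPress runs automatically: every file under wp-content/mu-plugins
# plus wp-cron.php (abused by the fake anti-malware plugin for persistence).
list_autoloaded() {
  ( cd "$1" || exit 1
    if [ -d wp-content/mu-plugins ]; then find wp-content/mu-plugins -type f; fi
    if [ -f wp-cron.php ]; then echo wp-cron.php; fi ) | sort
}

# Record a known-good baseline (sha256sum format: "<hash>  <relative path>")
# right after a clean install or a completed cleanup.
make_baseline() {
  list_autoloaded "$1" | while IFS= read -r rel; do
    ( cd "$1" && sha256sum "$rel" )
  done
}

# Compare the live tree with the baseline. Prints NEW / MODIFIED / MISSING
# findings and returns 0 only when nothing changed.
audit_autoloaded() {
  root="$1"; baseline="$2"
  findings=$(
    list_autoloaded "$root" | while IFS= read -r rel; do
      sum=$(cd "$root" && sha256sum "$rel" | cut -d' ' -f1)
      known=$(awk -v p="$rel" '$2 == p { print $1 }' "$baseline")
      if [ -z "$known" ]; then
        echo "NEW       $rel"          # a file dropped into an auto-loaded path
      elif [ "$sum" != "$known" ]; then
        echo "MODIFIED  $rel"          # e.g. wp-cron.php patched for persistence
      fi
    done
    # Baseline entries that vanished (a removed mu-plugin is worth knowing too).
    awk '{ print $2 }' "$baseline" | while IFS= read -r rel; do
      [ -e "$root/$rel" ] || echo "MISSING   $rel"
    done
  )
  if [ -n "$findings" ]; then
    printf '%s\n' "$findings"
    return 1
  fi
  echo "clean: $root"
}

# Constructed sample site (not real malware): one legitimate mu-plugin, an
# untouched wp-cron.php, and a baseline taken while the site was clean.
make_demo_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/wp-content/mu-plugins"
  printf '<?php // legitimate must-use plugin\n' > "$d/wp-content/mu-plugins/site-loader.php"
  printf '<?php // core cron runner\n' > "$d/wp-cron.php"
  make_baseline "$d" > "$d/.autoload-baseline"
  echo "$d"
}

# Demo run: the clean tree passes; then a planted mu-plugin file and a
# modified wp-cron.php are both reported and the audit returns non-zero.
site=$(make_demo_tree)
audit_autoloaded "$site" "$site/.autoload-baseline"
printf '<?php // constructed: unexpected file\n' > "$site/wp-content/mu-plugins/index-helper.php"
printf '// constructed: tampered cron runner\n' >> "$site/wp-cron.php"
audit_autoloaded "$site" "$site/.autoload-baseline" || echo "audit returned $? (findings above)"
rm -rf "$site"
```

Run make_baseline once after a verified-clean state and schedule audit_autoloaded from cron or a monitoring agent; a non-zero exit is the alert condition.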

Recommended read:
References :
  • The DefendOps Diaries: Understanding the Threat: WordPress MU-Plugins and Security Risks
  • The Hacker News: Hackers Exploit WordPress mu-Plugins to Inject Spam and Hijack Site Images
  • BleepingComputer: Hackers abuse WordPress MU-Plugins to hide malicious code
  • www.scworld.com: WordPress attackers hide malware in overlooked plugins directory
  • Vulnerable U: Stealthy WordPress Malware Exploits Mu-Plugins Directory
  • bsky.app: Hackers are utilizing the WordPress mu-plugins ("Must-Use Plugins") directory to stealthily run malicious code on every page while evading detection.
  • Cyber Security News: Threat Actors Hide Malware in WordPress Sites to Execute Remote Code
  • gbhackers.com: Threat Actors Embed Malware in WordPress Sites to Enable Remote Code Execution
  • bsky.app: Hackers exploit little-known WordPress MU-plugins feature to hide malware
  • Malware - Graham Cluley: Hackers exploit little-known WordPress MU-plugins feature to hide malware
  • securityaffairs.com: Hiding WordPress malware in the mu-plugins directory to avoid detection
  • Risky.Biz: Hackers abuse secret WordPress feature you'll probably want to disable
  • Sucuri Blog: Hidden Malware Strikes Again: Mu-Plugins Under Attack

Rescana@Rescana //
A critical vulnerability, tracked as CVE-2025-26909, has been identified in the WP Ghost plugin, a popular WordPress security plugin used by over 200,000 websites. This Local File Inclusion (LFI) flaw can escalate to Remote Code Execution (RCE), potentially allowing attackers to gain complete control over affected web servers without authentication. The vulnerability stems from insufficient validation of user-supplied input through the URL path, specifically within the `showFile` function invoked by the `maybeShowNotFound` function.

This flaw allows unauthenticated users to manipulate the URL to trigger file inclusion, potentially leading to arbitrary code execution, especially when the "Change Paths" feature is set to Lite or Ghost mode. Exploit techniques such as `php://filter` chains and leveraging `PHP_SESSION_UPLOAD_PROGRESS` can be used. Website administrators are strongly advised to immediately update their WP Ghost plugin to the latest version 5.4.02 to mitigate this severe security risk and implement additional security measures.

In related news, GoDaddy Security researchers have uncovered a long-running malware operation named DollyWay, which targets visitors of infected WordPress sites. This campaign utilizes injected redirect scripts and a distributed network of TDS nodes hosted on compromised websites to redirect users to malicious sites. This highlights the broader issue of WordPress plugin vulnerabilities and the importance of maintaining strong security practices, including regular updates and vigilance.

Recommended read:
References :
  • Sam Bent: Critical Vulnerability Discovered in WP Ghost Plugin: Unauthenticated Remote Code Execution Possible
  • Virus Bulletin: GoDaddy Security researchers have uncovered long-running malware operation DollyWay, which primarily targets visitors of infected WordPress sites via injected redirect scripts that employ a distributed network of TDS nodes hosted on compromised websites.
  • Rescana: Critical CVE-2025-26909 Vulnerability in WP Ghost Plugin: Immediate Update Required for Over 200,000 Websites
  • The DefendOps Diaries: Explore the critical CVE-2025-26909 vulnerability in WP Ghost plugin and learn how to mitigate its risks.

@Talkback Resources //
References: bsky.app, BleepingComputer, socket.dev ...
Millions of WordPress websites face potential script injection attacks due to a critical vulnerability found in the Essential Addons for Elementor plugin, which is installed on over 2 million sites. The flaw, identified as CVE-2025-24752 with a high severity score of 7.1, allows attackers to execute reflected cross-site scripting (XSS) attacks. This is achieved by exploiting insufficient input sanitization within the plugin's password reset functionality, specifically through malicious URL parameters.

A fake WordPress plugin has also been discovered injecting casino spam, impacting website SEO. In a separate incident, cybersecurity researchers have flagged a malicious Python library on the PyPI repository, named 'automslc', which facilitates over 100,000 unauthorized music downloads from Deezer. The package bypasses Deezer's API restrictions by embedding hardcoded credentials and communicating with an external command-and-control server, effectively turning user systems into a botnet for music piracy.

Recommended read:
References :
  • bsky.app: Socket Security has discovered a malicious PyPI package that created a botnet to pirate songs from the music streaming service Deezer. The package was named automslc and had been downloaded over 100,000 times since its release in 2019.
  • BleepingComputer: A malicious PyPI package named 'automslc' has been downloaded over 100,000 times from the Python Package Index since 2019, abusing hard-coded credentials to pirate music from the Deezer streaming service.
  • Talkback Resources: Malicious PyPI Package "automslc" Enables 104K+ Unauthorized Deezer Music Downloads [app] [mal]
  • socket.dev: Malicious PyPI Package Exploits Deezer API for Coordinated Music Piracy
  • bsky.app: A malicious PyPI package named 'automslc' has been downloaded over 100,000 times from the Python Package Index since 2019, abusing hard-coded credentials to pirate music from the Deezer streaming service.
  • The Hacker News: Malicious PyPI Package "automslc" Enables 104K+ Unauthorized Deezer Music Downloads
  • Sucuri Blog: Injecting malware via a fake WordPress plugin has been a common tactic of attackers for some time. This clever method is often used to bypass detection as attackers exploit the fact that plugins are not part of the core files of a WordPress site, making integrity checks more difficult.
  • gbhackers.com: A critical security vulnerability in the Essential Addons for Elementor plugin, installed on over 2 million WordPress websites, has exposed sites to script injection attacks via malicious URL parameters. The flaw, tracked as CVE-2025-24752 and scoring 7.1 (High) on the CVSS scale, allowed attackers to execute reflected cross-site scripting (XSS) attacks by exploiting insufficient input sanitization in the plugin’s password reset
  • bsky.app: Microsoft has removed two popular VSCode extensions, 'Material Theme - Free' and 'Material Theme Icons - Free,' from the Visual Studio Marketplace for allegedly containing malicious code.
  • gbhackers.com: VS Code Extension with 9 Million Installs Attacks Developers with Malicious Code
  • aboutdfir.com: VSCode extensions with 9 million installs pulled over security risks
  • bsky.app: Microsoft has removed two VSCode theme extensions from the VSCode Marketplace for containing malicious code.
  • Techzine Global: Visual Studio Code extensions with 9 million downloads removed for security risks

@www.the420.in //
A large-scale malware campaign has compromised over 35,000 websites by injecting malicious JavaScript. The injected scripts redirect users to Chinese-language gambling platforms, specifically under the "Kaiyun" brand. This attack utilizes obfuscated JavaScript payloads to hijack user browsers, replacing legitimate website content with full-page redirects.

This malicious campaign operates by embedding a one-line `<script>` tag into the source code of affected websites. These scripts then reference domains like zuizhongjs[.]com and other similar URLs. Once loaded, these scripts dynamically inject further payloads, manipulating browser behavior and creating a full-screen overlay that redirects users to unlicensed gambling platforms in Mandarin, targeting users in regions where Mandarin is predominantly spoken. The attackers employ techniques such as string concatenation and Unicode escapes to conceal their activities and evade detection by automated security systems.

Recommended read:
References :
  • Cyber Security News: cyberpress.org on 35,000 Websites Compromised with Malicious Scripts Redirecting Users to Chinese Websites
  • gbhackers.com: Over 35,000 Websites Hacked to Inject Malicious Scripts Redirecting Users to Chinese Websites
  • Talkback Resources: talkback.sh on Over 35,000 Websites Targeted in Full-Page Hijack Linking to a Chinese-Language Gambling Scam
  • Sucuri Blog: Sucuri article detailing WordPress spam

Pierluigi Paganini@Security Affairs //
The GitVenom campaign, a sophisticated cyber threat, has been uncovered, exploiting GitHub repositories to spread malicious code and steal cryptocurrency. This campaign involves creating hundreds of repositories that appear legitimate but contain malicious code designed to infect users’ systems. The attackers craft these fake projects in multiple programming languages, including Python, JavaScript, C, C++, and C#, to lure unsuspecting developers. These projects often promise functionalities like automation tools but instead deploy malicious payloads that download additional components from attacker-controlled repositories.

The malicious components include a Node.js stealer that collects sensitive information like credentials and cryptocurrency wallet data, uploading it to the attackers. According to the Securelist report, a clipboard hijacker is also used to replace cryptocurrency wallet addresses, leading to significant financial theft. Kaspersky Labs discovered the GitVenom cybercrime campaign targeting GitHub users to steal cryptocurrency and credentials, with one attacker-controlled Bitcoin wallet receiving about 5 BTC (approximately $485,000) in November 2024.

Recommended read:
References :
  • Cyber Security News: GitVenom Campaign Exploits Thousands of GitHub Repositories to Spread Infections
  • gbhackers.com: The GitVenom campaign, a sophisticated cyber threat, has been exploiting GitHub repositories to spread malware and steal cryptocurrency.
  • Talkback Resources: Kaspersky Labs discovered the GitVenom cybercrime campaign targeting GitHub users to steal cryptocurrency and credentials through fraudulent repositories, resulting in the attacker-controlled Bitcoin wallet receiving about 5 BTC (approximately $485,000) in November 2024.
  • Talkback Resources: Open-source code has a significant impact on software development, but developers should be cautious of the GitVenom campaign involving threat actors creating fake projects on GitHub to distribute malicious code and steal sensitive information.
  • The Hacker News: GitVenom Malware Steals $456K in Bitcoin Using Fake GitHub Projects to Hijack Wallets
  • securityaffairs.com: GitVenom campaign targets gamers and crypto investors by posing as fake GitHub projects
  • The Register - Security: Reports that more than 200 GitHub repos are hosting fake projects laced with malicious software.
  • BleepingComputer: A malware campaign dubbed GitVenom uses hundreds of GitHub repositories to trick users into downloading info-stealers, remote access trojans (RATs), and clipboard hijackers to steal crypto and credentials.
  • Talkback Resources: Malware campaign dubbed GitVenom uses hundreds of GitHub repositories to trick users into downloading info-stealers, remote access trojans (RATs), and clipboard hijackers to steal crypto and credentials.
  • Help Net Security: Hundreds of GitHub repos served up malware for years
  • bsky.app: Bluesky post about the malware campaign GitVenom.
  • BleepingComputer: A malware campaign dubbed GitVenom uses hundreds of GitHub repositories to trick users into downloading info-stealers.
  • aboutdfir.com: GitVenom attacks abuse hundreds of GitHub repos to steal crypto
  • bsky.app: A malware campaign dubbed GitVenom uses hundreds of GitHub repositories to trick users into downloading info-stealers, remote access trojans (RATs), and clipboard hijackers to steal crypto and credentials.