8 Popular WordPress Plugins Are Currently Being Exploited By Hackers

A new report reveals an increased number of attacks against WordPress sites, all of which exploit security flaws in popular plugins.

Many of the attacks against WordPress sites last month involve hackers trying to hijack sites by targeting recently-patched plugin bugs.

In other cases, attackers were able to uncover zero-day exploits in different plugins. That refers to vulnerabilities which are unknown to the plugin developer, which means there may be no patch available.

Here is a list of all the plugins identified as being part of this recent string of attacks.

If you are utilizing any of these plugins on your site, it’s recommended that you update them immediately and stay vigilant about updating them throughout the year.

Duplicator (1 million+ installs)

Duplicator is a plugin that lets site owners export the content of their sites. A bug was patched in version 1.3.28 that allowed attackers to export site contents, including database credentials.

ThemeGrill Demo Importer (200,000 installs)

A bug in this plugin, which comes with themes sold by ThemeGrill, allowed attackers to wipe sites and take over the admin account. This bug was patched in version 1.6.3.

Profile Builder Plugin (65,000 installs)

A bug in the free and paid versions of this plugin allowed hackers to register unauthorized admin accounts. This bug was patched on February 10th.

Flexible Checkout Fields for WooCommerce (20,000 installs)

A zero-day exploit in this plugin allowed attackers to inject XSS payloads, which could then be triggered in the dashboard of a logged-in administrator. Attackers used the XSS payloads to create rogue admin accounts.

Attacks began on February 26. A patch has since been issued.

ThemeREX Addons

A zero-day exploit in this plugin, that comes with all ThemeREX commercial themes, allowed attackers to create rogue admin accounts.

Attacks began on February 18. No patch has been issued for this bug, so site owners are advised to remove the plugin as soon as possible.

Async JavaScript (100K installs)
10Web Map Builder for Google Maps (20k installs)
Modern Events Calendar Lite (40k installs)

Three similar zero-day exploits were discovered in these plugins. Patches are available for each of them.

Source: ZDNet

#