The vulnerability has been patched in version 3.5.3 of the plugin, so not all sites with that plugin are now vulnerable. To find actually vulnerable sites, hackers scan the Internet and probe the sites. However, instead of using the file with code that actually changes the settings, they just specify a file with a PHP code that returns a predefined text for vulnerable sites.
Here are some of the URLs of such probe files detected by our firewall:
They have very simple PHP code inside
<pre> tags. For example:
Some of such files are hosted on compromised third-party sites and, at this point, some of them have already been removed.
Hacked sites are not the only option used by the attackers. We’ve seen them using Pastebin links (Pastebin removes them after abuse reports). Another option that you can see in the list above, is Github, and specifically their Gist service.
In case of the above Gist link, the user who created it (kolzdnoy71) has joined GitHub just on March 27, 2019.