A new report uncovers an increased number of attacks against WordPress websites, all of which abuse security flaws in popular plugins.
Many of the attacks against WordPress websites last month involved hackers attempting to hijack sites by targeting recently patched plugin bugs.
In other cases, hackers were able to uncover zero-day exploits in various plugins. That refers to vulnerabilities which are unknown to the plugin developer, which implies there might be no fix available.
Here is a rundown of all the plugins identified as being part of this ongoing series of attacks.
If you are using any of these plugins on your site, it's suggested that you update them quickly and remain watchful about updating them consistently.
Duplicator is a plugin that lets site owners export the content of their sites. A bug was fixed in version 1.3.28 that permitted hackers to export site content, including database credentials.
A bug in this plugin, which ships with themes sold by ThemeGrill, allowed hackers to wipe websites and take control of the administrator account. This bug was fixed in version 1.6.3.
A bug in the free and paid versions of this plugin allowed attackers to register unauthorized administrator accounts. This bug was fixed on February 10.
A zero-day exploit in this plugin allowed hackers to inject XSS payloads, which could then be triggered in the dashboard of a logged-in admin. Hackers used the XSS payloads to create rogue administrator accounts.
Attacks started on February 26. A fix has since been released.
A zero-day exploit in this plugin, which ships with all ThemeREX commercial themes, permitted hackers to create rogue administrator accounts.
Attacks started on February 18. No fix has been released for this bug, so site owners are encouraged to remove the plugin as quickly as possible.
Two similar zero-day exploits were found in these plugins. Patches are available for both of them.