7 Popular WordPress Plugins Are Being Exploited By Hackers in 2020

March 3, 2020


Another report reveals an increased number of attacks against WordPress websites, all of which abuse security flaws in popular plugins.

Many of the attacks against WordPress websites over the past month involved hackers attempting to hijack sites by targeting recently patched plugin bugs.

In other cases, hackers were able to discover zero-day exploits in various plugins. That term refers to vulnerabilities not yet known to the plugin developer, which means there might be no fix available.

Here is a rundown of all the plugins identified as being part of this ongoing series of attacks.

If you are using any of these plugins on your site, update them immediately and stay vigilant about keeping them up to date.

Duplicator (1 million+ installs)

Duplicator is a plugin that lets site owners export the content of their sites. A bug fixed in version 1.3.28 permitted hackers to export site content, including database credentials.

ThemeGrill Demo Importer (200,000 installs)

A bug in this plugin, which ships with themes sold by ThemeGrill, allowed hackers to wipe websites and take control of the administrator account. This bug was fixed in version 1.6.3.

Profile Builder Plugin (65,000 installs)

A bug in the free and paid versions of this plugin allowed attackers to register unauthorized administrator accounts. This bug was fixed on February 10.

Flexible Checkout Fields for WooCommerce (20,000 installs)

A zero-day exploit in this plugin allowed hackers to inject XSS payloads, which could then be triggered in the dashboard of a logged-in admin. Hackers used the XSS payloads to create rogue administrator accounts.

Attacks started on February 26. A fix has since been released.

ThemeREX Addons

A zero-day exploit in this plugin, which ships with all ThemeREX commercial themes, permitted hackers to create rogue administrator accounts.

Attacks started on February 18. No fix has been released for this bug, so site owners are encouraged to remove the plugin as quickly as possible.

Async JavaScript (100K installs)

Modern Events Calendar Lite (40k installs)

Two similar zero-day exploits were found in these plugins. Patches are available for both of them.
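A version audit for the plugins listed above, as an added example that is not part of the original article: it reads the JSON printed by `wp plugin list --format=json` and compares installed versions against the fixed versions the article names. The plugin slugs and the sample inventory are assumptions constructed for illustration.

```python
import json

# slug -> (name, fixed version stated in the article; None = no version given).
# Slugs are assumed plugin directory names; the article does not list them.
WATCHLIST = {
    "duplicator": ("Duplicator", "1.3.28"),
    "themegrill-demo-importer": ("ThemeGrill Demo Importer", "1.6.3"),
    "profile-builder": ("Profile Builder", None),
    "flexible-checkout-fields": ("Flexible Checkout Fields for WooCommerce", None),
    "trx_addons": ("ThemeREX Addons", None),
    "async-javascript": ("Async JavaScript", None),
    "modern-events-calendar-lite": ("Modern Events Calendar Lite", None),
}

def vtuple(version):
    """Turn '1.3.26' into (1, 3, 26); non-numeric parts count as 0."""
    return tuple(int(p) if p.isdigit() else 0 for p in version.split("."))

def audit(wp_cli_json):
    """Return (slug, installed version, verdict) for each watchlisted plugin."""
    findings = []
    for plugin in json.loads(wp_cli_json):
        slug, installed = plugin["name"], plugin["version"]
        if slug not in WATCHLIST:
            continue
        fixed = WATCHLIST[slug][1]
        if slug == "trx_addons":
            verdict = "REMOVE"      # article: no fix, removal advised
        elif fixed is None:
            # No version in the article: rely on wp-cli's update field.
            verdict = "UPDATE" if plugin.get("update") == "available" else "REVIEW"
        elif vtuple(installed) < vtuple(fixed):
            verdict = "VULNERABLE"
        else:
            verdict = "OK"
        findings.append((slug, installed, verdict))
    return findings

# Constructed sample of `wp plugin list --format=json` output.
SAMPLE = """[
 {"name": "duplicator", "status": "active", "update": "available", "version": "1.3.26"},
 {"name": "themegrill-demo-importer", "status": "active", "update": "none", "version": "1.6.3"},
 {"name": "trx_addons", "status": "active", "update": "none", "version": "1.0.0"},
 {"name": "async-javascript", "status": "inactive", "update": "available", "version": "2.0.0"},
 {"name": "akismet", "status": "active", "update": "none", "version": "4.1.3"}
]"""

if __name__ == "__main__":
    for slug, installed, verdict in audit(SAMPLE):
        print(f"{verdict:<10} {slug} {installed}")
```

Inactive plugins are reported too, since their files remain on disk and reachable until the plugin is deleted.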

We at CodeLedge offer professional WordPress website development services in Sweden. Feel free to discuss your queries with us. Email us at hi@codeledge.com or get a quote from here.
