Researchers claim that a popular WordPress plugin is being used by criminal hackers to hijack websites and redirect visitors to pages serving malware.
Vulnerabilities in WordPress plugin cause widespread damage:
Slider Revolution is a popular premium WordPress plugin that helps users create responsive sliders. Remote attackers have widely used vulnerabilities in the plugin to download files from affected servers. The local file inclusion (LFI) flaw affected version 4.1.4 and earlier, and although the developer patched it, a large number of sites remain affected.
Here is how the attack happens:
- Attackers scan WordPress websites to check which ones have Slider Revolution installed.
- Once the plugin is detected, the LFI bug is exploited to download the wp-config.php file.
- This file contains important configuration data that helps the attacker compromise the target website.
- Once the config file is accessed, a second Slider Revolution vulnerability is exploited to upload a malicious theme to the website, injecting a second backdoor that redirects the site's visitors to soaksoak.ru.
Slider Revolution is used on thousands of websites. The problem is made worse because the plugin is bundled into a number of WordPress theme packages, leaving site owners unaware that their sites are open to targeted attacks.
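To find copies of the plugin that arrived inside a theme, an administrator can walk `wp-content` and read the version from each copy's WordPress plugin header. The Python script below is an added example, not code from Sucuri or the plugin's developer; it assumes the plugin's main file is named `revslider.php`, and the directory tree it audits is constructed.

```python
import os
import re
import tempfile

PLUGIN_MAIN_FILE = "revslider.php"   # assumption: main file name of bundled copies
LAST_VULNERABLE = (4, 1, 4)          # from the article: 4.1.4 and earlier
# Standard WordPress plugin header line, e.g. " * Version: 4.1.4"
VERSION_RE = re.compile(r"^[\s*#@]*Version:\s*(\d+(?:\.\d+)*)", re.I | re.M)

def parse_version(text):
    """Return the header version as an int tuple (trailing zeros dropped), or None."""
    m = VERSION_RE.search(text)
    if not m:
        return None
    parts = [int(p) for p in m.group(1).split(".")]
    while len(parts) > 1 and parts[-1] == 0:
        parts.pop()                  # so 4.1.4.0 compares equal to 4.1.4
    return tuple(parts)

def find_slider_copies(wp_content):
    """Walk wp-content (plugins and themes) and report every copy found."""
    findings = []
    for root, _dirs, files in os.walk(wp_content):
        if PLUGIN_MAIN_FILE not in files:
            continue
        path = os.path.join(root, PLUGIN_MAIN_FILE)
        with open(path, encoding="utf-8", errors="replace") as fh:
            version = parse_version(fh.read(8192))   # header sits at the top
        # No readable version: flag it so a person checks the copy by hand.
        vulnerable = version is None or version <= LAST_VULNERABLE
        findings.append((os.path.relpath(path, wp_content), version, vulnerable))
    return sorted(findings)

def demo():
    samples = {  # constructed paths and versions, for illustration only
        "plugins/revslider": "5.0.0",
        "themes/example-theme/inc/revslider": "4.1.4",
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, ver in samples.items():
            d = os.path.join(tmp, *rel.split("/"))
            os.makedirs(d)
            with open(os.path.join(d, PLUGIN_MAIN_FILE), "w") as fh:
                fh.write(f"<?php\n/*\nPlugin Name: Slider (sample)\nVersion: {ver}\n*/\n")
        return find_slider_copies(tmp)

if __name__ == "__main__":
    for rel, version, vulnerable in demo():
        print("VULNERABLE" if vulnerable else "ok", version, rel)
```

On a real site, call `find_slider_copies()` with the path to the installation's `wp-content` directory; any copy reported as vulnerable inside a theme has to be updated through the theme vendor.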
Check WordPress security:
In an effort to minimize the impact on the wider internet, Google has already blacklisted over 11,000 websites affected by the soaksoak malware. WordPress website admins can check the security of their sites using the free Sucuri scanner. The malware was first discovered by Sucuri in September, while it has been in the works since February.
- Complete report: Sucuri