Posted On 17 Apr 2019
Attackers have recently been exploiting two widely used WordPress plugins. By abusing vulnerabilities in these plugins, they have been able to compromise websites by creating rogue administrative accounts.
Any site that runs either of these two plugins on top of its WordPress installation is at risk. The plugins affected are Easy WP SMTP and Social Warfare, with 300,000 and 70,000 active installations, respectively.
Patches are available
Although patches have been made available, many at-risk websites have yet to install them. Websites that use these plugins should disable them at once and update them to the latest versions. For Easy WP SMTP, this is version 18.104.22.168. For Social Warfare, it is version 3.5.3.
Attacks exploiting Easy WP SMTP were first detected by NinTechNet, and a patch was released the same day. Three days later, Defiant reported that the vulnerability was still being exploited despite the patch being installed.
It appears that two competing groups have launched the attacks. One group creates bogus administrative accounts and then stops; the other uses these accounts to modify websites, redirecting their visitors to malicious domains. Both groups appear to be creating the bogus accounts using attack code that NinTechNet published as a proof-of-concept exploit. The second group uses the domains setforconfigplease.com and getmyfreetraffic.com to track redirected users.
Anyone running a vulnerable WordPress site should update these plugins immediately. If this is not possible, they should uninstall Easy WP SMTP and Social Warfare until a successful update can be completed. If redirected to a malicious site, the best advice is to force the browser closed. If this is unsuccessful, seek advice. Never call displayed numbers or install linked software.
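Site owners who cannot yet patch will want to check whether they have already been hit. The following is an added example (not code from the article or from either plugin's vendor) that audits the shape of WordPress's wp_users, wp_usermeta and wp_options tables for the two signs described above: administrator accounts registered after a date the owner trusts, and option values that reference the two redirect domains named in the article. The sample rows, the `wp_` table prefix and the cutoff date are constructed assumptions.

```python
import re
from datetime import datetime

# Constructed sample rows in the shape of WordPress's wp_users, wp_usermeta and
# wp_options tables (not data from any real site). Roles live in wp_usermeta as a
# PHP-serialized array under the key "<prefix>capabilities".
WP_USERS = [
    {"ID": 1, "user_login": "siteowner", "user_registered": "2017-05-02 10:11:12"},
    {"ID": 2, "user_login": "editor_jane", "user_registered": "2018-09-14 08:00:00"},
    {"ID": 3, "user_login": "wpsupp0rt", "user_registered": "2019-03-18 02:47:31"},
]
WP_USERMETA = [
    {"user_id": 1, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
    {"user_id": 2, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:6:"editor";b:1;}'},
    {"user_id": 3, "meta_key": "wp_capabilities", "meta_value": 'a:1:{s:13:"administrator";b:1;}'},
]
WP_OPTIONS = [
    {"option_name": "siteurl", "option_value": "https://example.org"},
    {"option_name": "home", "option_value": "https://setforconfigplease.com/?r=example.org"},
]
# Assumed cutoff: the last date on which the site owner knowingly created accounts.
ACCOUNT_REVIEW_CUTOFF = datetime(2019, 3, 1)
# Redirect domains named in the article.
REDIRECT_DOMAINS = ("setforconfigplease.com", "getmyfreetraffic.com")

# Narrow matcher for the role-name/boolean pairs WordPress writes into wp_capabilities.
ROLE_RE = re.compile(r's:\d+:"([^"]+)";b:1;')

def roles_from_capabilities(serialized):
    """Extract the enabled role names from a PHP-serialized wp_capabilities value."""
    return set(ROLE_RE.findall(serialized))

def find_rogue_admins(users, usermeta, cutoff, prefix="wp_"):
    """Return logins of administrators whose account was registered after the cutoff."""
    admin_ids = {
        m["user_id"] for m in usermeta
        if m["meta_key"] == prefix + "capabilities"
        and "administrator" in roles_from_capabilities(m["meta_value"])
    }
    return sorted(
        u["user_login"] for u in users
        if u["ID"] in admin_ids
        and datetime.strptime(u["user_registered"], "%Y-%m-%d %H:%M:%S") > cutoff
    )

def find_redirect_options(options, domains):
    """Return option names whose value references one of the known redirect domains."""
    return sorted(o["option_name"] for o in options
                  if any(d in o["option_value"] for d in domains))

if __name__ == "__main__":
    print("rogue admins:", find_rogue_admins(WP_USERS, WP_USERMETA, ACCOUNT_REVIEW_CUTOFF))
    print("tampered options:", find_redirect_options(WP_OPTIONS, REDIRECT_DOMAINS))
```

On a real site, export the three tables (or query them directly) and feed the rows in; a hit in either check means the account should be removed and the site restored from a known-good backup before patching.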