More than one million WordPress sites attacked over the weekend of late May 2020

WordPress throughout its history has always found itself appearing in the news for its security vulnerabilities. The most recent vulnerability incident with WordPress is with a plugin call Page Builder by SiteOrigin.

Attackers mount a campaign over the weekend of 29 – 31 May against more than one million WordPress sites in an attempt to download wp-config.php, a file critical to all WordPress installations. This file contains sensitive information such as database credentials, connection information as well as unique authentication salt and keys. Therefore, anyone with access to the file could gain access to the database where the site content and users are stored.

To download that file, the attackers targeted cross-site scripting (XSS) vulnerabilities found in older plugins or themes that allow files to be downloaded or exported.

The attacks came from more than 20,000 IP addresses, which were also implicated in a previous attack that happened earlier in May 2020 used by the same threat actor.

The earlier attack targetted a different set of XSS vulnerabilities with the intention of having visitors redirected to malvertising sites. This set of vulnerabilities were found in plugins that have mostly been patched or plugins that have been removed from the WordPress plugin repository. Below is the list of plugins and their respective vulnerabilities that were popular with the attackers.

  • Easy2Map plugin — Removed from WordPress plugin repository due to XSS vulnerability
  • Blog Designer — XSS vulnerability that was patched in 2019
  • WP GDPR Compliance — Options update vulnerability that was patched in late 2018
  • Total Donations — Removed from Envato Marketplace permanently. It had a critical options update vulnerability.
  • Newspaper theme — XSS vulnerability that was patch in 2016.

The good news is that WordPress site owners who uses Wordfence are protected. According to Ram Gall at Wordfence, the Wordfence firewall blocked over 130 million attacks intended on harvesting database credentials.

How do you know if you were attacked?

The attack should be logged. You could look for any log entries that contain wp-config.php in the query string with the HTTP response code 200.

Below are the top 10 IP addresses used for this attack campaign.

  • 200.25.60.53
  • 51.255.79.47
  • 194.60.254.42
  • 31.131.251.113
  • 194.58.123.231
  • 107.170.19.251
  • 188.165.195.184
  • 151.80.22.75
  • 192.254.68.134
  • 93.190.140.8

What should you do next?

WordPress sites running Wordfence are protected from the attack. For the other users, you should change the database password and the unique authentication keys and salt immediately if you believe you are compromised.

The reason is simple.

WordPress servers that have been configured to allow remote database access could easily allow an attacker with the database credentials to add an administrative user, extract sensitive data or delete the site. Even if remote database access is not enabled, an attacker who knows the authentication keys and salts could bypass other security mechanisms that protect your site more easily.

And what if you are not comfortable making changes mentioned above?

Then you should contact your host or service provider since changing the database password without updating the wp-config.php file can render your site offline temporarily.

Last but not least, you should also update any plugins and themes. You may also want to consider changing the plugins or themes if these are no longer maintained by the original developers.


This article uses material from Wordfence.

Bugs in WordPress page builder plugin leave 1 million sites vulnerable to full takeover

Are you using WordPress? If you are and have installed SiteOrigin’s Page Builder plugin, your site could be vulnerable to full takeover by hackers.

To the uninitiated, Page Builder is a WordPress plugin created by SiteOrigin that is used to build websites using drag-and-drop functionality. It currently has a million active installations.

Researchers at Wordfence found two security bugs in the plugin that can lead to cross-site request forgery (CSRF) and reflected cross-site scripting (XSS). These two bugs allow attackers to forge requests on behalf of a site administrator and execute malicious code in the administrator’s browser.

The bugs have been assigned with a severity rating of 8.8 out of 10 by the researchers, but no CVEs have yet been assigned.

The details of the flaws

The two flaws can be used by attackers to redirect a site’s administrator, create a new administrative user account or inject a backdoor on a site. The details of the flaws could be found in the link provided above.

The first flaw affect the built-in live editor within the plugin.

For the plugin to show the modifications done in the live editor in real time, it registers the is_live_editor() function to check if a user is in the live editor. If the user is in the live editor, the siteorigin_panels_live_editor parameter will be set to “true” and register that a user is accessing the live editor. The plugin will then attempt to include the live editor file which renders all of the content. Then, the “live-editor-preview.php” rendering file updates the page preview with changes made in real time.

This is all good but the problem lies in the lack of nonce protection. It is a method that could be used to verify that an attempt to render content in the live editor came from a legitimate source.

According to the researchers, some of the available WordPress widgets, such as the ‘Custom HTML’ widget, could be used to inject malicious Javascript into a rendered live page.

The second flaw is also a CRSF to XSS issue and it lies with the action_builder_content function of the plugin.

The purpose of the function was to transmit submitted content as panels_data from the live editor to the WordPress editor in order to update or publish the post using the content created from the live editor. Although the function did have a user permission check, there was no nonce protection to verify the request source, causing a CSRF flaw.

The researchers found that the “Text” widget could be used to inject malicious Javascript due to the ability to edit content in a “text” mode rather than a “visual” mode. With this, potentially malicious Javascript could be allowed to be sent unfiltered.

What should you do?

The flaws affect SiteOrigin’s Page Builder version 2.10.15 and below. In order to avoid full site takeover, admins should upgrade the plugin to version 2.10.16.

And it should be noted that an attacker needs to trick a site administrator into executing an action like click on a link or an attachment for the attack to succeed. Therefore, it is advisable not to click on any link or open any attachments that you are unsure of.