A number of new and old WordPress plugin vulnerabilities are being targeted in an attempt to redirect traffic from victims’ sites to a number of potentially harmful locations.
WordFence’s Threat Intelligence team said users of the plugins under attack are protected by individual firewall rules or generic protections built into the plugin, however, two of the vulnerabilities have firewall rules which are currently available only to premium users.
These were found several of the NicDark plugins, all of which are prefixed with –nd such as the plugin Booking (slug: nd-booking). Premium users are already protected with a patch being pushed out for free users on August 29. The other plugin being hit is the Simple 301 Redirects Addon Bulk Uploader. Premium users are protected with free receiving the firewall rule on September 5.
In the case of the NicDark plugins these vulnerabilities can allow unauthenticated users to modify arbitrary WordPress options, it’s possible for attackers to enable registration as an Administrator user. However, the attackers are not taking advantage of this and WordFence is instead seeing the access being used to modify the site URL setting in order to place a redirect.
The vulnerability being abused with the Simple 301 Redirects Addon – Bulk Uploader allows an attacker to inject their own 301 redirect rules onto the victim site. Vulnerable versions of the plugin constantly search for the presence of the POST body parameter submit_bulk_301. If this value is present, an uploaded CSV file would be processed and used to import a bulk set of site paths and their redirect destinations.