Threat Management, Malware, Network Security, Vulnerability Management

Attackers exploit old WordPress to inject sites with code enabling site redirection, takeover


Attackers have exploited an old WordPress vulnerability to infect more than one thousand websites with malware capable of injecting malvertising and even creating a rogue admin user with full access privileges, according to researchers.

The exploited flaw is specifically found in outdated versions of the WordPress tagDiv Newspaper and Newsmag themes, according to a Dec. 14 blog post by Sucuri security analyst Douglas Santos. (Sucuri explains the vulnerability in further detail in an older report here.)

"Unfortunately, since this infection is related to a software vulnerability, strong passwords and security plugins will not protect you," writes Santos, noting that the malicious javascript can be found in a WordPress site's theme options.

Following code injection, the malware can execute two possible attack scenarios, depending on the site visitor: If the visitor is determined to be logged in as an admin user, the malware creates the rogue user “simple001” with full admin privileges, allowing for complete takeover of the site. If visitors are not logged as an admin and they have not been to the site within the last 10 hours, then the malware commences a chain of redirects that sends them to various scam and advertisement sites.

Sucuri first noticed this infection trend earlier this month. Previously, attackers were using the same WordPress flaw to inject a variant of the malicious JavaScript that would either display unauthorized pop-ups or redirect visitors to spammy websites, but could not enable a complete site takeover.

Sucuri previously reported in June that the tagDiv Newspaper theme has been sold to more than 40 thousand users, not counting pirated copies.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.