Incident Response, TDR, Vulnerability Management

FBI warns of WordPress defacements as new plugin vulnerability is found

The FBI issued a public service announcement (PSA) on Tuesday, warning that individuals sympathetic to the Islamic State in the Levant (ISIL), or Islamic State of Iraq and al-Shams (ISIS), are defacing WordPress websites by exploiting vulnerabilities in plugins.

According to the PSA, the perpetrators – whom are believed to be supporters, not members of the ISIL terrorist organization – have targeted websites belonging to news outlets, commercial entities, religious institutions, federal and state and local governments, and foreign governments.

An attacker that successfully exploits a vulnerability in a WordPress plugin could gain unauthorized access to the website, bypass security restrictions, inject scripts, steal cookies, install malicious software, manipulate data, and create accounts with full user privileges, the PSA stated.

The website defacements demonstrate a low level of hacking sophistication, the PSA noted, but the attacks are disruptive and often lead to losses in business revenue and added costs for services needed to address the issue.

Daniel Cid, CTO of Sucuri, told in a Wednesday email correspondence that the political defacements are standard and relatively simple to execute.

“They have a list of the latest plugin vulnerabilities and go through them all on as many sites as they can,” Cid said. “They mix that with brute-force attempts using popular open source tools. If they can get in, they deface the site and install standard backdoors (Filesman) and move on.”

In a Wednesday post responding to the FBI's announcement, Cid wrote that the most common bugs being exploited are in outdated versions of the Slider Revolution plugin and Gravity Forms plugin. One point missed in the PSA, Cid noted in the post, is that flaws in WordPress themes are also a target.

The FBI announcement was published on the same day that Sucuri posted about a newly identified cross-site scripting (XSS) vulnerability in the WP Super Cache plugin, which has more than a million active installs.

Sucuri considers the issue – which could lead to backdoors being injected, or the creation of new administrator accounts – a dangerous security risk, and the security company is advising users to immediately update to version 1.4.4.

“The XSS on [WP Super Cache] is very easy to be exploit and only requires one malicious packet with the XSS payload injected in the cookies header,” Cid said. “Our proof-of-concept for this vulnerability is just one simple “curl” command that anyone can run from the Linux terminal.”

He added, “After that, the attacker has to wait for the admin of the site to visit the cached file listing page on the plugin settings and get the XSS executed. From there, the attacker can force the admin to add a new user, modify the theme files and basically do anything that an admin can do from the dashboard.”

In a Wednesday email correspondence, Tony Perez, CEO of Sucuri, told that simple updating and auto-updating will not do the trick, and that website operators need to be looking at a more holistic approach to WordPress security.

“Access control is often something easier for website owners to grasp, it's tangible [and] they can fix [it], they can see it,” Perez said. “Software vulnerabilities, however, is different; most website owners aren't developers and most developers don't know what insecure code really looks like. This leaves very little options for everyday website owners, and it's also where technologies like cloud-based website firewalls come into play.”

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.