Threat Management, Malware, Network Security

Pair of WordPress plug-ins inject malicious scripts to deliver unwanted ads

Two malicious plug-ins were recently discovered injecting obfuscated JavaScript into WordPress websites, in order to generate advertisements that appear if a visitor clicks anywhere on the page.

The two plug-ins, injectbody and injectscr, share similar functionalities and file structures, according to a Feb. 12 blog post from Sucuri, whose researchers found the threats on Feb. 8. Further analysis showed that attackers are adding the plugins after logging into website operators' WordPress dashboards using either rogue admin accounts or stolen credentials, and also that plug-in installation requests are primarily coming from random IP addresses and are probably automated.

In order to conceal their presence from everyone but the attackers, injectbody and injectscr both employ a function that removes them from a list of active plug-ins on the WordPress dashboard. “Only the attackers, who can log into WordPress using the malicious admin users INJECTBODY__ADMIN or INJECTSCR__ADMIN, or alternatively use legitimate admin credentials and append “?INJECTBODY__ADMIN=1” or “?INJECTSCR__ADMIN=1” GET parameters in the URL, are able to detect the presence of these malicious plugins on an infected website. explains blog post author and malware researcher Denis Sinegubko.

Sinegubko also reports that some websites infected with injectbody or injectscr were previously infected in January with a malware programmed to distribute spam email as well as create backdoors and file uploading scripts on the server.

In other WordPress news, Israeli security researcher Barak Tawily reported last week that a flaw in open source CMS WordPress could allow a malicious actor to take down a website with a single machine via a denial of service attack.

Bradley Barth

As director of multimedia content strategy at CyberRisk Alliance, Bradley Barth develops content for online conferences, webcasts, podcasts video/multimedia projects — often serving as moderator or host. For nearly six years, he wrote and reported for SC Media as deputy editor and, before that, senior reporter. He was previously a program executive with the tech-focused PR firm Voxus. Past journalistic experience includes stints as business editor at Executive Technology, a staff writer at New York Sportscene and a freelance journalist covering travel and entertainment. In his spare time, Bradley also writes screenplays.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.