Whilst campaigns of this nature are unfortunately commonplace, targeting vulnerable or out-of-date WordPress websites, this discovery reiterates the need for website owners to keep their installations well maintained, minimising the time between a vulnerability being disclosed and being patched. It also demonstrates how regular site content audits or monitoring could alert website owners to unauthorised changes such as these.
Based on a review of the websites identified as currently compromised, a variety of WordPress versions and plugins have been identified. As such, it is likely that multiple vulnerabilities are being exploited, potentially by multiple campaigns and threat actors, in some cases resulting in a single website carrying multiple injected nefarious payloads.
Whilst many websites may employ old WordPress and plugin versions, likely detectable and exploitable by automated processes, the following recently announced vulnerability is reportedly being exploited by those conducting mass-injection campaigns.
WordPress Duplicator Plugin Remote Code Execution
Affecting version 1.2.40 and earlier, this remote code execution vulnerability, discovered by researchers at Synacktiv, is present within the Duplicator plugin, which allows administrators to migrate or clone their WordPress sites from one location to another.
Figure 1 – Example files remaining following the use of Duplicator v1.2.40 or earlier
Furthermore, a ZIP-compressed archive containing a full copy of the site, together with a SQL database backup file (Figure 2), also remains and can potentially expose sensitive data.
Figure 2 – Example Duplicator generated MySQL backup file (Header comments)
Across the sites observed running a vulnerable version of this plugin, the exposed data was found to include API credentials for cloud services, such as Amazon Web Services, as well as API credentials for PayPal (Figure 3).
Figure 3 – Example exposed PayPal API credentials
In addition to the potential abuse of cloud service credentials for further nefarious activity, the PayPal API credentials could allow the account holder’s balance to be queried (Figure 4) and various transaction operations, including refunds, to be performed, potentially permitting fraudulent activity.
Figure 4 – Example PayPal API query response showing account balance (USD 7.00)
Whilst this vulnerability has now been patched by the vendor, administrators are recommended to ensure that all installation files, and any other potentially sensitive files, are removed post-migration.
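The two defensive measures this article recommends, monitoring a site for unauthorised file changes and removing migration artefacts after using Duplicator, can both be scripted. The following is an added example written for this page; it is not code from the original article or from the Duplicator project. It assumes a baseline-and-diff approach (SHA-256 of every file under the web root) for change monitoring, and assumes that the leftover installer is named installer.php or installer-backup.php (the article does not list the exact names, only that installation files remain) alongside the ZIP site archive and SQL dump the article does describe. The sample web root, its files and the "injected" modification are all constructed for the demonstration.

```python
import hashlib
import tempfile
from pathlib import Path

# Installer file names Duplicator commonly leaves in the web root after a
# migration. Assumption: the article does not list the exact names.
INSTALLER_NAMES = {"installer.php", "installer-backup.php"}
# The site archive and database dump the article describes as remaining.
ARCHIVE_SUFFIXES = (".zip", ".sql", ".sql.gz")


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large archives do not load into memory."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_baseline(root) -> dict:
    """Map every file under root (relative POSIX path) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_baseline(old: dict, new: dict) -> dict:
    """Compare two baselines; added and modified files are what an audit should review."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(k for k in old.keys() & new.keys() if old[k] != new[k]),
    }


def find_migration_leftovers(root) -> list:
    """List installer scripts, site archives and SQL dumps still reachable under root."""
    root = Path(root)
    hits = []
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        name = p.name.lower()
        if name in INSTALLER_NAMES or name.endswith(ARCHIVE_SUFFIXES):
            hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def demo() -> tuple:
    """Run both checks against a constructed throw-away web root."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        # Constructed sample site: two files a clean install would have.
        (root / "index.php").write_text("<?php require 'wp-blog-header.php';\n")
        (root / "wp-config.php").write_text("<?php define('DB_NAME', 'wp');\n")
        before = build_baseline(root)

        # Constructed post-migration state: leftover artefacts plus one
        # modified core file standing in for an unauthorised change.
        (root / "installer.php").write_text("<?php // leftover installer\n")
        (root / "20240101_site_archive.zip").write_bytes(b"PK\x03\x04")
        (root / "database.sql").write_text("-- MySQL dump (constructed)\n")
        (root / "index.php").write_text("<?php require 'wp-blog-header.php'; /* changed */\n")
        after = build_baseline(root)

        return diff_baseline(before, after), find_migration_leftovers(root)


if __name__ == "__main__":
    changes, leftovers = demo()
    print("changed files:", changes)
    print("migration leftovers:", leftovers)
```

In practice the baseline would be written to storage outside the web root immediately after a known-good deployment and compared on a schedule; any file in "added" or "modified" that does not correspond to a deliberate update, and any hit from find_migration_leftovers, warrants review and removal.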