For much of the general public, talking about WordPress means going back years in the history of the Internet to the golden age of blogs, yet this content manager remains a very present reality. Not surprisingly, it has a market share of over 35%, which means the platform is behind a third of the websites on the planet. That reach also makes it an attractive target for cybercriminals, who usually go after large websites or software with a large number of users to increase their chances of hitting the mark and claiming more victims.
In recent months there has been a new peak in attacks against the platform. In this case they do not seem to be targeting WordPress itself, but are finding side doors to break in through. Attackers are using the well-known plugins (add-on functionality developed by third parties) to access sensitive information, such as administrator credentials, or even to wipe the databases of sites that are running one of these unsecured versions.
Although several vulnerabilities would allow cybercriminals to carry out a zero-day attack, one has been talked about for several days: the ThemeGrill Demo Importer plugin. Although the company released a patch shortly after the security breach was exposed, some sites probably still have that flank exposed because they have not yet updated. According to the platform's figures, the plugin has been downloaded more than a million and a half times since its first version was released, so it may still be running on many sites.
Having a template from this provider and the plugin activated is enough to be exposed. The flaw, present in versions 1.3.4 to 1.6.1, would allow an attacker to delete the entire contents of the database and return every setting to zero. This would mean the loss of posts, pages, comments, user accounts, credentials... Once the site is back at its initial configuration, the attacker could even create an administrator account with all the permissions that come with it.
But this is not the only case. Duplicator, a popular tool with over a million downloads, is under similar attack. This add-on lets administrators copy and export all of their website content. The hole in its code acts as a tunnel through the wall: attackers can sneak in and make a copy of the site, which would give them access to details such as administrator passwords that they could use to hijack the original site. If you use this extension, make sure you have version 1.3.28 or higher.
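As an added example (not code from the article or from either plugin's developers), a small Python audit that reads the JSON shape produced by WP-CLI's `wp plugin list --format=json` and flags the two version ranges named above: ThemeGrill Demo Importer 1.3.4 to 1.6.1 and Duplicator below 1.3.28. The plugin slugs and the lower bound for Duplicator are assumptions, and the inventory is constructed inline.

```python
import json

# Affected ranges as stated in the article (inclusive). Slugs are assumed to
# match the WordPress.org plugin directory; Duplicator's lower bound of "0"
# is an assumption, since the article only gives the fixed version.
VULNERABLE_RANGES = {
    "themegrill-demo-importer": ("1.3.4", "1.6.1"),
    "duplicator": ("0", "1.3.27"),  # anything below 1.3.28
}

# Constructed sample in the shape of `wp plugin list --format=json`,
# reduced to the fields used here.
SAMPLE_INVENTORY = json.dumps([
    {"name": "themegrill-demo-importer", "status": "active",   "version": "1.6.1"},
    {"name": "duplicator",               "status": "inactive", "version": "1.3.26"},
    {"name": "profile-builder",          "status": "active",   "version": "3.1.0"},
])


def parse_version(version):
    """Turn '1.6.10' into (1, 6, 10) so comparison is numeric, not lexical."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def is_vulnerable(slug, version):
    """True if the installed version falls inside the plugin's affected range."""
    bounds = VULNERABLE_RANGES.get(slug)
    if bounds is None:
        return False
    low, high = (parse_version(b) for b in bounds)
    return low <= parse_version(version) <= high


def audit(inventory_json, include_inactive=True):
    """Return (slug, version) pairs that need updating; inactive plugins are
    still on disk, so they are reported unless the caller opts out."""
    findings = []
    for plugin in json.loads(inventory_json):
        if not include_inactive and plugin.get("status") != "active":
            continue
        if is_vulnerable(plugin["name"], plugin["version"]):
            findings.append((plugin["name"], plugin["version"]))
    return findings


if __name__ == "__main__":
    for slug, version in audit(SAMPLE_INVENTORY):
        print(f"UPDATE NEEDED: {slug} {version}")
```

On a real site, replace `SAMPLE_INVENTORY` with the output of `wp plugin list --format=json` and extend `VULNERABLE_RANGES` as advisories are published.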
A bug found in Profile Builder, which is used on tens of thousands of websites, likewise allows accounts with full permissions to be created fraudulently.
Wordfence, a company specialising in computer security, has also called out another theme store, ThemeRex. Specifically, a package bundled with its designs took two weeks to be corrected, leaving websites with their doors open in the meantime. The flaw is similar to the one suffered by InfiniteWP Client, used on nearly 200,000 websites; its developers published a patch in February, a few days after the vulnerability was discovered at the end of January.
Nor is this limited to free tools. Brainstorm Force, which distributes two visual editors for WordPress, has had to deal with two security flaws affecting its paid Ultimate Addons products. The vulnerability in question was a critical authentication flaw that allowed privileged access to the administration panel, even remotely, without needing a password. The bug has been fixed, so updating to the latest version is recommended.
Although WordPress has closed certain gaps over the years, the doubts have never been fully eradicated, and reports of this kind surface periodically. This is partly because WordPress provides the core and is enriched with third-party elements, such as plugins and themes, each with its own security measures, protocols and way of working. A report published in 2019 stated that 54% of the vulnerabilities were found in these extensions, 31.5% in the platform itself and the rest in the templates of the most widely used CMS on the planet.