Linux malware targets WordPress websites by exploiting 30 vulnerabilities found in a variety of plugins and themes.
The malware itself is nothing unusual: it is a backdoor that gives the attackers access to the target sites by exploiting 30 known vulnerabilities across various outdated WordPress plugins and themes. Once a site is compromised, the backdoor injects malicious JavaScript into its pages.
These injected scripts then redirect visitors to sites chosen by the attackers, where phishing attacks are carried out. The operators can also put the backdoor into standby mode or shut it down entirely.
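The check a site owner would want after reading the above is a way to spot the injected redirector in a page. The following Python script is an added example (not code from the report or from the malware): it parses a page's HTML and flags script elements that load from a host outside an allowlist, data: URI scripts, inline scripts that assign to a location object, and inline scripts whose atob("...") payload decodes to such an assignment. The hostnames, the allowlist and the HTML sample are constructed placeholders, not real indicators.

```python
"""Heuristic scan of a WordPress page for injected redirect scripts.

Added example for the article above; not code from Dr.Web or from the malware.
The sample HTML and hostnames below are constructed for illustration.
"""
import base64
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# An assignment to, or navigation call on, a location object:
#   window.location = ..., document.location.href = ..., location.replace(...)
# "==" is excluded so a comparison against the current URL is not reported.
REDIRECT_RE = re.compile(
    r"(?:(?:window|document|top|self|parent)\.)?\blocation"
    r"(?:\.href|\.replace|\.assign)?\s*(?:=(?!=)|\()",
    re.IGNORECASE,
)
# Constructs commonly used to hide a redirect payload in an inline script.
OBFUSC_RE = re.compile(r"\b(?:eval|atob|unescape)\s*\(|String\.fromCharCode")
# atob("...") literals whose payload we try to decode and re-scan.
ATOB_RE = re.compile(r"atob\(\s*[\"']([A-Za-z0-9+/=]+)[\"']\s*\)")


class ScriptCollector(HTMLParser):
    """Collect (src, inline body) for every <script> element in document order."""

    def __init__(self):
        super().__init__()
        self.scripts = []
        self._in_script = False
        self._src = None
        self._buf = []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
            self._src = dict(attrs).get("src")
            self._buf = []

    def handle_data(self, data):
        if self._in_script:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_script:
            self.scripts.append((self._src, "".join(self._buf)))
            self._in_script = False


def decoded_payloads(text):
    """Yield the decoded contents of atob("...") literals found in a script."""
    for b64 in ATOB_RE.findall(text):
        try:
            yield base64.b64decode(b64, validate=True).decode("utf-8", "replace")
        except ValueError:  # binascii.Error is a ValueError subclass
            continue


def scan_html(html, allowed_hosts):
    """Return findings as (kind, detail) tuples, in document order."""
    collector = ScriptCollector()
    collector.feed(html)
    collector.close()
    findings = []
    for src, body in collector.scripts:
        if src is not None:
            src = src.strip()
            # Protocol-relative src ("//host/x.js") has no scheme; add one so urlparse sees the host.
            parsed = urlparse("https:" + src if src.startswith("//") else src)
            if parsed.scheme == "data":
                findings.append(("data-uri-src", src[:80]))
            elif parsed.hostname and parsed.hostname.lower() not in allowed_hosts:
                findings.append(("external-src", parsed.hostname.lower()))
            continue  # browsers ignore inline content when src is set
        text = body.strip()
        if REDIRECT_RE.search(text):
            findings.append(("inline-redirect", text[:80]))
        elif any(REDIRECT_RE.search(p) for p in decoded_payloads(text)):
            findings.append(("inline-redirect-b64", text[:80]))
        elif OBFUSC_RE.search(text):
            findings.append(("inline-obfuscated", text[:80]))
    return findings


# Constructed sample page: one local script, one allowed CDN, one injected
# external loader, one plain redirect, one benign location read, and one
# base64-wrapped redirect (decodes to window.location="https://evil.example/").
ALLOWED_HOSTS = {"cdn.example.org"}
SAMPLE_HTML = """<html><head>
<script src="/wp-includes/js/jquery/jquery.min.js"></script>
<script src="https://cdn.example.org/lib.js"></script>
<script src="//evil.example/r.js"></script>
<script>window.location.href="https://evil.example/landing";</script>
<script>if (window.location.hash == "#top") { scroll(0, 0); }</script>
<script>eval(atob("d2luZG93LmxvY2F0aW9uPSJodHRwczovL2V2aWwuZXhhbXBsZS8i"));</script>
</head><body>Hello</body></html>"""

if __name__ == "__main__":
    for kind, detail in scan_html(SAMPLE_HTML, ALLOWED_HOSTS):
        print(f"{kind:22} {detail}")
```

Run it against a saved copy of the live page (for example the output of fetching the site's front page) and treat every hit as a lead to inspect, not as proof of compromise: the heuristics only see what is in the served HTML, so a redirector added through the DOM at runtime, or served from a first-party file the attackers overwrote, will not be caught. Finding the script is triage; the remediation is updating the vulnerable plugins and themes and restoring the site from a known-clean backup.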
Websites running unpatched versions of these plugins and themes are at risk:
- WP Live Chat Support Plugin
- WordPress – Yuzo Related Posts
- WP GDPR Compliance Plugin
- Yellow Pencil Visual Theme Customizer Plugin
- Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972)
- Google Code Inserter
- Total Donations Plugin
- Thim Core
- Post Custom Templates Lite
- WP Quick Booking Manager
- Blog Designer WordPress Plugin
- Facebook Live Chat by Zotabox
- WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233)
- WordPress ND Shortcodes For Visual Composer
- WP-Matomo Integration (WP-Piwik)
- WP Live Chat
- Coming Soon Page and Maintenance Mode
A second variant, Linux.BackDoor.WordPressExploit.2, adds exploits for further vulnerabilities in the following plugins and themes:
- WooCommerce WordPress
- Coming Soon Page
- Brizy WordPress Plugin
- FV Flowplayer Video Player
- WordPress theme OneTone
- Simple Fields WordPress Plugin
- Poll, Survey, Form & Quiz Maker by OpinionStage
- WordPress Delucks SEO plugin
- Social Metrics Tracker
- Rich Reviews plugin
- WPeMatico RSS Feed Fetcher