A website hacking campaign, that has been ongoing since July, has morphed from redirecting browsers to sites containing dodgy adverts or malicious software into something that is potentially even more problematical. Mikey Veenstra, a researcher with the Defiant Threat Intelligence team, said that “the campaign has added another script which attempts to install a backdoor into the target site by exploiting an administrator’s session.”


In a warning posted to the WordFence security blog on August 30, Veenstra revealed that a malicious JavaScript dropped into compromised websites looks to “create a new user with administrator privileges on the victim’s site.” If a logged-in administrator is identified as viewing the infected page, it then goes on to make an AJAX call via jQuery, one that creates a rogue administrator account.

“This AJAX call creates a user named wpservices with the email wpservices@yandex.com and the password w0rdpr3ss,” Veenstra said, “with this user in place, the attacker is free to install further backdoors or perform other malicious activity.”

Meanwhile, Veenstra stated that the plugins that are under attack currently had been identified as follows:

Bold Page Builder

Blog Designer

Live Chat with Facebook Messenger

Yuzo Related Posts

Visual CSS Style Editor


WP Live Chat Support

Form Lightbox

Hybrid Composer

All former NicDark plugins (nd-booking, nd-travel, nd-learning)

If you are a WordPress-powered website owner using any of these plugins, then you are advised to check you have the latest updated versions. Follow the links above to check on update status, as most of these have already been patched. However, Veenstra warned that “it’s reasonable to assume any unauthenticated XSS or options update vulnerabilities disclosed in the near future will be quickly targeted by this threat actor.”

Source: https://www.forbes.com/sites/daveywinder/2019/08/31/critical-backdoor-attack-warning-issued-for-60-million-wordpress-users/amp/