Cybersecurity researchers have said that a hacker group is exploiting vulnerabilities in more than ten WordPress plugins to create rogue admin accounts on WordPress sites across the internet. These attacks are part of an ongoing hacking campaign that has been exploiting vulnerabilities in the same plugins to plant malicious codes on hacked sites, which showed popup ads or redirects taking visitors to other websites. Recently however, attackers also ran a function to test if visitors on the site had the ability to create user accounts on the site, a feature available exclusively for WordPress admins.
This malicious code waited for site owners to access their own websites. When they did, the malicious code created a new admin account named wpservices, using the email address of wpservices@yandex.com. By creating these accounts, the hacker group behind this campaign changed tactics from exploiting sites for monetary profits, to also adding backdoors for future use, and for a more persistence foothold. According to researchers, these recent attacks are targeting older vulnerabilities in the following plugins. The plugins are linked to their respective vulnerabilities, so readers can determine the version to which they need to update, to prevent attacks, in case they’re using one of the plugins.
After updating the following plugins, site owners are also advised to check admin usernames registered on their sites. Removing these accounts is imperative, as their sole purpose was to create a way back into websites after users updated the vulnerable plugins. Cleaning infected WordPress sites can quite complicated, as site owners will also have to scan their websites with WordPress security plugins in search for various other backdoor mechanisms the hackers might have left behind. Non-technical users are advised to seek professional help.