Attackers exploit old WordPress to inject code enabling site redirection

Attackers exploited an old WordPress vulnerability to infect more than one thousand websites with malware capable of injecting malvertising and even creating a rogue admin user with full access privileges, according to researchers.

Attackers have exploited an old WordPress vulnerability to infect more than one thousand websites with malware capable of injecting malvertising and even creating a rogue admin user with full access privileges, according to researchers.

The exploited flaw is specifically found in outdated versions of the WordPress tagDiv Newspaper and Newsmag themes, according to a 14 December blog post by Sucuri security analyst Douglas Santos. (Sucuri explains the vulnerability in further detail in an older report here.)

"Unfortunately, since this infection is related to a software vulnerability, strong passwords and security plugins will not protect you," writes Santos, noting that the malicious javascript can be found in a WordPress site's theme options.

Following code injection, the malware can execute two possible attack scenarios, depending on the site visitor: If the visitor is determined to be logged in as an admin user, the malware creates the rogue user “simple001” with full admin privileges, allowing for complete takeover of the site. If visitors are not logged as an admin and they have not been to the site within the last 10 hours, then the malware commences a chain of redirects that sends them to various scam and advertisement sites.

Sucuri first noticed this infection trend earlier this month. Previously, attackers were using the same WordPress flaw to inject a variant of the malicious JavaScript that would either display unauthorised pop-ups or redirect visitors to spam websites, but could not enable a complete site takeover.

Sucuri previously reported in June that the tagDiv Newspaper theme has been sold to more than 40 thousand users, not counting pirated copies.