Hackers are actively exploiting zero-days in several WordPress plugins

There's quite the WordPress p0wnage going on right now.
Written by Catalin Cimpanu, Contributor

WordPress is, by far, the most widely used website building technology on the internet. According to the most recent statistics, more than 35% of all internet websites run on versions of the WordPress CMS (content management system).

Due to its huge number of active installations, WordPress is a massive attack surface. Attempts to hack into WordPress sites are like a constant hum in the background of all internet traffic, going on at any given time.

Over the past few months, this hum of WordPress hacking attempts has been at lower levels, compared to what we saw last year.

After a busy 2019, 2020 started on a quiet note. The reason for this downtime could be the winter holidays, which, as we've seen in previous years, often result in a global slowdown in malware and hacking activities, as hackers also take a break.

Hackers return from the holidays with new exploits

During the past two weeks, we've seen a resurgence in attacks against WordPress sites, signaling an end to the period of relative calm we've seen in December and January.

Several cybersecurity firms specialized in WordPress security products -- such as Wordfence, WebARX, and NinTechNet -- have reported on an ever-increasing number of attacks on WordPress sites.

All the new attacks spotted last month focused on exploiting bugs in WordPress plugins, rather than exploiting WordPress itself.

Many of the attacks targeted recently patched plugin bugs, with the hackers hoping to hijack sites before site administrators had a chance to apply security patches.

However, some of the attacks were also a little bit more sophisticated. Some attackers also discovered and started exploiting zero-days -- a term used to describe vulnerabilities that are unknown to the plugin authors.

Below is a summary of all the WordPress hacking campaigns that have happened in February and which targeted new WordPress plugin flaws.

Website administrators are advised to update all the WordPress plugins listed below, as they're very likely to be exploited throughout 2020 and possibly beyond.


Duplicator

Per a Wordfence report, since around mid-February, hackers have exploited a bug in Duplicator, a plugin that lets site administrators export the content of their sites.

The bug, fixed in 1.3.28, allows attackers to export a copy of the site, from where they can extract database credentials, and then hijack a WordPress site's underlying MySQL server.

Making matters worse, Duplicator is one of the most popular plugins on the WordPress portal, with more than one million installs at the time the attacks began, circa February 10. Duplicator Pro, the plugin's commercial version, installed on an additional 170,000 sites, was also impacted.

Profile Builder Plugin

There's also another major bug in the free and pro versions of the Profile Builder plugin. The bug can allow hackers to register unauthorized admin accounts on WordPress sites.

The bug was patched on February 10, but attacks began on February 24, on the same day that proof-of-concept code was published online. At least two hacker groups are believed to be exploiting this bug, according to a report.

More than 65,000 sites (50,000 using the free version and 15,000 using the commercial version) are vulnerable to attacks unless they update the plugin to the latest version.

ThemeGrill Demo Importer

The same two groups who are exploiting the plugin above are also believed to target a bug in the ThemeGrill Demo Importer, a plugin that ships with themes sold by ThemeGrill, a vendor of commercial WordPress themes.

The plugin is installed on more than 200,000 sites, and the bug allows users to wipe sites running a vulnerable version, and then, if some conditions are met, take over the "admin" account.

Attacks have been confirmed by Wordfence, WebARX, and independent researchers on Twitter. Proof-of-concept code is also available online. Updating to v1.6.3 is advised as soon as possible.

ThemeREX Addons

Attacks were also spotted targeting ThemeREX Addons, a WordPress plugin that ships pre-installed with all ThemeREX commercial themes.

Per a Wordfence report, attacks began on February 18, when hackers found a zero-day vulnerability in the plugin and began exploiting it to create rogue admin accounts on vulnerable sites.

Despite ongoing attacks, a patch was never made available and site administrators are advised to remove the plugin from their sites as soon as possible.

Flexible Checkout Fields for WooCommerce

Attacks also targeted sites running the Flexible Checkout Fields for WooCommerce plugin, installed on more than 20,000 WordPress-based e-commerce sites.

Hackers used a (now-patched) zero-day vulnerability to inject XSS payloads that can be triggered in the dashboard of a logged-in administrator. The XSS payloads allowed hackers to create admin accounts on vulnerable sites.

Attacks have been ongoing since February 26 [1, 2].

Async JavaScript, 10Web Map Builder for Google Maps, Modern Events Calendar Lite

Three similar zero-days were also discovered in the Async JavaScript, 10Web Map Builder for Google Maps, and Modern Events Calendar Lite plugins. These plugins are used on 100,000, 20,000, and 40,000 sites, respectively.

The three zero-days were all stored XSS bugs like the one described above. All three received patches, but attacks began before the patches were available, meaning some sites were most likely compromised. Wordfence has more on this campaign.
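An added example, not from the article or any vendor: a Python audit that reads the JSON produced by WP-CLI's `wp plugin list --format=json` and flags the plugins named above. The plugin slugs and the sample inventory are assumptions constructed for illustration; only the fixed versions 1.3.28 and 1.6.3 come from the article.

```python
import json

# Built from the article. Slugs are assumptions (the article names plugins,
# not their directory slugs); only the two version numbers come from the article.
ADVISORIES = {
    "duplicator": ("update", "1.3.28"),
    "themegrill-demo-importer": ("update", "1.6.3"),
    "trx_addons": ("remove", None),        # ThemeREX Addons: no patch released
    "profile-builder": ("latest", None),   # "latest version", no number given
    "flexible-checkout-fields": ("latest", None),
    "async-javascript": ("latest", None),
    "wd-google-maps": ("latest", None),    # 10Web Map Builder for Google Maps
    "modern-events-calendar-lite": ("latest", None),
}

def is_older(installed, fixed):
    """Compare dotted versions numerically, padding the shorter with zeros."""
    def parse(v):
        return [int(p) if p.isdigit() else 0 for p in v.split(".")]
    a, b = parse(installed), parse(fixed)
    width = max(len(a), len(b))
    a += [0] * (width - len(a))
    b += [0] * (width - len(b))
    return a < b

def audit(plugins):
    """Return sorted (slug, finding) pairs for plugins covered by the article."""
    findings = []
    for p in plugins:
        action, fixed = ADVISORIES.get(p["name"], (None, None))
        if action == "remove":
            findings.append((p["name"], "remove: no patch available"))
        elif action == "update" and is_older(p["version"], fixed):
            findings.append((p["name"], f"update to {fixed} or later (has {p['version']})"))
        elif action == "latest" and p.get("update") == "available":
            findings.append((p["name"], f"update pending (has {p['version']})"))
    return sorted(findings)

# Constructed sample of `wp plugin list --format=json` output (not real data).
SAMPLE = """[
 {"name":"duplicator","status":"active","update":"available","version":"1.3.26"},
 {"name":"themegrill-demo-importer","status":"active","update":"none","version":"1.6.3"},
 {"name":"trx_addons","status":"inactive","update":"none","version":"1.6.50"},
 {"name":"profile-builder","status":"active","update":"available","version":"3.1.0"},
 {"name":"akismet","status":"active","update":"none","version":"4.1.3"}
]"""

if __name__ == "__main__":
    for slug, finding in audit(json.loads(SAMPLE)):
        print(f"{slug}: {finding}")
```

Inactive plugins are reported too, since their files remain on disk until the plugin is deleted.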
