Publication of PoC in popular WordPress plugin leads to scans for vulnerable sites

WordPress security firm Defiant reports "very noticeable uptick" in scans for vulnerable plugin installations.
Written by Catalin Cimpanu, Contributor

Attackers are scanning for WordPress sites running a vulnerable version of a popular plugin that may allow them to take over sites and servers.

The vulnerability affects "Duplicator," a WordPress plugin that's installed on over one million sites, according to statistics listed on the official WordPress Plugins directory. The plugin is popular because it allows site admins to migrate sites to new servers within minutes.

Duplicator works by generating a ZIP file containing a copy of the existing site, along with a PHP file named installer.php. All a site admin has to do is upload the ZIP archive and the installer.php file to the new server, access the PHP file, enter new database credentials, and have the new site up and running.

But in July this year, two security researchers from Synacktiv, Thomas Chauchefoin and Julien Legras, discovered that the plugin does not remove files left over after a successful migration, including both the original ZIP archive and PHP file.

This means that an attacker can access the installer.php script at any time and enter their own DB credentials to gain temporary control over a website, and indirectly over its underlying server.

Doing so breaks the current website, since the site would then run on top of the attacker's rogue DB, but Synacktiv researchers say that during this time the attacker can gain admin rights over the WordPress installation and install malicious WordPress plugins that can be used to drop hidden backdoors on the underlying server.

Site owners who find their sites crashed but cannot identify the source of the hack or perform a proper website clean-up would continue to host the attacker's hidden backdoor, even after correcting the database connection issue or reinstalling their sites.

The team behind the Duplicator plugin fixed this vulnerability on August 24 with the release of Duplicator 1.2.42, following Synacktiv's report. All previous versions are considered to be affected.

Synacktiv published a write-up detailing the bug on August 29, which also included a proof-of-concept (PoC) script that can be used to hijack affected sites where admins did not manually remove files left over after a Duplicator-based server migration.

"We saw a very noticeable uptick in scans for the vulnerable Duplicator files after the disclosure went public," Sean Murphy, Director of Threat Intelligence at Defiant, the company behind the WordFence security plugin, told ZDNet in an interview yesterday.
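As an added example (not code from the article, from Synacktiv, or from the Duplicator project), the script below gives a site owner or responder two defender-side checks for the problem described above: one walks a WordPress document root for the leftover installer.php and ZIP package that the researchers say Duplicator does not remove, the other counts access-log requests for installer.php per client address and HTTP status, which is what the scanning Defiant reports looks like from the server side. It assumes Combined Log Format access logs and, because the article does not give the archive's file name, treats any .zip in the web root as a candidate leftover; the sample directory tree and log lines are constructed.

```python
# Added example (not from the article or the Duplicator project): two
# defender-side checks for the leftover installer.php / ZIP problem.
import os
import re
import tempfile
from collections import Counter, defaultdict

# Files the article says Duplicator leaves behind after a migration: the
# installer script and the ZIP package. The package name is not given on the
# page, so any .zip in the web root is flagged (an assumption; review hits).
LEFTOVER_NAMES = {"installer.php"}
LEFTOVER_SUFFIXES = (".zip",)


def find_leftovers(webroot):
    """Walk a WordPress document root and return paths (relative to webroot)
    of files that look like Duplicator migration leftovers."""
    hits = []
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            lower = name.lower()
            if lower in LEFTOVER_NAMES or lower.endswith(LEFTOVER_SUFFIXES):
                hits.append(os.path.relpath(os.path.join(dirpath, name), webroot))
    return sorted(hits)


def build_sample_site():
    """Create a constructed, throwaway WordPress-like tree with leftovers in it."""
    root = tempfile.mkdtemp(prefix="wp-")
    os.makedirs(os.path.join(root, "wp-content", "plugins", "duplicator"))
    for rel in ("wp-config.php", "index.php", "installer.php",
                "mysite_archive.zip",
                "wp-content/plugins/duplicator/duplicator.php"):
        with open(os.path.join(root, rel), "w") as fh:
            fh.write("<?php // placeholder\n")
    return root


# Apache/nginx Combined Log Format (assumed); captures client IP, request
# path and response status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) '
)


def scan_hits(lines):
    """Count requests for installer.php per client IP, broken down by status.
    A 200 means the script was actually served (the leftover is reachable);
    a 404 means a scan that found nothing on this host."""
    counts = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected log format; skip
        path = m.group("path").split("?", 1)[0]  # drop any query string
        if path.lower().endswith("/installer.php"):
            counts[m.group("ip")][m.group("status")] += 1
    return {ip: dict(c) for ip, c in counts.items()}


# Constructed access-log lines (RFC 5737 documentation addresses, not real hosts).
SAMPLE_LOG = [
    '203.0.113.7 - - [30/Aug/2018:10:01:02 +0000] "GET /installer.php HTTP/1.1" 200 4311 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [30/Aug/2018:10:01:03 +0000] "GET /wp-login.php HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
    '198.51.100.23 - - [30/Aug/2018:10:05:44 +0000] "GET /installer.php?step=1 HTTP/1.1" 404 209 "-" "python-requests/2.19"',
    '192.0.2.9 - - [30/Aug/2018:10:07:10 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [30/Aug/2018:10:09:31 +0000] "POST /installer.php HTTP/1.1" 200 3300 "-" "Mozilla/5.0"',
]


if __name__ == "__main__":
    site = build_sample_site()
    print("leftover files:", find_leftovers(site))
    print("installer.php requests by IP and status:", scan_hits(SAMPLE_LOG))
```

Run the first check against the real document root of each WordPress site you host; the second is worth running over historical logs as well, since a 200 response to installer.php in the past means the leftover was reachable and the site should be treated as potentially compromised, not just cleaned of the file.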

Several researchers who did not want to share their names for this piece told ZDNet that they found the Duplicator plugin installed on several top Alexa sites.
