HOTforSecurity
Graham CLULEY @gcluley
Industry News

Hackers target critical WordPress plugin flaw to install backdoors and create admin accounts

November 21, 2018

A recently discovered vulnerability in a popular WordPress plugin is being actively exploited in attacks by hackers attempting to install backdoors on websites, inject custom code, and grant themselves admin rights.

The flaw existed in a version of the AMP for WP – Accelerated Mobile Pages plugin, designed to make webpages load faster on mobile devices.

AMP for WP mysteriously disappeared from the official WordPress plugin repository on 21 October, with its 100,000+ users greeted with a message saying:

“This plugin was closed on October 21, 2018 and is no longer available for download.”

An update on the developers’ blog, however, claimed that the plugin’s withdrawal was “just a temporary situation” that would be resolved in a “couple of days” once a security vulnerability had been fixed.

The blog post didn’t share many details about the plugin’s security vulnerability other than to say it “could be exploited by non-admins of the site.”

In an apparent attempt to reassure users, the developers said that existing users could continue to use the plugin while they worked on a fix.

Hmm. A plugin has a vulnerability but carry on using it? That doesn’t sound like great advice to me.

Security researchers at WebARX shared more details of the problem last week, after a fixed version of the plugin was finally released.

The researchers explained that vulnerabilities in AMP for WP allowed unauthorised users to change any plugin option, and could even inject malicious code (such as malvertising or cryptomining code) onto the website’s pages.
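As an added illustration, and not AMP for WP’s actual code nor anything published by WebARX or the author of this article, the pattern behind a “non-admins can change any plugin option” bug is typically an admin-ajax handler that writes to the options table without checking who is calling. The `example_save_option` action name and the option names in the allowlist are assumptions; the vulnerable handler is shown beside a hardened version that requires the `manage_options` capability, a nonce, a fixed list of writable option names and per-option sanitisation:

```php
<?php
/*
 * Added example (hypothetical plugin code, not AMP for WP). Shows an
 * option-writing admin-ajax handler with and without access control.
 */

// VULNERABLE: reachable by logged-in users of any role (wp_ajax_) and by
// anonymous visitors (wp_ajax_nopriv_), with no capability check, no nonce,
// no restriction on which option is written and no sanitisation of the value.
// Anyone can POST key=<any option>&value=<script>...</script> and the payload
// is stored and later rendered wherever the plugin echoes that option.
add_action( 'wp_ajax_example_save_option',        'example_save_option_vulnerable' );
add_action( 'wp_ajax_nopriv_example_save_option', 'example_save_option_vulnerable' );
function example_save_option_vulnerable() {
    update_option( $_POST['key'], $_POST['value'] );
    wp_send_json_success();
}

// HARDENED: administrators only, nonce-checked, limited to a known set of
// option names, and each value passed through the sanitiser appropriate to
// how that option is used. wp_send_json_error() calls wp_die(), so each
// failed check stops the request.
add_action( 'wp_ajax_example_save_option_safe', 'example_save_option_hardened' );
function example_save_option_hardened() {
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( 'forbidden', 403 );
    }
    check_ajax_referer( 'example_save_option', 'nonce' );

    // Allowlist: option name => sanitiser callback. Anything else is rejected,
    // so an attacker cannot pick an arbitrary option to overwrite.
    $allowed = array(
        'example_plugin_title'   => 'sanitize_text_field',  // plain text only
        'example_plugin_footer'  => 'wp_kses_post',         // limited HTML, no <script>
        'example_plugin_enabled' => 'rest_sanitize_boolean', // true/false only
    );
    $key = isset( $_POST['key'] ) ? sanitize_key( $_POST['key'] ) : '';
    if ( ! isset( $allowed[ $key ] ) ) {
        wp_send_json_error( 'unknown option', 400 );
    }
    $raw   = isset( $_POST['value'] ) ? wp_unslash( $_POST['value'] ) : '';
    $value = call_user_func( $allowed[ $key ], $raw );
    update_option( $key, $value );
    wp_send_json_success();
}
```

The hardened handler still needs the admin page that issues the request to embed a nonce created with `wp_create_nonce( 'example_save_option' )`. The allowlist plus sanitisation is what prevents a stored `<script>` tag from ending up in an option that is later echoed into every page, which is how an option-writing bug turns into injected advertising or cryptomining code.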

The existence of the vulnerability is bad enough, but now researchers at Wordfence say that they have seen it being actively exploited in conjunction with an XSS (cross-site scripting) bug to create new admin user accounts with the name “supportuuser” (of course, attackers could switch to other account names).

If your website runs a self-hosted edition of WordPress then it is essential it – and any third-party plugins – are kept updated. At the time of writing, the latest version of AMP for WP is version 0.9.97.20.

Self-hosting your WordPress site has its benefits, but the biggest drawback is that the onus is put on you to keep it up-to-date with the latest patches and updates (or find yourself a managed WordPress host who is prepared to take it on for you). New vulnerabilities are frequently found in the software and its many thousands of third-party plugins – so it’s not something that you can afford to ignore.

My advice? Enable automatic updates wherever possible.
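Both practical points in this article, turning on automatic updates and keeping an eye on who holds administrator rights after an attack that creates “supportuuser”-style accounts, can live in one small must-use plugin. This is an added example written for this page, not code from the plugin’s developers, Wordfence or WebARX; the `EXAMPLE_EXPECTED_ADMINS` list, the `example_admin_audit` cron hook and the daily schedule are assumptions to adapt to your own site:

```php
<?php
/*
 * Plugin Name: Example hardening helpers
 * Added example (hypothetical mu-plugin). Place in wp-content/mu-plugins/
 * so WordPress loads it on every request without activation.
 */

// 1. Automatic updates: core (including major releases), plugins and themes.
//    These are WordPress's own filters; '__return_true' simply answers "yes".
add_filter( 'auto_update_core',              '__return_true' );
add_filter( 'allow_major_auto_core_updates', '__return_true' );
add_filter( 'auto_update_plugin',            '__return_true' );
add_filter( 'auto_update_theme',             '__return_true' );

// 2. Administrator audit. EXAMPLE_EXPECTED_ADMINS is an assumption: list the
//    user_login of every account that is supposed to be an administrator.
const EXAMPLE_EXPECTED_ADMINS = array( 'siteowner' );

// Returns the logins of administrator accounts that are not in $expected.
function example_unexpected_admins( array $expected ) {
    $admins = get_users( array(
        'role'   => 'administrator',
        'fields' => array( 'user_login' ),
    ) );
    $logins = wp_list_pluck( $admins, 'user_login' );
    return array_values( array_diff( $logins, $expected ) );
}

// Run the audit once a day via WP-Cron; log and e-mail anything unexpected
// (an account such as "supportuuser" would show up here).
add_action( 'example_admin_audit', function () {
    $rogue = example_unexpected_admins( EXAMPLE_EXPECTED_ADMINS );
    if ( ! empty( $rogue ) ) {
        $list = implode( ', ', $rogue );
        error_log( 'Unexpected administrator accounts: ' . $list );
        wp_mail( get_option( 'admin_email' ), 'Unexpected administrator accounts', $list );
    }
} );

add_action( 'init', function () {
    if ( ! wp_next_scheduled( 'example_admin_audit' ) ) {
        wp_schedule_event( time(), 'daily', 'example_admin_audit' );
    }
} );
```

WP-Cron only fires on page views unless you trigger `wp-cron.php` from a real cron job, so on a quiet site the audit may run late; the `example_unexpected_admins()` function can also be called directly (for instance from WP-CLI’s `wp eval`) when you want an immediate answer. The audit is a detective control for the attack above, not a replacement for patching the plugin.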

Left unattended, a website running a self-hosted edition of WordPress can be easy pickings for a hacker, potentially damaging your brand, scamming your website’s visitors, and helping hackers make their fortune.


About the author


Graham CLULEY

Graham Cluley is an award-winning security blogger, researcher and public speaker. He has been working in the computer security industry since the early 1990s, having been employed by companies such as Sophos, McAfee and Dr Solomon's. He has given talks about computer security for some of the world's largest companies, worked with law enforcement agencies on investigations into hacking groups, and regularly appears on TV and radio explaining computer security threats.

Graham Cluley was inducted into the InfoSecurity Europe Hall of Fame in 2011, and was given an honorary mention in the "10 Greatest Britons in IT History" for his contribution as a leading authority in internet security.

1 Comment

  • LOL says:
    November 27, 2018 at 7:48 pm

    glad I don't use this plugin. :)