December 30, 2022

Linux malware targets WordPress sites

Audience for this post: UW System administrators, IT staff, and staff members responsible for maintaining websites

The Office of Information Security received a report this morning of a Linux backdoor that compromises WordPress sites by exploiting known vulnerabilities in roughly thirty WordPress plugins and themes. If you manage a WordPress (WP) site, review the list of affected add-ons below and confirm that every available update has been applied.

Things to do

While we have no direct evidence of actors targeting UW systems, following the guidance below to update vulnerable WP plugins and themes will help secure your website.

  1. As with any other software, regularly update all components of your WordPress platform (and any other app, platform, or service you use), and replace components that are no longer supported with alternatives that still receive updates. Beyond that general practice, security researchers have identified specific WP components as the targets of the current Linux malware; those components are listed in item #4 below and in the linked resources.
  2. The Wordfence Vulnerability Database can help you regularly check for known vulnerabilities in WordPress core, plugins, and themes. Wordfence Vulnerability Database: https://www.wordfence.com/threat-intel/vulnerabilities
  3. For more information about how adversaries use vulnerabilities in websites to infiltrate systems and networks, and what you can do to mitigate those threats, please review our Web Shells Risk Advisory: https://ois.uw.edu/education/risk-advisories/web-shells/
  4. We recommend auditing your environment to ensure you are not running a vulnerable version of any of the following plugins and themes:
    • WP Live Chat Support Plugin
    • WordPress – Yuzo Related Posts
    • Yellow Pencil Visual Theme Customizer Plugin
    • Easysmtp
    • WP GDPR Compliance Plugin
    • Newspaper Theme on WordPress Access Control (vulnerability CVE-2016-10972)
    • Thim Core
    • Google Code Inserter
    • Total Donations Plugin
    • Post Custom Templates Lite
    • WP Quick Booking Manager
    • Facebook Live Chat by Zotabox
    • Blog Designer WordPress Plugin
    • WordPress Ultimate FAQ (vulnerabilities CVE-2019-17232 and CVE-2019-17233)
    • WP-Matomo Integration (WP-Piwik)
    • WordPress ND Shortcodes For Visual Composer
    • WP Live Chat
    • Coming Soon Page and Maintenance Mode
    • Hybrid
    • Brizy WordPress Plugin
    • FV Flowplayer Video Player
    • WooCommerce
    • WordPress Coming Soon Page
    • WordPress theme OneTone
    • Simple Fields WordPress Plugin
    • WordPress Delucks SEO plugin
    • Poll, Survey, Form & Quiz Maker by OpinionStage
    • Social Metrics Tracker
    • WPeMatico RSS Feed Fetcher
    • Rich Reviews plugin
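One way to carry out the audit in items 1 through 4 on a Linux host is to export the installed plugin and theme inventory with WP-CLI (`wp plugin list --fields=name,title,status,update,version,update_version --format=json`, and the same for `wp theme list`) and compare it against the names above. The script below is an added example written for this advisory, not code from Dr. Web, Wordfence, or the WordPress project. It flags every add-on whose display title matches an entry from the list above, and separately flags any add-on with a pending update, since keeping everything current is the first recommendation. The watch-list entries are the names from item #4 trimmed of filler words such as "Plugin" and "WordPress", and the JSON sample is constructed for the demonstration (the slugs, titles and version numbers are illustrative, not a statement about which versions are vulnerable). Matching on display names is a heuristic: a match means "check this one against the Wordfence database or the vendor advisory", not a confirmed vulnerability.

```python
"""Audit a WordPress add-on inventory against the watch list in this advisory.

Usage: python wp_audit.py plugins.json
where plugins.json is the output of
    wp plugin list --fields=name,title,status,update,version,update_version --format=json
(or the equivalent `wp theme list`). With no argument the constructed sample below is used.
"""
import json
import re
import sys

# Names from item #4 of this advisory, trimmed of filler words ("Plugin", "WordPress").
# WP-CLI reports the slug in "name" and the display name in "title"; we match on titles.
WATCH_LIST = [
    "WP Live Chat Support", "Yuzo Related Posts", "Yellow Pencil Visual Theme Customizer",
    "Easysmtp", "WP GDPR Compliance", "Newspaper", "Thim Core", "Google Code Inserter",
    "Total Donations", "Post Custom Templates Lite", "WP Quick Booking Manager",
    "Facebook Live Chat by Zotabox", "Blog Designer", "Ultimate FAQ",
    "WP-Matomo Integration", "ND Shortcodes For Visual Composer", "WP Live Chat",
    "Coming Soon Page and Maintenance Mode", "Hybrid", "Brizy", "FV Flowplayer Video Player",
    "WooCommerce", "Coming Soon Page", "OneTone", "Simple Fields", "Delucks SEO",
    "Poll, Survey, Form & Quiz Maker by OpinionStage", "Social Metrics Tracker",
    "WPeMatico RSS Feed Fetcher", "Rich Reviews",
]


def _norm(text):
    # Lower-case and collapse punctuation so "WP-Matomo Integration (WP-Piwik)"
    # and "wp matomo integration" compare on the same footing.
    return re.sub(r"[^a-z0-9]+", " ", text.lower()).strip()


_WATCH_NORM = [_norm(n) for n in WATCH_LIST]


def on_watch_list(title):
    """Return the watch-list entry found (as a whole-word phrase) in an add-on title, or None."""
    padded = f" {_norm(title)} "
    for raw, norm in zip(WATCH_LIST, _WATCH_NORM):
        if norm and f" {norm} " in padded:
            return raw
    return None


def audit(addons, kind):
    """Classify add-on records as emitted by `wp plugin|theme list --format=json`.

    Returns (kind, slug, installed_version, reason) for every add-on on the watch
    list, whether or not an update is pending (the list names campaign targets, so
    each one needs a version check), and for every other add-on with a pending update.
    """
    findings = []
    for addon in addons:
        hit = on_watch_list(addon.get("title", ""))
        pending = addon.get("update") == "available"
        if hit and pending:
            reason = f"on watch list ({hit}); update to {addon.get('update_version', '?')} pending"
        elif hit:
            reason = f"on watch list ({hit}); verify the installed version is not vulnerable"
        elif pending:
            reason = "update available"
        else:
            continue
        findings.append((kind, addon["name"], addon.get("version", "?"), reason))
    return findings


# Constructed sample inventory: slugs, titles and versions are illustrative only.
SAMPLE_PLUGINS = json.loads("""[
 {"name": "woocommerce", "title": "WooCommerce", "status": "active",
  "update": "available", "version": "7.1.0", "update_version": "7.2.2"},
 {"name": "wp-gdpr-compliance", "title": "WP GDPR Compliance", "status": "inactive",
  "update": "none", "version": "1.5.6"},
 {"name": "akismet", "title": "Akismet Anti-spam", "status": "active",
  "update": "none", "version": "5.0.2"},
 {"name": "hello-dolly", "title": "Hello Dolly", "status": "inactive",
  "update": "available", "version": "1.7.2", "update_version": "1.7.3"}
]""")


def main(argv):
    if len(argv) > 1:
        with open(argv[1]) as fh:
            plugins = json.load(fh)
    else:
        plugins = SAMPLE_PLUGINS
    for kind, slug, version, reason in audit(plugins, "plugin"):
        print(f"{kind:7} {slug:28} {version:10} {reason}")


if __name__ == "__main__":
    main(sys.argv)
```

Run it once per site against the plugin export and once against the theme export; anything it reports as "on watch list" should be checked against the Wordfence Vulnerability Database for the exact installed version, and anything reported with a pending update should simply be updated.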

Source: Linux backdoor malware infects WordPress-based websites

References

Bleeping Computer: New Linux malware uses 30 plugin exploits to backdoor WordPress sites

Dr. Web: Linux backdoor malware infects WordPress-based websites

Wordfence: Wordfence Vulnerability Database

OIS: