Hackers escalate ongoing attacks on WordPress sites, add backdoors and target new plugins

An ongoing malvertising campaign that has been targeting WordPress sites since July 2019 has morphed from redirecting browsers to sites containing dodgy adverts or malicious software into something even more dangerous. According to Mikey Veenstra, a threat analyst at cybersecurity firm Defiant, bad actors are exploiting flaws in more than ten WordPress plugins to create rogue admin accounts on target WordPress sites.

Much of the campaign remains the same, said Veenstra. The attackers exploit known vulnerabilities in WordPress plugins to inject malicious JavaScript code into the frontends of victim sites, which redirects the site’s visitors to potentially harmful content. Where possible, the payloads are obfuscated in an attempt to avoid detection by WAF and IDS software. However, the attackers recently added new vulnerabilities to the list of targets, namely flaws in the Bold Page Builder and NinTechNet plugins.

The hacker group behind the campaign has also added a script “which attempts to install a backdoor into the target site by exploiting an administrator’s session.” The malicious script attempts to create a new user with administrator privileges on the victim’s site.

“If the user is presented with a _wpnonce_create-user nonce when visiting the site’s wp-admin/user-new.php endpoint, then the script knows a new user can be created. If this is the case, the putmeone() function is triggered. This function makes an AJAX call via jQuery which creates the rogue administrator account,” explained Veenstra.

The AJAX call creates a user named “wpservices” with the email “wpservices@yandex.com” and the password “w0rdpr3ss”. Then the attacker can install further backdoors or perform other malicious activity.
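One way a site owner can hunt for this behaviour in web-server logs, as an added example that is not part of the article or of Defiant’s research: the legitimate “Add New User” form is submitted from wp-admin/user-new.php itself, whereas the rogue jQuery call described above fires from whatever front-end page the administrator was viewing when the injected script ran. A POST to user-new.php whose Referer is outside /wp-admin/ is therefore worth reviewing. The heuristic, the log format and the sample lines are assumptions constructed for the example.

```python
"""Flag suspicious admin-account creations in a WordPress access log.

Added example, not code from the article or from Defiant. Heuristic (an
assumption, not something the article states): a POST to
wp-admin/user-new.php whose Referer is not under /wp-admin/ (or is absent)
did not come from the normal Add New User form and deserves a closer look.
"""
import re
from urllib.parse import urlparse

# Apache/Nginx "combined" log format with Referer and User-Agent fields.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"'
)


def is_suspicious_user_creation(line: str) -> bool:
    """True when a POST hits wp-admin/user-new.php from a non-admin Referer."""
    m = LOG_RE.match(line)
    if not m or m.group("method") != "POST":
        return False
    if not urlparse(m.group("path")).path.endswith("/wp-admin/user-new.php"):
        return False
    # A missing Referer is logged as "-", which also fails this check and is flagged.
    ref_path = urlparse(m.group("referer")).path
    return not ref_path.startswith("/wp-admin/")


def find_suspicious(lines):
    """Return every log line that matches the heuristic, in original order."""
    return [ln for ln in lines if is_suspicious_user_creation(ln)]


# Constructed sample traffic (not real log data). Only the third line is
# suspicious: a user-creation POST whose Referer is a public blog post.
SAMPLE = [
    '203.0.113.5 - - [10/Aug/2019:10:01:02 +0000] "GET /wp-admin/user-new.php HTTP/1.1" 200 5120 "https://example.test/wp-admin/users.php" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Aug/2019:10:01:40 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "https://example.test/wp-admin/user-new.php" "Mozilla/5.0"',
    '203.0.113.5 - - [10/Aug/2019:11:15:09 +0000] "POST /wp-admin/user-new.php HTTP/1.1" 302 0 "https://example.test/2019/08/some-post/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE):
        print("SUSPICIOUS:", hit)
```

Any hit should be cross-checked against the Users screen for accounts you did not create, such as the “wpservices” account named above.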

Currently, the campaign targets the following plugins:

Owners of WordPress-powered websites using any of the above-mentioned plugins are advised to check that they have the latest versions of the software installed. However, Veenstra warned that “it’s reasonable to assume any unauthenticated XSS or options update vulnerabilities disclosed in the near future will be quickly targeted by this threat actor” as the campaign picks up new targets over time.
