Vulnerability in outdated theme and plugin takes WordPress site visitors to unwanted websites
Researchers at Sucuri have discovered a new WordPress redirect campaign that sends website visitors to sites they did not intend to visit.
The attackers infected the websites through tagDiv themes and the Ultimate Member plugin, which together have more than 100,000 active installations.
According to Sucuri researchers, visitors are redirected to websites showing annoying pages with random web addresses and fake reCAPTCHA images. The messages and content on those sites ask users to verify themselves and subscribe to browser notifications, without explaining why.
The attackers use two websites to inject malware: cdn.eeduelements[.]com and cdn.allyouwant[.]online. The first was used in the initial stages of the campaign, while the second appeared about a week later.
Sucuri found 1700+ sites with the cdn.eeduelements[.]com script and 500+ websites with the cdn.allyouwant[.]online script. The attackers add the malicious code to the external scripts of outdated tagDiv themes and Ultimate Member plugins; that code then uses the src.eeduelements[.]com/get.php address to fetch a URL containing a redirect script.
“However, due to laziness or poor coding skills, the attackers didn’t remove the previously injected code when they reinfected the websites with the new version of the malware – so you can find both scripts on the same sites.”
“This injector code was a bit of an overkill. Most of the infected web pages have multiple inclusions of the same malicious scripts. That’s not the only problem with the injector. This code doesn’t take into account the <head> words inside PHP comments. As a result, we see the script injected into comments too,” wrote Sucuri in a blog post.
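As an added illustration (not code from the article or from Sucuri), the following Python scanner looks for the two script-hosting domains named above in a theme or plugin file and reports each inclusion with its line number and whether it sits inside a PHP comment, the tell-tale of this injector that the quoted post describes. Only the domain names come from the article; the script paths, the sample file and the function names are constructed for the example.

```python
import re
# Script-hosting domains the article names (defanged there with "[.]"); the scanner
# matches the live form that an injected <script src="..."> would carry.
CAMPAIGN_DOMAINS = {"cdn.eeduelements.com", "cdn.allyouwant.online"}
# <script ... src="//host/..."> or src="https://host/...": group 2 is the host.
SCRIPT_TAG_RE = re.compile(r"<script[^>]*\bsrc=['\"]?(https?:)?//([^/'\"\s>]+)", re.I)
# PHP code regions, and the comments inside them: block comments plus line comments
# that begin a line (so the "//" of a URL inside a string is not taken as a comment).
PHP_REGION_RE = re.compile(r"<\?(?:php|=)?.*?(?:\?>|\Z)", re.S)
PHP_COMMENT_RE = re.compile(r"/\*.*?\*/|^[ \t]*(?://|#)[^\n]*", re.S | re.M)

def php_comment_spans(text):
    """Absolute (start, end) offsets of text that PHP would treat as a comment."""
    spans = []
    for region in PHP_REGION_RE.finditer(text):
        base = region.start()
        for c in PHP_COMMENT_RE.finditer(region.group(0)):
            spans.append((base + c.start(), base + c.end()))
    return spans

def scan_file(text):
    """Return (host, line_number, inside_php_comment) for every campaign script tag."""
    spans = php_comment_spans(text)
    findings = []
    for m in SCRIPT_TAG_RE.finditer(text):
        host = m.group(2).lower()
        if host in CAMPAIGN_DOMAINS:
            line = text.count("\n", 0, m.start()) + 1
            in_comment = any(s <= m.start() < e for s, e in spans)
            findings.append((host, line, in_comment))
    return findings

def summarize(findings):  # inclusions per host; >1 per file is the duplication described above
    counts = {}
    for host, _, _ in findings:
        counts[host] = counts.get(host, 0) + 1
    return counts
# Constructed sample of an infected theme file. The script paths are placeholders (the
# article gives only the domains); note the copy injected after "<head>" in the docblock.
SAMPLE_PHP = """<?php
/**
 * Theme header: outputs everything up to <head>
 * <script src='//cdn.eeduelements.com/placeholder.js'></script>
 */
?>
<head>
<script src="https://cdn.eeduelements.com/placeholder.js"></script>
<script src="//cdn.allyouwant.online/placeholder.js"></script>
</head>
"""
```

Running `scan_file(SAMPLE_PHP)` flags the docblock copy on line 4 as inside a PHP comment and the two live copies in the head; `summarize` shows the eeduelements script included twice in one file.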
To prevent infection, the researchers recommend that WordPress website owners update all themes and plugins, delete all PHP files in subdirectories (to avoid Ultimate Member exploitation), and clean every site that shares the same server account.