A new malware campaign has compromised more than 5,000 WordPress websites by creating unauthorized admin accounts and installing a malicious plugin. The attack, first discovered by the web security company c/side during an incident response engagement, involves the use of a malicious script that loads from the wp3[.]xyz domain. This script creates a rogue admin account, “wpx_admin,” and installs a malicious plugin known as plugin.php, which is downloaded from the same domain. The plugin’s purpose is to collect sensitive data, such as administrator credentials and logs, and send it to the attacker’s server.
Once the rogue admin account is created, the script verifies the operation and installs the plugin on the compromised site. The malicious plugin operates by exfiltrating data in an obfuscated manner, making the stolen information appear as an image request. While the exact infection vector is still unknown, the malicious script takes over the website and gives attackers control over critical administrative features. Researchers believe the attacker is using this method to gather sensitive information that could further compromise the security of the site and its users.
To mitigate the risks associated with this attack, c/side recommends that website owners take immediate action
To mitigate the risks associated with this attack, c/side recommends that website owners take immediate action by blocking the wp3[.]xyz domain using firewalls and security tools. Admins are also urged to review privileged accounts on their websites to check for unauthorized activity, particularly by identifying and removing any rogue plugins. These precautions are vital to ensure that attackers are unable to maintain long-term access to compromised sites and prevent further data exfiltration.
Additionally, the report emphasizes the importance of strengthening CSRF protections and implementing multi-factor authentication to enhance the security of WordPress sites. To improve CSRF defenses, c/side recommends using unique token generation, server-side validation, and short expiration times for tokens. Multi-factor authentication should also be set up to protect accounts, especially those whose credentials have already been compromised. These measures are essential to protect WordPress websites from similar attacks in the future and to secure any previously compromised accounts.
