WordPress is the leading content management system used to build websites. Internet statistics for 2020 indicate that WordPress powers over 35% of the entire web. But as the number of sites using WordPress keeps growing, more and more attackers are trying to find vulnerabilities in the software.
Because of the high number of installations, WordPress has become the main target for website hackers. Although the number of hacking attempts declined at the close of 2019, it has increased again since February 2020. This time, however, hackers are not targeting WordPress core itself, but its plugins.
Most attackers follow news of the latest patches and then go after sites that have not yet updated the affected plugin to the patched version.
There is also a more sophisticated kind of attack: exploiting bugs or flaws that the plugin author is not yet aware of, also known as zero-days.
We have compiled eight popular WordPress plugins that hackers have started exploiting in 2020. You should update the plugin as soon as possible if it is on this list.
ThemeGrill Demo Importer
ThemeGrill is a vendor of commercial WordPress themes, and its themes run on over 200,000 sites at the time of this writing. Attackers are believed to be targeting a bug in one of the plugins bundled with ThemeGrill themes, called ThemeGrill Demo Importer.
The bug makes it possible for attackers to wipe data from sites running the vulnerable version. Under certain circumstances, they can also take over the admin account. The bug was fixed in version 1.6.3.
Duplicator
Duplicator is a plugin that site administrators use to export site contents. It is currently being used in over one million sites.
In February 2020, Wordfence released a report indicating that hackers were exploiting a bug in the plugin which allowed them to extract a copy of the site, obtain database details, and even hijack the site's MySQL server. The commercial version of the plugin, Duplicator Pro, was also affected. The bug has been fixed in version 1.3.28.
Flexible Checkout Fields for WooCommerce
This WooCommerce extension is used on WordPress-powered commercial sites. It had a zero-day flaw that hackers have been exploiting since 26th February to inject XSS payloads; as a result, the attackers could create admin accounts on the affected sites. A patch is available in the latest version.
Profile Builder
This plugin allows users to create accounts on a site. It had a bug that was fixed on 10th February, but by 26th February hackers had started exploiting sites that had not yet updated the plugin. The bug allows attackers to create fake admin accounts. Both the free and commercial versions of the plugin are vulnerable.
ThemeRex Addons
ThemeRex Addons is pre-installed on all commercial themes offered by ThemeRex. Hackers have found a vulnerability in the plugin and are using it to create fake admin accounts. Since no patch is available, it is advisable to remove this plugin from your site.
The same zero-day vulnerability has been found in three other popular plugins. Unlike ThemeRex Addons, however, patches for these plugins are available. They are:
Modern Events Calendar Lite.
Async JavaScript.
10Web Map Builder for Google Maps.
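The practical takeaway of this list is an inventory check: compare each installed plugin against the advisories above and decide whether it needs an update or, for ThemeRex Addons, removal. The script below is an added example (not code from the article or from any of the plugin vendors) that does exactly that. Only the fixed versions the article states (ThemeGrill Demo Importer 1.6.3, Duplicator 1.3.28) are hard-coded; for plugins where the article gives no version number, the script flags the plugin whenever an update is pending. The inventory format mirrors `wp plugin list --format=json` (which reports `name`, `version` and `update`), but the sample inventory is constructed here and uses the article's display names rather than plugin directory slugs; mapping slugs to these names is left to the reader.

```python
"""Audit a WordPress plugin inventory against the plugin advisories listed above.

Added example, not the article's code. Fixed versions come from the article;
entries with fixed_in=None are flagged only when an update is pending.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

REMOVE = "remove"   # no patch exists; the article advises removing the plugin
UPDATE = "update"   # a fixed version exists, or a patch is pending installation


@dataclass(frozen=True)
class Advisory:
    fixed_in: Optional[str]  # first safe version, or None when the article gives none
    patched: bool            # False when no patch exists at all
    note: str


# Keyed by the display names used in the article.
ADVISORIES = {
    "ThemeGrill Demo Importer": Advisory("1.6.3", True, "data wipe / admin takeover"),
    "Duplicator": Advisory("1.3.28", True, "site export, DB details, MySQL hijack"),
    "Duplicator Pro": Advisory(None, True, "same bug as Duplicator; fixed version not stated"),
    "Flexible Checkout Fields for WooCommerce": Advisory(None, True, "XSS leading to admin accounts"),
    "Profile Builder": Advisory(None, True, "fake admin accounts; patched 10 Feb"),
    "ThemeRex Addons": Advisory(None, False, "fake admin accounts; no patch available"),
    "Modern Events Calendar Lite": Advisory(None, True, "same zero-day as ThemeRex Addons; patched"),
    "Async JavaScript": Advisory(None, True, "same zero-day as ThemeRex Addons; patched"),
    "10Web Map Builder for Google Maps": Advisory(None, True, "same zero-day as ThemeRex Addons; patched"),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.6.3' into (1, 6, 3); non-numeric suffixes such as '-beta' are ignored."""
    parts = []
    for piece in version.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def version_lt(a: str, b: str) -> bool:
    """True when version a is strictly older than b (1.6.10 is newer than 1.6.3)."""
    pa, pb = parse_version(a), parse_version(b)
    width = max(len(pa), len(pb))
    pa += (0,) * (width - len(pa))   # pad so 1.6.3 == 1.6.3.0
    pb += (0,) * (width - len(pb))
    return pa < pb


def audit(inventory: List[dict]) -> List[Tuple[str, str, str]]:
    """Return (plugin name, action, reason) for every installed plugin that needs attention."""
    findings = []
    for plugin in inventory:
        adv = ADVISORIES.get(plugin["name"])
        if adv is None:
            continue  # not one of the plugins discussed
        if not adv.patched:
            findings.append((plugin["name"], REMOVE, adv.note))
        elif adv.fixed_in is not None:
            if version_lt(plugin["version"], adv.fixed_in):
                findings.append((plugin["name"], UPDATE,
                                 f"{plugin['version']} < {adv.fixed_in}: {adv.note}"))
        elif plugin.get("update") == "available":
            findings.append((plugin["name"], UPDATE, adv.note))
    return findings


# Constructed sample inventory (versions are made up; only the shape matters).
SAMPLE_INVENTORY = [
    {"name": "ThemeGrill Demo Importer", "version": "1.6.2", "update": "available"},
    {"name": "Duplicator", "version": "1.3.28", "update": "none"},
    {"name": "ThemeRex Addons", "version": "1.0.0", "update": "none"},
    {"name": "Async JavaScript", "version": "1.0.0", "update": "available"},
    {"name": "Unrelated Plugin", "version": "2.0.0", "update": "available"},
]

if __name__ == "__main__":
    for name, action, reason in audit(SAMPLE_INVENTORY):
        print(f"{action.upper():7} {name}: {reason}")
```

Duplicator 1.3.28 is not reported because it already sits at the fixed version, while "Unrelated Plugin" is ignored even though it has a pending update: the check is deliberately limited to the advisories on this page rather than being a general update nag.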