More threads by djbaxter


Jun 28, 2012
Reaction score
Malicious WordPress Redirect Campaign Attacking Several Plugins
by Mikey Veenstra, Wordfence
August 22, 2019

Over the past few weeks, our Threat Intelligence team has been tracking an active attack campaign targeting a selection of new and old WordPress plugin vulnerabilities. These attacks seek to maliciously redirect traffic from victims’ sites to a number of potentially harmful locations.

Vulnerable plugins:
  • NicDark Plugins – Unauthenticated Arbitrary Options Update
    • Though several individual plugins are affected, the vulnerability is the same across each and they are covered by a single firewall rule.
    • Affected plugin slugs are prefixed with nd-. Example plugins include Components For WP Bakery Page Builder (slug: nd-shortcodes), Booking (slug: nd-booking), Travel Management (slug: nd-travel), etc.
    • Firewall rule released for Premium users on July 30, 2019
    • Available for Free users starting August 29. 2019
  • Simple 301 Redirects Addon – Bulk Uploader <= 1.2.5 – Unauthenticated Options Update
    • Firewall rule released for Premium users on August 6, 2019
    • Available for Free users starting September 5, 2019
Each of these plugins have updates available which resolve the vulnerabilities. All WordPress users, regardless of firewall status, are advised to keep their plugins up-to-date at all times.

In addition to the primary two above, we have identified related attacks against a number of other formerly-vulnerable plugins, including (but not limited to):
The domains used by the attackers in performing these script injections and redirects rotate with some frequency. New domains appear every few days, and attacks involving older domains taper off.

Ongoing Malvertising Campaign Evolves, Adds Backdoors and Targets New Plugins
by Mikey Veenstra,
August 30, 2019

In July, we reported on a malvertising campaign which was distributing redirect and popup code through a number of public vulnerabilities affecting the WordPress ecosystem. As mentioned in the article, we’ve continued tracking this threat for new or changing activity.

Much of the campaign remains identical. Known vulnerabilities in WordPress plugins are exploited to inject malicious JavaScript into the frontends of victim sites, which causes the sites’ visitors to be redirected to potentially harmful content like malware droppers and fraud sites. Where possible, the payloads are obfuscated in an attempt to avoid detection by WAF and IDS software.

One IP Address Is Issuing Most of the Attacks
During the initial investigation, we identified the attacks coming from a number of IP addresses linked to web hosting providers. Shortly after that post, most of the IPs involved ceased the activity. One IP address, however, has continued the attacks.

The IP address in question is, a Rackspace server currently hosting some presumably compromised websites. We have reached out to Rackspace to inform them of this activity, in hopes that they will take action in preventing further attacks from their network. We have not yet heard back.

The plugins currently under attack in this campaign are:
The campaign picks up new targets over time. It’s reasonable to assume any unauthenticated XSS or options update vulnerabilities disclosed in the near future will be quickly targeted by this threat actor.


Login / Register

Already a member?   LOG IN
Not a member yet?   REGISTER

LocalU Event

Live Webinar - Local SEO Audits

  Promoted Posts

New advertising option: A review of your product or service posted by a Sterling Sky employee. This will also be shared on the Sterling Sky & LSF Twitter accounts, our Facebook group, LinkedIn, and both newsletters. More...
Top Bottom