A vulnerable third-party plugin for the WordPress CMS, RevSlider, exposed up to 100K WordPress-based sites; more than 10K of them have since been blocked by Google for redistributing the malware they were infected with. The SoakSoak campaign targets WordPress users running Internet Explorer on Windows and pushes multiple exploit kits to the browser.
That’s bad news for WordPress users, although this particularly popular content management system has a history of being targeted by malicious campaigns. Last year such sites were infected by an aggressive spambot and hit with brute-force attacks on admin consoles, in an apparent attempt to beat the credentials out of them.
WordPress is free to use and highly customizable thanks to a plethora of third-party plugins. This makes the CMS very popular for both personal and business needs.
Not all of those plugins are safe, however. This time attackers hit a slideshow plugin “Slider Revolution” aka RevSlider. It is “passively popular” as it comes bundled with many WordPress themes. Lots of users don’t even know they have this plugin, which explains why so many sites are still unpatched.
The vulnerability, which could allow an attacker to download any file, including database credentials, from the affected site’s server, was discovered back in September in version 4.1.4. The problem is fixed in version 4.2, but users who had the slider installed as part of a bundled theme never received the fix, since the plugin’s automatic update mechanism is usually disabled when it comes as part of a theme, due to the plugin’s relative instability.
It is strongly recommended that IT staff check their WordPress installations for the presence of the RevSlider plugin with versions older than 4.1.4, and update it if necessary.
Blocking can be very problematic for companies that rely heavily on their websites for doing business. Compromise and blocking may occur “out of the blue”, while getting the site back into the rankings takes a long time, even if repairs are made promptly.
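The check recommended above is easy to miss when the plugin arrived inside a theme rather than through the plugin installer. The following script is an added example, not code from the article or from the plugin's vendor: it walks a WordPress install's `wp-content` tree, finds every copy of the plugin's main file `revslider.php` (plugin directory and theme-bundled copies alike), reads the `Version:` line from the standard WordPress plugin header, and flags copies older than a reference release. The reference version defaults to 4.2, the fixed release named in the text; the sample site it builds in a temporary directory is constructed for the demonstration.

```python
"""Inventory RevSlider copies under a WordPress install and flag versions
older than a reference release. Added example; builds its own sample site."""
import os
import re
import tempfile

# Main file of the plugin; WordPress reads plugin metadata from the comment
# header at the top of this file ("Plugin Name:", "Version:", ...).
PLUGIN_MAIN_FILE = "revslider.php"
VERSION_RE = re.compile(r"^\s*\*?\s*Version:\s*([0-9][0-9.]*)",
                        re.MULTILINE | re.IGNORECASE)


def parse_plugin_version(path):
    """Return the Version: header value of a WordPress plugin file, or None."""
    with open(path, "r", encoding="utf-8", errors="replace") as fh:
        head = fh.read(8192)  # the header sits at the top; no need to read the whole file
    match = VERSION_RE.search(head)
    return match.group(1) if match else None


def version_tuple(version):
    """'4.1.4' -> (4, 1, 4); string comparison would get '4.10' < '4.2' wrong."""
    return tuple(int(part) for part in version.split(".") if part != "")


def is_older_than(version, reference):
    """True when version sorts before reference; short versions are zero-padded."""
    a, b = version_tuple(version), version_tuple(reference)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a < b


def scan_for_revslider(wp_root, reference="4.2"):
    """Find every revslider.php under wp-content and report its version.

    A copy whose header cannot be parsed is reported as outdated too: an
    unknown version is not evidence that the fix is present.
    """
    results = []
    content_dir = os.path.join(wp_root, "wp-content")
    for dirpath, _dirs, files in os.walk(content_dir):
        if PLUGIN_MAIN_FILE not in files:
            continue
        path = os.path.join(dirpath, PLUGIN_MAIN_FILE)
        version = parse_plugin_version(path)
        outdated = version is None or is_older_than(version, reference)
        results.append({
            "path": os.path.relpath(path, wp_root).replace(os.sep, "/"),
            "version": version,
            "outdated": outdated,
        })
    return sorted(results, key=lambda r: r["path"])


def build_sample_site():
    """Constructed sample install: one updated plugin copy and one old
    theme-bundled copy that the plugin updater never touched."""
    root = tempfile.mkdtemp(prefix="wp-sample-")
    copies = {
        "wp-content/plugins/revslider": "4.2",                          # updated normally
        "wp-content/themes/sample-theme/plugins/revslider": "4.1.4",    # shipped inside a theme
    }
    for rel_dir, version in copies.items():
        plugin_dir = os.path.join(root, rel_dir)
        os.makedirs(plugin_dir)
        with open(os.path.join(plugin_dir, PLUGIN_MAIN_FILE), "w", encoding="utf-8") as fh:
            fh.write("<?php\n/*\nPlugin Name: Slider Revolution\nVersion: %s\n*/\n" % version)
    return root


if __name__ == "__main__":
    site = build_sample_site()
    for entry in scan_for_revslider(site):
        state = "OUTDATED" if entry["outdated"] else "ok"
        print("%-8s %-6s %s" % (state, entry["version"], entry["path"]))
```

To run it against a real install, call `scan_for_revslider("/var/www/html")` (or whatever the document root is) instead of the sample site. Theme packages sometimes carry the plugin as an unextracted zip archive rather than a directory; that case is not covered here and would need the archive contents inspected as well.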
The site the campaign was pulling malware from – a Russian domain – is currently offline, which is good news.