It’s all up in the air, and it’s true, with 60 million WordPress users potentially affected. The malvertising campaign that was targeting vulnerable plug-ins has recently upped its game and has been creating rogue admin accounts. Those who shut down their WordPress sites for the time being were wise to do so. Most people first noticed the malicious activity when Wordfence (a WordPress security plugin that includes an endpoint firewall and malware scanning) posted about it on July 22. After infecting the plug-ins, the hackers first began to promote malicious Android apps, pop-up ads, redirects and fraudulent tech support, with “Coming Soon”, “Bold Page Builder”, and “Maintenance Mode” being their main gateways.

Which plug-ins are vulnerable?

On August 30th, Wordfence made another announcement, saying that the malvertising campaign had evolved: backdoors were being created, and new plug-ins were being targeted as well. These were the vulnerable plug-ins:

  • Bold Page Builder
  • Blog Designer
  • Live Chat with Facebook Messenger
  • Yuzo Related Posts
  • Visual CSS Style Editor
  • WP Live Chat Support
  • Form Lightbox
  • Hybrid Composer
  • All former NicDark plugins (nd-booking, nd-travel, nd-learning, et al.)
  • Yellow pencil visual theme customizer

How exactly does this affect a WordPress user?

Hijacked websites can now be controlled by a hacker, who can gain admin access. If you are logged in, a function is triggered that makes an AJAX call to create rogue administrator accounts. Once the call is made and another user is created, the attacker is free to indulge in any malicious activity or to create more backdoors.
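
Because the campaign described above leaves rogue administrator accounts behind, it is worth reviewing who holds the administrator role on your site. The script below is an added example, not code from Wordfence or WordPress: it reads the CSV that WP-CLI's `wp user list` prints and flags administrators that are not on your approved list or that appeared inside the review window. The sample rows, the approved logins and the 22 July 2019 cut-off date are assumptions made for illustration.

```python
import csv
import io
from datetime import datetime

# Constructed sample of what this WP-CLI command prints (logins, e-mail
# addresses and dates are made up):
#   wp user list --role=administrator \
#     --fields=ID,user_login,user_email,user_registered --format=csv
SAMPLE_CSV = """ID,user_login,user_email,user_registered
1,siteowner,owner@example.com,2017-03-02 09:15:40
7,editor-in-chief,chief@example.com,2018-11-19 16:22:05
23,wpsupport01,helper@example.net,2019-08-29 03:41:12
31,sysbackup,ops@example.org,0000-00-00 00:00:00
"""


def audit_admins(csv_text, approved_logins, since):
    """Return [(login, [reasons])] for administrators that need manual review."""
    approved = {name.lower() for name in approved_logins}
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        login = row["user_login"].strip()
        reasons = []
        if login.lower() not in approved:
            reasons.append("not on the approved administrator list")
        try:
            registered = datetime.strptime(row["user_registered"], "%Y-%m-%d %H:%M:%S")
        except ValueError:
            # A zeroed or malformed date hides when the account appeared.
            reasons.append("registration date missing or invalid")
        else:
            if registered >= since:
                reasons.append("registered on or after " + since.strftime("%Y-%m-%d"))
        if reasons:
            findings.append((login, reasons))
    return findings


if __name__ == "__main__":
    # Assumed review window: accounts created since 22 July 2019.
    for login, reasons in audit_admins(
        SAMPLE_CSV, ["siteowner", "editor-in-chief"], datetime(2019, 7, 22)
    ):
        print(f"REVIEW {login}: {'; '.join(reasons)}")
```

Any account it flags should be checked by hand and removed if nobody on your team created it.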

 

What's the solution?

This is the (only) best part! You don’t have to shut your website down, whether you were using these plug-ins or just as a precaution. The solution is already out. WordPress 5.2.3 has been released, with all security fixes and 29 bug fixes. You can download and install the upgrade here, or navigate to the admin dashboard, where you will get a notification about the update. Simply click on “update now” and you’ll be safe! The infected plug-ins were made temporarily unavailable, and their updated, safe versions are now accessible to both premium and free users as of today.