We've updated our policy regarding how we treat and protect data that is collected and used from our websites. This site also uses cookies which are necessary to its functioning and required to achieve the purposes illustrated in the policy. By using this site you agree to our use of cookies. Please read our Privacy Policy for more information and your related choices.

Colossal WordPress Redirect Campaign Targets Vulnerable Websites

Your hard earned website visitors get redirected to malicious websites

Here we go again. The WordPress open source project has another huge vulnerability that's resulting in a massive amount of websites getting hijacked in order to redirect visitors to unwanted phishing sites web pages. Which would be surprising, if this hadn't happened a hundred times before.

This time, a super-popular theme company (tagDiv) and a prominent plugin (Ultimate Member) are both under fire for giving hackers the ability to hijack right into WordPress blogs and web sites. The vulnerability present users with a redirection page to spam site posts and pages. Currently, it's unknown how many websites have been affected, but seeing how the combined active installs of the theme and plugin are over 200,000, it's probably a ton.

Let's take a look at this new colossal WordPress redirecting campaign in this edition of WordPress Security Advisory.

It's a Little Phishy

This particular attack has two main pathways -- tagDiv themes or the Ultimate Member plugin (+100,000 downloads.)

The methodology is similar between the two attacks, but the injector itself is a little different.

tagDiv Themes

tagDiv, one of the more popular WordPress theme companies — responsible for Newspaper (+100,000 sales) — has some theme issues currently. Of course, by currently, we mean it was patched in 2017, but the issue is ongoing. Hackers are using a pretty buggy injector to take over the tagDiv themes so you may notice comments that look like injector script if you've been hacked.

This was first discovered by Secarma labs, who published a free white paper outlining their findings. It's a little dense, especially if you don't know PHP. The main takeaway here is that the attacks seem to be ongoing, and the news of the attacks is really breaking this week.

Ultimate Member Plugin

The other way that hackers are injecting malicious PHP scripts is via the Ultimate Member plugin (which has been patched.) Even though the Ultimate Member plugin has now been patched, it isn't automatically updated, meaning that tons of WordPress websites are currently vulnerable. The PHP injection here is much cleaner than tagDiv themes so you may have no idea that your website is infected.

Of course, this isn't the first time that a massively popular plugin has had vulnerabilities within it. At least this time it doesn't look purposeful.

What If You're Infected?

If you suspect that your website is infected (which is probably more visible for tagDiv hacks than Ultimate Member ones), then you should immediately update everything.

Here's where things get a little complicated. Let's say you own three websites, and one of your sites had a tagDiv theme in it -- it's extremely likely that all of your websites are infected.

Even if your other websites don't have Ultimate Member or tagDiv, these malicious injections take over the entire server. This means that they will target and infect your sites that don't have any vulnerable themes or plugins.

So, if you are infected and you have multiple websites, you may have to delete and reinstall WordPress altogether on every single website.

The PHP Issues

The WordPress community has been experiencing some severe vulnerability issues this year. Whether it's PHP issues built directly into the core of WordPress or themes and plugins ravaged with vulnerabilities, keeping up with WordPress's security issues can be tedious.

If you use WordPress, we highly recommend keeping up-to-date with WordPress security news. You can find a semi-comprehensive list of confirmed CVE WordPress vulnerabilities at the CVE Details website. Of course, we'll also be doing our best to keep everyone updated as part of our continued effort to expose vulnerabilities and help keep websites safe.

Related posts

  • Jul 24, 2018, 12:00 AM

    Typically, cryptojackers will infect a host website with packets containing malware that use a visitor’s browser to download themselves onto host computers and infect them with malware.

  • Jul 17, 2018, 12:00 AM

    Recently, a powerful new Malware was discovered infiltrating WordPress, Joomla, and Drupal websites; it's called Baba Yaga.

  • Jul 26, 2018, 12:00 AM

     Check Point Research recently reported more than 10,000 WordPress sites were compromised in a well-planned "malvertisement" attack.