A caching plugin currently used by over one million WordPress sites was susceptible to a cross-site scripting (XSS) vulnerability that could allow an attacker to inject a backdoor or add a new administrator. If you use the WP Super Cache plugin, make sure it is updated to the newest version, 1.4.4, which the developers released to resolve the remotely exploitable vulnerability reported to them by Sucuri.
The WP Super Cache plugin generates static HTML files instead of processing PHP scripts so the pages will load faster. The free plugin generally delivers a decent performance boost and reduces the load on a server. "This plugin will help your server cope with a front page appearance on digg.com or other social networking site." The developers added, "Supercache really comes into its own if your server is underpowered, or you're experiencing heavy traffic." It’s a popular plugin that over seven million total sites have downloaded; yesterday WP Super Cache was downloaded over 22,000 times, with over 130,000 downloads last week.
Yet Sucuri listed the security risk as “dangerous;” according to security vulnerability researcher Marc-Alexandre Montpas, the vulnerability is “very easy” to remotely exploit, giving it an 8 out of 10 DREAD (Damage, Reproducibility, Exploitability, Affected users, Discoverability) score.
“Using this vulnerability, an attacker using a carefully crafted query could insert malicious scripts to the plugin’s cached file listing page,” Montpas explained. “When executed, the injected scripts could be used to perform a lot of other things like adding a new administrator account to the site, injecting backdoors by using WordPress theme edition tools, etc.”
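The bug class Montpas describes is request input echoed back into an HTML listing page without escaping. The following is an added illustration written for this article, not WP Super Cache's code: the file names, the filter parameter and the two render functions are assumptions made for the example. It shows the unsafe pattern next to the hardened one, where every untrusted value is escaped for the HTML context it lands in.

```php
<?php
// Added example: reflected XSS in a cache file listing page, vulnerable vs hardened.
// Not the plugin's code; the listing, the $filter parameter and helpers are assumptions.

// Vulnerable pattern: request data and file names flow straight into HTML output.
function render_listing_vulnerable(array $files, string $filter): string {
    $html = '<p>Cached files matching: ' . $filter . '</p><ul>';
    foreach ($files as $f) {
        $html .= '<li>' . $f . '</li>';
    }
    return $html . '</ul>';
}

// Hardened pattern: escape each value for the HTML body context.
// In a WordPress plugin the equivalent helpers are esc_html()/esc_attr();
// plain htmlspecialchars() is used here so the example runs stand-alone.
function render_listing_hardened(array $files, string $filter): string {
    $esc = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $html = '<p>Cached files matching: ' . $esc($filter) . '</p><ul>';
    foreach ($files as $f) {
        $html .= '<li>' . $esc($f) . '</li>';
    }
    return $html . '</ul>';
}

// Constructed sample input: an ordinary listing plus a query value that contains markup.
$files  = ['index.html', 'about-us/index.html'];
$filter = $_GET['filter'] ?? '<b>constructed-markup</b>';

echo render_listing_vulnerable($files, $filter), PHP_EOL; // markup in $filter is emitted verbatim and rendered by the browser
echo render_listing_hardened($files, $filter), PHP_EOL;   // markup is emitted as entities and shown as literal text
```

Escaping on output is only half of the fix for an admin-side listing page: in WordPress the handler should also verify a nonce (check_admin_referer()) and a capability (current_user_can()) before rendering, so that the page cannot be driven by a crafted link at all.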
FBI: ISIS sympathizers are exploiting vulnerable plugins on WordPress sites
If you need yet another reason to update the plugin, then consider the warning issued by the FBI yesterday. The feds claimed that attackers who are sympathetic to ISIS are targeting WordPress sites that use vulnerable plugins. After exploiting plugin vulnerabilities, the attackers deface the site. Such website defacements have affected site “operations and the communication platforms of news organizations, commercial entities, religious institutions, federal/state/local governments, foreign governments, and a variety of other domestic and international” sites.
According to the FBI Public Service Announcement:
Successful exploitation of the vulnerabilities could result in an attacker gaining unauthorized access, bypassing security restrictions, injecting scripts, and stealing cookies from computer systems or network servers. An attacker could install malicious software; manipulate data; or create new accounts with full user privileges for future Website exploitation.
Defacing a site demonstrates “low-level hacking sophistication,” but it is “disruptive and often costly in terms of lost business revenue and expenditures on technical services to repair infected computer systems.” Although the FBI said the attackers are not members of the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq and al-Sham (ISIS) terrorist organization, it described the perps and threat as:
These individuals are hackers using relatively unsophisticated methods to exploit technical vulnerabilities and are utilizing the ISIL name to gain more notoriety than the underlying attack would have otherwise garnered. Methods being utilized by hackers for the defacements indicate that individual websites are not being directly targeted by name or business type. All victims of the defacements share common WordPress plug-in vulnerabilities easily exploited by commonly available hacking tools.
In other words, make sure you run the latest WordPress and plugin versions, which should be less susceptible to remote exploitation. The FBI advised hardening WordPress, keeping an eye out for vulnerabilities on US-CERT, the MITRE CVE list and SecurityFocus, and running all software as a non-privileged user instead of granting administrative privileges, to lessen the effects of a successful attack.
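Two of those checks are easy to automate. The script below is an added example, not part of the article, the FBI announcement or the plugin: it reads the version from a WordPress plugin header comment, compares it with the fixed release named above (1.4.4) using PHP's version_compare(), and reports whether PHP itself is running as root. The sample header string and the plugin file path are assumptions.

```php
<?php
// Added example: is WP Super Cache at least the fixed release, and is PHP running as root?
// Not the plugin's or the article's code; the path and sample header are assumptions.

const FIXED_VERSION = '1.4.4';
// Assumed location of the plugin's main file on a typical install.
const PLUGIN_MAIN_FILE = 'wp-content/plugins/wp-super-cache/wp-cache.php';

// WordPress plugins declare their version in a header comment of the main file,
// e.g. " * Version: 1.4.3". Pull it out of the raw file contents.
function extract_plugin_version(string $header): ?string {
    if (preg_match('/^[ \t\/*#@]*Version:\s*([0-9][0-9A-Za-z.\-]*)/mi', $header, $m)) {
        return $m[1];
    }
    return null;
}

// True when the installed version is the fixed release or newer.
function plugin_is_patched(string $installed): bool {
    return version_compare($installed, FIXED_VERSION, '>=');
}

// True when the PHP process has effective uid 0 (posix extension required).
function running_as_root(): bool {
    return function_exists('posix_geteuid') && posix_geteuid() === 0;
}

// Constructed sample header imitating an outdated install (assumption, not a real file).
$sampleHeader = "/*\nPlugin Name: WP Super Cache\nVersion: 1.4.3\n*/";

// Prefer the real file when it exists; fall back to the constructed sample.
$raw = is_readable(PLUGIN_MAIN_FILE) ? file_get_contents(PLUGIN_MAIN_FILE) : $sampleHeader;
$installed = extract_plugin_version($raw);

printf(
    "WP Super Cache version %s: %s\n",
    $installed ?? 'unknown',
    ($installed !== null && plugin_is_patched($installed)) ? 'patched' : 'UPDATE REQUIRED'
);
printf("PHP running as root: %s\n", running_as_root() ? 'yes (run as an unprivileged user)' : 'no');
```

Run it from the WordPress root so the assumed plugin path resolves; with the constructed header it reports 1.4.3 as needing an update, because version_compare() treats 1.4.3 as older than 1.4.4.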