Hackers have exploited three zero-days to install backdoors on WordPress sites, according to a security alert published minutes ago by WordPress security firm Wordfence.
The zero-days affect three WordPress plugins — Appointments, RegistrationMagic-Custom Registration Forms, and Flickr Gallery.
The plugins' authors released updates to fix the attack vector — a PHP object injection vulnerability that affects all three plugins in the same way.
"This vulnerability allowed attackers to cause a vulnerable website to fetch a remote file (a PHP backdoor) and save it to a location of their choice," says Wordfence researcher Brad Haas.
According to Haas, the vulnerability is hilariously easy to exploit, requiring the attackers to package the exploit code inside an HTTP POST request sent to the victim site. Attackers don't need to be authenticated on the site to trigger the exploit.
For sites running the Flickr Gallery plugin, the hacker has to target the site's root URL, while for the other two, the hacker has to aim the POST request at the admin-ajax.php file.
Once the hacker tricked sites into downloading the backdoor, he can take over sites within minutes.
Wordfence said it detected the zero-days after investigating a series of hacked sites and finding evidence of past exploitation.
There is good and bad news. The good news is that the plugins are not that popular, having around 21,000 installations combined.
The bad news is that the zero-days are easy to exploit and other hackers can reverse engineer the plugin changelogs to deduce the exploit code.
The vulnerability at the core of these zero-days has a score of 9.8 out of 10 on the CVSSv3 severity scale, which is very high, and classifies the vulnerability as "Critical."
Website owners can update the plugins to the patched versions, or they can uninstall the plugins, just to be on the safe side. Below are the plugin versions where developers fixed the vulnerabilities: