The flaw – which was discovered Feedjit's Mark Maunder on August 1– centres on an image resizing utility offered as a WordPress plug-in.
According to Websense, the flaw was found to be exploited just a week later, when the security firm's ThreatSeeker network started seeing exploit code that been injected into a number of WordPress sites.
At first, says the company, its research team saw the injected domain name hxxp://superpuperdomain.com/ injected at the foot of compromised WordPress blogs. This code, the firm adds, appears to have been delivering advertisements to end users via redirects to search engines.
“Last Friday, we saw a slight adaptation within the injected code. This time, browsers to compromised sites led to the domain hxxp://superpuperdomain2.com/, which seemingly was a placeholder for more nefarious malicious activity. Websense customers are protected with ACE, our Advanced Classification Engine”, says the company in its latest security advisory.
“Interestingly, over the weekend, we saw the number of injections leading to the first URL decrease as the use of the second URL ramped up on August 12, as the chart shows”, adds the firm.
Websense concludes that this sequence of events is fairly typical in the life of a zero-day vulnerability.
“As the issue becomes known, developers rush to fix the vulnerability. In the meantime, malware authors seek to launch attacks on vulnerable web sites and deliver variations of attack code to bypass security products. In this case, we saw peaks of 10,000 WordPress-running web sites infected with the code”, notes the company.