Fresh Wordpress Campaign Steals Credentials

Written by

WordPress, being one of the most popular content management systems and blogging platforms on the internet, remains an attractive target for cybercriminals due to its large user base. The latest is a fresh credentials-leak campaign on multiple WordPress sites.

According to Zscaler researchers Sameer Patil and Deepen Desai, the compromised sites run backdoor code, which activates when the user submits login credentials. The credentials are then encoded and sent to an attacker website in the form of a GET request.

Dozens of sites have been hit so far.

“We have identified only one domain,, which is collecting all the credentials from these compromised sites,” Patil and Desai said in an analysis.

When unsuspecting users attempt to login to one of the compromised WordPress sites, they are served injected JavaScript code as part of the login page. So, as part of the WordPress login page, the user is getting served malicious information-stealing code too. And, the end user is oblivious to the fact that the credentials were leaked to a remote attacker's site as he is redirected to a successful logged in session of WordPress site.

“While the initial vector behind the compromise of the sites is unclear, it is extremely important for the site administrators to keep their WordPress sites patched with latest security updates,” the researchers said.

In April, Wordpress released a security update for a zero-day flaw discovered in versions 4.2 and earlier which could allow hackers to remotely control the server.

The stored cross site scripting (XSS) vulnerability allows an unauthenticated attacker to inject JavaScript into WordPress comments, triggering the script when the comment is viewed. If triggered by a logged-in administrator, under default settings the attacker can leverage the vulnerability to execute arbitrary code on the server via the plugin and theme editors. Alternatively the attacker could change the administrator’s password, create new administrator accounts, or do whatever else the currently logged-in administrator can do on the target system.”

What’s hot on Infosecurity Magazine?