In this campaign, known vulnerabilities in WordPress plugins are exploited to inject malicious JavaScript into the frontends of victim sites, which causes the sites’ visitors to be redirected to potentially harmful content like malware droppers and fraud sites. Where possible, the payloads are obfuscated in an attempt to avoid detection.
The plugins currently under attack in this campaign are:
- Bold Page Builder
- Blog Designer
- Live Chat with Facebook Messenger
- Yuzo Related Posts
- Visual CSS Style Editor
- WP Live Chat Support
- Form Lightbox
- Hybrid Composer
- All former NicDark plugins (nd-booking, nd-travel, nd-learning, et al.)
We’re relieved to report that none of our clients’ sites are using any of these plugins. Wordfence Security, which we install on most if not all of our clients’ sites, blocks the exploit. So you and your site’s visitors are all safe for now.
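To check any other WordPress install against the plugin list above, the following added example (not part of the original post, and not Wordfence code) reads the `Plugin Name:` header of each plugin under `wp-content/plugins` and flags matches for review. It assumes the header text contains the name as listed above and that the former NicDark plugins keep the `nd-` directory prefix; the sample tree and its directory names are constructed.

```python
import re
import tempfile
from pathlib import Path

# Plugin names exactly as listed in the advisory above.
TARGETED = ["Bold Page Builder", "Blog Designer", "Live Chat with Facebook Messenger",
            "Yuzo Related Posts", "Visual CSS Style Editor", "WP Live Chat Support",
            "Form Lightbox", "Hybrid Composer"]
NICDARK_PREFIX = "nd-"  # assumption: former NicDark plugins keep the nd- directory prefix
HEADER = re.compile(r"^[ \t/*#@]*Plugin Name:[ \t]*(.+?)[ \t]*$", re.I | re.M)

def norm(text):
    """Lowercase and collapse punctuation so 'Yuzo - Related Posts' matches the list."""
    return " " + re.sub(r"[^a-z0-9]+", " ", text.lower()).strip() + " "

def header_name(plugin_dir):
    """Return the 'Plugin Name:' header from a plugin's top-level PHP files, if any."""
    for php in sorted(plugin_dir.glob("*.php")):
        # WordPress itself only reads the first 8 KB of a file for headers.
        match = HEADER.search(php.read_text(errors="replace")[:8192])
        if match:
            return match.group(1)
    return None

def find_targeted(plugins_root):
    """List (directory, header name, matched entry) for every plugin on the advisory list."""
    hits = []
    for d in sorted(p for p in Path(plugins_root).iterdir() if p.is_dir()):
        name = header_name(d) or ""
        if d.name.startswith(NICDARK_PREFIX):
            hits.append((d.name, name, "former NicDark plugin"))
            continue
        matched = next((t for t in TARGETED if norm(t) in norm(name)), None)
        if matched:
            hits.append((d.name, name, matched))
    return hits

def build_sample_tree():
    """Constructed plugins directory for the demo; names are made up except nd-booking."""
    root = Path(tempfile.mkdtemp())
    samples = {"sample-yuzo": "Yuzo - Related Posts", "nd-booking": "Booking (constructed)",
               "sample-gallery": "Sample Gallery", "sample-blog": "Blog Designer PRO"}
    for folder, name in samples.items():
        (root / folder).mkdir()
        (root / folder / "main.php").write_text(f"<?php\n/*\n * Plugin Name: {name}\n */\n")
    return root

if __name__ == "__main__":
    for folder, name, why in find_targeted(build_sample_tree()):
        print(f"REVIEW {folder}: '{name}' matches '{why}'")
```

Point `find_targeted()` at a real `wp-content/plugins` path to audit a site; a hit means the plugin is installed and should be updated or removed, not that the site has been compromised.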