Pharma Hack JAN 2022
WP Security Exploits for SEO/DDoS
Stay informed about the latest publicly identified and reported WP security exploits used for SEO gains and for DoS/DDoS remote control. With Pharma Hack JAN 2022 the consequences of a hack are ugly: major backlash on your WordPress domain, costly damage control and recovery, and immediate revenue loss with long-term consequences. Consider our FREE Pharma Hack consulting.
An estimated 7.713.000+ active WordPress installations are susceptible to these attack types, counting only the publicly available numbers. That is a whopping 138% increase compared to last month. The estimate could double if versions already closed due to security concerns were counted.
The following cases made headlines PUBLICLY in the Pharma Hack JAN 2022 category:
- Logo Carousel – Logo Slider, Logo Showcase, and Clients Logo Gallery – Stored Cross-Site Scripting (XSS)
- Logo Carousel – Logo Slider, Logo Showcase, and Clients Logo Gallery – Unauthorised Private Post Access
- Logo Carousel is a beautiful logo showcase and clients logo gallery plugin that allows you to display a group of logo images in a visually appealing carousel through an intuitive Shortcode Generator. It’s very user-friendly and convenient to manage & display the logo images in any WordPress site. Active installations: 20,000+
- Kudos Donations – Easy donations and payments with Mollie – Arbitrary Items Deletion via CSRF
- Kudos Donations allows you to add a donate button anywhere on your website. Once a user clicks this button they will be greeted with a pop-up window where they can enter their details and how much they would like to donate. Active installations: 30+
- Simple JWT Login – Login and Register to WordPress using JWT – Insecure Password Creation
- This plugin allows you to log in, register, authenticate, delete and change user password on a WordPress website using a JWT. Its main purpose is to allow you to connect a mobile app with a WordPress website. Active installations: 2,000+
- Hide My WP – Amazing Security Plugin for WordPress! – Unauthenticated Plugin Deactivation
- Hide My WP – Amazing Security Plugin for WordPress! – Unauthenticated SQL Injection
- Hide My WP is the number one security plugin for WordPress. It hides your WordPress from attackers, spammers and theme detectors. Over 26,000 satisfied customers use Hide My WP. It also hides your wp login URL and renames the admin URL. It detects and blocks XSS and SQL Injection type security attacks on your WordPress website. Active installations: 30,000+
- WP Mail Logging – Outdated Redux Framework
- WP Mail Logging is the most popular plugin to log emails sent by WordPress or WooCommerce. Simply activate it and it will work immediately, no configuration necessary. Active installations: 100,000+
- LiteSpeed Cache – IP Check Bypass to Unauthenticated Stored Cross-Site Scripting (XSS)
- LiteSpeed Cache – Reflected Cross-Site Scripting (XSS)
- LiteSpeed Cache for WordPress (LSCWP) is an all-in-one site acceleration plugin, featuring an exclusive server-level cache and a collection of optimization features. Active installations: 2+ million
- OMGF | Host Google Fonts Locally – Arbitrary Folder Deletion via Path Traversal
- Leverage Browser Cache, Minimize DNS requests, reduce Cumulative Layout Shift and serve your Google Fonts in a 100% GDPR compliant way with OMGF! Active installations: 40,000+
- CAOS | Host Google Analytics Locally – Arbitrary Folder Deletion via Path Traversal
- CAOS (Complete Analytics Optimization Suite) for Google Analytics allows you to host analytics.js/gtag.js locally and keep it updated using WordPress’ built-in Cron-schedule. Fully automatic! Active installations: 20,000+
- Advanced Custom Fields – Arbitrary ACF Data/Field Groups View and Fields Move
- Advanced Custom Fields turns WordPress sites into a fully-fledged content management system by giving you all the tools to do more with your data. Active installations: 2+ million
- Canto – Unauthenticated Blind SSRF
- Easily find and publish photos, images, and any other web-safe media file from directly to your WordPress website. Simplify collaboration with your creative team by retrieving media without having to search through emails or folders. Active installations: 70+
- All-in-One Video Gallery – Local File Inclusion
- All-in-One Video Gallery is a VIDEO POSTS plugin that helps you add videos as posts and build scalable, searchable, SEO optimized video galleries in minutes. Active installations: 20,000+
- RegistrationMagic – Custom Registration Forms, User Registration and User Login Plugin – Authentication Bypass
- RegistrationMagic – Custom Registration Forms, User Registration and User Login Plugin – SQL Injection
- Create custom WordPress Registration Forms, allow secure user registration, accept payments, track submissions, manage users, analyze stats, assign user roles, automate processes, send bulk emails and much more. If you need to build a custom WordPress Registration Forms process, look no further! Active installations: 10,000+
- Stars Rating – Comments Denial of Service
- A simple and easy to use plugin that turns post, pages and custom post types comments into reviews. Active installations: 800+
- All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic – Authenticated Privilege Escalation
- All in One SEO – Best WordPress SEO Plugin – Easily Improve SEO Rankings & Increase Traffic – Authenticated SQL Injection
- All in One SEO for WordPress is the original WordPress SEO plugin started in 2007. Over 3 million smart website owners use AIOSEO to properly setup WordPress SEO, so their websites can rank higher in search engines. Active installations: 3+ million
- Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier) – Unauthenticated Arbitrary Option Update
- Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier) is an impressive, lightweight, responsive image hover effects gallery. Use modern and elegant CSS hover effects and animations. Best used for portfolio/gallery/image showcase items in a WordPress site using shortcodes and custom posts. Considering the comfort of developers, we launched an advanced pure CSS3 based hover effect plugin named Image Hover Effects Ultimate (Image Gallery, Effects, Lightbox, Comparison or Magnifier). It is fully responsive. Bring your images to life with some beautiful animation and transition with this awesome plugin. Active installations: 20,000+
- The Plus Addons for Elementor – Unauthenticated SQL Injection
- The Plus Addons for Elementor – Sensitive Data Disclosure
- Unlock a Faster Elementor Experience with Extra 120+ Powerful Widgets & Extensions for your next big idea! Active installations: N/A
- Contact Form 7 Database Addon – CFDB7 – Arbitrary Form Deletion via CSRF
- Contact Form 7 Database Addon – CFDB7 – Unauthenticated Stored Cross-Site Scripting (XSS)
- The “CFDB7” plugin saves contact form 7 submissions to your WordPress database. Export the data to a CSV file. By simply installing the plugin, it will automatically begin to capture form submissions from contact form 7. Active installations: 400,000+
- Event Tickets – Open Redirect
- This plugin makes it easy to sell tickets and collect registration for in-person or virtual events. Plus, it comes with features backed by our world-class team of developers and designers. Integrate Event Tickets with your PayPal business account and manage attendees from your WordPress dashboard. Active installations: 40,000+
- Tabs – Responsive Tabs with WooCommerce Product Tab Extension – Unauthenticated Arbitrary Option Update
- Tabs – Responsive Tabs with WooCommerce Product Tab Extension brings you the exclusive WordPress Tabs with WooCommerce integrated product tabs. It was designed to be the best way of adding dynamic content tabs very easily within any professional website and eCommerce store. This awesome animated tabs with CSS3 plugin is the best for creating responsive tabs with dropdown and unlimited effects & animation support. It is the most lightweight yet customizable WordPress Tabs plugin with major page builder integration. Active installations: 10,000+
BRIEF: Pharma Hack JAN 2022 is an SEO spam attack type, where a legitimate website is used to sell illicit drugs. In this type of attack, hackers hijack websites, inject malware and use that specific domain to sell illicit drugs like Viagra, Cialis, Levitra. This is where it started and got its name. Today, potency drugs are not the only driver. Anything that attracts human interest while local legislation has failed to keep up with the latest trends falls in this category. Consider this a modern inquisition, where your domain is the heretic, spreading undesired ideology – sadly unknowingly.
Pharma Hack Explained
The Pharma Hack JAN 2022 exploits are used to insert rogue code into outdated versions of WordPress, themes and plugins. This new content inside existing pages and posts causes search engines to return ads for pharmaceutical products after the next indexation. The vulnerability is more of a spam menace than traditional malware, but it gives search engines enough reason to block the domain for distributing spam (NOT creating, JUST maintaining, harbouring, spreading).
The working parts of a Pharma Hack JAN 2022 include a backdoor in plugins, themes and databases. The exploits are often vicious variants of encrypted malicious injections hidden in databases, and they require a thorough clean-up process to fix. Nevertheless, you can easily prevent Pharma Hack by regularly updating your WordPress installation, themes, and plugins.
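As an added example (not code from the original page), the following Python script shows the kind of check a clean-up starts with. It scans rows shaped like wp_posts content and wp_options values for the three traits the section describes: keyword blocks hidden from visitors but visible to crawlers, PHP that executes a base64-decoded string, and encoded blobs that decode to pharma keywords. The sample rows, the row identifiers, the keyword list and the rule names are constructed for the example; on a real site you would feed it the exported table contents.

```python
import base64
import re
from dataclasses import dataclass

# Constructed sample rows shaped like wp_posts.post_content and wp_options.option_value
# (not real site data): a clean post, a post with a hidden keyword block, a normal
# option, an option carrying an obfuscated PHP injection, and another clean post.
SAMPLE_ROWS = [
    ("post:101", "<p>Welcome to our bakery. Fresh bread every morning.</p>"),
    ("post:102", '<p>Our menu</p><div style="display:none">buy viagra cialis online cheap levitra</div>'),
    ("option:active_plugins", 'a:1:{i:0;s:19:"akismet/akismet.php";}'),
    ("option:widget_text", '<?php eval(base64_decode("ZWNobyAnY2hlYXAgdmlhZ3JhJzs=")); ?>'),
    ("post:103", "<p>Store hours: 8am to 6pm.</p>"),
]

# Keyword families the page names (Viagra, Cialis, Levitra) plus generic pharmacy terms.
PHARMA_TERMS = re.compile(r"\b(?:viagra|cialis|levitra|pharmacy|pills)\b", re.IGNORECASE)
# Visually hidden containers: spam meant for crawlers that human visitors never see.
HIDDEN_BLOCK = re.compile(
    r'<(?:div|span|p)\b[^>]*style="[^"]*(?:display\s*:\s*none|visibility\s*:\s*hidden)[^"]*"[^>]*>(.*?)</(?:div|span|p)>',
    re.IGNORECASE | re.DOTALL,
)
# PHP that executes a base64-decoded string: the usual shape of an "encrypted" injection.
OBFUSCATED_PHP = re.compile(
    r"\b(?:eval|assert|preg_replace|create_function)\s*\(\s*base64_decode\s*\(", re.IGNORECASE
)
# Runs of base64 alphabet long enough to be worth decoding and inspecting.
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


@dataclass
class Finding:
    row_id: str
    rule: str
    evidence: str


def decode_blobs(text):
    """Decode every base64-looking run in text; skip runs that are not valid base64."""
    decoded = []
    for m in B64_BLOB.finditer(text):
        try:
            decoded.append(base64.b64decode(m.group(0), validate=True).decode("utf-8", "ignore"))
        except ValueError:  # binascii.Error is a ValueError: bad padding or stray characters
            continue
    return decoded


def scan_row(row_id, content):
    """Return the findings for one database row (post content or option value)."""
    findings = []
    for m in HIDDEN_BLOCK.finditer(content):
        if PHARMA_TERMS.search(m.group(1)):
            findings.append(Finding(row_id, "hidden_pharma_block", m.group(1).strip()[:60]))
    if OBFUSCATED_PHP.search(content):
        findings.append(Finding(row_id, "obfuscated_php", content[:60]))
    for text in decode_blobs(content):
        if PHARMA_TERMS.search(text):
            findings.append(Finding(row_id, "encoded_pharma_payload", text[:60]))
    return findings


def scan_rows(rows):
    """Scan (row_id, content) pairs and return all findings, in row order."""
    return [f for row_id, content in rows for f in scan_row(row_id, content)]


if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS):
        print(f"{f.row_id:24} {f.rule:24} {f.evidence!r}")
```

A hit on any rule is a reason to inspect the row, not proof of compromise on its own; the decoded evidence is printed so the reviewer can judge it. The same three rules apply to theme and plugin files on disk, which is where the backdoor the section mentions usually lives alongside the database injection.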
What is the impact of Pharma Hack JAN 2022?
The consequences of a hack are ugly. You will experience some major backlash on your WordPress domain such as:
– A marked drop in search engine rankings for the keywords you’re targeting;
– High bounce rates as visitors are redirected to different websites;
– Wasted SEO efforts in the future;
– SERP blacklist warnings on your website like:
— “This site may be hacked”
— “Deceptive site ahead” etc.;
– Hosting account suspensions;
– Email providers blacklisting your domain;
– High cleanup, recovery and damage control costs;
– Major decline in your brand’s image and reputation.
What is Denial of Service (DoS)?
Perhaps the most dangerous of them all, Denial of Service (DoS) is used to overwhelm a specific domain’s hosting resources (memory, CPU, bandwidth, etc.). Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.
Hackers have compromised millions of websites and raked in millions by exploiting outdated and buggy versions of WordPress, themes, plugins and third-party connected software. Even the latest versions of WordPress cannot comprehensively defend against high-profile DoS attacks, but they will at least help you avoid getting caught in the crossfire between financial institutions and sophisticated cybercriminals.
What is Distributed Denial of Service (DDoS)?
A distributed denial-of-service (DDoS) attack is one of the most powerful weapons on the internet. When you hear about a website being “brought down by hackers”, it generally means it has become the victim of a DDoS attack. In short, hackers made that domain unavailable by flooding or crashing the website with too much traffic.
Although financially motivated cybercriminals are less likely to target small companies directly, they tend to compromise outdated, vulnerable websites to build botnet chains that attack large businesses. The primary way a DDoS is accomplished is through a network of remotely controlled, hacked domains; these are often referred to as zombies, botnets or networks of bots, and they are used to flood a high-profile target. This is where small businesses get caught in the crossfire.
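The request floods described in the DoS and DDoS sections above leave different traces in a web server's access log, and that difference is what a defender uses to tell them apart. The following Python script is an added example (not code from the original page): it parses Common Log Format lines, slides a ten-second window over them, and reports a burst dominated by one address as a single-source flood and a burst spread over many addresses as a distributed one. The log lines, the addresses (RFC 5737 documentation ranges) and the thresholds are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

# Common Log Format: ip ident user [timestamp] "request" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"


def parse_line(line):
    """Return (ip, timestamp, path) for one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    parts = m.group("req").split()
    path = parts[1] if len(parts) >= 2 else m.group("req")
    return m.group("ip"), ts, path


def detect_floods(lines, window=timedelta(seconds=10), per_ip_limit=20, total_limit=50, min_sources=10):
    """Slide a fixed window over the parsed requests and report bursts.

    A burst in which one address alone reaches per_ip_limit is reported as "dos"
    (single-source flood); a burst that reaches total_limit spread over at least
    min_sources addresses, none of them individually over the limit, is "ddos".
    The thresholds are illustrative: tune them to the site's normal traffic.
    """
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e[1])
    alerts, suppress_until = [], None
    for i, (_, start, _) in enumerate(events):
        if suppress_until is not None and start < suppress_until:
            continue  # this burst has already been reported
        end = start + window
        per_ip = defaultdict(int)
        j = i
        while j < len(events) and events[j][1] < end:
            per_ip[events[j][0]] += 1
            j += 1
        total = j - i
        top_ip, top_n = max(per_ip.items(), key=lambda kv: kv[1])
        kind = None
        if top_n >= per_ip_limit:
            kind = "dos"
        elif total >= total_limit and len(per_ip) >= min_sources:
            kind = "ddos"
        if kind:
            alerts.append({"kind": kind, "start": start, "requests": total,
                           "sources": len(per_ip), "top_ip": top_ip})
            suppress_until = end
    return alerts


def _log_line(ip, ts, path):
    """Build one constructed log line in the format LOG_RE parses."""
    return f'{ip} - - [{ts.strftime(TS_FMT)}] "GET {path} HTTP/1.1" 200 512'


# Constructed sample traffic (documentation addresses, not a real server log):
# six ordinary visitors over a minute, then 30 requests in three seconds from one
# address, then 60 requests from 60 different addresses within six seconds.
T0 = datetime(2022, 1, 15, 12, 0, 0, tzinfo=timezone.utc)
SAMPLE_LOG = [_log_line(f"192.0.2.{k + 1}", T0 + timedelta(seconds=10 * k), "/about/") for k in range(6)]
SAMPLE_LOG += [_log_line("203.0.113.7", T0 + timedelta(minutes=2, milliseconds=100 * k), "/?s=a") for k in range(30)]
SAMPLE_LOG += [_log_line(f"198.51.100.{k + 1}", T0 + timedelta(minutes=5, milliseconds=100 * k), "/?s=a") for k in range(60)]


if __name__ == "__main__":
    for a in detect_floods(SAMPLE_LOG):
        print(f"{a['kind']:5} at {a['start']:%H:%M:%S}: {a['requests']} requests "
              f"from {a['sources']} sources (top source {a['top_ip']})")
```

The single-source case can be handled with a per-address rate limit at the web server or firewall; the distributed case cannot, because no single address stands out, which is why the section above describes it as the harder problem and why it is usually absorbed upstream by the hosting or CDN layer rather than by the WordPress host itself.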
What is the impact of DoS/DDoS?
It starts with a slow website, with vital parts not working as they should (checkout, orders/account registration, processing, dispatching). For a real visitor it peaks as “page not available”. When the entire server crashes, the domain is unavailable. END GAME.
This is a costly thing to defend against in a cloud environment: creating more and more servers to absorb the traffic spike can burn your hosting budget for an entire year in a few hours. In classical hosting environments, a single physical machine hosting the domain is simply incapable of withstanding even the simplest, smallest DoS or DDoS attack.