Pharma Hacks AUG 2021
WP Security Exploits for SEO/DDoS
Be informed about the latest WP Security Exploits for SEO gains and DoS/DDoS remote controls, identified and reported publicly. With Pharma Hacks AUG 2021 the consequences of a hack are ugly. You will experience major backlash on your WordPress domain, costly damage control/recovery, immediate revenue loss with long-term consequences. Consider our FREE Pharma Hacks AUDIT.
An estimated 10.417.000+ active WordPress installations are susceptible to these attack types, considering only the publicly available numbers. The estimated number can double with versions already closed due to security concerns.
It is a whooping 463% increased trend compared to December 2020. We compare last month versus previous winter holiday season, which has the biggest shopping traffic and attack spike throughout the year. Read more about our previous reports here: 21 Pharma Hacks JUL 2021 – WP Security Exploits for SEO/DDoS and 8 Pharma Hacks JAN 2021 – WP Security Exploits for SEO/DDoS. The following cases made headlines PUBLICLY just last month in the Pharma Hacks AUG 2021 category:
Hire security professionals to protect your WordPress from publicly reported cases of Pharma Hacks AUG 2021 BEFORE IT’S TOO LATE! You will also protect your customers, your reputation and your online business!
- Advanced Shipment Tracking for WooCommerce – Authenticated Options Change
- Advanced Shipment Tracking (AST) provides all you need to manage and automate the WooCommerce fulfillment workflow. Easily add tracking information and fulfill orders, keep your customers informed, reduce time spent on post-shipping inquiries and increase overall customer satisfaction. Active installations: 50,000+
- Bold Page Builder – PHP Object Injection
- Bold Page Builder for WordPress is 100% free – there is no premium version and you can use it freely in your commercial and noncommercial projects. Even in your Premium WordPress themes. Active installations: 50,000+
- HM Multiple Roles – Arbitrary Role Change
- This HM Multiple Roles plugin provides a user interface and allows you to select multiple roles for a user. It hides the default role dropdown list and displays a list of role checkboxes for both new user and update user page. Multiple roles can be visible from the All User list page. Active installations: 500+
- User Rights Access Manager – Access Restriction Bypass
- This plugin has been closed as of July 19, 2022 and is not available for download. This closure is temporary, pending a full review.
- Welcart e-Commerce – Unauthenticated Information Disclosure
- Welcart e-Commerce – Authenticated System Information Disclosure
- Welcart is a free e-commerce plugin for WordPress with top market share in Japan. Welcart comes with many features and customizations for making an online store. You can easily create your own original online store. Active installations: 20,000+
- Image Export – Directory Traversal
- This plugin has been closed and is no longer available for download.
- Simple eCommerce – Arbitrary File Upload
- This plugin has been closed as of June 21, 2022 and is not available for download. Reason: Security Issue.
- Post Grid, Post Carousel, & List Category Posts – by Smart Post Show – Unauthorised AJAX Calls
- Smart Post Show (formerly Post Carousel) allows you to filter and display posts, pages, taxonomy (categories, tags, & post formats) in the beautiful carousel and grid layout easily without coding! The plugin helps you to create a beautiful post carousel or post grid in minutes for making your WordPress site content stand out and keep visitors engaged. Active installations: 10,000+
- Stop User Enumeration – REST API Bypass
- Stop User Enumeration is a security plugin designed to detect and prevent hackers scanning your site for user names. User Enumeration is a type of attack where nefarious parties can probe your website to discover your login name. This is often a pre-cursor to brute-force password attacks. Stop User Enumeration helps block this initial attack and allows you to log IPs launching these attacks to block further attacks in the future. Active installations: 30,000+
- Shopp eCommerce – Unauthenticated Arbitrary File Upload
- This plugin has been closed as of June 29, 2022 and is not available for download. Reason: Security Issue.
- Visual Link Preview – Unauthorised AJAX Calls
- Easily create a Facebook-like link preview for any link on your website. You can choose the image and text to display and create your very own custom template. The default template can be styled from the settings to match your website. Active installations: 9,000+
- WP Cerber Security, Anti-spam & Malware Scan – Rest-API Protection Bypass
- WP Cerber Security, Anti-spam & Malware Scan – 2FA Authentication Bypass
- Defends WordPress against hacker attacks, spam, trojans, and malware. Mitigates brute-force attacks by limiting the number of login attempts through the login form, XML-RPC / REST API requests, or using auth cookies. Tracks user and bad actors activity with flexible email, mobile and desktop notifications. Stops spammers by using a specialized anti-spam engine. Uses Google reCAPTCHA to protect registration, contact, and comments forms. Restricts access with IP Access Lists. Monitors the website integrity with an advanced malware scanner and integrity checker. Reinforces the security of WordPress with a set of flexible security rules and sophisticated security algorithms. Active installations: 200,000+
- Fileviewer – Arbitrary File Upload/Deletion via CSRF
- This plugin has been closed as of June 28, 2022 and is not available for download. Reason: Security Issue.
- WordPress Download Manager – Authenticated Directory Traversal
- WordPress Download Manager – Authenticated File Upload
- WordPress Download Manager – Email Template Setting Update via CSRF
- WordPress Download Manager is a Files / Documents Management Plugin to manage, track and control file downloads from your WordPress Site. Use Passwords, User Roles to control access to your files, control downloads by speed or by putting a limit on download count per user, block bots or unwanted users or spammers using Captcha Lock or IP Block feature, you may also ask users to agree with your terms and conditions before they download. Active installations: 100,000+
- Print My Blog – Print, PDF, & eBook Converter WordPress Plugin – Plugin Deactivation via CSRF
- Offline publishing for you, site visitors, and the world outside WordPress. Print My Blog makes WordPress content useful outside of your website, like in print, PDFs, and other formats. Active installations: 4,000+
- Per Page Add to Head – Authenticated Stored XSS
- Per Page Add to Head – CSRF to Stored XSS
- This plugin has been closed as of June 7, 2022 and is not available for download. Reason: Security Issue.
- Smash Balloon Social Post Feed – Unauthenticated Stored XSS
- Display Facebook posts on your WordPress site. Completely customizable, responsive, search engine crawlable, and GDPR compliant Facebook feeds. Display unlimited Facebook feeds from your Facebook page or Facebook Group, and completely match the look and feel of your site with tons of customization options! Automatically powers any Facebook oEmbeds on your site. Active installations: 200,000+
- Pods – Custom Content Types and Fields – Multiple Authenticated Stored Cross-Site Scripting (XSS)
- Manage all your custom content needs in one location with the Pods Framework. Active installations: 100,000+
- Qyrr – simply and modern QR-Code creation – Authenticated (contributor+) Stored XSS
- Qyrr is a simple yet powerful solution to create and manage QR-Codes. It use a simple interface to create and design your QR-Codes. Active installations: 500+
- Simple Social Media Share Buttons – Social Sharing for Everyone – Contributor+ Stored XSS
- Simple Social Buttons adds ( with lots of options like Sidebar, inline, above and below the posts content, on photos, popups, fly ins ) an advanced set of social media sharing buttons to your WordPress sites, such as: Facebook, WhatsApp, Viber, Twitter, Reddit, LinkedIn and Pinterest. Active installations: 40,000+
- WP Learn Manager – Unauthenticated Stored Cross-Site Scripting (XSS)
- WP Learn Manager – Unauthenticated Arbitrary User Field Edition/Creation
- WP Learn Manager is extensive, featured rich and comprehensive learning management system for WordPress. WP Learn Manager comes with a lots of features like course list, course search with many filters, create course, create lectures, Add Quizzes, take lectures, enrollment, shortlist courses, Messaging, Social logins, Social sharing, Awards and many more. Active installations: 80+
- FluentSMTP – WordPress Mail SMTP, SES, SendGrid, Mailgun and Any SMTP Plugin – Authenticated Stored XSS
- Are you having problems with your WordPress emails not sending? Or looking to set the email address in which your emails are delivered from. This plugin will solve all your email deliverability problems. FluentSMTP is the ultimate WP Mail Plugin that connects with your Email Service Provider natively and makes sure your emails are delivered 💯. Active installations: 30,000+
- Sitewide Notice WP – Authenticated Stored XSS
- Simply add a small message bar to the bottom of each page of your website to display notice messages such as sales, notices and any text messages. A lightweight plugin that simply adds a small notification bar that allows you to insert simple text at the bottom of every page of your website as a call-to-action. Active installations: 5,000+
- Business Hours Indicator – Authenticated Stored XSS
- Highly customizable shortcodes to display your opening times in any format. Active installations: 9,000+
- VDZ Google Analytics or Google Tag Manager / GTM – Authenticated Stored XSS
- Just install and use 🙂. Simple Google Tag Manager (GTM) or Universal Google Analytics plugin. After added Google Analytics ID – select where show your code in Head or Footer section. Active installations: 600+
- Cooked – Recipe Plugin – Unauthenticated Reflected Cross-Site Scripting (XSS)
- Cooked is the absolute best way to create & display recipes with WordPress. SEO optimized (rich snippets), galleries, cooking timers, printable recipes and much more. Check out the full list below. Active installations: 8,000+
- Cookie Notice & Consent Banner for GDPR & CCPA Compliance – Authenticated Stored XSS
- Install a Cookie Notice or Consent Banner as Required by Privacy Laws (GDPR & CCPA). Easily Customizable to Fit Your Design. Active installations: 1,000+
- Site Reviews – Authenticated Stored XSS
- Site Reviews allows your visitors to submit reviews with a 1-5 star rating on your website, similar to the way you would on TripAdvisor or Yelp. The plugin provides blocks, shortcodes, and widgets, along with full documentation. Active installations: 30,000+
- WPFront Notification Bar – Authenticated Stored XSS
- Want to display a notification about a promotion or a news? WPFront Notification Bar plugin lets you do that easily. Active installations: 60,000+
- Stop Spammers Security | Block Spam Users, Comments, Forms – Authenticated Stored XSS
- Stop spam emails, spam comments, spam registration, and spam bots and spammers in general. Run diagnostic tests, view activity, and much more with this well-maintained, mature plugin. Active installations: 60,000+
- Daily Prayer Time – Authenticated Stored XSS
- Alhamdulillah that you can display Yearly and Monthly prayer time with ajax month selector using shortcode [timetable] Daily prayer time can be displayed vertically or horizontally in your preferable widget area. Designed for any Mosque or Islamic institutes. Active installations: 1,000+
- Picture Gallery – Frontend Image Uploads, AJAX Photo List – Authenticated Stored XSS
- Picture Gallery plugin enables users to upload and share pictures from frontend or backend. Generates thumbs, adds pictures and thumbs to WordPress Media Library and integrate galleries for custom posts. Active installations: 500+
- WP Courses LMS – Reflected Cross-Site Scripting
- WP Courses LMS – Authenticated Stored XSS via Video Embed Code
- WP Courses is a full-featured, free learning management system ( LMS ) that makes creating courses on your WordPress site easier than ever with an intuitive interface, drag-and-drop tools, video tutorials and more. Active installations: 1,000+
- WordPress Slider Block Gutenslider – Contributor+ Stored XSS
- Gutenslider is an image slider and video slider plugin for WordPress that adds a simple to use Gutenberg slider block to your WordPress editor. You do not need
other editors but can manage everything directly in the Gutenberg editor you already know and love. You can add any content on top that you want! Gutenslider is faster and slicker than any other slider around. Go and try it out yourself and make use of a content slider, image slider and video slider that will increase user engagement on your website and allow you to create your sliders in seconds not in minutes, by using the Gutenberg backend editor you know already. No need to study complicated backend editors. Gutenslider is the best match for you and your customers. Active installations: 10,000+
- Gutenslider is an image slider and video slider plugin for WordPress that adds a simple to use Gutenberg slider block to your WordPress editor. You do not need
- WP Fusion Lite – Marketing Automation for WordPress – CSRF to Data Deletion
- WP Fusion Lite – Marketing Automation for WordPress – Reflected Cross-Site Scripting (XSS)
- WP Fusion Lite synchronizes your WordPress users with leading CRMs and marketing automation systems, keeps user profiles in sync with CRM contact records, and lets you protect site content based on CRM tags. Active installations: 3,000+
- SP Project & Document Manager – Authenticated Shell Upload
- SP Project & Document Manager – Reflected Cross-Site Scripting
- Project & Document management plugin, Remote file sharing, maintain and control unlimited number of documents, records, files, media, videos and images. You can create unlimited folders and sub folders to share, organize, manage client, student & supplier documents and accounts, control individual documents, and select specific file sharing of documents all in an easy to manage online process. Active installations: 3,000+
- 博客社交分享组件 – Subscriber+ Stored Cross-Site Scripting
- 博客社交分享组件是一款整合了网站打赏,文章点赞,微海报及文章社交分享功能插件。插件为读者提供点赞、微海报和社交分享功能,激励网站访客互动,提升WordPress博客文章传播;同时方便访客通过二维码打赏(捐赠)站长以鼓励站长继续创作贡献。 Active installations: 1,000+
- Jock on air now – Authenticated Stored Cross-Site Scripting
- Jock on air now – Reflected Cross-Site Scripting
- Jock on air now – Arbitrary Plugin’s Settings Update via CSRF
- Joan is a WordPress plugin that lets site admins easily manage and display a rotating programming schedule for radio or TV. Jock on air now (JOAN) displays the name of the current show and upcoming show with current time. If nothing is scheduled, it displays a custom message of your choice. Active installations: 1,000+
- Email Artillery – Multiple Authenticated SQL Injections
- Email Artillery – Multiple Reflected Cross-Site Scripting
- Email Artillery – CSRF to Stored XSS
- Email Artillery – Arbitrary File Upload
- This plugin has been closed as of June 28, 2022 and is not available for download. Reason: Security Issue.
- WooCommerce – Authenticated Blind SQL Injection
- WooCommerce is the world’s most popular open-source eCommerce solution. Our core platform is free, flexible, and amplified by a global community. The freedom of open-source means you retain full ownership of your store’s content and data forever. Active installations: 5+ million
- WooCommerce Blocks – Unauthenticated SQL Injection
- WooCommerce Blocks are the easiest, most flexible way to display your products on posts and pages! Active installations: 200,000+
- Membership & Content Restriction – Paid Member Subscriptions – Reflected Cross-Site Scripting (XSS)
- Membership & Content Restriction – Paid Member Subscriptions – Authenticated SQL Injection
- Paid Member Subscriptions is a robust WordPress membership plugin that’s a joy to setup and use. It offers a complete membership solution, allowing you to accept member payments, manage members, create subscription plans and restrict access to premium content. Active installations: 10,000+
- BuddyPress – Activation Key Disclosure
- BuddyPress – SQL Injections
- Are you looking for modern, robust, and sophisticated social network software? BuddyPress is a suite of components that are common to a typical social network, and allows for great add-on features through WordPress’s extensive plugin system. Active installations: 200,000+
- Listing, Classified Ads & Business Directory – uListing – Unauthenticated SQL Injection
- Listing, Classified Ads & Business Directory – uListing – Authenticated IDOR
- Listing, Classified Ads & Business Directory – uListing – Authenticated Reflected XSS
- Listing, Classified Ads & Business Directory – uListing – Multiple CSRF
- Listing, Classified Ads & Business Directory – uListing – Modify User Roles via CSRF
- Listing, Classified Ads & Business Directory – uListing – Settings Update via CSRF
- Listing, Classified Ads & Business Directory – uListing – Unauthenticated Privilege Escalation
- Developing listing and classified ads websites is a lucrative business opportunity, but in the past, it could be complicated to set up and maintain such a site. Doing it through WordPress previously meant investing quite a bit of money on a multitude of plugins that could be difficult to understand and to run together. Active installations: 3,000+
- Album and Image Gallery with Lightbox – Flagallery Photo Portfolio – Full Path Disclosure
- Album and Image Gallery with Lightbox – Flagallery Photo Portfolio – Reflected Cross-Site Scripting
- Album and Image Gallery with Lightbox – Flagallery Photo Portfolio – lib/hitcounter.php pid Parameter SQL Injection
- Album and Image Gallery with Lightbox – Flagallery Photo Portfolio – Reflected Cross-Site Scripting via wp-admin/admin.php skin parameter
- Album and Image Gallery with Lightbox – Flagallery Photo Portfolio – Multiple Vulnerabilities
- Gallery Grand Flagallery – powerfull media and image gallery plugin. Easy interface for handling photos and image galleries. You can create a beautiful video gallery from YouTube, Vimeo. Active installations: 10,000+
Get Healthy, Stay Healthy! A healthier online business starts today and it begins with you. Hire security experts to solve all your vulnerabilities created from Pharma Hacks AUG 2021.
BRIEF: Pharma Hacks AUG 2021 is an SEO spam attack type, where a legitimate website is used to sell illicit drugs. In this type of attack, hackers hijack websites, injects malware and uses that specific domain to sell illicit drugs like Viagra, Cialis, Levitra. This is where it started and got its name. Today, not just potency drugs are a drive. Anything that created interest from humans, but their local legislation failed to keep up with the latest trends are in this category. Consider this as a modern inquisition, where your domain is the heretic, spreading undesired ideology – sadly unknowingly.
Pharma Hacks Explained
The Pharma Hacks AUG 2021 exploits are used to insert rogue code in outdated versions of WordPress, themes and plugins. This new content inside existing pages and post are causing search engines to return ads for pharmaceutical products after a new indexation. The vulnerability is more of a spam menace than traditional malware but gives search engines enough reason to block the domain for distributing spam (NOT creating, JUST maintaining, harbouring, spreading).
Working parts of a Pharma Hacks AUG 2021 include a backdoor in plugins, themes and databases. However, the exploits are often vicious variants of encrypted malicious injections hidden in databases and require a thorough clean-up process to fix the vulnerability. Nevertheless, you can easily prevent Pharma Hacks by regularly updating your WordPress installations, themes, and plugins.
What is the impact of Pharma Hacks AUG 2021?
The consequences of a hack are ugly. You will experience some major backlash on your WordPress domain such as:
– A marked drop in search engine rankings for the keywords you’re targeting;
– High bounce rates as visitors are redirected to different websites;
– Wasted SEO efforts in the future;
– SERP blacklist warnings on your website like:
— This site may be hacked
— Deceptive site ahead etc;
— Hosting account suspensions;
— Email providers blacklisting your domain;
— High cleanup, recovery, damage control costs;
— Major decline in your brand’s image, reputation.
What is Denial of Service (DoS)?
Perhaps the most dangerous of them all, Denial of Service (DoS) is used to overwhelm a specific domain’s hosting resources (memory, CPU, bandwidth, etc). Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.
Hackers have compromised millions of websites and raked in millions by exploiting outdated and buggy versions of WordPress, themes, plugins and 3rd party connected software. Even the latest versions of WordPress software cannot comprehensively defend against high-profile DoS attacks, but will at least help you to avoid getting caught in the crossfire between financial institutions and sophisticated cybercriminals.
What is Distributed Denial of Service (DDoS)?
A distributed denial-of-service (DDoS) attack is one of the most powerful weapons on the internet. When you hear about a website being “brought down by hackers”, it generally means it has become a victim of a DDoS attack. In short, this means that hackers made that domain unavailable by flooding or crashing the website with too much traffic.
Although financially motivated cybercriminals are less likely to target small companies, they tend to compromise outdated vulnerable websites in creating botnet chains to attack large businesses. The primary way a DDoS is accomplished is through a network of remotely controlled, hacked domains. This is where small businesses come to the crossfire. These are often referred to as zombies, botnets or network of bots. These are used to flood a high profile target.
What is the impact of DoS/DDoS?
Starts with a slow website, with vital parts not working accordingly (checkout, orders/account registration, processing, dispatching). It peaks for a real visitor as page not available. When the entire server crashed, then the domain is unavailable. END GAME.
This is a costly thing to defend in a cloud environment, due to creating more and more servers to serve traffic spike, it burns your hosting budget for an entire year in a few hours. In classical hosting environments, using a single physical machine to host the domain is simply incapable of facing even the most simple, smallest DoS or DDoS attacks.
SOLVE TODAY any reported Pharma Hacks AUG 2021 vulnerability! Do you suspect security / seo circumvention in your WP?
