Pharma Hacks JUL 2021
WP Security Exploits for SEO/DDoS
Be informed about the latest WP Security Exploits for SEO gains and DoS/DDoS remote controls, identified and reported publicly. With Pharma Hacks JUL 2021 the consequences of a hack are ugly. You will experience major backlash on your WordPress domain: costly damage control and recovery, and immediate revenue loss with long-term consequences. Consider our FREE security AUDIT.
An estimated 1,097,000+ active WordPress installations are susceptible to these attack types, counting only the publicly available numbers. The estimate could double if plugins already closed due to security concerns are included.
This is a whopping 162% increase compared to December 2020. We compare last month against the previous winter holiday season, which carries the biggest shopping traffic and the largest attack spike of the year. Read more about our previous reports here: 8 Pharma Hacks JUN 2021 – WP Security Exploits for SEO/DDoS and 8 Pharma Hacks JAN 2021 – WP Security Exploits for SEO/DDoS. The following cases made headlines PUBLICLY just last month in the Pharma Hacks JUL 2021 category:
- Photo Gallery – Stored XSS via Uploaded SVG in Zip
- Photo Gallery – Stored Cross-Site Scripting via Uploaded SVG
- Photo Gallery – File Upload Path Traversal
- Photo Gallery is the leading plugin for building beautiful mobile-friendly galleries in a few minutes. Active installations: 300,000+
- Workreap – Freelance Marketplace and Directory WordPress Theme – Missing Authorization Checks in Ajax Actions
- Workreap – Freelance Marketplace and Directory WordPress Theme – Multiple CSRF + IDOR Vulnerabilities
- Workreap – Freelance Marketplace and Directory WordPress Theme – Unauthenticated Upload Leading to RCE
- Workreap is a Freelance Marketplace WordPress theme with some exciting features and excellent code quality. It has been designed and developed after thorough research to cater to the requirements of people interested in building a freelance marketplace or other similar projects. The design is contemporary but at the same time it focuses on usability, visual hierarchy and aesthetics to ensure easy navigation for the end users.
- ProfilePress – Authenticated Stored XSS
- ProfilePress – Unauthenticated Privilege Escalation
- ProfilePress – Arbitrary File Upload in Image Uploader Component
- ProfilePress – Unauthenticated Cross-Site Scripting
- ProfilePress (formerly WP User Avatar) is a lightweight membership plugin that lets you create beautiful user profiles, member directories and frontend user registration form, login form, password reset and editing profile information. It also allows you to protect sensitive content and control user access. Active installations: 400,000+
- Speed Booster Pack – Authenticated RCE
- WordPress is, hands down, the most popular content management system in the world. But like all giants, WordPress gets bigger and bigger with every release, and it needs you to keep it healthy and fast. Otherwise, your website can get slower, and nobody likes slow websites. NOBODY. Not only do your visitors hate a slow website, but search engines (especially Google) penalize you and drop your search engine rankings. Active installations: 40,000+
- Profile Builder – Authenticated Stored XSS
- Profile Builder – Admin Access via Password Reset Bug
- Easy to use user profile plugin for creating front-end login, user registration and edit profile forms by using shortcodes. Active installations: 60,000+
- User Profile Picture – Arbitrary User Picture Change/Deletion via IDOR
- Set or remove a custom profile image for a user using the standard WordPress media upload tool. Active installations: 60,000+
- RSVPMaker – Authenticated SSRF
- RSVPMaker is an event scheduling and RSVP tracking plugin for WordPress. Active installations: 600+
- Woocommerce Tabs Plugin, Add Custom Product Tabs – Arbitrary Tab Deletion/Edition via CSRF
- This plugin has been closed as of June 22, 2018 and is not available for download. This closure is permanent. Reason: Author Request.
- SEO Wizard – Unauthorized robots.txt & .htaccess Edit via CSRF
- This plugin has been closed and is no longer available for download.
- CRM: Contact Management Simplified – UkuuPeople – Unauthorized Favourite Addition/Deletion
- This plugin has been closed as of March 24, 2021 and is not available for download. Reason: Security Issue.
- Haxcan – Arbitrary File Access
- This plugin has been closed as of May 24, 2021 and is not available for download. Reason: Security Issue.
- WPCS – Arbitrary Plugin’s Settings Change via CSRF
- WordPress Currency Switcher (WPCS) is a WordPress currency plugin that allows your site visitors to switch the currency of prices in your site content according to the currency rates you set, in real time! Active installations: 1,000+
- Advanced Menu Manager – Unauthorised Menu Creation/Deletion
- Advanced Menu Manager – Unauthorised Menu Edition via CSRF
- This plugin has been closed as of June 8, 2021 and is not available for download. This closure is temporary, pending a full review.
- Frontend File Manager – Privilege Escalation
- Frontend File Manager – Unauthenticated Content Injection and Stored XSS
- Frontend File Manager – Authenticated Arbitrary Settings Change to Arbitrary File Upload
- Frontend File Manager – Unauthenticated Arbitrary Post Deletion
- Frontend File Manager – Unauthenticated Post Meta Change to Arbitrary File Download
- Frontend File Manager – Unauthenticated HTML Injection
- This plugin lets WordPress site users upload files for the admin. Each file is saved in a private directory, so each user can download or delete their own files after login. Active installations: 2,000+
- WordPress Popular Posts – Authenticated Code Injection
- WordPress Popular Posts is a highly customizable widget that displays your most popular posts. Active installations: 200,000+
- Shantz WordPress QOTD – Arbitrary Setting Update via CSRF
- This plugin has been closed as of June 4, 2021 and is not available for download. Reason: Security Issue.
- RestroPress – Unauthorised AJAX Calls
- RestroPress – Cart Manipulation via CSRF
- RestroPress is an Online Food Ordering system for WordPress. It is a standalone WordPress plugin which allows you to easily add Food Ordering System to your WordPress Website. Using RestroPress you can easily receive both PickUp/Takeaway and Delivery orders. Active installations: 3,000+
- HM Multiple Roles – Arbitrary Role Change
- This HM Multiple Roles plugin provides a user interface and allows you to select multiple roles for a user. It hides the default role dropdown list and displays a list of role checkboxes for both new user and update user page. Multiple roles can be visible from the All User list page. Active installations: 400+
- WooCommerce Currency Switcher – Authenticated (Low Privilege) Local File Inclusion
- WOOCS – WooCommerce Currency Switcher is a multi-currency switcher plugin for WooCommerce that allows your site visitors to switch product price currencies according to the currency rates you set, in real time, and to pay in the selected currency (optionally). WOOCS is a multi-currency plugin that allows you to add any currency to a WooCommerce store. An ideal solution for running a serious WooCommerce store in multiple currencies! Active installations: 60,000+
- WPGraphQL – Denial of Service
- WPGraphQL is a free, open-source WordPress plugin that provides an extendable GraphQL schema and API for any WordPress site. Active installations: 10,000+
- AceIDE – Authenticated (admin+) Arbitrary File Access
- This plugin has been closed as of June 1, 2021 and is not available for download. Reason: Security Issue.
BRIEF: Pharma Hacks JUL 2021 is an SEO spam attack type in which a legitimate website is used to sell illicit drugs. In this type of attack, hackers hijack websites, inject malware and use that specific domain to sell illicit drugs like Viagra, Cialis and Levitra. This is where it started and how it got its name. Today it is not only potency drugs that drive it: anything people are interested in but that their local legislation has failed to keep up with falls into this category. Consider it a modern inquisition, where your domain is the heretic spreading undesired ideology – sadly, unknowingly.
Pharma Hacks Explained
The Pharma Hacks JUL 2021 exploits are used to insert rogue code into outdated versions of WordPress, themes and plugins. This new content inside existing pages and posts causes search engines to return ads for pharmaceutical products after the next indexation. The vulnerability is more of a spam menace than traditional malware, but it gives search engines enough reason to block the domain for distributing spam (NOT creating it, JUST maintaining, harbouring and spreading it).
Working parts of a Pharma Hacks JUL 2021 include a backdoor in plugins, themes and databases. However, the exploits are often vicious variants of encrypted malicious injections hidden in databases and require a thorough clean-up process to fix the vulnerability. Nevertheless, you can easily prevent Pharma Hacks by regularly updating your WordPress installations, themes, and plugins.
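The two tell-tale signs described above, pharma keywords hidden inside otherwise legitimate post content and obfuscated `eval(base64_decode(...))` injections in theme files, can be checked for directly. The following is an added example, not code from the original page: it scans constructed sample `post_content` rows and a constructed theme file; the sample data, the keyword list and the cloaking patterns are assumptions chosen for illustration and the heuristics are deliberately narrow.

```python
import base64
import re

# Constructed sample rows in the shape of wp_posts.post_content (not from any real site).
SAMPLE_POSTS = {
    1: "<p>Our summer sale is live. See the new catalogue.</p>",
    2: '<p>Welcome to our blog.</p><div style="display:none">buy viagra cialis online cheap levitra</div>',
    3: '<p>Event schedule</p><a href="https://pharma.example/x" style="position:absolute;left:-9999px">cialis</a>',
}

# Constructed theme footer containing an obfuscated injection (payload is harmless text).
SAMPLE_THEME_FILE = ("<?php\n// constructed example of an injected footer\n"
                     "eval(base64_decode('" + base64.b64encode(b"echo 'buy viagra';").decode() + "'));\n")

PHARMA_TERMS = re.compile(r"\b(viagra|cialis|levitra)\b", re.I)
# Styles that keep text out of a visitor's view while search engines still index it.
HIDDEN_STYLE = re.compile(r'style="[^"]*(display\s*:\s*none|left\s*:\s*-\d{3,}px|visibility\s*:\s*hidden)', re.I)
OBFUSCATION = re.compile(r"eval\s*\(\s*(base64_decode|gzinflate|str_rot13)\s*\(", re.I)
B64_ARG = re.compile(r"base64_decode\(\s*['\"]([A-Za-z0-9+/=]+)['\"]")

def scan_post(post_id, html):
    """Flag elements that are hidden via inline style AND contain pharma keywords."""
    findings = []
    for m in re.finditer(r"<(\w+)([^>]*)>(.*?)</\1>", html, re.S | re.I):
        attrs, inner = m.group(2), m.group(3)
        if HIDDEN_STYLE.search(attrs) and PHARMA_TERMS.search(inner):
            findings.append((post_id, "hidden_pharma_text", inner.strip()[:60]))
    return findings

def scan_php(path, source):
    """Flag eval-of-decoded-string constructs and decode base64 arguments to see what they run."""
    findings = [(path, "obfuscated_eval", m.group(0)) for m in OBFUSCATION.finditer(source)]
    for m in B64_ARG.finditer(source):
        try:
            decoded = base64.b64decode(m.group(1)).decode("utf-8", "replace")
        except ValueError:
            continue  # not valid base64; leave it to manual review
        if PHARMA_TERMS.search(decoded):
            findings.append((path, "decoded_pharma_payload", decoded[:60]))
    return findings

def scan_all():
    findings = []
    for post_id, html in SAMPLE_POSTS.items():
        findings.extend(scan_post(post_id, html))
    findings.extend(scan_php("wp-content/themes/example/footer.php", SAMPLE_THEME_FILE))
    return findings

if __name__ == "__main__":
    for f in scan_all():
        print(f)
```

In a real clean-up the same functions would be run over a database export and over every `.php` file under `wp-content`, and any hit is a reason to restore the affected row or file from a known-good backup rather than to edit it in place.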
What is the impact of Pharma Hacks JUL 2021?
The consequences of a hack are ugly. You will experience some major backlash on your WordPress domain such as:
– A marked drop in search engine rankings for the keywords you’re targeting;
– High bounce rates as visitors are redirected to different websites;
– Wasted SEO efforts in the future;
– SERP blacklist warnings on your website like:
— This site may be hacked
— Deceptive site ahead etc;
– Hosting account suspensions;
– Email providers blacklisting your domain;
– High cleanup, recovery, damage control costs;
– Major decline in your brand’s image, reputation.
What is Denial of Service (DoS)?
Perhaps the most dangerous of them all, Denial of Service (DoS) is used to overwhelm a specific domain’s hosting resources (memory, CPU, bandwidth, etc). Denial of service is typically accomplished by flooding the targeted machine or resource with superfluous requests in an attempt to overload systems and prevent some or all legitimate requests from being fulfilled.
Hackers have compromised millions of websites and raked in millions by exploiting outdated and buggy versions of WordPress, themes, plugins and third-party connected software. Even the latest versions of WordPress software cannot comprehensively defend against high-profile DoS attacks, but they will at least help you avoid getting caught in the crossfire between financial institutions and sophisticated cybercriminals.
What is Distributed Denial of Service (DDoS)?
A distributed denial-of-service (DDoS) attack is one of the most powerful weapons on the internet. When you hear about a website being “brought down by hackers”, it generally means it has become a victim of a DDoS attack. In short, this means that hackers made that domain unavailable by flooding or crashing the website with too much traffic.
Although financially motivated cybercriminals are less likely to target small companies directly, they tend to compromise outdated, vulnerable websites to build botnet chains for attacking large businesses. The primary way a DDoS is accomplished is through a network of remotely controlled, hacked domains. This is where small businesses come into the crossfire. These networks are often referred to as zombies, botnets or networks of bots, and they are used to flood a high-profile target.
What is the impact of DoS/DDoS?
It starts with a slow website, with vital parts not working properly (checkout, orders/account registration, processing, dispatching). For a real visitor it peaks as "page not available". When the entire server crashes, the domain is unavailable. END GAME.
This is a costly thing to defend against in a cloud environment: creating more and more servers to absorb the traffic spike can burn your hosting budget for an entire year in a few hours. In classical hosting environments, a single physical machine hosting the domain is simply incapable of facing even the simplest, smallest DoS or DDoS attack.