One of the things we do provide the best data on vulnerabilities in WordPress plugins for our customers is monitoring our websites for hacking attempts against plugins. At first that allowed us to add additional old vulnerabilities that we didn’t yet have in data set and then starting in May that allowed us to find numerous zero-day vulnerabilities, vulnerabilities that existed in the current versions of plugins that the developers were not aware of.
In doing that monitoring we have also noticed some odd things about the choice of vulnerabilities that hackers are targeting. One, is that we have seen hackers targeting vulnerabilities that don’t exist. With just a little testing the could have seen that the vulnerabilities doesn’t exist. So it doesn’t seem to make sense when some of the hacking campaigns against those seem to fairly broad, that the hacker didn’t test things out first. For everybody else this is a good thing, since hackers are wasting resources on hacking attempts that will never be successful.
Another odd thing we have noticed is the choice of vulnerabilities that hackers target. We have noticed that hackers seem to target certain vulnerabilities repeatedly, while rarely targeting other vulnerabilities that based on what they are targeting would be expected to be targeted as often. Take for instance the plugin Vertical Slideshow, which is a plugin that as of earlier this year only 100+ active installs according to wordpress.org. Back in June we noticed a hacker probing for usage of the plugin and discovered that it had an arbitrary file upload vulnerability. Arbitrary file upload vulnerabilities are almost guaranteed to be exploited, but with a plugin with under 200 installs you wouldn’t expect to see much interest from hackers since you have a small chance of it running on websites (if you do a broad targeting of your exploit attempts) and for the few websites that are vulnerable there is good chance that someone already exploited it. And yet, recently we have seen a number of probes for usage of the plugin. At the same time we have also seen quite a bit of search traffic to our post about the vulnerability.
What makes this seems even odder was the fact that we had discovered 13 other plugins from the same developer that contained the same vulnerability and we haven’t seen any hacking attempts against most of those.
The continued outsized search traffic lead to do some searching to see if we could find what might be the cause of that. That lead us to a number of YouTube videos and to a plausible explanation as to why some of this odd targeting is occurring.
What we found was that there were multiple YouTube videos showing the exploitation of the Vertical Slideshow gallery that were released in the last month. While a couple of them were titled with an indication of what was actually being exploited, WordPress Exploit – Vertical SlideShow Plugin and WordPress Arbitrary File Upload Vulnerability in Vertical SlideShow [ Shell Upload ], two others had names that would seem to indicate they were for exploiting WordPress itself, Exploit WordPress Arbitrary File Upload [ Upload Shell ] and WordPress Arbitrary File Upload Vulnerability. That is pretty big distinction, considering that WordPress runs on millions of website versus the plugin’s under 200 websites.
That kind of thing could cause hackers that are not really familiar with WordPress to focus on exploiting vulnerabilities that wouldn’t make much sense for someone more familiar with the WordPress ecosystem. Giving this further credence was what we found when doing a search on YouTube for “WordPress Exploit”:
Not only do multiple videos show up involving the exploitation of the vulnerability Vertical SlideShow, but the other videos seem to closely match with other vulnerabilities we see receiving an unusually high amount of interest from hackers, including the other vulnerability that we discovered that recently has been receiving such interest.