Hackers Have Been Probing For Usage of the Kiwi Social Share WordPress Plugin for a Couple of Weeks
Back on the 12th we fully disclosed an option update vulnerability in the plugin Kiwi Social Share, and said this at the beginning of that post:
Due to the moderators of the WordPress Support Forum’s continued inappropriate behavior we are fully disclosing vulnerabilities in protest until WordPress gets that situation cleaned up, unfortunately so far that hasn’t happened. Instead they have continued apace doing downright strange stuff, like deleting people just saying thank you, and inappropriate stuff, like continuing to violate their own guidelines to promote certain security companies to clean up hacked websites (and lying in the process since the companies they promote as “reputable” are anything but, as one of them lies all the time and the other doesn’t even attempt to properly clean up hacked websites). Now comes the time when their refusal to clean up their act is likely to have a huge consequence.
Last week an option update vulnerability in the plugin WP GDPR Compliance was widely exploited after it was fixed. After that happened, we ran some related checks over the 1,000 most popular WordPress plugins while looking into improving our automated tool for detecting possible security issues in plugins, the Plugin Security Checker, and we found that the plugin Kiwi Social Share has the same type of vulnerability.
Earlier today we had a couple of requests on this website that look like they came from a hacker probing for usage of the plugin, as they twice made requests for a file from the plugin, /wp-content/plugins/kiwi-social-share/assets/js/kiwi.min.js. The hacker also requested files to check usage of WP GDPR Compliance, /wp-content/plugins/wp-gdpr-compliance/assets/js/admin.js, and Ultimate Member, /wp-content/plugins/ultimate-member/assets/js/um-scripts.js. The check for Ultimate Member would likely be related to trying to exploit a vulnerability fixed back in August.
In checking abuseipdb.com for other similar hacker probing, we found that an IP address used for malicious activity had probed for a different file from the plugin back on November 15th.
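As an added example that is not from the original post, this is the kind of detection logic a site owner could run over web server access logs to spot the plugin-usage probing described above. It assumes the Apache/nginx combined log format, uses the three file paths named in the post, and treats a request for a plugin's static file with no Referer as a probe (a heuristic assumed here); the sample log lines are constructed.

```python
import re
from collections import defaultdict

# Static plugin files requested by the probes described in the post, mapped to the plugin they reveal.
PROBE_PATHS = {
    "/wp-content/plugins/kiwi-social-share/assets/js/kiwi.min.js": "Kiwi Social Share",
    "/wp-content/plugins/wp-gdpr-compliance/assets/js/admin.js": "WP GDPR Compliance",
    "/wp-content/plugins/ultimate-member/assets/js/um-scripts.js": "Ultimate Member",
}

# Assumes the Apache/nginx "combined" access log format.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"')

def parse_line(line):
    # Parse one combined-format line; return None for lines that do not match.
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["path"] = rec["path"].split("?", 1)[0]  # ignore query strings such as ?ver=1.4.2
    rec["status"] = int(rec["status"])
    return rec

def find_probes(lines):
    """Return {ip: {plugin: installed}} for bare requests to plugin fingerprint files.
    A browser loading a page sends that page as Referer; a request with no Referer for a
    plugin's static file is the probing pattern from the post (heuristic assumed here).
    A 200 tells the prober the plugin is installed; a 404 tells them it is not."""
    result = defaultdict(dict)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["referer"] != "-":
            continue
        plugin = PROBE_PATHS.get(rec["path"])
        if plugin is not None:
            installed = rec["status"] == 200
            result[rec["ip"]][plugin] = result[rec["ip"]].get(plugin, False) or installed
    return dict(result)

# Constructed sample log lines (documentation-range IP addresses, not real probes).
SAMPLE_LOG = [
    '203.0.113.7 - - [20/Nov/2018:10:01:02 +0000] "GET /wp-content/plugins/kiwi-social-share/assets/js/kiwi.min.js HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Nov/2018:10:01:03 +0000] "GET /wp-content/plugins/kiwi-social-share/assets/js/kiwi.min.js HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Nov/2018:10:01:04 +0000] "GET /wp-content/plugins/wp-gdpr-compliance/assets/js/admin.js HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [20/Nov/2018:10:01:05 +0000] "GET /wp-content/plugins/ultimate-member/assets/js/um-scripts.js HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    # A real visitor loading the same file as part of a page, so Referer is set: not a probe.
    '198.51.100.9 - - [20/Nov/2018:10:05:00 +0000] "GET /wp-content/plugins/wp-gdpr-compliance/assets/js/admin.js?ver=1.4.2 HTTP/1.1" 200 5120 "https://example.com/" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(find_probes(SAMPLE_LOG))  # {'203.0.113.7': {'Kiwi Social Share': False, 'WP GDPR Compliance': True, 'Ultimate Member': False}}
```

A 200 result here means the site is telling the prober the plugin is present, so the relevant plugin should be checked for the fix rather than relying on blocking the probing IP.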
We would say this would make people on the WordPress side of things reconsider their actions, but it seems like they may want WordPress websites to get hacked.
We’ve had a continuous stream of attacks/probes trying to access wp-content/plugins/kiwi-social-share/assets/js/kiwi.min.js on a site which is still in build. Our security plugin is set to block IPs that display this sort of random behaviour, as they are not up to any good.
Requests for a JavaScript file would not be an attack, just probing for usage of something, since JavaScript files don’t run code on the server.
We have yet to see any WordPress security plugin that provides evidence that it is effective, and blocking IP addresses is just the sort of thing they do to make it appear like they are doing something while not necessarily being effective, since in looking at logging from real hacks we have seen hackers that switch IP addresses as often as each request. By comparison we discovered and warned our customers about this vulnerability before it was ever exploited, which is real protection.