Yesterday, we had a series of strange hacking attempts launched against our website. Here, for example, was one attempt that was logged by our systems:

118.179.26.34 8 /wp-admin/admin-ajax.php Array
(
[action] => wp_ajax_some_action
[sql] => 1 UNION SELECT user, password FROM wp_users
)

That would be an attempt to exploit a SQL injection vulnerability through an AJAX accessible function in a WordPress plugin or theme with the action to access it being “wp_ajax_some_action.” That action name is odd. We couldn’t find any reference to it on the internet or in plugins in the WordPress plugin directory. “wp_ajax” normally isn’t in the name of the action, but in the registration of the action.

Another attempt, which was blocked by our Plugin Vulnerabilities Firewall, involved an attempt to try to upload a file with PHP code in it:

The formatting of the request is broken, though.

That is also an attempt to access an AJAX accessible function. This time it would be accessed through the action “qsm_upload_file.” That seems like legitimate name for an action. But we also couldn’t find any reference to it on the internet or in plugins in the WordPress plugin directory.

We thought we would see if AI could shed any light on that. We asked Microsoft Copilot, “What WordPress plugin vulnerability does qsm_upload_file relate to?” The answer we got was:

The qsm_upload_file function is associated with a vulnerability in the Quiz and Survey Master (QSM) plugin for WordPress. Specifically, versions up to and including 7.0.1 were vulnerable to arbitrary file uploads due to missing filename sanitization in the qsm_upload_image_fd_question() function. This flaw allowed unauthenticated attackers to upload arbitrary files using a double extension attack, potentially leading to remote code execution on affected sites.

The vulnerability was an incomplete fix of a previous issue (CVE-2020-35949) and was rated 9.8 (Critical) on the CVSS scale. A patch was released in version 7.0.2, so updating to this version or later is strongly recommended.

If you’re using this plugin, I’d suggest checking your version and updating immediately. Need help securing your site?

While the AI response suggests “qsm_upload_file” is related to a vulnerability, it isn’t. Version 7.0.1 of the plugin mentioned doesn’t contain any mention of it and the relevant AJAX action to the vulnerability is “qsm_upload_image_fd_question:”

51
52

add_action('wp_ajax_qsm_upload_image_fd_question', array($this, 'qsm_upload_image_fd_question'));
add_action('wp_ajax_nopriv_qsm_upload_image_fd_question', array($this, 'qsm_upload_image_fd_question'));

One explanation for what is going on here is that the hacker behind those hacking attempts is relying on an AI Chatbot to generate exploitation attempts. Those Chatbots are known to make things up that appear vaguely real, which sometimes get referred to them  as “hallucinating.”

Have you had your own experience with strange hacking attempts like this? Please leave a comment below.