24 Oct 2019

Hackers May Already be Targeting this Authenticated Persistent XSS Vulnerability in a WordPress Plugin with 200,000+ Installs

As part of the monitoring we do to provide customers of our service with the best possible data on vulnerabilities in the WordPress plugins they may be using, we watch for what look to be hackers probing for usage of plugins, so that we can quickly warn our customers of unfixed vulnerabilities that hackers are likely targeting. A month ago that monitoring showed an apparent ongoing hacker campaign exploiting previously undisclosed vulnerabilities in nine plugins. It looks like that has started up again, with the plugin Astra Starter Sites being one of the new plugins. Yesterday there was probing on our website for that plugin, requesting these files:

  • /wp-content/plugins/astra-sites/inc/assets/js/admin-page.js
  • /wp-content/plugins/astra-sites/inc/assets/css/admin.css
  • /wp-content/plugins/astra-sites/readme.txt
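The three paths above are what a site owner can look for in their own web server logs to see whether the same scanning has reached them. The following is an added example, not code from the original post: it parses Apache/nginx combined-format access log lines (the format is an assumption), groups requests for those paths by client IP, and flags clients that walked more than one of the plugin's files, which separates a deliberate fingerprinting pass from a stray crawler hitting `readme.txt`. The log lines and IP addresses are constructed for the example.

```python
"""
Detect reconnaissance for the Astra Starter Sites plugin in web server access
logs. Added example, not code from the original post; the log lines below are
constructed, and the regex assumes the common Apache/nginx "combined" format.
"""
import re
from collections import defaultdict

# Files the post reports being requested during probing. A request for any of
# them from a site that does not have the plugin installed is a strong signal
# that a scanner is enumerating plugins.
PROBE_PATHS = {
    "/wp-content/plugins/astra-sites/inc/assets/js/admin-page.js",
    "/wp-content/plugins/astra-sites/inc/assets/css/admin.css",
    "/wp-content/plugins/astra-sites/readme.txt",
}

# Apache/nginx "combined" log format (assumption about the log layout).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Return the fields of one combined-format log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_probes(lines):
    """Group requests for the known probe paths by client IP.

    Returns {ip: [(path, status), ...]} for every client that requested at
    least one of the paths. The query string is stripped before comparison so
    that cache-busting parameters do not hide the probe.
    """
    hits = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line: skip rather than abort the whole scan
        path = rec["path"].split("?", 1)[0]
        if path in PROBE_PATHS:
            hits[rec["ip"]].append((path, int(rec["status"])))
    return dict(hits)


def suspicious_clients(lines, min_paths=2):
    """Clients that requested at least `min_paths` distinct probe paths.

    A single 404 for readme.txt can be a stray crawler; a client walking
    several of the plugin's files in sequence is fingerprinting the install.
    """
    hits = find_probes(lines)
    return sorted(ip for ip, reqs in hits.items()
                  if len({p for p, _ in reqs}) >= min_paths)


# Constructed sample log lines (IPs are from documentation ranges, not real clients).
SAMPLE_LOG = [
    '203.0.113.5 - - [23/Oct/2019:10:14:01 +0000] "GET /wp-content/plugins/astra-sites/inc/assets/js/admin-page.js HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [23/Oct/2019:10:14:01 +0000] "GET /wp-content/plugins/astra-sites/inc/assets/css/admin.css HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [23/Oct/2019:10:14:02 +0000] "GET /wp-content/plugins/astra-sites/readme.txt?x=1 HTTP/1.1" 404 209 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [23/Oct/2019:10:20:45 +0000] "GET /wp-content/plugins/astra-sites/readme.txt HTTP/1.1" 404 209 "-" "curl/7.64.1"',
    '198.51.100.9 - - [23/Oct/2019:10:21:03 +0000] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    'this line is not a valid access log entry',
]

if __name__ == "__main__":
    probes = find_probes(SAMPLE_LOG)
    for ip in suspicious_clients(SAMPLE_LOG):
        print(f"{ip}: {len(probes[ip])} probe requests")
```

On a site that does have the plugin installed, the same requests will return 200 rather than 404, so the status code is kept in the result: a successful fetch of these files from a flagged client is the more urgent case, since it tells the scanner the plugin is present.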

That plugin has 200,000+ installs according to wordpress.org, so you might imagine that it had at least a cursory security review by now, but that doesn't appear to be the case, because just in our limited checking to figure out what a hacker would be interested in exploiting we found numerous security issues that would have been flagged by the type of security review of WordPress plugins we do. Considering that persistent cross-site scripting (XSS) vulnerabilities have existed in several of the other plugins being targeted, we focused on seeing if this plugin has that type of vulnerability, and we found that it contains an authenticated variant of it. While that requires someone to have access to a WordPress account, which limits its exploitability, with 200,000+ installs it would be something that hackers have previously shown an interest in exploiting.