Top 50 Most Attacked WordPress Plugins This Week

Last week we shared the top 20 most attacked WordPress themes and an explanation of why many of them are targeted. This week we’ve dug deep into the data and we are publishing the top 50 most attacked WordPress plugins during the past 7 days.

The data we’re sharing today is based on the following high level metrics:

  • During the past week Wordfence blocked 20,644,496 unique attacks across all the sites we protect.
  • We saw attacks from 73,629 unique IP addresses during the period.
  • 20,622,975 attacks came from IPv4 addresses and 15,160 of those attacks were IPv6 addresses.
  • Of the approximately 1.5 million active websites that we protect, 581,689 of those sites received attacks during the past week.

The following is a list of plugins that received the most attacks during the past week – counted as the most recent 7 days starting on Tuesday evening August 16th and looking back 7 days. Once again we are showing the plugin ‘slug’ which is the unique directory name that the plugin uses when it installs into WordPress.

This week we are ordering things slightly differently. We have the plugins ordered by number of unique sites that received attacks, labeled as “Sites attacked”. We feel this is a more useful order because it shows how widespread an attack is on a particular plugin, rather than just raw volume of attacks.

“Total Attacks” indicates the total number of attacks that we logged on that plugin. “IPs” is the total number of unique IP addresses that an attack targeting the plugin originated from.

“Type” is the type of attack – in most cases it’s a “Local File Inclusion” attack which allows an attacker to download any file they want to on the target system. The vast majority of files that are targeted are either the wp-config.php file which contains the database username, password and server name or /etc/passwd which contains the host operating system usernames.

Where we’ve labeled the Type as “Shell” it indicates an attack that allows an attacker to upload a shell to the target site which gives them full remote access. These are the most serious vulnerabilities and attacks.

All attacks are on vulnerabilities that are already publicly known. If you run any of these WordPress plugins, make sure that:

  1. You are using the newest version of the plugin.
  2. That version does not have any known vulnerabilities.
  3. You are running Wordfence with the Firewall enabled because we protect against all vulnerabilities shown.

The list of the top 50 most attacked plugins during the past week follows:

Plugin Sites attacked Total attacks IPs Type
recent-backups 182,525 351,014 3,467 LFI
wp-symposium 149,860 242,715 3,460 Shell
google-mp3-audio-player 138,282 307,743 2,032 LFI
db-backup 129,519 287,043 2,189 LFI
wptf-image-gallery 107,000 131,938 2,846 LFI
wp-ecommerce-shop-styling 103,471 131,011 2,887 LFI
candidate-application-form 103,017 127,359 2,820 LFI
wp-miniaudioplayer 91,546 196,557 1,381 LFI
ebook-download 88,461 189,640 1,408 LFI
ajax-store-locator-wordpress_0 86,051 119,192 1,396 LFI
hb-audio-gallery-lite 82,041 105,618 1,505 LFI
simple-ads-manager 70,683 166,131 6,476 Shell
revslider 53,549 145,626 407 Shell
inboundio-marketing 53,063 112,696 874 Shell
wpshop 51,609 111,546 830 Shell
dzs-zoomsounds 51,089 225,032 731 Shell
reflex-gallery 49,853 111,624 699 Shell
wp-mobile-detector 38,764 115,235 800 Shell
formcraft 25,192 52,604 668 Shell
sexy-contact-form 19,076 50,649 316 Shell
filedownload 12,584 19,400 353 LFI
plugin-newsletter 11,982 23,887 451 LFI
simple-download-button-shortcode 11,558 21,502 427 LFI
pica-photo-gallery 11,059 16,587 262 LFI
tinymce-thumbnail-gallery 10,972 16,429 263 LFI
dukapress 10,814 16,235 333 LFI
wp-filemanager 10,756 16,634 331 LFI
history-collection 10,427 24,371 607 LFI
s3bubble-amazon-s3-html-5-video-with-adverts 10,312 24,011 595 LFI
simple-image-manipulator 7,268 8,272 448 LFI
ibs-mappro 5,555 18,738 448 LFI
image-export 5,442 6,047 266 LFI
abtest 5,431 5,885 297 LFI
wp-swimteam 5,119 5,433 238 LFI
contus-video-gallery 4,921 17,866 345 LFI
sell-downloads 4,393 4,746 240 LFI
brandfolder 4,268 4,619 230 LFI
thecartpress 4,164 4,534 274 LFI
advanced-uploader 4,066 4,351 203 LFI
aviary-image-editor-add-on-for-gravity-forms 3,548 5,749 247 Shell
wp-post-frontend 1,811 16,690 294 Shell
[redacted]* 1,716 2,133 65 Shell
mdc-youtube-downloader 1,039 5,517 199 LFI
document_manager 915 4,450 148 LFI
paypal-currency-converter-basic-for-woocommerce 797 1,133 129 LFI
justified-image-grid 788 17,852 35 LFI
cherry-plugin 539 3,919 31 Shell
aspose-cloud-ebook-generator 531 720 25 LFI
gwolle-gb 331 406 46 LFI

*The redacted plugin in the list was removed before publication. It is an undocumented older shell upload vulnerability which is being targeted. The vulnerability does not exist in the current version of the plugin. Because it’s undocumented it is technically a zero day vulnerability, even though the vulnerability has been fixed in newer versions of the plugin, so we decided to remove the plugin name.


The large number of local file inclusion vulnerabilities that are being exploited is surprising. I should also note that many of these LFI’s were discovered by Larry Cashdollar who I had the pleasure of seeing speak at Defcon in Las Vegas 2 weeks ago. So I suspect that many of these are being used in an attack script of some kind which may explain their prevalence in the attacks we’re seeing.

Backlit keyboardThe clustering of LFI’s together and Shell exploits together in the list order is odd, but I don’t have a theory to explain that and there is no error in the data that accounts for that. It appears to be coincidence.

The vulnerability in the Recent Backups plugin at the top of the list was disclosed in August 2015 and the plugin has now been removed from the repository, probably because it was not being maintained. The large number of exploits targeting this plugin are puzzling because as far as I can tell from, the plugin only had a few thousand installs. It may be because it is quite easy to “google dork” to find sites that are vulnerable and the abundance of target sites may make this an attractive target.

As a final note, I’d like to add that this data is simply an indication of the volume of attacks that we are seeing on plugins in the wild across the large attack surface that is WordPress websites who are protected by Wordfence. It does not give any indication of whether a plugin in this list is more or less secure than others. It does not include data on how successful attacks on the plugins shown may or may not be. It is purely an indication of attack activity in the wild on WordPress plugins during the past week.

Your comments are welcomed as always.

The post Top 50 Most Attacked WordPress Plugins This Week appeared first on Wordfence.


404 to 301 Plugin Considered Harmful

Yesterday we received a site cleaning request where one of our customers was seeing spammy links, Payday Loans in this case, injected into their WordPress website page content. The links were only appearing when the site was visited by a search engine crawler. This is common when a site has been hacked.

An extract from the customer communication with personal info removed:

We look after a clients website [website removed] and believe that has been compromised.

Specifically, the issue is that when google or bing’s search bots crawl the site, they see some text injected into the top of the homepage. I have been using a user agent switcher to verify it’s presence but it was first spotted when we did a pagespeed test here: [removed] and it showed in their ‘preview’ screengrab on the desktop view.

This text seems isn’t always present and when it is there it’s only on the home url (not actually the page eg. if you visit [page removed] it doesn’t appear).


For reference, the block of injected text appears under the site header (navigation etc.) and also in the body of our exit-intent popup:

Make Ends Meet With Payday Loans

It is often very easy to face any financial emergency if you have adequate money to pay for them. But, this can seem all too impossible if you often live from one paycheck to another. How will you be able to pay for your urgent financial emergencies? Most often than not, you can’t. Face the reality, when your job is unable to pay for your financial emergencies, it is best to turn to payday loan providers out there.

[rest of content removed including link to payday loans site]

Screen Shot 2016-08-16 at 10.59.59 AMIt turns out that this is not a hacked site. It is content that is injected by a plugin called 404 to 301 plugin which has 70,000 active installs and has a 4.5 star review from 56 reviewers. When you install the plugin it asks you to agree to a long agreement which includes parts of the GNU general public license. But at the end it also includes the following text (you have to scroll down to find it):


Third Party Text Links

Third party text networks supply text for display in 404 to 301. These networks may collect your visitors’ IP addresses, in native or hashed forms, for purposes of controlling the distribution of text links. 404 to 301 collects anonymous aggregated usage statistics.

By clicking the button here below, you agree to the terms and conditions and give permission to place text links on your website when search engine crawlers access it. Your website’s layout, performance and interaction with human visitors should not be altered or affected in any way. Please note that this feature can be deactivated at any time under 404 to 301 Setting > Help & Info > Plugin Information > Disable UAN, without affecting any other feature available in 404 to 301.

404 to 301 – Copyright © 2016.

I’m reasonably sure that no sane webmaster would agree to:

  1. Cloaking, which is specifically banned by Google and will result in a search engine penalty.
  2. Allowing ads to be inserted into their site over which they have no editorial control, including PayDay loan ads.

We are contacting the WordPress plugin repository maintainers who will likely remove the plugin by the time you read this post. Now that you’re fully informed, we suggest you make up your own mind about whether or not you want to keep this plugin installed if you have it on your site.

As always we welcome your comments. Please note: We have disabled comments on this post due to the inflammatory nature of some of the comments we’re receiving.

All company, product and service names used in this website are for identification purposes only. Use of these names, logos, and brands does not imply endorsement.

The post 404 to 301 Plugin Considered Harmful appeared first on Wordfence.


Vulnerability in User Role Editor – Users Can Become Admins

There is a major vulnerability in a popular plugin with over 300,000 active installs: User Role Editor 4.24 and older.

The vulnerability allows any registered user to gain administrator access. For sites that have open registration, this is a serious security hole.

If you are running User Role Editor, upgrade to the newest version which is 4.25 immediately.

Looking at a diff of the newest plugin release, the author was checking if users have access to edit another user using the ‘current_user_can’ function and checking for the ‘edit_user’ (without an ‘s’ on the end) capability on a specific user ID. The green code below was added.

Screen Shot 2016-04-04 at 9.58.02 AM

A user can edit themselves, and so sending data to the plugin that supplies the current user’s ID to this access check would bypass the check.

The fix released in version 4.25 (new code shown in green above) checks if the current user has the ‘edit_users’ capability which is a general access check that would fix this vulnerability.

The edit_user check that was being used is undocumented on the Roles wiki page, but it is used by WordPress core (in a secure way). So if you are using this check in your plugins, it is important to realize that it can be bypassed if used as a general access level check.

As always, please make sure that the rest of your plugins are at the newest version because we have seen several, less impactful vulnerabilities emerge during the past month.


The Wordfence Team.

The post Vulnerability in User Role Editor – Users Can Become Admins appeared first on Wordfence.


A Backdoored WordPress Plugin and 3 Additional Vulnerabilities

We have several plugin vulnerabilities we’d like to bring to your attention this week.

First up is a backdoor that was added to the Custom Content Type Manager plugin. The backdoor was added by a malicious coder who gained access to the plugin code in the official WordPress plugin repository.

It’s unclear whether the plugin author’s credentials were stolen or whether the malicious actor was granted access. The WordPress security team removed the malicious user account that added the backdoor to the plugin. They have also removed all malicious code that was added to the plugin and updated the version number so that users running this plugin will be prompted to upgrade.

If you are using Custom Content Type Manager, you will need to take the following steps to remove any infection and install the updated non-backdoored version of the plugin.

  1. Update to version of Custom Content Type Manager
  2. The malicious code in this plugin installed a backdoor in WordPress core files. So run a Wordfence scan on your site to check the integrity of your core files. The free version of Wordfence will do this.  Make sure the option to compare your core files against the official WordPress versions is enabled. In the scan results, make sure that the following three files are not modified.
    • wp-login.php
    • wp-admin/user-edit.php
    • wp-admin/user-new.php
  3. If any of the above files are modified, you can use Wordfence to repair them.
  4. Change the passwords of all your users.
  5. Delete any user accounts you don’t recognize. Check admin accounts in particular.
  6. If a file called wp-options.php exists in your home directory, remove it.

The SP Projects and Document Manager plugin version has multiple vulnerabilities including file upload, code execution, sql injection and XSS. Update to to version immediately which contains the vendor released fixes and is the newest version.

If you are running Easy Digital Downloads, ensure you’ve updated to at least version 2.5.8 which fixes an object injection vulnerability. The current version is 2.5.9. The vulnerability was disclosed within the past week.

A vulnerability was publicly disclosed in the Bulk Delete plugin earlier this month that allows unprivileged users to delete pages or posts. The vendor has already released a fix so make sure that if you’re using the Bulk Delete Plugin, you’ve updated to version 5.5.4 which is the latest version.

That concludes our vulnerability roundup for this week. Please share this with the larger WordPress community to help create awareness of these issues.

The post A Backdoored WordPress Plugin and 3 Additional Vulnerabilities appeared first on Wordfence.