WordPress websites are facing an increasing number of attacks exploiting the security aspects of popular plugins. Almost all of the attacks involved hackers hijacking websites by attacking recently patched plugin bugs. A news report reveals the list of all the plugins that are discovered as part of these attacks. Users are advised to update these plugins immediately and stay consistent in updating the plugins throughout the year.

ThemeGrill Demo Importer

Bug in this plugin comes with themes as sold by ThemeGrill which lets attackers wipe websites and hijack the admin account. This plugin bug was patched in version 1.6.3

Recommendation: Lazy Loading Will Be Added To All Images In WordPress-5.4

Flexible Checkout Fields for WooCommerce

Attackers inject XSS payloads through a zero-day exploit in this plugin which gets activated in the logged-in user’s dashboard. XSS payloads were used by hackers to form rogue admin accounts. This bug was patched in the latest update.

Duplicator

This WordPress plugin lets website owners export content of their websites. Attackers were able to export website contents and database credentials through a bug in this plugin which was patched in version 1.3.28

Profile Builder Plugin

A bug was patched on February 10th which allowed hackers to register unauthorized admin accounts in its free and paid versions.

Async JavaScript, Modern Events Calendar Lite, 10Web Map Builder For Google Maps

In all these plugins three zero-day exploits were found for which patches are now available.

ThemeREX Addons

Attackers were able to create rogue accounts through a zero-day exploit that comes with ThemeREX commercial themes. Site owners are asked to delete this plugin as no patch has been issued for this bug yet.