Alleged problem with plugin leads to malicious code insertion.
Thousands of WordPress sites are redirecting users to exploit kits because of a plugin that was outed as faulty last December, according to an analyst who works for the security vendor Fox-IT.
Hackers can allegedly use the vulnerability in RevSlider to embed malicious code into websites using iframes, with the bug already reported to be affecting around 3,000 websites.
It follows reports from the security vendor Sucuri that the plugin was at the heart of a malware campaign compromising 100,000 WordPress sites.
Yonathan Klijnsma, a threat intelligence analyst at Fox-IT, wrote on his personal blog: "The payloads that are dropped from the exploit kits are diverse.
"There are reports of [the ransomware] Cryptowall 3.0 being dropped, some banking malware as well as ad fraud; it just depends who rents ‘loads’ on these instances."
The attackers were said to exploit the vulnerability in RevSlider by abusing the plugin to add another admin account, uploading a PHP scripting file, or editing other files on the WordPress installation.
The last of these attacks was even allegedly achieved by changing the file of the plugin SimplePie, highlighting some of the security risks created by using a highly modular system such as WordPress, which can create unexpected coding interactions.
Klijnsma said that WordPress admins can mitigate against the attack by updating RevSlider, either through the dashboard or by installing a patching tool if the plugin has been bundled with a theme.
He also noted that website builders should ensure the content management system and plugins are regularly updated, advising that security could also be improved by converting to a static website.
"You could also ask yourself if you really need a dynamic website," he said.
"If you update content constantly you do but if you only update your website every few months consider a static webpage it saves you a lot of trouble."