Hackers actively exploit second vulnerability in WordPress plugin

Within a single week, hackers have begun exploiting a second vulnerability in a widely used WordPress plugin. That is what WordPress security company Defiant told ZDNet. The attacks are under way right now.

It’s the second separate wave of hack attempts against WordPress sites since Defiant discovered a similar hack campaign on these sites a week ago. That campaign abused the WP GDPR Compliance plugin. In the second wave, hackers focus on a vulnerability in AMP for WP, a plugin installed on over 100,000 sites.

The vulnerability was revealed last week, when security company WebARX published proof-of-concept code showing how to abuse it. The actual vulnerability was discovered by the Dutch security researcher Sybre Waaijer. He reported the problem to the maintainers of the WordPress Plugins repository in mid-October.

Between October 22nd and 31st, the AMP for WP plugin was removed from the official repository. During that time, the developers worked on a fix, which was also released.


The vulnerability is comparable to the one found in the WP GDPR Compliance plugin. Hackers can use the vulnerable code to make site-wide changes to site options that the plugin should not be able to access.

It seems that WebARX's publication of the code drew hackers' attention to the little-known problem. Defiant experts state that hackers have now incorporated the vulnerability into an “advanced attack campaign”. The attack is considered advanced because the hackers do not simply exploit the vulnerability directly, but combine it with a separate cross-site scripting (XSS) flaw.

Attackers can search the web for vulnerable websites that use the AMP for WP plugin, use the XSS vulnerability to place malicious code in various parts of the site, and wait for an admin user to visit those parts of the site. The malicious code loads a JavaScript file from the sslapis.com domain, which attempts to invoke URLs that are only available to users with admin accounts.


Defiant states that the code allows hackers to create an admin account called “supportuuser”, and also gives them access to the code editor for other plugins. There, further malicious code is placed to serve as a backdoor in case the “supportuuser” account is deleted.

Defiant states that administrators of WordPress sites should update the AMP for WP plugin as soon as possible. They should also check if a new admin account called “supportuuser” has appeared in the backend of the site.
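
The check Defiant recommends can be scripted. The following is an added example, not code from Defiant, WebARX or the plugin: it looks for the two indicators named above (the “supportuuser” admin account and references to sslapis.com) in a user export and in stored site content. It assumes the user list was exported as CSV with `user_login` and `roles` columns (for instance from `wp user list --format=csv`); all sample data is constructed.

```python
import csv
import io
import re

# Indicators named in the article above.
ROGUE_LOGIN = "supportuuser"
BAD_DOMAIN = "sslapis.com"

# Host part of any URL, including protocol-relative ones (//host/...).
URL_HOST = re.compile(r"(?:https?:)?//([a-z0-9.-]+)", re.IGNORECASE)


def find_rogue_admins(users_csv):
    """Return administrator rows whose login matches the reported account name."""
    hits = []
    for row in csv.DictReader(io.StringIO(users_csv)):
        roles = {r.strip().lower() for r in row.get("roles", "").split(",")}
        login = row["user_login"].strip().lower()
        if "administrator" in roles and login == ROGUE_LOGIN:
            hits.append(row)
    return hits


def find_domain_refs(blobs):
    """Return (name, host) for each URL pointing at BAD_DOMAIN or a subdomain."""
    hits = []
    for name, text in blobs.items():
        for host in URL_HOST.findall(text):
            host = host.lower().rstrip(".")
            # Exact or subdomain match only, so look-alike hosts are not flagged.
            if host == BAD_DOMAIN or host.endswith("." + BAD_DOMAIN):
                hits.append((name, host))
    return hits


# Constructed sample data (hypothetical names and paths, not from a real site).
SAMPLE_USERS = """ID,user_login,user_email,user_registered,roles
1,admin,owner@example.org,2017-03-02 10:00:00,administrator
7,editor1,ed@example.org,2018-01-15 09:30:00,editor
19,supportuuser,x@example.net,2018-11-18 03:12:44,administrator
"""
SAMPLE_BLOBS = {
    "option:footer_html": '<p>Hi</p><script src="https://sslapis.com/constructed.js"></script>',
    "post:42": '<a href="https://notsslapis.com/page">look-alike host</a>',
    "plugin:hello.php": "<?php // clean file",
}

if __name__ == "__main__":
    for row in find_rogue_admins(SAMPLE_USERS):
        print("rogue admin:", row["ID"], row["user_login"], row["user_registered"])
    for name, host in find_domain_refs(SAMPLE_BLOBS):
        print("reference to", host, "in", name)
```

Because the article reports that backdoor code is also written into other plugins, a run with no hits does not by itself show that a site is clean.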

This news article was automatically translated from Dutch to give Techzine.eu a head start. All news articles after September 1, 2019 are written in native English and NOT translated. All our background stories are written in native English as well. For more information read our launch article.