Vulnerabilities in several WordPress plugins (including Simple Fields) allow hackers to inject JavaScript code, which can then be used to alter the affected WordPress sites. According to Sucuri, more than two thousand domains have been hacked through these vulnerable plugins.

Through these vulnerabilities, malicious parties can load scripts into the site's default theme that send visitors to sites such as Admarketlocation and Gotosecond2. The same access also lets hackers modify the theme's existing files so that, where possible, more malware can be injected into the site.
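As an added example (not code from the article or from Sucuri), the script below shows how a site owner can check theme files for the kind of injection just described: it scans a theme directory for `<script src="...">` tags whose host is not on an allowlist of hosts the site legitimately loads JavaScript from. The allowlist, the temporary theme directory and the sample `footer.php` with one injected tag are all constructed for the example.

```php
<?php
// Added example: scan WordPress theme files for <script src="..."> tags that
// load JavaScript from hosts outside an allowlist. Hosts and paths are assumptions.
declare(strict_types=1);

// Hosts the site legitimately loads scripts from (assumed for this example).
const ALLOWED_SCRIPT_HOSTS = ['www.example-site.test', 'fonts.googleapis.com'];

/**
 * Return the external hosts referenced by <script src> tags in $content
 * that are not on the allowlist. Relative (same-site) URLs are ignored.
 */
function findUnexpectedScriptHosts(string $content, array $allowedHosts): array
{
    $hosts = [];
    // Match src="..." or src='...' inside any <script ...> opening tag.
    if (preg_match_all('/<script\b[^>]*\bsrc\s*=\s*["\']([^"\']+)["\']/i', $content, $matches)) {
        foreach ($matches[1] as $src) {
            // parse_url() handles absolute and protocol-relative (//host/...) URLs;
            // a relative path has no host component and is treated as local.
            $host = parse_url(trim($src), PHP_URL_HOST);
            if (!is_string($host) || $host === '') {
                continue;
            }
            $host = strtolower($host);
            if (!in_array($host, $allowedHosts, true)) {
                $hosts[] = $host;
            }
        }
    }
    return array_values(array_unique($hosts));
}

/** Scan every .php, .js and .html file below $themeDir; return findings keyed by path. */
function scanThemeDirectory(string $themeDir, array $allowedHosts): array
{
    $findings = [];
    $iterator = new RecursiveIteratorIterator(
        new RecursiveDirectoryIterator($themeDir, FilesystemIterator::SKIP_DOTS)
    );
    foreach ($iterator as $file) {
        if (!in_array($file->getExtension(), ['php', 'js', 'html'], true)) {
            continue;
        }
        $content = (string) file_get_contents($file->getPathname());
        $hosts = findUnexpectedScriptHosts($content, $allowedHosts);
        if ($hosts !== []) {
            $findings[$file->getPathname()] = $hosts;
        }
    }
    return $findings;
}

// Constructed sample: a theme footer with one legitimate, one injected and one local script tag.
$themeDir = sys_get_temp_dir() . '/theme-scan-demo';
@mkdir($themeDir, 0700, true);
file_put_contents($themeDir . '/footer.php', <<<'PHP'
<footer>&copy; Example site</footer>
<script src="https://fonts.googleapis.com/loader.js"></script>
<script type="text/javascript" src="//injected-host.example/track.js"></script>
<script src="/wp-content/themes/demo/js/main.js"></script>
PHP
);

foreach (scanThemeDirectory($themeDir, ALLOWED_SCRIPT_HOSTS) as $path => $hosts) {
    echo "$path loads scripts from unexpected host(s): " . implode(', ', $hosts) . PHP_EOL;
}
```

Run it with `php scan-theme.php` against a copy of the live theme directory rather than the production tree, and treat every reported host as something to verify against the theme's own source, since legitimate themes also pull scripts from CDNs. The check only catches injections that use a plain `<script src>` tag; obfuscated inline JavaScript or PHP that writes the tag at runtime needs a file-integrity comparison against a known-good copy of the theme.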

The researchers also point out to WordPress site owners that modification of the main folders can be disabled, which prevents hackers from hijacking the entire site.
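In WordPress terms, the advice above maps most directly onto the `DISALLOW_FILE_EDIT` and `DISALLOW_FILE_MODS` constants in `wp-config.php`; that mapping is this editor's reading, not a statement from the article. The fragment below is an added example (not from the article or from Sucuri) that shows the weak default beside the hardened setting.

```php
<?php
// Added example of wp-config.php hardening. The two constants are real WordPress
// settings; reading them as the article's "disable modification of the main folders"
// advice is an assumption of this example.

// Weak (the default): both constants are absent, so any logged-in account with the
// edit_themes / edit_plugins capability can rewrite theme and plugin files from the
// dashboard editor, and an attacker who obtains such a session can inject scripts.
// define('DISALLOW_FILE_EDIT', false);
// define('DISALLOW_FILE_MODS', false);

// Hardened, step 1: remove the in-dashboard theme and plugin file editor entirely.
define('DISALLOW_FILE_EDIT', true);

// Hardened, step 2: additionally block plugin/theme installation, updates and
// deletion through the dashboard, so code only changes through your own deployment
// process. Setting this also implies DISALLOW_FILE_EDIT.
define('DISALLOW_FILE_MODS', true);

/* That's all, stop editing! Happy publishing. */
if (!defined('ABSPATH')) {
    define('ABSPATH', __DIR__ . '/');
}
require_once ABSPATH . 'wp-settings.php';
```

Both defines must sit above the `wp-settings.php` line or they have no effect. Note the limit of this control: it removes the dashboard as a way to write files, but a plugin vulnerability that lets PHP write to disk directly is not stopped by it, so the web server account's write permissions on `wp-admin`, `wp-includes` and the theme directories still need to be restricted to what updates genuinely require.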

In the third week of January, there was a significant increase in infections caused by malicious JavaScript. The total number of infected sites is expected to rise; so far, more than two thousand sites are infected. To date, the vulnerability allowing the injection of scripts has only been found in two third-party plugins: Simple Fields and CP Contact Form with PayPal.

Previous findings

It is not the first time that Sucuri has sounded the alarm over vulnerabilities in WordPress plugins. In 2019, an extensive study revealed that approximately 90 per cent of the content management systems (CMS) hacked in 2018 were based on WordPress. Then too, the main culprit was the large number of vulnerabilities in third-party plugins.