In order to maintain persistent remote access and redirect site visitors to bogus websites, threat actors are using the “mu-plugins” directory in WordPress sites to hide malicious code.
The term “Must-Use plugins,” abbreviated as “mu-plugins,” refers to plugins that are automatically executed by WordPress without having to enable them explicitly in the admin dashboard. They are located in a special directory (“wp-content/mu-plugins”). This also makes the directory an attractive place to stage malicious code.
“This approach represents a worrying trend, as the mu-plugins (Must-Use plugins) are not listed in the standard WordPress plugin interface, making them less noticeable and simpler for users to ignore during routine security checks,” Sucuri researcher Puja Srivastava said in a report.
Three different types of rogue PHP script have been found in the directory in the incidents the web security company has investigated.
- “wp-content/mu-plugins/redirect.php,” which redirects site visitors to a malicious website hosted elsewhere.
- “wp-content/mu-plugins/index.html,” which downloads and executes a remote PHP script hosted on GitHub, offering web shell-like functionality that lets attackers run arbitrary code.
- “wp-content/mu-plugins/custom-js-loader.php,” which injects unwanted spam into the compromised site, either to promote scams or to manipulate search rankings, by replacing all images on the site with explicit content and hijacking links so that they point to malicious websites.
The “redirect.php” script, according to Sucuri, masquerades as a web browser update to trick users into downloading malware that can steal data or drop further payloads.
“The script includes a function that determines whether the current visitor is a bot,” Srivastava said. This allows the script to exclude search engine crawlers and prevent them from detecting the redirect behavior.
The development comes as threat actors continue to abuse compromised WordPress sites as staging grounds to trick visitors into running malicious PowerShell commands under the guise of Google reCAPTCHA or Cloudflare CAPTCHA verification, a well-known technique, in order to deliver the Lumma Stealer malware.
Malicious JavaScript injected into compromised WordPress sites is also being used to redirect visitors to unapproved third-party domains, or to act as a skimmer that steals financial data from checkout pages.
It is not currently known how the sites were breached, but the usual suspects are vulnerable plugins or themes, compromised login credentials, and misconfigurations.
Threat actors have consistently exploited four different security flaws since the start of the year, according to a recent report from Patchstack.
- CVE-2024-27956 (CVSS score: 9.9) - An unauthenticated arbitrary SQL execution vulnerability in the WordPress Automatic Plugin - AI content generator and auto poster plugin.
- CVE-2024-25600 (CVSS score: 10.0) - An unauthenticated remote code execution vulnerability in the Bricks theme.
- CVE-2024-8353 (CVSS score: 10.0) - An unauthenticated PHP object injection vulnerability in the GiveWP plugin leading to remote code execution.
- CVE-2024-4345 (CVSS score: 10.0) - An unauthenticated arbitrary file upload vulnerability in Startklar Elementor Addons for WordPress.
To reduce the risks posed by these threats, it is essential for WordPress site owners to regularly audit their code for the presence of malware, enforce strong passwords, and deploy a web application firewall to block code injections and malicious requests.
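Because files under wp-content/mu-plugins are executed automatically and never appear in the plugin list, a routine audit should enumerate that directory explicitly rather than relying on the dashboard. The following Python script is an added example, not code from Sucuri or from the article, that walks the mu-plugins directory and flags PHP files containing the kinds of behaviour described above (bot cloaking keyed on the user agent, Location redirects, remote fetches, dynamic evaluation and encoded payloads). The indicator set and the sample files are constructed for illustration; tune the patterns to your own environment, and treat a hit as a prompt for manual review rather than proof of compromise.

```python
"""Audit wp-content/mu-plugins for auto-loaded PHP files that carry
behaviour indicators of the kind described in the article.
Added example; the indicator list and sample files are assumptions."""
import re
from pathlib import Path
from tempfile import TemporaryDirectory

# Indicator name -> regex. Constructed for this example, not an exhaustive list.
INDICATORS = {
    # fetching code or payloads from a remote URL
    "remote_fetch": re.compile(
        r"\b(file_get_contents|curl_init|fopen)\s*\(\s*['\"]https?://", re.I),
    # dynamic evaluation of strings as PHP
    "dynamic_exec": re.compile(r"\b(eval|assert|create_function)\s*\(", re.I),
    # decoding routines commonly wrapped around hidden payloads
    "encoded_payload": re.compile(
        r"\b(base64_decode|gzinflate|str_rot13)\s*\(", re.I),
    # server-side redirect of the visitor
    "redirect_header": re.compile(r"\bheader\s*\(\s*['\"]Location:", re.I),
    # user-agent check that singles out crawlers (cloaking)
    "bot_cloaking": re.compile(
        r"HTTP_USER_AGENT.{0,300}?\b(bot|crawl|spider)\b", re.I | re.S),
}


def scan_php_source(src: str) -> list[str]:
    """Return the sorted list of indicator names present in one PHP source."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(src))


def audit_mu_plugins(wp_content: Path) -> dict[str, list[str]]:
    """Scan every *.php under wp-content/mu-plugins; map relative path -> hits."""
    mu_dir = wp_content / "mu-plugins"
    findings: dict[str, list[str]] = {}
    if not mu_dir.is_dir():
        return findings
    for php in sorted(mu_dir.rglob("*.php")):
        hits = scan_php_source(php.read_text(errors="replace"))
        if hits:
            findings[php.relative_to(wp_content).as_posix()] = hits
    return findings


# Constructed sample tree (not real malware): one benign mu-plugin that sets a
# header, one file mimicking the cloaked-redirect pattern, and a non-PHP file.
SAMPLES = {
    "mu-plugins/site-defaults.php": (
        "<?php\n/* Plugin Name: Site Defaults (constructed sample) */\n"
        "add_filter('wp_headers', function ($h) {\n"
        "    $h['X-Frame-Options'] = 'SAMEORIGIN'; return $h; });\n"
    ),
    "mu-plugins/redirect-sample.php": (
        "<?php\n// constructed sample reproducing the described pattern\n"
        "$ua = $_SERVER['HTTP_USER_AGENT'] ?? '';\n"
        "if (!preg_match('/bot|crawl|spider/i', $ua)) {\n"
        "    header(\"Location: https://redirect.example.invalid/\");\n"
        "}\n"
    ),
    "mu-plugins/notes.txt": "not loaded by WordPress, ignored by the scan\n",
}


def run_demo() -> dict[str, list[str]]:
    """Materialise the sample tree in a temp dir and audit it."""
    with TemporaryDirectory() as tmp:
        wp_content = Path(tmp) / "wp-content"
        for rel, body in SAMPLES.items():
            target = wp_content / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return audit_mu_plugins(wp_content)


if __name__ == "__main__":
    for path, hits in run_demo().items():
        print(f"{path}: {', '.join(hits)}")
```

Point `audit_mu_plugins` at a real `wp-content` directory to audit a live install; any file listed there that the site's own deployment did not put in place warrants a closer look, and the scan is cheap enough to run from cron alongside a file-integrity check.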