NewStats: 3,261,951 , 8,175,633 topics. Date: Saturday, 31 May 2025 at 08:31 AM 3h111p

A website hacking campaign, that has been ongoing since July, has morphed from redirecting browsers to sites containing dodgy adverts or malicious software into something that is potentially even more problematical. Mikey Veenstra, a researcher with the Defiant Threat Intelligence team, said that “the campaign has added another script which attempts to install a backdoor into the target site by exploiting an ’s session.”


In a warning posted to the WordFence security blog on August 30, Veenstra revealed that a malicious JavaScript dropped into compromised websites looks to “create a new with privileges on the victim’s site.” If a logged-in is identified as viewing the infected page, it then goes on to make an AJAX call via jQuery, one that creates a rogue .

“This AJAX call creates a named wpservices with the email [email protected] and the w0rdpr3ss,” Veenstra said, “with this in place, the attacker is free to install further backdoors or perform other malicious activity.”

Meanwhile, Veenstra stated that the plugins that are under attack currently had been identified as follows:

Bold Page Builder

Blog Designer

Live Chat with Facebook Messenger

Yuzo Related Posts

Visual CSS Style Editor


WP Live Chat

Form Lightbox

Hybrid Composer

All former NicDark plugins (nd-booking, nd-travel, nd-learning)

If you are a WordPress-powered website owner using any of these plugins, then you are advised to check you have the latest updated versions. Follow the links above to check on update status, as most of these have already been patched. However, Veenstra warned that “it’s reasonable to assume any unauthenticated XSS or options update vulnerabilities disclosed in the near future will be quickly targeted by this threat actor.”

Source: https://www.forbes.com/sites/daveywinder/2019/08/31/critical-backdoor-attack-warning-issued-for-60-million-wordpress-s/amp/