On Saturday, April 13, 2019, our honeypots detected an exploit attempt targeting WordPress sites with a defunct plugin, CodeArt – Google MP3 Player, installed. This malicious activity originated from a host on the network of LeaseWeb (AS60781) and exploited a directory traversal flaw to retrieve the wp-config.php settings file. Our scans have indicated 391 WordPress sites are using the vulnerable plugin and are open to this type of attack.
The Exploit Attempt

The wp-config.php file contains sensitive information such as the WordPress database name, username, password and hostname.

This file also contains the WordPress secret keys which can be used to forge authentication cookies. However, access to the WordPress database alone is enough for a threat actor to leverage further attacks to compromise the site. If the password used for the database is same as the admin user (credential reuse) it could be used to take over the targeted site via the front-end.
In short, there’s plenty of damage that can be incurred against a targeted site with the information contained in the wp-config.php file.
Vulnerable Sites Found
Using data provided by PublicWWW, we’ve scanned 964 WordPress sites currently using the “CodeArt – Google MP3 Player” plugin. Our scans found 391 sites are vulnerable.
The top three hosting providers of vulnerable sites are GoDaddy, Unified Layer, and OVH.
188 of the vulnerable sites found are hosted in the United States.

IOCs
212.32.245.142 /wp-content/plugins/google-mp3-audio-player/direct_download.php?file=../../../wp-config.php
Closing remarks
Due to the sensitive nature of this vulnerability, the list of vulnerable websites will not be published publicly. However, the list is freely available for authorized CERT teams to review. We’ve shared our findings directly with MS-ISAC and affected government organizations, such as the Government of Los Angeles County.
The “CodeArt – Google MP3 Player” WordPress plugin is no longer maintained by developers and was last updated six years ago. Anyone still using this plugin is advised to remove it immediately and change their WordPress database and user passwords.
Update 2019-04-18:
Our honeypots have detected additional directory traversal attacks against vulnerable WordPress sites, including those using the plugin described in this post.
51.38.34.14 (🇫🇷) is exploiting every known #WordPress directory traversal vulnerability to steal database credentials and security keys from targeted sites. pic.twitter.com/WEwIoFKTEL
— Bad Packets Report (@bad_packets) April 18, 2019