Defunct WordPress plugin leaves nearly 400 websites vulnerable to sensitive information disclosure

On Saturday, April 13, 2019, our honeypots detected an exploit attempt targeting WordPress sites with a defunct plugin, CodeArt – Google MP3 Player, installed. This malicious activity originated from a host on the network of LeaseWeb (AS60781) and exploited a directory traversal flaw to retrieve the wp-config.php settings file. Our scans have indicated 391 WordPress sites are using the vulnerable plugin and are open to this type of attack.

The Exploit Attempt

wp-directory-traversal-attack-from-leaseweb — Attackers leveraged a directory traversal flaw to download the wp-config.php file.

The wp-config.php file contains sensitive information such as the WordPress database name, username, password and hostname.

wp-config-example — Example wp-config.php file

This file also contains the WordPress secret keys which can be used to forge authentication cookies. However, access to the WordPress database alone is enough for a threat actor to leverage further attacks to compromise the site. If the password used for the database is same as the admin user (credential reuse) it could be used to take over the targeted site via the front-end.

In short, there’s plenty of damage that can be incurred against a targeted site with the information contained in the wp-config.php file.

Vulnerable Sites Found

Using data provided by PublicWWW, we’ve scanned 964 WordPress sites currently using the “CodeArt – Google MP3 Player” plugin. Our scans found 391 sites are vulnerable.

The top three hosting providers of vulnerable sites are GoDaddy, Unified Layer, and OVH.

188 of the vulnerable sites found are hosted in the United States.

vulnerable-sites-by-country — Click here to view an interactive map of the results

IOCs

212.32.245.142
/wp-content/plugins/google-mp3-audio-player/direct_download.php?file=../../../wp-config.php

Closing remarks

Due to the sensitive nature of this vulnerability, the list of vulnerable websites will not be published publicly. However, the list is freely available for authorized CERT teams to review. We’ve shared our findings directly with MS-ISAC and affected government organizations, such as the Government of Los Angeles County.

The “CodeArt – Google MP3 Player” WordPress plugin is no longer maintained by developers and was last updated six years ago. Anyone still using this plugin is advised to remove it immediately and change their WordPress database and user passwords.

Update 2019-04-18:

Our honeypots have detected additional directory traversal attacks against vulnerable WordPress sites, including those using the plugin described in this post.

51.38.34.14 (🇫🇷) is exploiting every known #WordPress directory traversal vulnerability to steal database credentials and security keys from targeted sites. pic.twitter.com/WEwIoFKTEL

— Bad Packets Report (@bad_packets) April 18, 2019