
Thousands of Hijacked WordPress Sites Redirect Users to Exploit Kits

Cybercriminals have been leveraging a vulnerability in a popular WordPress plugin to redirect the visitors of thousands of websites to exploit kits, a researcher has warned.

Data gathered by security researcher Yonathan Klijnsma and Germany’s Computer Emergency Response Team (CERT-Bund) shows that roughly 3,000 websites have been compromised. However, Klijnsma believes the actual number of affected WordPress sites is much higher.

The attackers are exploiting a known vulnerability in Slider Revolution (RevSlider), a popular premium WordPress plugin. The flaw was fixed silently by the developer back in February 2014 and its existence came to light in September 2014, after cybercriminals started exploiting it to hijack thousands of websites running the vulnerable version.

In December, Sucuri reported seeing a campaign in which more than 100,000 WordPress websites had been compromised and set up to serve malware.

Now, according to Klijnsma, the RevSlider vulnerability is being exploited in a different campaign. The attackers have been planting iframes on vulnerable websites in an effort to redirect their visitors to exploit kits.

Cybercriminals take control of the websites by exploiting a local file inclusion (LFI) vulnerability, which allows them to access and download files from the affected server. The attackers create a new administrator account, upload a script to affected websites, and add backdoors to files associated with other WordPress plugins, the researcher said in a blog post.

In most cases, victims are directed to a Fiesta exploit kit landing page, but the researcher says the Angler exploit kit has also been used in the attack. In the case of Fiesta, vulnerabilities in Adobe Flash, Adobe Reader, Java, Microsoft Silverlight, and Internet Explorer are leveraged to push malware onto users’ computers, Klijnsma told SecurityWeek.

The domains used to host the exploit kits are registered at dynamic DNS providers and they are changed often.

The expert says the exploit kits are set up to serve various pieces of malware, including Cryptowall 3.0 ransomware, ad fraud malware, and banking Trojans. “It just depends who rents ‘loads’ on these instances,” Klijnsma noted.

Over half of the compromised websites observed by the researcher and CERT-Bund are on the .com TLD, and based on their IP addresses, most of them are hosted in the United States. Other impacted websites are located in the Netherlands, Germany, France, Spain, the United Kingdom, Italy, Poland, Canada and Singapore.

Klijnsma advises administrators whose websites have been compromised to remove all accounts and create new ones with new passwords. This step is required because all accounts are likely compromised considering that the attackers have gained administrative access to the site’s backend.

“Check all PHP files for modifications by comparing them to files from the official WordPress website (or own local copies if you are 100% sure they are unaffected). Any modified files should be replaced with the normal ones,” the researcher said.

Finally, the RevSlider plugin should be updated to the latest version. It’s worth noting that the vulnerable plugin is bundled with several themes, so it might be present on a website even if the owner hasn’t knowingly installed it. The RevSlider bug can be addressed in themes by using a special patch available on the official WordPress website.
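The file comparison recommended above can be scripted. The following is an added example, not code from the article or the researcher: it hashes every PHP file in a live install and in a known-clean reference tree and reports what differs. It assumes the reference tree was unpacked from official packages of the same WordPress, plugin and theme versions as the site; the function names and the sample files in `demo()` are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path


def php_hashes(root):
    """Map each PHP file's path (relative to root) to its SHA-256 digest."""
    root = Path(root)
    return {
        p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() == ".php"
    }


def compare_trees(site_root, clean_root):
    """Compare a live install against a known-clean reference tree."""
    site, clean = php_hashes(site_root), php_hashes(clean_root)
    return {
        # Present in both trees but with different content: replace these.
        "modified": sorted(f for f in site if f in clean and site[f] != clean[f]),
        # Only on the live site: review by hand (could be an uploaded script).
        "unexpected": sorted(f for f in site if f not in clean),
        # Only in the reference: deleted or never installed.
        "missing": sorted(f for f in clean if f not in site),
    }


def demo():
    """Run the comparison on two small constructed trees (not real WordPress files)."""
    files_clean = {"wp-load.php": "<?php // core\n",
                   "wp-content/plugins/example/example.php": "<?php // plugin\n"}
    files_site = dict(files_clean)
    files_site["wp-content/plugins/example/example.php"] += "// constructed change\n"
    files_site["wp-content/uploads/extra.php"] = "<?php // constructed extra file\n"
    with tempfile.TemporaryDirectory() as tmp:
        for name, files in (("clean", files_clean), ("site", files_site)):
            for rel, body in files.items():
                path = Path(tmp, name, rel)
                path.parent.mkdir(parents=True, exist_ok=True)
                path.write_text(body)
        return compare_trees(Path(tmp, "site"), Path(tmp, "clean"))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Run it against a copy of the site taken offline rather than trusting tools on the compromised host, and treat any PHP file under an uploads directory as suspect, since that directory normally holds media only.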

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
