Last week I began tracking malicious redirects affecting multiple WordPress plugins. I have been reviewing the situation over the weekend, and the malicious code does not appear to be related to any of the affected plugins. What seems to be happening in this case is that an adversary is exploiting vulnerabilities in plugins to inject malicious code into WordPress databases or theme files. Once inserted into the site, the code causes pages on the infected site to redirect visitors to another website.
One example of the code we are seeing can be found in the code sample below. There are several variations of this code, most of which do not have the extra <script type='text/javascript' async></script> chunks of code at the end. In a database, the malicious portion of this code, found between the first set of <script> and </script> tags, is inserted into a portion of the database that controls page locations, often in the options table. This example was found in the footer file for a theme.
Removing the extraneous code, you are left with the malicious code that is causing the redirects.
Decoding this, you are left with the code that is run in your browser – a malicious JavaScript redirect.
There are a few versions of these redirects, but they all use the same encoding to build the code that is ultimately run.
The Connection
By now, you're probably wondering what this has to do with the vulnerable plugins I mentioned. The answer is that the vulnerabilities in the plugins allowed the malicious code to be easily uploaded to the victim websites, through either an arbitrary file upload vulnerability or a SQL injection vulnerability. At this point, I have identified four plugins being used in these attacks, two of which have already been patched in the latest version.
| Plugin | Patched Version | Active Installs |
| --- | --- | --- |
| WP Live Chat Support – Free | N/A – Plugin closed to new installs | 60,000+ |
| WP Live Chat Support – Pro | 8.0.29 | Not disclosed |
| Smart Google Code Inserter | N/A – Last updated 1 year ago | 9,000+ |
| Live Chat with Facebook Messenger | 1.4.8 | 30,000+ |
| Blog Designer | 1.8.13 or higher | 30,000+ |
With the exception of WP Live Chat Support, the plugins were exploited in attacks before the plugin authors had the opportunity to patch the vulnerability, which is what is known as a zero-day vulnerability. You can read more about the vulnerability found in the WP Live Chat Support plugin in the post by the research team that discovered it. At the time of this writing, several of these plugins have already released patches to fix the vulnerabilities that have been exploited.
The Fixes
While the free version of WP Live Chat Support appears to be unpatched, it has also been removed from the WordPress plugin directory. The pro version of the plugin has been patched and now implements proper validation on uploads, which prevents the attacker(s) from getting their malicious code onto sites through this plugin.
The Live Chat with Facebook Messenger plugin changed the way it handles authentication, changing how it uses tokens and adopting a cryptographic nonce, a number that is used only once, so that old tokens cannot be reused.
The Blog Designer plugin was updated after the developer was notified of a vulnerability in the code that saved settings: it did not check whether the user was logged in or had administrative privileges.
The Cleanup
Removing the malicious redirects is fairly simple once you know to search for String.fromCharCode in the theme files and database. However, this is only part of the fix. Updating to the latest version of the plugin is needed to keep the site from being infected again through the same vulnerability. If you are using the free version of WP Live Chat Support, now might be a good time to move to the Pro version, or to find another chat solution. For users of the Smart Google Code Inserter plugin, the best option is to disable or remove the plugin until the developer has patched the vulnerability in their plugin.
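As an added example (not code from the original post), here is a small Python triage scanner that pulls String.fromCharCode payloads out of <script> tags in theme files or wp_options rows and decodes them, so the redirect destination can be confirmed and logged before the row or file is cleaned. The sample markup, the placeholder destination example.invalid and the option name theme_footer_html are constructed for this example.

```python
import re

# Every <script> body, and each String.fromCharCode(...) call inside it.
SCRIPT_RE = re.compile(r"<script\b[^>]*>(.*?)</script\s*>", re.I | re.S)
CHARCODE_RE = re.compile(r"String\.fromCharCode\(\s*([0-9\s,]+?)\s*\)")
# Decoded text that assigns a new location is what makes a hit a redirect.
REDIRECT_RE = re.compile(
    r"(?:window\.|document\.|top\.)?location(?:\.href)?\s*=|location\.replace\(")

def decode_charcodes(args: str) -> str:
    """Turn the numeric argument list of String.fromCharCode into the text it builds."""
    return "".join(chr(int(n)) for n in args.split(",") if n.strip())

def find_encoded_scripts(html: str) -> list:
    """Decoded text of each String.fromCharCode payload found inside <script> tags."""
    decoded = []
    for script in SCRIPT_RE.finditer(html):
        for call in CHARCODE_RE.finditer(script.group(1)):
            decoded.append(decode_charcodes(call.group(1)))
    return decoded

def is_redirect(js: str) -> bool:
    """True when the decoded script changes the browser location."""
    return REDIRECT_RE.search(js) is not None

def scan_rows(rows) -> list:
    """rows: (option_name, option_value) pairs, e.g. from
    SELECT option_name, option_value FROM wp_options. Returns one finding per payload."""
    findings = []
    for name, value in rows:
        for js in find_encoded_scripts(value):
            findings.append({"option": name, "decoded": js, "redirect": is_redirect(js)})
    return findings

# Constructed samples (not captured from a real site). The numbers decode to
# location='https://example.invalid', a placeholder destination.
INJECTED = ("<script type='text/javascript'>eval(String.fromCharCode(108,111,99,97,116,105,111,"
            "110,61,39,104,116,116,112,115,58,47,47,101,120,97,109,112,108,101,46,105,110,118,"
            "97,108,105,100,39))</script><script type='text/javascript' async></script>")
BENIGN = "<script>document.body.classList.add('loaded');</script>"
SAMPLE_ROWS = [
    ("blogname", "My Site"),
    ("siteurl", "https://shop.example"),
    ("theme_footer_html", INJECTED),  # hypothetical option holding injected markup
]

if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS):
        print(f"{f['option']}: redirect={f['redirect']} decoded={f['decoded']!r}")
```

The same find_encoded_scripts() call works on the contents of theme files such as footer.php; a hit whose decoded text is a location assignment is the redirect described above.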