Google has responded to a malware campaign compromising WordPress sites by blacklisting 11,000 infected websites, according to web security company Sucuri. The malware campaign is known as SoakSoak after the soaksoak.ru domain, which is the first in the redirection path.
Sucuri announced the discovery of the malware campaign, along with Google’s move to blacklist the sites, in a blog post on Sunday. The company’s analysis shows over 100,000 WordPress sites are infected, and that a vulnerability in the “RevSlider” plugin is the attack vector.
Slider Revolution Responsive WordPress Plugin, which Sucuri refers to as “RevSlider”, is a premium slide display solution developed by ThemePunch, which says the vulnerability is only present in releases prior to its version 4.2 release in February. The newest Slider Revolution version is 4.6, released in September; however, many plugin users seem not to have updated beyond the vulnerable legacy version.
ThemePunch has both offered an apology on its website and urged users to keep their WordPress plugins up to date.
Unfortunately, for many website operators this seems to be easier said than done.
“The biggest issue is that the RevSlider plugin is a premium plugin, it’s not something everyone can easily upgrade and that in itself becomes a disaster for website owner,” said Daniel Cid, Sucuri founder and CTO, in a follow-up post. “Some website owners don’t even know they have it as it’s been packaged and bundled into their themes. We’re currently remediating thousands of sites and when engaging with our clients many had no idea the plugin was even within their environment.”
ThemePunch released the updates to Slider Revolution without explicitly warning users of the vulnerability, a move that has drawn criticism from Sucuri. The developer says it decided against an official public announcement because it might “spark a mass exploitation of the issue.” Sucuri counters that the vulnerability had already begun to leak out through “underground forums.”