Hackers exploit cross-site scripting vulnerability in WordPress plugin to attack Mailgun site

None of the applications, including the APIs, dashboard and customer data, were affected by the attack

On Wednesday, Mailgun's website was hacked as part of a coordinated spray-and-pray hacking campaign that has hit several other WordPress websites in recent months.

To carry out the attack, hackers exploited an unpatched cross-site scripting (XSS) vulnerability in a plugin named 'Yuzo Related Posts'. Using the vulnerability, hackers were able to inject malicious code in the website, which redirected incoming visitors to a malicious website.

The company disabled the plugin after detecting the issue. Within two hours, the website was back up and running.

"Today, at approximately 9:00 UTC, the mailgun.com webpage began issuing redirects to sites outside of our domain," Mailgun later said in a statement.

"We immediately launched an incident to determine the source of the redirects and determined that a plugin for WordPress was responsible for issuing the redirects. We've disabled the plugin responsible for this issue."

None of its applications including the APIs, Dashboard and customer data were affected by the attack, according to the company.

Mailgun said that it is currently investigating the issue.

Mailgun is not the first victim of a coordinated series of attacks on WordPress websites. Several other websites have reported similar attacks recently, with attackers exploiting vulnerabilities in various plugin created by developers for use on WordPress platform.

Last month, users of a popular plugin named Social Warfare were asked to immediately update or disable the plugin after security researchers found that hackers were exploiting a XSS flaw in the plugin to attack websites.

The vulnerability enabled hackers to inject JavaScript code into the social sharing links present on a website's posts. The attacks started after a researcher published a proof of concept for the vulnerability.

The plugin was eventually removed from the WordPress platform, although it was still working on more than 70,000 websites.

Again last month, RIPS Technologies found cybercriminals exploiting a cross-site request forgery (CSRF) flaw to attack websites just with the use of a comment.

The CSRF security flaw is present in WordPress version 5.1 or earlier. The vulnerability enabled attackers to hack an authentic user session and to make the malicious instructions appear as if these were sent by the authentic user.

Attackers then used the flaw to lure the WordPress admins to a malicious website serving a XXS payload.

Computing and CRN have united to present the Women in Tech Festival UK 2019, on 17 September in London.

The event will celebrate successful women in the IT industry, enabling attendes to hear about, and to share, personal experiences of professional journeys and challenges.

Whether you're the ‘Next Generation', an ‘Inspirational Leader', or an ‘Innovator of Tech' this event will offer inspiration on not only how to improve yourself, but how to help others too. The event is FREE for qualifying IT pros, but places will go fast