Attackers tried to grab WordPress configuration files from over a million sites
A hacker tried to gather the WordPress configuration files of 1.3 million sites in one month after insertion a backdoor into the sites in early May. The XSS campaigns have been previously reported and sent attacks from over 20,000 different IP addresses. However, this new campaign is using the same IP addresses but targeting nearly a million new sites that were not included in the last campaign.
The goal of this campaign was to steal database credentials, connection information, and authentication keys through grabbing the wp-config-php file. The threat actor could subsequently gain access to the site database after obtaining information from this file. Although it is unclear what specific plugins and themes the attackers utilized, most vulnerabilities for WordPress lie in plugs that allow file downloads by reading the content of a file and delivering it as a downloadable attachment.