The FBI is advising people responsible for WordPress websites to be on the lookout for attacks carried out by individuals sympathetic to the Islamic State of Iraq and al-Shams terrorist group, which is also known as the Islamic State in the Levant. The mostly unskilled attackers are exploiting known vulnerabilities that have already been patched by developers of the widely used content management system and widely used plugins—but individual Web masters have failed to install the patches.
"Successful exploitation of the vulnerabilities could result in an attacker gaining unauthorized access, bypassing security restrictions, injecting scripts, and stealing cookies from computer systems or network servers," a public service announcement the FBI published Tuesday warned. "An attacker could install malicious software; manipulate data; or create new accounts with full user privileges for future Web site exploitation."
The steady stream of vulnerabilities found in WordPress plugins, and to a lesser extent WordPress itself, makes defacements and other types of website compromises largely a cut-and-paste exercise. Earlier Tuesday, one such vulnerability came to light in a WordPress plugin with one million active installations. Relatively unskilled miscreants are seizing on sites that fall behind in applying patches. The PSA went on to say: