The FBI has released an official alert warning all website owners who use the WordPress Content Management System (CMS) to patch all their WordPress plugins as soon as possible, before Islamic State (IS) sympathisers deface their websites.
"Continuous Web site defacements are being perpetrated by individuals sympathetic to the Islamic State in the Levant (ISIL) a.k.a. Islamic State of Iraq and al-Shams (ISIS)," said the FBI in a public service announcement.
"The defacements have affected Web site operations and the communication platforms of news organisations, commercial entities, religious institutions, federal/state/local governments, foreign governments, and a variety of other domestic and international Web sites."
The FBI added that although the website defacements were the work of hackers with only "low-level hacking sophistication", the disruption could cost website owners "lost business revenue and expenditures on technical services to repair infected computer systems".
According to security firm Sucuri, the plugins that are being exploited include the RevSlider plugin (affecting all versions before version 4.2), the GravityForms plugin (affecting all versions before v1.8.20), as well as other popular plugins like FancyBox, Wp Symposium and Mailpoet.
However, it is not just plugins that are being exploited – Sucuri also found attacks being perpetrated against vulnerabilities in WordPress themes, as well as brute force attacks targeted at the WordPress administration panel.
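A quick way to act on the version thresholds above is to audit the installed plugins against them. The script below is an added example, not code from the article, the FBI or Sucuri: it reads the `Version:` line from each plugin's PHP header comment (the standard WordPress plugin metadata block), compares it numerically against the fix versions the article gives (RevSlider 4.2, Gravity Forms 1.8.20) and lists anything older. The directory slugs `revslider` and `gravityforms`, and the throwaway plugin tree that `build_demo_site()` writes, are assumptions made for the demo.

```python
"""Audit a wp-content/plugins tree against minimum safe plugin versions.

Added example, not code from the article, the FBI or Sucuri. The fix versions
come from the article; the directory slugs and the demo headers are assumed.
"""
import re
import tempfile
from pathlib import Path

# Plugin directory slug (assumed) -> first version the article reports as fixed.
MIN_SAFE_VERSION = {
    "revslider": "4.2",        # article: all versions before 4.2 affected
    "gravityforms": "1.8.20",  # article: all versions before 1.8.20 affected
}

# WordPress plugins declare metadata in a PHP comment header; we read "Version:".
# Accepts both "Version: x" and " * Version: x" comment styles.
HEADER_RE = re.compile(r"^\s*\*?\s*Version:\s*(\S+)", re.MULTILINE)


def parse_version(header_text):
    """Return the Version: value from a plugin's main PHP file, or None."""
    m = HEADER_RE.search(header_text)
    return m.group(1) if m else None


def version_tuple(v):
    """'1.8.20' -> (1, 8, 20): compare numerically, not as strings ('1.8.9' > '1.8.20' lexically)."""
    parts = []
    for piece in v.split("."):
        digits = re.match(r"\d+", piece)
        parts.append(int(digits.group()) if digits else 0)
    return tuple(parts)


def version_lt(a, b):
    """True if version a is older than version b; pads so that 4.2 == 4.2.0."""
    ta, tb = version_tuple(a), version_tuple(b)
    n = max(len(ta), len(tb))
    return ta + (0,) * (n - len(ta)) < tb + (0,) * (n - len(tb))


def find_plugin_versions(plugins_dir):
    """Map plugin slug -> declared version for each plugin directory with a Version: header."""
    found = {}
    for d in Path(plugins_dir).iterdir():
        if not d.is_dir():
            continue
        for php in d.glob("*.php"):
            v = parse_version(php.read_text(errors="replace"))
            if v:
                found[d.name] = v
                break
    return found


def audit(installed):
    """Return [(slug, installed_version, minimum_safe)] for plugins below the safe version."""
    return [
        (slug, v, MIN_SAFE_VERSION[slug])
        for slug, v in installed.items()
        if slug in MIN_SAFE_VERSION and version_lt(v, MIN_SAFE_VERSION[slug])
    ]


def build_demo_site():
    """Write a throwaway plugins tree with constructed headers (slugs are assumptions)."""
    root = Path(tempfile.mkdtemp()) / "wp-content" / "plugins"
    samples = {
        "revslider": ("revslider.php", "4.1.4"),      # constructed: below 4.2
        "gravityforms": ("gravityforms.php", "1.8.20"),  # constructed: exactly at fix
        "hello-dolly": ("hello.php", "1.6"),          # constructed: not in the watch list
    }
    for slug, (fname, ver) in samples.items():
        d = root / slug
        d.mkdir(parents=True)
        (d / fname).write_text(f"<?php\n/*\nPlugin Name: {slug}\nVersion: {ver}\n*/\n")
    return root


def run_demo():
    """Build the demo tree, scan it and return the audit findings."""
    return audit(find_plugin_versions(build_demo_site()))


if __name__ == "__main__":
    for slug, have, need in run_demo():
        print(f"{slug}: installed {have}, needs at least {need}")
```

Point `find_plugin_versions()` at a real `wp-content/plugins` directory and extend `MIN_SAFE_VERSION` as advisories arrive; the numeric comparison matters because a plain string compare would wrongly treat Gravity Forms 1.8.9 as newer than 1.8.20.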
Separately on 7 April, Sucuri also found a dangerous vulnerability affecting the WP-Super-Cache plugin, which has been installed on over one million websites.
"Using this vulnerability, an attacker using a carefully crafted query could insert malicious scripts to the plugin's cached file listing page. As this page requires a valid nonce in order to be displayed, a successful exploitation would require the site's administrator to have a look at that particular section, manually," security researcher Marc-Alexandre Montpas wrote in a blog post.
"When executed, the injected scripts could be used to perform a lot of other things like adding a new administrator account to the site, injecting backdoors by using WordPress theme edition tools, etc."
WordPress users are advised to make sure that they are running the most recent version of the CMS and that all their plugins are updated to the latest version, but that is not all.
"It is not just about keeping it updated anymore," wrote Sucuri's founder and CTO Daniel Cid.
"You have to have security in depth, you have to have monitoring, you have to leverage low-privileged users for most of your actions, you have to monitor your logs, you have to use good passwords, you have to audit the plugins and themes you are using."
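Two of Cid's points, monitoring and reading logs, tie back to the brute force attacks on the administration panel that Sucuri observed. The script below is an added example, not code from the article or from Sucuri: it parses web server lines in Apache combined log format, keeps only POSTs to `wp-login.php`, and flags any client address that sends at least `threshold` of them inside a sliding window of `window_seconds`. The log lines in `SAMPLE_LOG` are constructed for the demo and use documentation IP ranges; the threshold and window are assumptions to tune per site.

```python
"""Flag burst login attempts against wp-login.php in Apache combined log lines.

Added example, not code from the article or Sucuri. SAMPLE_LOG is constructed
for the demo; the threshold and window are assumptions to tune per site.
"""
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log: ip ident user [ts] "METHOD path proto" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict with ip, ts (datetime), method, path, status; None if not parseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "ts": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "method": m.group("method"),
        "path": m.group("path").split("?", 1)[0],  # drop query string
        "status": int(m.group("status")),
    }


def login_bursts(lines, threshold=10, window_seconds=60):
    """Return {ip: peak_count} for addresses with >= threshold POSTs to wp-login.php
    inside any window of window_seconds."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["method"] == "POST" and rec["path"].endswith("/wp-login.php"):
            events[rec["ip"]].append(rec["ts"])

    flagged = {}
    for ip, times in events.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # shrink the window from the left until it spans <= window_seconds
            while (times[end] - times[start]).total_seconds() > window_seconds:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


def _line(ip, ts, method, path, status):
    """Build one constructed combined-log line."""
    return f'{ip} - - [{ts}] "{method} {path} HTTP/1.1" {status} 512 "-" "Mozilla/5.0"'


# Constructed sample: one address hammering the login form, one normal user,
# an unrelated GET and a malformed line the parser must skip.
SAMPLE_LOG = (
    [_line("203.0.113.5", f"10/Apr/2015:12:00:{2 * i:02d} +0000", "POST", "/wp-login.php", 200)
     for i in range(12)]
    + [
        _line("203.0.113.5", "10/Apr/2015:12:00:30 +0000", "GET", "/wp-login.php", 200),
        _line("198.51.100.7", "10/Apr/2015:12:00:05 +0000", "POST", "/wp-login.php", 302),
        _line("198.51.100.7", "10/Apr/2015:12:09:41 +0000", "POST", "/wp-login.php", 200),
        _line("192.0.2.9", "10/Apr/2015:12:01:00 +0000", "GET", "/", 200),
        "this line is not in combined log format",
    ]
)


if __name__ == "__main__":
    for ip, count in login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} login POSTs within 60s")
```

Feed it `sys.stdin` or an open access log instead of `SAMPLE_LOG`; the flagged addresses are candidates for rate limiting or blocking at the web server, and a burst from an address that then receives a redirect rather than the login form again is worth a closer look at the account involved.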