Two of my client’s sites have recently been hit with the exact same website hack that I believe exploits a vulnerability found in versions 3.6.0 through 3.6.2. While the vulnerability has been fully described as a “remote code execution vulnerability,” I have not seen anyone describe any widespread attacks actually exploiting it. Until now!
Well, friends, I am here to describe exactly how it works and how you can fix it.
Note: it’s likely this same attack will be used for future exploits of Elementor and other plugins, too. So if you’ve seen any of these symptoms but don’t use Elementor: read on.
Once your site is exploited, the attackers quickly add a handful of malicious files to your website. As far as I can tell, mostly all they do is redirect logged-out visitors and search engine traffic to spam sites. But I’ve also found that many functions of your site – especially e-commerce sites – may break as well.
Specific Markers of this Hack
I found that the symptoms of this hack were identical in both instances. Specifically I found the following:
- A new plugin installed (but deactivated) identifying itself in the backend as “Cool Timelline” (sic). The most heinous thing about this is that the plugin is not, in fact, cool at all. This plugin actually exists in the plugins folder as “wp-sp”. Note that I’ve heard reports of it being called “wp-pimple” as well.
The plugin contains 4 files, all malicious:
- A file in the site root called “slicemap.php”. The code within in obfuscated but certainly malicious. Other users have reported that it was called simply “class.php”.
- Malicious code is injected into the core WordPress file wp-blog-header.php. I forgot to check the contents of it before I deleted it, but I suspect that this is where the redirects happen.
- Logged-out users get redirected to spam sites. In my case, we logged a bunch of redirects and spam sites including the following domains (don’t go to these, they are likely infected or otherwise malicious):
If you use the popular (and recommended) WordFence plugin, your scan results would likely look much like this:
This should actually be a conclusive list of the files that are changed from this attack.
So how do we fix a WordPress website infected with this attack?
Fortunately, it’s not too difficult!
*Note: I recommend backing up your entire site and database before engaging in any of this. If you don’t know what you’re doing hear, I recommend hiring a WordPress expert to take care of it for you.
- Update your Elementor plugin. This was the original source of the attack, and it makes sense to close that door before dealing with the attack.
- Delete the “Cool Timelline” / wp-sp plugin. You can do this from the WordPress backend, or you could navigate to /wp-content/plugins/ and delete the “wp-sp” folder.
- Delete the “slicemap.php” file located in the website route.
- Reinstall the newest WordPress version from the “Updates” screen in the backend to reset the core files. From the backend, go to Dashboard -> Updates -> “Re-install version 5.9.3” (or whatever version they’re currently at as of the time of this reading). Or just update to the newest version if you aren’t there yet.
- Review the list of Administrators on your account and remove any suspicious accounts.
- Reset all administrator passwords.
- (Recommended) Install the WordFence plugin and run a scan to make sure you got everything.
- (Recommended) Reset the database password for your website. This is recommended because it’s possible the attackers saved this database connection info and will return at a later date.
And that should do it! Luckily this hack doesn’t seem to be too pervasive, so you should be able to remedy it fairly easily. The biggest issue is that you may not notice there’s a problem for some time, as logged-in users don’t get redirected.