Thanks for reporting this @nathan62223
Hello,
I’d like to add some detail about the recent security issue. One of my sites was hacked, and it was running PublishPress Capabilities 2.3.2, which is troubling.
That said, the suspicious ‘wp-striplple/wp-striplple.php’ plug-in had NOT been installed or uploaded. (I scanned the whole DB and confirmed.) So it seems like version > 2.3 does the trick there.
BUT, my general settings site URL WAS changed to ‘trainresistor.cc’, as some others have mentioned. That was causing my page to not load. I fixed it by editing my database.
So there may be two different attacks involved, or two different aspects to one.
Hi @kenjitoyooka
You may well be correct. Wordfence is reporting that these attacks on PublishPress Capabilities are part of a larger effort to hit multiple plugins and themes with options update vulnerabilities:
https://www.wordfence.com/blog/2021/12/massive-wordpress-attack-campaign/
So sites hacked through issues in those other plugins and themes may also see the “trainresistor” related impacts.
@kenjitoyooka The vulnerability is fixed in 2.3.1 and 2.3.2. Malicious code or database updates uploaded under an older Capabilities version could have a completely different name or location, and could cause a delayed effect even after updating Capabilities. The best course is to restore files and database from backup, then update Capabilities.
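An added example, not part of the thread or of any plugin's code: a small audit of the wp_options rows for the two symptoms reported above, a changed site URL and an unexpected active plugin. Because malicious code can carry a different name, it compares active plugins against an allowlist instead of matching one filename. The function names, the expected host example.com, the allowlist and the sample rows are all constructed assumptions.

```python
import re
from urllib.parse import urlparse

# Constructed sample rows (option_name -> option_value), shaped like the result of:
#   SELECT option_name, option_value FROM wp_options
#   WHERE option_name IN ('siteurl', 'home', 'active_plugins');
SAMPLE_OPTIONS = {
    "siteurl": "https://trainresistor.cc",
    "home": "https://example.com",
    "active_plugins": (
        'a:2:{i:0;s:33:"example-plugin/example-plugin.php";'
        'i:1;s:29:"wp-striplple/wp-striplple.php";}'
    ),
}


def plugin_paths(serialized):
    """Extract plugin paths from the PHP-serialized active_plugins array."""
    return re.findall(r's:\d+:"([^"]*)";', serialized)


def audit_options(options, expected_host, known_plugins):
    """Return a list of findings for URL options and active plugins."""
    findings = []
    # siteurl and home should both resolve to the site's own host.
    for name in ("siteurl", "home"):
        host = urlparse(options.get(name, "")).hostname
        if host != expected_host:
            findings.append(f"{name} points to {host!r}, expected {expected_host!r}")
    # Any active plugin outside the allowlist is reported, whatever its name.
    for path in plugin_paths(options.get("active_plugins", "")):
        if path not in known_plugins:
            findings.append(f"unrecognised active plugin: {path}")
    return findings


if __name__ == "__main__":
    allowlist = {"example-plugin/example-plugin.php"}  # hypothetical allowlist
    for finding in audit_options(SAMPLE_OPTIONS, "example.com", allowlist):
        print(finding)
```

A clean result here does not rule out modified files on disk, so it complements the restore-from-backup advice above and does not replace it.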